Difference between revisions of "Projects/KDC Discovery"
Changes in this revision (section Design):
- Removed from the list of SRV drawbacks: "Does not assist in locating password services"
- Removed from the list of TXT records: "_krb524.REALM (K5 to K4 service)"
Revision as of 13:01, 27 May 2016
This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used with a (currently non-standardized) URI payload format.
The current method of KDC discovery using DNS SRV records has the following drawbacks:
- Only UDP and TCP protocols can be specified
- Multiple queries are needed to discover both protocol records
- The DNS administrator has no influence on client protocol use
Design
The client performs a DNS lookup for one or more of the following TXT records:
- _kerberos-master.REALM (Master KDC)
- _kerberos-adm.REALM (Admin service)
- _kerberos.REALM (Normal KDC)
- _kpasswd.REALM (Password service)
An entry will contain a URI-formatted string of priority, weight, transport, target, and optional port, separated by colons. The MS-KKDCP transport type uses an http/https host address target with an optional port and path.
- priority:weight:udp:host[:port]
- priority:weight:tcp:host[:port]
- priority:weight:tls:host[:port]
- priority:weight:kkdcp:http://host[:port][/path]
- priority:weight:kkdcp:https://host[:port][/path]
Discovery using this new method should be attempted before searching SRV records.
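The parsing step of the design above, as an added example that is not part of the project's code: it splits the colon-separated TXT payload, keeps the kkdcp URL whole (its scheme and port also contain colons), and rejects unknown transports, out-of-range numbers and empty hosts. The 0..65535 range for priority and weight and the struct layout are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>

typedef struct {
    int priority, weight;
    char transport[8];   /* "udp", "tcp", "tls" or "kkdcp" */
    char target[512];    /* hostname, or the whole http(s) URL for kkdcp */
    int port;            /* -1 when absent; kkdcp keeps the port inside the URL */
} kdc_uri_entry;

/* Parse a decimal field; reject empty input, trailing junk and values outside 0..65535 (assumed range). */
static int parse_uint16(const char *s, int *out)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 0 || v > 65535) return -1;
    *out = (int)v;
    return 0;
}
/* Parse "priority:weight:transport:target[:port]" from a TXT record.
 * Returns 0 on success, -1 if the record is malformed or names an unknown transport. */
int parse_kdc_uri(const char *txt, kdc_uri_entry *out)
{
    char buf[512], *weight, *transport, *rest, *colon; int scheme_len;
    if (strlen(txt) >= sizeof(buf)) return -1;
    strcpy(buf, txt);
    /* The first three fields never contain ':', so cut them off one by one. */
    if (!(weight = strchr(buf, ':')) || !(transport = strchr(weight + 1, ':')) ||
        !(rest = strchr(transport + 1, ':'))) return -1;
    *weight++ = *transport++ = *rest++ = '\0';
    if (parse_uint16(buf, &out->priority) || parse_uint16(weight, &out->weight) ||
        strlen(transport) >= sizeof(out->transport)) return -1;
    strcpy(out->transport, transport);
    out->port = -1;
    if (strcmp(transport, "kkdcp") == 0) {
        /* The target is a URL whose "://" and port also use ':', so keep it whole. */
        scheme_len = strncmp(rest, "http://", 7) == 0 ? 7 :
                     strncmp(rest, "https://", 8) == 0 ? 8 : 0;
        if (scheme_len == 0 || rest[scheme_len] == '\0') return -1;  /* bad scheme or empty host */
        strcpy(out->target, rest);
        return 0;
    }
    if (strcmp(transport, "udp") && strcmp(transport, "tcp") && strcmp(transport, "tls")) return -1;
    if ((colon = strchr(rest, ':')) != NULL) {           /* optional ":port" after the host */
        *colon++ = '\0';
        if (parse_uint16(colon, &out->port) || out->port == 0) return -1;
    }
    if (*rest == '\0') return -1;                        /* empty host */
    strcpy(out->target, rest);
    return 0;
}
```

A bracketed IPv6 literal as the host would need extra handling, since its own colons collide with the ":port" separator.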
(Password service discovery)
Implementation
src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but only retrieves a realm name from the record. Make a generalized TXT lookup function to pass the result to a new parsing function for the URI format.