Difference between revisions of "Projects/KDC Discovery"
Revision as of 15:10, 31 May 2016
This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used instead, carrying a (currently non-standardized) URI payload format.
The current method of KDC discovery using DNS SRV records has the following drawbacks:
- Only UDP and TCP protocols can be specified
- Multiple queries are needed to discover both protocol records
- The DNS administrator has no influence on client protocol use
Design
The client performs a DNS lookup for one or more of the following TXT records:
- _kerberos-adm.REALM (Admin service)
- _kerberos.REALM (KDC)
- _kpasswd.REALM (Password service)
An entry will contain a URI-formatted string of priority, weight, flags, transport, target, and optional port, separated by colons. The MS-KKDCP transport type uses an http/https host address target with an optional port and path.
- priority:weight:flags:udp:host[:port]
- priority:weight:flags:tcp:host[:port]
- priority:weight:flags:tls:host[:port]
- priority:weight:flags:kkdcp:http://host[:port][/path]
- priority:weight:flags:kkdcp:https://host[:port][/path]
The flags field contains zero or more flag characters. Currently the only valid character is M, indicating that the record is a master server.
Discovery using this new method should be attempted before searching SRV records.
The host field can be an IPv4 or IPv6 address (k5_parse_host_string(), part of PR#380, will help with this).
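The following parser is an added example written for this page; it is not krb5 code and does not correspond to the function that PR#380 adds. It parses the colon-separated TXT payload described above into its fields, accepts only the M flag, accepts only the udp, tcp, tls and kkdcp transports, and keeps a kkdcp target as a whole URL (so the colon inside "https://host:443/path" is not mistaken for a field separator). It assumes, since the page does not say, that an IPv6 literal in the host field is written in brackets, e.g. [2001:db8::1], so that the optional ":port" suffix stays unambiguous. All hostnames in the sample records are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not krb5 code. Parses the TXT payload format
 *   priority:weight:flags:udp|tcp|tls:host[:port]
 *   priority:weight:flags:kkdcp:http[s]://host[:port][/path]
 * Assumption (not stated on the page): IPv6 literals are bracketed. */

typedef struct {
    int priority;
    int weight;
    int master;          /* 1 if the 'M' flag is present */
    char transport[8];   /* "udp", "tcp", "tls" or "kkdcp" */
    char target[256];    /* host, bracketed IPv6 literal, or full kkdcp URL */
    int port;            /* -1 when no explicit port (kkdcp keeps it in the URL) */
} kdc_uri_entry;

/* Copy the text up to the next ':' into buf and advance *p past the ':'.
 * Returns -1 if there is no ':', the field is too long, or it is empty
 * and allow_empty is 0. */
static int next_field(const char **p, char *buf, size_t buflen, int allow_empty)
{
    const char *colon = strchr(*p, ':');
    size_t len;
    if (colon == NULL)
        return -1;
    len = (size_t)(colon - *p);
    if ((len == 0 && !allow_empty) || len >= buflen)
        return -1;
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p = colon + 1;
    return 0;
}

/* Parse a decimal number in 0..65535; returns -1 for anything else. */
static int parse_uint(const char *s)
{
    char *end;
    long v;
    if (!isdigit((unsigned char)s[0]))
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > 65535)
        return -1;
    return (int)v;
}

/* Returns 0 and fills *out on success, -1 on any malformed record. */
int parse_kdc_uri(const char *rec, kdc_uri_entry *out)
{
    char num[16], flags[16];
    const char *p = rec, *host_end;
    size_t i, hostlen;

    memset(out, 0, sizeof(*out));
    out->port = -1;

    if (next_field(&p, num, sizeof(num), 0) || (out->priority = parse_uint(num)) < 0)
        return -1;
    if (next_field(&p, num, sizeof(num), 0) || (out->weight = parse_uint(num)) < 0)
        return -1;
    if (next_field(&p, flags, sizeof(flags), 1))   /* flags may be empty */
        return -1;
    for (i = 0; flags[i] != '\0'; i++) {
        if (flags[i] != 'M')                        /* M is the only defined flag */
            return -1;
        out->master = 1;
    }
    if (next_field(&p, out->transport, sizeof(out->transport), 0))
        return -1;
    if (strcmp(out->transport, "kkdcp") == 0) {
        /* Remainder is the whole proxy URL; its own port/path stay inside it. */
        if (strncmp(p, "http://", 7) != 0 && strncmp(p, "https://", 8) != 0)
            return -1;
        if (strlen(p) >= sizeof(out->target))
            return -1;
        strcpy(out->target, p);
        return 0;
    }
    if (strcmp(out->transport, "udp") != 0 && strcmp(out->transport, "tcp") != 0 &&
        strcmp(out->transport, "tls") != 0)
        return -1;
    /* Remainder is host[:port]; a bracketed IPv6 literal may contain colons. */
    if (*p == '[') {
        host_end = strchr(p, ']');
        if (host_end == NULL)
            return -1;
        host_end++;                                 /* keep the closing bracket */
    } else {
        host_end = strchr(p, ':');
        if (host_end == NULL)
            host_end = p + strlen(p);
    }
    hostlen = (size_t)(host_end - p);
    if (hostlen == 0 || hostlen >= sizeof(out->target))
        return -1;
    memcpy(out->target, p, hostlen);
    out->target[hostlen] = '\0';
    if (*host_end == ':') {
        if ((out->port = parse_uint(host_end + 1)) < 0)
            return -1;
    } else if (*host_end != '\0') {
        return -1;
    }
    return 0;
}

/* One-shot accessors: return the field, or -2 if the record is rejected. */
int kdc_uri_port(const char *rec)     { kdc_uri_entry e; return parse_kdc_uri(rec, &e) ? -2 : e.port; }
int kdc_uri_master(const char *rec)   { kdc_uri_entry e; return parse_kdc_uri(rec, &e) ? -2 : e.master; }
int kdc_uri_priority(const char *rec) { kdc_uri_entry e; return parse_kdc_uri(rec, &e) ? -2 : e.priority; }

int main(void)
{
    /* Constructed sample records; example.com is not real infrastructure. */
    const char *samples[] = {
        "10:100:M:udp:kdc1.example.com:88",
        "20:50::tcp:[2001:db8::1]",
        "30:1::kkdcp:https://proxy.example.com:443/KdcProxy",
        "10:100:X:udp:kdc1.example.com",    /* unknown flag: rejected */
        "10:100:M:sctp:kdc1.example.com",   /* unknown transport: rejected */
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        kdc_uri_entry e;
        if (parse_kdc_uri(samples[i], &e) != 0) {
            printf("reject: %s\n", samples[i]);
            continue;
        }
        printf("prio=%d weight=%d master=%d %s %s port=%d\n",
               e.priority, e.weight, e.master, e.transport, e.target, e.port);
    }
    return 0;
}
```

Rejecting unknown flag characters and transports outright, rather than skipping them, is a deliberate choice here: a client that silently ignored an unrecognized transport could be steered to a record it does not understand, and a client that ignored unknown flags could later misread a record whose meaning depends on a flag it dropped. A real implementation may want to log and skip such records instead of failing the whole lookup.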
Implementation
src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but only retrieves a realm name from the record. Make a generalized TXT lookup function to pass the result to a new parsing function for the URI format.