Difference between revisions of "Projects/KDC Discovery"
Revision as of 09:44, 1 June 2016
This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used instead, with a (currently non-standardized) URI payload format.
The current method of KDC discovery using DNS SRV records has the following drawbacks:
- Only UDP and TCP protocols can be specified
- Multiple queries are needed to discover both protocol records
- The DNS administrator has no influence on client protocol use
Design
The client performs a DNS lookup for one or more of the following TXT records:
- _kerberos-adm.REALM (Admin service)
- _krb5kdc.REALM (KDC)
- _kpasswd.REALM (Password service)
An entry will contain a URI-formatted string of priority, weight, flags, transport, and target (containing an optional port and path), separated by colons. The host field can be an IPv4 address or a bracket-enclosed IPv6 address (k5_parse_host_string(), part of PR#380, will help with this). The MS-KKDCP transport type uses an http/https host address as its target, with an optional port and path.
- priority:weight:[flags]:udp:host[:port]
- priority:weight:[flags]:tcp:host[:port]
- priority:weight:[flags]:tls:host[:port]
- priority:weight:[flags]:kkdcp:http://host[:port][/path]
- priority:weight:[flags]:kkdcp:https://host[:port][/path]
The flags field contains zero or more flag characters, and is ignored for admin and password service lookups. Currently the only valid character is M, indicating that the record is for a master server. On the initial contact, if a non-master KDC has answered and returns an error such as PREAUTH_FAILED, entries that are marked as master will be contacted.
Priority is ordered lowest number first. Weight will not be used for now. On the initial KDC contact, all KDCs will be tried in priority order regardless of master status. On the fallback contact, only master KDCs will be tried, in priority order.
Discovery using this new method should be attempted before searching SRV records.
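As an added illustration (not part of the original page or of the krb5 code base), the following Python models the record format and contact ordering described above: a parser that splits a TXT record into its five colon-separated fields, treating everything after the fourth colon as the target so that bracketed IPv6 literals and http://host:port targets survive intact, and a contact-ordering function that implements the initial-contact and master-only fallback rules. The record strings in SAMPLE_RECORDS are constructed samples; the kkdcp target is parsed with Python's urllib rather than the k5_parse_host_string() helper the page mentions.

```python
"""Parser and contact ordering for the KDC Discovery TXT record format.
Added example, not krb5 project code; SAMPLE_RECORDS are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

TRANSPORTS = ("udp", "tcp", "tls", "kkdcp")
VALID_FLAGS = {"M"}  # M: the record points at a master server


@dataclass(frozen=True)
class KdcEntry:
    priority: int
    weight: int            # parsed but not used for ordering (per the design)
    master: bool
    transport: str
    host: str
    port: Optional[int]    # None when the record leaves the port unspecified
    scheme: str = ""       # "http"/"https" for kkdcp, "" otherwise
    path: str = ""         # kkdcp URL path, "" otherwise


def parse_host_port(target: str):
    """Parse host[:port]; host is IPv4, bracketed IPv6 or a hostname.
    An unbracketed IPv6 literal is rejected: its colons are ambiguous."""
    if target.startswith("["):
        end = target.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 bracket: %r" % target)
        host = target[1:end]
        ipaddress.IPv6Address(host)  # ValueError if not a valid IPv6 literal
        rest = target[end + 1:]
    else:
        host, sep, rest = target.partition(":")
        rest = sep + rest
    if not host:
        raise ValueError("empty host in %r" % target)
    if rest == "":
        return host, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError("bad port in %r" % target)
    port = int(rest[1:])
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % target)
    return host, port


def parse_entry(txt: str, service: str = "kdc") -> KdcEntry:
    """Parse priority:weight:[flags]:transport:target. Only the first four
    colons delimit fields, so colons inside the target are preserved.
    service is "kdc", "admin" or "password"; flags are ignored for the latter two."""
    parts = txt.split(":", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 fields in %r" % txt)
    prio_s, weight_s, flags, transport, target = parts
    if not (prio_s.isdigit() and weight_s.isdigit()):
        raise ValueError("priority and weight must be non-negative integers")
    if transport not in TRANSPORTS:
        raise ValueError("unknown transport %r" % transport)
    if set(flags) - VALID_FLAGS:
        raise ValueError("unknown flag characters in %r" % flags)
    master = service == "kdc" and "M" in flags
    if transport == "kkdcp":
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            raise ValueError("kkdcp target must be an http/https URL: %r" % target)
        return KdcEntry(int(prio_s), int(weight_s), master, transport,
                        url.hostname, url.port, url.scheme, url.path)
    host, port = parse_host_port(target)
    return KdcEntry(int(prio_s), int(weight_s), master, transport, host, port)


def contact_order(entries: List[KdcEntry], fallback: bool = False) -> List[KdcEntry]:
    """Initial contact: all entries, lowest priority number first, regardless
    of master status. Fallback (a non-master answered with an error such as
    PREAUTH_FAILED): master entries only, again by priority. Weight is unused,
    so equal-priority entries keep record order (sorted() is stable)."""
    candidates = [e for e in entries if e.master] if fallback else list(entries)
    return sorted(candidates, key=lambda e: e.priority)


# Constructed sample records for a _krb5kdc.EXAMPLE.COM lookup (not real data).
SAMPLE_RECORDS = [
    "20:1::tls:[2001:db8::1]:443",
    "10:1::udp:192.0.2.10:88",
    "10:1:M:tcp:kdc1.example.com",
    "30:1::kkdcp:https://proxy.example.com/KdcProxy",
]


def sample_plan():
    """Return (initial_hosts, fallback_hosts) for SAMPLE_RECORDS."""
    entries = [parse_entry(r) for r in SAMPLE_RECORDS]
    initial = [e.host for e in contact_order(entries)]
    fallback = [e.host for e in contact_order(entries, fallback=True)]
    return initial, fallback


if __name__ == "__main__":
    print(sample_plan())
```

Splitting on at most four colons is the point worth noticing: a naive split on every colon would break both bracketed IPv6 targets and kkdcp URLs, which is why the design brackets IPv6 addresses and why the target is always the last field.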
Implementation
src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but only retrieves a realm name from the record. Make a generalized TXT lookup function to pass the result to a new parsing function for the URI format.