
Projects/KDC Discovery

From K5Wiki
Revision as of 13:00, 27 May 2016 by Mrogers (talk | contribs) (Design)

This project is targeted at release 1.15.
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used instead, carrying a (currently non-standardized) URI payload format.

The current method of KDC discovery using DNS SRV records has the following drawbacks:

  • Only the UDP and TCP transports can be specified
  • Multiple queries are needed to discover the records for both transports
  • The DNS administrator has no influence on which transport the client uses
  • SRV records do not assist in locating password services

Design

The client performs a DNS lookup for one or more of the following TXT records:

  • _kerberos-master.REALM (Master KDC)
  • _kerberos-adm.REALM (Admin service)
  • _kerberos.REALM (Normal KDC)
  • _kpasswd.REALM (Password service)
  • _krb524.REALM (K5 to K4 service)

An entry contains a URI-formatted string of priority, weight, transport, target, and optional port, separated by colons. For the MS-KKDCP transport type the target is an http or https URL giving the proxy host, with an optional port and path.

  • priority:weight:udp:host[:port]
  • priority:weight:tcp:host[:port]
  • priority:weight:tls:host[:port]
  • priority:weight:kkdcp:http://host[:port][/path]
  • priority:weight:kkdcp:https://host[:port][/path]

Discovery using this new method should be attempted before searching SRV records.
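A parser for the TXT payload format above, written as an added example for this page (it is not MIT krb5 code). The layout priority:weight:transport:target[:port] comes from the design; the field names, the validation rules and the SRV-style ordering (lowest priority first, then highest weight) are my assumptions, as is the sample record set.

```python
from urllib.parse import urlsplit

TRANSPORTS = {"udp", "tcp", "tls", "kkdcp"}

# Constructed sample payloads, as they might appear in _kerberos.REALM TXT records.
SAMPLE_ENTRIES = [
    "20:1:tls:backup.example.com",
    "10:1:tcp:kdc1.example.com:88",
    "10:9:udp:kdc2.example.com",
    "10:5:kkdcp:https://proxy.example.com:8443/KdcProxy",
    "not-a-valid-entry",
]


def parse_entry(text):
    """Parse one TXT payload into a dict, raising ValueError if malformed."""
    # Split on at most three colons: a kkdcp target is itself a URL
    # ("https://host:8443/path") and must not be split any further.
    parts = text.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected priority:weight:transport:target")
    prio, weight, transport, target = parts
    if not (prio.isdigit() and weight.isdigit()):
        raise ValueError("priority and weight must be non-negative integers")
    if transport not in TRANSPORTS:
        raise ValueError("unknown transport %r" % transport)
    rec = {"priority": int(prio), "weight": int(weight),
           "transport": transport, "port": None, "path": None}
    if transport == "kkdcp":
        u = urlsplit(target)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError("kkdcp target must be an http(s) URL")
        rec.update(scheme=u.scheme, host=u.hostname, port=u.port, path=u.path or "/")
    else:
        host, sep, port = target.rpartition(":")  # host[:port]
        if not sep:
            rec["host"] = target  # no explicit port: caller applies the default
        elif port.isdigit():
            rec.update(host=host, port=int(port))
        else:
            raise ValueError("port must be numeric")
    return rec


def order_entries(entries):
    """Parse several payloads, skip malformed ones, and sort them SRV-style."""
    parsed = []
    for entry in entries:
        try:
            parsed.append(parse_entry(entry))
        except ValueError:
            continue  # a bad record must not poison the whole lookup
    return sorted(parsed, key=lambda r: (r["priority"], -r["weight"]))


if __name__ == "__main__":
    for rec in order_entries(SAMPLE_ENTRIES):
        print(rec)
```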

(Password service discovery)

Implementation

src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() already contains TXT lookup code, but it only retrieves a realm name from the record. Make a generalized TXT lookup function that passes the result to a new parsing function for the URI format.

Resources