Difference between revisions of "Projects/KDC Discovery"

From K5Wiki
Older revision edit summary: (Design)
Newer revision edit summary: (Examples: krb5kdc -> kerberos)
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{project-target|1.15}}
+ {{project-rel|1.15}}
{{project-early}}

- This project will implement Kerberos service discovery by DNS as specified by {{idref|draft-mccallum-kitten-krb-service-discovery-02}}. The draft currently specifies a new URI DNS record type, however it was decided that a TXT record will be used with a (currently non-standardized) URI payload format.
+ This project will implement Kerberos service discovery by DNS as specified by {{idref|draft-mccallum-kitten-krb-service-discovery-02}}. The draft currently specifies a new URI DNS record type.

The current method of KDC discovery using DNS SRV records has the following drawbacks:

Line 11: Line 11:
==Design==

- The client performs a DNS lookup for one or more of the following TXT records:
+ The client performs a DNS lookup for one or more of the following URI records:

* _kerberos-adm.REALM (Admin service)
- * _krb5kdc.REALM (KDC)
+ * <strike>_krb5kdc.REALM (KDC)</strike> Changed to: _kerberos.REALM (KDC) in code and draft
* _kpasswd.REALM (Password service)

- An entry will contain a string of priority, weight, flags, transport, and target (containing optional port and path) fields, separated by colons.
+ The URI record includes a priority and weight, and contains a URI string of the krb5srv scheme name, flags, transport, and target (containing optional port and path) fields, separated by colons.

- * priority:weight:[flags]:transport:host[:port][/path]
+ * krb5srv:[flags]:transport:host[:port][/path]

- Priority and weight are as defined in RFC 2782. Weight may or may not be implemented, and priority must be implemented. On the initial KDC contact, all KDCs will be tried according to priority regardless of master status. On the fallback contact, master KDCs will be tried according to priority, excluding non-masters.
+ The priority and weight are as defined in RFC 2782. Weight may or may not be implemented, and priority must be implemented. On the initial KDC contact, all KDCs will be tried according to priority regardless of master status. On the fallback contact, master KDCs will be tried according to priority, excluding non-masters.

The flags field contains zero or more flag characters. Currently the only valid character is M, indicating that the record is for a master server. On the initial contact, if a non-master KDC has answered and returns an error such as PREAUTH_FAILED, entries that are marked as master will be contacted.

Line 26: Line 26:
The transport field indicates the transport type for the given host address. It can be either "tcp", "udp", or "kkdcp" for MS-KKDCP.

- The host field can be an IPv4 or bracket-enclosed IPv6 address (k5_parse_host_string(), part of PR#380 will help with this). A host for the MS-KKDCP transport type uses a https:// address with an optional port and path.
+ The host field in the udp and tcp transport cases can be a hostname, IPv4 address, or bracket-enclosed IPv6 address, and can be followed by a port extension. A host for the MS-KKDCP transport type uses a https:// URL, and can include a port and/or path extension.

Discovery using this new method should be attempted before searching SRV records.
+
+ ==Examples==
+
+ * _kerberos IN URI 10 1 <nowiki>"krb5srv:M:kkdcp:https://kdc.example.com/path"</nowiki>
+ * _kerberos IN URI 20 1 <nowiki>"krb5srv::kkdcp:https://kdc2.example.com"</nowiki>
+ * _kerberos-adm IN URI 10 1 "krb5srv::tcp:192.168.1.20:1333"

==Implementation==

Line 38: Line 44:
* https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-02
* http://mailman.mit.edu/pipermail/krbdev/2016-May/012588.html
+ * KDC Discovery may fail with URI entries served by RHEL7 bind: https://bugzilla.redhat.com/show_bug.cgi?id=1388534

Latest revision as of 11:59, 26 April 2017

This project was completed in release 1.15.
This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type.

The current method of KDC discovery using DNS SRV records has the following drawbacks:

  • Only UDP and TCP protocols can be specified
  • Multiple queries are needed to discover both protocol records
  • The DNS administrator has no influence on client protocol use

Design

The client performs a DNS lookup for one or more of the following URI records:

  • _kerberos-adm.REALM (Admin service)
  • _kerberos.REALM (KDC) (originally _krb5kdc.REALM; changed to _kerberos.REALM in code and draft)
  • _kpasswd.REALM (Password service)

The URI record includes a priority and weight, and contains a URI string of the krb5srv scheme name, flags, transport, and target (containing optional port and path) fields, separated by colons.

  • krb5srv:[flags]:transport:host[:port][/path]

The priority and weight are as defined in RFC 2782. Weight may or may not be implemented, and priority must be implemented. On the initial KDC contact, all KDCs will be tried according to priority regardless of master status. On the fallback contact, master KDCs will be tried according to priority, excluding non-masters.

The flags field contains zero or more flag characters. Currently the only valid character is M, indicating that the record is for a master server. On the initial contact, if a non-master KDC has answered and returns an error such as PREAUTH_FAILED, entries that are marked as master will be contacted.

The transport field indicates the transport type for the given host address. It can be either "tcp", "udp", or "kkdcp" for MS-KKDCP.

The host field in the udp and tcp transport cases can be a hostname, IPv4 address, or bracket-enclosed IPv6 address, and can be followed by a port extension. A host for the MS-KKDCP transport type uses an https:// URL, and can include a port and/or path extension.

Discovery using this new method should be attempted before searching SRV records.

Examples

  • _kerberos IN URI 10 1 "krb5srv:M:kkdcp:https://kdc.example.com/path"
  • _kerberos IN URI 20 1 "krb5srv::kkdcp:https://kdc2.example.com"
  • _kerberos-adm IN URI 10 1 "krb5srv::tcp:192.168.1.20:1333"
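As an added illustration (not part of this wiki page or of the krb5 C implementation), the following Python code parses the krb5srv URI payload defined in the Design section and applies the initial-contact and fallback ordering rules; the IPv6 tcp record in the sample is constructed, the other two are the page's own examples, and no default port is assumed because the page defines none.

```python
import re

TRANSPORTS = {"udp", "tcp", "kkdcp"}
VALID_FLAGS = {"M"}          # M marks a master server; no other flag is defined

def parse_krb5srv(uri):
    """Parse 'krb5srv:[flags]:transport:host[:port][/path]' into a dict.
    Splits on at most three colons, so colons inside an https:// URL or a
    bracketed IPv6 literal stay in the target. Raises ValueError when invalid."""
    parts = uri.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError("not a krb5srv URI: %r" % uri)
    _, flags, transport, target = parts
    if set(flags) - VALID_FLAGS:
        raise ValueError("unknown flag character in %r" % flags)
    if transport not in TRANSPORTS:
        raise ValueError("unknown transport %r" % transport)
    rec = {"master": "M" in flags, "transport": transport}
    if transport == "kkdcp":
        if not target.startswith("https://"):
            raise ValueError("kkdcp target must be an https:// URL")
        rec["url"] = target           # port and path stay inside the URL
        return rec
    # udp/tcp target: hostname, IPv4 or [IPv6], then optional :port and /path
    m = re.match(r"^(\[[^\]]+\]|[^:/\[\]]+)(?::(\d+))?(/.*)?$", target)
    if m is None:
        raise ValueError("bad udp/tcp target %r" % target)
    host, port, path = m.groups()
    rec["host"] = host.strip("[]")
    rec["port"] = int(port) if port else None   # the page defines no default port
    rec["path"] = path
    return rec

def order_servers(rrs, fallback=False):
    """rrs: (priority, weight, uri) triples as served in the URI records.
    Initial contact tries every server by priority (lower value first, as in
    RFC 2782); fallback keeps only M-flagged masters. Weight is ignored."""
    chosen = [(prio, parse_krb5srv(uri)) for prio, _weight, uri in rrs]
    if fallback:
        chosen = [(p, r) for p, r in chosen if r["master"]]
    return [r for _, r in sorted(chosen, key=lambda t: t[0])]

# Constructed sample: the page's two _kerberos records plus an IPv6 tcp entry
KDC_RRS = [
    (20, 1, "krb5srv::kkdcp:https://kdc2.example.com"),
    (10, 1, "krb5srv:M:kkdcp:https://kdc.example.com/path"),
    (30, 1, "krb5srv::tcp:[2001:db8::1]:88"),
]
```

Note that a naive split on every colon would break both the https:// URL of a kkdcp record and a bracketed IPv6 literal, which is why the scheme, flags and transport fields are split off first and the remainder is treated as the target.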

Implementation

src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but only retrieves a realm name from the record. Make a generalized TXT lookup function to pass the result to a new parsing function for the URI format.

Resources

  • https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-02
  • http://mailman.mit.edu/pipermail/krbdev/2016-May/012588.html
  • KDC Discovery may fail with URI entries served by RHEL7 bind: https://bugzilla.redhat.com/show_bug.cgi?id=1388534