This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used instead, with a (currently non-standardized) URI payload format.
The current method of KDC discovery using DNS SRV records has the following drawbacks:
- Only UDP and TCP protocols can be specified
- Multiple queries are needed to discover both protocol records
- The DNS administrator has no influence on client protocol use
- Does not assist in locating password services
The client performs a DNS lookup for one or more of the following TXT records:
- _kerberos-master.REALM (Master KDC)
- _kerberos-adm.REALM (Admin service)
- _kerberos.REALM (Normal KDC)
- _kpasswd.REALM (Password service)
- _krb524.REALM (K5 to K4 service)
An entry will contain a URI-formatted string of priority, weight, transport, target, and optional port, separated by colons. The MS-KKDCP transport type uses an http/https host address as its target, with an optional port and path.
Discovery using this new method should be attempted before searching SRV records.
(Password service discovery)
src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but it only retrieves a realm name from the record. Make a generalized TXT lookup function that passes the raw record text to a new parsing function for the URI format.
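As an added illustration of the parsing function described here (not code from the krb5 tree), the following parses one TXT payload in the priority:weight:transport:target[:port] form given above. It assumes the transport names udp, tcp and kkdcp, and that only the first three colons separate fields, so an MS-KKDCP http/https target keeps its own port and path intact.

```c
#include <stdlib.h>
#include <string.h>
/* One parsed "_kerberos.REALM" TXT entry: priority:weight:transport:target[:port] */
struct kdc_entry {
    long priority, weight;
    char transport[8];    /* "udp", "tcp" or "kkdcp" (assumed names) */
    char target[200];     /* host name, or the http/https URL for kkdcp */
    long port;            /* -1 when the record gives no explicit port */
};

/* Parse a decimal field; reject empty, non-numeric or negative values. */
static int parse_num(const char *s, long *out) {
    char *end;
    *out = strtol(s, &end, 10);
    return (*s == '\0' || *end != '\0' || *out < 0) ? -1 : 0;
}

/* Returns 0 on success, -1 if the payload is malformed. Assumption (not in the
 * draft): only the first three colons separate fields, so a kkdcp target such as
 * https://host:443/KdcProxy is kept whole; for udp/tcp a trailing ":port" is split off. */
int parse_kdc_entry(const char *txt, struct kdc_entry *out) {
    char buf[256], *f[4], *p, *c = NULL;
    int i;
    if (strlen(txt) >= sizeof(buf)) return -1;      /* refuse oversized records */
    strcpy(buf, txt);
    for (i = 0, p = buf; i < 3; i++, p = c + 1) {
        if ((c = strchr(p, ':')) == NULL) return -1; /* too few fields */
        *c = '\0';
        f[i] = p;
    }
    f[3] = p;
    if (parse_num(f[0], &out->priority) || parse_num(f[1], &out->weight)) return -1;
    if (strcmp(f[2], "udp") && strcmp(f[2], "tcp") && strcmp(f[2], "kkdcp")) return -1;
    strcpy(out->transport, f[2]);
    out->port = -1;
    if (strcmp(f[2], "kkdcp") == 0) {               /* target must be an http/https URL */
        if (strncmp(f[3], "http://", 7) && strncmp(f[3], "https://", 8)) return -1;
    } else if ((c = strrchr(f[3], ':')) != NULL) {  /* optional ":port" for udp/tcp */
        *c = '\0';
        if (parse_num(c + 1, &out->port) || out->port == 0 || out->port > 65535) return -1;
    }
    if (*f[3] == '\0' || strlen(f[3]) >= sizeof(out->target)) return -1;
    strcpy(out->target, f[3]);
    return 0;
}

/* Check helper: 1 if txt parses and every field matches the expectation. */
int entry_matches(const char *txt, long prio, long weight, const char *transport,
                  const char *target, long port) {
    struct kdc_entry e;
    return parse_kdc_entry(txt, &e) == 0 && e.priority == prio && e.weight == weight &&
           strcmp(e.transport, transport) == 0 && strcmp(e.target, target) == 0 && e.port == port;
}
```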