[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 draft-ietf-kitten-krb-service-discovery

Internet Engineering Task Force                              N. McCallum
Internet-Draft                                             Red Hat, Inc.
Updates: 4120 (if approved)                                March 5, 2015
Intended status: Standards Track
Expires: September 6, 2015


                  Kerberos Service Discovery using DNS
             draft-mccallum-kitten-krb-service-discovery-00

Abstract

   This document proposes defines a new mechanism for discovering
   Kerberos services using DNS.  This new mechanism extends the
   mechanism already defined in Kerberos V5 [RFC4120] and has four
   goals.  First, reduce the number of DNS queries required to discover
   a Kerberos KDC.  Second, provide DNS administrators more control over
   client behavior.  Third, provide support for discovery of the MS-
   KKDCP transport.  Fourth, define a discovery procedure for Kerberos
   password services.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



McCallum                Expires September 6, 2015               [Page 1]


Internet-Draft              Service Discovery                 March 2015


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Document Conventions  . . . . . . . . . . . . . . . . . . . .   2
   3.  Realm to Domain Translation . . . . . . . . . . . . . . . . .   3
   4.  Required URI Formats  . . . . . . . . . . . . . . . . . . . .   3
   5.  Optional URI Formats  . . . . . . . . . . . . . . . . . . . .   3
     5.1.  MS-KKDCP  . . . . . . . . . . . . . . . . . . . . . . . .   3
   6.  Kerberos V5 KDC Service Discovery . . . . . . . . . . . . . .   3
   7.  Kerberos Password Service Discovery . . . . . . . . . . . . .   4
   8.  Relationship to Existing Mechanism  . . . . . . . . . . . . .   4
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   Section 7.2.3 of Kerberos V5 [RFC4120] defines a procedure for
   discovering a KDC based on DNS SRV records.  This method has three
   drawbacks.  First, two DNS queries are required to locate a single
   service (one for UDP and one for TCP).  Second, specifying UDP and
   TCP in separate records means that the DNS administrator has no
   control over client preferences for TCP or UDP.  Third, any new
   transports for reaching the KDC (such as MS-KKDCP) will require new
   records and additional DNS queries.

   The Kerberos Password [RFC3244] protocol has no defined procedure for
   discovery similar to the KDC method described above.  Implementations
   have largely chosen a similar method to section 7.2.3 of Kerberos V5
   [RFC4120], inheriting the same drawbacks outlined above.

   This RFC defines two new URI DNS records [I-D.faltstrom-uri]; one
   each for KDC and Kerberos Password service discovery.

2.  Document Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].







McCallum                Expires September 6, 2015               [Page 2]


Internet-Draft              Service Discovery                 March 2015


3.  Realm to Domain Translation

   This document does not define a new mechanism for translating
   Kerberos realms to DNS domains.  The existing mechanism as defined in
   section 7.2.3.1 of Kerberos V5 [RFC4120] MUST be followed.

4.  Required URI Formats

   The following URI formats MUST be supported by clients.  These
   formats indicate support for the standard UDP and TCP transports.
   The port number is optional.  If the port is not specified, the
   client MUST default to the standard port of the service.

   udp://host[:port]

   tcp://host[:port]

5.  Optional URI Formats

   The following URI formats MAY be supported by clients.

5.1.  MS-KKDCP

   These URIs indicate support for the MS-KKDCP [MS-KKDCP] protocol.
   The port number is optional.  If the port is not specified, the
   client MUST default to the standard port of the service.  The path is
   also optional.  If the path is not specified, the client MUST default
   to '/'.  Please note that this differs from the default path
   specified in section 2.1 of MS-KKDCP [MS-KKDCP].

   http://host[:port][path]

   https://host[:port][path]

6.  Kerberos V5 KDC Service Discovery

   In order to discover a KDC service location, the client MUST query
   the following URI DNS [I-D.faltstrom-uri] record (REALM indicates the
   translation of the Kerberos realm to a DNS domain):

   _kerberos.REALM

   TTL, Class, URI, Priority, Weight and Target have the standard
   meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type
   [I-D.faltstrom-uri].  Target SHOULD contain one of the URI formats
   specified in this document.





McCallum                Expires September 6, 2015               [Page 3]


Internet-Draft              Service Discovery                 March 2015


7.  Kerberos Password Service Discovery

   In order to discover a password service location, the client MUST
   query the following URI DNS [I-D.faltstrom-uri] record (REALM
   indicates the translation of the Kerberos realm to a DNS domain):

   _kpasswd.REALM

   TTL, Class, URI, Priority, Weight and Target have the standard
   meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type
   [I-D.faltstrom-uri].  Target SHOULD contain one of the URI formats
   specified in this document.

8.  Relationship to Existing Mechanism

   If an existing discovery protocol is supported by a client, the
   client SHOULD perform the URI lookup as defined in this document
   first.  If no URI record is found, the client MAY attempt discovery
   using another protocol.

9.  Normative References

   [I-D.faltstrom-uri]
              Faeltstroem, P. and O. Kolkman, "The Uniform Resource
              Identifier (URI) DNS Resource Record", draft-faltstrom-
              uri-12 (work in progress), March 2015.

   [MS-KKDCP]
              Microsoft, "[MS-KKDCP]: Kerberos Key Distribution Center
              (KDC) Proxy Protocol", May 2014,
              <http://msdn.microsoft.com/en-us/library/hh553774.aspx>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [RFC3244]  Swift, M., Trostle, J., and J. Brezak, "Microsoft Windows
              2000 Kerberos Change Password and Set Password Protocols",
              RFC 3244, February 2002.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.





McCallum                Expires September 6, 2015               [Page 4]


Internet-Draft              Service Discovery                 March 2015


Appendix A.  Acknowledgements

   Simo Sorce (Red Hat)
   Nico Williams (Oracle)

Author's Address

   Nathaniel McCallum
   Red Hat, Inc.
   100 East Davie Street
   Raleigh, NC  27601
   USA

   EMail: npmccallum@redhat.com





































McCallum                Expires September 6, 2015               [Page 5]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/