Internet Engineering Task Force N. McCallum
Internet-Draft Red Hat, Inc.
Updates: 4120 (if approved) March 5, 2015
Intended status: Standards Track
Expires: September 6, 2015
Kerberos Service Discovery using DNS
draft-mccallum-kitten-krb-service-discovery-00
Abstract
This document defines a new mechanism for discovering
Kerberos services using DNS. This new mechanism extends the
mechanism already defined in Kerberos V5 [RFC4120] and has four
goals. First, reduce the number of DNS queries required to discover
a Kerberos KDC. Second, provide DNS administrators more control over
client behavior. Third, provide support for discovery of the MS-
KKDCP transport. Fourth, define a discovery procedure for Kerberos
password services.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
McCallum Expires September 6, 2015 [Page 1]
Internet-Draft Service Discovery March 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Document Conventions . . . . . . . . . . . . . . . . . . . . 2
3. Realm to Domain Translation . . . . . . . . . . . . . . . . . 3
4. Required URI Formats . . . . . . . . . . . . . . . . . . . . 3
5. Optional URI Formats . . . . . . . . . . . . . . . . . . . . 3
5.1. MS-KKDCP . . . . . . . . . . . . . . . . . . . . . . . . 3
6. Kerberos V5 KDC Service Discovery . . . . . . . . . . . . . . 3
7. Kerberos Password Service Discovery . . . . . . . . . . . . . 4
8. Relationship to Existing Mechanism . . . . . . . . . . . . . 4
9. Normative References . . . . . . . . . . . . . . . . . . . . 4
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
Section 7.2.3 of Kerberos V5 [RFC4120] defines a procedure for
discovering a KDC based on DNS SRV records. This method has three
drawbacks. First, two DNS queries are required to locate a single
service (one for UDP and one for TCP). Second, specifying UDP and
TCP in separate records means that the DNS administrator has no
control over client preferences for TCP or UDP. Third, any new
transports for reaching the KDC (such as MS-KKDCP) will require new
records and additional DNS queries.
The Kerberos Password [RFC3244] protocol has no defined procedure for
discovery similar to the KDC method described above. Implementations
have largely chosen a similar method to section 7.2.3 of Kerberos V5
[RFC4120], inheriting the same drawbacks outlined above.
This RFC defines two new URI DNS records [I-D.faltstrom-uri]: one
each for KDC and Kerberos Password service discovery.
2. Document Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Realm to Domain Translation
This document does not define a new mechanism for translating
Kerberos realms to DNS domains. The existing mechanism as defined in
section 7.2.3.1 of Kerberos V5 [RFC4120] MUST be followed.
4. Required URI Formats
The following URI formats MUST be supported by clients. These
formats indicate support for the standard UDP and TCP transports.
The port number is optional. If the port is not specified, the
client MUST default to the standard port of the service.
udp://host[:port]
tcp://host[:port]
5. Optional URI Formats
The following URI formats MAY be supported by clients.
5.1. MS-KKDCP
These URIs indicate support for the MS-KKDCP [MS-KKDCP] protocol.
The port number is optional. If the port is not specified, the
client MUST default to the standard port of the service. The path is
also optional. If the path is not specified, the client MUST default
to '/'. Please note that this differs from the default path
specified in section 2.1 of MS-KKDCP [MS-KKDCP].
http://host[:port][path]
https://host[:port][path]
6. Kerberos V5 KDC Service Discovery
In order to discover a KDC service location, the client MUST query
the following URI DNS [I-D.faltstrom-uri] record (REALM indicates the
translation of the Kerberos realm to a DNS domain):
_kerberos.REALM
TTL, Class, URI, Priority, Weight and Target have the standard
meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type
[I-D.faltstrom-uri]. Target SHOULD contain one of the URI formats
specified in this document.
7. Kerberos Password Service Discovery
In order to discover a password service location, the client MUST
query the following URI DNS [I-D.faltstrom-uri] record (REALM
indicates the translation of the Kerberos realm to a DNS domain):
_kpasswd.REALM
TTL, Class, URI, Priority, Weight and Target have the standard
meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type
[I-D.faltstrom-uri]. Target SHOULD contain one of the URI formats
specified in this document.
8. Relationship to Existing Mechanism
If an existing discovery protocol is supported by a client, the
client SHOULD perform the URI lookup as defined in this document
first. If no URI record is found, the client MAY attempt discovery
using another protocol.
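The following is an added worked example, not part of the draft and not code from any Kerberos implementation. It ties sections 4 through 8 together: it parses a constructed set of _kerberos and _kpasswd URI records written in zone-file presentation form, orders them by RFC 2782 priority and weight, applies the draft's URI rules (udp/tcp required, http/https optional, default port when none is given, default path '/' for MS-KKDCP), and returns None when no URI record exists so the caller can fall back to another discovery protocol as section 8 allows. The zone data, host names and the 80/443 defaults for http/https are assumptions; 88 (RFC 4120) and 464 (RFC 3244) are the registered Kerberos and kpasswd ports. The realm-to-domain step is simplified to lowercasing, which is only one part of the RFC 4120 section 7.2.3.1 procedure.

```python
"""Worked example: resolve Kerberos service endpoints from URI DNS records
as described in the draft.  Zone data below is constructed for illustration;
a real client would issue a DNS query for the URI record type."""
import random
import re
from urllib.parse import urlsplit

# Constructed URI records in zone-file presentation form:
# owner TTL IN URI priority weight "target".  Sample values only.
SAMPLE_ZONE = """
_kerberos.example.com. 3600 IN URI 10 50 "tcp://kdc1.example.com"
_kerberos.example.com. 3600 IN URI 10 50 "udp://kdc1.example.com:88"
_kerberos.example.com. 3600 IN URI 20 0  "https://proxy.example.com:8443/KdcProxy"
_kpasswd.example.com.  3600 IN URI 10 0  "tcp://kdc1.example.com"
"""

# Default ports used when the URI omits one.  88 and 464 are the registered
# Kerberos and kpasswd ports; 80/443 for http/https are an assumption, since
# the draft only says "the standard port of the service".
DEFAULT_PORTS = {
    "_kerberos": {"udp": 88, "tcp": 88, "http": 80, "https": 443},
    "_kpasswd": {"udp": 464, "tcp": 464, "http": 80, "https": 443},
}

RR_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+URI\s+(\d+)\s+(\d+)\s+"([^"]*)"$')


def load_zone(text):
    """Parse constructed zone lines into {owner: [(priority, weight, target)]}."""
    records = {}
    for line in text.strip().splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable record: " + line)
        owner, prio, weight, target = m.groups()
        records.setdefault(owner.rstrip("."), []).append(
            (int(prio), int(weight), target))
    return records


def parse_target(target, service):
    """Apply the draft's URI rules to one Target.  Returns None for a scheme
    the client does not support (http/https are OPTIONAL for clients)."""
    u = urlsplit(target)
    if u.scheme not in DEFAULT_PORTS[service]:
        return None
    port = u.port if u.port is not None else DEFAULT_PORTS[service][u.scheme]
    endpoint = {"transport": u.scheme, "host": u.hostname, "port": port}
    if u.scheme in ("http", "https"):
        endpoint["path"] = u.path or "/"   # MS-KKDCP: default path is '/'
    return endpoint


def order_records(rrs, rng):
    """RFC 2782 ordering: ascending priority; within one priority, weighted
    random selection, with weight-0 entries tried only rarely."""
    ordered = []
    for prio in sorted({r[0] for r in rrs}):
        group = [r for r in rrs if r[0] == prio]
        group.sort(key=lambda r: r[1] != 0)   # weight 0 first, per RFC 2782
        while group:
            total = sum(w for _, w, _ in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def discover(service, realm, zone_text, rng=None):
    """Return usable endpoints for '_kerberos' or '_kpasswd' in the order a
    client should try them, or None when no URI record exists (section 8:
    the client MAY then try another discovery protocol, e.g. SRV)."""
    rng = rng or random.Random()
    domain = realm.lower()   # simplified realm-to-domain translation (assumption)
    rrs = load_zone(zone_text).get(service + "." + domain)
    if not rrs:
        return None
    endpoints = []
    for _, _, target in order_records(rrs, rng):
        ep = parse_target(target, service)
        if ep is not None:
            endpoints.append(ep)
    return endpoints


if __name__ == "__main__":
    for ep in discover("_kerberos", "EXAMPLE.COM", SAMPLE_ZONE):
        print(ep)
```

Because the two priority-10 KDC records carry equal weight, either may come first on a given run; the weight-0 proxy record always sorts after them because its priority is lower, which is the administrator-side control over transport preference that the draft's introduction asks for.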
9. Normative References
[I-D.faltstrom-uri]
Faeltstroem, P. and O. Kolkman, "The Uniform Resource
Identifier (URI) DNS Resource Record", draft-faltstrom-
uri-12 (work in progress), March 2015.
[MS-KKDCP]
Microsoft, "[MS-KKDCP]: Kerberos Key Distribution Center
(KDC) Proxy Protocol", May 2014,
<http://msdn.microsoft.com/en-us/library/hh553774.aspx>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[RFC3244] Swift, M., Trostle, J., and J. Brezak, "Microsoft Windows
2000 Kerberos Change Password and Set Password Protocols",
RFC 3244, February 2002.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
Appendix A. Acknowledgements
Simo Sorce (Red Hat)
Nico Williams (Oracle)
Author's Address
Nathaniel McCallum
Red Hat, Inc.
100 East Davie Street
Raleigh, NC 27601
USA
EMail: npmccallum@redhat.com