SRV records and canonicalization

Simon Wilkinson simon at sxw.org.uk
Thu Apr 13 08:12:36 EDT 2006


I'm interested in what people feel the 'correct' approach is to the
following situation.

XMPP (the 'Jabber' protocol) uses DNS SRV records to determine the
location of a Jabber service for a given DNS domain. In some
implementations there may be multiple servers, running on multiple
different machines, all of which can accept an incoming connection.
In current Jabber (and MIT Kerberos) implementations, the service
principal used for the SASL/GSSAPI/Kerberos connection is the canonical
version of the hostname returned from the results of the SRV query.

This is obviously bad, as the use of an insecure directory service (DNS)
to perform both of these lookups presents an opportunity for a MITM
attack. Worse is a current proposal that the server should be able to
tell the client the principal name to use.

So, for a Jabber connection to 'example.org', should we be connecting to
the service principal 'xmpp/example.org'? But how does this work where
'example.org' is providing multiple XMPP servers - should they all have
a copy of the same key material, and does this present further concerns?

Cheers,

Simon.
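The two principal-derivation strategies the post contrasts, as an added example (this is not code from the post, nor from any Jabber or MIT Kerberos implementation). It models the resolver with a constructed in-memory DNS table rather than real lookups; the realm EXAMPLE.ORG, the hostnames, the addresses and the spoofed answer set are all assumptions for illustration. The SRV target selection follows the RFC 2782 priority/weight rule; canonicalization follows CNAMEs as a resolver would before the Kerberos library builds a host-based principal.

```python
"""Added example: service-principal choice for an XMPP/GSSAPI connection.

The DNS data below is constructed for the example and is not a real lookup.
"""
import random
from dataclasses import dataclass

REALM = "EXAMPLE.ORG"     # assumed Kerberos realm for the example
SERVICE = "xmpp"          # service name used in the principal


@dataclass(frozen=True)
class SRV:
    """One SRV record for _xmpp-client._tcp.<domain>: priority, weight, port, target."""
    priority: int
    weight: int
    port: int
    target: str           # FQDN with trailing dot, as DNS returns it


def select_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random."""
    if not records:
        raise LookupError("no SRV records")
    best = min(r.priority for r in records)
    # Weight-0 records go first so they are chosen only when the draw lands on 0.
    candidates = sorted((r for r in records if r.priority == best),
                        key=lambda r: r.weight != 0)
    pick = rng.randint(0, sum(r.weight for r in candidates))
    running = 0
    for r in candidates:
        running += r.weight
        if running >= pick:
            return r
    return candidates[-1]


def canonicalize(dns, name, max_hops=8):
    """Follow CNAMEs to the canonical hostname; refuse CNAME loops."""
    hops = 0
    while name in dns["cname"]:
        name = dns["cname"][name]
        hops += 1
        if hops > max_hops:
            raise LookupError("CNAME chain too long")
    if name not in dns["a"]:
        raise LookupError(f"no address record for {name}")
    return name


def principal_from_srv_target(dns, domain, rng=random):
    """Behaviour the post describes: the principal is whatever host the
    unauthenticated SRV and CNAME answers point at."""
    records = dns["srv"].get(f"_xmpp-client._tcp.{domain}.", [])
    target = select_srv(records, rng).target
    host = canonicalize(dns, target).rstrip(".")
    return f"{SERVICE}/{host}@{REALM}"


def principal_from_domain(domain):
    """Alternative the post raises: bind the principal to the domain the user
    typed, so DNS answers cannot change which key the peer must prove it holds."""
    return f"{SERVICE}/{domain}@{REALM}"


# Constructed stand-in for honest DNS: two active servers behind CNAMEs plus a
# lower-priority standby (hostnames and addresses are assumptions).
HONEST_DNS = {
    "srv": {"_xmpp-client._tcp.example.org.": [
        SRV(10, 60, 5222, "xmpp1.example.org."),
        SRV(10, 40, 5222, "xmpp2.example.org."),
        SRV(20, 0, 5222, "standby.example.org."),
    ]},
    "cname": {"xmpp1.example.org.": "node-a.example.org.",
              "xmpp2.example.org.": "node-b.example.org."},
    "a": {"node-a.example.org.": "192.0.2.10",
          "node-b.example.org.": "192.0.2.11",
          "standby.example.org.": "192.0.2.12"},
}

# Constructed answers as a path attacker or poisoned cache would return them:
# same domain, but the SRV target is a host of the attacker's choosing.
SPOOFED_DNS = {
    "srv": {"_xmpp-client._tcp.example.org.": [SRV(0, 0, 5222, "mitm.attacker.example.")]},
    "cname": {},
    "a": {"mitm.attacker.example.": "203.0.113.5"},
}


def compare(domain="example.org", seed=1):
    """Show which principal the client would request under each strategy."""
    rng = random.Random(seed)
    return {
        "srv_honest": principal_from_srv_target(HONEST_DNS, domain, rng),
        "srv_spoofed": principal_from_srv_target(SPOOFED_DNS, domain, rng),
        "domain_honest": principal_from_domain(domain),
        "domain_spoofed": principal_from_domain(domain),
    }


if __name__ == "__main__":
    for strategy, principal in compare().items():
        print(f"{strategy:15} {principal}")
```

Under the spoofed answers the SRV-derived strategy has the client request a ticket for a principal the attacker picked; if the attacker holds a key for that principal, the SASL/GSSAPI exchange completes against the wrong host. The domain-derived strategy yields the same principal whichever SRV target is selected, which is exactly why the post's second question arises: every server answering for the domain must then hold the xmpp/example.org key.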
