SRV records and canonicalization

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Apr 13 09:40:13 EDT 2006


Simon Wilkinson wrote:
> I'm interested in what people feel the 'correct' approach is to the
> following situation.
> 
> XMPP (the 'Jabber' protocol) uses DNS SRV records to determine the
> location of a Jabber service for a given DNS domain. In some
> implementations there may be multiple servers, running on multiple
> different machines, all of which can accept an incoming connection.
> In current Jabber (and MIT Kerberos) implementations, the service
> principal used for the SASL/GSSAPI/Kerberos connection is the canonical
> version of the hostname returned from the results of the SRV query.
> 
> This is obviously bad, as the use of an insecure directory service (DNS)
> to perform both of these lookups presents an opportunity for a MITM
> attack. Worse is a current proposal that the server should be able to
> tell the client the principal name to use.
> 
> So, for a Jabber connection to 'example.org', should we be connecting to
> the service principal 'xmpp/example.org'? But, how does this work where
> 'example.org' is providing multiple XMPP servers - should they all have
> a copy of the same key material, and does this present further concerns?
> 
> Cheers,
> 
> Simon.

What we want in this case is the use of Domain-based Service Names
as described in

  draft-ietf-kitten-gssapi-domain-based-names-01.txt
  draft-ietf-kitten-krb5-gssapi-domain-based-names-01.txt

Please review the drafts and send any feedback you may have to
the Kitten WG and Kerberos WG mailing lists.

Jeffrey Altman
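Added illustration for the problem Simon describes and the domain-based names Jeffrey points to; this is not code from either message or from the drafts (later published as RFC 5178 and RFC 5179). It models a client that resolves `_xmpp-client._tcp` SRV records, canonicalizes the target, and derives the Kerberos service principal from it, beside a client that puts the domain the user asked for into the name. Everything here is constructed: the DNS tables, the hostnames, the realm, and the set of principals the KDC holds keys for. The three-component shape `service/hostname/domain@REALM` for the domain-based principal is an assumption modelled on the mapping the second draft specifies; check the drafts for the exact form.

```python
# Constructed model of the two naming strategies from the thread.
# Nothing here talks to a real resolver or KDC.

SERVICE = "xmpp"
REALM = "EXAMPLE.ORG"  # constructed realm

# Constructed: what an untampered resolver returns for example.org.
HONEST_DNS = {
    "srv": {
        "_xmpp-client._tcp.example.org": [
            # (priority, weight, port, target)
            (10, 5, 5222, "jabber-a.example.org"),
            (20, 5, 5222, "jabber-b.example.org"),
        ]
    },
    # Aliases that the client's canonicalization step follows.
    "cname": {
        "jabber-a.example.org": "xmpp1.example.org",
        "jabber-b.example.org": "xmpp2.example.org",
    },
}

# Constructed: the same lookup answered by a resolver the client should
# not trust, steering the SRV target to a host outside example.org.
TAMPERED_DNS = {
    "srv": {"_xmpp-client._tcp.example.org": [(10, 5, 5222, "relay.attacker.test")]},
    "cname": {},
}

# Constructed: principals the realm's KDC has keys for.  The outside host
# holds an ordinary host-based key for itself, so it can answer for
# "xmpp/relay.attacker.test", but it was never issued a key whose domain
# component is example.org.  Each legitimate server has its own key; no
# shared "xmpp/example.org" key is needed.
KDC_KEYS = {
    f"{SERVICE}/xmpp1.example.org@{REALM}",
    f"{SERVICE}/xmpp2.example.org@{REALM}",
    f"{SERVICE}/relay.attacker.test@{REALM}",
    f"{SERVICE}/xmpp1.example.org/example.org@{REALM}",
    f"{SERVICE}/xmpp2.example.org/example.org@{REALM}",
    f"{SERVICE}/relay.attacker.test/attacker.test@{REALM}",
}


def resolve_srv(dns, domain, service="xmpp-client", proto="tcp"):
    """Return (target, port) pairs ordered by priority, lowest first."""
    records = dns["srv"].get(f"_{service}._{proto}.{domain}", [])
    return [(target, port) for _prio, _weight, port, target in sorted(records)]


def canonicalize(dns, host, limit=8):
    """Follow CNAME aliases to the canonical hostname, as the clients in the thread do."""
    for _ in range(limit):
        if host not in dns["cname"]:
            return host
        host = dns["cname"][host]
    raise ValueError("CNAME chain too long")


def host_based_principal(dns, domain):
    """Behaviour described in the thread: the principal is whatever DNS says the
    canonical name of the first SRV target is, so DNS alone picks the peer."""
    target, _port = resolve_srv(dns, domain)[0]
    return f"{SERVICE}/{canonicalize(dns, target)}@{REALM}"


def domain_based_principal(dns, domain):
    """Domain-based name (assumed shape service/hostname/domain@REALM): the host
    still comes from DNS, but the domain the user typed is part of the name."""
    target, _port = resolve_srv(dns, domain)[0]
    return f"{SERVICE}/{canonicalize(dns, target)}/{domain}@{REALM}"


def kdc_can_issue_ticket(principal):
    """The KDC only issues a service ticket for a principal it holds a key for."""
    return principal in KDC_KEYS


def compare(dns, domain):
    """For both strategies, report the principal the client would request and
    whether the KDC would issue a ticket for it."""
    host = host_based_principal(dns, domain)
    dom = domain_based_principal(dns, domain)
    return {
        "host_based": (host, kdc_can_issue_ticket(host)),
        "domain_based": (dom, kdc_can_issue_ticket(dom)),
    }


def all_servers_accepted(dns, domain):
    """Every legitimate SRV target must be reachable with its own per-host
    domain-based key; answers the multi-server question without shared keys."""
    return all(
        kdc_can_issue_ticket(f"{SERVICE}/{canonicalize(dns, t)}/{domain}@{REALM}")
        for t, _port in resolve_srv(dns, domain)
    )


if __name__ == "__main__":
    for label, view in (("honest", HONEST_DNS), ("tampered", TAMPERED_DNS)):
        print(label, compare(view, "example.org"))
    print("all example.org servers accepted:", all_servers_accepted(HONEST_DNS, "example.org"))
```

With the honest view both strategies yield a principal the KDC knows. With the tampered view the host-based client asks for `xmpp/relay.attacker.test`, which the KDC happily issues because that host legitimately owns that key, so Kerberos reports success against the wrong party. The domain-based client asks for `xmpp/relay.attacker.test/example.org`, which no one holds a key for, so the connection fails instead of succeeding silently; the domain the user named is what gets authenticated, not the answer DNS produced.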


