Proposal for using NAPTR/URI records

Petr Spacek pspacek at redhat.com
Fri Feb 27 07:40:17 EST 2015


On 26.2.2015 20:30, Greg Hudson wrote:
> On 02/26/2015 01:07 PM, Nathaniel McCallum wrote:
>> My main concern for not finding this compelling is that if the realm 
>> has SRV records it means the realm owners have (at least some) 
>> influence over DNS. Given that assumption, if the failed URI lookup is 
>> problematic, they can just replace the SRV records with a URI record 
>> since they have influence over DNS.
> 
> I have three concerns about this line of reasoning:
> 
> 1. Is this true for the average Active Directory domain?  I don't really
> know how DNS for Active Directory typically works.

From my experience you are free to edit any AD-generated DNS records as long
as you have appropriate permissions (= Administrator).

To verify this, I just tried to add arbitrary _kerberos records to AD domain
on Windows Server 2012 and 2008R2 and it worked and survived reboot.

> 2. This argument assumes that the relevant DNS server implements the URI
> record type.  The record type was registered in 2011; I don't know what
> proportion of running servers can support it (or will be able to in a year).

First of all, RFC 3597 from 2003 mandates support for arbitrary record types.
To be sure, I again did some experiments with an AD domain running on Windows
Server 2012 and 2008R2.

1) The AD DNS user interface really sucks - it does not allow you to *click*
and add record types which Microsoft did not bless.

2) Luckily, the servers I tested are to some degree RFC 3597 compliant and allowed
me to add a URI record using the standard DNS update protocol. I did that using the
nsupdate command from the bind-utils package:

$ nsupdate
update add _kerberos.tbad2.idm.lab.eng.brq.redhat.com. 666 IN URI 10 1 "http://kdc.example.com:1234/local-part"
send

It worked: The new URI record is visible over DNS, it is shown in AD DNS user
interface, and it survived AD server reboots.

$ dig @10.34.47.166 _kerberos.tbad2.idm.lab.eng.brq.redhat.com. URI
;; ANSWER SECTION:
_kerberos.tbad2.idm.lab.eng.brq.redhat.com. 666	IN URI 10 1 "kdc:kdc.example.com:88/udp"
_kerberos.tbad2.idm.lab.eng.brq.redhat.com. 666	IN URI 10 1 "kdc:kdc.example.com:88/tcp"
_kerberos.tbad2.idm.lab.eng.brq.redhat.com. 666	IN URI 10 1 "http://kdc.example.com:1234/local-part"

> 3. There is likely to be some amount of "why are you forcing me to make
> this change when things worked fine before?"  The benefit of reducing
> two SRV queries to one URI query might or might not mitigate that.  If
> this were the only concern, I might weight it lower than the potential
> benefits of treating URI as canonical.  But at this moment it is not my
> only concern.

Given that at least AD 2008R2 can handle URI record type, what are the other
concerns? (Yes, the user interface sucks, but this is not limited to DNS in
any way :-))

-- 
Petr^2 Spacek
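The message above leans on two mechanisms: the URI record format (RFC 7553, type code 256: 16-bit priority, 16-bit weight, then the target as UTF-8 octets) and RFC 3597, which obliges servers to accept record types they do not know when the RDATA is given in the generic `\# <length> <hex>` syntax. The following Python is an added example, not code from the thread or from the Kerberos project: it encodes and decodes URI RDATA, renders the same record either with the `URI` mnemonic (as in the nsupdate session above) or as `TYPE256` with RFC 3597 hex for a server whose parser lacks the mnemonic, validates the declared octet count when reading generic syntax back, and orders candidate targets by priority and weight on the client side. The owner names and the `kdc:` scheme values are taken from the thread; `order_targets` is a deterministic simplification of the weighted selection SRV clients perform and is labelled as such.

```python
"""Added example (not from the thread): build, encode and decode DNS URI
records (RFC 7553, type code 256) and render them in the RFC 3597 generic
syntax that a server without URI support must still accept."""
import struct

URI_TYPE_CODE = 256  # IANA type code assigned to URI by RFC 7553


def encode_uri_rdata(priority, weight, target):
    """Wire-format RDATA: 16-bit priority, 16-bit weight, UTF-8 target."""
    for name, value in (("priority", priority), ("weight", weight)):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} must fit in 16 bits, got {value}")
    target_bytes = target.encode("utf-8")
    if not target_bytes:
        raise ValueError("target must not be empty")
    return struct.pack("!HH", priority, weight) + target_bytes


def decode_uri_rdata(rdata):
    """Inverse of encode_uri_rdata; rejects RDATA too short to hold a target."""
    if len(rdata) < 5:
        raise ValueError(f"URI RDATA needs at least 5 octets, got {len(rdata)}")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return priority, weight, rdata[4:].decode("utf-8")


def to_generic(rdata):
    r"""RFC 3597 section 5 presentation form: '\# <octet count> <hex>'."""
    return r"\# %d %s" % (len(rdata), rdata.hex())


def from_generic(text):
    r"""Parse '\# <len> <hex...>' back to RDATA, checking the declared length."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic syntax")
    declared = int(fields[1])
    data = bytes.fromhex("".join(fields[2:]))  # hex may be split by whitespace
    if len(data) != declared:
        raise ValueError(f"declared {declared} octets but found {len(data)}")
    return data


def nsupdate_add(owner, ttl, priority, weight, target, generic=False):
    """One 'update add' line for nsupdate. With generic=True the record is
    written as TYPE256 plus RFC 3597 hex, which a server must accept even
    when its zone parser has no 'URI' mnemonic."""
    if generic:
        rdata = encode_uri_rdata(priority, weight, target)
        return f"update add {owner} {ttl} IN TYPE{URI_TYPE_CODE} {to_generic(rdata)}"
    if '"' in target or "\\" in target:
        # Quoting rules for these characters are not handled here.
        raise ValueError("quote or backslash in target; use generic=True")
    return f'update add {owner} {ttl} IN URI {priority} {weight} "{target}"'


def order_targets(records):
    """Client-side ordering of (priority, weight, target) tuples: lowest
    priority first; within a priority, higher weight first. This is a
    deterministic stand-in (assumption) for the weighted random selection
    that SRV-style clients perform."""
    return [t for _, _, t in sorted(records, key=lambda r: (r[0], -r[1]))]


if __name__ == "__main__":
    owner = "_kerberos.tbad2.idm.lab.eng.brq.redhat.com."  # owner name from the thread
    for target in ("kdc:kdc.example.com:88/udp", "kdc:kdc.example.com:88/tcp"):
        print(nsupdate_add(owner, 666, 10, 1, target))
        print(nsupdate_add(owner, 666, 10, 1, target, generic=True))
    rdata = encode_uri_rdata(10, 1, "http://kdc.example.com:1234/local-part")
    print(decode_uri_rdata(from_generic(to_generic(rdata))))
```

Feeding the `generic=True` lines to nsupdate is the portable path when a server rejects the `URI` mnemonic; a `dig ... TYPE256` query returns the same `\#` form from a server that stores but does not understand the type, and `from_generic` plus `decode_uri_rdata` turns that back into something a client can act on.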


More information about the krbdev mailing list