Proposal for using NAPTR/URI records
simo at redhat.com
Fri Feb 27 17:52:59 EST 2015
On Fri, 2015-02-27 at 16:43 -0500, Nathaniel McCallum wrote:
> On Fri, 2015-02-27 at 16:17 -0500, Benjamin Kaduk wrote:
> > On Fri, 27 Feb 2015, Nico Williams wrote:
> > > On Fri, Feb 27, 2015 at 10:52 AM, Simo Sorce <simo at redhat.com>
> > > wrote:
> > > > On Fri, 2015-02-27 at 10:38 -0600, Nico Williams wrote:
> > > > > I think this adds up to: multiple DNS queries, with some local
> > > > > configuration will be needed to decide on a DNS query order.
> > > >
> > > > My preference would be to implement the URI protocol, but not
> > > > enable querying for it by default in 1.14, add a tunable in
> > > > [libdefaults ] called something like dns_uri_lookup_kdc =
> > > > false|true|only and set it to false by default, change it to
> > > > true later on ? (let downstream change the default if they so
> > > > desire)
> > >
> > > Yes, this. Eventually this should be enabled by default. We can
> > > give sites a couple of years to move to URI RRs instead of SRV RRs.
> > That seems a reasonable and realistic way to effect such a
> > transition, yes.
> I agree that this seems like the best solution.
> However, the devil is in the details. What do you mean by "the URI
> protocol"? Does this include TCP and UDP expressed as URIs? Does URI
> take precedence over SRV when enabled?
My thinking is that URI includes both http as well as tcp and udp
endpoints optionally. If the URI is present and dns_uri_lookup_kdc is
not set to "only" then the URI values are tried; if all URIs in there
fail then SRV is also looked up and tried.
If no URI record is present, SRV records are looked up.
If dns_uri_lookup_kdc is set to "only" and URI does not exist or the
servers pointed to by the record fail, then no fallback to SRV is done.
> Does enablement/disablement need to be a configuration option? Or is a
> build option sufficient? I'd hate to create a permanent option for a
> temporary purpose.
Must be a configuration option; you do not know what admins can do on
their network and we cannot assume they can change DNS one way or another,
so they need to be able to tweak krb5.conf to conform to whatever their
network allows/offers w/o suffering the penalty of a failed lookup if they
do not want to. A default can be set at build time of course.
Simo Sorce * Red Hat, Inc * New York
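The lookup policy Simo sketches above (a dns_uri_lookup_kdc tunable taking false, true or only; URI records tried first, SRV as a fallback unless "only" is set) is small enough to write down as a worked example. The following is added here for illustration and is not code from the krb5 project or from anyone in the thread; the realm names, record contents, the endpoint URI forms and the in-memory resolver are all constructed stand-ins, and the real format of a Kerberos URI record is not something the thread defines.

```python
"""Model of the proposed KDC location policy: URI records first, SRV as
fallback, controlled by a dns_uri_lookup_kdc tunable (false|true|only).
Added example; not krb5 code. DNS data below is constructed."""
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed stand-in for DNS: realm -> URI record targets and SRV targets.
# The endpoint strings are hypothetical; they only need to be distinguishable.
SAMPLE_URI: Dict[str, List[str]] = {
    "EXAMPLE.COM": [
        "https://kdc-proxy.example.com/KdcProxy",  # http endpoint via URI RR
        "tcp://kdc1.example.com:88",               # tcp endpoint via URI RR
        "udp://kdc1.example.com:88",               # udp endpoint via URI RR
    ],
}
SAMPLE_SRV: Dict[str, List[str]] = {
    "EXAMPLE.COM": ["tcp://kdc1.example.com:88", "udp://kdc2.example.com:88"],
    "LEGACY.EXAMPLE": ["tcp://kdc.legacy.example:88"],  # realm with SRV only
}

VALID_SETTINGS = ("false", "true", "only")


def lookup_uri(realm: str) -> List[str]:
    """Stand-in for a URI RR query against the constructed data."""
    return list(SAMPLE_URI.get(realm, []))


def lookup_srv(realm: str) -> List[str]:
    """Stand-in for an SRV RR query against the constructed data."""
    return list(SAMPLE_SRV.get(realm, []))


class LookupResult(NamedTuple):
    endpoint: Optional[str]   # first endpoint that answered, or None
    tried: List[str]          # every endpoint contacted, in order
    queries: List[str]        # DNS record types queried, in order


def locate_kdc(realm: str,
               dns_uri_lookup_kdc: str,
               reachable: Callable[[str], bool],
               uri_lookup: Callable[[str], List[str]] = lookup_uri,
               srv_lookup: Callable[[str], List[str]] = lookup_srv) -> LookupResult:
    """Apply the false|true|only policy and return what was tried and what won.

    false: never query URI; go straight to SRV.
    true:  query URI, try each target; if none answers (or none exist), fall
           back to SRV.
    only:  query URI, try each target; never fall back to SRV.
    """
    setting = dns_uri_lookup_kdc.strip().lower()
    if setting not in VALID_SETTINGS:
        raise ValueError("dns_uri_lookup_kdc must be one of %s" % (VALID_SETTINGS,))

    tried: List[str] = []
    queries: List[str] = []

    if setting != "false":
        queries.append("URI")
        for endpoint in uri_lookup(realm):
            tried.append(endpoint)
            if reachable(endpoint):
                return LookupResult(endpoint, tried, queries)
        if setting == "only":
            # No SRV fallback in "only" mode, whether URI was absent or failed.
            return LookupResult(None, tried, queries)

    queries.append("SRV")
    for endpoint in srv_lookup(realm):
        tried.append(endpoint)
        if reachable(endpoint):
            return LookupResult(endpoint, tried, queries)
    return LookupResult(None, tried, queries)


if __name__ == "__main__":
    # Constructed reachability: only the SRV-advertised udp KDC answers.
    up = {"udp://kdc2.example.com:88"}.__contains__
    for mode in VALID_SETTINGS:
        r = locate_kdc("EXAMPLE.COM", mode, up)
        print("%-5s queries=%-14s tried=%d -> %s" % (mode, r.queries, len(r.tried), r.endpoint))
```

The `queries` list makes the cost that Nico mentions visible: in "true" mode a realm that publishes no URI record still pays for the URI query before the SRV query, which is the penalty Simo wants admins to be able to opt out of via the tunable rather than via a build-time switch alone.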