Kerberos transport DNS record design

Petr Spacek pspacek at redhat.com
Wed Jun 1 10:31:18 EDT 2016


On 31.5.2016 22:20, Greg Hudson wrote:
> On 05/31/2016 03:13 PM, Nathaniel McCallum wrote:
>>     _kerberos-adm.REALM
>>     _kerberos.REALM
>>     _kpasswd.REALM
> 
> _kerberos.REALM TXT is currently used to look up the realm of a hostname
> (see lib/krb5/os/hostrealm_dns.c), so we should use a different prefix
> label, like _krb5kdc or _kdc.
> 
> I have no other objections.

Oh wait, I just realized that a custom format in a TXT RR will break one important
use-case in FreeIPA.

FreeIPA v4.4 is going to have the ability to tailor SRV record priorities based on
the server's and client's location, so clients will prefer nearby servers without any
configuration on the client side.

To do so, FreeIPA needs to have access to the fields 'priority' and 'server
name' in the RR, so that the server name can be mapped to a location name and the
priority associated with it.

In the case of SRV it is easy because the RR format is standardized and DNS libraries
can work with it directly.

A custom format inside a TXT record will take away this simplicity, and every
single system that wants to do something similar will have to implement a
parser for the custom format.

For me as an implementer this is a major downside of the TXT approach.

-- 
Petr Spacek  @  Red Hat
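As an added illustration of the point made in this message (example code, not part of the thread, of MIT Kerberos or of FreeIPA): the RFC 2782 SRV RDATA layout gives a consumer the priority, weight, port and target directly, so a location-based re-prioritization can be built on a few lines of standard parsing. The two `_kerberos._udp` records, the server-to-location map and the "same location sorts first" scheme are constructed assumptions for the example, not FreeIPA's actual algorithm.

```python
import struct

def encode_name(name):
    """Encode a dotted DNS name as an uncompressed label sequence."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def parse_name(data, offset):
    """Decode an uncompressed label sequence; returns (name, next_offset)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset + 1

def parse_srv_rdata(rdata):
    """RFC 2782 SRV RDATA: three 16-bit fields (priority, weight, port)
    followed by the target name. Nothing beyond this is needed to reach
    the 'priority' and 'server name' fields the message refers to."""
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    target, _ = parse_name(rdata, 6)
    return {"priority": priority, "weight": weight, "port": port, "target": target}

def localize_priorities(records, server_location, client_location):
    """Rewrite priorities so KDCs in the client's location are tried first.
    Lower priority wins per RFC 2782. The scheme is an assumption for this
    example: same-location servers get 0, all others keep priority + 100."""
    out = []
    for rec in records:
        rec = dict(rec)
        loc = server_location.get(rec["target"])
        rec["priority"] = 0 if loc == client_location else rec["priority"] + 100
        out.append(rec)
    return sorted(out, key=lambda r: (r["priority"], -r["weight"]))

# Constructed sample data: two _kerberos._udp SRV RRs and a location map.
SAMPLE_RDATA = [
    struct.pack("!HHH", 10, 50, 88) + encode_name("kdc1.example.com."),
    struct.pack("!HHH", 10, 50, 88) + encode_name("kdc2.example.com."),
]
SERVER_LOCATION = {"kdc1.example.com.": "prague", "kdc2.example.com.": "brno"}

def kdc_order_for(client_location):
    """Parse the sample SRV RRs and return the targets in the order a client
    at client_location would try them after localization."""
    parsed = [parse_srv_rdata(r) for r in SAMPLE_RDATA]
    ranked = localize_priorities(parsed, SERVER_LOCATION, client_location)
    return [r["target"] for r in ranked]

if __name__ == "__main__":
    print(kdc_order_for("brno"))
```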
