Kerberos transport DNS record design

Greg Hudson ghudson at mit.edu
Wed Jun 1 11:33:22 EDT 2016


On 06/01/2016 10:49 AM, Matt Rogers wrote:
> The wiki page should be up to speed now. I added some additional notes
> about priority and fallback behavior that were discussed in IRC. A
> quick review would be appreciated.
> 
> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

* I'm not sure the term "discovery" is correct, since we know a realm
name and are just trying to figure out how to contact it.  (Compare to
"discover the printers available on my local network.")

* The TXT payload is not formatted using a URI.  We believe we could
transition to URI by creating a new URI scheme and stuffing everything
after the weight into the residual part of the URI.  But there is no URI
scheme in the payload, and we don't plan to register this URI scheme
until we need it.

* The 'M' (master) flag is only relevant to KDC lookups, but other
future flags might not be.  So saying that the flags field is ignored
for kadmin and kpasswd lookups is problematic.

* I wouldn't bother describing the "tls" transport.  It was just an
example of a possible future transport.

* There is no currently defined or implemented http transport for
MS-KKDCP (there is only https).

* I would just specify that priority and weight are as defined in RFC
2782, and that weight may or may not be implemented while priority must be.

Also, we should explicitly decide whether flag letters are
case-sensitive.  In a side conversation on IRC, Simo argued that DNS
data is traditionally case-insensitive.  I don't have an opinion.
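As an added illustration of the RFC 2782 priority/weight rules the message points to (example code written for this page, not code from krb5 or the wiki), the function below orders candidate records the way a client would try them: priority first, which every implementation must honour, and weighted random selection within a priority only when the implementer chooses to support weight. Records are modelled as (priority, weight, target) tuples; the target string is opaque and the rest of the TXT payload layout is deliberately not modelled.

```python
from typing import List, Tuple

# Constructed representation: only the fields RFC 2782 selection needs.
# The target is an opaque string standing in for whatever follows the
# weight in the record; its layout is not modelled here.
Record = Tuple[int, int, str]


def order_by_rfc2782(records: List[Record], rng, use_weight: bool = True) -> List[str]:
    """Return targets in the order a client should contact them.

    Lower priority values are tried first; this part is mandatory.
    Within one priority value, targets are drawn by the RFC 2782
    weighted random procedure when use_weight is True. With
    use_weight=False the weights are ignored and records keep their
    input order, which is the minimal implementation the message
    describes as permitted. `rng` needs only a randint(a, b) method
    returning an integer in the inclusive range [a, b].
    """
    ordered: List[str] = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        if not use_weight:
            ordered.extend(r[2] for r in group)
            continue
        # RFC 2782: weight-0 entries are placed at the front so they are
        # chosen only when the random number is 0 (stable sort keeps order).
        group.sort(key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(group):
                running += r[1]
                # First record whose running sum reaches the pick wins.
                if running >= pick:
                    ordered.append(r[2])
                    del group[i]
                    break
    return ordered
```

With several records at the same priority, a weight-only-ignoring client always walks them in the order the resolver returned them, so load spreading across KDCs depends on whether weight was implemented at all.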
