Kerberos transport DNS record design

Greg Hudson ghudson at
Thu May 26 13:10:08 EDT 2016

On 05/26/2016 12:24 PM, Nathaniel McCallum wrote:
> How likely is this failure from non-master KDCs due to synchronization
> issues? Is this a real historical problem? Does this problem persist
> today?

Any site with a non-trivial replication delay can be affected by this
problem whenever users change their passwords.  It is a real historical
problem, and it persists as a concern for the MIT KDC deployment.  I
don't have a lot of visibility into other deployments, but we have
received a request within the last few years to expand the master
fallback to TGS requests.

> Does anyone else implement this logic?

I don't see any evidence that Heimdal implements it, so we may be the
only one.  It's a legitimate question how Heimdal gets away with not
implementing this fallback.  If you list your master KDC first in the
KDC list, then the frequency of kinit failures after a password change
goes way down, but I've measured as high as a 1% fallback rate in the
MIT Kerberos deployment when the master KDC is operational.

I don't think we're currently in a position to simplify out this part of
the initial creds design.  Complexity, once added, is hard to safely remove.

I forgot to comment on some parts of your initial reply:

> It is my preference to support a future migration to URI, even if we
> grant that such a transition is vanishingly unlikely.

The main cost here is registering one or more URI schemes, unless we
decide to shoehorn our responses into existing schemes.  See RFC 7595
for the procedures involved.  It also makes the DNS responses slightly
larger since the URI scheme (completely predictable if we register our
own) needs to appear in each record.

> Is there any value in having a single query return both kpasswd and
> kadmin? If so, then I think separate schemes are desirable.

I don't think there is any value in including kpasswd and kadmin entries
in the same record.  While we do fall back from kpasswd to port-changed
kadmin when locating kpasswd servers, this is only a provision for
realms with misconfigured DNS.
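The master-KDC fallback described above, as an added illustration that is not part of the original message or of MIT krb5: a replica that has not yet received a password change still holds the old key, the client's AS-REQ fails preauthentication there, and the client retries against the master. The KDC names, the kvno-based model and the single triggering error code are simplifications constructed for this example.

```python
"""Constructed model of the master-KDC fallback (not MIT krb5 code).
Each KDC stores the key version number (kvno) it holds for a user.  A
replica that has not yet received a password change keeps the old kvno,
so a client keyed from the new password fails preauthentication there
and succeeds only against the master."""
from dataclasses import dataclass

# Simplification: real clients fall back on several KDC error codes;
# this model uses only the preauth failure.
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"


@dataclass
class Kdc:
    name: str
    is_master: bool
    kvno: int  # key version this KDC believes the user has


def as_req(kdc, client_kvno):
    """One AS exchange: None on success, else the KDC error string."""
    return None if client_kvno == kdc.kvno else PREAUTH_FAILED


def get_init_creds(kdcs, client_kvno, master_fallback=True):
    """Send the AS-REQ to the first KDC in the configured list.  With
    master_fallback, a preauth failure from a non-master is retried once
    against the master.  Returns (kdc_used, fell_back); raises otherwise."""
    first = kdcs[0]
    err = as_req(first, client_kvno)
    if err is None:
        return first.name, False
    if master_fallback and err == PREAUTH_FAILED and not first.is_master:
        master = next((k for k in kdcs if k.is_master), None)
        if master is not None and as_req(master, client_kvno) is None:
            return master.name, True
    raise RuntimeError(f"{first.name}: {err}")


def demo():
    # Password just changed on the master (kvno 2); replica still at kvno 1.
    master, replica = Kdc("kdc-master", True, 2), Kdc("kdc-replica", False, 1)
    results = {"replica_first": get_init_creds([replica, master], 2),
               "master_first": get_init_creds([master, replica], 2)}
    try:  # client without master fallback: kinit fails at the stale replica
        get_init_creds([replica, master], 2, master_fallback=False)
    except RuntimeError as e:
        results["no_fallback"] = str(e)
    return results
```

Listing the master first avoids the extra round trip, which is the ordering effect the message describes; the fallback still matters for any client whose first answering KDC is a lagging replica.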
