diff options
Diffstat (limited to 'crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt')
-rw-r--r-- | crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt | 250 |
1 files changed, 0 insertions, 250 deletions
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt b/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt deleted file mode 100644 index e76a0e4..0000000 --- a/crypto/heimdal/doc/standardisation/draft-ietf-cat-krb-dns-locate-00.txt +++ /dev/null @@ -1,250 +0,0 @@ -INTERNET-DRAFT Ken Hornstein -<draft-ietf-cat-krb-dns-locate-00.txt> NRL -June 21, 1999 Jeffrey Altman -Expires: December 21, 1999 Columbia University - - Distributing Kerberos KDC and Realm Information with DNS - -Status of this Memo - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet- Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - Distribution of this memo is unlimited. It is filed as <draft-ietf- - cat-krb-dns-locate-00.txt>, and expires on December 21, 1999. Please - send comments to the authors. - -Abstract - - Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- - col [RFC????] describe any mechanism for clients to learn critical - configuration information necessary for proper operation of the pro- - tocol. Such information includes the location of Kerberos key dis- - tribution centers or a mapping between DNS domains and Kerberos - realms. - - Current Kerberos implementations generally store such configuration - information in a file on each client machine. Experience has shown - this method of storing configuration information presents problems - with out-of-date information and scaling problems, especially when - -Hornstein, Altman [Page 1] - -RFC DRAFT June 21, 1999 - - using cross-realm authentication. - - This memo describes a method for using the Domain Name System - [RFC1035] for storing such configuration information. Specifically, - methods for storing KDC location and hostname/domain name to realm - mapping information are discussed. - -Overview - KDC location information - - KDC location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kerberos is always "_kerberos". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_udp" record MUST be included. If the Kerberos implementa- - tion supports TCP transport, a "_tcp" record SHOULD be included. - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - KDC location information - - These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- - beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be - directed to kdc1.asdf.com first as per the specified priority. - Weights are not used in these records. - - _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. - -Overview - KAdmin location information - - Kadmin location information is to be stored using the DNS SRV RR [RFC - 2052]. The format of this RR is as follows: - - Service.Proto.Realm TTL Class SRV Priority Weight Port Target - - The Service name for Kadmin is always "_kadmin". - - The Proto can be either "_udp" or "_tcp". If these records are to be - used, a "_tcp" record MUST be included. If the Kadmin implementation - supports UDP transport, a "_udp" record SHOULD be included. - -Hornstein, Altman [Page 2] - -RFC DRAFT June 21, 1999 - - The Realm is the Kerberos realm that this record corresponds to. - - TTL, Class, SRV, Priority, Weight, Port, and Target have the standard - meaning as defined in RFC 2052. - -Example - Kadmin location information - - These are DNS records for a Kerberos realm ASDF.COM. It has one Kad- - min server, kdc1.asdf.com. - - _kadmin._tcp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. - -Overview - Hostname/domain name to Kerberos realm mapping - - Information on the mapping of DNS hostnames and domain names to Ker- - beros realms is stored using DNS TXT records [RFC 1035]. These - records have the following format. - - Service.Name TTL Class TXT Realm - - The Service field is always "_kerberos", and prefixes all entries of - this type. - - The Name is a DNS hostname or domain name. This is explained in - greater detail below. - - TTL, Class, and TXT have the standard DNS meaning as defined in RFC - 1035. - - The Realm is the data for the TXT RR, and consists simply of the Ker- - beros realm that corresponds to the Name specified. - - When a Kerberos client wishes to utilize a host-specific service, it - will perform a DNS TXT query, using the hostname in the Name field of - the DNS query. If the record is not found, the first label of the - name is stripped and the query is retried. - - Compliant implementations MUST query the full hostname and the most - specific domain name (the hostname with the first label removed). - Compliant implementations SHOULD try stripping all subsequent labels - until a match is found or the Name field is empty. - -Example - Hostname/domain name to Kerberos realm mapping - - For the previously mentioned ASDF.COM realm and domain, some sample - records might be as follows: - - _kerberos.asdf.com. IN TXT "ASDF.COM" - -Hornstein, Altman [Page 3] - -RFC DRAFT June 21, 1999 - - _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" - _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM" - - Let us suppose that in this case, a Kerberos client wishes to use a - Kerberized service on the host foo.asdf.com. It would first query: - - _kerberos.foo.asdf.com. IN TXT - - Finding no match, it would then query: - - _kerberos.asdf.com. IN TXT - - And find an answer of ASDF.COM. This would be the realm that - foo.asdf.com resides in. - - If another Kerberos client wishes to use a Kerberized service on the - host salesserver.asdf.com, it would query: - - _kerberos.salesserver.asdf.com IN TXT - - And find an answer of SALES.ASDF.COM. - -Security considerations - - As DNS is deployed today, it is an unsecure service. Thus the infor- - mation returned by it cannot be trusted. However, the use of DNS to - store this configuration information does not introduce any new secu- - rity risks to the Kerberos protocol. - - Current practice is to use hostnames to indicate KDC hosts (stored in - some implementation-dependent location, but generally a local config - file). These hostnames are vulnerable to the standard set of DNS - attacks (denial of service, spoofed entries, etc). The design of the - Kerberos protocol limits attacks of this sort to denial of service. - However, the use of SRV records does not change this attack in any - way. They have the same vulnerabilities that already exist in the - common practice of using hostnames for KDC locations. - - The same holds true for the TXT records used to indicate the domain - name to realm mapping. Current practice is to configure these map- - pings locally. But this again is vulnerable to spoofing via CNAME - records that point to hosts in other domains. This has the same - effect as a spoofed TXT record. - - While the described protocol does not introduce any new security - risks to the best of our knowledge, implementations SHOULD provide a - way of specifying this information locally without the use of DNS. - However, to make this feature worthwhile a lack of any configuration - -Hornstein, Altman [Page 4] - -RFC DRAFT June 21, 1999 - - information on a client should be interpretted as permission to use - DNS. - -Expiration - - This Internet-Draft expires on December 21, 1999. - -References - - [RFC1510] - The Kerberos Network Authentication System; Kohl, Newman; Sep- - tember 1993. - - [RFC1035] - Domain Names - Implementation and Specification; Mockapetris; - November 1987 - - [RFC2052] - A DNS RR for specifying the location of services (DNS SRV); Gul- - brandsen, Vixie; October 1996 - -Authors' Addresses - - Ken Hornstein - US Naval Research Laboratory - Bldg A-49, Room 2 - 4555 Overlook Avenue - Washington DC 20375 USA - - Phone: +1 (202) 404-4765 - EMail: kenh@cmf.nrl.navy.mil - - Jeffrey Altman - The Kermit Project - Columbia University - 612 West 115th Street #716 - New York NY 10025-7799 USA - - Phone: +1 (212) 854-1344 - EMail: jaltman@columbia.edu - -Hornstein, Altman [Page 5] |