Internet Engineering Task Force | N. McCallum |
Internet-Draft | Red Hat, Inc. |
Updates: 4120 (if approved) | March 5, 2015 |
Intended status: Standards Track | |
Expires: September 6, 2015 |
Kerberos Service Discovery using DNS
draft-mccallum-kitten-krb-service-discovery-00
This document proposes defines a new mechanism for discovering Kerberos services using DNS. This new mechanism extends the mechanism already defined in Kerberos V5 [RFC4120] and has four goals. First, reduce the number of DNS queries required to discover a Kerberos KDC. Second, provide DNS administrators more control over client behavior. Third, provide support for discovery of the MS-KKDCP transport. Fourth, define a discovery procedure for Kerberos password services.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Section 7.2.3 of Kerberos V5 [RFC4120] defines a procedure for discovering a KDC based on DNS SRV records. This method has three drawbacks. First, two DNS queries are required to locate a single service (one for UDP and one for TCP). Second, specifying UDP and TCP in separate records means that the DNS administrator has no control over client preferences for TCP or UDP. Third, any new transports for reaching the KDC (such as MS-KKDCP) will require new records and additional DNS queries.
The Kerberos Password [RFC3244] protocol has no defined procedure for discovery similar to the KDC method described above. Implementations have largely chosen a similar method to section 7.2.3 of Kerberos V5 [RFC4120], inheriting the same drawbacks outlined above.
This RFC defines two new URI DNS records [I-D.faltstrom-uri]; one each for KDC and Kerberos Password service discovery.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This document does not define a new mechanism for translating Kerberos realms to DNS domains. The existing mechanism as defined in section 7.2.3.1 of Kerberos V5 [RFC4120] MUST be followed.
The following URI formats MUST be supported by clients. These formats indicate support for the standard UDP and TCP transports. The port number is optional. If the port is not specified, the client MUST default to the standard port of the service.
udp://host[:port]
tcp://host[:port]
The following URI formats MAY be supported by clients.
These URIs indicate support for the MS-KKDCP [MS-KKDCP] protocol. The port number is optional. If the port is not specified, the client MUST default to the standard port of the service. The path is also optional. If the path is not specified, the client MUST default to '/'. Please note that this differs from the default path specified in section 2.1 of MS-KKDCP [MS-KKDCP].
http://host[:port][path]
https://host[:port][path]
In order to discover a KDC service location, the client MUST query the following URI DNS [I-D.faltstrom-uri] record (REALM indicates the translation of the Kerberos realm to a DNS domain):
_kerberos.REALM
TTL, Class, URI, Priority, Weight and Target have the standard meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type [I-D.faltstrom-uri]. Target SHOULD contain one of the URI formats specified in this document.
In order to discover a password service location, the client MUST query the following URI DNS [I-D.faltstrom-uri] record (REALM indicates the translation of the Kerberos realm to a DNS domain):
_kpasswd.REALM
TTL, Class, URI, Priority, Weight and Target have the standard meanings as defined in RFC 2782 [RFC2782] and the URI DNS record type [I-D.faltstrom-uri]. Target SHOULD contain one of the URI formats specified in this document.
If an existing discovery protocol is supported by a client, the client SHOULD perform the URI lookup as defined in this document first. If no URI record is found, the client MAY attempt discovery using another protocol.
[I-D.faltstrom-uri] | Fältström, P. and O. Kolkman, "The Uniform Resource Identifier (URI) DNS Resource Record", Internet-Draft draft-faltstrom-uri-12, March 2015. |
[MS-KKDCP] | Microsoft, "[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol", May 2014. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC2782] | Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. |
[RFC3244] | Swift, M., Trostle, J. and J. Brezak, "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols", RFC 3244, February 2002. |
[RFC4120] | Neuman, C., Yu, T., Hartman, S. and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, July 2005. |
Simo Sorce (Red Hat) Nico Williams (Oracle)