Internet DRAFT - draft-ietf-nfsv4-dns-rr
draft-ietf-nfsv4-dns-rr
Network Working Group R. Mesta
Internet-Draft Sun Microsystems, Inc.
Expires: April 15, 2006 Oct 12, 2005
A DNS RR for NFSv4 ID Domains
draft-ietf-nfsv4-dns-rr-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 15, 2006.
Abstract
This document describes a new DNS Resource Record (RR) type that will
be utilized by NFSv4 clients and servers to determine the domain
string to utilize for on-the-wire user/group name attributes and ACL
entry information. Discussion and suggestions for improvements
requested.
Mesta Expires April 15, 2006 [Page 1]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. NFS4ID Resource Record Definition . . . . . . . . . . . . . . 4
3. Example: Using the NFS4ID RR . . . . . . . . . . . . . . . . . 5
3.1. NFS4ID: RR Unavailable . . . . . . . . . . . . . . . . . . 5
3.2. NFS4ID: RR Available . . . . . . . . . . . . . . . . . . . 5
3.3. NFS4ID: DNS Tree Traversal . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
7. Normative References . . . . . . . . . . . . . . . . . . . . . 9
8. Informative References . . . . . . . . . . . . . . . . . . . . 9
9. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 10
10. IPR Notices . . . . . . . . . . . . . . . . . . . . . . . . . 11
11. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . 11
Mesta Expires April 15, 2006 [Page 2]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
1. Introduction
Version 4 of the Network File System (NFSv4) protocol specification
[RFC3530] introduces a way for clients and servers to exchange file
ownership and ACL entry information as string names qualified with a
domain name, whereas earlier versions of the protocol used 32-bit
integers for the same type of identifier meta data. Section 5.8 of
[RFC3530] defines the generic format for string based identifiers to
be "[user|group]@dns_domain".
The string identifier prescribed suggests that the domain to be used
for the on-the-wire format be a DNS domain. However, the use of an
NFSv4 client's and server's default DNS domain to qualify user/group
names would be inappropriate on network configurations that utilize
multiple DNS domains, but still use a common user/group name space
throughout. This would lead to user/group name recognition failures
across the network, at either client or server side, due to
potentially mismatched domains. More succinctly, accessing NFSv4
managed files across multiple DNS domains can cause string
identifiers to be mapped to "nobody", regardless of whether a common
user/group name space is shared or not.
The challenge presented is then to have a mechanism for distributing
a common domain configuration for use by NFSv4 implementations that
only deal with domain-agnostic identifiers; more specifically, for
NFSv4 clients and servers that are administratively controlled by
distinct DNS domains.
A natural solution for this type of problem would be to have NFSv4
clients and servers query their configured DNS server for the
specific "domain" to utilize for sending user/group and ACL
attributes across DNS boundaries. Thus, in a properly configured
deployment, having NFSv4 clients access NFSv4 servers on different
DNS domains that still use a common user/group name space, would not
lead to recognition failures due to the use of the same "domain" for
NFSv4 user names, group names and ACL entry information.
A secondary benefit of using a DNS RR for the NFSv4 domain data store
is that the resolver's searching mechanism can be leveraged to
perform higher level domain traversal. This enables properly
configured NFSv4 clients to perform searches on higher levels of the
DNS domain tree until either an NFS4ID RR is found or all
possibilities have been exhausted.
This is the solution proposed by this memo.
Mesta Expires April 15, 2006 [Page 3]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
2. NFS4ID Resource Record Definition
The general syntax for an NFS4ID resource record, whose type is
expected to be IANA assigned as per [RFC2929], is:
<owner> <ttl> <class> NFS4ID "dname string"
where:
o <owner>, <ttl> and <class> specify the zone, time-to-live and "IN"
respectively, as defined in [RFC1034].
o The RDATA for this record is a string that will be used to specify
the domain name to use in 'owner', 'owner_group' and ACL entry
information, as defined by [RFC3530].
The proposed RR is meant for use solely by NFSv4; the use of the
RDATA field to store additional class information will lead to the
familiar sub-typing issues associated with the use of TXT RR's
[RFC1464].
Mesta Expires April 15, 2006 [Page 4]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
3. Example: Using the NFS4ID RR
As a real world example, assume that an enterprise has a top level
domain of "example.com" and that it has multiple (perhaps
geographically dispersed) DNS domains. For the sake of the current
discussion, two domains is more than enough; "foo.example.com" and
"bar.example.com". Assume further that NFSv4 has been deployed
across these DNS domains and there are active NFSv4 mounts crossing
the DNS domain boundary.
3.1. NFS4ID: RR Unavailable
Assuming that no NFS4ID RR's have been configured on either the
"foo.example.com" nor "bar.example.com" name servers, then the NFSv4
clients and servers that have active cross-domain mounts should be
sending user/group name attributes of the form "[user|group]@
foo.example.com" or "[user|group]@bar.example.com".
If a user in client.foo.example.com wanted to access his/her files in
server.bar.example.com, the user would find his/her files (seemingly)
being owned by "nobody". The reason for this is that client.foo is
trying to match server.bar's domain to its own, and since the domains
are mismatched, that is, the DNS domain itself is being used for
NFSv4 transactions, the client has no choice but to reject the user/
group mapping.
3.2. NFS4ID: RR Available
The following configuration would be expected in order to make the
NFS4ID RR available in both domains:
The "foo.example.com" domain zone file contains:
$ORIGIN foo.example.com.
foo.example.com. IN NFS4ID "example.com"
While the "bar.example.com" domain zone file contains:
$ORIGIN bar.example.com.
bar.example.com. IN NFS4ID "example.com"
Under this scenario, client.foo.example.com would access the user's
data in server.bar.example.com; this time, however, the user and
group name are of the form "[user|group@example.com" on-the-wire.
The client will attempt to match the domain in the in-bound user/
group attribute data and will match its own configured domain since
Mesta Expires April 15, 2006 [Page 5]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
both client.foo and server.bar are utilizing the same domain for
NFSv4 transactions.
3.3. NFS4ID: DNS Tree Traversal
Consider the case in which the top level domain zone file has the
following NFS4ID entry:
example.com. IN NFS4ID "example.com"
As previously stated, the lower level DNS domains, "foo.example.com"
and "bar.example.com", can each define their own NFS4ID RR's in order
to override the NFS4ID record defined by the top level domain. To
continue the example, assume that an NFS4ID record is only defined
for domain "foo.example.com" and it is defined to be:
foo.example.com. IN NFS4ID "foo.foo"
Assuming the NFSv4 clients' /etc/resolv.conf 'search' parameter has
been properly configured, an NFS4ID RR lookup in the
"foo.example.com" domain will yield the string "foo.foo", whereas a
lookup for the NFS4ID RR in the "bar.example.com" domain, will not
yield any value and will propagate to the higher level domain as
"example.com"; at this point, the string "example.com" will be
returned for NFS4ID RR lookups in domain "bar.example.com".
Mesta Expires April 15, 2006 [Page 6]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
4. IANA Considerations
IANA is requested to allocate RR type code TBD for NFS4ID from the
standard RR type space.
Mesta Expires April 15, 2006 [Page 7]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
5. Security Considerations
There are two main security considerations for this facility:
o Denial of service attacks where clients and servers are made to
disagree about their default NFSv4 domain and so ACL and file/
directory ownership manipulation can be made to fail.
o Redirection attacks where a client is forced to use a different
domain than it was otherwise intended to use while a multi-domain
server can understand and distinguish between users (and groups)
with the same names but in different domains. In this attack a
user might be fooled into granting access to a file or directory
to the wrong user or group. For example, a "chown joe somefile"
command might be intended to reference "joe@one.domain" but the
client may be made to use a different domain to qualify "joe",
thus changing the ownership of 'somefile' to
"jane@some.other.domain".
The latter is of particular concern as servers capable of operating
in more than one domain are feasible and likely already exist.
The use of DNSSEC should foil both of these attacks, and thus, we
recommend its use.
Mesta Expires April 15, 2006 [Page 8]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
6. Acknowledgments
David Robinson, Spencer Shepler, Nico Williams, Bill Sommerfeld, and
Olaf Kolkman.
7. Normative References
[RFC1034] Mockapetris, P., "Domain Names - Concepts And Facilities",
RFC 1034, Nov 1987.
[RFC1464] Rosenbaum, R., "Using the Domain Name System To Store
Arbitrary String Attributes", RFC 1464, May 1993.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
"Domain Name System (DNS) IANA Considerations", RFC 2929,
Sep 2000.
[RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
Beame, C., Eisler, M., and D. Noveck, "Network File System
(NFS) version 4 Protocol", RFC 3530, April 2003.
8. Informative References
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", Oct 1998.
[RFC2535] Eastlake, D., "Domain Name System Security Extensions",
March 1999.
Mesta Expires April 15, 2006 [Page 9]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
9. Author's Address
Rick Mesta
Sun Microsystems, Inc.
5300 Riata Park Court
M/S: UAUS08-102
Austin, TX 78727
USA
Phone: +1 512-401-1076
Email: rick.mesta@sun.com
Mesta Expires April 15, 2006 [Page 10]
Internet-Draft A DNS RR for NFSv4 ID Domains Oct 2005
10. IPR Notices
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
11. Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Mesta Expires April 15, 2006 [Page 11]