Difference between revisions of "Projects/KDC Discovery"
Revision as of 13:00, 27 May 2016
This project will implement Kerberos service discovery by DNS as specified by draft-mccallum-kitten-krb-service-discovery-02. The draft currently specifies a new URI DNS record type; however, it was decided that a TXT record will be used instead, carrying a (currently non-standardized) URI payload format.
The current method of KDC discovery using DNS SRV records has the following drawbacks:
- Only the UDP and TCP transports can be specified
- Multiple queries are needed to discover the records for both transports
- The DNS administrator has no influence on client protocol use
- Does not assist in locating password services
Design
The client performs a DNS lookup for one or more of the following TXT records:
- _kerberos-master.REALM (Master KDC)
- _kerberos-adm.REALM (Admin service)
- _kerberos.REALM (Normal KDC)
- _kpasswd.REALM (Password service)
- _krb524.REALM (K5 to K4 service)
An entry will contain a URI-formatted string of priority, weight, transport, target, and optional port, separated by colons. The MS-KKDCP transport type uses an http/https URL as its target, with an optional port and path.
- priority:weight:udp:host[:port]
- priority:weight:tcp:host[:port]
- priority:weight:tls:host[:port]
- priority:weight:kkdcp:http://host[:port][/path]
- priority:weight:kkdcp:https://host[:port][/path]
Discovery using this new method should be attempted before searching SRV records.
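To make the payload format concrete, here is an added parser for one TXT record entry (example code for this page, not part of krb5; the struct and function names are hypothetical). The point it demonstrates is that only the first three colons are field separators, because a kkdcp target itself contains "://" and possibly ":port", and that malformed or unknown entries are rejected so the client never connects to a target it could not fully validate.

```c
#include <stdlib.h>
#include <string.h>

/* Parsed form of one TXT record entry (hypothetical names, added for illustration). */
struct kdc_uri {
    int priority;
    int weight;
    char transport[8];   /* "udp", "tcp", "tls" or "kkdcp" */
    char target[256];    /* host[:port], or http(s)://host[:port][/path] for kkdcp */
};

/* Parse "priority:weight:transport:target" into *out; 0 on success, -1 if malformed
 * (callers should skip such entries). Only the first three colons separate fields:
 * a kkdcp target contains "://" and maybe ":port", so the rest is the target. */
int parse_kdc_uri(const char *txt, struct kdc_uri *out)
{
    const char *p = txt, *sep;
    char *end;

    out->priority = (int)strtol(p, &end, 10);
    if (end == p || *end != ':' || out->priority < 0) return -1;
    p = end + 1;
    out->weight = (int)strtol(p, &end, 10);
    if (end == p || *end != ':' || out->weight < 0) return -1;
    p = end + 1;
    sep = strchr(p, ':');
    if (sep == NULL || sep == p || (size_t)(sep - p) >= sizeof(out->transport)) return -1;
    memcpy(out->transport, p, (size_t)(sep - p));
    out->transport[sep - p] = '\0';
    p = sep + 1;
    if (*p == '\0' || strlen(p) >= sizeof(out->target)) return -1;

    if (strcmp(out->transport, "kkdcp") == 0) {
        /* MS-KKDCP: the target must be an http or https URL. */
        if (strncmp(p, "http://", 7) != 0 && strncmp(p, "https://", 8) != 0) return -1;
    } else if (strcmp(out->transport, "udp") != 0 && strcmp(out->transport, "tcp") != 0 &&
               strcmp(out->transport, "tls") != 0) {
        return -1;  /* unknown transport: reject rather than guess */
    } else if ((sep = strchr(p, ':')) != NULL) {
        /* host:port form: the port must be numeric and within 1..65535 */
        long port = strtol(sep + 1, &end, 10);
        if (end == sep + 1 || *end != '\0' || port < 1 || port > 65535) return -1;
    }
    strcpy(out->target, p);
    return 0;
}
```

Priority/weight selection across several entries and bracketed IPv6 literal hosts are out of scope here; the page does not describe either, so the parser deliberately leaves them out.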
(Password service discovery)
Implementation
src/lib/krb5/os/dnsglue.c: k5_try_realm_txt_rr() has existing TXT lookup code, but it only retrieves a realm name from the record. Write a generalized TXT lookup function and pass its result to a new parsing function for the URI format.