Declaring Kerberos Realm Names in DNS (_kerberos TXT)
draft-vanrein-dnstxt-krb1-09

Document Type Active Internet-Draft (individual)
Last updated 2016-10-24
Stream ISE
Intended RFC status Informational
Stream ISE state In ISE Review
Network Working Group                                        R. Van Rein
Internet-Draft                                                 ARPA2.net
Intended status: Informational                          October 24, 2016
Expires: April 27, 2017

         Declaring Kerberos Realm Names in DNS (_kerberos TXT)
                      draft-vanrein-dnstxt-krb1-09

Abstract

   This specification defines a method to determine Kerberos realm names
   for services that are known by their DNS name.  Currently, such
   information can only be found in static mappings or through educated
   guesses.  DNS can make this process more flexible, provided that
   DNSSEC is used to assure authenticity of resource records.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 27, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Van Rein                 Expires April 27, 2017                 [Page 1]
Internet-Draft                _kerberos TXT                 October 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Defining _kerberos TXT Resource Records . . . . . . . . . . .   3
   3.  Publishing Kerberos Realm Names . . . . . . . . . . . . . . .   5
   4.  Querying Kerberos Realm Names . . . . . . . . . . . . . . . .   5
   5.  Efficiency Considerations . . . . . . . . . . . . . . . . . .   6
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   When a Kerberos client contacts a service, it needs to acquire a
   service ticket, and for that it needs to contact the KDC for a realm
   under which the service is run.  To map a service name into a realm
   name and then into a KDC, clients tend to use static mappings or
   educated guesses; the client's KDC may or may not be involved in this
   process.  Through DNS, the static mappings could be replaced by
   dynamic lookups, and migrate from local client configuration into the
   hands of the party administering a server's presence in DNS.  This
   brings improved flexibility and centralisation, which is
   operationally desirable.

   Two mappings are needed for a client to contact a service.  One is a
   mapping from the FQDN of a service to its realm name; the other is a
   mapping from the realm name to the Kerberos-specific services such as
   the KDC.  The latter mapping is published in SRV records [RFC4120]
   and such traffic is usually protected by Kerberos itself.  The first
   mapping, however, has hitherto not been standardised and is ill-
   advised over unsecured DNS, because the published information is then
   neither validated by DNS nor fed into a protocol that could provide
   end-to-end validation for it.

   With the recent rise of DNSSEC, it has become possible to make a
   reliable judgement on the authenticity of data in DNS, which enables
   the standardisation of the first mapping in the form of resource
   records under DNSSEC.
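   The two-step mapping described above, as an added illustration that is
   not part of this draft: the first step consults a _kerberos TXT record
   and refuses any answer the resolver did not validate with DNSSEC; the
   second step uses the _kerberos._udp SRV record of [RFC4120].  The TXT
   layout (a single string carrying the realm name), the stand-in resolver
   and all host names are assumptions constructed for the example.

```python
# Added example, not code from the draft.  Assumed record layout:
#   _kerberos.<service-fqdn>.  IN TXT "REALM"
# and a resolver that reports whether an answer was DNSSEC-validated.
from dataclasses import dataclass


@dataclass
class Answer:
    records: list        # rdata strings for one (owner, type)
    authenticated: bool  # True only when the resolver validated with DNSSEC


# Constructed stand-in for a validating stub resolver, keyed by (owner, type).
FAKE_DNS = {
    ("_kerberos.imap.example.com.", "TXT"): Answer(["EXAMPLE.COM"], True),
    ("_kerberos.www.example.net.", "TXT"): Answer(["EXAMPLE.NET"], False),
    ("_kerberos._udp.EXAMPLE.COM.", "SRV"): Answer(["0 0 88 kdc.example.com."], True),
}


def lookup(owner, rrtype, dns=FAKE_DNS):
    return dns.get((owner, rrtype))


def realm_for_service(fqdn, dns=FAKE_DNS):
    """First mapping: service FQDN -> realm name.  Returns None when there is
    no DNSSEC-validated answer, so the caller falls back to its static
    configuration instead of trusting unsigned DNS data."""
    ans = lookup("_kerberos." + fqdn.rstrip(".") + ".", "TXT", dns)
    if ans is None or not ans.authenticated:
        return None
    if len(ans.records) != 1:      # ambiguous answer: refuse rather than guess
        return None
    realm = ans.records[0]
    # Realm names are case-sensitive; reject empty or non-printable values
    if not realm or any(ord(c) < 0x20 or ord(c) > 0x7e for c in realm):
        return None
    return realm


def kdc_for_realm(realm, dns=FAKE_DNS):
    """Second mapping: realm -> (KDC host, port) via _kerberos._udp SRV."""
    ans = lookup("_kerberos._udp." + realm + ".", "SRV", dns)
    if ans is None:
        return None
    _prio, _weight, port, target = ans.records[0].split()
    return target.rstrip("."), int(port)


def kdc_for_service(fqdn, dns=FAKE_DNS):
    realm = realm_for_service(fqdn, dns)
    return None if realm is None else kdc_for_realm(realm, dns)
```

   The www.example.net entry has a realm published but unsigned, so the
   lookup yields nothing, which is the behaviour the draft argues for.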

   This specification defines a method to publish and process Kerberos