Matt's *Time Log*
Kerberos Service Discovery
An important part of ensuring that Kerberos clients work properly is that they
are able to locate the correct KDCs to communicate with. The common way is to
rely on DNS queries for SRV records. For an MIT Kerberos client this is enabled
with the krb5.conf option dns_lookup_kdc. An example of the Kerberos SRV
records:
_kerberos._tcp.example.com SRV 0 0 88 192.168.1.10
_kerberos._udp.example.com SRV 0 0 88 192.168.1.10
_kpasswd._tcp.example.com SRV 0 0 464 192.168.1.10
There are a few drawbacks with SRV records. The first is that the client may need to fall back to another server and must make additional DNS queries. Second, the DNS administrator may want clients to prefer TCP over UDP, and being that the TCP and UDP records are separate lookups there is no control over the client’s preference. Third, the MS-KKDCP protocol is a way for clients to communicate with a KDC through a HTTPS based proxy, and the SRV record type is insufficient for informing clients of KKDCP servers.
The solution for this is a new URI record type that is designed to inform the client of all Kerberos servers for a domain through a single query.
_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc.example.com
URI 20 1 krb5srv:m:udp:kdc.example.com:89
URI 30 1 krb5srv::kkdcp:https://krbproxy.example.com/KdcProxy
Making a DNS query for the URI record _kerberos.EXAMPLE.COM, the client
receives all three server entries. Each defines a priority (lowest goes first),
weight (highest goes first among identical priority), and a specially formatted
entry. An entry begins with the krb5srv tag. The second field contains flag
characters that indicate server attributes. Currently there is only one flag,
m, to inform the client that the entry is for a master server. If a MIT
kerberos client receives an incorrect password error from a non-master, it will
retry against a master. With SRV records, this requires an additional DNS query.
The third field defines the transport type; TCP, UDP, or MS-KKDCP. The last
field holds the name or address of the server and optionally a port number. If
the entry is for an MS-KKDCP server then this takes form as an HTTPS URL with
optional port and path components.
This method of Kerberos service discovery has been adopted by the IETF’s KITTEN working group as a proposed standard. The current version of the internet draft is draft-ietf-kitten-krb-service-discovery-00
MIT krb5 1.15 already contains support for URI service discovery by clients, and
is enabled (on by default) through the krb5.conf option dns_uri_lookup.
© 2021 Matt's *Time Log* ― Github