Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stefan Santesson Microsoft

Published byGodwin Powell Modified over 6 years ago

Similar presentations

Presentation on theme: "Stefan Santesson Microsoft"— Presentation transcript:

1 Stefan Santesson Microsoft
SRV RR otherName Stefan Santesson Microsoft

2 The Concept RFC 2782 DNS Server _service._protocol.domain.com
host1.domain.com Service Host (host1.domain.com) ( ) Using service Client

3 The Concept From RFC 2742 Currently, one must either know the exact address of a server To contact it, or broadcast a question. The SRV RR allows administrators to use several servers for a Single domain, to move services from host to host with little fuss, and to designate some hosts as primary servers for a service and others as backups. Clients ask for a specific service/protocol for a specific domain and get back the names of any available servers. Example is discovery of a Kerberos KDC host but this could be used as a general mechanism for a variety of services.

4 The Threat DNS spoofing
Spoofed DNS Server _service._protocol.domain.com _service._protocol.domain.com hostX.domain.com Hijacked Host (hostX.domain.com) ( ) Using service Client

5 Proposal Submitted as draft-santesson-pkix-srvrr-00.txt
Define a Subject Alt Name otherName for SRV RR query string (_service._protocol.domain). Example: _ldap._tcp.example.com otherName structure: id-on-sRVRRName OBJECT IDENTIFIER ::= { id-on ? } SRVRRName ::= UTF8String

6 Applicability Constraints
From RFC 2782: I In general, it is expected that SRV records will be used by clients for applications where the relevant protocol specification indicates that clients should use the SRV record. Such specification MUST define the symbolic name to be used in the Service field of the SRV record as described below. It also MUST include security considerations. Service SRV records SHOULD NOT be used in the absence of such specification. Any use of SRV RR for host authentication MUST NOT be in conflict with any rules specified for deployed security protocols and application/service definitions.

7 Request Request that PKIX accept the task to define this SAN otherName so it can be referenced and used by other protocol specifications to support host authentication where applicable.

8 Path forward Correct known errors (IA5String -> UTF8String)
Submit as first pkix draft (00) Define appropriate constraints and security considerations Proceed as standards track WG last call after Vancouver IETF

Download ppt "Stefan Santesson Microsoft"

Similar presentations

Internationalizing WHOIS Preliminary Approaches for Discussion Internationalized Registration Data Working Group ICANN Meeting, Brussels, Belgium Jeremy.

Internationalizing WHOIS Preliminary Approaches for Discussion Internationalized Registration Data Working Group ICANN Meeting, Brussels, Belgium Jeremy.
Authentication Applications The Kerberos Protocol Standard

Authentication Applications The Kerberos Protocol Standard
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.

Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
CORDRA Philip V.W. Dodds March 2004. The “Problem Space” The SCORM framework specifies how to develop and deploy content objects that can be shared and.

CORDRA Philip V.W. Dodds March The “Problem Space” The SCORM framework specifies how to develop and deploy content objects that can be shared and.
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
1 RFC 3486 Compressing the Session Initiation Protocol (SIP) 曾朝弘 電機系 系統組 碩士班一年級.

1 RFC 3486 Compressing the Session Initiation Protocol (SIP) 曾朝弘 電機系 系統組 碩士班一年級.
DNS.

DNS.
AD DNS SRV RRs Active Directory DNS Service (SRV) Resource Records (RR)

AD DNS SRV RRs Active Directory DNS Service (SRV) Resource Records (RR)
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
Module 2: Implementing DNS to Support Active Directory

Module 2: Implementing DNS to Support Active Directory
Dynamic Host Configuration Protocol Engr. Mehran Mamonai.

Dynamic Host Configuration Protocol Engr. Mehran Mamonai.
DHCPv6 Redundancy Considerations Redundancy Proposals in RFC 6853.

DHCPv6 Redundancy Considerations Redundancy Proposals in RFC 6853.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.
IETF #82 DRINKS WG Meeting Taipei, Taiwan Fri, Nov 18 th 2011 0.

IETF #82 DRINKS WG Meeting Taipei, Taiwan Fri, Nov 18 th
AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.

AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.
PAWS Protocol to Access White Space DB IETF 81 Gabor Bajko, Brian Rosen.

PAWS Protocol to Access White Space DB IETF 81 Gabor Bajko, Brian Rosen.
Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas

Comments on draft-ietf-pkix-scvp-19.txt IETF Meeting Paris - August 2005 Denis Pinkas
DNS Discovery Discussion Report Draft-ietf-ipngwg-dns-discovery-01.txt.

DNS Discovery Discussion Report Draft-ietf-ipngwg-dns-discovery-01.txt.

Similar presentations

Ads by Google