[Opendnssec-develop] Wild idea :- Kerberos for fine-grained control

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Sep 26 13:09:56 UTC 2013


I've lately been catching up on Kerberos, and found that it is incredibly powerful.  It might actually be beneficial to OpenDNSSEC...

 * to offload the root account
    - bring limited uses of the tools down to user level -- so less need to use the PIN-owning root account
    - note that OpenDNSSEC assumes that the PIN is stored in a file visible to root
    - also note that many PKCS #11 libraries store the PIN in memory and send it along with every card transaction
    - this could make it less scary to run the tools (indirectly) from a web environment
    - this could make it less scary to run the tools in response to an SSH request

 * for finer-grained access control
    - who can make change X to zone Y could be configured in kasp.xml or zones.xml
    - zone reloads, re-signing actions and so on might follow a similar system
    - ideal for multiple-tenant systems such as those used by DNS service providers / registrants?

 * for end-to-end authentication
    - user's authenticity forms a chain from their local machine through to OpenDNSSEC
    - Kerberos can cut through protocols like RSH, SSH, RSYNC, MOSH and even HTTP
    - most web browsers support Kerberos authentication: IE, Firefox, Safari, and even curl; those that don't support it are rare: Opera, wget
    - end-user can start their authentication chain on any system, independent of POSIX accounts, as long as "kinit" is installed
    - note that arrangements for cross-realm authentication exist, so a client need not log on to OpenDNSSEC's domain to access it

 * to make it fit into many environments with much grace
    - Apple has it on board; you can run kinit in a shell or integrate it with the normal login process
    - Windows does this all the time, when logging on to a domain (WFW or AD DC)
    - Linux users just install "krb5-user" or a similar package to be able to "kinit"
    - To a user, Kerberos is actually very simple… log on once a day/session and use as SSO
    - Users can switch between authenticated names, or roles, e.g. rick@OPENDNSSEC.ORG vs. rick/admin@OPENDNSSEC.ORG

I can get really excited about technology I've just discovered, but this list of possibilities might be worthy of some attention from OpenDNSSEC?
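The "who can make change X to zone Y" rule from the second group of bullets, worked through as an added example. This is not OpenDNSSEC code and not the author's; it assumes a hypothetical <Access>/<Allow> element inside zones.xml (OpenDNSSEC's real zones.xml has nothing of the kind), a constructed sample zone list, and that the principal name handed to the check is the one a GSSAPI/Kerberos layer has already established for the peer. Principal names are parsed the way Kerberos spells them (components separated by "/", realm after "@", backslash escapes), so that rick@REALM and the rick/admin@REALM role from the last bullet group stay distinct identities.

```python
"""Added example: per-zone ACL keyed on Kerberos principal names (not OpenDNSSEC code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample zones.xml. <Access>/<Allow> is a hypothetical element
# invented for this example; actions are a comma-separated list or "*".
ZONELIST_XML = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <Access>
      <Allow principal="rick/admin@OPENDNSSEC.ORG" actions="*"/>
      <Allow principal="rick@OPENDNSSEC.ORG" actions="sign,reload"/>
      <Allow principal="*/ops@CUSTOMER.EXAMPLE" actions="reload"/>
    </Access>
  </Zone>
  <Zone name="example.net">
    <Policy>default</Policy>
    <Access>
      <Allow principal="*@OPENDNSSEC.ORG" actions="sign"/>
    </Access>
  </Zone>
</ZoneList>
"""


@dataclass(frozen=True)
class Principal:
    components: tuple  # ("rick", "admin") for rick/admin@OPENDNSSEC.ORG
    realm: str


def parse_principal(name: str) -> Principal:
    """Parse 'primary/instance@REALM'. A backslash escapes the next character,
    so 'host\\/x@R' is the single component 'host/x'. A name without a realm
    is rejected rather than silently given a default realm."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])  # escaped char is data, not a separator
            i += 2
            continue
        if realm is None and c == "/":
            comps.append("".join(cur))
            cur = []
        elif realm is None and c == "@":
            comps.append("".join(cur))
            cur = []
            realm = ""  # from here on we are reading the realm
        else:
            cur.append(c)
        i += 1
    if realm is None:
        raise ValueError("principal %r has no realm" % name)
    realm = "".join(cur)
    if not realm or any(not comp for comp in comps):
        raise ValueError("malformed principal %r" % name)
    return Principal(tuple(comps), realm)


def principal_matches(pattern: Principal, who: Principal) -> bool:
    """'*' matches exactly one whole component (or the whole realm). Component
    counts must agree, so '*@OPENDNSSEC.ORG' covers rick@... but not the
    rick/admin@... role. Realms compare case-sensitively, as in Kerberos.
    (A literal '*' in a name cannot be expressed in this pattern syntax.)"""
    if len(pattern.components) != len(who.components):
        return False
    if pattern.realm != "*" and pattern.realm != who.realm:
        return False
    return all(p == "*" or p == c for p, c in zip(pattern.components, who.components))


def load_acl(xml_text: str) -> dict:
    """Return {zone name: [(pattern Principal, frozenset of actions), ...]}.
    A zone without <Access> gets an empty rule list, i.e. nobody is allowed."""
    acl = {}
    for zone in ET.fromstring(xml_text).findall("Zone"):
        rules = []
        for allow in zone.findall("Access/Allow"):
            actions = frozenset(a.strip() for a in allow.get("actions", "").split(",") if a.strip())
            rules.append((parse_principal(allow.get("principal")), actions))
        acl[zone.get("name")] = rules
    return acl


def is_allowed(acl: dict, authenticated_principal: str, zone: str, action: str) -> bool:
    """Default deny. `authenticated_principal` must be the name the Kerberos/GSSAPI
    layer established for the peer, never a value read from the request itself."""
    try:
        who = parse_principal(authenticated_principal)
    except ValueError:
        return False
    for pattern, actions in acl.get(zone, ()):
        if principal_matches(pattern, who) and ("*" in actions or action in actions):
            return True
    return False


if __name__ == "__main__":
    acl = load_acl(ZONELIST_XML)
    for who, zone, action in [("rick@OPENDNSSEC.ORG", "example.com", "sign"),
                              ("rick@OPENDNSSEC.ORG", "example.com", "delete"),
                              ("rick/admin@OPENDNSSEC.ORG", "example.com", "delete"),
                              ("rick/admin@OPENDNSSEC.ORG", "example.net", "sign")]:
        print(who, zone, action, "->", "allow" if is_allowed(acl, who, zone, action) else "deny")
```

The check is deliberately conservative: an unknown zone, a zone without rules, an unparsable principal, or a realm differing only in case all deny. The point worth carrying into any real design is in the last function's docstring: the principal string is only trustworthy if it came out of the authenticated GSSAPI context, so the ACL must be evaluated on the daemon side (the side holding the PIN), not in the web or SSH front end that merely forwards the request.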

