Network Working Group                                           R. Mesta
Internet-Draft                                    Sun Microsystems, Inc.
Expires: April 15, 2005                                         Oct 2004


                    NFSv4 Cross-Domain Considerations
                       draft-mesta-nfsv4-domain-00

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   or will be disclosed, and any of which I become aware will be
   disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than a "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on April 15, 2005.

Abstract

   The purpose of this document is to elicit discussion on configuration
   schemes for determining the domain name to be used by NFSv4
   implementations that do not natively support users and groups from
   multiple domains.  This document also describes a method by which
   NFSv4 clients and servers can discover a domain name value
   appropriate for qualifying NFSv4 user and group names, by leveraging
   DNS TXT resource records.

Mesta                   Expires April 15, 2005                  [Page 1]

Internet-Draft         NFSv4 Cross-Domain Considerations        Oct 2004

Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.   Proposed Configuration Scheme  . . . . . . . . . . . . . . .  4
     2.1  The _nfsv4idmapdomain DNS TXT Resource Record . . . . . .  4
     2.2  DNS Tree Lookup Traversal . . . . . . . . . . . . . . . .  4
     2.3  IETF DNS Community Considerations . . . . . . . . . . . .  5
   3.   Motivation . . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1  Multi-DNS Domain Environments with Configured TXT RR's  .  6
     3.2  Multi-DNS Domain Environments w/o Configured TXT RR's . .  6
   4.   Security Considerations  . . . . . . . . . . . . . . . . . .  7
   5.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  8
   6.   Normative References . . . . . . . . . . . . . . . . . . . .  8
   7.   Informative References . . . . . . . . . . . . . . . . . . .  8
   8.   Author's Address . . . . . . . . . . . . . . . . . . . . . .  8
   9.   IPR Notices  . . . . . . . . . . . . . . . . . . . . . . . .  9
   10.  Copyright Notice . . . . . . . . . . . . . . . . . . . . . .  9

1.  Introduction

   Version 4 of the Network File System (NFSv4) protocol [RFC3530]
   introduces a way for clients and servers to exchange file ownership
   and ACL entry information as string names qualified with a DNS domain
   name, whereas earlier versions of the protocol used 32-bit integers
   for the same kind of identifier metadata.  Section 5.8 of [RFC3530]
   defines the format of these string-based identifiers, which are
   intended to be the most flexible representation of file ownership
   across differing translation implementations.  Further, [RFC3530]
   suggests that the 'domain' portion of the string identifier should
   be a DNS domain name:

      "The "dns_domain" portion of the owner string is meant to be a DNS
      domain name.  For example, user@ietf.org.  Servers should accept
      as valid a set of users for at least one domain.  A server may
      treat other domains as having no valid translations.  A more
      general service is provided when a server is capable of accepting
      users for multiple domains, or for all domains, subject to
      security constraints."

   Some NFSv4 implementations do not support the notion of
   domain-qualified user and group identifiers.
   These implementations are still required by [RFC3530] to qualify
   user and group names in NFSv4 protocol data.  Additionally, these
   implementations can use the 'domain' qualifier to discover user/group
   name space boundaries.  However, using an NFSv4 client's or server's
   default DNS domain to qualify user/group names would be inappropriate
   on networks that use multiple DNS domains and sub-domains but still
   use a common user/group name space throughout.  This would lead to
   user/group name recognition failures across the network, at either
   the client or the server side, due to mismatched domains.  More
   succinctly, accessing NFSv4-managed files across multiple DNS domains
   can cause string identifiers to be mapped to "nobody", regardless of
   whether a common user/group name space is shared or not.

   This presents the problem of how to distribute the configuration of
   a domain name, for use in qualifying user and group names, to NFSv4
   implementations which only deal with domain-agnostic identifiers.
   This document describes one such configuration information
   distribution method using DNS TXT resource records.

2.  Proposed Configuration Scheme

   In order to ease NFSv4 deployment and promote the highest level of
   interoperability between NFSv4 implementations until a
   general-purpose method for mapping multi-domain users/groups to
   security identifiers is available, we propose that a DNS TXT
   [RFC1464] resource record (RR) be adopted as a convention between
   implementors.  DNS RRs make the most sense since most customers
   already manage their naming infrastructure via DNS.
2.1  The _nfsv4idmapdomain DNS TXT Resource Record

   As stated in [RFC1464], the general syntax for a TXT resource record
   is:

      <"attribute name=attribute value">

   Thus, following the syntax above, we propose the specific TXT record
   name '_nfsv4idmapdomain' in order to minimize the probability of TXT
   record name collision and to follow established practice when DNS
   TXT records are used.  Kerberos utilizes the '_kerberos' DNS TXT RR
   name when mapping host and domain names to realms [KERB5].
   Similarly, XFN also utilized DNS TXT records to hold subordinate
   naming system information [XFNDOC].  Thus, the general form of the
   DNS TXT resource record for NFSv4 domain configuration is:

      _nfsv4idmapdomain.soa_domain.   IN   TXT   "domain.name"

   where "domain.name" is configured to the desired domain name to be
   used and/or exchanged in 'owner' and 'owner_group' attribute strings.

2.2  DNS Tree Lookup Traversal

   Because the proposed TXT RR is owned by a name within a zone, it
   inherits that zone's domain (the domain of the SOA record).  This
   simple but powerful side effect of using a DNS TXT record as the
   configuration scheme allows deployments with multiple DNS domains to
   override any setting from a parent DNS domain.

   For example, assume a customer configuration has a top-level DNS
   domain of "foo.bar" and a corresponding DNS TXT RR has been defined
   as:

      _nfsv4idmapdomain   IN   TXT   "foo.bar"

   Assume further that there are two lower-level domains,
   "ding.foo.bar" and "dong.foo.bar".  These lower-level DNS domains can
   in turn each define their own DNS TXT RRs in order to override the
   TXT record defined by the top-level DNS domain.
   To continue the example, assume that a DNS TXT record is only defined
   for the domain "ding.foo.bar", and that it is defined to be:

      _nfsv4idmapdomain   IN   TXT   "ding.ding"

   Thus, assuming the 'search' parameter in the client's
   /etc/resolv.conf file has been properly configured, a DNS TXT RR
   lookup for "_nfsv4idmapdomain.ding.foo.bar" will yield the string
   "ding.ding", whereas a lookup for the
   "_nfsv4idmapdomain.dong.foo.bar" DNS TXT RR will not yield any value
   and will propagate to the higher-level domain as
   "_nfsv4idmapdomain.foo.bar"; at that point, the string "foo.bar" will
   be returned for lookups in domain "dong.foo.bar".

2.3  IETF DNS Community Considerations

   As stated previously, the purpose of this document is to elicit
   discussion on the best approach to obtain a domain for use in
   qualifying NFSv4 string identifiers.  Comments and suggestions on
   additional methods are welcome.  It should be noted that
   satisfactory adoption of a DNS RR for NFSv4 identifier domain
   configuration would require the standardization of an
   application-specific DNS record.

3.  Motivation

   As of the date of this memo, there is no known general-purpose
   solution for mapping multi-domain users/groups to security
   identifiers that can be leveraged.  It is also expected that the
   majority of NFSv4 customer configurations are likely to leverage DNS
   for name resolution.  As such, the current Solaris NFSv4
   implementation uses the aforementioned DNS TXT RR to configure an
   arbitrary string that will be used as the NFSv4 id mapping domain.
   Solaris uses this DNS TXT RR to ease NFSv4 deployment at the
   enterprise IT level, and it is expected to be used by system
   administrators to configure the NFSv4 mapping domain to utilize when
   client(s) and server(s) exchange 'owner' and 'owner_group' attribute
   data.
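   The traversal of Section 2.2, together with its effect on the
   translation of 'owner' strings whose failure mode ("nobody") Sections
   1 and 3.2 describe, as an added example in Python.  This is
   illustrative code written for this page; it is neither the draft's
   nor the Solaris implementation's code.  The zone contents, the local
   user table, the uid chosen for "nobody" and the stop_at bound on the
   upward walk are all assumptions of the example: the draft itself does
   not say where the walk ends.

```python
"""Added example (not code from the draft or from Solaris): walk the DNS
tree for the _nfsv4idmapdomain TXT record as in Section 2.2, then apply
the discovered domain to RFC 3530 owner strings, reproducing the
"nobody" mapping of Sections 1 and 3.2.  DNS is replaced by a constructed
in-memory table so the script runs offline."""

from typing import Callable, List, Optional, Tuple

# Constructed zone contents mirroring the draft's example: "foo.bar"
# publishes a record, "ding.foo.bar" overrides it, "dong.foo.bar" has none.
FAKE_TXT_RECORDS = {
    "_nfsv4idmapdomain.foo.bar": ["foo.bar"],
    "_nfsv4idmapdomain.ding.foo.bar": ["ding.ding"],
}


def fake_txt_lookup(name: str) -> List[str]:
    """Stand-in for a TXT query.  An empty list plays the role of an
    NXDOMAIN/NODATA answer from a real resolver."""
    return FAKE_TXT_RECORDS.get(name.rstrip(".").lower(), [])


def discover_idmap_domain(host_domain: str,
                          lookup: Callable[[str], List[str]] = fake_txt_lookup,
                          stop_at: Optional[str] = None) -> Optional[str]:
    """Query _nfsv4idmapdomain.<host_domain>, then strip the leftmost
    label and retry, returning the first TXT value found or None.

    stop_at bounds the upward walk to a zone the administrator controls
    (e.g. "foo.bar").  The bound is an assumption of this example; the
    draft does not say where the walk ends, and without a bound the query
    would eventually reach zones outside the organization."""
    labels = host_domain.rstrip(".").lower().split(".")
    stop = stop_at.rstrip(".").lower().split(".") if stop_at else None
    while labels:
        if stop is not None and labels[-len(stop):] != stop:
            break  # candidate domain is no longer within the bound
        values = lookup("_nfsv4idmapdomain." + ".".join(labels))
        if values:
            return values[0].strip()
        labels.pop(0)  # climb one level toward the root
    return None


# Constructed local user table for the shared user/group name space, and
# the uid assumed for "nobody" (Solaris has historically used 60001).
LOCAL_USERS = {"alice": 1001, "bob": 1002}
NOBODY_UID = 60001


def parse_owner(owner: str) -> Tuple[str, Optional[str]]:
    """Split an RFC 3530 Section 5.8 owner string "user@dns_domain".
    A string without '@' carries no domain."""
    if "@" not in owner:
        return owner, None
    user, _, domain = owner.rpartition("@")
    return user, (domain.lower() or None)


def map_owner_to_uid(owner: str, local_idmap_domain: str) -> int:
    """Translate an incoming owner string to a local uid.  Only strings
    qualified with this host's own idmap domain are accepted as naming a
    local user; anything else maps to NOBODY_UID (Section 3.2)."""
    user, domain = parse_owner(owner)
    if domain is None or domain != local_idmap_domain.lower():
        return NOBODY_UID
    return LOCAL_USERS.get(user, NOBODY_UID)


def simulate(client_domain: str, server_domain: str,
             configured: bool = True) -> int:
    """A client in client_domain sends "alice@<its idmap domain>" to a
    server in server_domain; return the uid the server assigns.  With
    configured=False no TXT records exist and each side falls back to its
    own DNS domain, the situation of Section 3.2."""
    lookup = fake_txt_lookup if configured else (lambda name: [])
    client_idmap = (discover_idmap_domain(client_domain, lookup, "foo.bar")
                    or client_domain)
    server_idmap = (discover_idmap_domain(server_domain, lookup, "foo.bar")
                    or server_domain)
    return map_owner_to_uid("alice@" + client_idmap, server_idmap)


if __name__ == "__main__":
    for client, server, configured in [
        ("dong.foo.bar", "dong.foo.bar", False),  # same DNS domain: works
        ("ding.foo.bar", "dong.foo.bar", False),  # cross-domain: nobody
        ("dong.foo.bar", "foo.bar", True),        # unified via parent TXT
        ("ding.foo.bar", "dong.foo.bar", True),   # ding overrides: nobody
    ]:
        print(client, "->", server, "TXT" if configured else "no TXT",
              "uid", simulate(client, server, configured))
```

   Against a real resolver the per-level query is simply
   "dig +short TXT _nfsv4idmapdomain.ding.foo.bar"; the deployment check
   is that every client and server arrives at the same value.  The bound
   on the walk is the practitioner's addition: since the lookup climbs
   toward the root, an unbounded walk would eventually consult a zone the
   organization does not administer.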
3.1  Multi-DNS Domain Environments with Configured TXT RR's

   NFSv4 deployments within multi-DNS domain environments can leverage
   the proposed DNS TXT RR to obtain an NFSv4 domain, unified across the
   different DNS domains, to use for the 'owner' and 'owner_group'
   attribute strings.  The above holds true whether or not the
   multi-DNS domain deployments share a common user/group
   administrative domain.

3.2  Multi-DNS Domain Environments w/o Configured TXT RR's

   NFSv4 deployments within multi-DNS domain environments in which the
   DNS TXT RR has not been set up will most likely utilize the DNS
   domain itself for the 'domain' portion of the attribute strings.
   Client(s) and server(s) that interoperate within the same DNS domain
   boundary will properly map attribute strings to the local system's
   representation, since a common NFSv4 domain is shared.  However,
   client(s) and server(s) that interoperate across DNS domain
   boundaries will more than likely map the attribute strings to
   "nobody" due to mismatched NFSv4 domains.

4.  Security Considerations

   This memo raises no security issues beyond those of relying on DNS
   for configuration data.  Note that the value obtained from the TXT
   RR determines how 'owner' and 'owner_group' strings are translated on
   a client or server, and that the lookup of Section 2.2 may be
   answered from a parent zone.  Since an ordinary DNS answer is not
   authenticated, the use of DNSSEC [RFC2535] is recommended.

5.  Acknowledgements

   The author thanks David Robinson, Spencer Shepler and Nicolas
   Williams for their insight and content contributions.

6.  Normative References

   [RFC1464]  Rosenbaum, R., "Using the Domain Name System To Store
              Arbitrary String Attributes", RFC 1464, May 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3530]  Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
              Beame, C., Eisler, M. and D. Noveck, "Network File System
              (NFS) version 4 Protocol", RFC 3530, April 2003.

7.  Informative References

   [KERB5]    Garman, J., "Kerberos: The Definitive Guide", p. 79,
              Aug 2003.
   [RFC2535]  Eastlake, D., "Domain Name System Security Extensions",
              RFC 2535, March 1999.

   [XFNDOC]   Solaris 2.5 Product Documentation, "DNS Text Record Format
              for XFN References", Nov 1995.

8.  Author's Address

   Rick Mesta
   Sun Microsystems, Inc.
   5300 Riata Park Court
   M/S: UAUS08-102
   Austin, TX 78727
   USA

   Phone: +1 512-401-1076
   EMail: rick.mesta@sun.com

9.  IPR Notices

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC documents
   can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

10.  Copyright Notice

   Copyright (C) The Internet Society 2004.  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.
   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.