Date:      Fri, 3 Apr 1998 15:19:15 -0700 (MST)
From:      Wes Peters - Softweyr LLC <softweyr@xmission.com>
To:        robert+freebsd@cyrus.watson.org
Cc:        stable@FreeBSD.ORG
Subject:   Re: Hesiod support on 2.2
Message-ID:  <199804032219.PAA17773@xmission.xmission.com>
In-Reply-To: <Pine.BSF.3.96.980403140944.21311b-100000@fledge.watson.org> from "Robert Watson" at Apr 3, 98 02:17:40 pm

Robert N Watson 
> ...  Some have suggested using LDAP for
> distributing this kind of information, but I personally like the idea of
> DNS used in this manner -- with security, this becomes quite feasible.
> There is significant opposition to storing this kind of information in DNS
> in a number of the groups working with DNS.  The feeling is that another
> service should be used for this.  I'm caught between agreeing that this
> may be beyond the scope of DNS, and also noting that DNS provides an
> excellent distribution mechanism, with security, etc, for this
> information.  Given that DNSsec provides an excellent public key
> distribution system, I lean towards storing authentication-related data
> there.

DNS wasn't really designed with a highly volatile dataset in mind.  If
it takes a day or two for the existence of a new workstation to trickle
across the net, that's generally not too bad, but if it takes a day or
two for my new password to trickle across the net, I cannot reliably
predict if I can log in or not.

You can, of course, fix this problem by using short expirations on the
zone your login information is stored in, but that doesn't change the
basic design limitation.

I designed a system like this once for Raxco Software; it would allow
you to define users and groups, and define any user account or group of
users on domains of systems.  I thought our design was pretty
realistic, but they decided Novell NDS was going to win the world of
directory services and canned the project.  I quit, and 6 months later
Novell canned NDS for Unix.

You never know if a design will really work, but our flood-fill
algorithm designed back then still lives on in Axent Enterprise
Security Manager, the one remaining product from that group.  I still
think it will work, and if you've got a couple hundred thousand
dollars, I'll prove it.  ;^)

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
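As an added illustration of the propagation-delay point made above (this is not part of the original message or of Hesiod itself), here is a small Python model of a Hesiod-style passwd lookup through a resolver cache that honours TTLs. It shows that a changed record is served stale until the cached copy expires, so the worst-case staleness equals the zone TTL; the domain example.com, the user and the hash values are constructed.

```python
# Hesiod publishes passwd(5)-style lines as DNS TXT records named
# <user>.passwd.ns.<domain>; the domain, user and hash values are constructed.
DOMAIN = "example.com"

class AuthoritativeZone:
    """The master server: a change takes effect here immediately."""
    def __init__(self, ttl):
        self.ttl = ttl            # seconds a resolver may cache each answer
        self.records = {}
    def set_passwd(self, user, passwd_line):
        self.records[f"{user}.passwd.ns.{DOMAIN}"] = passwd_line
    def query(self, name):
        return self.records[name], self.ttl

class CachingResolver:
    """A login host's resolver cache: serves a record until its TTL expires."""
    def __init__(self, zone):
        self.zone = zone
        self.cache = {}           # name -> (data, expires_at)
    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]         # still within TTL: the stale line is returned
        data, ttl = self.zone.query(name)
        self.cache[name] = (data, now + ttl)
        return data

def stale_window(ttl, cached_at, changed_at):
    """Seconds after a change at changed_at during which a resolver that cached
    the old record at cached_at keeps serving it; the worst case is ttl."""
    return max(0, cached_at + ttl - changed_at)

def simulate(ttl, check_at=11):
    """Return (hash field seen at check_at, hash field seen after TTL expiry)
    when the password line changes at t=10 after the host cached it at t=0."""
    zone = AuthoritativeZone(ttl)
    name = f"alice.passwd.ns.{DOMAIN}"
    zone.set_passwd("alice", "alice:OLDHASH:1000:1000:Alice:/home/alice:/bin/sh")
    resolver = CachingResolver(zone)
    resolver.lookup(name, now=0)      # login host caches the old line at t=0
    zone.set_passwd("alice", "alice:NEWHASH:1000:1000:Alice:/home/alice:/bin/sh")
    seen_now = resolver.lookup(name, now=check_at).split(":")[1]
    seen_later = resolver.lookup(name, now=ttl + 1).split(":")[1]
    return seen_now, seen_later
```

With a two-day TTL (172800 s) the old line is served for almost two days after the change; with a 60 s TTL the window shrinks to under a minute, but a window always remains, which is the design limitation the message describes.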
