
Re: Discovering LDAP Services with DNS - draft-ietf-ldapext-locate-03.txt



Michael,

The I-D is shaping up nicely, a couple of comments:


Multiple SRV records

I believe you state that listed services under a given domain
name provided must be "equally capable of servicing LDAP
requests" under the associated DN (suggest using wording
similar to that in RFC2251, 4.1.11).


FQDN:

I noticed the specification now has trailing dots on FQDNs.  This
may be inappropriate.  IIRC, the trailing dot is a user interface
convention and not part of the actual DNS protocol itself.


Tree Walking SHOULD v MUST?

It may be appropriate to make this a MUST.  If walking were allowed,
a significant burden would be placed upon superior DNS zones.  And, if
done without user interaction, it may expose the client to unintended
servers, creating a privacy concern.


Verification of intended services

Should there be a note that DNS-provided information is easily
spoofed and the client may desire to check naming contexts of
listed servers (when possible) using LDAP mechanisms (noting
that TCP sessions are much harder to spoof than UDP PDUs)?


Security Considerations

You refer the reader to [6]:
   [6]  Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC
        1700, October 1994.
which doesn't discuss considerations.  I assume you meant [5].

As noted above, there may be additional security concerns specific
to LDAP use of [5].  A more detailed analysis may be appropriate.


CLDAP

As previously noted, the I-D includes a normative reference to CLDAP.
This will couple the progression of the specification to the maturity
levels of both the LDAP and CLDAP protocols.
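As an added illustration of the location and verification steps discussed in the message above (this is example code written for this page, not from the draft or from the message's author), the following Python sketches a client that derives the SRV owner name from a DN, refuses to walk up to parent zones when no record exists, orders the answers by priority and weight, and then checks each server's advertised naming contexts before trusting it. It assumes the DN-to-domain mapping uses dc= components, that the SRV owner name is _ldap._tcp.<domain> without a trailing dot, and that the root DSE would be read over the LDAP session; the DNS answers and root DSE attributes are constructed inline so the example runs offline.

```python
"""Locate LDAP servers for a DN via DNS SRV and verify naming contexts.

Added example, not from the draft or the message. Assumptions: the DN to
domain mapping uses dc= components; the SRV owner name is _ldap._tcp.<domain>
(RFC 2782 conventions). DNS answers and root DSE data are constructed inline.
"""
import random
from typing import Dict, List, NamedTuple, Optional


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, normalising case and surrounding spaces.
    Minimal parser: handles backslash escapes, not quoted or hex values."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def dn_to_domain(dn: str) -> Optional[str]:
    """Map dc= components of a DN to a domain: 'cn=x,dc=example,dc=com' -> 'example.com'."""
    labels = [r.split("=", 1)[1] for r in split_rdns(dn) if r.startswith("dc=")]
    return ".".join(labels) if labels else None


def srv_owner_name(domain: str) -> str:
    # No trailing dot: it is a user-interface convention, not part of the wire name.
    return f"_ldap._tcp.{domain}"


def order_srv(records: List[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """Order per RFC 2782: ascending priority, weighted random pick within a priority."""
    rng = rng or random.Random(0)
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            acc = 0
            for r in pool:
                acc += r.weight
                if acc >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate(dn: str, dns: Dict[str, List[SRV]], rng=None) -> List[SRV]:
    """Look up exactly one SRV name. With no record, fail rather than walking
    up to the parent domain (the message argues walking should be forbidden)."""
    domain = dn_to_domain(dn)
    if domain is None:
        raise LookupError("DN has no dc= components; cannot derive a domain")
    name = srv_owner_name(domain)
    records = dns.get(name, [])
    if not records:
        raise LookupError(f"no SRV records at {name}; not walking to parent zones")
    return order_srv(records, rng)


def dn_under_context(dn: str, naming_contexts: List[str]) -> bool:
    """True if DN lies under (or equals) one of the advertised namingContexts."""
    rdns = split_rdns(dn)
    for ctx in naming_contexts:
        c = split_rdns(ctx)
        if len(c) <= len(rdns) and rdns[len(rdns) - len(c):] == c:
            return True
    return False


# Constructed DNS answers and root DSE attributes (hypothetical hosts).
DNS = {
    "_ldap._tcp.example.com": [
        SRV(0, 100, 389, "ldap1.example.com"),
        SRV(0, 50, 389, "ldap2.example.com"),
        SRV(10, 0, 389, "backup.example.com"),
    ],
}
ROOT_DSE = {
    "ldap1.example.com": ["dc=example,dc=com"],
    "ldap2.example.com": ["dc=example,dc=com"],
    "backup.example.com": ["dc=other,dc=net"],  # spoofed or misdirected answer
}


def usable_servers(dn: str, dns=DNS, root_dse=ROOT_DSE) -> List[str]:
    """Locate servers, keep only those whose namingContexts (read over LDAP,
    here a constructed stand-in) cover DN."""
    return [s.target for s in locate(dn, dns)
            if dn_under_context(dn, root_dse.get(s.target, []))]


if __name__ == "__main__":
    print(usable_servers("cn=Jane Doe, ou=People, dc=Example, dc=COM"))
```

The naming-context check is the LDAP-side verification the message asks for: a forged SRV answer can steer the client to backup.example.com, but that host's root DSE does not advertise dc=example,dc=com, so it is dropped.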