Re: [nfsv4] [FedFS] meeting agenda (10/1)
On Wed, Sep 30, 2009 at 06:19:41PM -0400, James Lentini wrote:
> + Discuss Open Issues
>
> - Configurable NSDB port?
>
> - fedfsNfsPathname format
>
> - FSN format: <NSDB location, LDAP base DN, UUID>
>
> - NSDB location format: hostname or SRV RR?
Conveniently enough, the FSN format had better include the NSDB port #
if SRV RRs are not in use, unless you wish to have a single alternative
port number used throughout. Yet another way in which SRV RRs help
here.
As a compromise, you could try SRV RR queries, then fall back on A
RRsets, but I don't think that simplifies anything (it's not RRset
administration that's the problem -- it's the code to do SRV RR queries
that is). We all already have SRV RR query code for other purposes, so
I say just use SRV RRs.
Also, see my secdir evaluation of the requirements document: you may
want to include optional authentication information in the FSN format:
FSN = {NSDB information, UUID}
NSDB information = {NSDB domainname, [LDAP base DN],
                    [TLS certificate fingerprint or trust anchor name/fingerprint]}
The LDAP base DN could be "" (which is what is currently required), some
arbitrary DN, or, if not present, a DN derived from the domainname
(DC=leftmost-label,DC=next-to-leftmost-label,DC=...,DC=tld).
If the NSDB TLS server authentication information is not present, then
use a set of TAs configured out of band, else use the specified TA or
server self-signed cert.
Nico
--
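The FSN layout and the fallback rules sketched in the message above, as an added illustration that is not part of the thread or of any FedFS implementation: the dataclass names, the `_ldap._tcp` SRV owner name, the default port of 389 and the injected `srv_lookup` callback are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical representation of the proposed FSN:
# FSN = {NSDB information, UUID}, where the NSDB information carries the
# domain name, an optional LDAP base DN and optional TLS trust information.
@dataclass
class NsdbInfo:
    domainname: str
    base_dn: Optional[str] = None          # None = absent, "" = empty DN
    tls_fingerprint: Optional[str] = None  # server cert or trust-anchor fingerprint

@dataclass
class Fsn:
    nsdb: NsdbInfo
    uuid: str

DEFAULT_LDAP_PORT = 389  # assumed default when neither SRV RR nor port is given

def derived_base_dn(domainname: str) -> str:
    """DC=leftmost-label,DC=...,DC=tld derived from the NSDB domain name."""
    labels = [l for l in domainname.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)

def effective_base_dn(info: NsdbInfo) -> str:
    """Explicit base DN (possibly "") wins; if absent, derive it from the name."""
    return info.base_dn if info.base_dn is not None else derived_base_dn(info.domainname)

def trust_policy(info: NsdbInfo, out_of_band_tas: list) -> dict:
    """Pin to the FSN-supplied fingerprint if present, else use configured TAs."""
    if info.tls_fingerprint:
        return {"mode": "pinned", "fingerprint": info.tls_fingerprint.lower()}
    if not out_of_band_tas:
        raise ValueError("no TLS trust information for NSDB " + info.domainname)
    return {"mode": "trust-anchors", "anchors": list(out_of_band_tas)}

def resolve_nsdb(info: NsdbInfo, srv_lookup: Callable[[str], list]) -> tuple:
    """Try SRV for _ldap._tcp.<domain>; only if no SRV RRset exists fall back
    to the bare domain name on the default port (the fallback the message
    argues is not worth the extra code)."""
    records = srv_lookup(f"_ldap._tcp.{info.domainname}")  # [(prio, weight, port, target)]
    if records:
        # lowest priority value first; weighted choice among equal priorities omitted
        prio, weight, port, target = min(records, key=lambda r: r[0])
        return target, port
    return info.domainname, DEFAULT_LDAP_PORT
```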