Kerberos behind load balancer?

Ken Raeburn raeburn at MIT.EDU
Wed Oct 6 00:03:38 EDT 2004

On Oct 5, 2004, at 23:15, Jason T Hardy wrote:
> Sam,
> Actually, a load balancer simplifies client deployment in our case (we
> can't utilize DNS load balancing on our campus). We can, with a load
> balancer, have all of the KDC's share one hostname. Our kadmin server
> can also share that hostname.
>  kerberos:88 -> points to our KDC's

(I hope by "DNS load balancing" that you can't do, you're only 
referring to the hacks that return a different address per query, based 
on load.)

I think there are better solutions to that.  (1) Create a DNS name 
which points to multiple addresses; typically the nameserver will 
change the order randomly, which will effect some load balancing.  (2) 
Use DNS SRV records to return the names of the various KDCs, with equal 
priority.  Granted, these approaches aren't load-sensitive, but the DNS 
SRV record approach will let you do some uneven load balancing by 
adjusting the weights based on the capabilities of each server.  
They'll also let you spread out your KDCs to a couple of locations, if 
you don't want to risk a single point of failure.

> Further, we can bring systems up/down or add/remove new systems without
> requiring modifications to the client configurations.

The DNS records pointing to the N KDC addresses can be updated without 
changing client configurations.

Even if you don't update the DNS records for a while, it should only 
cause a delay of a couple seconds or so (using the MIT code) per 
offline KDC, and only when the clients choose those KDCs first.


More information about the Kerberos mailing list