Kerberos behind load balancer?

Ken Hornstein kenh at
Wed Oct 6 13:14:34 EDT 2004

>If we could modify DNS to do DNS round-robin, we too would be okay.  But
>we can't.

This is the part I don't understand.  _WHY_ do you think you need
this?  I've literally run 6 years with a very simple setup: two KDCs,
each one listed in DNS and our krb5.conf.  On the rare occasions we
lose a master, the backup answers requests.  I either fix the master or
bring up the slave as the master temporarily (it usually takes me a
while to notice this, because everything keeps running normally).  This
is pretty much what everyone I know does.  We'd all like multi-master, but
it hasn't impacted operations in my experience.
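
A sketch of the two-KDC layout described in the message above, added here as an illustration and not taken from the original post. The realm `EXAMPLE.COM` and the host names `kdc1`/`kdc2` are placeholders, and the use of SRV records for the DNS side is an assumption, since the post does not say which record type was used.

```ini
# /etc/krb5.conf on a client. Realm and host names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Allow SRV lookups for realms that have no kdc entries in this file.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Both KDCs are listed. The client tries them in order and moves
        # on to the next one when a KDC does not answer, so no load
        # balancer or round-robin record is needed for failover.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Password changes and kadmin go to the master only. This is the
        # one service that stops while the master is down.
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM

# DNS side, for clients without a local [realms] stanza (zone-file
# syntax shown as comments; lower SRV priority is tried first):
#   _kerberos._udp.example.com.     IN SRV  0 0 88  kdc1.example.com.
#   _kerberos._udp.example.com.     IN SRV 10 0 88  kdc2.example.com.
#   _kerberos._tcp.example.com.     IN SRV  0 0 88  kdc1.example.com.
#   _kerberos._tcp.example.com.     IN SRV 10 0 88  kdc2.example.com.
#   _kerberos-adm._tcp.example.com. IN SRV  0 0 749 kdc1.example.com.
```

If the slave is promoted during an outage, `admin_server` and the `_kerberos-adm` record are the entries that have to point at the new master; the `kdc` entries can stay as they are.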


