Prioritizing KDC's

Ken Raeburn raeburn at MIT.EDU
Fri Sep 24 20:11:20 EDT 2004

On Sep 24, 2004, at 19:45, John Rudd wrote:
> I have a question about the ordering of KDC's in the krb5.conf file.  
> Do
> clients use the order listed in the file as "the order to try for
> queries" (sort of like the way resolv.conf works), or is the order
> determined in another fashion?

Hi, John.  Yes, if the KDCs are listed in the config file, that's the 
order we contact them in.

Actually, it's a round-robin process, we go through each in order, and 
then we go through the list a couple more times, and wait a while after 
each server and after each pass, and we stop when we get a response 
from any server we've tried to reach, or we time out.  So server #2 
will be contacted after only a second or two (I forget exactly) after 
we fail to get an answer from server #1.

If you use DNS SRV records, the priority indicated there dictates the 
order.  Of servers listed with equal priority, we pick randomly.  We 
understand the desire to optimize that case, we just don't have code, 
or even a good heuristic, yet.

> My specific reason for asking is that we're considering setting up a
> secondary KDC or two that will be dedicated to a specific application
> group.  We want machines within that group to query those KDC's first,
> and only reach out to the the main KDC's when the local KDC's are down.
> I've never toyed with this type of arrangement, so I'm curious about
> what the right way to tackle it might be.

Locally modified config files should certainly do the trick.  Or, if 
you're doing any interesting hacks in a DNS server for them 
specifically, you could feed them a different set of SRV records.


More information about the Kerberos mailing list