Slow response with multiple KDCs

Danny Mayer mayer at ntp.isc.org
Thu Sep 21 08:33:40 EDT 2006


Ken Raeburn wrote:
> At one point, the library may try to look up the "master KDC" (so if
> you get an "incorrect password" type result but were talking to a  
> slave KDC that may not have your password change from 30 seconds ago,  
> it then tries a KDC that would have it); offhand, I'm not sure how  
> many DNS queries that's likely to generate.  Here at MIT, we've got a  
> SRV record for _kerberos_master._udp.athena.mit.edu listing one host,  
> so we do get one additional lookup for that name.  (Oddly, we don't  
> get two, for A and AAAA; I should look at why that is.)
> 

The DNS will always return all matches to the query including queries
for SRV requests. When you do the additional lookup for the name,
getaddrinfo() I assume, the lookup returns all AAAA and A addresses
unless you have configured the call to only look up one or the other.
There is no need for a separate lookup. getaddrinfo() returns ALL
addresses that match the query.

Danny


