Correct DNS Behavior
Michael B Allen
mba2000 at ioplex.com
Thu May 31 17:10:56 EDT 2007
On Thu, 31 May 2007 13:48:13 -0400
Ken Raeburn <raeburn at MIT.EDU> wrote:
> > I want to fix this but I don't know what the correct behavior is in
> > this scenario.
> >
> > Can someone tell me why this failed and what the correct behavior
> > should be?
>
> Usually the client is set up to talk to a recursive resolver that'll
> talk to the other nameservers. It sounds like it's not doing that,
> or it's getting the wrong results.
>
> A couple things you might check just in case, though they're probably
> not the problem: (1) IPv6-only KDCS?
Well I left out the AAAA queries that were failing as well.
> (2) Does dns2.example.com
> really have the KDC addresses?
Mmm, no. At least it cannot resolve the hostnames of KDCs it's supposed
to be an authority for.
Actually I'm going to try just putting an IP in the krb5.conf like:
[realms]
EXAMPLE.COM = {
kdc = 192.168.1.2
}
I don't understand how a DNS server can answer an SRV record and not be
able to resolve the names it returns. We're either using a bad DNS server
or it must expect the client to recur on authority records 3 levels deep.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
More information about the Kerberos
mailing list