Correct DNS Behavior

Michael B Allen mba2000 at
Thu May 31 17:10:56 EDT 2007

On Thu, 31 May 2007 13:48:13 -0400
Ken Raeburn <raeburn at MIT.EDU> wrote:

> > I want to fix this but I don't know what the correct behavior is in
> > this scenario.
> >
> > Can someone tell me why this failed and what the correct behavior  
> > should be?
> Usually the client is set up to talk to a recursive resolver that'll  
> talk to the other nameservers.  It sounds like it's not doing that,  
> or it's getting the wrong results.
> A couple things you might check just in case, though they're probably  
> not the problem: (1) IPv6-only KDCS?

Well I left out the AAAA queries that were failing as well.

>  (2) Does  
> really have the KDC addresses?

Mmm, no. At least it cannot resolve the hostnames of KDCs it's supposed
to be an authority for.

Actually I'm going to try just putting an IP in the krb5.conf like:

        EXAMPLE.COM = {
                kdc =

I don't understand how a DNS server can answer an SRV record and not be
able to resolve the names it returns. We're either using a bad DNS server
or it must expect the client to recur on authority records 3 levels deep.


Michael B Allen
PHP Active Directory Kerberos SSO

More information about the Kerberos mailing list