Question about dns_lookup_realm and domain_realm

[Jos Backus]

Our setup employs two Kerberos realms, PROD.FOO.COM and DEV.FOO.COM under a
single DNS domain, foo.com. It would appear that dns_lookup_realm and the
addition of TXT RRs are supposed to handle this situation but it doesn't
appear to work.

Setup:

CentOS 5.1, krb5-1.6.1 RPMs.

kerberos1-dev.foo.com = master
kerberos2-dev.foo.com = slave, runs kpropd

DNS:

    _kerberos.kerberos1-dev.foo.com IN TXT DEV.FOO.COM
    _kerberos.kerberos2-dev.foo.com IN TXT DEV.FOO.COM

/etc/krb5.conf:

    [libdefaults]
     default_realm = DEV.FOO.COM
     dns_lookup_realm = true

    [realms]
     DEV.FOO.COM = {
      admin_server = kerberos1-dev.foo.com:749
     }
     PROD.FOO.COM = {
      admin_server = kerberos1-prod.foo.com:749
     }

    [domain_realm]
     .foo.com = PROD.FOO.COM

Running `kprop -f /var/kerberos/krb5kdc/slave_datatrans kerberos2-dev.foo.com' yields:

    kprop: Client not found in Kerberos database while getting initial ticket

Adding

  kerberos1-dev.foo.com = DEV.FOO.COM

to the domain_realm section makes kprop work. However, is is undesirable from
a maintenance point of view as a general fix.

strace'ing kprop reveals that it does not make any TXT DNS queries, which is
unexpected.

How is this supposed to work?

Thanks for any light you can shed on this mechanism.

-- 
Jos Backus
jos at catnook.com