Kerberos, DNS and AAAA records

james bardin jbardin at
Thu May 21 10:11:04 EDT 2009


I've seen this mentioned in a couple of posts in the archives, but I
didn't see any consensus as to whether this is correct, or

Basically, every kerberos call on a linux machine results in multiple
dns lookups for each server in krb5.conf.

Doing a kinit on my box, just ran 73 dns queries! If there's a problem
effecting dns, this severely impacts some systems. Also, a large bulk
of these are AAAA queries, with the domain name appended twice. The
first AAAA query is sent with the trailing '.', so I'm not sure why
there is a second attempt for domain.domain.

Why does every kerberos call need to lookup every kdc in the config
file, and not just the server which is going to be queried, and is
this configurable?

Why do we see AAAA lookups for server.domain.domain?

Our current config has 6 kdc lines for our domain.
I'm testing with Centos 5, so our krb5 libs are version 1.6.1


James Bardin <jbardin at>
Systems Analyst / Administrator
Boston University

More information about the Kerberos mailing list