Kerberos, DNS and AAAA records

Ravi Channavajhala ravi.channavajhala at
Thu May 21 10:58:49 EDT 2009

On Thu, May 21, 2009 at 7:41 PM, james bardin <jbardin at> wrote:
> Hello,
> I've seen this mentioned in a couple of posts in the archives, but I
> didn't see any consensus as to whether this is correct, or
> correctable.
> Basically, every kerberos call on a linux machine results in multiple
> dns lookups for each server in krb5.conf.
> Doing a kinit on my box, just ran 73 dns queries! If there's a problem
> affecting dns, this severely impacts some systems. Also, a large bulk
> of these are AAAA queries, with the domain name appended twice. The
> first AAAA query is sent with the trailing '.', so I'm not sure why
> there is a second attempt for domain.domain.

It is always best to terminate the KDC definition with an absolute domain
name such as (put a dot at the end).

> Why does every kerberos call need to lookup every kdc in the config
> file, and not just the server which is going to be queried, and is
> this configurable?
> Why do we see AAAA lookups for server.domain.domain?
> Our current config has 6 kdc lines for our domain.
> I'm testing with Centos 5, so our krb5 libs are version 1.6.1
> Thanks,
> -jim
> --
> James Bardin <jbardin at>
> Systems Analyst / Administrator
> Boston University
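To illustrate the resolver search-list behaviour behind the "server.domain.domain" AAAA queries, here is an added example (not code from the thread or from MIT Kerberos) that models the glibc search-list expansion and audits a constructed krb5.conf fragment for KDC names that lack a trailing dot; the ndots default of 1, the sample hosts and the search domain are assumptions.

```python
import re

# Constructed sample [realms] fragment (hypothetical hosts, not from the thread).
SAMPLE_KRB5_CONF = """
[realms]
 EXAMPLE.ORG = {
  kdc = kdc1.example.org:88
  kdc = kdc2.example.org.
  admin_server = kdc1.example.org
 }
"""

def parse_kdc_hosts(conf_text):
    """Collect host names from 'kdc =' and 'admin_server =' lines, port stripped."""
    hosts = []
    for m in re.finditer(r"^\s*(?:kdc|admin_server)\s*=\s*(\S+)", conf_text, re.M):
        host = re.sub(r":\d+$", "", m.group(1))   # drop an explicit :port suffix
        if host not in hosts:
            hosts.append(host)
    return hosts

def search_list_candidates(name, search_domains, ndots=1):
    """Model the glibc resolver: a name ending in '.' is queried once, as given.
    Otherwise, with at least `ndots` dots it is tried as-is first and then with
    each search domain appended (this yields 'server.domain.domain'); with fewer
    dots the search list is tried first and the bare name last."""
    if name.endswith("."):
        return [name]
    with_search = [f"{name}.{d.rstrip('.')}." for d in search_domains]
    if name.count(".") >= ndots:
        return [name + "."] + with_search
    return with_search + [name + "."]

def audit(conf_text, search_domains, record_types=("A", "AAAA")):
    """For each KDC host, estimate the DNS queries one lookup may issue (one per
    candidate name per record type) and flag names not anchored by a trailing dot."""
    report = {}
    for host in parse_kdc_hosts(conf_text):
        cands = search_list_candidates(host, search_domains)
        report[host] = {"anchored": host.endswith("."),
                        "candidates": cands,
                        "queries": len(cands) * len(record_types)}
    return report

if __name__ == "__main__":
    for host, info in audit(SAMPLE_KRB5_CONF, ["example.org"]).items():
        flag = "ok " if info["anchored"] else "FIX"
        print(f"{flag} {host:24} up to {info['queries']} queries: {info['candidates']}")
```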
