Kerberos, DNS and AAAA records

Ravi Channavajhala ravi.channavajhala at dciera.com
Thu May 21 10:58:49 EDT 2009


On Thu, May 21, 2009 at 7:41 PM, james bardin <jbardin at bu.edu> wrote:
> Hello,
>
> I've seen this mentioned in a couple of posts in the archives, but I
> didn't see any consensus as to whether this is correct, or
> correctable.
>
> Basically, every kerberos call on a linux machine results in multiple
> dns lookups for each server in krb5.conf.
>
> Doing a kinit on my box, just ran 73 dns queries! If there's a problem
> affecting dns, this severely impacts some systems. Also, a large bulk
> of these are AAAA queries, with the domain name appended twice. The
> first AAAA query is sent with the trailing '.', so I'm not sure why
> there is a second attempt for domain.domain.

It is always best to terminate the KDC definition with an absolute domain
name such as a.example.com. (put a dot at the end).

>
> Why does every kerberos call need to lookup every kdc in the config
> file, and not just the server which is going to be queried, and is
> this configurable?
>
> Why do we see AAAA lookups for server.domain.domain?
>
>
> Our current config has 6 kdc lines for our domain.
> I'm testing with Centos 5, so our krb5 libs are version 1.6.1
>
> Thanks,
> -jim
>
> --
> James Bardin <jbardin at bu.edu>
> Systems Analyst / Administrator
> Boston University
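As an added illustration (not code from either poster), the following models the stub-resolver search-list rule that produces the "server.domain.domain" lookups above: a name without a trailing dot is a candidate for having each search domain appended, so every KDC line yields extra A and AAAA queries, while a name ending in "." is treated as fully qualified and gets exactly one query per record type. The six-KDC configuration and the search domain are constructed sample values, and the model enumerates the full candidate list (an upper bound that ignores early stop on a successful answer).

```python
"""Approximate model of resolver search-list expansion for KDC hostnames.

Assumptions (not taken from the thread): glibc-style behaviour where a
name containing at least `ndots` dots is tried as-is first, then with
each search domain appended; a trailing dot marks the name absolute and
skips the search list entirely.
"""


def candidate_names(name, search_domains, ndots=1):
    """Return the query names a resolver would try for `name`, in order."""
    if name.endswith("."):
        # Fully qualified: the search list is never consulted.
        return [name]
    tried = []
    if name.count(".") >= ndots:
        tried.append(name + ".")
    for dom in search_domains:
        # This step is what yields kdc1.example.com.example.com.
        tried.append(f"{name}.{dom.rstrip('.')}.")
    if name.count(".") < ndots:
        tried.append(name + ".")
    return tried


def lookup_queries(kdcs, search_domains, families=("A", "AAAA")):
    """Every (qname, rrtype) pair issued while resolving all KDCs."""
    return [
        (qname, fam)
        for host in kdcs
        for qname in candidate_names(host, search_domains)
        for fam in families
    ]


# Constructed sample: six KDC lines (as in the original question) and one
# search domain from the host's resolver configuration.
KDCS = [f"kdc{i}.example.com" for i in range(1, 7)]
SEARCH = ["example.com"]

if __name__ == "__main__":
    relative = lookup_queries(KDCS, SEARCH)
    absolute = lookup_queries([k + "." for k in KDCS], SEARCH)
    print(len(relative), "queries without trailing dot, including", relative[1])
    print(len(absolute), "queries with trailing dot")
```

Adding the trailing dot to each kdc line in krb5.conf halves the query count in this model and removes the doubled-domain AAAA lookups entirely.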
