Kerberos, DNS and AAAA records

Ravi Channavajhala ravi.channavajhala at
Thu May 21 13:25:47 EDT 2009

On Thu, May 21, 2009 at 8:13 PM, Ken Raeburn <raeburn at> wrote:

>> Why does every kerberos call need to lookup every kdc in the config
>> file, and not just the server which is going to be queried, and is
>> this configurable?
> It's not going to only talk to one of them; it'll go through the list
> repeatedly, trying each until it gets an answer, or times out.  Again,
> it's a matter of the structure of the code -- we get a list of
> addresses and then loop over the list.  We could restructure it to
> look up the address when first needed, i.e., the first time we try to
> reach each server, but that'll add complexity to already complicated
> routines

I maintain a rather large site, where there are more than a dozen KDCs
across different locations.  Recently, I configured Windows 2003-R2/AD
as the central source of authentication for lot of Linux and Unix
servers.  The issue I'm facing here is the user logons are really
slow.  Capturing network traffic and looking at it, reveals the above
behavior.  Now, can you please help me understand what you mean by
"going through list repeatedly"?  Does this mean the querying is done
simultaneously to several KDCs in parallel?

Also, we dont use SRV/TXT for kdc/realm identification in DNS and I
dont explicitly specify the dns_lookup in the krb5.conf.  In this
context the dns_fallback automatically gets enabled, I'm thinking.
What is the consequence of dns_fallback defaulting to yes?

Excellent information BTW...

More information about the Kerberos mailing list