KDC name resolution question

John Washington jawashin at illinois.edu
Sun Feb 21 21:30:05 EST 2010


* Markus Moeller <huaraz at moeller.plus.com> [2010-02-21 12:55]:
> I have a Kerberos 1.4 client configured to use DNS lookup for the KDC. The
> environment has 23 AD servers for the domain. Everything is resiliently
> set up with 3 DNS servers. I now observe that when the first DNS server
> fails, a kinit takes 80 seconds or more.

DNS server, or domain controller, or both?  Sounds like you may be
getting double timeouts (DNS timeout then Kerberos timeout).  I would
try to have different orders for DNS servers and Kerberos servers if
they are hosted on the same hardware:

DNS:

server1
server2
server3

kerberos:

server2
server3
server1

> Some applications using Kerberos via
> pam_krb5 time out after 20 or 30 seconds or even less.  I wonder what would
> be the best way to configure the clients to reduce the authentication time?
> When I only configure 3 servers with DNS names in krb5.conf I still get 20
> second delays. A simple DNS lookup is about a second (e.g. it detects very
> quickly the second working DNS server).

You will always get downtime if there isn't a response back, as both DNS
and Kerberos will ask in serial to minimize network chatter.  3 servers
will look the same as 300 if only the primary host is down.  Caching DNS
libraries also alter the behavior for DNS, as the normal DNS downtime may have
been absorbed somewhere else (the library drops the first server after a
resolution failure), or it may be using a previously seen address.

> 
> Is the same DNS resolution method used in the newer Kerberos releases (I
> couldn't check yet)?

DNS is handled by the operating system libraries.  This means that
caching and other behaviors are controlled by your environment.

> 
> Thank you
> Markus 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
John Washington, Network Security Officer,
University of Illinois Urbana-Champaign
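As an added diagnostic that is not part of this thread: the script below times each DNS server and each KDC separately with a short bounded timeout, so you can answer the "DNS server, or domain controller, or both?" question before reordering anything. It assumes dig, coreutils timeout(1) and bash are installed; the realm and server names are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): probe DNS and KDC layers
# independently so a slow kinit can be attributed to the right layer.
# Assumptions: dig (bind-utils), timeout(1) and bash are available;
# realm and host names are placeholders supplied by the caller.

# Per-probe timeout in seconds: short, so a dead server shows up fast
# instead of stacking the resolver timeout on top of the Kerberos one.
TIMEOUT=2

# probe_dns NAMESERVER REALM: ask one DNS server for the Kerberos SRV record.
probe_dns() {
    start=$(date +%s)
    if dig "@$1" +time="$TIMEOUT" +tries=1 "_kerberos._tcp.$2" SRV +short >/dev/null 2>&1; then
        status=ok
    else
        status=FAIL
    fi
    echo "dns $1 $status $(( $(date +%s) - start ))s"
}

# probe_kdc HOST: open TCP/88 on one KDC with a bounded timeout.
probe_kdc() {
    start=$(date +%s)
    if timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/88" 2>/dev/null; then
        status=ok
    else
        status=FAIL
    fi
    echo "kdc $1 $status $(( $(date +%s) - start ))s"
}

# rotate HOST...: same hosts starting from the second one, i.e. the staggered
# kdc order for krb5.conf when DNS and KDC live on the same hardware.
rotate() {
    first=$1; shift
    echo "$* $first"
}

# Usage: sh probe.sh REALM server1 server2 server3
# (the same hosts serve DNS and Kerberos, as in the thread).
if [ $# -ge 2 ]; then
    realm=$1; shift
    for h in "$@"; do probe_dns "$h" "$realm"; done
    for h in $(rotate "$@"); do probe_kdc "$h"; done
    echo "suggested krb5.conf kdc order: $(rotate "$@")"
fi
```

A FAIL with a duration near TIMEOUT on the first DNS host but ok on the KDC probes points at the resolver path; a FAIL on a KDC probe with DNS ok points at the domain controller itself.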