another (different) KDC name resolution question

Abe Singer abe at ligo.caltech.edu
Mon Feb 22 16:54:19 EST 2010


I'm trying to understand whether this is a bug or a feature, but
it's problematic for us:

When a Kerberized daemon (server) gets contacted by a client, the server
does a name lookup of *all* the KDCs in the realm before attempting to contact
any KDC.  Normally this doesn't pose a problem.  But if the KDCs are hosted
in different domains, with different authoritative servers, and one of
those DNS servers is not responding, then the server waits for the timeout
before eventually contacting the first KDC on the list for ticket validation.

In other words, if your krb5.conf has this:

	[realms]
	  EXAMPLE.COM = {
	    kdc = kdc1.example.com
	    kdc = kdc2.other-domain.com
	    kdc = kdc3.another-domain.com:88
	  }


And the nameserver(s) for kdc3.another-domain.com are not responding,
all servers will respond very slowly to clients, because they will wait
for the DNS lookups for kdc3.another-domain.com to time out before
attempting to contact kdc1.example.com.

The intuitive behavior would be for the server to look up only kdc1.example.com
and contact it, and if there is no answer, *then* look up the next KDC on the list.

So, is this behavior intentional, or a bug triggered by an unusual situation?

And yes, we have actually observed this behavior, and verified that the
server does name lookups before doing KDC queries.

Thanks,

-- Abe
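The two lookup strategies contrasted in the post, modelled as an added example (this is not MIT Kerberos code and does not reproduce its locator internals): a small parser for the `[realms]` stanza quoted above, a constructed stand-in resolver in which one KDC's nameserver never answers, and an "eager" locator (resolve every KDC first, as the post observed) beside a "lazy" one (resolve and try one KDC at a time). The addresses, the 30-second DNS timeout and the function names are assumptions chosen for the illustration.

```python
"""Model of eager vs lazy KDC name resolution for a krb5.conf realm stanza."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed krb5.conf fragment mirroring the realm stanza from the post.
KRB5_CONF = """
[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.other-domain.com
    kdc = kdc3.another-domain.com:88
  }
"""

KDC = Tuple[str, int]
Located = Optional[Tuple[str, int, str]]


def parse_kdcs(conf: str, realm: str) -> List[KDC]:
    """Return (host, port) for each 'kdc =' line of the realm's stanza.

    Port defaults to 88 when absent. Bracketed IPv6 literals are not handled;
    the post only uses hostnames.
    """
    stanza = re.search(rf"{re.escape(realm)}\s*=\s*\{{(.*?)\}}", conf, re.S)
    if not stanza:
        return []
    kdcs: List[KDC] = []
    for m in re.finditer(r"^\s*kdc\s*=\s*(\S+)", stanza.group(1), re.M):
        host, sep, port = m.group(1).rpartition(":")
        if not sep:  # no ':' present, so the whole token is the host
            host, port = port, "88"
        kdcs.append((host, int(port)))
    return kdcs


class FakeResolver:
    """Constructed DNS stand-in: host -> address, None = nameserver never answers.

    Each unanswered query charges a full resolver timeout to `elapsed`, which is
    what the post describes: the server waits for the lookup to time out.
    """

    def __init__(self, table: Dict[str, Optional[str]], timeout: float = 30.0):
        self.table = table
        self.timeout = timeout  # assumed resolver timeout, in seconds
        self.queried: List[str] = []
        self.elapsed = 0.0

    def resolve(self, host: str) -> Optional[str]:
        self.queried.append(host)
        addr = self.table.get(host)
        if addr is None:
            self.elapsed += self.timeout
        return addr


def locate_eager(kdcs: List[KDC], resolver: FakeResolver) -> Located:
    """Resolve every configured KDC up front, then pick the first that resolved.

    This is the ordering the post reports: an unresponsive nameserver for any
    KDC delays contact with all of them.
    """
    resolved = [(host, port, resolver.resolve(host)) for host, port in kdcs]
    for host, port, addr in resolved:
        if addr is not None:
            return (host, port, addr)
    return None


def locate_lazy(kdcs: List[KDC], resolver: FakeResolver) -> Located:
    """Resolve one KDC at a time and stop at the first that answers.

    This is the behaviour the post calls intuitive: later KDCs are only looked
    up if the earlier ones fail.
    """
    for host, port in kdcs:
        addr = resolver.resolve(host)
        if addr is not None:
            return (host, port, addr)
    return None


def simulate(strategy: Callable[[List[KDC], FakeResolver], Located]):
    """Run a strategy against the constructed realm; return (chosen, queried, elapsed)."""
    resolver = FakeResolver({
        "kdc1.example.com": "192.0.2.10",        # constructed address
        "kdc2.other-domain.com": "192.0.2.20",   # constructed address
        "kdc3.another-domain.com": None,         # its nameserver never responds
    })
    kdcs = parse_kdcs(KRB5_CONF, "EXAMPLE.COM")
    chosen = strategy(kdcs, resolver)
    return chosen, resolver.queried, resolver.elapsed


if __name__ == "__main__":
    for name, strategy in (("eager", locate_eager), ("lazy", locate_lazy)):
        chosen, queried, elapsed = simulate(strategy)
        print(f"{name}: chose {chosen}, queried {queried}, waited {elapsed:.0f}s")
```

Both strategies end up at kdc1.example.com; the difference is that the eager locator has already queried all three names and absorbed the full timeout for kdc3.another-domain.com before it talks to anyone, while the lazy locator never touches the broken domain at all. When diagnosing this on a real host, the same comparison can be made by timing the lookups for each configured KDC individually and checking whether the slow one is the one behind the unresponsive nameserver.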