another (different) KDC name resolution question

Abe Singer abe at ligo.caltech.edu
Mon Feb 22 19:28:45 EST 2010


From my perspective on the DNS issue, we've got a workaround here that
should be good enough for us for the time being.

Thanks for the pointer to the roadmap.  I'd like to know more about
the item "plugins for password quality checks."  We're rolling our
own mod of kadmin that implements libcrack for password checking
(I've got a lot of good arguments for why that's way better than
complexity rules).  I was going to submit a patch for consideration.

If you're going to be implementing that sort of capability, I'd
vote for high priority for that.



On Mon, Feb 22, 2010 at 07:20:40PM -0500, Tom Yu wrote:
> To: Russ Allbery <rra at stanford.edu>
> Cc: Abe Singer <abe at ligo.caltech.edu>, kerberos at mit.edu
> Subject: Re: another (different) KDC name resolution question
> From: Tom Yu <tlyu at mit.edu>
> Date: Mon, 22 Feb 2010 19:20:40 -0500
> 
> Russ Allbery <rra at stanford.edu> writes:
> 
> > Abe Singer <abe at ligo.caltech.edu> writes:
> >
> >> Well, that at least explains it.
> >
> >> You could call it a misfeature, or just an unanticipated consequence.
> >> I suspect what we're doing here is a rare case.
> >
> > Actually, you are far from the only person to have had trouble with this.
> > It's one of the more frequent complaints about the library behavior that
> > I've seen, and it can cause some significant delays if one's DNS resolver
> > is slow for some reason.
> 
> Thanks; this is useful input.  Working around the address resolution
> latency issue probably requires redesign of some internal interfaces,
> as Greg mentioned, so we will need to allocate resources accordingly.
> I've added it to the roadmap.  If you and others could rank its
> priority relative to the roadmap items that are already tentatively
> slated for 1.9, that would also be helpful.
> 
>     http://k5wiki.kerberos.org/wiki/Roadmap


