DNS SRV RRs and priority
Jaap Winius
jwinius at umrk.nl
Thu May 31 21:33:23 EDT 2012
Hi folks,

One of the sites I maintain uses DNS SRV resource records to allow
Debian squeeze workstations to discover three MIT Kerberos key
servers. Like with all SRV records, it's possible to alter the
priority value, but my question is, does this ever make a difference?

I suppose it depends on the applications being used. In this case I've
got the krb5-config, krb5-user, kstart, libpam-krb5, libnss-ldapd and
nslcd packages installed on the workstations. krb5.conf has no KDC
entries configured, nslcd.conf includes "uri DNS", and it all works
fine.

This particular site has three office locations, each with a local
KDC. For the sake of redundancy, I used to have three SRV records, one
for each KDC, listed in the internal DNS view for each office. I
started out with each SRV record having the same priority.

The problem with this configuration was that, if one particular
location got cut off from the others, people at that site would have
problems logging in. My guess was that the workstations were trying to
contact the remote KDCs instead of the local one. Indeed, the solution
was simply to remove the two SRV records for the remote KDCs. However,
this means no redundancy.

So I tried an experiment: use three SRV records, but give the one for
the local KDC the highest priority. Unfortunately, this way the system
behaves just like in the first situation. So, now I'm back to using
one SRV RR per location.

Any comments?

Cheers,

Jaap
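
The target ordering that RFC 2782 specifies for SRV clients, shown as an added example that is not part of the original post: the lowest numeric priority value is contacted first, and records sharing a priority are picked by weighted random selection. The zone data and host names are constructed, and the post does not establish whether the Kerberos and nslcd clients on the workstations follow this ordering.

```python
import random
from collections import defaultdict

# Constructed zone data for one office's internal view (host names are hypothetical).
# SRV RDATA fields: priority weight port target
SAMPLE_ZONE = """\
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0  0 88 kdc-local.example.com.
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 10 0 88 kdc-remote1.example.com.
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 10 0 88 kdc-remote2.example.com.
"""

def parse_srv(zone_text):
    """Return (priority, weight, port, target) tuples from zone-file SRV lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 8 and fields[3].upper() == "SRV":
            prio, weight, port = (int(f) for f in fields[4:7])
            records.append((prio, weight, port, fields[7].rstrip(".")))
    return records

def rfc2782_order(records, rng=random):
    """Order targets as RFC 2782 describes: ascending priority value,
    then weighted random selection among records sharing a priority."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):  # lowest numeric value is contacted first
        pool = by_prio[prio]
        rng.shuffle(pool)                    # "any order" ...
        pool.sort(key=lambda r: r[1] != 0)   # ... with weight-0 records first
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:          # first running sum >= random number
                    ordered.append(pool.pop(i))
                    break
    return [(target, port) for _, _, port, target in ordered]

if __name__ == "__main__":
    for target, port in rfc2782_order(parse_srv(SAMPLE_ZONE)):
        print(f"{target}:{port}")
```

Under this algorithm, three records with the same priority give a random first choice, while a lower priority value on the local KDC record puts it first every time and leaves the remote KDCs as fallbacks.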