Running KDC as non-root and dockerize KDC

Russ Allbery eagle at eyrie.org
Sun Jan 6 14:32:32 EST 2019


Grant Taylor <gtaylor at tnetconsulting.net> writes:

> Do you happen to know off hand if DNS lookups for SRV records happen
> before or after initial connection attempts to the standard ports?

> If SRV records are looked up /before/ attempting to connect to standard
> ports, I could see adding SRV records as a simple optimization.

Before, in the sense that you mean, although it's a little more
complicated than that since krb5.conf configuration will override SRV
records (as you might expect).  So SRV records are only used when there's
no client configuration, and in that case the client otherwise isn't going
to know what to connect to, so there wouldn't be a connection attempt to a
standard port.

The idea of SRV record configuration is that all the client needs to know
is the realm, at which point it looks up the SRV records for that realm
and gets all the other server connection information it needs from that.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
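
Added example (not part of the original message or of any Kerberos implementation): a simplified Python model of the lookup order described above, where KDCs listed in krb5.conf override SRV records and a client that knows only the realm queries _kerberos._udp.<REALM>. The sample krb5.conf, realms, host names and SRV answers are constructed, and srv_lookup is a hypothetical stand-in for a real DNS resolver.

```python
import re

# Constructed krb5.conf: EXAMPLE.COM lists KDCs explicitly, EXAMPLE.ORG is absent.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com
    }
"""

# Constructed DNS answers: query name -> [(priority, weight, port, target)].
SAMPLE_SRV = {
    "_kerberos._udp.EXAMPLE.COM": [(0, 0, 88, "ignored.example.com.")],
    "_kerberos._udp.EXAMPLE.ORG": [(10, 0, 88, "kdc-b.example.org."),
                                   (0, 0, 88, "kdc-a.example.org.")],
}

def configured_kdcs(conf_text, realm):
    """Return (host, port) for each 'kdc =' line in the realm's block."""
    block = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                      conf_text, re.S | re.M)
    if not block:
        return []
    kdcs = []
    for entry in re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M):
        host, sep, port = entry.rpartition(":")   # IPv6 literals not handled
        kdcs.append((host, int(port)) if sep else (entry, 88))
    return kdcs

def locate_kdcs(realm, conf_text, srv_lookup):
    """Return (source, [(host, port), ...]) for the realm."""
    kdcs = configured_kdcs(conf_text, realm)
    if kdcs:
        return "krb5.conf", kdcs          # explicit config wins; no DNS query
    # Only the realm is known: ask DNS (the _tcp name works the same way).
    records = srv_lookup("_kerberos._udp." + realm)
    if not records:
        return "none", []                 # nothing to connect to
    ordered = sorted(records, key=lambda r: r[0])   # lowest priority first
    return "dns-srv", [(t.rstrip("."), p) for _, _, p, t in ordered]

def sample_lookup(name):
    """Hypothetical resolver backed by the constructed answers above."""
    return SAMPLE_SRV.get(name, [])

if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "EXAMPLE.ORG", "EXAMPLE.NET"):
        print(realm, locate_kdcs(realm, SAMPLE_KRB5_CONF, sample_lookup))
```

Because the SRV path trusts whatever DNS returns for the realm, the resolver path deserves the same integrity attention as krb5.conf itself.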

