Selective kdc discovery

Grant Taylor gtaylor at
Sun Nov 1 13:06:07 EST 2020

On 10/29/20 12:13 PM, Paul B. Henson wrote:
> Any other suggestions for achieving a separate primary/failover 
> configuration for two different network locations in a fashion that 
> would work properly with the Java kerberos client?

I have no idea if this would work or not.

But I would consider DNS views / host entries such that the first name 
in the list always resolved to the local server and subsequent names 
resolved to remote servers.

The other thing I might try is to work with the networking team to see 
if it's possible to have things on an anycast IP to attract clients to 
the closest server.  In the event that the close server has a problem, 
stop announcing the anycast IP and things will naturally go to the next 
closest server.

You might be able to achieve similar behavior with something like a load 

I have no idea what sort of protections are in place that might fight 
this or what would need to be done to overcome it.  Possibly having the 
local and remote instance be a clone of each other so that they seem to 
be the same entity.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the Kerberos mailing list