[krbdev.mit.edu #4114] no mechanism for timing out DNS lookups
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Sun Aug 6 18:56:00 EDT 2006
On Aug 6, 2006, at 18:08, Russ Allbery <rra at stanford.edu> via RT wrote:
> It would be nice to be able to specify a timeout for doing DNS lookups
> of, for instance, KDC IP addresses. Right now, the library just calls
> getaddrinfo and takes however long getaddrinfo takes. When Kerberos
> calls are done by a PAM module, this can result in login timeouts
> rather than failover to local authentication.
>
> Solving this problem will probably require using an asynchronous DNS
> mechanism such as described in RT#1453.
Well, if you get some free time on your hands... :-)
Unfortunately, the current service-location plugin API doesn't give
us the flexibility to do DNS processing and KDC exchanges in parallel
like I discussed in that ticket, but we could still do the DNS
queries in parallel and control the timeout. Well, that's not
entirely true, but without enhancing the interface between the send-to-kdc
code and the service-location code, it'll be messy. We *can*
enhance that interface... but we'll still have to support the current
one.
Doing DNS queries directly would bypass any /etc/hosts listing for
the machines in question, probably not desirable. And I don't know
if anyone really uses other host lookup protocols (nis?) these days...
Ken
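One portable way to bound the blocking getaddrinfo() call the ticket complains about, so a PAM caller can fail over instead of hanging: run the lookup in a helper thread and wait on it with a deadline. This is an added illustration, not krb5 code; the function name, the RESOLVE_TIMEOUT status and the hand-off protocol for an abandoned lookup are my own assumptions. Because getaddrinfo() still resolves through the normal resolver, /etc/hosts and nsswitch ordering are preserved.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>

#define RESOLVE_TIMEOUT (-1)  /* hypothetical status: deadline passed, lookup abandoned */

struct req {  /* shared between caller and helper thread; last one out frees it */
    pthread_mutex_t lock; pthread_cond_t done;
    char *host; struct addrinfo hints, *res;
    int rc, finished, abandoned;
};

static void req_free(struct req *r) {
    pthread_mutex_destroy(&r->lock); pthread_cond_destroy(&r->done);
    free(r->host); free(r);
}

static void *worker(void *arg) {
    struct req *r = arg; struct addrinfo *res = NULL;
    int rc = getaddrinfo(r->host, NULL, &r->hints, &res);  /* may block for a long time */
    pthread_mutex_lock(&r->lock);
    if (r->abandoned) {  /* caller already timed out: nobody else will free this */
        pthread_mutex_unlock(&r->lock);
        if (rc == 0) freeaddrinfo(res);
        req_free(r); return NULL;
    }
    r->rc = rc; r->res = res; r->finished = 1;
    pthread_cond_signal(&r->done); pthread_mutex_unlock(&r->lock);
    return NULL;
}

/* 0 on success (*out set, caller calls freeaddrinfo), an EAI_* code, or RESOLVE_TIMEOUT. */
int resolve_with_timeout(const char *host, int flags, long timeout_ms, struct addrinfo **out) {
    struct req *r = calloc(1, sizeof *r); pthread_t tid; struct timespec dl; int rc;
    if (!r || !(r->host = strdup(host))) { free(r); return EAI_MEMORY; }
    r->hints.ai_socktype = SOCK_STREAM; r->hints.ai_flags = flags;
    pthread_mutex_init(&r->lock, NULL); pthread_cond_init(&r->done, NULL);
    clock_gettime(CLOCK_REALTIME, &dl);  /* absolute deadline for the wait */
    dl.tv_sec += timeout_ms / 1000; dl.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (dl.tv_nsec >= 1000000000L) { dl.tv_sec++; dl.tv_nsec -= 1000000000L; }
    if (pthread_create(&tid, NULL, worker, r) != 0) { req_free(r); return EAI_SYSTEM; }
    pthread_detach(tid);
    pthread_mutex_lock(&r->lock);
    while (!r->finished && pthread_cond_timedwait(&r->done, &r->lock, &dl) != ETIMEDOUT) {}
    if (!r->finished) { r->abandoned = 1; pthread_mutex_unlock(&r->lock); return RESOLVE_TIMEOUT; }
    rc = r->rc; *out = r->res; pthread_mutex_unlock(&r->lock); req_free(r);
    return rc;
}
```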