[krbdev.mit.edu #4072] bug in DNS error handling in KDC location
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Fri Jul 28 17:06:33 EDT 2006
My KDC list for RAEBURN.ORG has four hosts at the moment, raeburn.org,
bad-host.raeburn.org, all-in-one.mit.edu, and all-in-one.ipv6.mit.edu.
The name bad-host.raeburn.org doesn't exist in DNS; this was
intentional to test an error path.
The nameserver for ipv6.mit.edu is offline at the moment.
Unfortunately, the temporary error this causes is not handled within
our KDC location code, and the code passes this error back up the
stack, rather than returning the addresses that can be found.
In lib/krb5/os, the test program t_locate_kdc shows this on my Red Hat
(rhel4) system:
% ./t_locate_kdc RAEBURN.ORG
in module_locate_server
ran off end of plugin list
module_locate_server returns -1765328135
looking in krb5.conf for realm RAEBURN.ORG entry kdc; ports 88,750
config file lookup failed: Profile relation not found
sending DNS SRV query for _kerberos._udp.RAEBURN.ORG.
walking answer list:
port=88 host=raeburn.org.
adding hostname raeburn.org., ports 88,0, family 0, socktype 2
setting element 0
count is now 1:
setting element 1
count is now 2:
setting element 2
count is now 3:
setting element 3
count is now 4:
port=88 host=bad-host.raeburn.org.
adding hostname bad-host.raeburn.org., ports 88,0, family 0, socktype 2
getaddrinfo("bad-host.raeburn.org.", "88", ...)
returns -2: Name or service not known
port=10088 host=all-in-one.mit.edu.
adding hostname all-in-one.mit.edu., ports 10088,0, family 0, socktype 2
setting element 4
count is now 5:
port=10088 host=all-in-one.ipv6.mit.edu.
adding hostname all-in-one.ipv6.mit.edu., ports 10088,0, family 0, socktype 2
getaddrinfo("all-in-one.ipv6.mit.edu.", "10088", ...)
returns -3: Temporary failure in name resolution
[end]
dns udp lookup returned error 11
krb5int_locate_server returning error code 11/Resource temporarily unavailable
t_locate_kdc: Resource temporarily unavailable - exiting
%
If some KDC locations can be determined, that list should be returned.
If no locations can be determined, then a temporary error raised in
the process should be returned. (I think we already try to do
something like that, but the logic is a bit confused -- you also want
to note permanent errors, but probably not return them except in the
absence of temporary failures or found addresses -- and it's not like
we've written up a set of test cases for modular testing here.)
Ken
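One way to implement the precedence the report asks for (found addresses first, then a temporary failure, a permanent failure only when nothing else happened), as an added example that is not krb5's own locate code: the per-host getaddrinfo() outcomes are constructed to match the transcript above rather than looked up live, and struct host_result, aggregate_kdc_lookup and report_scenario are hypothetical names.

```c
#include <netdb.h>
#include <stdio.h>

/* A KDC host name and a constructed getaddrinfo() outcome (not a live lookup). */
struct host_result {
    const char *host;
    int gai_code;           /* 0 on success, otherwise an EAI_* code */
};

/* Combine per-host outcomes with the precedence the report asks for: found
 * addresses win, then a temporary failure (EAI_AGAIN), and a permanent
 * failure such as EAI_NONAME is returned only when nothing else happened.
 * Hypothetical helper, not krb5's own locate code. */
int aggregate_kdc_lookup(const struct host_result *r, size_t n, size_t *found)
{
    int temp_err = 0, perm_err = 0;
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].gai_code == 0)
            ok++;                          /* usable address: keep it */
        else if (r[i].gai_code == EAI_AGAIN)
            temp_err = r[i].gai_code;      /* note it, but keep scanning */
        else if (perm_err == 0)
            perm_err = r[i].gai_code;      /* first permanent error only */
    }
    if (found)
        *found = ok;
    return ok > 0 ? 0 : (temp_err ? temp_err : perm_err);
}

/* The four-host list from the report: two resolve, one is NXDOMAIN, one
 * hits a temporary resolver failure. Expected: success with 2 hosts. */
int report_scenario(size_t *found)
{
    const struct host_result hosts[] = {
        { "raeburn.org.",             0 },
        { "bad-host.raeburn.org.",    EAI_NONAME },
        { "all-in-one.mit.edu.",      0 },
        { "all-in-one.ipv6.mit.edu.", EAI_AGAIN },
    };
    return aggregate_kdc_lookup(hosts, sizeof hosts / sizeof hosts[0], found);
}

int main(void)
{
    size_t found = 0;
    int rc = report_scenario(&found);
    printf("rc=%d (%s), %zu usable host(s)\n", rc, rc ? gai_strerror(rc) : "ok", found);
    return rc ? 1 : 0;
}
```

With the same four hosts the current code in the transcript returns "Resource temporarily unavailable"; this aggregation returns success with the two hosts that did resolve.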