host name resolution, again (krb5-1.3-alpha1 is available)

Nathan Neulinger nneul at
Fri Mar 14 21:43:29 EST 2003

Looks like someone at your site already did some nice work on that front
ripping out the useful dns portions of lbnamed into a module.

Very cool... Can just follow ISC's load-balancing recommendations and
delegate the host to the balancing dns server and configure it to return
a round-robin targeted cname and the problems with gssapi/telnet/ftp
should be solved without any major security or coding hassle.

-- Nathan

On Fri, 2003-03-14 at 20:16, Nathan Neulinger wrote:
> Ick. It'd be less trouble to just install lbnamed or similar and have it
> randomly return a cname.
> Multiple cnames in a response violates the DNS RFCs, but as far as I
> know, returning a _single_ cname with a random target should be fine.
> -- Nathan
> On Fri, 2003-03-14 at 20:10, Russ Allbery wrote:
> > Nathan Neulinger <nneul at> writes:
> > 
> > > A similar issue exists with other gssapi code. Makes it pretty difficult
> > > to do any kerberos functionality with dns-rotated hostnames.
> > 
> > > I've been able to hack around it for telnet (all keys installed on all
> > > the machines sharing the same name), but haven't figured out a way to
> > > make it work with ssh yet, and haven't even bothered with ftp. 
> > 
> > We wrap telnet with a script that does a forward and reverse DNS lookup to
> > get the "real" name of the current load-balance winner and then passes
> > that to the actual telnet binary.  Our PC and Mac code does the
> > equivalent.

Nathan Neulinger                       EMail:  nneul at
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
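
The wrapper described in the quoted message from Russ Allbery (forward lookup, reverse lookup, then pass the "real" name to the client), as an added example that is not code from this thread or from either site. The forward-confirmation of the PTR answer, the function names and the example.edu / 192.0.2.x records are assumptions constructed here.

```python
import socket

# Constructed sample zone (not from the thread): one rotated name, two real
# hosts, and one address whose PTR record does not forward-confirm.
FORWARD = {
    "login.example.edu": ["192.0.2.12", "192.0.2.11"],
    "login1.example.edu": ["192.0.2.11"],
    "login2.example.edu": ["192.0.2.12"],
    "spoofed.example.edu": ["192.0.2.66"],
    "kdc.example.edu": ["192.0.2.1"],
}
REVERSE = {
    "192.0.2.11": "login1.example.edu",
    "192.0.2.12": "login2.example.edu",
    "192.0.2.66": "kdc.example.edu",  # PTR claims a name that maps elsewhere
}

def sample_forward(name):
    # Same tuple shape as socket.gethostbyname_ex: (name, aliases, addresses)
    return (name, [], list(FORWARD[name]))

def sample_reverse(addr):
    # Same tuple shape as socket.gethostbyaddr: (name, aliases, addresses)
    return (REVERSE[addr], [], [addr])

def real_host(name, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Resolve a DNS-rotated name to the real name of the current winner."""
    addrs = forward(name)[2]
    if not addrs:
        raise LookupError(f"{name}: no addresses")
    addr = addrs[0]                       # current load-balance winner
    real = reverse(addr)[0].rstrip(".").lower()
    # Assumption added here: forward-confirm the PTR answer. The Kerberos
    # service principal is built from this name, so a PTR record that does
    # not resolve back to the same address must not be allowed to choose it.
    if addr not in forward(real)[2]:
        raise LookupError(f"{addr}: PTR {real} does not resolve back")
    return real, addr

def wrapped_argv(name, client="telnet", **resolvers):
    """argv for the actual client binary, given the real name, not the alias."""
    real, _ = real_host(name, **resolvers)
    return [client, real]

if __name__ == "__main__":
    print(wrapped_argv("login.example.edu",
                       forward=sample_forward, reverse=sample_reverse))
```

With the default resolvers the same functions query live DNS; the result is only as trustworthy as the DNS answers, since neither lookup is authenticated.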
