How often does MIT krb5 request KDC info through DNS?

Nico Williams nico at cryptonector.com
Mon Aug 4 13:29:59 EDT 2014


On Mon, Aug 04, 2014 at 01:28:31PM +0800, Wang Weijun wrote:
> KDC info can be retrieved from a DNS server, but how often does MIT
> krb5 request it? I grabbed some packets and it seems there are 6
> rounds of requests within 3 minutes. The DNS server I am querying
> returns answers with a TTL of 10 minutes, so it looks like it is not honored.

The Kerberos library isn't a DNS resolver; it uses one.

Therefore the Kerberos library should ask often, possibly even every
time it does a KDC request.

You should configure your system to have a caching resolver on
127.0.0.1.

> I tried to read the source code but haven't spotted a cache or
> anything similar.

Ideally there should be no cache for DNS results in the library.

Some things should be cached, like: the local host's FQDN (it shouldn't
change, right?), default realm (if not set and it had to be determined
from context, e.g., the user's or host's realm), and so on.  But not DNS
lookups -- that's the resolver's job.  If your resolver is not a caching
resolver, then fix it :)

Nico
-- 
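The division of labour Nico describes (the Kerberos library asks the resolver on every KDC request; a caching resolver on the host enforces the DNS TTL), as an added example that is not part of this thread and not MIT krb5's own code. The realm EXAMPLE.COM, the hosts kdc1/kdc2, the 600-second TTL and the six request timestamps are constructed sample data chosen to match the "6 rounds in 3 minutes" the original poster observed; the stand-in upstream server simply counts the queries that reach it.

```python
"""Added example (not from the krbdev thread or MIT krb5): a minimal
TTL-honoring cache for Kerberos SRV lookups, showing why the library can
query on every KDC request while the resolver is what honors the TTL.
Zone data, realm, hostnames and timings are constructed sample values."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line):
    """Parse one zone-file style SRV line, e.g.
    '_kerberos._udp.EXAMPLE.COM. 600 IN SRV 0 100 88 kdc1.example.com.'
    Returns (owner name, ttl, SrvRecord); owner/target are lower-cased."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl = fields[0].lower(), int(fields[1])
    prio, weight, port = (int(x) for x in fields[4:7])
    return owner, ttl, SrvRecord(prio, weight, port, fields[7].lower())


class UpstreamServer:
    """Stand-in for the authoritative DNS server (constructed, not real).
    Counts the queries that reach it, i.e. what a packet capture would show."""
    def __init__(self, zone_lines):
        self.answers = {}
        for line in zone_lines:
            owner, ttl, rr = parse_srv_line(line)
            self.answers.setdefault(owner, (ttl, []))[1].append(rr)
        self.queries = 0

    def query(self, name):
        self.queries += 1
        ttl, rrs = self.answers.get(name.lower(), (0, []))
        return ttl, list(rrs)


class CachingResolver:
    """Keeps each answer until its TTL expires, then asks upstream again.
    `clock` is injectable so the timeline below is deterministic."""
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream, self.clock = upstream, clock
        self.cache = {}  # name -> (absolute expiry time, records)

    def lookup(self, name):
        now = self.clock()
        entry = self.cache.get(name.lower())
        if entry and entry[0] > now:      # still within TTL: no upstream query
            return entry[1]
        ttl, rrs = self.upstream.query(name)
        self.cache[name.lower()] = (now + ttl, rrs)
        return rrs


class NonCachingResolver:
    """A stub resolver with no cache: every lookup goes upstream."""
    def __init__(self, upstream):
        self.upstream = upstream

    def lookup(self, name):
        return self.upstream.query(name)[1]


def kdc_srv_name(realm):
    return f"_kerberos._udp.{realm}.".lower()


def locate_kdc(resolver, realm):
    """What the Kerberos library does per KDC request: ask the resolver and
    keep no cache of its own. Returns the lowest-priority target(s)."""
    rrs = resolver.lookup(kdc_srv_name(realm))
    if not rrs:
        return []
    best = min(r.priority for r in rrs)
    return sorted(r.target for r in rrs if r.priority == best)


ZONE = [  # constructed sample zone, TTL 600 s (the 10 minutes in the thread)
    "_kerberos._udp.EXAMPLE.COM. 600 IN SRV 0 100 88 kdc1.example.com.",
    "_kerberos._udp.EXAMPLE.COM. 600 IN SRV 10 100 88 kdc2.example.com.",
]


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate(caching, request_times):
    """Issue one KDC lookup at each timestamp (seconds); return
    (number of queries that reached upstream, targets of the last lookup)."""
    upstream, clock = UpstreamServer(ZONE), FakeClock()
    resolver = CachingResolver(upstream, clock) if caching else NonCachingResolver(upstream)
    targets = []
    for t in request_times:
        clock.now = float(t)
        targets = locate_kdc(resolver, "EXAMPLE.COM")
    return upstream.queries, targets


if __name__ == "__main__":
    six_in_3min = [0, 30, 60, 90, 120, 150]
    print("no cache:   ", simulate(False, six_in_3min))   # 6 upstream queries
    print("with cache: ", simulate(True, six_in_3min))    # 1 upstream query
    print("past TTL:   ", simulate(True, [0, 599, 600]))  # refetch at expiry
```

With no resolver cache, six lookups in three minutes produce six upstream queries, which is exactly the capture described at the top of the thread; with a caching resolver in front of the same library behaviour, the first answer is reused until its 600-second TTL lapses and only then is the authoritative server asked again. On a real host the same check is done by running `dig _kerberos._udp.EXAMPLE.COM SRV` twice a few seconds apart: if the TTL in the answer counts down between the two runs, a caching resolver is answering; if it comes back at the full value every time, the queries are reaching the upstream server each time.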