Negative caching of unknown principals
nico at cryptonector.com
Mon Aug 4 13:32:33 EDT 2014
On Fri, Aug 01, 2014 at 04:46:27PM -0500, Nico Williams wrote:
> IMO a negative cache belongs in the ccache, with some TTL, and with
> kvno(1) always (or optionally) ignoring NAKs.
It'd be nice if the KDC could advertise a TTL for this.
Also, ideally such ccache entries should be like cc config entries, and
they should have a fixed-sized timestamp that can be overwritten to
immediately expire or refresh it as desired without having to enlarge
More information about the krbdev