How often does MIT krb5 request KDC info through DNS?

Weijun Wang weijun.wang at oracle.com
Tue Aug 5 03:38:28 EDT 2014


I wonder if it's easy to set up such a service. Here we are talking 
about the client side, which might be just a browser talking HTTP with 
"Windows Integrated Authentication".

--Max

On 8/5/2014 1:29, Nico Williams wrote:
> On Mon, Aug 04, 2014 at 01:28:31PM +0800, Wang Weijun wrote:
>> KDC info can be retrieved from a DNS server, but how often does MIT
>> krb5 request it? I grabbed some packets and it seems there are 6
>> rounds of requests within 3 minutes. The DNS server I am querying
>> returns answers with a TTL of 10 minutes, so it looks like it is not honored.
>
> The Kerberos library isn't a DNS resolver; it uses one.
>
> Therefore the Kerberos library should ask often, possibly even every
> time it does a KDC request.
>
> You should configure your system to have a caching resolver on
> 127.0.0.1.
>
>> I tried to read the source code but haven't spotted a cache or
>> something similar.
>
> Ideally there should be no cache for DNS results in the library.
>
> Some things should be cached, like: the local host's FQDN (it shouldn't
> change, right?), default realm (if not set and it had to be determined
> from context, e.g., the user's or host's realm), and so on.  But not DNS
> lookups -- that's the resolver's job.  If your resolver is not a caching
> resolver, then fix it :)
>
> Nico
>
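
The behaviour Nico describes, a client library that re-asks for the KDC SRV records on every request and relies on a caching resolver to honour the TTL, as an added example that is not part of this thread or of MIT krb5. The zone contents (realm EXAMPLE.COM, hosts kdc1/kdc2.example.com) and the clock are constructed so it runs offline; `simulate()` replays the 6-rounds-in-3-minutes pattern from the original post against a 10-minute TTL and reports how many queries reach the upstream server, with and without the cache.

```python
"""TTL-honouring cache in front of an upstream SRV lookup (added example).

The zone data and the clock are constructed sample values; nothing here
touches the network or MIT krb5 itself.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


@dataclass
class CachedAnswer:
    records: tuple
    expires_at: float  # absolute time in the resolver's clock


class FakeClock:
    """Deterministic clock so the TTL arithmetic can be checked exactly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CountingUpstream:
    """Stand-in for the upstream DNS server: constructed zone, counted queries."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.queries = 0
        self.zone = {  # hypothetical realm and KDC names
            "_kerberos._udp.example.com.": (
                SrvRecord(0, 100, 88, "kdc1.example.com."),
                SrvRecord(10, 100, 88, "kdc2.example.com."),
            ),
        }

    def query(self, name):
        self.queries += 1
        records = self.zone.get(name.lower())
        if records is None:
            raise LookupError(f"no SRV records for {name}")
        return records, self.ttl  # authoritative answers carry the full TTL


def kdc_srv_name(realm, proto="udp"):
    """SRV owner name a Kerberos client asks for to find a realm's KDCs."""
    return f"_kerberos._{proto}.{realm.lower().rstrip('.')}."


class CachingResolver:
    """Serves repeated lookups from cache until the answer's TTL runs out."""

    def __init__(self, upstream, clock=time.monotonic, enabled=True):
        self.upstream = upstream
        self.clock = clock
        self.enabled = enabled  # enabled=False models a non-caching stub
        self.cache = {}

    def lookup_srv(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if self.enabled and hit is not None and now < hit.expires_at:
            return hit.records
        records, ttl = self.upstream.query(name)
        if self.enabled:
            self.cache[name] = CachedAnswer(records, now + ttl)
        return records

    def remaining_ttl(self, name):
        """Seconds left on the cached answer (what a second `dig` would show)."""
        hit = self.cache.get(name)
        if hit is None:
            return 0
        return max(0, int(hit.expires_at - self.clock()))


def simulate(rounds, interval_s, ttl_s, caching=True):
    """Issue `rounds` lookups spaced `interval_s` apart; return
    (upstream queries sent, remaining TTL on the cached answer)."""
    clock = FakeClock()
    upstream = CountingUpstream(ttl_s)
    resolver = CachingResolver(upstream, clock=clock.now, enabled=caching)
    name = kdc_srv_name("EXAMPLE.COM")
    for _ in range(rounds):
        resolver.lookup_srv(name)
        clock.advance(interval_s)
    return upstream.queries, resolver.remaining_ttl(name)


if __name__ == "__main__":
    print("caching resolver, TTL 600s:", simulate(6, 30, 600))
    print("non-caching stub, TTL 600s:", simulate(6, 30, 600, caching=False))
    print("caching resolver, TTL 60s: ", simulate(6, 30, 60))
```

With a caching resolver the six client rounds cost one upstream query and the cached answer still has 420 s left; with a non-caching stub every round goes upstream, which is the packet pattern observed in the original post. Checking a real host the same way means querying the SRV name twice through the configured resolver and confirming the TTL in the second answer is lower than in the first.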

