How often does MIT krb5 request for KDC info through DNS?

Weijun Wang at
Tue Aug 5 03:38:28 EDT 2014

I wonder if it's easy to set up such a service. Here we are talking 
about the client side, which might be just a browser talking HTTP with 
"Windows Integrated Authentication".


On 8/5/2014 1:29, Nico Williams wrote:
> On Mon, Aug 04, 2014 at 01:28:31PM +0800, Wang Weijun wrote:
>> KDC info can be retrieved from a DNS server but how often does MIT
>> krb5 request for it? I grabbed some packets and it seems there are 6
>> rounds of requests within 3 minutes. The DNS server I am querying
>> returns answers with TTL of 10 minutes so it looks like not honored.
> The Kerberos library isn't a DNS resolver; it uses one.
> Therefore the Kerberos library should ask often, possibly even every
> time it does a KDC request.
> You should configure your system to have a caching resolver on
>> I tried to read the source codes but haven't spotted a cache or
>> something similar.
> Ideally there should be no cache for DNS results in the library.
> Some things should be cached, like: the local host's FQDN (it shouldn't
> change, right?), default realm (if not set and it had to be determined
> from context, e.g., the user's or host's realm), and so on.  But not DNS
> lookups -- that's the resolver's job.  If your resolver is not a caching
> resolver, then fix it :)
> Nico

More information about the krbdev mailing list