How often does MIT krb5 request for KDC info through DNS?

Greg Hudson ghudson at MIT.EDU
Tue Aug 5 10:19:36 EDT 2014


On 08/05/2014 07:12 AM, David Woodhouse wrote:
> I've watched firefox lock up for *minutes* at a time without redrawing
> itself, and I've found that it's stuck in Kerberos code mostly doing the
> same Legacy IP and IPv6 DNS lookups for the same set of 30-odd domain
> controllers, over and over and over and over and over again.
> 
> Yes, I deployed a local caching nameserver to help with that (and
> samba-winbind-krb5-locator, and now I'm playing with negative caching on
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN...). But I shouldn't have *had* to.

System administrators shouldn't have to, but platforms should.  From a
software engineering perspective, it's much better if the platform
provides DNS caching than if every application does its own getaddrinfo
caching.  It's also better from a behavior perspective, because
applications don't have easy access to DNS TTL information, while the
platform does.

That said, if the popular platforms aren't interested in providing this
service, at some point applications have to step in and solve the
problem even if it's not optimal.  We might add some amount of DNS
caching in libkrb5 at some point (with a very low internal TTL), though
it isn't super high on the priority list.
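To illustrate the trade-off discussed above, here is an added example (not code from MIT krb5 or from either poster) of what an application-side cache with a "very low internal TTL" looks like: because getaddrinfo() returns addresses but no DNS TTL, the cache must guess a short fixed lifetime, and it also remembers failed lookups briefly so repeated attempts against an unresolvable KDC do not turn into the lookup storm described in the thread. The class and function names, the TTL values, and the fake resolver are all constructed for this example.

```python
import socket
import time

# Constructed example: a short-fixed-TTL cache in front of getaddrinfo(), which
# hands back addresses but no DNS TTL, plus brief negative caching of failures.
POSITIVE_TTL = 5.0   # seconds to trust an answer whose real TTL we cannot see
NEGATIVE_TTL = 2.0   # seconds to remember that a KDC name failed to resolve

class KdcAddrCache:
    def __init__(self, resolver=socket.getaddrinfo, clock=time.monotonic):
        self._resolver, self._clock = resolver, clock
        self._entries, self.lookups = {}, 0   # key -> (expiry, addrs|None); resolver calls

    def resolve(self, host, port, family=socket.AF_UNSPEC):
        key, now = (host, port, family), self._clock()
        expiry, cached = self._entries.get(key, (0.0, None))
        if expiry > now:                       # fresh entry, positive or negative
            if cached is None:
                raise socket.gaierror(f"negative cache hit for {host}")
            return cached
        self.lookups += 1                      # cache miss: really ask the resolver
        try:
            infos = self._resolver(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            self._entries[key] = (now + NEGATIVE_TTL, None)
            raise
        addrs = sorted({sockaddr[0] for _f, _t, _p, _c, sockaddr in infos})
        self._entries[key] = (now + POSITIVE_TTL, addrs)
        return addrs

def demo():
    # Drive the cache with a constructed resolver and clock; no network needed.
    clock = [1000.0]
    def fake_resolver(host, port, family, socktype):
        if host.startswith("missing"):
            raise socket.gaierror(-2, "Name or service not known")
        return [(socket.AF_INET, socktype, 6, "", ("192.0.2.10", port)),
                (socket.AF_INET6, socktype, 6, "", ("2001:db8::10", port, 0, 0))]
    cache = KdcAddrCache(resolver=fake_resolver, clock=lambda: clock[0])
    addrs = cache.resolve("kdc1.example.com", 88)
    cache.resolve("kdc1.example.com", 88)            # within TTL: no resolver call
    lookups_before_expiry = cache.lookups
    clock[0] += POSITIVE_TTL + 1
    cache.resolve("kdc1.example.com", 88)            # expired: resolver asked again
    failures = 0
    for _ in range(3):                                # only the first reaches the resolver
        try:
            cache.resolve("missing.example.com", 88)
        except socket.gaierror:
            failures += 1
    return len(addrs), lookups_before_expiry, cache.lookups, failures
```

demo() returns (2, 1, 3, 3): two addresses, one resolver call before the entry expired, three calls in total, and three failures of which only the first actually reached the resolver.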


More information about the krbdev mailing list