How often does MIT krb5 request for KDC info through DNS?

Simo Sorce simo at redhat.com
Tue Aug 5 11:53:07 EDT 2014


On Tue, 2014-08-05 at 10:19 -0400, Greg Hudson wrote:
> On 08/05/2014 07:12 AM, David Woodhouse wrote:
> > I've watched firefox lock up for *minutes* at a time without redrawing
> > itself, and I've found that it's stuck in Kerberos code mostly doing the
> > same Legacy IP and IPv6 DNS lookups for the same set of 30-odd domain
> > controllers, over and over and over and over and over again.
> > 
> > Yes, I deployed a local caching nameserver to help with that (and
> > samba-winbind-krb5-locator, and now I'm playing with negative caching on
> > KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN...). But I shouldn't have *had* to.
> 
> System administrators shouldn't have to, but platforms should.  From a
> software engineering perspective, it's much better if the platform
> provides DNS caching than if every application does its own getaddrinfo
> caching.  It's also better from a behavior perspective, because
> applications don't have easy access to DNS TTL information, while the
> platform does.
> 
> That said, if the popular platforms aren't interested in providing this
> service, at some point applications have to step in and solve the
> problem even if it's not optimal.  We might add some amount of DNS
> caching in libkrb5 at some point (with a very low internal TTL), though
> it isn't super high on the priority list.

In Fedora, at least, we are planning on providing a caching resolver by
default soon.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
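As an added illustration of the low-internal-TTL caching Greg describes (example code, not MIT krb5's and not from any poster in this thread), here is a TTL-bounded resolver cache in Python driven by a constructed resolver and a fake clock instead of real DNS; the hostnames, record data and `simulate` harness are all made up for the demonstration.

```python
import socket
import time

# Constructed stand-in for the 30-odd domain controllers from the thread.
KDCS = [f"dc{i:02d}.example.test" for i in range(30)]

class TTLResolverCache:
    """Cache (host, family) -> addresses for a short library-chosen TTL,
    since the application cannot see the real DNS TTL."""
    def __init__(self, resolve, ttl=5.0, clock=time.monotonic):
        self._resolve = resolve  # callable(host, family) -> list of addresses
        self._ttl = ttl
        self._clock = clock
        self._entries = {}       # (host, family) -> (expires_at, addresses)
        self.lookups = 0         # number of times the real resolver ran

    def get(self, host, family):
        key, now = (host, family), self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.lookups += 1
        addrs = self._resolve(host, family)
        # Empty answers are cached too, so a KDC with no AAAA record is not
        # re-queried on every request (a simple negative cache).
        self._entries[key] = (now + self._ttl, addrs)
        return addrs

def locate_kdcs(cache):
    """One KDC-location pass: both address families for every KDC."""
    return {(h, f): cache.get(h, f)
            for h in KDCS for f in (socket.AF_INET, socket.AF_INET6)}

def fake_resolve(host, family):
    """Constructed records: every host has an A record, odd ones lack AAAA."""
    idx = int(host[2:4])
    if family == socket.AF_INET:
        return [f"192.0.2.{idx + 1}"]
    return [] if idx % 2 else [f"2001:db8::{idx + 1:x}"]

def simulate(passes, ttl, step):
    """Run `passes` location passes `step` seconds apart; return resolver calls."""
    clock = [0.0]
    cache = TTLResolverCache(fake_resolve, ttl=ttl, clock=lambda: clock[0])
    for _ in range(passes):
        locate_kdcs(cache)
        clock[0] += step
    return cache.lookups

if __name__ == "__main__":
    print(simulate(100, ttl=50, step=1), "lookups with a 50s TTL vs",
          simulate(100, ttl=0, step=1), "with no caching")
```

With the cache, 100 passes over 100 seconds cost 120 resolver calls (60 initially, 60 after the TTL expires); without it, the same workload makes 6000, which is the "over and over again" pattern David observed.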
