How often does MIT krb5 request for KDC info through DNS?

Nico Williams nico at cryptonector.com
Tue Aug 5 11:53:41 EDT 2014


On Tue, Aug 05, 2014 at 03:38:28PM +0800, Weijun Wang wrote:
> I wonder if it's easy to set up such a service. Here we are talking
> about the client side, which might be just a browser talking HTTP
> with "Windows Integrated Authentication".

Modern/decent OSes just have it, at least as an option.  You'll have to
read the docs.

As for JGSS performance, there are worse problems:

 - non-caching of some tickets

 - delegating credentials by default in the HTTP/Negotiate stack
   (forwarded tickets are generally not cached on the client side)

 - doing an HTTP request w/o authentication every time, thus getting a
   401 then trying again with Kerberos

 - servlets that don't use cookies to optimize away the GSS context
   setup per-request(!!!)

These things will kill performance worse than any lack of DNS caching.

DNS caching is most noticeable when you have connectivity or DNS server
stability issues, because the resolvers tend to have very long timeouts
and because a lot of apps do synchronous DNS lookups, so that hanging in
a DNS lookup is extremely noticeable to the user.  This isn't really
DNS' fault though, but the OS/library/app architecture's.

I'd much rather that Kerberos libraries used async DNS APIs than that
they implement a resolver cache!

Nico
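The two HTTP-layer problems Nico lists (an unauthenticated request that draws a 401 before every Kerberos attempt, and servlets that rebuild the GSS context on every request instead of issuing a session cookie) can be made concrete by counting round trips and context establishments. The following is an added example, not code from the post or from any Kerberos implementation: it is a constructed simulation in which `Server`, `Client`, `run` and the string `<constructed-token>` are invented names, the "GSS context" is just a counter standing in for `accept_sec_context`, and no sockets, Kerberos or JGSS calls are made.

```python
"""Round-trip model of HTTP/Negotiate clients and servers.

Constructed simulation (assumed names throughout): no real GSS-API, Kerberos
tickets or network I/O are involved. The server's expensive step, accepting a
GSS security context, is represented by a counter so the cost of each
client/server strategy can be compared directly.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Server:
    """Negotiate-protected resource. When use_session_cookie is set, a
    successful context establishment is remembered in a session so later
    requests carrying the cookie skip the GSS step entirely."""
    use_session_cookie: bool
    gss_accepts: int = 0                     # times the costly GSS accept ran
    sessions: Set[str] = field(default_factory=set)

    def handle(self, headers: Dict[str, str]) -> Response:
        cookie = headers.get("Cookie")
        if self.use_session_cookie and cookie in self.sessions:
            return Response(200)             # authenticated session, no GSS work
        token = headers.get("Authorization", "")
        if not token.startswith("Negotiate "):
            # Challenge: the client must come back with a Negotiate token.
            return Response(401, {"WWW-Authenticate": "Negotiate"})
        self.gss_accepts += 1                # stand-in for accept_sec_context()
        resp = Response(200)
        if self.use_session_cookie:
            sid = f"sess-{len(self.sessions) + 1}"   # constructed session id
            self.sessions.add(sid)
            resp.headers["Set-Cookie"] = sid
        return resp


@dataclass
class Client:
    """HTTP client. A preemptive client remembers that a host demanded
    Negotiate and sends the token on the first attempt next time, instead of
    paying for an unauthenticated request plus a 401 on every resource."""
    preemptive: bool
    requests_sent: int = 0
    knows_negotiate: bool = False
    cookie: Optional[str] = None

    def get(self, server: Server) -> int:
        headers: Dict[str, str] = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if self.preemptive and self.knows_negotiate and not self.cookie:
            headers["Authorization"] = "Negotiate <constructed-token>"
        self.requests_sent += 1
        resp = server.handle(headers)
        if resp.status == 401 and "Negotiate" in resp.headers.get("WWW-Authenticate", ""):
            # The extra round trip the post complains about.
            self.knows_negotiate = True
            headers["Authorization"] = "Negotiate <constructed-token>"
            self.requests_sent += 1
            resp = server.handle(headers)
        if "Set-Cookie" in resp.headers:
            self.cookie = resp.headers["Set-Cookie"]
        return resp.status


def run(preemptive: bool, use_session_cookie: bool, n: int = 10) -> Tuple[int, int]:
    """Fetch the same protected resource n times and return
    (HTTP requests sent, GSS contexts accepted by the server)."""
    server = Server(use_session_cookie)
    client = Client(preemptive)
    for _ in range(n):
        if client.get(server) != 200:
            raise RuntimeError("request did not succeed")
    return client.requests_sent, server.gss_accepts


if __name__ == "__main__":
    for pre in (False, True):
        for cookie in (False, True):
            reqs, accepts = run(pre, cookie)
            print(f"preemptive={pre!s:5} session_cookie={cookie!s:5} "
                  f"requests={reqs:2} gss_accepts={accepts:2}")
```

For ten fetches the naive pairing (no preemptive auth, no session cookie) sends twenty requests and accepts ten GSS contexts; a preemptive client alone cuts the requests to eleven but still forces ten context establishments, while a session cookie alone also reaches eleven requests and only one context establishment. Only the cookie removes the server-side Kerberos work, which is why the post ranks the servlet behaviour as the worse problem.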