[31152] in Kerberos


Re: Kerberos, DNS and AAAA records

daemon@ATHENA.MIT.EDU (Ravi Channavajhala)
Thu May 21 10:59:13 2009

MIME-Version: 1.0
In-Reply-To: <a3b675320905210711j1c00799bxb88a69adb2805692@mail.gmail.com>
Date: Thu, 21 May 2009 20:28:49 +0530
Message-ID: <73739dc10905210758m421f4ce6y7e3687e1ac12da80@mail.gmail.com>
From: Ravi Channavajhala <ravi.channavajhala@dciera.com>
To: james bardin <jbardin@bu.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, May 21, 2009 at 7:41 PM, james bardin <jbardin@bu.edu> wrote:
> Hello,
>
> I've seen this mentioned in a couple of posts in the archives, but I
> didn't see any consensus as to whether this is correct, or
> correctable.
>
> Basically, every Kerberos call on a Linux machine results in multiple
> DNS lookups for each server in krb5.conf.
>
> Doing a kinit on my box, just ran 73 DNS queries! If there's a problem
> affecting DNS, this severely impacts some systems. Also, a large bulk
> of these are AAAA queries, with the domain name appended twice. The
> first AAAA query is sent with the trailing '.', so I'm not sure why
> there is a second attempt for domain.domain.

It is always to terminate the KDC definition with an absolute domain
name such as a.example.com. (put a dot at the end).

>
> Why does every kerberos call need to lookup every kdc in the config
> file, and not just the server which is going to be queried, and is
> this configurable?
>
> Why do we see AAAA lookups for server.domain.domain?
>
>
> Our current config has 6 kdc lines for our domain.
> I'm testing with CentOS 5, so our krb5 libs are version 1.6.1
>
> Thanks,
> -jim
>
> --
> James Bardin <jbardin@bu.edu>
> Systems Analyst / Administrator
> Boston University
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
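
The trailing-dot advice in this thread can be checked mechanically. The following is an added example, not code from either poster or from the Kerberos project: a small audit that lists `kdc` host names in the `[realms]` section of a krb5.conf that are not absolute, which are the names a resolver may retry with search domains appended. The sample configuration, realm and host names are constructed, and the parser assumes the simple one-setting-per-line layout shown.

```python
import ipaddress
import re

# Constructed sample krb5.conf; the realm and host names are hypothetical.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com.:88
        kdc = 192.0.2.10
        kdc = [2001:db8::1]:88
        admin_server = kdc1.example.com.
    }
"""

def kdc_host(value):
    """Strip an optional :port from a kdc value and return the host part."""
    if value.startswith("["):                 # bracketed IPv6 literal
        return value[1:].partition("]")[0]
    if value.count(":") == 1:                 # host:port
        return value.split(":")[0]
    return value                              # bare host name or IPv6 literal

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def relative_kdc_names(conf_text):
    """Return (realm, host) for each kdc host name without a trailing dot."""
    findings, section, realm = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line)):
            host = kdc_host(m.group(1))
            if not is_ip_literal(host) and not host.endswith("."):
                findings.append((realm, host))
    return findings
```

IP literals are skipped because they involve no name lookup; only the `kdc` relation is checked, since that is the setting the thread discusses.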
