Slow response with multiple KDCs
Danny Mayer
mayer at ntp.isc.org
Thu Sep 21 08:33:40 EDT 2006
Ken Raeburn wrote:
> At one point, the library may try to look up the "master KDC" (so if
> you get an "incorrect password" type result but were talking to a
> slave KDC that may not have your password change from 30 seconds ago,
> it then tries a KDC that would have it); offhand, I'm not sure how
> many DNS queries that's likely to generate. Here at MIT, we've got a
> SRV record for _kerberos_master._udp.athena.mit.edu listing one host,
> so we do get one additional lookup for that name. (Oddly, we don't
> get two, for A and AAAA; I should look at why that is.)
>
The DNS will always return all matches to the query including queries
for SRV requests. When you do the additional lookup for the name,
getaddrinfo() I assume, the lookup returns all AAAA and A addresses
unless you have configured the call to only look up one or the other.
There is no need for a separate lookup. getaddrinfo() returns ALL
addresses that match the query.
Danny