
Disable DNS lookups of master_kdc

Steve Traylen requested to merge straylen/cern-krb5-conf:nosrv into master

For all cases where a kdc is set we additionally set kdc_master and dns_lookup_kdc = false

Motivation here is to avoid these pointless DNS lookups

188.185.89.93 queried     1597  times name _kerberos-master._tcp.CERN.CH
188.185.89.93 queried     1594  times name _kerberos-master._udp.CERN.CH
188.185.89.93 queried     1594  times name _kerberos.CERN.CH

The lookup of kerberos-master happens when the user types in a wrong password. krb5-libs retries with the master node just in case replication has not happened yet. Since we only have "one" cerndc.cern.ch this does not make sense but we should at least avoid these lookups.

These lookups are not cached for long (if at all) since they are non hits.

Edited by Steve Traylen
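
An added example, not part of this merge request: a small audit of krb5.conf text that reports the two conditions the description ties to the extra SRV queries. The sample configuration is constructed, the `EXAMPLE.TEST` realm is hypothetical, and the parser assumes the common multi-line `REALM = { ... }` layout.

```python
# Constructed sample; CERN.CH and cerndc.cern.ch are the names used above.
SAMPLE = """\
[libdefaults]
 default_realm = CERN.CH

[realms]
 CERN.CH = {
  kdc = cerndc.cern.ch
 }
 EXAMPLE.TEST = {
  kdc = kdc.example.test
  master_kdc = kdc.example.test
 }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: {key: [values]}})."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif line.startswith("}"):
            realm = None                  # end of a realm block
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = val
            elif section == "realms" and val.startswith("{"):
                realm = realms.setdefault(key, {})
            elif section == "realms" and realm is not None:
                realm.setdefault(key, []).append(val)
    return libdefaults, realms

def audit(text):
    """List settings that still leave KDC discovery to DNS."""
    libdefaults, realms = parse_krb5(text)
    findings = []
    # An unset dns_lookup_kdc is reported too: MIT krb5 defaults it to true.
    if libdefaults.get("dns_lookup_kdc", "").lower() not in ("false", "no", "0", "off"):
        findings.append("libdefaults: dns_lookup_kdc is not false")
    for name, opts in realms.items():
        # primary_kdc is the newer MIT krb5 name for master_kdc.
        if "kdc" in opts and not ({"master_kdc", "primary_kdc"} & opts.keys()):
            findings.append(f"{name}: kdc set without master_kdc")
    return findings
```
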
