[38413] in Kerberos


Re: Running KDC as non-root and dockerize KDC

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Jan 6 14:32:42 2019

From: Russ Allbery <eagle@eyrie.org>
To: Grant Taylor <gtaylor@tnetconsulting.net>
In-Reply-To: <cc87aebc-e93c-6431-c135-6ba49e1bdfb4@spamtrap.tnetconsulting.net>
	(Grant Taylor's message of "Sun, 6 Jan 2019 12:16:08 -0700")
Date: Sun, 6 Jan 2019 11:32:32 -0800
Message-ID: <87wonhinu7.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Grant Taylor <gtaylor@tnetconsulting.net> writes:

> Do you happen to know off hand if DNS lookups for SRV records happen
> before or after initial connection attempts to the standard ports?

> If SRV records are looked up /before/ attempting to connect to standard
> ports, I could see adding SRV records as a simple optimization.

Before, in the sense that you mean, although it's a little more
complicated than that since krb5.conf configuration will override SRV
records (as you might expect).  So SRV records are only used when there's
no client configuration, and in that case the client otherwise isn't going
to know what to connect to, so there wouldn't be a connection attempt to a
standard port.

The idea of SRV record configuration is that all the client needs to know
is the realm, at which point it looks up the SRV records for that realm
and gets all the other server connection information it needs from that.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
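The lookup order described in the reply above (explicit `kdc` entries in the realm's krb5.conf stanza win; SRV records are consulted only when no such entries exist), as an added example that is not part of the original message or of MIT krb5. The krb5.conf fragments and the `FAKE_DNS` table standing in for the resolver are constructed for the demonstration; the SRV owner names `_kerberos._udp.<REALM>` and `_kerberos._tcp.<REALM>` are the ones Kerberos clients actually query. Because SRV answers arrive over unauthenticated DNS unless DNSSEC validates them, pinning KDCs in krb5.conf is the more controlled option where it is practical, and this model makes that precedence explicit.

```python
"""Model how a Kerberos client locates KDCs for a realm.

Resolution order modelled here:
  1. krb5.conf [realms] stanza with 'kdc = host[:port]' entries -> use them.
  2. Otherwise query SRV records for the realm and order them by
     priority, then weight (RFC 2782).
This is illustrative code, not MIT krb5's locator.
"""
import re
from dataclasses import dataclass

DEFAULT_KDC_PORT = 88

# Constructed krb5.conf: explicit KDCs are configured for the realm.
KRB5_CONF_WITH_KDC = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org:88
        kdc = kdc2.example.org
        admin_server = kdc1.example.org
    }
"""

# Constructed krb5.conf: only the realm name is known; SRV lookup must fill the rest.
KRB5_CONF_WITHOUT_KDC = """
[libdefaults]
    default_realm = EXAMPLE.ORG
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed stand-in for a DNS resolver: SRV owner name -> answers.
FAKE_DNS = {
    "_kerberos._udp.EXAMPLE.ORG": [
        SrvRecord(priority=10, weight=50, port=88, target="kdc2.example.org"),
        SrvRecord(priority=0, weight=100, port=88, target="kdc1.example.org"),
    ],
    "_kerberos._tcp.EXAMPLE.ORG": [
        SrvRecord(priority=0, weight=100, port=88, target="kdc1.example.org"),
    ],
}


def kdcs_from_krb5_conf(conf_text, realm):
    """Return [(host, port)] for every 'kdc =' line in the realm's stanza."""
    realms = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", conf_text, re.S | re.M)
    if not realms:
        return []
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", realms.group(1), re.S)
    if not block:
        return []
    kdcs = []
    for line in block.group(1).splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() != "kdc" or not value.strip():
            continue
        # host[:port]; IPv6 literals in brackets are not handled in this model.
        host, sep, port = value.strip().partition(":")
        kdcs.append((host, int(port) if sep else DEFAULT_KDC_PORT))
    return kdcs


def srv_name(realm, transport):
    """SRV owner name a Kerberos client queries for the given transport."""
    return f"_kerberos._{transport}.{realm}"


def kdcs_from_srv(realm, transport, resolver):
    """Return [(host, port)] from SRV answers, lowest priority first,
    then highest weight (a real client randomises among equal priority by weight)."""
    answers = resolver.get(srv_name(realm, transport), [])
    ordered = sorted(answers, key=lambda r: (r.priority, -r.weight))
    return [(r.target, r.port) for r in ordered]


def locate_kdcs(conf_text, realm, transport="udp", resolver=FAKE_DNS):
    """Apply the precedence: krb5.conf entries override DNS SRV discovery."""
    configured = kdcs_from_krb5_conf(conf_text, realm)
    if configured:
        return "krb5.conf", configured
    return "dns-srv", kdcs_from_srv(realm, transport, resolver)


if __name__ == "__main__":
    for conf in (KRB5_CONF_WITH_KDC, KRB5_CONF_WITHOUT_KDC):
        source, kdcs = locate_kdcs(conf, "EXAMPLE.ORG")
        print(f"{source:9s} -> {kdcs}")
```

With the first fragment the configured hosts are returned in file order and DNS is never consulted; with the second, the SRV answers decide, and the record with priority 0 sorts ahead of the one with priority 10 regardless of the order the resolver returned them.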
