getKDCFromDNS called too often

Michael Osipov 1983-01-06 at gmx.net
Mon Jul 28 13:16:23 UTC 2014


Hi folks,

I am experiencing a performance degradation when JGSS tries to locate a KDC via DNS.
We have 120 KDCs running for our default realm. My Java code performs a SASL bind with Kerberos (keytab)
to get some data from AD over LDAP. This sometimes takes minutes, where weeks ago mere seconds were necessary.
It seems we now have double the number of KDCs, and this is the problem with JGSS.

I can see that the roundtrips with the KDC, like AS-REQ, preauth required, AS-REQ, AS-REP, TGS-REQ, TGS-REP, etc.,
are always preceded by a getKDCFromDNS. A grep and wc -l over my logfile shows 110 roundtrips for KDC lookup. This is insane.
The request time and payload slow down the entire operation.

Wouldn't it be possible to perform the lookup *once* and then issue all KDC requests to the KDC which is working?

I have to disable the DNS resolution for Java temporarily.

Michael
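The behaviour the post asks for, resolve the realm's KDCs once and then keep talking to the KDC that answered, as an added example that is not part of the original message and not OpenJDK's sun.security.krb5 code. It implements the RFC 2782 SRV ordering (ascending priority, weighted random within a priority) that a KDC locator applies to the _kerberos._tcp.<REALM> records, caches the ordered list per realm, and moves the last responsive KDC to the front so later AS-REQ/TGS-REQ round trips do not re-probe dead ones. The realm EXAMPLE.COM, its hosts and the resolver are constructed stand-ins so the code runs offline; a real locator would issue the SRV query instead.

```python
"""Cache-once KDC locator (added example; not OpenJDK code).

Resolves _kerberos._tcp.<REALM> SRV records a single time per realm, orders
them per RFC 2782, and reuses the list for every KDC round trip, sticking to
the first KDC that answered.  The resolver here is a constructed stand-in
returning fixed records for a hypothetical realm, so everything runs offline.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer for the hypothetical realm EXAMPLE.COM (not real hosts).
CONSTRUCTED_SRV = {
    "_kerberos._tcp.EXAMPLE.COM": [
        SrvRecord(0, 100, 88, "kdc1.example.com"),
        SrvRecord(0, 50, 88, "kdc2.example.com"),
        SrvRecord(10, 0, 88, "kdc-backup.example.com"),
    ],
}


class CountingResolver:
    """Stand-in for a DNS client; counts how many SRV queries were issued."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def srv(self, name):
        self.queries += 1
        return list(self.zone.get(name, []))


def order_srv(records, rng):
    """RFC 2782 selection: ascending priority, weighted random within a priority."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        # weight-0 records go first so they are only picked when the draw is 0
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


class KdcLocator:
    def __init__(self, resolver, rng=None):
        self.resolver = resolver
        self.rng = rng or random.Random(0)
        self._cache = {}      # realm -> ordered list of "host:port"
        self._preferred = {}  # realm -> KDC that answered most recently

    def kdcs(self, realm):
        """Ordered candidate list for the realm; DNS is consulted at most once."""
        if realm not in self._cache:
            recs = self.resolver.srv(f"_kerberos._tcp.{realm}")
            self._cache[realm] = [f"{r.target}:{r.port}" for r in order_srv(recs, self.rng)]
        candidates = list(self._cache[realm])
        preferred = self._preferred.get(realm)
        if preferred in candidates:
            candidates.remove(preferred)
            candidates.insert(0, preferred)
        return candidates

    def exchange(self, realm, send):
        """Try KDCs in order; `send(kdc)` returns a reply or None on timeout."""
        for kdc in self.kdcs(realm):
            reply = send(kdc)
            if reply is not None:
                self._preferred[realm] = kdc
                return kdc, reply
        raise RuntimeError(f"no KDC for {realm} answered")


def simulate_bind(locator, realm, dead=frozenset()):
    """Replay the round trips the post lists (AS-REQ, AS-REQ with preauth, TGS-REQ).

    Returns the KDC used per exchange and the total number of send attempts;
    `dead` is the constructed set of KDCs that never answer.
    """
    attempts = [0]

    def send(kdc):
        attempts[0] += 1
        return None if kdc in dead else "ok"

    used = []
    for _msg in ("AS-REQ", "AS-REQ (preauth)", "TGS-REQ"):
        kdc, _reply = locator.exchange(realm, send)
        used.append(kdc)
    return used, attempts[0]


if __name__ == "__main__":
    resolver = CountingResolver(CONSTRUCTED_SRV)
    used, attempts = simulate_bind(KdcLocator(resolver), "EXAMPLE.COM",
                                   dead={"kdc1.example.com:88", "kdc2.example.com:88"})
    print(f"KDCs used: {used}, send attempts: {attempts}, SRV queries: {resolver.queries}")
```

With both priority-0 KDCs unreachable, the first exchange walks the list and lands on the backup; the second and third go straight to it, so three round trips cost one SRV query and five send attempts instead of three queries and nine attempts. The workaround the post mentions, disabling DNS resolution for Java, corresponds to `dns_lookup_kdc = false` under `[libdefaults]` in krb5.conf together with explicit `kdc =` entries in the realm's `[realms]` stanza; `dig SRV _kerberos._tcp.<REALM>` shows how many records the locator has to work through.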



More information about the security-dev mailing list