getKDCFromDNS called too often
Michael Osipov
1983-01-06 at gmx.net
Tue Jul 29 09:42:09 UTC 2014
> I understand your problem. Will see what we can do. When you say "Wouldn't it be possible to perform the lookup *once* and then issue all KDC requests to the KDC which is working?" do you mean the DNS query result could contain KDCs which do not work? Is this common?
It can contain invalid entries. Slave DNS servers aren't up to date or a KDC has been dismantled but stale records exist.
> Guess there is no need for log file, I know we don't cache the result of that method.
Yes, the caching is vital if the response is big. It consumes too much time.
I have retried that with MIT Kerberos 1.12.1 on that machine with gss-client. Turned on DNS resolution and
KRB5_TRACE. It does several SRV lookups but far fewer than JGSS and it is extremely fast. I have a TGT and service ticket
in seconds.
> On Jul 29, 2014, at 1:01, Michael Osipov <1983-01-06 at gmx.net> wrote:
>
> >
> >>
> >> Is it possible to specify the kdc for the realm inside krb5.conf? Java only uses DNS to get the kdc when it cannot read one from krb5.conf.
> >
> > Max, this is what I did but this is not a solution because we have dozens of realms which in turn have tens of KDCs.
> > Adding those static lists to all Unix machines is annoying. It defeats the whole purpose of DNS SRV.
> >
> > To compare numbers, the entire LDAP operation requires from request to display in the browser no more than 4 seconds with static KDCs.
> > With DNS resolutions: minutes.
> >
> > If you are interested, I can provide log files privately. Moreover, I have access to My Oracle Support if necessary.
> >
> > Michael
> >
> >> On Jul 28, 2014, at 21:16, Michael Osipov <1983-01-06 at gmx.net> wrote:
> >>
> >>> Hi folks,
> >>>
> >>> I am experiencing a performance degradation when JGSS tries to locate a KDC via DNS.
> >>> We have for our default realm 120 KDCs running. My Java code performs a SASL bind with Kerberos (keytab)
> >>> to get some data from AD over LDAP. This takes sometimes minutes to do where weeks ago mere seconds were necessary.
> >>> It seems now we have the double amount of KDCs and this is the problem with JGSS.
> >>>
> >>> I can see that the roundtrips with the KDC like AS-REQ, preauth required, AS-REQ, AS-REP, TGS-REQ, TGS-REP, etc.
> >>> are always preceded by a getKDCFromDNS. A grep and wc -l over my logfile shows 110 roundtrips for KDC lookup. This is insane.
> >>> The request time and payload slow down the entire operation.
> >>>
> >>> Wouldn't it be possible to perform the lookup *once* and then issue all KDC requests to the KDC which is working?
> >>>
> >>> I have to disable the DNS resolution for Java temporarily.
> >>>
> >>> Michael
> >>
> >>
>
>
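An added illustration (not code from the JDK, MIT Kerberos, or the poster) of the "look up once, then keep using the KDC that answers" approach discussed in this thread: the locator caches the SRV answer per realm for a TTL, quarantines entries that do not respond (the stale records mentioned above), and prefers the KDC that last succeeded. The SRV answers, realm name and the `send` transport are constructed stand-ins, not live DNS or Kerberos traffic.

```python
import time

# Constructed SRV answers for _kerberos._tcp.<realm>: (priority, weight, port, target).
SAMPLE_SRV = {
    "EXAMPLE.COM": [
        (0, 100, 88, "kdc1.example.com"),     # stale record: host no longer answers
        (0, 50, 88, "kdc2.example.com"),
        (10, 0, 88, "old-kdc.example.com"),   # backup KDC, lower preference
    ],
}

class KdcLocator:
    """Resolve a realm's KDCs once per TTL and stick to the one that last replied."""
    def __init__(self, resolve, ttl=300.0, dead_ttl=60.0):
        self.resolve, self.ttl, self.dead_ttl = resolve, ttl, dead_ttl
        self.lookups = 0        # number of SRV lookups actually performed
        self._cache = {}        # realm -> (expires_at, ["host:port", ...] by priority)
        self._dead = {}         # "host:port" -> time it last failed
        self._preferred = {}    # realm -> "host:port" that last succeeded

    def candidates(self, realm, now):
        entry = self._cache.get(realm)
        if entry is None or entry[0] <= now:          # miss or expired: query DNS once
            self.lookups += 1
            # Lowest priority first, higher weight first (simplified from RFC 2782's
            # weighted random selection among equal-priority records).
            records = sorted(self.resolve(realm), key=lambda r: (r[0], -r[1]))
            entry = (now + self.ttl, [f"{host}:{port}" for _, _, port, host in records])
            self._cache[realm] = entry
        alive = [k for k in entry[1]
                 if now - self._dead.get(k, float("-inf")) >= self.dead_ttl]
        pref = self._preferred.get(realm)
        if pref in alive:                             # reuse the KDC that worked last
            alive.remove(pref)
            alive.insert(0, pref)
        return alive

    def exchange(self, realm, send, now=None):
        now = time.monotonic() if now is None else now
        for kdc in self.candidates(realm, now):
            try:
                reply = send(kdc)
            except OSError:                           # timeout/refused: quarantine entry
                self._dead[kdc] = now
                continue
            self._preferred[realm] = kdc
            return kdc, reply
        raise RuntimeError(f"no reachable KDC for realm {realm}")

def run_demo(rounds=6):
    """Six AS/TGS-style roundtrips against the constructed realm; returns (lookups, kdcs used)."""
    reachable = {"kdc2.example.com:88", "old-kdc.example.com:88"}
    def send(kdc):  # stand-in for the real UDP/TCP exchange
        if kdc not in reachable:
            raise OSError("timeout")
        return f"KRB-REPLY from {kdc}"
    loc = KdcLocator(lambda realm: SAMPLE_SRV[realm])
    used = [loc.exchange("EXAMPLE.COM", send, now=float(i))[0] for i in range(rounds)]
    return loc.lookups, used
```

With this shape, the six roundtrips of the demo cost a single SRV lookup and the unreachable first record is skipped after one failed attempt, instead of being re-resolved and retried before every message.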