getKDCFromDNS called too often

Wang Weijun weijun.wang at oracle.com
Tue Jul 29 09:50:51 UTC 2014


I guess we can cache the result and remove invalid ones, and probably requery when all are removed.

https://bugs.openjdk.java.net/browse/JDK-8052412 filed.

You said you are having double the number of KDCs now, so I guess the DNS response could also double. How come the time spent changed from "mere seconds" to minutes? Is there any other change?

Thanks
Max

On Jul 29, 2014, at 17:42, Michael Osipov <1983-01-06 at gmx.net> wrote:

> 
>> I understand your problem. Will see what we can do. When you say "Wouldn't it be possible to perform the lookup *once* and then issue all KDC requests to the KDC which is working?" do you mean the DNS query result could contain KDCs which do not work? Is this common?
> 
> It can contain invalid entries. Slave DNS servers aren't up to date or a KDC has been dismantled but stale records exist.
> 
>> Guess there is no need for log file, I know we don't cache the result of that method.
> 
> Yes, the caching is vital if the response is big. It consumes too much time.
> 
> I have retried that with MIT Kerberos 1.12.1 on that machine with gss-client. Turned on DNS resolution and
> KRB5_TRACE. It does several SRV lookups but far fewer than JGSS and it is extremely fast. I have a TGT and service ticket
> in seconds.
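The caching scheme proposed above (cache the DNS result per realm, drop a KDC once it fails to answer, and re-query DNS only when every cached entry has been dropped), as an added Python model that is not part of this thread or of the JDK code. The SRV lookup and the `send` probe are stand-ins, and the realm and hostnames are constructed.

```python
from typing import Callable, Dict, List, Optional

# Stand-in for the SRV lookup (_kerberos._udp.<realm>); the real one would hit DNS.
LookupFn = Callable[[str], List[str]]

class KdcCache:
    """Per-realm cache of the KDC list returned by DNS. A KDC that does not
    answer is dropped; DNS is queried again only once the list is empty."""

    def __init__(self, lookup: LookupFn) -> None:
        self._lookup = lookup
        self._kdcs: Dict[str, List[str]] = {}
        self.dns_queries = 0  # how many times the SRV lookup actually ran

    def kdcs_for(self, realm: str) -> List[str]:
        cached = self._kdcs.get(realm)
        if not cached:  # never queried, or every entry has been invalidated
            self.dns_queries += 1
            cached = list(self._lookup(realm))
            self._kdcs[realm] = cached
        return cached

    def invalidate(self, realm: str, kdc: str) -> None:
        entries = self._kdcs.get(realm, [])
        if kdc in entries:
            entries.remove(kdc)

    def request(self, realm: str, send: Callable[[str], bool]) -> Optional[str]:
        """Send to the cached KDCs in order; return the first one that answers."""
        for kdc in list(self.kdcs_for(realm)):  # copy: the list is mutated below
            if send(kdc):
                return kdc
            self.invalidate(realm, kdc)
        return None

# Constructed sample data: one realm whose DNS still carries a stale SRV record.
SAMPLE_SRV = {"EXAMPLE.COM": ["kdc1.example.com:88", "kdc2.example.com:88",
                              "old-kdc.example.com:88"]}

def demo() -> dict:
    reachable = {"kdc2.example.com:88"}  # kdc1 is down, old-kdc was dismantled
    cache = KdcCache(lambda realm: SAMPLE_SRV[realm])
    def send(kdc: str) -> bool:          # stand-in for an AS/TGS exchange
        return kdc in reachable
    first = cache.request("EXAMPLE.COM", send)   # kdc1 fails and is dropped
    second = cache.request("EXAMPLE.COM", send)  # served from cache, no DNS
    queries_after_two = cache.dns_queries
    reachable.clear()                            # now nothing answers
    third = cache.request("EXAMPLE.COM", send)   # list emptied, returns None
    reachable.add("kdc1.example.com:88")         # kdc1 comes back
    fourth = cache.request("EXAMPLE.COM", send)  # empty list forces a re-query
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "queries_after_two": queries_after_two, "queries_total": cache.dns_queries}
```

Running `demo()` shows two DNS queries for four requests: one up front and one only after every cached KDC had been invalidated.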