RT/krbdev.mit.edu: Ticket #4114 no mechanism for timing out DNS lookups

The Basics
Id: 4114
Status: new
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: krb5-libs
Tags: enhancement
Version_reported: 1.4.3
Version_Fixed:
Target_Version:

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to: 1453: (Nobody) don't serialize DNS queries and KDC communication [new]
Referred to by:

Dates
Created: Sun Aug 6 18:08:11 2006
Starts: Not set
Started: Not set
Last Contact: Sun Aug 6 18:56:01 2006
Due: Not set
Updated: Mon Aug 4 18:09:29 2014 by tlyu

People
Owner: Nobody
Requestors: eagle@eyrie.org
Cc:
AdminCc:


History
      Sun Aug  6 18:08:12 2006  rra - Ticket created    
     
Subject: no mechanism for timing out DNS lookups

It would be nice to be able to specify a timeout for doing DNS lookups
of, for instance, KDC IP addresses.  Right now, the library just calls
getaddrinfo and takes however long getaddrinfo takes.  When Kerberos
calls are done by a PAM module, this can result in login timeouts rather
than failover to local authentication.

Solving this problem will probably require using an asynchronous DNS
mechanism such as described in RT#1453.


      Sun Aug  6 18:08:16 2006  rra - Ticket 4114 RefersTo ticket 1453.    
      Sun Aug  6 18:55:57 2006  raeburn - Correspondence added    
     
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #4114] no mechanism for timing out DNS lookups 
Date: Sun, 6 Aug 2006 18:55:43 -0400
To: MIT Kerberos RT <rt@krbdev.mit.edu>
RT-Send-Cc: 

On Aug 6, 2006, at 18:08, Russ Allbery <rra@stanford.edu> via RT wrote:
> It would be nice to be able to specify a timeout for doing DNS lookups
> of, for instance, KDC IP addresses.  Right now, the library just calls
> getaddrinfo and takes however long getaddrinfo takes.  When Kerberos
> calls are done by a PAM module, this can result in login timeouts rather
> than failover to local authentication.
>
> Solving this problem will probably require using an asynchronous DNS
> mechanism such as described in RT#1453.

Well, if you get some free time on your hands... :-)

Unfortunately, the current service-location plugin API doesn't give
us the flexibility to do DNS processing and KDC exchanges in parallel
like I discussed in that ticket, but we could still do the DNS
queries in parallel and control the timeout.  Well, that's not
entirely true, but without enhancing the interface between the
send-to-kdc code and the service-location code, it'll be messy.  We
*can* enhance that interface... but we'll still have to support the
current one.

Doing DNS queries directly would bypass any /etc/hosts listing for
the machines in question, probably not desirable.  And I don't know
if anyone really uses other host lookup protocols (nis?) these days...

Ken


      Mon Aug  4 18:09:29 2014  tlyu - Data error added
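
One way to bound the blocking lookup discussed in this ticket while still resolving through getaddrinfo, so /etc/hosts and other host lookup sources keep working. This is an added example, not code from MIT krb5 or from either poster; lookup_with_timeout, resolve_fn, slow_resolver and LOOKUP_TIMEOUT are hypothetical names, and running the lookup in a forked child is an assumption of the example, not the asynchronous mechanism described in RT#1453.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define LOOKUP_TIMEOUT (-1000) /* hypothetical code, chosen outside the EAI_* values */
/* Same shape as getaddrinfo(), so a stand-in resolver can be passed in. */
typedef int (*resolve_fn)(const char *, const char *, const struct addrinfo *,
                          struct addrinfo **);
struct reply { int rc; socklen_t len; struct sockaddr_storage addr; };
/* Constructed stand-in for a resolver stuck on an unresponsive DNS server. */
int slow_resolver(const char *h, const char *p, const struct addrinfo *hi,
                  struct addrinfo **res)
{ (void)h; (void)p; (void)hi; (void)res; sleep(5); return EAI_AGAIN; }
/* Returns 0 and the first address, an EAI_* code from the resolver,
 * LOOKUP_TIMEOUT after timeout_ms, or EAI_SYSTEM on pipe/fork/read failure. */
int lookup_with_timeout(resolve_fn resolve, const char *host, const char *port,
                        int timeout_ms, struct sockaddr_storage *out, socklen_t *outlen)
{
    int fds[2], n, rc;
    struct reply r;
    if (pipe(fds) != 0) return EAI_SYSTEM;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return EAI_SYSTEM; }
    if (pid == 0) {                 /* child: the blocking call lives here */
        struct addrinfo hints = { .ai_socktype = SOCK_DGRAM }, *res = NULL;
        memset(&r, 0, sizeof r);
        r.rc = resolve(host, port, &hints, &res);
        if (r.rc == 0 && res != NULL) {
            r.len = res->ai_addrlen;
            memcpy(&r.addr, res->ai_addr, res->ai_addrlen);
        }
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    n = poll(&p, 1, timeout_ms);    /* the only place the parent waits */
    if (n > 0 && read(fds[0], &r, sizeof r) == (ssize_t)sizeof r) {
        if ((rc = r.rc) == 0) { *out = r.addr; *outlen = r.len; }
    } else {
        rc = (n == 0) ? LOOKUP_TIMEOUT : EAI_SYSTEM;
        kill(pid, SIGKILL);         /* abandon the stuck lookup */
    }
    close(fds[0]);
    waitpid(pid, NULL, 0);          /* reap the child either way */
    return rc;
}
```

Forking from inside a PAM module interacts with the host application's SIGCHLD handling and its own waitpid calls, so the process boundary here illustrates the bound and is not a drop-in patch.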