[Pdns-users] ldap & recursor problem
Bernd Schubert
bernd-schubert at gmx.de
Fri Jun 23 09:55:43 UTC 2006
Hi Norbert,
> > The culprit is the dns query of kerberos together with the result of
> > pdns. Kerberos makes a request
> > "Standard query AAAA FQDN-of-kdc-server-specified-in-krb5.conf"
>
> I suppose Kerberos does by default IPv4 and IPv6 lookups even if you don't
> use IPv6 at all and have no AAAA record in your DNS tree?
Seems to be so. I haven't found an option yet to disable IPv6 for kerberos. As
you guessed, there's no AAAA record in the DNS tree and no IPv6 configuration
at all.
>
> > With a properly working recursor pdns gets the answer from the recursor
> > "Standard Query response, no such name"
> > and sends this answer to the client who did the dns request.
> >
> > Without a recursor, pdns never answers to the client which causes very
> > long kerberos timeouts (so long that one might think it doesn't work at
> > all).
>
> So the real problem is the pdns server which doesn't time out after 5sec
> and doesn't send a SERVFAIL to the client if it gets no answer from the
> recursor. Is this correct?
Yes.
Even better would be if I could configure it to send a SERVFAIL for IPv6
immediately ;) (only a joke).
>
> > A workaround is to set the ip of the kdc servers and not their fqdn.
>
> Seems like we need a bugfix nevertheless.
>
That would be good. Right now I really don't have the time to look into the
sources myself, though.
Cheers,
Bernd
PS: *grumble* I knew that the migration from NIS to LDAP+Kerberos would be
troublesome, but I never guessed I would find so many bugs.
--
Bernd Schubert
PCI / Theoretische Chemie
Universität Heidelberg
INF 229
69120 Heidelberg