[Pdns-users] ldap & recursor problem

Bernd Schubert bernd-schubert at gmx.de
Fri Jun 23 09:55:43 UTC 2006

Hi Norbert,

> > The culprit is the dns query of kerberos together with the result of
> > pdns. Kerberos makes a request
> > "Standard query AAAA FQDN-of-kdc-server-specified-in-krb5.conf"
> I suppose Kerberos does by default IPv4 and IPv6 lookups even if you don't
> use IPv6 at all and have no AAAA record in your DNS tree?

Seems to be so. I haven't found an option yet to disable IPv6 for kerberos. As
you guessed, there's no AAAA record in the DNS tree and no IPv6 configuration
at all.

> > With a properly working recursor pdns gets the answer from the recursor
> >  "Standard Query response, no such name"
> > and sends this answer to the client who did the dns request.
> >
> > Without a recursor, pdns never answers to the client which causes very
> > long kerberos timeouts (so long that one might think it doesn't work at
> > all).
> So the real problem is the pdns server which doesn't time out after 5sec
> and doesn't send a SERVFAIL to the client if it gets no answer from the
> recursor. Is this correct?

Even better would be if I could configure it to send a SERVFAIL for IPv6 
immediately ;) (only a joke).

> > A workaround is to set the ip of the kdc servers and not their fqdn.
> Seems like we need a bugfix nevertheless.

That would be good. Right now I really don't have the time to look into the 
sources myself, though.


PS: *grumble* I knew that the migration from NIS to LDAP+Kerberos would be 
troublesome, but I never guessed I would find so many bugs. 

Bernd Schubert
PCI / Theoretische Chemie
Universität Heidelberg
INF 229
69120 Heidelberg
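The exchange described in the thread, as an added illustration that is not part of the original mail or of PowerDNS: a client sends the same kind of query the Kerberos library sends (one AAAA question for the KDC's FQDN, recursion desired) and then either receives an immediate "no such name" (NXDOMAIN, rcode 3) or waits out a timeout because the server never replies. The two fake servers on 127.0.0.1, the hostname kdc.example.com and the 0.5 s timeout are constructed for the demo; real Kerberos timeouts are much longer, which is exactly why the silent-server case hurts.

```python
"""Minimal DNS wire-format helpers plus two constructed fake servers: one that
answers NXDOMAIN (pdns with a working recursor) and one that never answers
(pdns without a recursor), so the client-side timeout behaviour is visible."""
import socket
import struct
import threading

QTYPE_AAAA = 28
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode a dotted FQDN into DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_AAAA, txid=0x1234):
    """Build the query a Kerberos client sends: one AAAA question, RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, rcode):
    """Answer-less response to `query` carrying `rcode` (3 = NXDOMAIN, 2 = SERVFAIL).
    QR and RA are set, RD is copied, the question section is echoed back."""
    txid, flags = struct.unpack("!HH", query[:4])
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:]


def classify_response(resp, expected_txid):
    """Name the rcode of a response, rejecting packets that do not match our query."""
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != expected_txid:
        return "TXID_MISMATCH"
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"
    rcode = flags & 0x0F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def query_with_timeout(query, server, timeout):
    """Send one UDP query; return the rcode name, or "TIMEOUT" if the server stays silent."""
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
    return classify_response(data, txid)


def start_fake_server(rcode):
    """Constructed stand-in on 127.0.0.1: replies to every query with `rcode`,
    or (rcode is None) swallows queries without replying. Returns (host, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                q, peer = sock.recvfrom(512)
            except OSError:
                return
            if rcode is not None:
                sock.sendto(build_response(q, rcode), peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()


def demo(timeout=0.5):
    """Run the same AAAA query against both fake servers and report what the client sees."""
    name = "kdc.example.com."  # constructed FQDN standing in for the KDC named in krb5.conf
    q = build_query(name)
    answering = start_fake_server(3)   # like pdns with a working recursor: immediate NXDOMAIN
    silent = start_fake_server(None)   # like pdns with no recursor: never answers
    return {
        "with_recursor": query_with_timeout(q, answering, timeout),
        "without_recursor": query_with_timeout(q, silent, timeout),
    }


if __name__ == "__main__":
    print(demo())
```

The useful check for a defender is the second dictionary entry: a client-side timeout, rather than an NXDOMAIN or SERVFAIL, is what turns a harmless missing AAAA record into a stalled Kerberos login, so a monitoring probe for an authoritative server should alert on silence, not only on error rcodes.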

