Viktor Dukhovni <> writes:

> The problem is that we don't get:

>       1. Look up name from SRV in /etc/hosts, return address(es) if found
>       2. Look up same name in DNS, return address(es) if found

> instead, in step 2, we may get undesirable, incorrect and/or costly
> interactions with the stub resolver's domain search list.  The name in
> the SRV record is an FQDN and MUST NOT be subject to RES_DEFNAMES or
> RES_DNSRCH.  The getaddrinfo(3) API provides no means to signal that a
> name should not be subjected to the DNS search list.

Ah!  Thank you.  That helps me understand the problem you're trying to

How often does this actually come up, though?  My understanding of how
domain search works is that the record returned by the SRV record would
have to not exist *and* some record formed by appending the local domain
to the name would have to exist.  That seems *extremely* unlikely,
although I guess the latter could match local wildcard entries if someone
was doing something weird.

> Furthermore, if a domain's KDC list is not locally administered, and
> you're delegating the KDC names to remotely administered DNS, local
> overrides of the address resolution are no less costly than just putting
> override kdcs in the [realms] section.  Indeed the latter is much less
> fragile.

Right, the point is not that you can't override with /etc/krb5.conf, the
point is that /etc/hosts normally overrides everything without having to
hunt down software-specific configuration files.

Russ Allbery (              <>

Reply via email to