I disagree. 

While you are technically correct, in my experience most SAs know very well 
what services are provided and where, but don’t know enough about DNS to know 
what a RR is. For that level of knowledge, having /etc/hosts take precedence is 
exactly the “least surprise” behavior.

> On Jul 26, 2017, at 11:25 AM, Thor Lancelot Simon <t...@panix.com> wrote:
> 
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> 
>> Right, the point is not that you can't override with /etc/krb5.conf, the
>> point is that /etc/hosts normally overrides everything without having to
>> hunt down software-specific configuration files.
> 
> But in this case /etc/hosts clearly *can't* "override everything".  It
> cannot override the SRV records that are used to find the KDC via DNS,
> because there is no syntax to express a SRV record in /etc/hosts; and
> because of that, it is *a priori impossible* to know what hostname
> you would have to "override" in /etc/hosts (were that supported) to
> redirect Kerberos queries for a given realm to a particular IP address.
> 
> You can't even know whether DNS is used to look up the KDC or not without
> looking at krb5.conf.
> 
> Despite the expectation which seems reasonable at first glance that
> /etc/hosts could correctly be used to override a KDC in this way, in
> fact it works only in a few special cases - the ones where DNS is
> in use to find the KDC via SRV record *and* you can be 100% certain
> that SRV record won't change.  Not so useful.
> 
> Rather than relying on this, if you want to hardcode your KDC address,
> far better to turn off DNS lookup of the KDC, use krb5.conf, and be
> entirely manual and predictable, instead of half-manual, half-predictable,
> and half...donkeyed.
> 
> Thor

Personal email.  hbh...@oxy.edu
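A krb5.conf fragment showing the fully manual KDC setup Thor recommends, added here as an example and not part of the thread; the realm EXAMPLE.COM and the KDC hostnames are constructed placeholders, and the option names are MIT krb5's.

```ini
# Added example, not from the original messages. Realm and hostnames are
# constructed placeholders.
#
# The DNS-reliant form the thread warns about has no kdc= lines under
# [realms] and leaves dns_lookup_kdc enabled: libkrb5 then asks DNS for
# _kerberos._udp.EXAMPLE.COM (SRV) to find the KDC, and nothing written in
# /etc/hosts can supply or replace that SRV answer.
#
# The fully manual form below turns SRV discovery off and lists the KDCs
# explicitly, so the hosts that will be contacted can be read from this
# file alone.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not consult SRV records to locate KDCs for a realm.
    dns_lookup_kdc = false
    # Do not consult TXT records to map hostnames to realms either.
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # Explicit KDC list; host:port. Each hostname is resolved through the
        # normal system resolver, so an /etc/hosts entry for kdc1.example.com
        # now does apply, which it could not for the SRV-discovered case.
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```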