In DNS-based KDC discovery, failures are exposed as a generic 'KrbException: 
Cannot locate KDC / Unable to locate KDC for realm <REALM>' with no indication 
whether the underlying DNS SRV lookup failed due to NXDOMAIN, SERVFAIL, or a 
communication timeout.

To improve supportability, this patch updates 
`KrbServiceLocator.getKerberosService(realm, protocol)` to rethrow the original 
JNDI NamingException from the SRV lookup and attach a sanitized failure 
category to the existing KrbException when both udp and tcp discovery attempts 
fail, while preserving the original top level exception message. 
`Config.getKDCFromDNS()` is updated to catch the exception, sanitize it into the 
relevant category to prevent leaking any sensitive information, and attach it to 
the existing KrbException.


---------
- [x] I confirm that I make this contribution in accordance with the [OpenJDK 
Interim AI Policy](https://openjdk.org/legal/ai).

-------------

Commit messages:
 - comments
 - addtest
 - corrections
 - cause with sanitization

Changes: https://git.openjdk.org/jdk/pull/30824/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=30824&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8382403
  Stats: 138 lines in 5 files changed: 131 ins; 2 del; 5 mod
  Patch: https://git.openjdk.org/jdk/pull/30824.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/30824/head:pull/30824

PR: https://git.openjdk.org/jdk/pull/30824
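
The sanitization described in the message above, sketched as an added example; it is not code from the pull request. The class, enum and method names are hypothetical, a plain `Exception` stands in for `KrbException`, and the type-to-category mapping assumes the JDK JNDI DNS provider's usual behaviour (`NameNotFoundException` for NXDOMAIN, `ServiceUnavailableException` for SERVFAIL, `CommunicationException` for timeouts and I/O errors).

```java
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;

// Added illustration only: every name in this class is hypothetical.
public class DnsFailureSanitizer {

    enum Category { NXDOMAIN, SERVFAIL, TIMEOUT_OR_IO, OTHER }

    // Classify by exception type alone. The message, remaining name and root
    // cause are never read, because they can carry resolver addresses or
    // internal host names.
    static Category classify(NamingException e) {
        if (e instanceof NameNotFoundException) return Category.NXDOMAIN;
        if (e instanceof ServiceUnavailableException) return Category.SERVFAIL;
        if (e instanceof CommunicationException) return Category.TIMEOUT_OR_IO;
        return Category.OTHER;
    }

    // Keep the top-level message unchanged and attach a cause that carries
    // only the category, not the original exception object.
    static Exception wrap(String realm, NamingException raw) {
        Exception top = new Exception("Unable to locate KDC for realm " + realm);
        top.initCause(new Exception("DNS SRV lookup failed: " + classify(raw)));
        return top;
    }

    public static void main(String[] args) {
        // Constructed sample failures; the message texts are made up.
        NamingException[] samples = {
            new NameNotFoundException("DNS name not found: _kerberos._udp.internal.example"),
            new ServiceUnavailableException("DNS server failure at 10.0.0.53"),
            new CommunicationException("DNS error: timed out contacting 10.0.0.53"),
            new NamingException("unexpected DNS response")
        };
        for (NamingException raw : samples) {
            Exception e = wrap("EXAMPLE.COM", raw);
            String cause = e.getCause().getMessage();
            // The sanitized cause must not echo any part of the raw message.
            if (cause.contains("10.0.0.53") || cause.contains("internal.example")) {
                throw new AssertionError("raw detail leaked: " + cause);
            }
            System.out.println(e.getMessage() + " <- " + cause);
        }
    }
}
```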
