On Mon, 20 Apr 2026 14:47:22 GMT, Weijun Wang <[email protected]> wrote:

>> In DNS-based KDC discovery, failures are exposed as a generic 'KrbException: 
>> Cannot locate KDC / Unable to locate KDC for realm <REALM>' with no 
>> indication whether the underlying DNS SRV lookup failed due to NXDOMAIN, 
>> SERVFAIL, or a communication timeout.
>> 
>> To improve supportability, this patch updates 
>> `KrbServiceLocator.getKerberosService(realm, protocol)` to rethrow the 
>> original JNDI NamingException from the SRV lookup and attach a sanitized 
>> failure category to the existing KrbException when both udp and tcp 
>> discovery attempts fail, while preserving the original top level exception 
>> message. `Config.getKDCFromDNS()` is updated to catch the exception, sanitize it 
>> into the relevant category to prevent leaking any sensitive information, and 
>> attach it to the existing KrbException.
>> 
>> 
>> ---------
>> - [x] I confirm that I make this contribution in accordance with the 
>> [OpenJDK Interim AI Policy](https://openjdk.org/legal/ai).
>
> src/java.security.jgss/share/classes/sun/security/krb5/Config.java line 1418:
> 
>> 1416: 
>> 1417:             // add sanitized DNS discovery mode failure to exception
>> 1418:             Exception last = (tcpNE != null) ? tcpNE : udpNE;
> 
> Why ignore `udpNE` when `tcpNE` is not null?

I just reported the final attempt as the first would most likely be the same 
but maybe better to attach both. Would something like this work?


        if (srvs == null) {
            KrbException ke = new KrbException(Krb5.KRB_ERR_GENERIC,
                "Unable to locate KDC for realm " + realm);

            if (DEBUG != null) {
                Exception lastEx = (tcpNE != null) ? tcpNE : udpNE;
                Exception firstEx = (lastEx == tcpNE) ? udpNE : tcpNE;

                String sanitizedLast = sanitizeFailure(lastEx);
                if (sanitizedLast != null) {
                    ke.initCause(new KrbException(Krb5.KRB_ERR_GENERIC,
                            "DNS SRV lookup failed: " + sanitizedLast));
                }
                String sanitizedFirst = sanitizeFailure(firstEx);
                if (sanitizedFirst != null) {
                    ke.addSuppressed(new KrbException(Krb5.KRB_ERR_GENERIC,
                            "DNS SRV lookup failed: " + sanitizedFirst));
                }
            }
            throw ke;
        }

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30824#discussion_r3112472154
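The shape discussed in this thread (sanitize the JNDI failure into a coarse category, attach the last attempt as the cause and the first attempt as a suppressed exception, keep the top-level message unchanged) as a stand-alone added example. This is not code from the PR or from OpenJDK: `DemoKrbException` is a hypothetical stand-in for `sun.security.krb5.KrbException`, and the mapping from JNDI exception types to NXDOMAIN / SERVFAIL / communication-failure categories is an assumption about how the JNDI DNS provider reports those conditions, not something the thread confirms.

```java
import javax.naming.CommunicationException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.ServiceUnavailableException;

public final class KdcDiscoveryFailureDemo {

    // Hypothetical stand-in for sun.security.krb5.KrbException (added for this example).
    static final class DemoKrbException extends Exception {
        final int code;
        DemoKrbException(int code, String msg) { super(msg); this.code = code; }
    }

    // RFC 4120 KRB_ERR_GENERIC value, used here in place of Krb5.KRB_ERR_GENERIC.
    static final int KRB_ERR_GENERIC = 60;

    // Reduce a lookup failure to a category. The exception's own message is never
    // copied: the DNS provider may embed the queried name or the server address in it.
    // Type-to-category mapping is an assumption about com.sun.jndi.dns behaviour
    // (NXDOMAIN -> NameNotFoundException, SERVFAIL -> ServiceUnavailableException,
    // no answer / timeout -> CommunicationException).
    static String sanitizeFailure(Exception e) {
        if (e == null) return null;
        if (e instanceof NameNotFoundException) return "NXDOMAIN";
        if (e instanceof ServiceUnavailableException) return "SERVFAIL";
        if (e instanceof CommunicationException) return "COMMUNICATION_FAILURE";
        if (e instanceof NamingException) return "NAMING_FAILURE";
        return "UNEXPECTED";
    }

    // Build the top-level exception the same way the reply proposes: the last
    // attempt (tcp if it ran, else udp) becomes the cause, the earlier attempt is
    // added as suppressed, and nothing is attached unless debug output is enabled.
    static DemoKrbException discoveryFailure(String realm, NamingException udpNE,
                                             NamingException tcpNE, boolean debug) {
        DemoKrbException ke = new DemoKrbException(KRB_ERR_GENERIC,
                "Unable to locate KDC for realm " + realm);
        if (debug) {
            Exception lastEx = (tcpNE != null) ? tcpNE : udpNE;
            Exception firstEx = (lastEx == tcpNE) ? udpNE : tcpNE;

            String sanitizedLast = sanitizeFailure(lastEx);
            if (sanitizedLast != null) {
                ke.initCause(new DemoKrbException(KRB_ERR_GENERIC,
                        "DNS SRV lookup failed: " + sanitizedLast));
            }
            String sanitizedFirst = sanitizeFailure(firstEx);
            if (sanitizedFirst != null) {
                ke.addSuppressed(new DemoKrbException(KRB_ERR_GENERIC,
                        "DNS SRV lookup failed: " + sanitizedFirst));
            }
        }
        return ke;
    }

    // Render message, cause and suppressed entries as one line, the way the
    // categories would appear in a debug log read during a support case.
    static String describe(DemoKrbException ke) {
        StringBuilder sb = new StringBuilder(ke.getMessage());
        if (ke.getCause() != null) {
            sb.append(" | cause: ").append(ke.getCause().getMessage());
        }
        for (Throwable s : ke.getSuppressed()) {
            sb.append(" | suppressed: ").append(s.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed failures; their messages carry details that must not reach the log.
        NamingException udp = new CommunicationException("DNS error: no response from 10.0.0.53");
        NamingException tcp = new NameNotFoundException("_kerberos._tcp.EXAMPLE.COM: name not found");

        // Both transports failed: tcp is the cause, udp is suppressed.
        String both = describe(discoveryFailure("EXAMPLE.COM", udp, tcp, true));
        System.out.println(both);

        // Only udp ran (tcp never attempted): udp becomes the cause, nothing suppressed.
        String udpOnly = describe(discoveryFailure("EXAMPLE.COM", udp, null, true));
        System.out.println(udpOnly);

        // Debug off: the top-level message is all that is produced.
        System.out.println(describe(discoveryFailure("EXAMPLE.COM", udp, tcp, false)));

        // Self-check that the raw server address and query name were not copied through.
        if (both.contains("10.0.0.53") || both.contains("_kerberos._tcp")) {
            throw new AssertionError("raw DNS detail leaked into the sanitized chain");
        }
    }
}
```

Compile and run with `javac KdcDiscoveryFailureDemo.java && java KdcDiscoveryFailureDemo`. The point of keeping `sanitizeFailure` type-based rather than message-based is that the category is stable across DNS provider versions and cannot carry resolver addresses or query names, while `initCause` plus `addSuppressed` preserves the order of the two attempts without changing the message existing callers match on.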
