From 4a71c06fb0216f5a7625e54ed6947083a63299c9 Mon Sep 17 00:00:00 2001
From: Nathan Hart
Date: Fri, 5 Jun 2026 16:50:24 -0400
Subject: [PATCH] POC levers for deterministic KDC precedence
---
 .../Client/Transport/ClientDomainService.cs | 13 +++++++++----
 Kerberos.NET/Configuration/Krb5ConfigDefaults.cs | 14 ++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/Kerberos.NET/Client/Transport/ClientDomainService.cs b/Kerberos.NET/Client/Transport/ClientDomainService.cs
index 8ba1b3a1..22e8da7a 100644
--- a/Kerberos.NET/Client/Transport/ClientDomainService.cs
+++ b/Kerberos.NET/Client/Transport/ClientDomainService.cs
@@ -71,7 +71,10 @@ public virtual async Task> LocateKdc(string domain, strin
 var results = await this.Query(domain, servicePrefix, DefaultKerberosPort);
 results = ParseQuerySrvReply(results);
-
+if (this.Configuration.Defaults.PrioritizeKdcByConfigurationOrder)
+{
+return results;
+}
 return await WeightResults(results);
 }
@@ -266,7 +269,7 @@ private async Task QueryDns(string domain, string servicePrefix, List
 }
 }
-private static DnsRecord ParseKdcEntryAsSrvRecord(string kdc, string realm, string servicePrefix, int defaultPort)
+private DnsRecord ParseKdcEntryAsSrvRecord(string kdc, string realm, string servicePrefix, int defaultPort)
 {
 if (IsUri(kdc))
 {
@@ -274,7 +277,8 @@ private static DnsRecord ParseKdcEntryAsSrvRecord(string kdc, string realm, stri
 {
 Target = kdc,
 Type = DnsRecordType.SRV,
-Name = realm
+Name = realm,
+TimeToLive = this.Configuration.Defaults.ConfiguredKdcTimeToLive
 };
 }
@@ -284,7 +288,8 @@ private static DnsRecord ParseKdcEntryAsSrvRecord(string kdc, string realm, stri
 {
 Target = split[0],
 Type = DnsRecordType.SRV,
-Name = $"{servicePrefix}.{realm}"
+Name = $"{servicePrefix}.{realm}",
+TimeToLive = this.Configuration.Defaults.ConfiguredKdcTimeToLive
 };
 if (split.Length > 1)
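Review bot: The early return added to LocateKdc makes `PrioritizeKdcByConfigurationOrder` silently override `PrioritizeKdcByPing` (which defaults to true), and nothing in the hunk documents that precedence or establishes that `results` is in configuration order at that point rather than in whatever order `this.Query` and `ParseQuerySrvReply` produced. If `WeightResults` is also what applies SRV priority/weight to DNS-sourced records, skipping it here changes ordering for those too; I cannot tell from the hunk. A comment above the check would make the intent explicit, e.g. `// Configuration order takes precedence over response-time weighting; results are returned exactly as Query/ParseQuerySrvReply produced them.` LocateKdc's body begins before this hunk.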
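Review bot: Both initializers in ParseKdcEntryAsSrvRecord (the hunk at `@@ -274,7 +277,8 @@` and the one at `@@ -284,7 +288,8 @@`) copy `ConfiguredKdcTimeToLive` into `TimeToLive` with no range check, so a negative value from configuration flows straight into the record, and with the property's default of 0 the meaning of a zero TTL for the negative cache is not stated anywhere in this change. I would read and validate the value once before the two initializers, e.g. `var ttl = Math.Max(0, this.Configuration.Defaults.ConfiguredKdcTimeToLive);`, hedged because I cannot see how DnsRecord.TimeToLive is consumed. A one-line comment on the now non-static signature would also help readers, e.g. `// Instance method: the configured TTL is read from this.Configuration.` The rest of the method's body lies outside these hunks.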
diff --git a/Kerberos.NET/Configuration/Krb5ConfigDefaults.cs b/Kerberos.NET/Configuration/Krb5ConfigDefaults.cs
index 056b6b7f..8799d768 100644
--- a/Kerberos.NET/Configuration/Krb5ConfigDefaults.cs
+++ b/Kerberos.NET/Configuration/Krb5ConfigDefaults.cs
@@ -353,5 +353,19 @@ public class Krb5ConfigDefaults : Krb5ConfigObject
 [DefaultValue(true)]
 [DisplayName("prioritize_by_response_time")]
 public bool PrioritizeKdcByPing { get; set; }
+
+///
+/// Indicates whether the client should try to utilze the order of KDCs as they are listed in the configuration when attempting to contact them, rather than trying to ping them first.
+///
+[DefaultValue(false)]
+[DisplayName("prioritize_by_configuration_order")]
+public bool PrioritizeKdcByConfigurationOrder { get; set; }
+
+///
+/// When attempting various KDCs this is how long a given KDC can be listed in the negative cache in seconds.
+///
+[DefaultValue(0)]
+[DisplayName("configured_kdc_time_to_live")]
+public int ConfiguredKdcTimeToLive { get; set; }
 }
 }
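Review bot: The summary on `PrioritizeKdcByConfigurationOrder` has a typo (`utilze`) and does not say how the option interacts with `PrioritizeKdcByPing`, which defaults to true; from the accompanying LocateKdc change configuration order appears to win when both are set, and that precedence belongs in the doc comment. The `ConfiguredKdcTimeToLive` summary should state what the default of 0 means for the negative cache and that the value is expected to be non-negative, since nothing in this change validates it, e.g. `/// Number of seconds a configured KDC may remain in the negative cache after a failed contact attempt; must be non-negative. 0 means [state the zero-TTL behaviour here].` Both summaries read as `///` lines in this rendering, so confirm the `<summary>` tags survived in the actual source.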