[
https://issues.apache.org/jira/browse/ZOOKEEPER-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ravi Bhardwaj updated ZOOKEEPER-3860:
-------------------------------------
Summary: Avoid reverse DNS lookup for hostname verification when hostnames
are provided in the connection url (was: Avoid DNS reverse lookup for hostname
verification when hostnames are provided in the connection url)
> Avoid reverse DNS lookup for hostname verification when hostnames are
> provided in the connection url
> ----------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-3860
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
> Project: ZooKeeper
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.5.7
> Reporter: Ravi Bhardwaj
> Priority: Major
>
> In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify
> the hostname using the IP first and then performs a reverse DNS lookup.
> This could be a problem when the IP address cannot be resolved to the hostname
> added in the DN/SAN.
> The functionality can be improved by matching the hostname provided in the
> connection url against the DN/SAN. If that cannot be matched, try to match the
> IP address. If that fails, then perform a reverse DNS lookup.
> An alternative approach could be to match only the hostname against the DN/SAN
> when a hostname is provided in the connection url.
> If an IP address is provided, then check with the IP address first. If that
> fails, perform a reverse DNS lookup and match the hostname returned against
> the DN/SAN.
>
> [1]
> https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
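
The check order proposed in the issue, as an added Java example (not ZooKeeper's ZKTrustManager code and not part of the original message). The class and method names, the `hostnameOnly` flag that selects the alternative approach, the injected reverse-lookup function and the sample SAN data are all assumptions made up for illustration.

```java
import java.net.InetAddress;
import java.util.Set;
import java.util.function.Function;

public class ProposedHostCheckOrder {

    // Crude literal test for this sketch: IPv4 dotted quad, or anything containing ':' (IPv6).
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // Case-insensitive DNS match; a SAN of the form *.example.com covers exactly one extra label.
    static boolean matchesDns(String name, Set<String> sanDns) {
        String n = name.toLowerCase();
        for (String san : sanDns) {
            String s = san.toLowerCase();
            if (s.equals(n)) return true;
            int dot = n.indexOf('.');
            if (s.startsWith("*.") && dot > 0 && s.substring(1).equals(n.substring(dot))) return true;
        }
        return false;
    }

    // Returns which identity matched the certificate, or null if verification fails.
    // connectHost is the host exactly as written in the connection url.
    static String verify(String connectHost, InetAddress peer, Set<String> sanDns,
                         Set<String> sanIps, boolean hostnameOnly,
                         Function<InetAddress, String> reverseLookup) {
        boolean byName = !isIpLiteral(connectHost);
        if (byName && matchesDns(connectHost, sanDns)) return "connection-url hostname";
        if (byName && hostnameOnly) return null;            // alternative approach: no fallback
        if (sanIps.contains(peer.getHostAddress())) return "ip address";
        String ptr = reverseLookup.apply(peer);              // reverse DNS only as a last resort
        return (ptr != null && matchesDns(ptr, sanDns)) ? "reverse DNS name" : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: the peer's PTR name is not the name in the certificate.
        InetAddress peer = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});
        Set<String> sanDns = Set.of("zk1.example.com");
        Set<String> sanIps = Set.of();
        Function<InetAddress, String> ptr = a -> "ip-10-0-0-5.internal";

        System.out.println(verify("zk1.example.com", peer, sanDns, sanIps, false, ptr));
        System.out.println(verify("10.0.0.5", peer, sanDns, sanIps, false, ptr));
        System.out.println(verify("zk2.example.com", peer, sanDns, sanIps, true, ptr));
    }
}
```

Only the first call succeeds: the hostname from the connection url matches the SAN without any DNS query, while the IP-only connection fails because neither the address nor its reverse name appears in the certificate.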