Posted to dev@zookeeper.apache.org by "Ravi Bhardwaj (Jira)" <ji...@apache.org> on 2020/06/12 00:50:00 UTC
[jira] [Created] (ZOOKEEPER-3860) Avoid DNS reverse lookup for hostname verification when hostnames are provided in the connection url
Ravi Bhardwaj created ZOOKEEPER-3860:
----------------------------------------
Summary: Avoid DNS reverse lookup for hostname verification when hostnames are provided in the connection url
Key: ZOOKEEPER-3860
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
Project: ZooKeeper
Issue Type: Improvement
Components: security
Affects Versions: 3.5.7
Reporter: Ravi Bhardwaj
In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify the hostname using the IP address first and then performs a reverse DNS lookup.
This could be a problem when the IP address cannot be resolved to the hostname listed in the certificate's DN/SAN.
The functionality can be improved by matching the hostname provided in the connection URL against the DN/SAN. If that cannot be matched, try to match the IP address. If that fails, then perform a reverse DNS lookup.
An alternative approach could be to match only the hostname against the DN/SAN when a hostname is provided in the connection URL.
If an IP address is provided, then check the IP address first. If that fails, perform a reverse DNS lookup and match the hostname returned against the DN/SAN.
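The three matching orders described above (the current IP-then-reverse-DNS order, the proposed hostname-then-IP-then-reverse-DNS order, and the alternative), modelled as an added example in Python that is not ZooKeeper's or ZKTrustManager's code. The certificate identity and the reverse-DNS table are constructed, and `verify_current`, `verify_proposed` and `verify_alternative` are hypothetical names.

```python
import ipaddress
from typing import Callable, Optional

# Constructed server certificate identity: a CN and DNS SANs but no IP SAN,
# which is the common case that makes an IP-first check fail.
SAMPLE_CERT = {"cn": "zk1.internal.example",
               "san_dns": ["zk1.internal.example", "*.cluster.example"],
               "san_ip": []}

# Constructed reverse-DNS table standing in for a PTR lookup: the peer IP
# resolves to a provider name that is not in the certificate at all.
REVERSE_DNS = {"10.0.0.5": "ip-10-0-0-5.provider.example"}

def reverse_lookup(ip: str) -> Optional[str]:
    return REVERSE_DNS.get(ip)

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_name_matches(name: str, pattern: str) -> bool:
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return name == pattern
    suffix = pattern[1:]  # a wildcard covers exactly one leftmost label
    return (name.endswith(suffix) and len(name) > len(suffix)
            and "." not in name[:-len(suffix)])

def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    # The CN is only consulted when the certificate carries no DNS SANs.
    names = cert["san_dns"] or [cert["cn"]]
    return any(_dns_name_matches(hostname, p) for p in names)

def ip_matches_cert(ip: str, cert: dict) -> bool:
    return any(ipaddress.ip_address(ip) == ipaddress.ip_address(s) for s in cert["san_ip"])

def _reverse_then_match(ip: str, cert: dict, lookup: Callable[[str], Optional[str]]) -> bool:
    name = lookup(ip)
    return name is not None and hostname_matches_cert(name, cert)

def verify_current(peer_ip: str, cert: dict, lookup) -> bool:
    # Current order: peer IP first, then the reverse-DNS name; the connect-string host is unused.
    return ip_matches_cert(peer_ip, cert) or _reverse_then_match(peer_ip, cert, lookup)

def verify_proposed(connect_host: str, peer_ip: str, cert: dict, lookup) -> bool:
    # Proposed order: connect-string hostname, then peer IP, then reverse DNS.
    if not _is_ip(connect_host) and hostname_matches_cert(connect_host, cert):
        return True
    return verify_current(peer_ip, cert, lookup)

def verify_alternative(connect_host: str, peer_ip: str, cert: dict, lookup) -> bool:
    # Alternative: a hostname is matched only as a hostname; an IP is matched as IP, then reverse DNS.
    if not _is_ip(connect_host):
        return hostname_matches_cert(connect_host, cert)
    return ip_matches_cert(connect_host, cert) or _reverse_then_match(connect_host, cert, lookup)
```

With the constructed certificate, `verify_current` rejects the peer while both proposed orders accept a connection string naming `zk1.internal.example`, which is the behaviour change the issue asks for.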
[1] https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)