Posted to dev@zookeeper.apache.org by "Ravi Bhardwaj (Jira)" <ji...@apache.org> on 2020/06/12 00:50:00 UTC

[jira] [Created] (ZOOKEEPER-3860) Avoid DNS reverse lookup for hostname verification when hostnames are provided in the connection url

Ravi Bhardwaj created ZOOKEEPER-3860:
----------------------------------------

             Summary: Avoid DNS reverse lookup for hostname verification when hostnames are provided in the connection url
                 Key: ZOOKEEPER-3860
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
             Project: ZooKeeper
          Issue Type: Improvement
          Components: security
    Affects Versions: 3.5.7
            Reporter: Ravi Bhardwaj


In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify the hostname using the IP address first and then performs a reverse DNS lookup.

This is a problem when the IP address cannot be resolved to the hostname listed in the certificate's DN/SAN.

The functionality can be improved by matching the hostname provided in the connection url against the DN/SAN. If that cannot be matched, try to match the IP address. If that fails, perform a reverse DNS lookup.

An alternative approach could be to match only the hostname against the DN/SAN when a hostname is provided in the connection url.

If an IP address is provided, check the IP address first. If that fails, perform a reverse DNS lookup and match the hostname returned against the DN/SAN.
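The two verification orders above, modelled side by side as an added example (this is not ZooKeeper's ZKTrustManager code). It assumes the peer certificate is available in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and it injects reverse DNS as a callable backed by a constructed PTR table so that it runs offline; the certificate, hostnames and addresses are all constructed. `verify_current_order` consults only the socket's peer IP and reverse DNS, which is the order the issue describes as current; `verify_proposed_order` consults the hostname from the connection string first, with `hostname_only` selecting between the first proposal (fall through to IP and reverse DNS) and the alternative (hostname endpoints must match the DN/SAN outright).

```python
"""Model of the hostname-verification orders discussed in ZOOKEEPER-3860.

Added example, not ZooKeeper's ZKTrustManager. The certificate is in the dict
shape that Python's ssl.SSLSocket.getpeercert() returns, and reverse DNS is
injected as a callable so everything runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

ReverseLookup = Callable[[str], Optional[str]]

# Constructed certificate for a fictitious ZooKeeper server (not a real cert).
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "zk1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "zk1.example.internal"),
        ("DNS", "*.zk.example.internal"),
        ("IP Address", "10.0.0.11"),
    ),
}

# Constructed PTR table standing in for the resolver. 10.0.0.12 deliberately
# has no PTR record: that is the case the issue is about.
SAMPLE_PTR: Dict[str, str] = {
    "10.0.0.11": "zk1.example.internal",
    "10.0.0.13": "zk1.example.internal",
}


def sample_reverse_lookup(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def san_dns_names(cert: Dict) -> List[str]:
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def san_ips(cert: Dict) -> List[str]:
    return [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]


def dn_common_names(cert: Dict) -> List[str]:
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: Dict) -> bool:
    """Match against SAN DNS entries; the DN's CN is consulted only when the SAN has none."""
    candidates = san_dns_names(cert) or dn_common_names(cert)
    return any(_dns_match(p, hostname) for p in candidates)


def ip_matches(ip: str, cert: Dict) -> bool:
    if not is_ip_literal(ip):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr == ipaddress.ip_address(s) for s in san_ips(cert))


def verify_current_order(peer_ip: str, cert: Dict, reverse_lookup: ReverseLookup) -> Tuple[bool, str]:
    """Order the issue describes as current: peer IP against SAN first, then the
    reverse-DNS name against SAN/DN. The connection-string hostname is never used."""
    if ip_matches(peer_ip, cert):
        return True, "san ip"
    rdns = reverse_lookup(peer_ip)
    if rdns and hostname_matches(rdns, cert):
        return True, "reverse dns"
    return False, "no match"


def verify_proposed_order(endpoint: str, peer_ip: str, cert: Dict,
                          reverse_lookup: ReverseLookup, hostname_only: bool = True) -> Tuple[bool, str]:
    """Proposed order. `endpoint` is the host part of the connection string (hostname or IP
    literal) and `peer_ip` the socket's remote address. With hostname_only=True (the issue's
    alternative approach) a hostname endpoint must appear in SAN/DN; with False (the first
    approach) a failed hostname match falls through to the IP and reverse-DNS checks."""
    if not is_ip_literal(endpoint):
        if hostname_matches(endpoint, cert):
            return True, "san/dn hostname"
        if hostname_only:
            return False, "hostname not in san/dn"
    return verify_current_order(peer_ip, cert, reverse_lookup)


if __name__ == "__main__":
    for endpoint, peer_ip in [("zk1.example.internal", "10.0.0.12"), ("10.0.0.12", "10.0.0.12")]:
        print(endpoint, peer_ip,
              "current:", verify_current_order(peer_ip, SAMPLE_CERT, sample_reverse_lookup),
              "proposed:", verify_proposed_order(endpoint, peer_ip, SAMPLE_CERT, sample_reverse_lookup))
```

Running the script shows the motivating case: connecting to `zk1.example.internal` at 10.0.0.12, whose address is neither in the SAN nor reverse-resolvable, fails under the current order and succeeds under the proposed one because the name the client actually dialled is checked against the certificate.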


[1] https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)