[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17730609#comment-17730609
 ] 

Andor Molnar edited comment on ZOOKEEPER-3860 at 6/8/23 3:19 PM:
-----------------------------------------------------------------

{quote}In the current implementation of ZKTrustManager [1], ZooKeeper tries to 
verify the hostname using the IP first and then performs a reverse DNS lookup.
{quote}
[~ravi.bhardwaj] 

Are you sure this is still the case?

I think ZooKeeper tries a reverse DNS lookup if the hostname is not available for 
some reason (e.g. connecting via IP instead of hostname).


was (Author: andorm):
{quote}In the current implementation of ZKTrustManager [1], ZooKeeper tries to 
verify the hostname using the IP first and then performs a reverse DNS lookup.
{quote}
Are you sure this is still the case?

I think ZooKeeper tries a reverse DNS lookup if the hostname is not available for 
some reason (e.g. connecting via IP instead of hostname).

> Avoid reverse DNS lookup for hostname verification when hostnames are 
> provided in the connection url
> ----------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3860
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.5.7
>            Reporter: Ravi Bhardwaj
>            Assignee: Andor Molnar
>            Priority: Major
>
> In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify 
> the hostname using the IP first and then performs a reverse DNS lookup. 
> This could be a problem when the IP address cannot be resolved to the hostname 
> added in the DN/SAN.
> The functionality can be improved by matching the hostname provided in the 
> connection URL against the DN/SAN. If that cannot be matched, try to match the 
> IP address. If that fails, then perform a reverse DNS lookup.
> An alternative approach could be to match only the hostname against the DN/SAN 
> when a hostname is provided in the connection URL.
> If an IP address is provided, then check the IP address first. If that 
> fails, perform a reverse DNS lookup and match the hostname returned against 
> the DN/SAN.
>  
> [1] 
> https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html
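A model of the "alternative approach" from the description above, added here as an illustration; it is not ZooKeeper's ZKTrustManager code. A hostname in the connect string is matched straight against the SAN with no reverse lookup, while an IP is matched against iPAddress entries first and reverse-resolved only as a last resort. The SAN entries, connect targets and the stub PTR table are constructed sample data.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a SAN dNSName against a hostname: exact match, or a wildcard
    confined to the leftmost label (e.g. *.zk.example.internal)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return (len(p_labels) == len(h_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False

def verify_peer(san_dns: Iterable[str], san_ips: Iterable[str],
                connect_target: str,
                reverse_lookup: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """Hostname-first ordering: a hostname is matched directly (no reverse
    lookup at all); an IP is checked against iPAddress SAN entries, and only
    then reverse-resolved and matched as a name. Returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(connect_target)
    except ValueError:
        ip = None
    if ip is None:
        if any(dns_name_matches(p, connect_target) for p in san_dns):
            return True, "hostname matched SAN"
        return False, "hostname not present in SAN"
    if ip in {ipaddress.ip_address(a) for a in san_ips}:
        return True, "IP matched SAN"
    # Last resort: reverse DNS. This is the step that fails when the PTR
    # record does not point at the name the certificate was issued for.
    name = reverse_lookup(str(ip))
    if name and any(dns_name_matches(p, name) for p in san_dns):
        return True, f"reverse-resolved name {name} matched SAN"
    return False, f"no SAN match (reverse lookup gave {name!r})"

# Constructed sample data (not from the ticket): SAN entries of a server
# certificate and a stub PTR table standing in for the resolver.
SAN_DNS = ["zk1.example.internal", "*.zk.example.internal"]
SAN_IPS = ["10.0.0.5"]
PTR_TABLE = {"10.0.0.5": "zk1.example.internal",
             "10.0.0.7": "host-10-0-0-7.cloud.internal"}
stub_reverse_lookup = PTR_TABLE.get
```

Calling `verify_peer(SAN_DNS, SAN_IPS, "10.0.0.7", stub_reverse_lookup)` reproduces the failure the ticket describes: the PTR name is not in the SAN, so the check fails even though the certificate is valid for the cluster.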



--
This message was sent by Atlassian Jira
(v8.20.10#820010)