[https://issues.apache.org/jira/browse/ZOOKEEPER-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17731164#comment-17731164]
Andor Molnar edited comment on ZOOKEEPER-3860 at 6/10/23 5:39 AM:
------------------------------------------------------------------
I checked the current behaviour on latest master and it's true that it verifies
the IP address first and if it fails, tries the hostname. If the hostname is
not already available, JDK will automatically try a reverse DNS lookup to get
it somehow.
We could change this to go with the already available hostname, IP address and
hostname with reverse lookup, but that would be just slightly better.
The most annoying thing I've found is the beefy DEBUG log message if the IP
address validation fails in the first step (which is usually the case). I'll
change this message to drop the exception stack trace and be less verbose,
because people usually believe it's an error message, but it's not.
> Avoid reverse DNS lookup for hostname verification when hostnames are
> provided in the connection url
> ----------------------------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-3860
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3860
> Project: ZooKeeper
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.5.7
> Reporter: Ravi Bhardwaj
> Assignee: Andor Molnar
> Priority: Major
>
> In the current implementation of ZKTrustManager [1], ZooKeeper tries to verify
> the hostname using the IP first and then performs a reverse DNS lookup.
> This could be a problem when the IP address cannot be resolved to the hostname
> added in the DN/SAN.
> The functionality can be improved by matching the hostname provided in the
> connection url against the DN/SAN. If that cannot be matched, try to match the
> IP address. If that fails, then perform a reverse DNS lookup.
> An alternative approach could be to match only the hostname against the DN/SAN
> when a hostname is provided in the connection url.
> If an IP address is provided, then check with the IP address first. If that
> fails, perform a reverse DNS lookup and match the hostname returned against
> the DN/SAN.
>
> [1]
> https://zookeeper.apache.org/doc/r3.5.7/apidocs/zookeeper-server/org/apache/zookeeper/common/ZKTrustManager.html
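The SAN-first matching the description asks for, written out as an added illustration rather than ZooKeeper's own ZKTrustManager code: the endpoint taken from the connection string is compared against the certificate's SAN entries only, with a literal IP checked against iPAddress SANs and a hostname against dNSName SANs, and no reverse DNS lookup at any point. The class and method names are hypothetical.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper: match the configured endpoint against SAN entries without any DNS query. */
public final class SanEndpointMatcher {
    private static final int SAN_DNS_NAME = 2;   // GeneralName tag for dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag for iPAddress

    /**
     * True if the endpoint from the connection url matches a SAN entry of the right kind.
     * An IP literal is never matched against dNSName entries and a hostname never against
     * iPAddress entries, so an address that does not resolve simply fails to match.
     */
    public static boolean matches(String endpoint, X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) return false;
        boolean endpointIsIp = isIpLiteral(endpoint);
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = String.valueOf(san.get(1));
            // iPAddress SANs are compared textually; IPv6 values would need canonicalising first
            if (endpointIsIp && type == SAN_IP_ADDRESS && value.equalsIgnoreCase(endpoint)) return true;
            if (!endpointIsIp && type == SAN_DNS_NAME && dnsNameMatches(endpoint, value)) return true;
        }
        return false;
    }

    /** Case-insensitive exact match, or a single leftmost-label wildcard with at least two labels after it. */
    static boolean dnsNameMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        if (p.indexOf('.', 2) < 0) return false;        // refuse "*.com"-style patterns
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot + 1).equals(p.substring(2));
    }

    /** Purely syntactic check for a dotted-quad IPv4 or an IPv6 literal; never resolves anything. */
    static boolean isIpLiteral(String s) {
        if (s.indexOf(':') >= 0) return true;
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) return false;
        for (String part : parts) {
            if (part.isEmpty() || part.length() > 3 || !part.chars().allMatch(Character::isDigit)) return false;
            if (Integer.parseInt(part) > 255) return false;
        }
        return true;
    }
}
```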