Sorry, the example I used with public/private DNS is wrong. But there is the general issue of multiple DNS names where only one is added to the keytab/certificate, but all names are added to the bootstrap server list.
On Wed, Dec 6, 2017 at 12:06 PM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> Hi Jonathan,
>
> Thank you for the KIP.
>
> I think you are proposing that we always do this (i.e. no option to turn
> it off). If you have a private and public DNS name, at the moment, if SSL
> certs and keytabs contain only the public DNS name and the bootstrap
> servers and advertised listeners are configured to use that name,
> everything works fine. With the proposed changes in the KIP, the client
> would add the private name as well to the bootstrap servers. So if a
> connection is made to the private name, that would result in an
> authentication exception.
>
> Also I think you are suggesting that we update bootstrap servers to be the
> alias plus any other hostnames obtained from DNS lookup. This means that
> connections using the alias would fail with authentication exception. We do
> not retry in the case of authentication exceptions (and it makes it hard to
> diagnose security issues if we start expecting some authentication failures
> to be ok).
>
>
> On Wed, Dec 6, 2017 at 10:43 AM, Stephane Maarek <steph...@simplemachines.com.au> wrote:
>
>> Hi Jonathan
>>
>> I think this will be very useful. I reported something similar here:
>> https://issues.apache.org/jira/browse/KAFKA-4781
>>
>> Please confirm your KIP will address it?
>>
>> Stéphane
>>
>> On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com> wrote:
>>
>> > True, amended the KIP, thanks.
>> >
>> > Jonathan Skrzypek
>> > Middleware Engineering
>> > Messaging Engineering
>> > Goldman Sachs International
>> >
>> >
>> > -----Original Message-----
>> > From: Tom Bentley [mailto:t.j.bent...@gmail.com]
>> > Sent: 05 December 2017 18:19
>> > To: dev@kafka.apache.org
>> > Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>> >
>> > Hi Jonathan,
>> >
>> > It might be worth mentioning in the KIP that this is necessary only for
>> > *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it
>> > makes sense, but I was confused up until that point.
>> >
>> > Cheers,
>> >
>> > Tom
>> >
>> > On 5 December 2017 at 17:53, Skrzypek, Jonathan <jonathan.skrzy...@gs.com> wrote:
>> >
>> > > Hi,
>> > >
>> > > I would like to discuss a KIP I've submitted:
>> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D&d=DwIBaQ&c=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4&r=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E&m=GWKXAILbqxFU2j7LtoOx9MZ00uy_jJcGWWIG92CyAuc&s=fv5WAkOgLhVOmF4vhEzq_39CWnEo0q0AJbqhAuDFDT0&e= 235%3A+Add+DNS+alias+support+for+secured+connection
>> > >
>> > > Feedback and suggestions welcome!
>> > >
>> > > Regards,
>> > > Jonathan Skrzypek
>> > > Middleware Engineering
>> > > Messaging Engineering
>> > > Goldman Sachs International
>> > > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
>> > > Tel: +442070512977
>> > >
>> > >
>> >
>> >
>
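Added illustration of the concern raised in this thread (not code from the KIP or from Kafka): a pre-flight check that expands a bootstrap alias into the hostnames a client would actually connect to and reports which of them are not covered by the broker keytab or certificate. The DNS data, hostnames and the alias-to-canonical-name expansion are constructed assumptions for the example.

```python
"""Pre-flight check for bootstrap alias expansion against keytab/cert coverage.

Constructed example. A bootstrap alias resolves to several broker addresses,
each with its own canonical hostname. SASL/Kerberos derives the service
principal from the hostname the client connects to, so every expanded name
must be covered by the broker keytab (or the certificate SAN for SSL);
otherwise that connection fails with a non-retried authentication exception.
"""
import socket
from typing import Dict, List, Set, Tuple

# Constructed DNS data (assumption): alias -> addresses, address -> canonical name.
FAKE_FORWARD: Dict[str, List[str]] = {"kafka.example.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}
FAKE_REVERSE: Dict[str, str] = {
    "10.0.0.1": "broker1.example.com",
    "10.0.0.2": "broker2.example.com",
    "10.0.0.3": "broker3.internal.example.com",  # private name, not in the keytab
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for forward + reverse DNS: alias -> canonical hostnames."""
    return [FAKE_REVERSE[ip] for ip in FAKE_FORWARD.get(host, [])] or [host]


def system_resolver(host: str) -> List[str]:
    """Real lookup with the same shape: A records of the alias, then PTR of each."""
    ips = sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})
    return [socket.gethostbyaddr(ip)[0] for ip in ips]


def expand_bootstrap(bootstrap: str, resolve=fake_resolver) -> List[Tuple[str, int]]:
    """Expand 'alias:port,alias2:port' into the (canonical_host, port) pairs a client would dial."""
    expanded: List[Tuple[str, int]] = []
    for entry in bootstrap.split(","):
        host, port = entry.strip().rsplit(":", 1)
        expanded.extend((name, int(port)) for name in resolve(host))
    return expanded


def kerberos_principal(service: str, host: str, realm: str) -> str:
    """Service principal the client will request a ticket for when dialing `host`."""
    return f"{service}/{host}@{realm}"


def uncovered_hosts(expanded: List[Tuple[str, int]], covered: Set[str]) -> List[str]:
    """Expanded hosts absent from the keytab principals / certificate SANs: each would
    produce an authentication exception rather than a retried connection attempt."""
    return [host for host, _ in expanded if host not in covered]
```

Run `expand_bootstrap("kafka.example.com:9093", system_resolver)` to perform the check against live DNS instead of the constructed table.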