Sorry, the example I used with public/private DNS is wrong. But there is
the general issue of multiple DNS names where only one is added to the
keytab/certificate, but all names are added to the bootstrap server list.

On Wed, Dec 6, 2017 at 12:06 PM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:

> Hi Jonathan,
>
> Thank you for the KIP.
>
> I think you are proposing that we always do this (i.e. no option to turn
> it off). If you have a private and public DNS name, at the moment, if SSL
> certs and keytabs contain only the public DNS name and the bootstrap
> servers and advertised listeners are configured to use that name,
> everything works fine. With the proposed changes in the KIP, the client
> would add the private name as well to the bootstrap servers. So if a
> connection is made to the private name, that would result in an
> authentication exception.
>
> Also I think you are suggesting that we update bootstrap servers to be the
> alias plus any other hostnames obtained from DNS lookup. This means that
> connections using the alias would fail with authentication exception. We do
> not retry in the case of authentication exceptions (and it makes it hard to
> diagnose security issues if we start expecting some authentication failures
> to be ok).
>
>
> On Wed, Dec 6, 2017 at 10:43 AM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
>> Hi Jonathan
>>
>> I think this will be very useful. I reported something similar here:
>> https://issues.apache.org/jira/browse/KAFKA-4781
>>
>> Please confirm your KIP will address it?
>>
>> Stéphane
>>
>> On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
>> wrote:
>>
>> > True, amended the KIP, thanks.
>> >
>> > Jonathan Skrzypek
>> > Middleware Engineering
>> > Messaging Engineering
>> > Goldman Sachs International
>> >
>> >
>> > -----Original Message-----
>> > From: Tom Bentley [mailto:t.j.bent...@gmail.com]
>> > Sent: 05 December 2017 18:19
>> > To: dev@kafka.apache.org
>> > Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>> >
>> > Hi Jonathan,
>> >
>> > It might be worth mentioning in the KIP that this is necessary only for
>> > *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it
>> > makes sense, but I was confused up until that point.
>> >
>> > Cheers,
>> >
>> > Tom
>> >
>> > On 5 December 2017 at 17:53, Skrzypek, Jonathan <
>> jonathan.skrzy...@gs.com>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I would like to discuss a KIP I've submitted:
>> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>> > >
>> > > Feedback and suggestions welcome !
>> > >
>> > > Regards,
>> > > Jonathan Skrzypek
>> > > Middleware Engineering
>> > > Messaging Engineering
>> > > Goldman Sachs International
>> > > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
>> > > Tel: +442070512977
>> > >
>> > >
>> >
>>
>
>