Status
Current state: accepted
Discussion thread : https://lists.apache.org/thread.html/c29f6744b3e87b8e691de8cf5feb31f33dd8c2a5e07b77f957255a4e@%3Cdev.kafka.apache.org%3E
...
JIRA: KAFKA-6195
Released: 2.1.0
Motivation
When a DNS alias is specified in bootstrap.servers, the Java client API does not resolve all the CNAMEs behind it.
This breaks Kerberos-based SASL authentication, so clients are unable to connect to a secured cluster.
...
Client configuration
Proposed parameter: client.dns.lookup (earlier draft of this KIP: bootstrap.reverse.dns.lookup = true / false)
Implemented with a ClientDnsLookup enum including the values:
RESOLVE_CANONICAL_BOOTSTRAP_SERVERS_ONLY("resolve_canonical_bootstrap_servers_only")
DEFAULT("default")
This enum can be further extended to support new behaviours (potentially KIP-302?).
The default value for this parameter is false, so there is no backwards compatibility issue.
Setting the parameter to true makes the client perform the reverse lookup regardless of which security.protocol is specified.
...
Modifying the existing code path to always perform a reverse DNS lookup would break SSL authentication for Kafka users who put broker IP addresses in bootstrap.servers and in the SubjectAlternativeName field of their certificates.
In that case, parseAndValidateAddresses() would perform the lookup and replace the IP addresses with hostnames, which would then be matched against the IP entries in the certificates, so the SSL handshake would fail.
This mismatch would not be obvious to users, since bootstrap.servers and the certificates are consistent with each other.
Changing the default behaviour would therefore break a valid use case.
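The following is an added example, not Kafka's own code, that models the two client.dns.lookup behaviours described above and the reason the canonical-hostname lookup cannot be the default. The DNS zone (FORWARD_RECORDS, REVERSE_RECORDS), the KDC principal set and the certificate SAN entries are all constructed for the example; forward_lookup and reverse_lookup stand in for InetAddress.getAllByName and getCanonicalHostName, and parse_and_validate_addresses is a simplified Python model of the bootstrap parsing, not the Java method of the same name.

```python
from enum import Enum
from ipaddress import ip_address
from typing import Dict, List, Sequence, Tuple


class ClientDnsLookup(Enum):
    # Same values as the enum proposed in the KIP.
    DEFAULT = "default"
    RESOLVE_CANONICAL_BOOTSTRAP_SERVERS_ONLY = "resolve_canonical_bootstrap_servers_only"


# Constructed DNS zone: kafka.example.com is an alias in front of three brokers.
FORWARD_RECORDS: Dict[str, List[str]] = {
    "kafka.example.com": ["10.0.0.11", "10.0.0.12", "10.0.0.13"],
    "broker1.example.com": ["10.0.0.11"],
    "broker2.example.com": ["10.0.0.12"],
    "broker3.example.com": ["10.0.0.13"],
}
REVERSE_RECORDS: Dict[str, str] = {
    "10.0.0.11": "broker1.example.com",
    "10.0.0.12": "broker2.example.com",
    "10.0.0.13": "broker3.example.com",
}
# Constructed KDC content: only the real broker hostnames have a kafka/ service principal,
# so a ticket request for kafka/kafka.example.com@EXAMPLE.COM fails.
KDC_PRINCIPALS = {f"kafka/{h}@EXAMPLE.COM" for h in REVERSE_RECORDS.values()}


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def forward_lookup(host: str) -> List[str]:
    """Stand-in for InetAddress.getAllByName: an IP literal resolves to itself."""
    if is_ip_literal(host):
        return [host]
    if host not in FORWARD_RECORDS:
        raise LookupError(f"unknown host {host!r}")
    return list(FORWARD_RECORDS[host])


def reverse_lookup(ip: str) -> str:
    """Stand-in for InetAddress.getCanonicalHostName: falls back to the IP string."""
    return REVERSE_RECORDS.get(ip, ip)


def parse_host_port(entry: str) -> Tuple[str, int]:
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid bootstrap entry {entry!r}")
    return host, int(port)


def parse_and_validate_addresses(bootstrap_servers: str, mode: ClientDnsLookup,
                                 forward=forward_lookup, reverse=reverse_lookup) -> List[Tuple[str, int]]:
    """DEFAULT keeps each bootstrap entry as written; the canonical mode expands an
    alias to every address behind it and replaces each address by its canonical name."""
    addresses: List[Tuple[str, int]] = []
    for entry in bootstrap_servers.split(","):
        host, port = parse_host_port(entry.strip())
        if mode is ClientDnsLookup.DEFAULT:
            candidates = [host]
        else:
            candidates = [reverse(ip) for ip in forward(host)]
        for candidate in candidates:
            if (candidate, port) not in addresses:  # de-duplicate overlapping aliases
                addresses.append((candidate, port))
    return addresses


def kerberos_principal_exists(host: str, service: str = "kafka", realm: str = "EXAMPLE.COM") -> bool:
    """Would the SASL/GSSAPI client be able to obtain a service ticket for this host?"""
    return f"{service}/{host}@{realm}" in KDC_PRINCIPALS


def hostname_matches_san(host: str, san: Sequence[Tuple[str, str]]) -> bool:
    """Simplified SAN check: an IP literal must match an IP entry, a name must match a DNS entry."""
    if is_ip_literal(host):
        return any(kind == "IP" and ip_address(value) == ip_address(host) for kind, value in san)
    return any(kind == "DNS" and value.lower() == host.lower() for kind, value in san)


if __name__ == "__main__":
    canonical = ClientDnsLookup.RESOLVE_CANONICAL_BOOTSTRAP_SERVERS_ONLY
    for host, _ in parse_and_validate_addresses("kafka.example.com:9092", canonical):
        print(host, "has service principal:", kerberos_principal_exists(host))
    # Why the canonical lookup cannot be the default: an IP-only SAN no longer matches.
    (resolved, _), = parse_and_validate_addresses("10.0.0.11:9092", canonical)
    print(resolved, "matches IP-only SAN:", hostname_matches_san(resolved, [("IP", "10.0.0.11")]))
```

With the alias in default mode the client ends up requesting kafka/kafka.example.com, which the constructed KDC does not know; in the canonical mode it requests kafka/broker1.example.com and friends. Running the same canonical mode against an IP bootstrap entry turns 10.0.0.11 into broker1.example.com, which no longer matches a certificate whose SAN lists only IP addresses, which is exactly the break described above.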
...