KIP-235 — Add DNS alias support for secured connection
Accepted Kafka 2.1 Security
Allows Kafka clients to resolve all A/CNAME records behind a DNS alias when using SASL/Kerberos, so the Kerberos service principal is constructed from the canonical hostname rather than the alias. Without this change, when a DNS alias is listed in `bootstrap.servers`, the Java client performs Kerberos authentication against the alias string, which has no corresponding Kerberos service principal, and this causes a `SaslException`.
Details
| Field | Value |
| --- | --- |
| Author | Jonathan Skrzypek |
| Status | Accepted |
| Kafka Version | 2.1 |
| JIRA | KAFKA-6195 |
| Created | 2017-12-05 |
| Last Modified | 2018-10-24 |