In the current implementation of ZKTrustManager, ZooKeeper tries to verify the hostname using the IP address first and then performs a reverse DNS lookup.
This can be a problem when the IP address cannot be resolved to the hostname added in the DN/SAN.
The functionality can be improved by matching the hostname provided in the connection URL against the DN/SAN. If that cannot be matched, try to match the IP address. If that fails, then perform a reverse DNS lookup.
An alternative approach could be to match only the hostname against the DN/SAN when a hostname is provided in the connection URL.
If an IP address is provided, then check with the IP address first. If that fails, perform a reverse DNS lookup and match the hostname returned against the DN/SAN.
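
The two proposed matching orders, sketched as an added example (this is not ZooKeeper's ZKTrustManager code). The `CertNames` record, the `verify` method, the `strictHostname` flag and every host name and address are hypothetical; certificate names are modelled as plain lists instead of being read from an `X509Certificate`, and the reverse DNS lookup is passed in as a function so the example runs offline.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.function.Function;

public class HostVerifyOrder {
    /** Names taken from the peer certificate (constructed stand-in for DN/SAN entries). */
    record CertNames(List<String> dnsNames, List<String> ipAddresses) {}

    /** Exact match, or a match against a single left-most wildcard label ("*.example.internal"). */
    static boolean matchesDns(String host, CertNames cert) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String name : cert.dnsNames()) {
            String n = name.toLowerCase(Locale.ROOT);
            if (n.equals(h)) return true;
            int dot = h.indexOf('.');
            if (n.startsWith("*.") && dot > 0 && h.substring(dot).equals(n.substring(1))) return true;
        }
        return false;
    }

    /**
     * connectHost is the hostname from the connection URL, or null when the URL held an IP.
     * strictHostname=false: hostname, then IP, then reverse DNS (first proposal).
     * strictHostname=true: a supplied hostname is the only identity tried (alternative proposal).
     * Returns the step that matched, or empty when verification fails.
     */
    static Optional<String> verify(String connectHost, String peerIp, CertNames cert,
                                   Function<String, String> reverseLookup, boolean strictHostname) {
        if (connectHost != null) {
            if (matchesDns(connectHost, cert)) return Optional.of("connect-host");
            if (strictHostname) return Optional.empty();
        }
        if (cert.ipAddresses().contains(peerIp)) return Optional.of("ip");
        String ptrName = reverseLookup.apply(peerIp);
        if (ptrName != null && matchesDns(ptrName, cert)) return Optional.of("reverse-dns");
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed case: the certificate names the server, but the PTR record does not.
        CertNames cert = new CertNames(List.of("zk1.example.internal"), List.of());
        Function<String, String> ptr = ip -> "ip-10-0-0-5.compute.internal";
        // IP and reverse DNS only, as in the behaviour described at the top of the page.
        System.out.println(verify(null, "10.0.0.5", cert, ptr, false));
        // Hostname from the connection URL is tried first.
        System.out.println(verify("zk1.example.internal", "10.0.0.5", cert, ptr, false));
        // Alternative: a hostname that is not in the certificate fails without falling back.
        System.out.println(verify("other.example.internal", "10.0.0.5", cert, ptr, true));
    }
}
```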