4 Replies Latest reply on Jul 14, 2014 9:17 AM by Bill Robinson

    Changing default network address cache timeout for BSA/java host resolver

    Yanick Girouard

      In the $INSTALL_DIR/NSH/br/java/lib/security/java.security file, there's a setting that allows you to set the network address cache time for hosts that are resolved by BSA.


      # The Java-level namelookup cache policy for successful lookups:
      # any negative value: caching forever
      # any positive value: the number of seconds to cache an address for
      # zero: do not cache
      # default value is forever (FOREVER). For security reasons, this
      # caching is made forever when a security manager is set. When a security
      # manager is not set, the default behavior is to cache for 30 seconds.
      # NOTE: setting this to anything other than the default value can have
      #       serious security implications. Do not set it unless
      #       you are sure you are not exposed to DNS spoofing attack.
      # The Java-level namelookup cache policy for failed lookups:
      # any negative value: cache forever
      # any positive value: the number of seconds to cache negative lookup results
      # zero: do not cache
      # In some Microsoft Windows networking environments that employ
      # the WINS name service in addition to DNS, name service lookups
      # that fail may take a noticeably long time to return (approx. 5 seconds).
      # For this reason the default caching policy is to maintain these
      # results for 10 seconds.


      However, the setting for successful lookups is set to the default, which is forever (-1). This means that once the application server has resolved a name in the DNS, it caches its address forever until the application is restarted. This can pose several issues.


      One issue we faced in the past was that Microsoft had changed some of the IP addresses behind download.microsoft.com, and so the patch download during a catalog update job would fail because the application had the wrong IP in its cache. To fix this, we had to restart the application servers.


      Other issues involve target hosts whose IP address we changed. Again, a restart of the application is required for it to get the new IP address, or it keeps trying to connect to the old one.


      I was wondering why this setting was left at its default and whether it could be changed safely.
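As an added example (not from this thread and not BSA's own tooling), a small POSIX shell helper that audits the cache properties in a java.security file and replaces the "forever" default with a bounded positive TTL, so a changed address is picked up after that many seconds instead of only after a restart, while the cache itself is not disabled. The property names networkaddress.cache.ttl and networkaddress.cache.negative.ttl are the standard Java names (the post quotes only the comments around them); the file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Hypothetical helper, not part of BSA or the thread above.
# Property names are the standard Java ones from java.security.

# Print the explicit value of a property, or "unset" when the file only
# carries the commented-out default (which Java then treats as forever
# for successful lookups, per the comments quoted in the post).
get_prop() {  # get_prop FILE PROPERTY
    v=$(grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Set networkaddress.cache.ttl to a bounded, positive number of seconds.
# Rejects 0 (every lookup goes to DNS, the case the file's own warning
# is about) and negative values (cache forever, the stale-IP problem).
# Keeps a .bak copy and rewrites an existing active or commented-out
# line in place so the property is never defined twice.
set_cache_ttl() {  # set_cache_ttl FILE SECONDS
    f=$1; ttl=$2
    case $ttl in
        ''|*[!0-9]*|0)
            echo "ttl must be a positive integer number of seconds" >&2
            return 1 ;;
    esac
    cp "$f" "$f.bak" || return 1
    pat='^[[:space:]]*#?[[:space:]]*networkaddress\.cache\.ttl[[:space:]]*='
    if grep -qE "$pat" "$f"; then
        sed -E "s/$pat.*/networkaddress.cache.ttl=$ttl/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'networkaddress.cache.ttl=%s\n' "$ttl" >> "$f"
    fi
}

# Usage (path is a placeholder for the BSA application server's copy):
#   get_prop /path/to/NSH/br/java/lib/security/java.security networkaddress.cache.ttl
#   set_cache_ttl /path/to/NSH/br/java/lib/security/java.security 60
```

The application server still has to be restarted once for the edited file to be read; after that, the cache expires on its own.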