- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 24 Jan 2012 18:44:43 +0100
- To: WebID Incubator Group WG <public-xg-webid@w3.org>
- Cc: rzeno Zeno <ruset.zeno@gmail.com>
- Message-Id: <82A561D3-78EB-4778-8C33-E78F23F2F3A4@bblfish.net>
I discovered an issue with DNS caching that has been mentioned but that
we have not explored very far. It came up for me in Java, and I will explain
the results of my work for that language here, but that is something that
should interest all other implementations as it could manifest itself in
different forms there.
Russet Zeno has a server with a dynamic ip address that changes quite
regulary. He was having trouble authenticating with
http://foafssl.org/srv/idp after he changed ip address. This could
well be an issue that props up more regularly if we get Freedom Boxes
with dynamic IPs joining.
It turns out that Java for security reasons caches all ip addresses.
This can be changed by setting properties as explained in a number of
places, such as:
- http://javaeesupportpatterns.blogspot.com/2011/03/java-dns-cache-reference-guide.html
- http://www.rgagnon.com/javadetails/java-0445.html
- http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html
So I am going to see if the following addition helps [1]
24 java.security.Security.setProperty("networkaddress.cache.ttl" , ""+60*10); //3 minutes
25 java.security.Security.setProperty("networkaddress.cache.negative.ttl",""+60*3)
It would be very interesting to have feedback on this from others. Building
a test suite for this is going to be quite difficult, so here we probably need
to be aware of the problem and keep each other up to date on what is the
right thing to do.
I think this then also brings up an interesting topic that we could explore
next is support of DNSSEC.
Henry
[1] https://dvcs.w3.org/hg/read-write-web/rev/951fc773c9be
Social Web Architect
http://bblfish.net/
Received on Tuesday, 24 January 2012 17:45:22 UTC