- From: Henry Story <henry.story@bblfish.net>
- Date: Tue, 24 Jan 2012 18:44:43 +0100
- To: WebID Incubator Group WG <public-xg-webid@w3.org>
- Cc: rzeno Zeno <ruset.zeno@gmail.com>
- Message-Id: <82A561D3-78EB-4778-8C33-E78F23F2F3A4@bblfish.net>
I discovered an issue with DNS caching that has been mentioned but that we have not explored very far. It came up for me in Java, and I will explain the results of my work for that language here, but that is something that should interest all other implementations, as it could manifest itself in different forms there.

Russet Zeno has a server with a dynamic IP address that changes quite regularly. He was having trouble authenticating with http://foafssl.org/srv/idp after he changed IP address. This could well be an issue that crops up more regularly if we get Freedom Boxes with dynamic IPs joining.

It turns out that Java, for security reasons, caches all IP addresses. This can be changed by setting properties as explained in a number of places, such as:

- http://javaeesupportpatterns.blogspot.com/2011/03/java-dns-cache-reference-guide.html
- http://www.rgagnon.com/javadetails/java-0445.html
- http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html

So I am going to see if the following addition helps [1]

    // TTLs are in seconds: successful lookups, then failed (negative) lookups
    java.security.Security.setProperty("networkaddress.cache.ttl", "" + 60*10);         // 10 minutes
    java.security.Security.setProperty("networkaddress.cache.negative.ttl", "" + 60*3); // 3 minutes

It would be very interesting to have feedback on this from others. Building a test suite for this is going to be quite difficult, so here we probably need to be aware of the problem and keep each other up to date on what is the right thing to do.

I think this then also brings up an interesting topic that we could explore next: support of DNSSEC.

Henry

[1] https://dvcs.w3.org/hg/read-write-web/rev/951fc773c9be

Social Web Architect
http://bblfish.net/
Received on Tuesday, 24 January 2012 17:45:22 UTC
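
Added example, not part of the original message or of the read-write-web code base: one way to pin the two JVM DNS cache TTLs discussed above at startup, report the values in effect, and watch a host for an address change or a failed lookup. The class and method names are hypothetical, `localhost` is a placeholder host so the program runs offline, and the `sun.net.inetaddr.*` names are the legacy system properties the JDK falls back to when the security property is unset.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

public class DnsCachePolicy {

    // Security property first, then the legacy system property (fallback only).
    static String effective(String securityProp, String legacySystemProp) {
        String v = Security.getProperty(securityProp);
        if (v == null || v.trim().isEmpty()) v = System.getProperty(legacySystemProp);
        if (v == null || v.trim().isEmpty()) return "unset (JVM default applies)";
        int ttl = Integer.parseInt(v.trim());
        if (ttl < 0) return "cache forever";
        return ttl == 0 ? "no caching" : ttl + " seconds";
    }

    // Call before the first InetAddress lookup: the JVM reads these
    // properties once, when its address cache policy is initialised.
    static void apply(int positiveTtlSeconds, int negativeTtlSeconds) {
        if (positiveTtlSeconds < 0 || negativeTtlSeconds < 0)
            throw new IllegalArgumentException("a negative TTL means cache forever");
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(positiveTtlSeconds));
        Security.setProperty("networkaddress.cache.negative.ttl", Integer.toString(negativeTtlSeconds));
    }

    public static void main(String[] args) throws InterruptedException {
        apply(60 * 10, 60 * 3); // values from the message: 10 min positive, 3 min negative
        System.out.println("positive: " + effective("networkaddress.cache.ttl", "sun.net.inetaddr.ttl"));
        System.out.println("negative: " + effective("networkaddress.cache.negative.ttl", "sun.net.inetaddr.negative.ttl"));

        String host = args.length > 0 ? args[0] : "localhost"; // placeholder host
        int rounds = args.length > 1 ? Integer.parseInt(args[1]) : 3;
        String last = null;
        for (int i = 0; i < rounds; i++) {
            String now;
            try {
                now = InetAddress.getByName(host).getHostAddress();
            } catch (UnknownHostException e) {
                now = "unresolved"; // failures are cached for the negative TTL
            }
            if (last != null && !now.equals(last))
                System.out.println("changed: " + last + " -> " + now);
            System.out.println(host + " -> " + now);
            last = now;
            if (i + 1 < rounds) Thread.sleep(1000);
        }
    }
}
```

Run with a host name and a round count as arguments to watch a real dynamic-IP host; a change only becomes visible once the cached entry has outlived the positive TTL.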