java/116430: JDK does not respect DNS caching parameters on timeout with CNAME

Nick Johnson freebsd at spatula.net
Mon Sep 17 21:30:02 PDT 2007


>Number:         116430
>Category:       java
>Synopsis:       JDK does not respect DNS caching parameters on timeout with CNAME
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-java
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 18 04:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
morons.org 
>Environment:
System: FreeBSD turing.morons.org 6.2-STABLE FreeBSD 6.2-STABLE #0: Sun Jan 21 16:53:54 PST 2007 root at turing.morons.org:/usr/src/sys/i386/compile/TURING i386

Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-p6-root_29_jul_2007_13_27)

	
>Description:

When making a Socket connection, if the initial lookup for a host that is actually a CNAME times out, the JDK
does not respect the networkaddress.cache.negative.ttl value and immediately throws an UnknownHostException on
subsequent queries.

	
>How-To-Repeat:

0. Configure Java to run with -Dsun.net.inetaddr.negative.ttl=0 and/or set networkaddress.cache.negative.ttl=0 in java.security.
Configure /etc/resolv.conf to resolve against 127.0.0.1.  
1. Create a Socket giving a hostname that resolves as a CNAME and block requests with a firewall so that the request times
out at least initially.  Here are some example hosts for which this problem has been seen:

        www.washingtonpost.com
        www.towleroad.com
        www.wcbd.com

2. After the UnknownHostException, unblock the firewall and perform a lookup on the command line such that the name does
resolve.
3. Repeat step 1.  The JDK will immediately throw UnknownHostException without performing another lookup (you can
snoop network traffic and see that there is no subsequent lookup performed).

I'm not sure if the request has to time out entirely the first time, or if the resolver just has to do a retry, or if 
it always fails because it's a CNAME rather than an A record (but works correctly if the name is already in the BIND
cache because the address is also there).

	
>Fix:
Unknown
	


>Release-Note:
>Audit-Trail:
>Unformatted:


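A small Java probe for the How-To-Repeat steps above, added here as an example; it is not part of the original report or of the JDK. The class name `NegativeTtlProbe`, the prompt text and the 50 ms "instant failure" threshold are assumptions. It sets the negative TTL to 0, resolves the given host twice, and times both attempts so that a retry answered from the negative cache stands out.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

// Added example (not from the report): class name and threshold are assumptions.
public class NegativeTtlProbe {
    // Assumed cut-off: a failure faster than this probably never reached the resolver.
    static final long INSTANT_MS = 50;

    // Resolve once. Returns elapsed ms if the lookup failed, -1 if it resolved.
    static long attempt(String host) {
        long start = System.nanoTime();
        try {
            InetAddress addr = InetAddress.getByName(host);
            long ms = (System.nanoTime() - start) / 1000000L;
            System.out.println("resolved " + host + " -> " + addr.getHostAddress() + " in " + ms + " ms");
            return -1;
        } catch (UnknownHostException e) {
            long ms = (System.nanoTime() - start) / 1000000L;
            System.out.println("UnknownHostException for " + host + " after " + ms + " ms");
            return ms;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java NegativeTtlProbe <hostname>");
            System.exit(2);
        }
        // Step 0: disable negative caching; set before the first lookup.
        Security.setProperty("networkaddress.cache.negative.ttl", "0");

        // Step 1: first lookup, expected to time out while DNS is blocked.
        long first = attempt(args[0]);
        if (first < 0) {
            System.out.println("first lookup succeeded; block DNS and rerun to reproduce");
            return;
        }
        // Step 2: operator unblocks DNS and checks the name from the command line.
        System.out.println("Unblock DNS, confirm the name resolves, then press Enter");
        System.in.read();

        // Step 3: with a negative TTL of 0 this must trigger a fresh query.
        long second = attempt(args[0]);
        if (second < 0) {
            System.out.println("OK: retry performed a real lookup");
        } else if (second < INSTANT_MS) {
            System.out.println("SUSPECT: instant failure, negative cache entry likely reused");
        } else {
            System.out.println("still failing, but slowly: resolver was probably queried");
        }
    }
}
```

The timing is only a hint; a packet capture on the resolver port during step 3 is what confirms whether a query was sent, as the report describes.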