JVM security properties warning

[Daniel Jeliński]

Hi Autumn,
Thanks for bringing it up here.
The documentation could definitely use some improvement; we could make
the property documentation link to the Security class, which in turn
documents the use of the java.security file. We should also remove
these security properties from the system properties list
(https://docs.oracle.com/en/java/javase/21/docs/api/system-properties.html).

I'm not sure about exposing the DNS configuration as system
properties. The configuration can already be set using undocumented
system properties, but only if the corresponding security property is
not set (so, for example, sun.net.inetaddr.ttl will work, but
sun.net.inetaddr.negative.ttl will not). There's probably a reason why
these properties are not documented, others could explain.

As I'm sure you found out already, the default TTL is 30 seconds for
successful lookups, 10 seconds for failed lookups. What kind of values
would you use to reduce the DNS pressure?

If you're looking to reduce the DNS activity, there are many other
options to choose from:
- use a local caching DNS resolver like systemd-resolved
- cache the resolved InetAddress instance on the application level
- use a custom address resolution service provider (requires JDK 18+,
see https://openjdk.org/jeps/418)
- use the hosts file
- use a local caching DNS server

The default JDK resolver uses the standard C APIs to resolve DNS
hostnames, and has no access to the TTL information returned by the
server. Further, negative caching does not differentiate between a
negative response and a DNS failure. For that reason you should prefer
using caches that have access to that information.

Let me know if that helps.
Regards,
Daniel

czw., 4 sty 2024 o 22:45 Capasso, Autumn <autumcap at amazon.com> napisał(a):
>
> We began investigating this issues when we noticed many developers had misconfigured security properties. One example is a search on github for Dnetworkaddress.cache.ttl: https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code this search illustrates the how developers mistake security settings for system properties and end up with misconfigurations. We see developers are misconfiguring networkaddress.cache.ttl and networkaddress.cache.negative.ttl settings, Often in the effort to increase the TTL for entries in the DNS cache, they mistakenly change the networkaddress.cache.ttl on the command line which does nothing. This means teams don’t actually end up raising the DNS cache TTL. Inadvertently leaving the cache TTL too low places more pressure on DNS servers. We would be open to at first narrowing the scope from all security properties to just the DNS cache properties and doing a proof of concept. We’ve also gotten the suggestion of implementing it by adding system property overrides for those DNS security properties.
>
>
>
> Thank you in advance,
>
> Autumn Capasso
>
>
>
>