<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.searchhighlight
{mso-style-name:searchhighlight;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:black">We began investigating this issues when we noticed many developers had misconfigured<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">security</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">properties</span></span><span style="color:black">.
One example is a search on github for Dnetworkaddress.cache.ttl:<span class="apple-converted-space"> </span><a href="https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code" title="https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code"><span style="color:#0563C1">https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code</span></a><span class="apple-converted-space"> </span>this
search illustrates the how developers mistake<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">security</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span style="color:black">settings
for system<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">properties</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span style="color:black">and
end up with misconfigurations. We see developers are misconfiguring<span class="apple-converted-space"> </span></span><span style="font-family:"Courier New";color:black">networkaddress.cache.ttl</span><span class="apple-converted-space"><span style="color:black"> </span></span><span style="color:black">and<span class="apple-converted-space"> </span></span><span style="font-family:"Courier New";color:black">networkaddress.cache.negative.ttl<span class="apple-converted-space"> </span></span><span style="color:black">settings,
Often in the effort to increase the TTL for entries in the DNS cache, they mistakenly change the networkaddress.cache.ttl on the command line which does nothing. This means teams don’t actually end up raising the DNS cache TTL. Inadvertently leaving the cache
TTL too low places more pressure on DNS servers. We would be open to at first narrowing the scope from all<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">security</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">properties</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span style="color:black">to
just the DNS cache<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">properties</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span style="color:black">and
doing a proof of concept. We’ve also gotten the suggestion of implementing it by adding system property overrides for those DNS<span class="apple-converted-space"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">security</span></span><span class="apple-converted-space"><span style="color:black"> </span></span><span class="searchhighlight"><span style="color:#070706;background:#FFEE94">properties.</span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span class="searchhighlight"><span style="color:#070706;background:#FFEE94"> </span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span class="searchhighlight"><span style="color:#070706;background:#FFEE94">Thank you in advance,</span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span class="searchhighlight"><span style="color:#070706;background:#FFEE94">Autumn Capasso</span></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>