RFR 8052412: Too many DNS requests for KDC settings

Wang Weijun weijun.wang at oracle.com
Mon Aug 4 01:34:36 UTC 2014


Please review the code change at

   http://cr.openjdk.java.net/~weijun/8052412/webrev.00

The original code queries the DNS server every time the getKDCList() method is called. On the other hand, if the KDC info is written inside a krb5.conf file, it is never re-read (or is re-read for each login when the JAAS login config file has Krb5LoginModule refresh on). The re-querying of DNS is a great waste of time.

The updated code stores the result in a cache. It's not uncommon that a DNS server could contain stale entries, so a removeFromDnsCache() method is called if a KDC is not accessible. When all KDCs for a realm are removed, a new query will be sent. To be consistent with krb5.conf reading, a Krb5LoginModule refresh would reset the cache.

Thanks
Max
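
The caching behaviour described in the message above, as an added Java example that is not the code in the webrev. Only getKDCList() and removeFromDnsCache() are names from the message; the class name KdcDnsCache, the dnsLookup function standing in for the DNS query, the refresh() method name, and the sample realm and host names are assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

// Hypothetical sketch: per-realm cache of KDCs learned from DNS.
public class KdcDnsCache {
    private final Map<String, List<String>> cache = new HashMap<>();
    private final Function<String, List<String>> dnsLookup; // stand-in for the DNS query
    private int queries = 0;                                 // lookup counter, demo only

    public KdcDnsCache(Function<String, List<String>> dnsLookup) {
        this.dnsLookup = dnsLookup;
    }

    // Return the cached KDCs for a realm; go to DNS only on a cache miss.
    public synchronized List<String> getKDCList(String realm) {
        List<String> kdcs = cache.get(realm);
        if (kdcs == null) {
            queries++;
            kdcs = new ArrayList<>(dnsLookup.apply(realm));
            cache.put(realm, kdcs);
        }
        return List.copyOf(kdcs);
    }

    // Drop a KDC that was not accessible (possibly a stale DNS entry). Once the
    // realm has no KDC left, forget it so the next getKDCList() queries again.
    public synchronized void removeFromDnsCache(String realm, String kdc) {
        List<String> kdcs = cache.get(realm);
        if (kdcs != null && kdcs.remove(kdc) && kdcs.isEmpty()) {
            cache.remove(realm);
        }
    }

    // Reset on a Krb5LoginModule refresh, consistent with re-reading krb5.conf.
    public synchronized void refresh() { cache.clear(); }

    public synchronized int queryCount() { return queries; }

    public static void main(String[] args) {
        // Constructed sample data: realm and host names are made up.
        KdcDnsCache c = new KdcDnsCache(r -> List.of("kdc1.example.com", "kdc2.example.com"));
        c.getKDCList("EXAMPLE.COM");
        c.getKDCList("EXAMPLE.COM");                        // served from the cache
        System.out.println("lookups after two calls: " + c.queryCount());
        c.removeFromDnsCache("EXAMPLE.COM", "kdc1.example.com");
        c.removeFromDnsCache("EXAMPLE.COM", "kdc2.example.com");
        c.getKDCList("EXAMPLE.COM");                        // realm emptied, so DNS is queried again
        System.out.println("lookups after eviction: " + c.queryCount());
    }
}
```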



