RFR 8052412: Too many DNS requests for KDC settings
Xuelei Fan
xuelei.fan at oracle.com
Mon Aug 4 03:14:53 UTC 2014
It's not common but the DNS records of KDC may be updated. This update
may introduce regression if the DNS record gets updated. Is it possible
to support cache timeout in order to mitigate the impact?
Config.java:
------------
1207 private static Map<String,List<String>> dnsCache =
1208 Collections.synchronizedMap(new HashMap<>());
Better to put the lines above in the beginning of the class.
1218 System.out.println("getKDCFromDNS: " + realm + ", " + list);
list -> String.join(" ", list)?
Xuelei
On 8/4/2014 9:34 AM, Wang Weijun wrote:
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8052412/webrev.00
>
> The original code queries DNS server every time the getKDCList() method is called. On the other hand, if the KDC info is written inside a krb5.conf file, it is never re-read (or for each login when the JAAS login config file has Krb5LoginModule refresh on). The re-querying of DNS is a great waste of time.
>
> Updated code stores the result in a cache. It's not uncommon that a DNS server could contain stale entries so a removeFromDnsCache() method is called if a KDC is not accessible. When all KDCs for a realm are removed, a new query will be sent. To be consistent with krb5.conf reading, a Krb5LoginModule refresh would reset the cache.
>
> Thanks
> Max
>
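As an added illustration of the caching scheme under review (not the webrev's Config.java code), the sketch below keeps a per-realm KDC list, drops a KDC when removeFromDnsCache() reports it unreachable, re-queries DNS once the realm's list is empty or on refresh, and adds the cache timeout Xuelei asks about. The class name, the dnsQuery callback standing in for the SRV lookup, and the sample KDC host names are assumptions of this example.

```java
import java.util.*;
import java.util.function.Function;

/** Per-realm KDC cache: DNS is consulted only when no usable entry exists. */
public final class KdcDnsCache {
    private static final class Entry {
        final List<String> kdcs;   // mutable: hosts are dropped as KDCs fail
        final long expiresAt;      // cache timeout (the review's suggestion)
        Entry(List<String> kdcs, long expiresAt) { this.kdcs = kdcs; this.expiresAt = expiresAt; }
    }
    private final Map<String, Entry> dnsCache = new HashMap<>();
    private final Function<String, List<String>> dnsQuery; // realm -> KDC hosts (assumed stand-in for SRV lookup)
    private final long ttlMillis;

    public KdcDnsCache(Function<String, List<String>> dnsQuery, long ttlMillis) {
        this.dnsQuery = dnsQuery;
        this.ttlMillis = ttlMillis;
    }

    /** Queries DNS only on a miss, an expired entry, or a list emptied by removeFromDnsCache(). */
    public synchronized List<String> getKDCFromDNS(String realm) {
        long now = System.currentTimeMillis();
        Entry e = dnsCache.get(realm);
        if (e == null || e.kdcs.isEmpty() || now >= e.expiresAt) {
            e = new Entry(new ArrayList<>(dnsQuery.apply(realm)), now + ttlMillis);
            dnsCache.put(realm, e);
        }
        return Collections.unmodifiableList(new ArrayList<>(e.kdcs));
    }

    /** Called when a KDC is not accessible; a stale DNS entry is thus retired without a full re-query. */
    public synchronized void removeFromDnsCache(String realm, String kdc) {
        Entry e = dnsCache.get(realm);
        if (e != null) e.kdcs.remove(kdc);
    }

    /** Mirrors a Krb5LoginModule refresh: krb5.conf and the DNS cache are reset together. */
    public synchronized void reset() { dnsCache.clear(); }

    public static void main(String[] args) {
        int[] queries = {0};  // counts simulated DNS round trips
        KdcDnsCache cache = new KdcDnsCache(
            realm -> { queries[0]++; return List.of("kdc1.example.test", "kdc2.example.test"); }, 60_000);
        cache.getKDCFromDNS("EXAMPLE.TEST");
        cache.getKDCFromDNS("EXAMPLE.TEST");                       // served from the cache, no DNS traffic
        cache.removeFromDnsCache("EXAMPLE.TEST", "kdc1.example.test");
        cache.removeFromDnsCache("EXAMPLE.TEST", "kdc2.example.test");
        cache.getKDCFromDNS("EXAMPLE.TEST");                       // list is now empty, so DNS is queried again
        System.out.println("DNS queries issued: " + queries[0]);
    }
}
```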