We have a backup CAS host at a distant campus. The idea is that if we lose the main datacenter, that host can be brought online by swinging the DNS entry to point to the backup CAS host. Pretty simple!
However, we find that JVMs have an insane approach to DNS cache timeout -- they ignore the TTL entirely. They default in some situations to re-lookup the DNS entry every 30 seconds - which is nuts, but doesn't hurt our DR strategy. However, if a 'security manager' has been set, then they default to INFINITE retention of the initial lookup result.

> "Why is your service continuing to contact 137.159.9.7 as the CAS server
> when the DNS entry for CAS was moved to 137.159.198.200? The DNS TTL for
> cas.pepperdine.edu is 300 seconds (5 min), but EVERY ticket check from your
> service to CAS was still going to 137.159.9.7 after 1200 seconds (20 minutes)."

Because Java caches DNS lookups infinitely unless explicitly told not to.

http://download.oracle.com/javase/6/docs/api/java/net/InetAddress.html

Whut? This is security?

Has anyone else dealt with this? Is there a better way to do remote DR than using DNS?

Best,
Kim

Dr. Kim S. Cary
Chief Information Security Officer
Pepperdine University
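As an added example (not code from the post or from the CAS project), the following Java class audits the JVM cache settings behind the behaviour described above and bounds them so a DNS swing to the DR host is picked up within a minute; it assumes Java 6 or later and uses a placeholder hostname, cas.example.edu, unless a real one is passed on the command line.

```java
import java.net.InetAddress;
import java.security.Security;
import java.util.Arrays;

// Added example (not from the original post): audits the JVM's DNS cache
// policy and bounds it so a DNS-based failover is honoured within minutes.
public class JvmDnsCacheCheck {
    // These security properties are read once, when InetAddress first
    // initialises its cache policy, so set them before any name lookup.
    // Editing $JAVA_HOME/lib/security/java.security has the same effect
    // without a code change. -1 means "cache forever"; 0 disables caching.
    public static void boundCacheTtl(int positiveSeconds, int negativeSeconds) {
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(positiveSeconds));
        Security.setProperty("networkaddress.cache.negative.ttl", Integer.toString(negativeSeconds));
    }

    // Shows the settings that decide whether a moved DNS entry is ever seen.
    public static void reportSettings() {
        boolean securityManager = System.getSecurityManager() != null;
        System.out.println("security manager installed: " + securityManager
            + (securityManager ? "  (default is then infinite caching)" : ""));
        System.out.println("networkaddress.cache.ttl          = "
            + Security.getProperty("networkaddress.cache.ttl"));
        System.out.println("networkaddress.cache.negative.ttl = "
            + Security.getProperty("networkaddress.cache.negative.ttl"));
        // Legacy system property (-Dsun.net.inetaddr.ttl=N) takes precedence if set.
        System.out.println("sun.net.inetaddr.ttl              = "
            + System.getProperty("sun.net.inetaddr.ttl"));
    }

    // Resolves host repeatedly and flags when the JVM starts returning a new
    // address, e.g. after the CAS record is swung to the DR host.
    public static void watch(String host, int rounds, long intervalMillis) throws Exception {
        String previous = null;
        for (int i = 0; i < rounds; i++) {
            String current = Arrays.toString(InetAddress.getAllByName(host));
            boolean changed = previous != null && !previous.equals(current);
            System.out.println(host + " -> " + current + (changed ? "  CHANGED" : ""));
            previous = current;
            Thread.sleep(intervalMillis);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder hostname; pass the real CAS name as the first argument.
        String host = args.length > 0 ? args[0] : "cas.example.edu";
        boundCacheTtl(60, 10);  // re-resolve at least once a minute
        reportSettings();
        watch(host, 5, 30000);  // five checks, 30 s apart
    }
}
```

Run it once from the application's own JVM flags (including any security manager policy) so the reported defaults match production, then swing the test record and confirm the CHANGED marker appears within the bounded TTL.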
