On Mon, Sep 12, 2011 at 3:53 PM, Cary, Kim <[email protected]> wrote:

> We have a backup CAS host at a distant campus. The idea is that if we lose
> the main datacenter, that host can be brought online by swinging the DNS
> entry to point to the backup CAS host. Pretty simple!
>
> However, we find that JVMs have an insane approach to DNS cache timeout --
> they ignore the TTL entirely. They default in some situations to re-lookup
> the DNS entry every 30 seconds - which is nuts, but doesn't hurt our DR
> strategy. However, if a 'security manager' has been set, then they default to
> INFINITE retention of the initial lookup result.
>
>> "Why is your service continuing to contact 137.159.9.7 as the CAS server
>> when the DNS entry for CAS was moved to 137.159.198.200? The DNS TTL
>> for cas.pepperdine.edu is 300 seconds (5 min), but EVERY ticket check
>> from your service to CAS was still going to 137.159.9.7 after 1200 seconds
>> (20 minutes)."
>
> Because Java caches DNS lookups infinitely unless explicitly told not to.
>
> http://download.oracle.com/javase/6/docs/api/java/net/InetAddress.html
>
> Whut? This is security?
>
> Has anyone else dealt with this? Is there a better way to do remote DR than
> using DNS?
I'm aware of at least one site using BIG-IP GTM to provide failover to a DR site CAS cluster and another one considering an Anycast solution between two clusters.

http://www.f5.com/products/big-ip/global-traffic-manager.html

Bill

> Best,
> Kim
>
> Dr. Kim S. Cary
> Chief Information Security Officer
> Pepperdine University
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
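An added example, not code from anyone in this thread, of the JVM-side fix Kim's message alludes to: bounding the positive DNS cache with the `networkaddress.cache.ttl` security property documented on the InetAddress page, so a failover done by changing a DNS record is picked up within that window rather than never. The class name, the default hostname `localhost`, and the negative-cache value of 10 seconds are assumptions made for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

/**
 * Added example: pin the JVM's positive DNS cache to a bounded TTL.
 * The property must be set before InetAddress is first used, because
 * the cache policy is read once when the networking classes initialise;
 * setting it later in the program has no effect.
 */
public class DnsCacheTtl {

    /** Cache successful lookups for at most ttlSeconds (0 = never cache, -1 = cache forever). */
    public static void configurePositiveTtl(int ttlSeconds) {
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(ttlSeconds));
        // Keep failed lookups short-lived too (assumed value), so a transient
        // resolution failure during the failover itself cannot stick.
        Security.setProperty("networkaddress.cache.negative.ttl", "10");
    }

    /** Returns the configured positive TTL, or null if the JVM default (security-manager dependent) applies. */
    public static String effectivePositiveTtl() {
        return Security.getProperty("networkaddress.cache.ttl");
    }

    public static void main(String[] args) throws UnknownHostException, InterruptedException {
        String host = args.length > 0 ? args[0] : "localhost"; // hostname to watch (assumed default)
        configurePositiveTtl(300); // match a 5-minute DNS TTL like the one in the thread
        System.out.println("networkaddress.cache.ttl=" + effectivePositiveTtl());
        // Resolve repeatedly; after the record is changed, the address printed
        // here should follow it within roughly 300 seconds instead of never.
        for (int i = 0; i < 3; i++) {
            InetAddress addr = InetAddress.getByName(host);
            System.out.println(host + " -> " + addr.getHostAddress());
            Thread.sleep(1000);
        }
    }
}
```

The same property can be set without touching application code by editing `networkaddress.cache.ttl` in the JRE's `java.security` file, or on the command line with `-Dsun.net.inetaddr.ttl=300`; whichever you use, confirm it by watching the resolved address change after a test DNS update rather than trusting the setting alone.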
