We began investigating this issue when we noticed many developers had 
misconfigured security properties. One example is a search on GitHub for 
-Dnetworkaddress.cache.ttl: 
https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code This search 
illustrates how developers mistake security settings for system properties 
and end up with misconfigurations. We see developers misconfiguring the 
networkaddress.cache.ttl and networkaddress.cache.negative.ttl settings. Often, 
in the effort to increase the TTL for entries in the DNS cache, they mistakenly 
change networkaddress.cache.ttl on the command line, which does nothing. 
This means teams don't actually end up raising the DNS cache TTL. Inadvertently 
leaving the cache TTL too low places more pressure on DNS servers. We would be 
open to at first narrowing the scope from all security properties to just the 
DNS cache properties and doing a proof of concept. We've also gotten the 
suggestion of implementing it by adding system property overrides for those DNS 
security properties.

Thank you in advance,
Autumn Capasso

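The mistake described in the message above, as an added example that is not part of the original thread and not code from the JDK: a small check program that shows a value passed as -Dnetworkaddress.cache.ttl=... lands in System properties, which InetAddress caching never consults, while the Security property that it does consult stays unset; it then applies the fix that works in code. The class name DnsCacheTtlCheck and the chosen TTL values (300 and 10) are assumptions for illustration.

```java
import java.security.Security;

/**
 * Added example (not from the mailing-list thread or the JDK): demonstrates
 * why "java -Dnetworkaddress.cache.ttl=300 ..." does not change the DNS
 * cache TTL, and shows the setting that InetAddress caching actually reads.
 *
 * Run as:  java -Dnetworkaddress.cache.ttl=300 DnsCacheTtlCheck
 */
public class DnsCacheTtlCheck {

    static final String TTL = "networkaddress.cache.ttl";
    static final String NEG_TTL = "networkaddress.cache.negative.ttl";

    /** The value InetAddress caching consults: the java.security.Security property. */
    static String effectiveSetting(String name) {
        return Security.getProperty(name);
    }

    /**
     * True when the setting was given as a JVM system property (-D...) but is
     * absent as a Security property, i.e. the misconfiguration from the thread.
     */
    static boolean misconfigured(String name) {
        return System.getProperty(name) != null && Security.getProperty(name) == null;
    }

    public static void main(String[] args) {
        // 1. Inspect both property spaces for the two DNS cache settings.
        for (String name : new String[] {TTL, NEG_TTL}) {
            System.out.printf("%s: system=%s security=%s%s%n",
                    name,
                    System.getProperty(name),
                    effectiveSetting(name),
                    misconfigured(name)
                            ? "   <-- set only as a system property; InetAddress ignores it"
                            : "");
        }

        // 2. The fix in code: set the *Security* property, and do it before the
        //    first InetAddress lookup, because the cache policy is read once when
        //    the JDK's caching class initialises. Values here are assumed examples.
        Security.setProperty(TTL, "300");
        Security.setProperty(NEG_TTL, "10");
        System.out.println("after Security.setProperty: "
                + TTL + "=" + effectiveSetting(TTL) + ", "
                + NEG_TTL + "=" + effectiveSetting(NEG_TTL));
    }
}
```

The same setting can be made without code by uncommenting or adding the line networkaddress.cache.ttl=300 in $JAVA_HOME/conf/security/java.security, or by putting that line in a separate file and starting the JVM with -Djava.security.properties=/path/to/that/file; either of those takes effect because they populate the Security property, which is the one the DNS cache reads.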