Hi Autumn,

Thanks for bringing it up here. The documentation could definitely use some improvement; we could make the property documentation link to the Security class, which in turn documents the use of the java.security file. We should also remove these security properties from the system properties list (https://docs.oracle.com/en/java/javase/21/docs/api/system-properties.html).

I'm not sure about exposing the DNS configuration as system properties. The configuration can already be set using undocumented system properties, but only if the corresponding security property is not set (so, for example, sun.net.inetaddr.ttl will work, but sun.net.inetaddr.negative.ttl will not). There's probably a reason why these properties are not documented; others could explain.

As I'm sure you found out already, the default TTL is 30 seconds for successful lookups and 10 seconds for failed lookups. What kind of values would you use to reduce the DNS pressure?

If you're looking to reduce the DNS activity, there are many other options to choose from:

- use a local caching DNS resolver like systemd-resolved
- cache the resolved InetAddress instance on the application level
- use a custom address resolution service provider (requires JDK 18+, see https://openjdk.org/jeps/418)
- use the hosts file
- use a local caching DNS server

The default JDK resolver uses the standard C APIs to resolve DNS hostnames, and has no access to the TTL information returned by the server. Further, negative caching does not differentiate between a negative response and a DNS failure. For that reason you should prefer using caches that have access to that information.

Let me know if that helps.

Regards,
Daniel

Thu, 4 Jan 2024 at 22:45 Capasso, Autumn <autum...@amazon.com> wrote:

> We began investigating this issue when we noticed many developers had
> misconfigured security properties. One example is a search on github for
> Dnetworkaddress.cache.ttl:
> https://github.com/search?q=-Dnetworkaddress.cache.ttl&type=code this search
> illustrates how developers mistake security settings for system
> properties and end up with misconfigurations.
>
> We see developers are misconfiguring networkaddress.cache.ttl and
> networkaddress.cache.negative.ttl settings. Often in the effort to increase
> the TTL for entries in the DNS cache, they mistakenly change the
> networkaddress.cache.ttl on the command line, which does nothing. This means
> teams don't actually end up raising the DNS cache TTL. Inadvertently leaving
> the cache TTL too low places more pressure on DNS servers. We would be open
> to at first narrowing the scope from all security properties to just the DNS
> cache properties and doing a proof of concept. We've also gotten the
> suggestion of implementing it by adding system property overrides for those
> DNS security properties.
>
> Thank you in advance,
>
> Autumn Capasso
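The misconfiguration the thread describes (passing the DNS cache TTLs as `-D` system properties, which the cache never reads) can be detected at startup. The following is an added example, not code from the thread or the JDK; it only uses the real `java.security.Security` getters/setters, and the TTL values it applies under `--fix` are constructed illustrations:

```java
import java.net.InetAddress;
import java.security.Security;

/**
 * Startup check for the DNS cache TTL settings. networkaddress.cache.ttl and
 * networkaddress.cache.negative.ttl are *security* properties (java.security
 * file, or Security.setProperty), so a -D<name>=... on the command line is
 * silently ignored by the resolver cache.
 */
public class DnsCacheTtlCheck {

    static final String[] TTL_PROPS = {
        "networkaddress.cache.ttl",
        "networkaddress.cache.negative.ttl"
    };

    /** The value the cache will actually use, read from the security properties. */
    static String effectiveValue(String name) {
        String value = Security.getProperty(name);
        return value == null ? "<unset: JDK default applies>" : value;
    }

    /** True when the name was passed as -D but no security property backs it. */
    static boolean isMisconfiguredAsSystemProperty(String name) {
        return System.getProperty(name) != null && Security.getProperty(name) == null;
    }

    public static void main(String[] args) throws Exception {
        for (String name : TTL_PROPS) {
            if (isMisconfiguredAsSystemProperty(name)) {
                System.err.println("WARNING: -D" + name + "=" + System.getProperty(name)
                    + " is a system property; the DNS cache ignores it."
                    + " Set it in java.security, via -Djava.security.properties=<file>,"
                    + " or with Security.setProperty before the first lookup.");
            }
        }

        // Correct programmatic form. It must run before the first InetAddress
        // lookup, because the cache policy is read once when the resolver
        // cache initialises. Values here are constructed for the example.
        if (args.length > 0 && args[0].equals("--fix")) {
            Security.setProperty("networkaddress.cache.ttl", "60");
            Security.setProperty("networkaddress.cache.negative.ttl", "10");
        }

        for (String name : TTL_PROPS) {
            System.out.println(name + " = " + effectiveValue(name));
        }

        // First lookup: from here on the cache policy is fixed for this JVM.
        System.out.println(InetAddress.getByName("localhost"));
    }
}
```

Running `java -Dnetworkaddress.cache.ttl=300 DnsCacheTtlCheck` prints the warning and shows the security property still unset; `java DnsCacheTtlCheck --fix` shows the values the cache will honour.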