-
Bug
-
Resolution: Answered
-
Medium
-
None
-
2.5.4
-
None
-
System Information
System Date Thursday, 04 Oct 2007
System Time 10:56:34
System Favourite Colour Myrtle
Java Version 1.5.0_10
Java Vendor Sun Microsystems Inc.
JVM Version 1.0
JVM Vendor Sun Microsystems Inc.
JVM Implementation Version 1.5.0_10-b03
Java Runtime Java(TM) 2 Runtime Environment, Standard Edition
Java VM Java HotSpot(TM) Client VM
User Name root
User Timezone Europe/London
Operating System Linux 2.6.18-4-686-bigmem
OS Architecture i386
Filesystem Encoding UTF-8Java VM Memory Statistics
Total Memory 254 MB
Free Memory 136 MB
Used Memory 118 MB
Memory Graph
[Used Memory (46 %)] [Free Memory (54 %)]
54 % FreeRuntime Information
Database Dialect net.sf.hibernate.dialect.PostgreSQLDialect
Database Connection URL jdbc:postgresql://localhost:5432/confluence
Database Driver Name org.postgresql.Driver
Database Driver Version 8.1
Application Server Apache Tomcat/5.5.15
Servlet Version 2.4
Confluence Home /data/confluence
Uptime 14 hours, 55 minutes, 33 seconds
Confluence Version 2.5.4
Build Number 809System Information System Date Thursday, 04 Oct 2007 System Time 10:56:34 System Favourite Colour Myrtle Java Version 1.5.0_10 Java Vendor Sun Microsystems Inc. JVM Version 1.0 JVM Vendor Sun Microsystems Inc. JVM Implementation Version 1.5.0_10-b03 Java Runtime Java(TM) 2 Runtime Environment, Standard Edition Java VM Java HotSpot(TM) Client VM User Name root User Timezone Europe/London Operating System Linux 2.6.18-4-686-bigmem OS Architecture i386 Filesystem Encoding UTF-8 Java VM Memory Statistics Total Memory 254 MB Free Memory 136 MB Used Memory 118 MB Memory Graph [Used Memory (46 %)] [Free Memory (54 %)] 54 % Free Runtime Information Database Dialect net.sf.hibernate.dialect.PostgreSQLDialect Database Connection URL jdbc:postgresql://localhost:5432/confluence Database Driver Name org.postgresql.Driver Database Driver Version 8.1 Application Server Apache Tomcat/5.5.15 Servlet Version 2.4 Confluence Home /data/confluence Uptime 14 hours, 55 minutes, 33 seconds Confluence Version 2.5.4 Build Number 809
Toward the end of September 2007 the plugin repository started failing with a 502 error (see attachment), which continued for a couple of weeks before I got a resolution. According to a post on the mailing list the cause was that one of Atlassian's servers had changed IP address, and restarting Confluence made it pick up the new address.
So that means Confluence is caching the results of the DNS lookup beyond the TTL expiry. Please could this be fixed so future IP address changes don't break Confluence again?
[CONFSERVER-9638] Confluence caches DNS lookups for too long
Mark Sheppard
added a comment - It seems strange that Sun won't make Java respect what the DNS server tells it as far as the TTLs are concerned. Even in Java 6 where it does have a timeout it's a hard-coded one rather than behaving as DNS resolvers should do. Oh well, I guess it's out of your hands.
I read somewhere that Atlassian doesn't support Java 6 yet, so I don't really want to move to it right now. Do you have a timeframe for when you will be supporting it?
Mark Sheppard
added a comment - It seems strange that Sun won't make Java respect what the DNS server tells it as far as the TTLs are concerned. Even in Java 6 where it does have a timeout it's a hard-coded one rather than behaving as DNS resolvers should do. Oh well, I guess it's out of your hands.
I read somewhere that Atlassian doesn't support Java 6 yet, so I don't really want to move to it right now. Do you have a timeframe for when you will be supporting it? FYI, it looks like the Java 6 InetAddress has a timeout by default:
By default, when a security manager is installed, in order to protect against DNS spoofing attacks, the result of positive host name resolutions are cached forever. When a security manager is not installed, the default behavior is to cache entries for a finite (implementation dependent) period of time. The result of unsuccessful host name resolution is cached for a very short period of time (10 seconds) to improve performance.
In java-6-sun-1.6.0.00/jre/lib/security/java.security it says the timeout is 30s:
#
- The Java-level namelookup cache policy for successful lookups:
#- any negative value: caching forever
- any positive value: the number of seconds to cache an address for
- zero: do not cache
#- default value is forever (FOREVER). For security reasons, this
- caching is made forever when a security manager is set. When a security
- manager is not set, the default behavior in this implementation
- is to cache for 30 seconds.
#- NOTE: setting this to anything other than the default value can have
- serious security implications. Do not set it unless
- you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
So the solution is to upgrade to (Sun) Java 6.
Jeff Turner
added a comment - - edited FYI, it looks like the Java 6 InetAddress has a timeout by default:
By default, when a security manager is installed, in order to protect against DNS spoofing attacks, the result of positive host name resolutions are cached forever. When a security manager is not installed, the default behavior is to cache entries for a finite (implementation dependent) period of time. The result of unsuccessful host name resolution is cached for a very short period of time (10 seconds) to improve performance.
In java-6-sun-1.6.0.00/jre/lib/security/java.security it says the timeout is 30s:
#
The Java-level namelookup cache policy for successful lookups:
#
any negative value: caching forever
any positive value: the number of seconds to cache an address for
zero: do not cache
#
default value is forever (FOREVER). For security reasons, this
caching is made forever when a security manager is set. When a security
manager is not set, the default behavior in this implementation
is to cache for 30 seconds.
#
NOTE: setting this to anything other than the default value can have
serious security implications. Do not set it unless
you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
So the solution is to upgrade to (Sun) Java 6. Closing as "Can't Fix", really. I wish we could fix this up, because the DNS cache situation in Java is really poor.
This is a bug (although claimed to be a feature) in the Java network API. DNS lookups are cached forever in Java unless you provide a start-up parameter to the VM:
-Dnetworkaddress.cache.ttl=xxxx
Where 'xxxx' is the number of seconds to cache successful DNS lookups. This setting, and the corresponding one for negative lookups is documented on the InetAddress Javadoc:
http://java.sun.com/j2se/1.4.2/docs/api/java/net/InetAddress.html
It's not possible to change this value programmatically (there have been various issues raised with Sun, all are closed as "Won't Fix"), so Confluence unfortunately can't do anything about this.
Supporting JDK 6 is now mostly around testing, Mark. We don't have an ETA, but we do have an issue to track it:
CONF-7481.