• Bug
    • Resolution: Answered
    • Medium
    • None
    • 2.5.4
    • None

      Toward the end of September 2007 the plugin repository started failing with a 502 error (see attachment), which continued for a couple of weeks before I got a resolution. According to a post on the mailing list the cause was that one of Atlassian's servers had changed IP address, and restarting Confluence made it pick up the new address.

      So that means Confluence is caching the results of the DNS lookup beyond the TTL expiry. Please could this be fixed so future IP address changes don't break Confluence again?

            [CONFSERVER-9638] Confluence caches DNS lookups for too long

            Matt Ryall added a comment -

            Supporting JDK 6 is now mostly around testing, Mark. We don't have an ETA, but we do have an issue to track it: CONF-7481.

            Mark Sheppard added a comment -

            It seems strange that Sun won't make Java respect what the DNS server tells it as far as the TTLs are concerned. Even in Java 6 where it does have a timeout it's a hard-coded one rather than behaving as DNS resolvers should do. Oh well, I guess it's out of your hands.

            I read somewhere that Atlassian doesn't support Java 6 yet, so I don't really want to move to it right now. Do you have a timeframe for when you will be supporting it?

            Jeff Turner added a comment - - edited

            FYI, it looks like the Java 6 InetAddress has a timeout by default:

            By default, when a security manager is installed, in order to protect against DNS spoofing attacks, the result of positive host name resolutions are cached forever. When a security manager is not installed, the default behavior is to cache entries for a finite (implementation dependent) period of time. The result of unsuccessful host name resolution is cached for a very short period of time (10 seconds) to improve performance.

            In java-6-sun-1.6.0.00/jre/lib/security/java.security it says the timeout is 30s:

            #
            # The Java-level namelookup cache policy for successful lookups:
            #
            # any negative value: caching forever
            # any positive value: the number of seconds to cache an address for
            # zero: do not cache
            #
            # default value is forever (FOREVER). For security reasons, this
            # caching is made forever when a security manager is set. When a security
            # manager is not set, the default behavior in this implementation
            # is to cache for 30 seconds.
            #
            # NOTE: setting this to anything other than the default value can have
            #       serious security implications. Do not set it unless
            #       you are sure you are not exposed to DNS spoofing attack.
            #
            #networkaddress.cache.ttl=-1

            So the solution is to upgrade to (Sun) Java 6.

            Matt Ryall added a comment -

            Closing as "Can't Fix", really. I wish we could fix this up, because the DNS cache situation in Java is really poor.

            Matt Ryall added a comment -

            This is a bug (although claimed to be a feature) in the Java network API. DNS lookups are cached forever in Java unless you provide a start-up parameter to the VM:

            -Dnetworkaddress.cache.ttl=xxxx

            Where 'xxxx' is the number of seconds to cache successful DNS lookups. This setting, and the corresponding one for negative lookups, is documented on the InetAddress Javadoc:

            http://java.sun.com/j2se/1.4.2/docs/api/java/net/InetAddress.html

            It's not possible to change this value programmatically (there have been various issues raised with Sun, all are closed as "Won't Fix"), so Confluence unfortunately can't do anything about this.
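
An added example, not part of the original thread or of Confluence: a small Java program that reports which DNS cache policy the running JVM will apply, using the rules in the java.security excerpt quoted above. It assumes a Sun/OpenJDK-style runtime, where `networkaddress.cache.ttl` is read as a security property and `sun.net.inetaddr.ttl` is the system-property fallback; the class name `DnsCachePolicy` is illustrative.

```java
import java.security.Security;

public class DnsCachePolicy {

    // Interpret a TTL value with the rules from the java.security excerpt:
    // negative = cache forever, zero = do not cache, positive = seconds.
    static String describe(String ttl, String whenUnset) {
        if (ttl == null || ttl.trim().isEmpty()) {
            return whenUnset;
        }
        try {
            int seconds = Integer.parseInt(ttl.trim());
            if (seconds < 0) return "cached forever (an IP change needs a JVM restart)";
            if (seconds == 0) return "not cached";
            return "cached for " + seconds + " seconds";
        } catch (NumberFormatException e) {
            return "unparseable value \"" + ttl + "\"";
        }
    }

    // Security property first; the Sun-specific system property is the fallback.
    static String positiveTtl() {
        String ttl = Security.getProperty("networkaddress.cache.ttl");
        return ttl != null ? ttl : System.getProperty("sun.net.inetaddr.ttl");
    }

    @SuppressWarnings("removal") // getSecurityManager() is deprecated on current JDKs
    public static void main(String[] args) {
        // Optional argument: a TTL in seconds to apply. It only takes effect
        // if set before this JVM performs its first InetAddress lookup.
        if (args.length == 1) {
            Security.setProperty("networkaddress.cache.ttl", args[0]);
        }
        boolean sm = System.getSecurityManager() != null;
        String unset = sm
            ? "unset, security manager installed: cached forever"
            : "unset, no security manager: implementation default";
        System.out.println("positive lookups: " + describe(positiveTtl(), unset));
        System.out.println("negative lookups: " + describe(
            Security.getProperty("networkaddress.cache.negative.ttl"),
            "unset: implementation default"));
    }
}
```

Run it with the same JVM and java.security file as the application being checked, since the policy depends on both.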

              Unassigned
              Mark Sheppard