APAR status
Closed as suggestion for future release.
Error description
By default, Java caches successful DNS query responses for the lifetime of the application. In the default configuration this causes problems when an external host's IP address changes, for example in a round-robin DNS configuration: Java keeps connecting to the first address it obtained and never refreshes it. Connections (such as LDAP) to a given hostname can therefore fail once the correct IP address differs from the one returned by the first lookup.

External symptoms: LDAP connections fail with a javax.naming.CommunicationException while Java IP address security caching is enabled, even though LDAP operations against the same host from outside Java succeed. IP security caching is enabled by default and is only overridden by -Dsun.net.inetaddr.ttl on the command line or by networkaddress.cache.ttl in the java.security file. Connections other than LDAP can fail in the same way whenever the hostname no longer resolves to the IP address it had when the first connection attempt was made.
Local fix
The command-line option -Dsun.net.inetaddr.ttl=0 disables Java DNS caching entirely. Setting it to a finite positive value allows caching for that number of seconds. The default value is 'forever'.

IP address security caching was intended to address concerns about DNS spoofing. Those concerns are not prevalent in an enterprise environment where the DNS servers in use are trusted, so if security caching is causing problems it should be disabled. The Java IP address security cache was never intended as a performance improvement, but disabling it may still have a performance impact. To obtain the performance benefit of IP address caching, install a proper "cache-only" local DNS nameserver that respects the DNS TTL value, and configure applications to consult that local server for DNS lookups rather than a remote server.
Problem summary
Problem conclusion
Temporary fix
Comments
IP address security caching was intended to address concerns about DNS spoofing. Those concerns are not prevalent in an enterprise environment where the DNS servers in use are trusted, so if security caching is causing problems it should be disabled. The Java IP address security cache was never intended as a performance improvement.

To disable security caching, or to limit it to a finite time, use the command-line option -Dsun.net.inetaddr.ttl=N or the java.security option networkaddress.cache.ttl=N, where N is a positive number of seconds, or 0 for no caching. The default for these options is -1, meaning "forever".

Disabling security caching may have a performance impact. To obtain the performance benefit of IP address caching, install a proper "cache-only" local DNS nameserver that respects the DNS TTL value, and configure applications to consult that local server for DNS lookups rather than a remote server. Applications may also be modified to cache the IP addresses they use frequently.
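The following is an added example, not part of the APAR and not IBM's code. It shows how an application can inspect both TTL settings named above, bound the positive-lookup cache from inside the program instead of the command line, and obtain every address a round-robin name resolves to rather than only the first one. It assumes the OpenJDK behaviour that the java.security property is consulted before the -D property and that the cache policy is read once, on first use of InetAddress; the hostname is a placeholder.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;
import java.util.Arrays;

/** Added example: inspect and bound Java's positive DNS cache (not from the APAR). */
public class DnsCacheTtlCheck {

    /**
     * Report the effective positive-lookup TTL.
     * Assumption (OpenJDK InetAddressCachePolicy): networkaddress.cache.ttl
     * in java.security is consulted first; -Dsun.net.inetaddr.ttl is the fallback.
     * A missing value or -1 means "cache forever", as described in the APAR.
     */
    static String effectiveTtlSeconds() {
        String sec = Security.getProperty("networkaddress.cache.ttl");
        if (sec != null) return sec;
        String cli = System.getProperty("sun.net.inetaddr.ttl");
        if (cli != null) return cli;
        return "-1 (default: forever)";
    }

    /**
     * Bound caching to ttlSeconds (0 disables it). Must be called before the
     * first InetAddress lookup in the JVM, because the policy is read only once;
     * calling it later has no effect on the already-initialised cache.
     */
    static void limitCaching(int ttlSeconds) {
        Security.setProperty("networkaddress.cache.ttl", Integer.toString(ttlSeconds));
    }

    /**
     * All addresses for the name, not just the first. Connection code that
     * iterates over these survives one stale entry in a round-robin set.
     */
    static InetAddress[] candidateAddresses(String host) throws UnknownHostException {
        return InetAddress.getAllByName(host);
    }

    public static void main(String[] args) throws UnknownHostException {
        limitCaching(30); // assumption: a 30-second bound is acceptable here
        System.out.println("effective TTL: " + effectiveTtlSeconds());
        String host = args.length > 0 ? args[0] : "ldap.example.com"; // placeholder host
        System.out.println(host + " -> " + Arrays.toString(candidateAddresses(host)));
    }
}
```

Run it once with no options and once with -Dsun.net.inetaddr.ttl=0 to confirm which setting the JVM actually honours in your deployment.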
APAR Information
APAR number
PK20100
Reported component name
JAVA(1.X) Z/OS
Reported component ID
5648C9801
Reported release
140
Status
CLOSED SUG
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-02-20
Closed date
2006-10-02
Last modified date
2006-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
02 October 2006