James Server
  1. James Server
  2. JAMES-679

Make sure our container use an expiration for cached dns data

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.3.1
    • Component/s: None
    • Labels:
      None

      Description

      Noel J. Bergman wrote:
      > Stefano Bagnara wrote:
      >> but it could happen (or maybe it already happen) that some third party
      >> library we use still make use of InetAddress "flawed" methods, and the
      >> above property would save us from the possible OutOfMemory because of
      >> the unbounded cache.
      >
      > Perhaps, but I would rather vet the code, and be more careful about what we use. Now that we know one of the things to look for carefully, we can avoid it. The better solution is to avoid the problem, not mask it.
      >
      > — Noel

      I agree: we avoid it in trunk because of this.

      About the "not masking" I think that even if we solved it we should better add the property because our users could easily make our mistakes and use InetAddress in their mailets. The fact that DNSServer is not part of the mailet apis incentivate them to use InetAdress and not the James Server specific service.

      So I think we should really add the ttl property.

      Either "-Dsun.net.inetaddr.ttl=10" in the command line or
      java.security.Security.setProperty("networkaddress.cache.ttl" , "10");
      Should work.

        Issue Links

          Activity

          Hide
          Stefano Bagnara added a comment -

          Applied to trunk (next-major)
          Imo we should backport this to v2.3 and next-minor branches, too.

          Show
          Stefano Bagnara added a comment - Applied to trunk (next-major) Imo we should backport this to v2.3 and next-minor branches, too.
          Hide
          Noel J. Bergman added a comment -

          Please change this from 10 to 0, as in:

          java.security.Security.setProperty("networkaddress.cache.ttl" , "0");

          The change you made doesn't necessarily do what you think it does because the code in Sun's InetAddress.Cache implementation handles expiration only when the host name is queried or another entry is put (at which point it loops through the entire cache looking for expired entries). Otherwise, it just takes up space.

          For our purposes, it would be better to use the InetAddressCachePolicy.NEVER special case.

          Show
          Noel J. Bergman added a comment - Please change this from 10 to 0, as in: java.security.Security.setProperty("networkaddress.cache.ttl" , "0"); The change you made doesn't necessarily do what you think it does because the code in Sun's InetAddress.Cache implementation handles expiration only when the host name is queried or another entry is put (at which point it loops through the entire cache looking for expired entries). Otherwise, it just takes up space. For our purposes, it would be better to use the InetAddressCachePolicy.NEVER special case.
          Hide
          Noel J. Bergman added a comment -

          I would agree with backporting

          java.security.Security.setProperty("networkaddress.cache.ttl" , "0");

          to v2.3.x/minor-next. Any reference to "-Dsun.net.inetaddr.ttl=10" should be eliminated, however. That has already been deprecated by Sun and is non-standard.

          Show
          Noel J. Bergman added a comment - I would agree with backporting java.security.Security.setProperty("networkaddress.cache.ttl" , "0"); to v2.3.x/minor-next. Any reference to "-Dsun.net.inetaddr.ttl=10" should be eliminated, however. That has already been deprecated by Sun and is non-standard.
          Hide
          Stefano Bagnara added a comment -

          Ok to change the 10 with 0.
          About the setProperty: I think this property belong to the container, so I think we should better add it some phoenix class.
          Anyone against this? I want to know before loosing my time searching for the right class
          If someone is against, please tell where do you think this property belong.

          Show
          Stefano Bagnara added a comment - Ok to change the 10 with 0. About the setProperty: I think this property belong to the container, so I think we should better add it some phoenix class. Anyone against this? I want to know before loosing my time searching for the right class If someone is against, please tell where do you think this property belong.
          Hide
          Stefano Bagnara added a comment -

          Reverted the sun specific change and applied the java standard solution (Security.setProperty)

          Now james uses a default 300 seconds expiration for the positive dns results cache.
          The expiration is tunable via system property -Dnetworkaddress.cache.ttl
          Setting it to -1 will revert to the default "cache forever" JVM behaviour.
          Setting it to 0 will remove caching at all.
          Applied to trunk 4 days ago and backported to v2.3 (for 2.3.1) now.

          Please note that the v2.3 branch dnsservice still uses InetAddress so this configuration is really important, while in following branches (derived from current trunk) we don't use InetAddress anymore and this is only a safety belt for Mailets we host. Most people is not aware of this never-expired cache in the JVM and we protect them from easy errors.

          Show
          Stefano Bagnara added a comment - Reverted the sun specific change and applied the java standard solution (Security.setProperty) — Now james uses a default 300 seconds expiration for the positive dns results cache. The expiration is tunable via system property -Dnetworkaddress.cache.ttl Setting it to -1 will revert to the default "cache forever" JVM behaviour. Setting it to 0 will remove caching at all. Applied to trunk 4 days ago and backported to v2.3 (for 2.3.1) now. — Please note that the v2.3 branch dnsservice still uses InetAddress so this configuration is really important, while in following branches (derived from current trunk) we don't use InetAddress anymore and this is only a safety belt for Mailets we host. Most people is not aware of this never-expired cache in the JVM and we protect them from easy errors.
          Hide
          Danny Angus added a comment -

          Closing issue fixed in released version.

          Show
          Danny Angus added a comment - Closing issue fixed in released version.

            People

            • Assignee:
              Stefano Bagnara
              Reporter:
              Stefano Bagnara
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development