Caching behaviour of InetAddress
Andreas Plesner Jacobsen
apj.lists at code3.dk
Mon Feb 18 05:16:31 PST 2008
Alan Bateman wrote:
>> I don't think it's a significant change, since that's how getByName()
>> acts when the cache entries time out, so changing it would make it act
>> a lot more consistently.
>> Actually, I think it's worth debating whether or not InetAddress
>> should cache lookups at all, I think it's more fitting to delegate
>> that to the underlying OS.
> Search for a ~1996 paper on DNS spoofing attacks from Princeton
> University as that gives useful background on this topic and is the
> original reason for the caching. When a security manager is set then it
> caches forever and getByName will always return the same address. There
> was some capitulation on this topic in jdk6 so that it doesn't cache
> forever when there isn't a security manager. There was analysis done at
> the time on the implications of the change but I don't know if that
> included changing the behavior of the getByName method (Michael?).
Thanks for the background info. Incidentally, that brings us to a third
inconsistent operating mode of getByName(), so we're up to three
1. When running under a security manager, we cache forever
2. When not running under a security manager, with more than ten seconds
between name lookups, we return random answers (at least if the dns
reply is delivered randomized to java)
3. When not running under a security manager, with less than ten seconds
between name lookups, we return the same answer on every query.
As far as I can see from what I've been able to google, the problem lies
in that applets may be cheated in connecting to a different host, and
that this makes it easier (actually invisible) to the applet author that
there may be more than one record in the dns reply.
I may not have a lot of say in this, but I still don't feel this is the
right solution. Do you perhaps have some more resources to any previous
discussion on the subject?
I think I'd prefer breaking compatibility and introducing a caching
InetAddress implementation for applet programmers and make InetAddress
work as expected. But then again, I don't have to do the required cleanup :)
More information about the net-dev