Java DNS Caching Solutions

Java-based CAS clients do not automatically pick up the DNS changes. This is caused by an underlying security setting of old Java Virtual Machine that caches DNS resolutions permanently between restarts. This causes those clients to break after the DNS switch, as they do not update their IP address to the new setting.

Affected Clients

If your service uses one of the following clients, YOU MUST use one of the workarounds listed below.

  • Ja-Sig Java CAS client (all versions)
  • JSP CAS Client
  • Cold Fusion (cas_auth_dbcache and cas_auth_filecache)

Unaffected Clients

If your service uses one of the following clients, it is NOT NECESSARY to implement any of the listed workarounds.

  • mod_auth_cas
  • .NET CAS clients
  • ASP CAS Clients
  • CASAuthN ISAPI Client
  • Zope / Plone Client

Workarounds

The following workarounds and resolutions will allow your Java-based CASified application to properly authenticate to CAS after the Data Center upgrade.

Workaround #1 - Change the DNS TTL for the JVM

There are two ways to change the DNS behavior for a JVM. The most reliable method is to change the settings in the java.security file for the JVM. It is also possible to pass command-line parameters, but this is not guaranteed to work. Each of the options is outlined below:

Restart Required

Please note that after applying either of these properties, you must restart Java in order for the changes to take effect.

Workaround #2 - Update JDK to 1.6.0 or greater

Java 1.6 introduced a change to the default DNS caching behaviour. The default value for networkaddress.cache.ttl changed from -1 (cache forever) to a system-dependent value, but only when no security manager is installed. The change was intended as a robustness measure against DNS cache poisoning.

Please note that upgrading to JDK 1.6.0 may not resolve DNS caching issues if the system-dependent value is set to cache indefinitely. Please check your system settings for DNS caching before relying on this solution.
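Workarounds #1 and #2 both come down to the value of networkaddress.cache.ttl. The following Java program is an added example (not part of this page or of any CAS client): it reports the TTL the running JVM will apply and then sets a finite one through java.security.Security, which is the same property the java.security file sets; the hostname cas.example.org is a placeholder.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

/**
 * Added example: inspect and bound the JVM's positive DNS cache TTL so a
 * Java CAS client notices a DNS switch without a restart.
 * networkaddress.cache.ttl is the same property the java.security file sets.
 */
public class DnsTtlCheck {

    /** Describe a raw networkaddress.cache.ttl value as the JVM will apply it. */
    static String describeTtl(String ttl) {
        if (ttl == null || ttl.trim().isEmpty()) {
            // Not set in java.security: the JVM default applies, which is
            // "cache forever" whenever a security manager is installed.
            return "unset (JVM default; forever under a security manager)";
        }
        int seconds = Integer.parseInt(ttl.trim());
        if (seconds < 0) {
            return "forever (" + seconds + "): DNS changes need a JVM restart";
        }
        return seconds + " seconds";
    }

    /** Set a finite TTL. Only effective before this JVM's first name lookup. */
    static void boundTtl(int positiveSeconds, int negativeSeconds) {
        // InetAddress reads these once, when its cache is initialised, so any
        // lookup that already happened has fixed the policy for this JVM.
        Security.setProperty("networkaddress.cache.ttl", String.valueOf(positiveSeconds));
        Security.setProperty("networkaddress.cache.negative.ttl", String.valueOf(negativeSeconds));
    }

    public static void main(String[] args) {
        System.out.println("Configured TTL: "
                + describeTtl(Security.getProperty("networkaddress.cache.ttl")));
        boundTtl(60, 10);
        System.out.println("TTL now: "
                + describeTtl(Security.getProperty("networkaddress.cache.ttl")));

        // cas.example.org is a placeholder for the CAS server's hostname.
        String host = args.length > 0 ? args[0] : "cas.example.org";
        try {
            System.out.println(host + " -> " + InetAddress.getByName(host).getHostAddress());
        } catch (UnknownHostException e) {
            System.out.println(host + " could not be resolved (offline?): " + e.getMessage());
        }
    }
}
```

Setting the property in code only works before the first name lookup in the JVM, which is why editing java.security (Workaround #1) remains the reliable option for existing clients.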

Workaround #3 - Perform a server restart after the CAS HA Upgrade

While this solution will not account for any future DNS changes, the easiest approach is likely to simply schedule a server restart after the CAS HA Upgrade is complete. We will clearly identify the upgrade window for the HA upgrade so that you may schedule your server restart with confidence.