- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 8u66
- x86_64
- linux
FULL PRODUCT VERSION :
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux LTVM9000 3.13.0-76-generic #120-Ubuntu SMP Mon Jan 18 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
If an application is run with a security policy defined AND JMX enabled, all DNS records are cached forever even if networkaddress.cache.ttl is defined. Eliminating either the security policy or JMX makes the application run as expected.
The docs indicate "The default behavior is to cache forever when a security manager is installed" (see: https://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html), but it doesn't say that the behaviour cannot be changed. Also, simply disabling JMX allows the policy to be changed via networkaddress.cache.ttl, so I suspect this is a bug and not by design.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. compile the given DNSCaching.java file
2. set up a DNS A record with a specific IP (eg: example.com -> 192.168.1.1, TTL=15s)
3. start running DNSCaching with the given security policy (below) and JMX enabled:
java -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:+ScavengeBeforeFullGC -XX:+CMSScavengeBeforeRemark -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Xmx200m -cp ./target/jvm-dns-1.0-SNAPSHOT.jar com.lithium.sandbox.DNSCaching example.com
4. change the IP in the A record for example.com (eg: 192.168.2.2, TTL=15s)
5. wait for ~60s and notice that the reported IP address is not changing
If you disable JMX or the security policy and repeat the same steps above, you will notice that the DNS record resolves correctly and will begin returning 192.168.2.2 after some period of time.
A sample security policy to use:
grant {
    permission java.security.AllPermission;
};
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
IP address in the output should change to 192.168.2.2 after the TTL
ACTUAL -
IP address in the output stays at 192.168.1.1 forever
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
package com.lithium.sandbox;

import java.net.InetAddress;
import java.net.UnknownHostException;

public class DNSCaching {
    public static void main(String[] args) throws Exception {
        // Request a 5 second positive DNS cache TTL before the first lookup.
        java.security.Security.setProperty("networkaddress.cache.ttl" , "5");
        final String host = args[0];
        // Resolve the host every 5 seconds and print the address returned.
        while (!Thread.currentThread().isInterrupted()) {
            try {
                System.out.println(InetAddress.getByName(host).getHostAddress());
                Thread.sleep(5000);
            } catch (UnknownHostException e) {
                System.err.println("unknown host: " + host);
            } catch (InterruptedException e) {
                return;
            }
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
disable either the security policy OR the JMX
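
A diagnostic variant of the reproducer, added here as an example and not part of the submitted report: it prints the cache policy the resolver is actually using next to the configured property, then logs only address changes with the elapsed time. The class name DnsCachePolicyProbe is hypothetical, and the code assumes JDK 8, where the internal class sun.net.InetAddressCachePolicy is accessible.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

// Added diagnostic, not the reporter's code. Relies on the JDK-internal class
// sun.net.InetAddressCachePolicy (present in JDK 8, the version in this report);
// it is not a supported API and javac will warn about it.
public class DnsCachePolicyProbe {

    /** Render the internal policy value: negative means cache forever, 0 means never cache. */
    static String describe(int policy) {
        if (policy < 0) return "FOREVER";
        if (policy == 0) return "NEVER";
        return policy + "s";
    }

    public static void main(String[] args) throws Exception {
        final String host = args.length > 0 ? args[0] : "example.com";
        Security.setProperty("networkaddress.cache.ttl", "5"); // same call as the reproducer

        System.out.println("security manager installed : " + (System.getSecurityManager() != null));
        System.out.println("networkaddress.cache.ttl   : " + Security.getProperty("networkaddress.cache.ttl"));
        System.out.println("sun.net.inetaddr.ttl       : " + System.getProperty("sun.net.inetaddr.ttl"));
        // The policy class reads the property once, when it is initialized, so the
        // effective value printed here can differ from the property printed above.
        System.out.println("effective positive policy  : " + describe(sun.net.InetAddressCachePolicy.get()));
        System.out.println("effective negative policy  : " + describe(sun.net.InetAddressCachePolicy.getNegative()));

        String last = null;
        long lastChange = System.currentTimeMillis();
        while (!Thread.currentThread().isInterrupted()) {
            try {
                String now = InetAddress.getByName(host).getHostAddress();
                long t = System.currentTimeMillis();
                if (!now.equals(last)) {
                    // Print only when the resolved address differs from the previous one.
                    System.out.println(now + " (changed after " + (t - lastChange) / 1000 + "s)");
                    last = now;
                    lastChange = t;
                }
            } catch (UnknownHostException e) {
                System.err.println("unknown host: " + host);
            }
            Thread.sleep(5000);
        }
    }
}
```

Run it with the same JVM options, security policy and JMX settings as the failing case; an effective positive policy of FOREVER alongside a configured value of 5 shows that the property was not picked up by the resolver cache.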