TechNote

cfhttp in ColdFusion MX 6.1 and 7 permanently caches the DNS look-up

Issue

When using cfhttp in ColdFusion MX 6.1 or 7, the DNS look-up is permanently cached. Whenever the IP address of a domain changes, the ColdFusion services must be restarted in order for cfhttp to connect to the right location.

Reason

Macromedia issue 58235 has been opened to investigate this issue.

ColdFusion MX 6 and 7 cache DNS lookups because that is the default behavior of the security policy in Sun's 1.4.2 JDK. DNS caching is controlled by the Java security configuration for the JVM. ColdFusion uses the java.net.InetAddress class to resolve hostnames.

Two Java security properties control the TTL values used for positive and negative host name resolution caching:

  1. networkaddress.cache.ttl: (default: -1) Indicates the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup. A value of -1 indicates "cache forever".
  2. networkaddress.cache.negative.ttl: (default: 10) Indicates the caching policy for unsuccessful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the failure for unsuccessful lookups. A value of 0 indicates "never cache". A value of -1 indicates "cache forever".

Solution

Besides restarting the ColdFusion server services, a workaround for this issue is to edit the j2sdk1.4.2/jre/lib/security/java.security file and set the networkaddress.cache.ttl value, which is commented out at the bottom of the file, to something other than -1. This property controls the time to live for positive DNS results.

Caution: As stated in the java.security file, setting this to anything other than the default value can have serious security implications. Do not set it unless you are sure you are not exposed to DNS spoofing attack.

Excerpt from java.security for JDK 1.4.2_05:

#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set.
#
# NOTE: setting this to anything other than the default value can
# have serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
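The following script is an added example, not part of the TechNote or of ColdFusion: it reads a java.security file the way java.util.Properties would (a line beginning with # is a comment, so the shipped "#networkaddress.cache.ttl=-1" leaves the property unset and the -1 default in force), reports whether positive look-ups are cached forever, and rewrites the property to a finite TTL as the workaround describes. The sample file contents are constructed; the function names are the author's own.

```python
import re
from typing import Dict, List
# JDK 1.4.2 defaults as quoted in the TechNote: successful lookups are cached
# forever (-1), failed lookups for 10 seconds.
DEFAULTS: Dict[str, int] = {"networkaddress.cache.ttl": -1,
                            "networkaddress.cache.negative.ttl": 10}

# An active assignment of either key ('=' or ':' as in java.util.Properties);
# a leading '#' fails the match, so the shipped commented-out line reads as unset.
_ACTIVE = re.compile(r"^[ \t]*(networkaddress\.cache(?:\.negative)?\.ttl)"
                     r"[ \t]*[=:][ \t]*(-?\d+)[ \t]*$")

def parse_cache_ttls(text: str) -> Dict[str, int]:
    """Effective TTLs for a java.security file; the last active line wins."""
    effective = dict(DEFAULTS)
    for line in text.splitlines():
        m = _ACTIVE.match(line)
        if m:
            effective[m.group(1)] = int(m.group(2))
    return effective

def describe(ttl: int) -> str:
    """Meaning of a TTL value, in the wording of the java.security comments."""
    if ttl < 0:
        return "cache forever"
    return "never cache" if ttl == 0 else f"cache for {ttl} seconds"

def findings(text: str) -> List[str]:
    """Flag the cfhttp symptom: successful lookups cached until a JVM restart."""
    ttls = parse_cache_ttls(text)
    if ttls["networkaddress.cache.ttl"] < 0:
        return ["networkaddress.cache.ttl is unset or negative (cache forever): "
                "cfhttp keeps a stale IP until the ColdFusion services restart"]
    return []

def set_ttl(text: str, key: str, seconds: int) -> str:
    """Text with `key` set to `seconds`: rewrites an active or commented-out
    assignment in place, or appends one if the file has none."""
    pat = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"[ \t]*[=:].*$", re.M)
    new = f"{key}={seconds}"
    return pat.sub(new, text) if pat.search(text) else text.rstrip("\n") + f"\n{new}\n"

# Constructed sample of the shipped comment block (both keys still commented out).
SHIPPED = """# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#networkaddress.cache.ttl=-1
#networkaddress.cache.negative.ttl=10
"""
```

Running findings() on the shipped file reports the forever-cache condition; after set_ttl(SHIPPED, "networkaddress.cache.ttl", 60) the report is empty and the positive TTL parses as 60 seconds.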


Document Details

ID: 13115e61

Products Affected: coldfusion