How can I adjust the DNS cache (or TTL) for the Gateway?

Document ID : KB000012118
Last Modified Date : 11/12/2018
Introduction:
  • The Gateway application itself does not keep a DNS cache, but the Java platform it runs on does: the JVM caches the results of hostname lookups so that it does not have to query DNS for every outbound connection.
  • That cache can have unintended consequences. If the IP address behind a hostname changes (for example, a backend service moves or fails over to another address), the Gateway keeps sending requests to the old address until the cached entry expires, which can turn a routine DNS change into a service outage.
Question:
  • Is there a way to adjust the DNS Time To Live (TTL) on the CA API Gateway?
Environment:
  • All CA API Gateway ("Gateway") versions.
Answer:
  1. To control how long the JVM caches successful DNS lookups, add the following JVM option to the Java options that the /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh script passes to the Gateway's Java process, then restart the Gateway so the JVM starts with the new setting (system properties are read at JVM startup and cannot be changed on a running Gateway):
    • -Dsun.net.inetaddr.ttl=30
  • The value is in seconds, so the example above keeps each successful lookup for 30 seconds; after that, the next connection to the hostname triggers a fresh DNS query. Choose the value with both failure modes in mind: a long TTL means an address change or DNS-based failover takes that long to be noticed, while a very short TTL (or 0, which disables the cache) means almost every outbound connection costs a DNS round trip.
  • A value of -1 caches successful lookups forever, until the JVM is restarted. This is Java's default only when a security manager is installed; otherwise the Oracle/OpenJDK runtime caches successful lookups for 30 seconds by default. Note also that sun.net.inetaddr.ttl is the legacy property name: if the documented Security property networkaddress.cache.ttl has been set in the JVM's java.security file, that value takes precedence over the -D option.
  • From the Java documentation regarding the value:
    • "The value is specified as integer to indicate the number of seconds to cache the successful lookup."
 
  • The complementary setting controls how long the JVM caches a failed lookup (a hostname that did not resolve). Its Java default is 10 seconds and it rarely needs to be changed, but it is set the same way:
    • -Dsun.net.inetaddr.negative.ttl=30
  • From the Java documentation regarding the value of the negative TTL:
    • "The value is specified as integer to indicate the number of seconds to cache the failure for un-successful lookup."
Additional Information:
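As an added example (not code from this CA article or from the Gateway product), the POSIX shell functions below apply and read back the setting described in the Answer. They assume that ssgruntimedefs.sh builds the Gateway's JVM options in a shell variable named default_java_opts (an assumption; check the variable name in your own copy of the file and override JAVA_OPTS_VAR if it differs). set_dns_ttl rejects values that are not -1, 0 or a positive integer, replaces rather than duplicates its own line when rerun, and warns if the property is also set elsewhere in the file; get_dns_ttl prints the value the JVM will see.

```shell
#!/bin/sh
# Added example, not code from the CA KB article or the Gateway product:
# idempotently pin the JVM DNS cache TTL in ssgruntimedefs.sh and read the
# configured value back. ASSUMPTION: ssgruntimedefs.sh builds the JVM options in
# a shell variable named default_java_opts; check your own file and override
# JAVA_OPTS_VAR if the Gateway version you run uses a different name.
JAVA_OPTS_VAR="${JAVA_OPTS_VAR:-default_java_opts}"
PROP="sun.net.inetaddr.ttl"
MARK="# dns-ttl managed by set_dns_ttl"   # tag so reruns replace rather than append

# A valid TTL is -1 (cache forever), 0 (never cache) or a positive number of seconds.
valid_ttl() {
    case "$1" in
        -1) return 0 ;;
        0|[1-9]*) case "$1" in *[!0-9]*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# get_dns_ttl FILE: print the TTL configured in FILE (the last -D occurrence wins,
# as it does on the java command line); print nothing and return 1 if not set.
get_dns_ttl() {
    sed -n 's/.*-Dsun\.net\.inetaddr\.ttl=\(-\{0,1\}[0-9][0-9]*\).*/\1/p' "$1" \
        | tail -n 1 | grep .
}

# set_dns_ttl FILE TTL: rewrite FILE so that exactly one managed line sets the property.
set_dns_ttl() {
    file="$1"; ttl="$2"
    if ! valid_ttl "$ttl"; then
        echo "set_dns_ttl: TTL must be -1, 0 or a positive integer, got '$ttl'" >&2
        return 2
    fi
    [ -w "$file" ] || { echo "set_dns_ttl: cannot write $file" >&2; return 2; }
    tmp="${file}.tmp.$$"
    # Drop the line from a previous run; keep every other line byte-for-byte.
    grep -v -F -- "$MARK" "$file" > "$tmp" || true
    # Append a shell statement of the form:
    #   default_java_opts="$default_java_opts -Dsun.net.inetaddr.ttl=30"  # dns-ttl managed ...
    printf '%s="$%s -D%s=%s"  %s\n' "$JAVA_OPTS_VAR" "$JAVA_OPTS_VAR" "$PROP" "$ttl" "$MARK" >> "$tmp"
    mv "$tmp" "$file"
    # Warn if the property is also set by hand elsewhere: the appended line wins on
    # the java command line, but two copies confuse the next person editing the file.
    if [ "$(grep -c -F -- "-D$PROP=" "$file")" -gt 1 ]; then
        echo "set_dns_ttl: warning: $file contains another -D$PROP= setting" >&2
    fi
}

# Usage on a Gateway (then restart the Gateway service so the JVM picks it up):
#   set_dns_ttl /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh 30
#   get_dns_ttl /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh
```

After the Gateway has been restarted, confirm that the running JVM actually received the option rather than trusting the file: `jcmd <gateway-java-pid> VM.system_properties | grep inetaddr` lists the effective system properties of the live process.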