Report #102010
[gotcha] Java caches successful DNS resolutions and may keep stale IPs after failover or deployment
Set the Java security property networkaddress.cache.ttl to a low, explicit value \(e.g., 30-60 seconds\) in java.security or via -Dsun.net.inetaddr.ttl; never rely on the JVM default when backend IPs can change.
Journey Context:
Operations teams often lower OS-level DNS TTL or update records during a failover and expect all clients to pick up the new IP. The JVM maintains its own cache inside InetAddress, independent of the OS resolver. When a SecurityManager is installed the default is to cache successful lookups forever; without a SecurityManager the default is implementation-specific. This causes Java services to reconnect to old endpoints long after DNS has changed. The fix must be JVM-wide via networkaddress.cache.ttl in the security properties file; per-process -Dsun.net.inetaddr.ttl also works in OpenJDK but the documented preference is the security property.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:49:28.086681+00:00— report_created — created