Application server java.security configuration
I have questions about the following notes in the java.security file:
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
Questions:
1. When networkaddress.cache.ttl=0 is set (no cache), what are the security implications?
2. Our application servers are behind a firewall; are we still exposed to DNS spoofing if we set it to no cache?
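An added example, not part of the original post: a small Java check that reports which positive-lookup cache policy a JVM would apply, following the defaults quoted from java.security above. The class and method names are hypothetical, and the fallback to the legacy `sun.net.inetaddr.ttl` system property is an assumption based on the standard JDK networking properties, not something stated in the post.

```java
import java.security.Security;

public class DnsCacheTtlAudit {

    /** Describes the positive DNS cache policy implied by the given settings. */
    static String effectivePolicy(String securityProp, String legacySysProp,
                                  boolean securityManagerSet) {
        // Assumption: the security property wins, the legacy system property is a fallback.
        String raw = (securityProp != null) ? securityProp : legacySysProp;
        if (raw == null || raw.trim().isEmpty()) {
            // Nothing configured: the defaults described in the java.security comment apply.
            return securityManagerSet
                    ? "FOREVER (default when a security manager is set)"
                    : "30 seconds (default when no security manager is set)";
        }
        int ttl;
        try {
            ttl = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return "UNPARSEABLE value '" + raw + "', review the configuration";
        }
        if (ttl < 0) {
            return "FOREVER (cached answers are kept for the life of the JVM)";
        }
        if (ttl == 0) {
            return "NO CACHE (the JVM passes every lookup to the system resolver)";
        }
        return ttl + " seconds";
    }

    public static void main(String[] args) {
        // Constructed sample settings: {security property, legacy system property}.
        String[][] samples = { {"-1", null}, {"0", null}, {"60", null}, {null, "10"}, {null, null} };
        for (String[] s : samples) {
            System.out.printf("ttl=%s legacy=%s -> %s%n", s[0], s[1],
                    effectivePolicy(s[0], s[1], false));
        }

        // The settings of the JVM this check is running in.
        String live = effectivePolicy(
                Security.getProperty("networkaddress.cache.ttl"),
                System.getProperty("sun.net.inetaddr.ttl"),
                System.getSecurityManager() != null);
        System.out.println("This JVM: " + live);
    }
}
```

Running it on the application server with the same JVM options shows whether the commented-out `#networkaddress.cache.ttl=-1` line leaves the 30-second default in force.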