nanog mailing list archives

Re: ISP customer assignments


From: Mark Andrews <marka () isc org>
Date: Thu, 22 Oct 2009 13:38:39 +1100


In message <op.u156b0mztfhldh () rbeam xactional com>, "Ricky Beam" writes:
> On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvious () gmail com>
> wrote:
> > ... If you've got a VPN tunnel device, too often the remote
> > end will want to contact you at some numerical IPv4 address and isn't
> > smart enough to query DNS to get it.
>
> As I was told by Cisco, that's a security "feature".  Fixed VPN endpoints
> are supposed to be *fixed* endpoints.  Yes, it is a pain when an address
> changes, for whatever reason.  But relying on DNS to eventually get the
> endpoint(s) right is an even bigger mess... how often is the name<->IP
> updated?

It should be automatically updated by the end point.  We do have
the technology to do that.

> how often do the various DNS servers revalidate those records?

If you are talking about caching servers then they will honour the
TTL in the records.

> how often do the VPN devices revalidate the names?

At startup.  A well designed VPN protocol will support end point
address mobility.

> what happens when the dns changes while the vpn is still up?

This should be transparent to everything other than the vpn end
points.

> I'll stick with entering IP addresses.
>
> --Ricky

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
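The TTL and startup-only resolution behaviour discussed in this exchange, as an added toy model that is not code from the thread or from either poster: a caching resolver that honours the record TTL, a VPN peer that resolves its remote name only at startup, and a drift check showing that an address change made while the tunnel is up becomes visible to the peer only once the cached record has expired. The zone name, the RFC 5737 addresses and the TTL are constructed values.

```python
# Added illustration, not code from the thread; name, addresses (RFC 5737) and TTL are constructed.
from dataclasses import dataclass

@dataclass
class Record:
    name: str
    address: str
    ttl: int

class AuthoritativeZone:
    """Zone the endpoint updates itself (dynamic update) when its address changes."""
    def __init__(self, *records):
        self.records = {r.name: r for r in records}

    def update(self, name, address):
        self.records[name] = Record(name, address, self.records[name].ttl)

class CachingResolver:
    """Honours the TTL: asks the authority again only once the cached copy has expired."""
    def __init__(self, zone):
        self.zone, self.cache = zone, {}

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0].address
        rr = self.zone.records[name]
        self.cache[name] = (rr, now + rr.ttl)
        return rr.address

class VpnPeer:
    """Resolves the remote name once at startup and keeps that address while up."""
    def __init__(self, name, resolver, now):
        self.name, self.resolver = name, resolver
        self.address = resolver.resolve(name, now)

    def drift(self, now):
        """Operational check: (in-use, current) if the name no longer matches, else None."""
        current = self.resolver.resolve(self.name, now)
        return None if current == self.address else (self.address, current)

def scenario(ttl=300):
    """Endpoint moves while the tunnel is up; the stale address shows only after TTL expiry."""
    zone = AuthoritativeZone(Record("vpn-gw.example.net", "192.0.2.10", ttl))
    peer = VpnPeer("vpn-gw.example.net", CachingResolver(zone), now=0)
    zone.update("vpn-gw.example.net", "192.0.2.20")   # the endpoint's own update
    return {"startup": peer.address,
            "before_ttl": peer.drift(now=ttl // 2),   # cache still fresh: no drift visible
            "after_ttl": peer.drift(now=ttl + 1)}     # cache expired: mismatch detected
```

Lowering the TTL narrows the window in which a moved endpoint goes unnoticed; a peer that never re-resolves after startup never sees it at all.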

