In message <op.u156b0mztfh...@rbeam.xactional.com>, "Ricky Beam" writes:
> On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvi...@gmail.com>
> wrote:
> > ... If you've got a VPN tunnel device, too often the remote
> > end will want to contact you at some numerical IPv4 address and isn't
> > smart enough to query DNS to get it.
>
> As I was told by Cisco, that's a security "feature". Fixed VPN endpoints
> are supposed to be *fixed* endpoints. Yes, it is a pain when an address
> changes, for whatever reason. But relying on DNS to eventually get the
> endpoint(s) right is an even bigger mess... how often is the name<->IP
> updated?
It should be automatically updated by the endpoint. We do have the
technology to do that.

> how often do the various DNS servers revalidate those records?

If you are talking about caching servers then they will honour the TTL in
the records.

> how often do the VPN devices revalidate the names?

At startup. A well-designed VPN protocol will support endpoint address
mobility.

> what happens when the dns changes while the vpn is still up?

This should be transparent to everything other than the VPN endpoints.

> I'll stick with entering IP addresses.
>
> --Ricky

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
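The TTL point in the reply above, as an added illustration that is not code from this thread or from any VPN product: a peer resolver that re-queries the name only once the cached answer's TTL has expired (the way a caching resolver behaves) and records each address transition so the tunnel can be re-established, compared against the resolve-once-at-startup behaviour being discussed. The zone name `vpn-peer.example`, the 192.0.2.0/24 documentation addresses, the 60-second TTL and the fake clock are all constructed for the demonstration; no DNS traffic is sent.

```python
"""Constructed example: keeping a VPN peer's address current by honouring the
DNS TTL instead of resolving the name only once at startup.

The zone, names and addresses (documentation range 192.0.2.0/24) are made up
for the demonstration; no real DNS traffic is sent."""
from dataclasses import dataclass
import time


@dataclass
class DnsAnswer:
    address: str
    ttl: int          # seconds a cache may serve this answer before re-querying


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the scenario is repeatable."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ScriptedZone:
    """Stand-in for an authoritative server: answers from a dict and logs queries."""
    def __init__(self, records):
        self.records = dict(records)
        self.query_times = []

    def lookup(self, name, clock):
        self.query_times.append(clock())
        return self.records[name]


class PeerResolver:
    """Tracks the address behind a peer's DNS name. Re-queries only after the
    cached answer's TTL has expired, as a caching resolver would, and records
    every address transition so the tunnel can be torn down and rebuilt."""
    def __init__(self, name, lookup, clock=time.monotonic):
        self.name = name
        self._lookup = lookup          # callable(name) -> DnsAnswer
        self._clock = clock
        self._answer = None
        self._expires_at = 0.0
        self.transitions = []          # list of (old_address, new_address)

    def current_address(self):
        now = self._clock()
        if self._answer is None or now >= self._expires_at:
            fresh = self._lookup(self.name)
            if self._answer is not None and fresh.address != self._answer.address:
                self.transitions.append((self._answer.address, fresh.address))
            self._answer = fresh
            self._expires_at = now + fresh.ttl
        return self._answer.address


def simulate():
    """Peer record starts as 192.0.2.10 (TTL 60 s) and is changed to
    192.0.2.20 at t=30 s. Compare resolve-once-at-startup with TTL-aware."""
    clock = FakeClock()
    zone = ScriptedZone({"vpn-peer.example": DnsAnswer("192.0.2.10", 60)})

    def lookup(name):
        return zone.lookup(name, clock)

    # Policy A: resolve once when the VPN daemon starts, never again.
    startup_only = lookup("vpn-peer.example").address

    # Policy B: honour the TTL.
    peer = PeerResolver("vpn-peer.example", lookup, clock)
    observed = {0: peer.current_address()}

    clock.advance(30)
    zone.records["vpn-peer.example"] = DnsAnswer("192.0.2.20", 60)  # endpoint updates its record
    observed[30] = peer.current_address()   # still within TTL: served from cache, no query

    clock.advance(30)
    observed[60] = peer.current_address()   # TTL expired: re-query, new address seen

    clock.advance(30)
    observed[90] = peer.current_address()   # cached again until t=120

    return {
        "startup_only": startup_only,
        "observed": observed,
        "query_times": zone.query_times,
        "transitions": peer.transitions,
    }


if __name__ == "__main__":
    result = simulate()
    for t, addr in sorted(result["observed"].items()):
        print(f"t={t:>3}s  ttl-aware sees {addr}   startup-only still has {result['startup_only']}")
    print("authoritative queries at:", result["query_times"])
    print("transitions:", result["transitions"])
```

The staleness window of the TTL-aware policy is bounded by the record's TTL (here 30 s of lag after the change at t=30), whereas the resolve-at-startup policy keeps 192.0.2.10 until the daemon is restarted. Shortening the TTL on the peer record trades query volume for faster convergence.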