In message <op.u156b0mztfhldh@rbeam.xactional.com>, "Ricky Beam" writes:

> On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvious@gmail.com> wrote:
> > ... If you've got a VPN tunnel device, too often the remote end will want to contact you at some numerical IPv4 address and isn't smart enough to query DNS to get it.
>
> As I was told by Cisco, that's a security "feature". Fixed VPN endpoints are supposed to be *fixed* endpoints. Yes, it is a pain when an address changes, for whatever reason. But relying on DNS to eventually get the endpoint(s) right is an even bigger mess... how often is the name<->IP updated?

It should be automatically updated by the endpoint. We do have the technology to do that.

> how often do the various DNS servers revalidate those records?

If you are talking about caching servers, then they will honour the TTL in the records.

> how often do the VPN devices revalidate the names?

At startup. A well-designed VPN protocol will support endpoint address mobility.

> what happens when the DNS changes while the VPN is still up?

This should be transparent to everything other than the VPN endpoints.

> I'll stick with entering IP addresses.
>
> --Ricky

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
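As an added illustration of the TTL point made above (this is example code written for this page, not anything from the thread's participants or from any VPN vendor), the following models a VPN endpoint that re-validates its peer name against a TTL-honouring cache: a renumbered peer is noticed only once the cached record expires. The peer name, addresses and TTLs are constructed, and the `lookup` callable stands in for a real DNS query so the code runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class Answer:
    """One A record as a caching resolver would return it (constructed)."""
    address: str
    ttl: int


class PeerResolver:
    """TTL-honouring cache for a VPN peer name (hypothetical helper)."""

    def __init__(self, lookup, clock=time.monotonic):
        self.lookup = lookup    # name -> Answer; stand-in for a DNS query
        self.clock = clock      # injectable so the TTL expiry can be simulated
        self.cache = {}         # name -> (address, expires_at)

    def current_address(self, name):
        """Return (address, refreshed); refreshed is True when DNS was re-queried."""
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], False          # still within TTL: serve from cache
        ans = self.lookup(name)
        self.cache[name] = (ans.address, now + ans.ttl)
        return ans.address, True


def peer_changed(resolver, name, tunnel_addr):
    """Return the new peer address if the name now resolves elsewhere, else None.

    An endpoint running this on a re-validation timer only sees a renumbered
    peer after the cached record's TTL has run out, so the TTL bounds the
    failover delay for a DNS-named peer.
    """
    addr, _ = resolver.current_address(name)
    return addr if addr != tunnel_addr else None


class FakeClock:
    """Manual clock so the simulation can step past the TTL without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    clock = FakeClock()
    records = {"vpn.example.net": Answer("192.0.2.10", 300)}        # constructed
    resolver = PeerResolver(lambda n: records[n], clock)
    tunnel_addr, _ = resolver.current_address("vpn.example.net")  # tunnel comes up
    records["vpn.example.net"] = Answer("198.51.100.7", 300)       # peer renumbered
    clock.t = 100
    before_expiry = peer_changed(resolver, "vpn.example.net", tunnel_addr)
    clock.t = 301
    after_expiry = peer_changed(resolver, "vpn.example.net", tunnel_addr)
    return before_expiry, after_expiry
```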