Sat, May 21, 2011 at 11:15:06PM -0700, Scott Grayban wrote:
> Frankly I don't care if the peering is done via rag-tag rules that
> aren't posted any place, but according to Sebastian others feel the same
> about static IP's and permanent connection and I have the same thoughts
> because peering should be stable and not run with dynamic IP's.... even
> if people here want to call it semi-static it is still dynamic.

Being more or less the last person who asked for dynamic/static IPs, I can share my experience 'bout them. Since SKS deals with DNS names and catches IP changes by itself, there's no problem with dynamic addresses, as long as their dynamicity time is large compared to the typical update session time between two peers. So, my definition of semi-static IP is "the one whose typical change interval is larger than the typical SKS session time, with the 'larger' being 10x or higher".

As for firewalls (and I am running default-by-deny rules on my machines, so I am spending much time tuning them for smooth operation): since most firewalls operate on IP addresses, dynamicity poses a slight problem. But if firewalls have the notion of lookup tables (containing IP addresses or IP ranges) and these tables can be updated independently of the rulesets, there's no problem: just create a script to periodically convert the DNS names from the SKS peer list to the set of IP addresses and reload the corresponding table. I have been doing this for some time and have found no problems yet. Of course, I am putting some trust in the DNS, so hijacking will affect me. But I do realize it ;))

Of course, one's mileage may vary with respect to dynamic IPs.

--
rea
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
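
The periodic table refresh described in the message above, as an added example (not the poster's script and not part of SKS): it reads peer names from a membership file, resolves them, and returns the address list to load into a firewall lookup table. The sample membership text, the injectable `resolve` parameter, the `previous` mapping and the filter on loopback/internal answers are assumptions made for this example.

```python
import ipaddress
import socket

# Constructed sample in SKS membership-file layout: "host recon-port", '#' starts a comment.
SAMPLE_MEMBERSHIP = """\
# constructed sample peers
keys.example.net 11370
sks.example.org  11370   # Example Peer <admin@example.org>
gone.example.com 11370
"""
# Ranges a public peer should never resolve to (RFC 1918 and IPv6 ULA).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def peer_hosts(membership_text):
    """Hostnames listed in an SKS membership file, in file order."""
    rows = (line.split("#", 1)[0].split() for line in membership_text.splitlines())
    return [fields[0].lower() for fields in rows if fields]

def system_resolver(host):
    """All IPv4/IPv6 addresses the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}

def acceptable(addr):
    """Reject answers that would open the firewall to local or internal ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL)

def build_table(hosts, previous, resolve=system_resolver):
    """Map host -> accepted addresses. A name that fails to resolve keeps
    its addresses from `previous`, so a DNS outage does not drop a peer."""
    table = {}
    for host in hosts:
        try:
            answers = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            answers = previous.get(host, set())
        good = {a for a in answers if acceptable(a)}
        if good:
            table[host] = good
    return table

def table_lines(table):
    """Sorted, de-duplicated address list to load into the firewall table."""
    ips = {ipaddress.ip_address(a) for addrs in table.values() for a in addrs}
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]
```

Run from cron, the output of `table_lines()` is written to a file and loaded with the firewall's own table-reload command (for pf, `pfctl -t <table> -T replace -f <file>`; the firewall choice is an assumption, since the message does not name one). Carrying `previous` forward keeps peers reachable through resolver failures, at the cost of allowing a stale address until the name resolves again.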
