draft-ietf-dhc-ddns-resolution-01.txt   draft-ietf-dhc-ddns-resolution-02.txt 
DHC Working Group M. Stapp DHC Working Group M. Stapp
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Expires: August 31, 2001 March 2, 2001 Expires: January 18, 2002 July 20, 2001
Resolution of DNS Name Conflicts Among DHCP Clients Resolution of DNS Name Conflicts Among DHCP Clients
<draft-ietf-dhc-ddns-resolution-01.txt> <draft-ietf-dhc-ddns-resolution-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 31, 2001. This Internet-Draft will expire on January 18, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract Abstract
DHCP provides a powerful mechanism for IP host configuration. DHCP provides a powerful mechanism for IP host configuration.
However, the configuration capability provided by DHCP does not However, the configuration capability provided by DHCP does not
include updating DNS(RFC1034[1], RFC1035[2]), and specifically include updating DNS(RFC1034[1], RFC1035[2]), and specifically
updating the name to address and address to name mappings maintained updating the name to address and address to name mappings maintained
in the DNS. in the DNS.
The "Client FQDN Option"[13] specifies the client FQDN option, The "Client FQDN Option"[3] specifies the client FQDN option,
through which DHCP clients and servers can exchange information through which DHCP clients and servers can exchange information
about client FQDNs. This document describes techniques for the about client FQDNs. This document describes techniques for the
resolution of DNS name conflicts among DHCP clients. resolution of DNS name conflicts among DHCP clients.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Issues with DDNS in DHCP Environments . . . . . . . . . . . 3 3. Issues with DNS Update in DHCP Environments . . . . . . . . . 3
3.1 Name Conflicts . . . . . . . . . . . . . . . . . . . . . . . 4 3.1 Client Mis-Configuration . . . . . . . . . . . . . . . . . . . 4
3.2 Multiple DHCP servers . . . . . . . . . . . . . . . . . . . 5 3.2 Multiple DHCP Servers . . . . . . . . . . . . . . . . . . . . 4
3.3 Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 5 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 5
3.3.1 Format of the DHCID RRDATA . . . . . . . . . . . . . . . . . 5 4.1 Format of the DHCID RRDATA . . . . . . . . . . . . . . . . . . 6
3.4 DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . 7 5. DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Procedures for performing DNS updates . . . . . . . . . . . 7 6. Procedures for performing DNS updates . . . . . . . . . . . . 8
4.1 Adding A RRs to DNS . . . . . . . . . . . . . . . . . . . . 7 6.1 Adding A RRs to DNS . . . . . . . . . . . . . . . . . . . . . 8
4.2 Adding PTR RR Entries to DNS . . . . . . . . . . . . . . . . 8 6.2 Adding PTR RR Entries to DNS . . . . . . . . . . . . . . . . . 9
4.3 Removing Entries from DNS . . . . . . . . . . . . . . . . . 9 6.3 Removing Entries from DNS . . . . . . . . . . . . . . . . . . 9
4.4 Updating other RRs . . . . . . . . . . . . . . . . . . . . . 9 6.4 Updating Other RRs . . . . . . . . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
References . . . . . . . . . . . . . . . . . . . . . . . . . 11 References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . 12 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12
Full Copyright Statement . . . . . . . . . . . . . . . . . . 13 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
1. Terminology 1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119[6]. document are to be interpreted as described in RFC 2119[4].
2. Introduction 2. Introduction
"The Client FQDN Option"[13] includes a description of the operation "The Client FQDN Option"[3] includes a description of the operation
of DHCP[3] clients and servers that use the client FQDN option. of DHCP[5] clients and servers that use the client FQDN option.
Through the use of the client FQDN option, DHCP clients and servers Through the use of the client FQDN option, DHCP clients and servers
can negotiate the client's FQDN and the allocation of responsibility can negotiate the client's FQDN and the allocation of responsibility
for updating the DHCP client's A RR. This document identifies for updating the DHCP client's A RR. This document identifies
situations in which conflicts in the use of FQDNs may arise among situations in which conflicts in the use of FQDNs may arise among
DHCP clients, and describes a strategy for the use of the DHCID DNS DHCP clients, and describes a strategy for the use of the DHCID DNS
resource record[11] in resolving those conflicts. resource record[6] in resolving those conflicts.
In any case, whether a site permits all, some, or no DHCP servers In any case, whether a site permits all, some, or no DHCP servers
and clients to perform DNS updates into the zones which it controls and clients to perform DNS updates into the zones which it controls
is entirely a matter of local administrative policy. This document is entirely a matter of local administrative policy. This document
does not require any specific administrative policy, and does not does not require any specific administrative policy, and does not
propose one. The range of possible policies is very broad, from propose one. The range of possible policies is very broad, from
sites where only the DHCP servers have been given credentials that sites where only the DHCP servers have been given credentials that
the DNS servers will accept, to sites where each individual DHCP the DNS servers will accept, to sites where each individual DHCP
client has been configured with credentials which allow the client client has been configured with credentials which allow the client
to modify its own domain name. Compliant implementations MAY support to modify its own domain name. Compliant implementations MAY support
some or all of these possibilities. Furthermore, this specification some or all of these possibilities. Furthermore, this specification
applies only to DHCP client and server processes: it does not apply applies only to DHCP client and server processes: it does not apply
to other processes which initiate DNS updates. to other processes which initiate DNS updates.
3. Issues with DDNS in DHCP Environments 3. Issues with DNS Update in DHCP Environments
There are two DNS update situations that require special There are two DNS update situations that require special
consideration in DHCP environments: cases where more than one DHCP consideration in DHCP environments: cases where more than one DHCP
client has been configured with the same FQDN, and cases where more client has been configured with the same FQDN, and cases where more
than one DHCP server has been given authority to perform DNS updates than one DHCP server has been given authority to perform DNS updates
in a zone. In these cases, it is possible for DNS records to be in a zone. In these cases, it is possible for DNS records to be
modified in inconsistent ways unless the updaters have a mechanism modified in inconsistent ways unless the updaters have a mechanism
that allows them to detect anomolous situations. If DNS updaters can that allows them to detect anomolous situations. If DNS updaters can
detect these situations, site administrators can configure the detect these situations, site administrators can configure the
updaters' behavior so that the site's policies can be enforced. We updaters' behavior so that the site's policies can be enforced. We
use the term "Name Conflict" to refer to cases where more than one use the term "Name Conflict" to refer to cases where more than one
DHCP client has been associated with a single FQDN. This DHCP client wishes to be associated with a single FQDN. This
specification describes a mechanism designed to allow updaters to specification describes a mechanism designed to allow updaters to
detect these situations, and requires that DHCP implementations use detect these situations, and suggests that DHCP implementations use
this mechanism by default. this mechanism by default.
3.1 Name Conflicts 3.1 Client Mis-Configuration
How can the entity updating an A RR (either the DHCP client or DHCP
server) detect that a domain name has an A RR which is already in
use by a different DHCP client? Similarly, should a DHCP client or
server update a domain name which has an A RR that has been
configured by an administrator? In either of these cases, the
domain name in question would either have an additional A RR, or
would have its original A RR replaced by the new record. Either of
these effects may be considered undesirable by some sites. Different
authority and credential models have different levels of exposure to
name conflicts.
1. Client updates A RR, uses Secure DNS Update with credentials
that are associated with the client's FQDN, and exclusive to the
client. Name conflicts in this scenario are unlikely (though not
impossible), since the client has received credentials specific
to the name it desires to use. This implies that the name has
already been allocated (through some implementation- or
organization-specific procedure) to that client.
2. Client updates A RR, uses Secure DNS Update with credentials At many (though not all) sites, administrators wish to maintain a
that are valid for any name in the zone. Name conflicts in this one-to-one relationship between active DHCP clients and domain
scenario are possible, since the credentials necessary for the names, and to maintain consistency between the a host's A and PTR
client to update DNS are not necessarily name-specific. Thus, RRs. Hosts which are not represented in the DNS, or hosts which
for the client to be attempting to update a unique name requires inadvertently share an FQDN with another host may encounter
the existence of some administrative procedure to ensure client inconsistent behavior or may not be able to obtain access to network
configuration with unique names. resources. Whether each DHCP client is configured with a domain name
by its administrator or whether the DHCP server is configured to
distribute the clients' names, the consistency of the DNS data is
entirely dependent on the accuracy of the configuration procedure.
Sites which use Secure DNS[9] may configure credentials for each
host and its assigned name in a way that is more error-resistant,
but this level of pre-configuration is still rare in DHCP
environments.
3. Server updates the A RR, uses a name for the client which is Consider an example in which two DHCP clients in the "org.nil"
known to the server. Name conflicts in this scenario are likely network are both configured with the name "foo". The clients are
unless prevented by the server's name configuration procedures. permitted to perform their own DNS updates. The first client, client
See Section 5 for security issues with this form of deployment. A, is configured via DHCP. It adds an A RR to "foo.org.nil", and its
DHCP server adds a PTR RR corresponding to its IP address lease.
When the second client, client B, boots, it is also configured via
DHCP, and it also begins to update "foo.org.nil".
4. Server updates the A RR, uses a name supplied by the client. At this point, the "org.nil" administrators may wish to establish
Name conflicts in this scenario are highly likely, even with some policy about DHCP clients' DNS names. If the policy is that
administrative procedures designed to prevent them. (This each client that boots should replace any existing A RR that matches
scenario is a popular one in real-world deployments in many its name, Client B can proceed, though Client A may encounter
types of organizations.) See Section 5 for security issues with problems. If Client B replaces the A RR associated with its name,
this type of deployment. Client A must have some way to recognize that when its lease is
about to expire, so that it can avoid removing an RR that reflects
another client's DHCP lease.
Scenarios 2, 3, and 4 rely on administrative procedures to ensure If the policy is that the first DHCP client with a given name should
name uniqueness for DNS updates, and these procedures may break be the only client associated with that name, Client B needs to be
down. Experience has shown that, in fact, these procedures will able to determine that it is not the client associated with
break down at least occasionally. The question is what to do when "foo.org.nil". It could be that Client A booted first, and that
these procedures break down or, for example in scenario #4, may not Client B should choose another name. Or it could be that B has
even exist. booted on a new subnet, and received a new lease. It must either
retain persistent state about the last lease it held (in addition to
its current lease) or it must have some other way to detect that it
was the last updater of "foo.org.nil" in order to implement the
site's policy.
In all cases of name conflicts, the desire is to offer two modes of 3.2 Multiple DHCP Servers
operation to the administrator of the combined DHCP-DNS capability:
first-update-wins (i.e., the first updating entity gets the name) or
most-recent-update-wins (i.e., the last updating entity for a name
gets the name).
3.2 Multiple DHCP servers At many sites, the difficulties with distributing DNS update
credentials to all of the DHCP clients lead to the desire for the
DHCP servers to perform A RR updates on behalf of their clients. If
a single DHCP server managed all of the DHCP clients at a site, it
could maintain some database of the DNS names that it was managing,
and check that database before initiating a DNS update for a client.
Such a database is necessarily proprietary, however, and that
approach does not work once more than one DHCP server is deployed.
If multiple DHCP servers are able to update the same DNS zones, or Consider an example in which DHCP Client A boots, obtains a DHCP
if DHCP servers are performing A RR updates on behalf of DHCP lease from Server S1, presenting the hostname "foo" in a Client FQDN
clients, and more than one DHCP server may be able to serve option[3] in its DHCPREQUEST message. Server S1 updates its domain
addresses to the same DHCP clients, the DHCP servers should be able name, "foo.org.nil", adding an A RR which matches Client A's lease.
to provide reasonable and consistent DNS name update behavior for The client then moves to another subnet, served by Server S2. When
DHCP clients. Client A boots on the new subnet, Server S2 will issue it a new
lease, and will attempt to add an A RR matching the new lease to
"foo.org.nil". At this point, without some proprietary communication
mechanism which S2 can use to ask S1 (and every other DHCP server
which updates the zone) about the client, S2 has no way to know
whether Client A is currently associated with the domain name, or
whether A is a different client configured with the same hostname.
If the servers cannot distinguish between these situations, they
cannot enforce the site's naming policies.
3.3 Use of the DHCID RR 4. Use of the DHCID RR
A solution to both of these problems is for the updating entities A solution to both of these problems is for the updater (a DHCP
(both DHCP clients and DHCP servers) to be able to detect that client or DHCP server) to be able to determine which DHCP client has
another entity has been associated with a DNS name, and to offer been associated with a DNS name, in order to offer administrators
administrators the opportunity to configure update behavior. the opportunity to configure updater behavior.
Specifically, a DHCID RR, described in DHCID RR[11] is used to FOr this purpose, a DHCID RR, described in [6], is used to associate
associate client identification information with a DNS name and the client identification information with a DNS name and the A or PTR
A RR associated with that name. When either a client or server adds RR associated with that name. When either a client or server adds an
an A RR for a client, it also adds a DHCID RR which specifies a A or PTR RR for a client, it also adds a DHCID RR which specifies a
unique client identity (based on a "client specifier" created from unique client identity (based on a "client specifier" created from
the client's client-id or MAC address). In this model, only one A the data in the client's DHCPREQUEST message). In this model, only
RR is associated with a given DNS name at a time. one A RR is associated with a given DNS name at a time.
By associating this ownership information with each A RR, By associating this ownership information with each DNS name,
cooperating DNS updating entities may determine whether their client cooperating DNS updaters may determine whether their client is
is the first or last updater of the name (and implement the currently associated with a particular DNS name and implement the
appropriately configured administrative policy), and DHCP clients appropriately configured administrative policy. In addition, DHCP
which currently have domain names may move from one DHCP server to clients which currently have domain names may move from one DHCP
another without losing their DNS names. server to another without losing their DNS names.
The specific algorithms utilizing the DHCID RR to signal client The specific algorithms utilizing the DHCID RR to signal client
ownership are explained below. The algorithms only work in the case ownership are explained below. The algorithms only work in the case
where the updating entities all cooperate -- this approach is where the updating entities all cooperate -- this approach is
advisory only and is not substitute for DNS security, nor is it advisory only and is not a substitute for DNS security, nor is it
replaced by DNS security. replaced by DNS security.
3.3.1 Format of the DHCID RRDATA 4.1 Format of the DHCID RRDATA
The DHCID RR used to hold the DHCP client's identity is formatted as The DHCID RR used to hold the DHCP client's identity is formatted as
follows: follows:
The name of the DHCID RR is the name of the A or PTR RR which refers The name of the DHCID RR is the name of the A or PTR RR which refers
to the DHCP client. to the DHCP client.
The RDATA section of a DHCID RR in transmission contains RDLENGTH The RDATA section of a DHCID RR in transmission contains RDLENGTH
bytes of binary data. From the perspective of DHCP clients and bytes of binary data. From the perspective of DHCP clients and
servers, the DHC resource record consists of a 16-bit identifier servers, the DHCID resource record consists of a 16-bit identifier
type, followed by one or more bytes representing the actual type, followed by one or more bytes representing the actual
identifier. There are two possible forms for a DHCID RR - one that identifier. There are two possible forms for a DHCID RR - one that
is used when the client's link-layer address is being used to is used when the client's link-layer address is being used to
identify it, and one that is used when some DHCP option that the identify it, and one that is used when some DHCP option that the
DHCP client has sent is being used to identify it. DHCP client has sent is being used to identify it.
DISCUSSION: The data following the identifier type code (for type codes other
Implementors should note that the actual identifying data is than 0xFFFF) is derived by digesting a buffer containing identifying
never placed into the DNS directly. Instead, the client-identity information using the MD5[11] hash algorithm. The identifying
data is used as the input into a one-way hash algorithm, and the information includes some data from the DHCP client's DHCPREQUEST
output of that hash is then used as DNS RRDATA. This has been message, and the FQDN which is the target of the update. The domain
specified in order to avoid placing data about DHCP clients that name is included in the computation in order to ensure that the
some sites might consider sensitive into the DNS. DHCID RDATA will vary if a single client is associated over time
with more than one name. This makes it difficult to 'track' a client
as it is associated with various domain names. The domain name is
represented in the buffer in dns wire-format as described in
RFC1035[2], section 3.1. The domain name MUST NOT be compressed as
described in RFC1035[2], section 4.1.4. Any uppercase alphabetic
ASCII character in a label MUST be converted to lowercase before
being in the hash computation.
The MD5 hash algorithm has been shown to be weaker than the SHA-1
algorithm; it could therefore be argued that SHA-1 is a better
choice. However, SHA-1 is significantly slower than MD5. A
successful attack of MD5's weakness does not reveal the original
data that was used to generate the signature, but rather provides a
new set of input data that will produce the same signature. Because
we are using the MD5 hash to conceal the original data, the fact
that an attacker could produce a different plaintext resulting in
the same MD5 output is not a significant concern.
When the updater is using the client's link-layer address, the first When the updater is using the client's link-layer address, the first
two bytes of the DHCID RRDATA MUST be zero. To generate the rest of two bytes of the DHCID RRDATA MUST be zero. To generate the rest of
the resource record, the updater MUST compute a one-way hash using the resource record, the updater MUST compute a one-way hash using
the MD5[12] algorithm across a buffer containing the client's the MD5 algorithm across a buffer containing the client's network
network hardware type and link-layer address. Specifically, the hardware type, link-layer address, and the domain name.
first byte of the buffer contains the network hardware type as it Specifically, the first byte of the buffer contains the network
appears in the DHCP htype field of the client's DHCPREQUEST message. hardware type as it appears in the DHCP htype field of the client's
All of the significant bytes of the chaddr field in the client's DHCPREQUEST message. All of the significant bytes of the chaddr
DHCPREQUEST message follow, in the same order in which the bytes field in the client's DHCPREQUEST message follow, in the same order
appear in the DHCPREQUEST message. The number of significant bytes in which the bytes appear in the DHCPREQUEST message. The number of
in the chaddr field is specified in the hlen field of the significant bytes in the chaddr field is specified in the hlen field
DHCPREQUEST message. of the DHCPREQUEST message. The fully-qualified domain name, as
specified above, follows.
When the updater is using a DHCP option sent by the client in its When the updater is using a DHCP option sent by the client in its
DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the
option code of that option, in network byte order. For example, if option code of that option, in network byte order. For example, if
the DHCP client identifier option is being used, the first byte of the DHCP client identifier option is being used, the first byte of
the DHCID RR should be zero, and the second byte should be 61 the DHCID RR should be zero, and the second byte should be 61
decimal. The rest of the DHCID RR MUST contain the results of decimal. The rest of the DHCID RR MUST contain the results of
computing a one-way hash across the payload of the option being computing a one-way hash across the payload of the option being used
used, using the MD5 algorithm. The payload of a DHCP option consists and the FQDN (as specified above), using the MD5 algorithm. The
of the bytes of the option following the option code and length. payload of a DHCP option consists of the bytes of the option
following the option code and length.
The two byte identifier code 0xffff is reserved for future The two byte identifier code 0xffff is reserved for future
assignment. assignment.
In order for independent DHCP implementations to be able to use the In order for independent DHCP implementations to be able to use the
DHCID RR as a prerequisite in dynamic DNS updates, each updater must DHCID RR as a prerequisite in dynamic DNS updates, each updater must
be able to reliably choose the same identifier that any other would be able to reliably choose the same identifier that any other would
choose. To make this possible, we specify a prioritization which choose. To make this possible, we specify a prioritization which
will ensure that for any given DHCP client request, any updater will will ensure that for any given DHCP client request, any updater will
select the same client-identity data. All updaters MUST use this select the same client-identity data. All updaters MUST use this
order of prioritization by default, but all implementations SHOULD order of prioritization by default, but all implementations SHOULD
be configurable to use a different prioritization if so desired by be configurable to use a different prioritization if so desired by
the site administrators. Because of the possibility of future the site administrators. Because of the possibility of future
changes in the DHCP protocol, implementors SHOULD check for updated changes in the DHCP protocol, implementors SHOULD check for updated
versions of this draft when implementing new DHCP clients and versions of this specification when implementing new DHCP clients
servers which can perform DDNS updates, and also when releasing new and servers which can perform DNS updates, and also when releasing
versions of existing clients and servers. new versions of existing clients and servers.
DHCP clients and servers should use the following forms of client DHCP clients and servers should use the following forms of client
identification, starting with the most preferable, and finishing identification, starting with the most preferable, and finishing
with the least preferable. If the client does not send any of these with the least preferable. If the client does not send any of these
forms of identification, the DHCP/DDNS interaction is not defined by forms of identification, the DHCP/DNS interaction is not defined by
this specification. The most preferable form of identification is this specification. The most preferable form of identification is
the Globally Unique Identifier Option [TBD]. Next is the DHCP the Globally Unique Identifier Option [TBD]. Next is the DHCP
Client Identifier option. Last is the client's link-layer address, Client Identifier option. Last is the client's link-layer address,
as conveyed in its DHCPREQUEST message. Implementors should note as conveyed in its DHCPREQUEST message. Implementors should note
that the link-layer address cannot be used if there are no that the link-layer address cannot be used if there are no
significant bytes in the chaddr field of the DHCP client's request, significant bytes in the chaddr field of the DHCP client's request,
because this does not constitute a unique identifier. because this does not constitute a unique identifier.
3.4 DNS RR TTLs 5. DNS RR TTLs
RRs associated with DHCP clients may be more volatile than RRs associated with DHCP clients may be more volatile than
statically configured RRs. DHCP clients and servers which perform statically configured RRs. DHCP clients and servers which perform
dynamic updates should attempt to specify resource record TTLs which dynamic updates should attempt to specify resource record TTLs which
reflect this volatility, in order to minimize the possibility that reflect this volatility, in order to minimize the possibility that
there will be stale records in resolvers' caches. A reasonable basis there will be stale records in resolvers' caches. A reasonable basis
for RR TTLs is the lease duration itself: TTLs of 1/2 or 1/3 the for RR TTLs is the lease duration itself: TTLs of 1/2 or 1/3 the
expected lease duration might be reasonable defaults. Because expected lease duration might be reasonable defaults. Because
configured DHCP lease times vary widely from site to site, it may configured DHCP lease times vary widely from site to site, it may
also be desirable to establish a fixed TTL ceiling. DHCP clients and also be desirable to establish a fixed TTL ceiling. DHCP clients and
servers MAY allow administrators to configure the TTLs they will servers MAY allow administrators to configure the TTLs they will
supply, possibly as a fraction of the actual lease time, or as a supply, possibly as a fraction of the actual lease time, or as a
fixed value. fixed value.
4. Procedures for performing DNS updates 6. Procedures for performing DNS updates
4.1 Adding A RRs to DNS 6.1 Adding A RRs to DNS
When a DHCP client or server intends to update an A RR, it first When a DHCP client or server intends to update an A RR, it first
prepares a DNS UPDATE query which includes as a prerequisite the prepares a DNS UPDATE query which includes as a prerequisite the
assertion that the name does not exist. The update section of the assertion that the name does not exist. The update section of the
query attempts to add the new name and its IP address mapping (an A query attempts to add the new name and its IP address mapping (an A
RR), and the DHCID RR with its unique client-identity. RR), and the DHCID RR with its unique client-identity.
If this update operation succeeds, the updater can conclude that it If this update operation succeeds, the updater can conclude that it
has added a new name whose only RRs are the A and DHCID RR records. has added a new name whose only RRs are the A and DHCID RR records.
The A RR update is now complete (and a client updater is finished, The A RR update is now complete (and a client updater is finished,
skipping to change at page 8, line 45 skipping to change at page 9, line 22
DISCUSSION: DISCUSSION:
The updating entity may be configured to allow the existing DNS The updating entity may be configured to allow the existing DNS
records on the domain name to remain unchanged, and to perform records on the domain name to remain unchanged, and to perform
disambiguation on the name of the current client in order to disambiguation on the name of the current client in order to
attempt to generate a similar but unique name for the current attempt to generate a similar but unique name for the current
client. In this case, once another candidate name has been client. In this case, once another candidate name has been
generated, the updater should restart the process of adding an A generated, the updater should restart the process of adding an A
RR as specified in this section. RR as specified in this section.
4.2 Adding PTR RR Entries to DNS 6.2 Adding PTR RR Entries to DNS
The DHCP server submits a DNS query which deletes all of the PTR RRs The DHCP server submits a DNS query which deletes all of the PTR RRs
associated with the lease IP address, and adds a PTR RR whose data associated with the lease IP address, and adds a PTR RR whose data
is the client's (possibly disambiguated) host name. The server also is the client's (possibly disambiguated) host name. The server also
adds a DHCID RR specified in Section 3.3. adds a DHCID RR as specified in Section 4.
4.3 Removing Entries from DNS 6.3 Removing Entries from DNS
The most important consideration in removing DNS entries is be sure The most important consideration in removing DNS entries is be sure
that an entity removing a DNS entry is only removing an entry that that an entity removing a DNS entry is only removing an entry that
it added, or for which an administrator has explicitly assigned it it added, or for which an administrator has explicitly assigned it
responsibility. responsibility.
When a lease expires or a DHCP client issues a DHCPRELEASE request, When a lease expires or a DHCP client issues a DHCPRELEASE request,
the DHCP server SHOULD delete the PTR RR that matches the DHCP the DHCP server SHOULD delete the PTR RR that matches the DHCP
binding, if one was successfully added. The server's update query binding, if one was successfully added. The server's update query
SHOULD assert that the name in the PTR record matches the name of SHOULD assert that the name in the PTR record matches the name of
the client whose lease has expired or been released. the client whose lease has expired or been released.
The entity chosen to handle the A record for this client (either the The entity chosen to handle the A record for this client (either the
client or the server) SHOULD delete the A record that was added when client or the server) SHOULD delete the A record that was added when
the lease was made to the client. the lease was made to the client.
In order to perform this delete, the updater prepares an UPDATE In order to perform this delete, the updater prepares an UPDATE
query which contains two prerequisites. The first prerequisite query which contains two prerequisites. The first prerequisite
asserts that the DHCID RR exists whose data is the client identity asserts that the DHCID RR exists whose data is the client identity
described in Section 3.3. The second prerequisite asserts that the described in Section 4. The second prerequisite asserts that the
data in the A RR contains the IP address of the lease that has data in the A RR contains the IP address of the lease that has
expired or been released. expired or been released.
If the query fails, the updater MUST NOT delete the DNS name. It If the query fails, the updater MUST NOT delete the DNS name. It
may be that the host whose lease on the server has expired has moved may be that the client whose lease on has expired has moved to
to another network and obtained a lease from a different server, another network and obtained a lease from a different server, which
which has caused the client's A RR to be replaced. It may also be has caused the client's A RR to be replaced. It may also be that
that some other client has been configured with a name that matches some other client has been configured with a name that matches the
the name of the DHCP client, and the policy was that the last client name of the DHCP client, and the policy was that the last client to
to specify the name would get the name. In this case, the DHCID RR specify the name would get the name. In these cases, the DHCID RR
will no longer match the updater's notion of the client-identity of will no longer match the updater's notion of the client-identity of
the host pointed to by the DNS name. the host pointed to by the DNS name.
4.4 Updating other RRs 6.4 Updating Other RRs
The procedures described in this document only cover updates to the The procedures described in this document only cover updates to the
A and PTR RRs. Updating other types of RRs is outside the scope of A and PTR RRs. Updating other types of RRs is outside the scope of
this document. this document.
5. Security Considerations 7. Security Considerations
Unauthenticated updates to the DNS can lead to tremendous confusion, Unauthenticated updates to the DNS can lead to tremendous confusion,
through malicious attack or through inadvertent misconfiguration. through malicious attack or through inadvertent misconfiguration.
Administrators should be wary of permitting unsecured DNS updates to Administrators should be wary of permitting unsecured DNS updates to
zones which are exposed to the global Internet. Both DHCP clients zones which are exposed to the global Internet. Both DHCP clients
and servers SHOULD use some form of update request origin and servers SHOULD use some form of update request authentication
authentication procedure (e.g., Secure DNS Dynamic Update[10]) when (e.g., TSIG[12]) when performing DNS updates.
performing DNS updates.
Whether a DHCP client may be responsible for updating an FQDN to IP Whether a DHCP client may be responsible for updating an FQDN to IP
address mapping, or whether this is the responsibility of the DHCP address mapping, or whether this is the responsibility of the DHCP
server is a site-local matter. The choice between the two server is a site-local matter. The choice between the two
alternatives may be based on the security model that is used with alternatives may be based on the security model that is used with
the Dynamic DNS Update protocol (e.g., only a client may have the Dynamic DNS Update protocol (e.g., only a client may have
sufficient credentials to perform updates to the FQDN to IP address sufficient credentials to perform updates to the FQDN to IP address
mapping for its FQDN). mapping for its FQDN).
Whether a DHCP server is always responsible for updating the FQDN to Whether a DHCP server is always responsible for updating the FQDN to
IP address mapping (in addition to updating the IP to FQDN mapping), IP address mapping (in addition to updating the IP to FQDN mapping),
regardless of the wishes of an individual DHCP client, is also a regardless of the wishes of an individual DHCP client, is also a
site-local matter. The choice between the two alternatives may be site-local matter. The choice between the two alternatives may be
based on the security model that is being used with dynamic DNS based on the security model that is being used with dynamic DNS
updates. In cases where a DHCP server is performing DNS updates on updates. In cases where a DHCP server is performing DNS updates on
behalf of a client, the DHCP server should be sure of the DNS name behalf of a client, the DHCP server should be sure of the DNS name
to use for the client, and of the identity of the client. to use for the client, and of the identity of the client.
Currently, it is difficult for DHCP servers to develop much Currently, it is difficult for DHCP servers to develop much
confidence in the identities of its clients, given the absence of confidence in the identities of their clients, given the absence of
entity authentication from the DHCP protocol itself. There are many entity authentication from the DHCP protocol itself. There are many
ways for a DHCP server to develop a DNS name to use for a client, ways for a DHCP server to develop a DNS name to use for a client,
but only in certain relatively unusual circumstances will the DHCP but only in certain relatively rare circumstances will the DHCP
server know for certain the identity of the client. If DHCP server know for certain the identity of the client. If DHCP
Authentication[9] becomes widely deployed this may become more Authentication[13] becomes widely deployed this may become more
customary. customary.
One example of a situation which offers some extra assurances is one One example of a situation which offers some extra assurances is one
where the DHCP client is connected to a network through an MCNS where the DHCP client is connected to a network through an MCNS
cable modem, and the CMTS (head-end) of the cable modem ensures that cable modem, and the CMTS (head-end) of the cable modem ensures that
MAC address spoofing simply does not occur. Another example of a MAC address spoofing simply does not occur. Another example of a
configuration that might be trusted is one where clients obtain configuration that might be trusted is one where clients obtain
network access via a network access server using PPP. The NAS itself network access via a network access server using PPP. The NAS itself
might be obtaining IP addresses via DHCP, encoding a client might be obtaining IP addresses via DHCP, encoding a client
identification into the DHCP client-id option. In this case, the identification into the DHCP client-id option. In this case, the
network access server as well as the DHCP server might be operating network access server as well as the DHCP server might be operating
within a trusted environment, in which case the DHCP server could be within a trusted environment, in which case the DHCP server could be
configured to trust that the user authentication and authorization configured to trust that the user authentication and authorization
procedure of the remote access server was sufficient, and would processing of the remote access server was sufficient, and would
therefore trust the client identification encoded within the DHCP therefore trust the client identification encoded within the DHCP
client-id. client-id.
6. Acknowledgements 8. Acknowledgements
Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear, Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear,
Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield, Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield,
Michael Patton, and Glenn Stump for their review and comments. Michael Patton, and Glenn Stump for their review and comments.
References References
[1] Mockapetris, P., "Domain names - Concepts and Facilities", RFC [1] Mockapetris, P., "Domain names - Concepts and Facilities", RFC
1034, Nov 1987. 1034, Nov 1987.
[2] Mockapetris, P., "Domain names - Implementation and [2] Mockapetris, P., "Domain names - Implementation and
Specification", RFC 1035, Nov 1987. Specification", RFC 1035, Nov 1987.
[3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [3] Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option
(draft-ietf-dhc-fqdn-option-*.txt)", March 2001.
[4] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[5] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[4] Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and [6] Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for Encoding
DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", March 2001.
[7] Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
Answers to Commonly asked ``New Internet User'' Questions", Answers to Commonly asked ``New Internet User'' Questions",
RFC 1594, March 1994. RFC 1594, March 1994.
[5] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic [8] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
Updates in the Domain Name System", RFC 2136, April 1997. Updates in the Domain Name System", RFC 2136, April 1997.
[6] Bradner, S., "Key words for use in RFCs to Indicate [9] Eastlake, D., "Domain Name System Security Extensions", RFC
Requirement Levels", RFC 2119, March 1997. 2535, March 1999.
[7] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic
August 1999. Update", RFC 3007, November 2000.
[8] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, [11] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
April 1992.
[12] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC "Secret Key Transaction Authentication for DNS (TSIG)", RFC
2845, May 2000. 2845, May 2000.
[9] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages [13] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages
(draft-ietf-dhc-authentication-*)", June 1999. (draft-ietf-dhc-authentication-*)", January 2001.
[10] Wellington, B., "Secure DNS Dynamic Update", RFC 3007,
November 2000.
[11] Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for Encoding
DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", November
2000.
[12] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
April 1992.
[13] Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option
(draft-ietf-dhc-fqdn-option-*.txt)", July 2000.
Author's Address Author's Address
Mark Stapp Mark Stapp
Cisco Systems, Inc. Cisco Systems, Inc.
250 Apollo Dr. 250 Apollo Dr.
Chelmsford, MA 01824 Chelmsford, MA 01824
USA USA
Phone: 978.244.8498 Phone: 978.244.8498
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/