DHC                                                             M. Stapp
Internet-Draft                                                   B. Volz
Expires: January 14, June 23, 2005                               Cisco Systems, Inc.
                                                              Y. Rekhter
                                                        Juniper Networks
                                                            Jul 16,
                                                       December 23, 2004

                      The DHCP Client FQDN Option
                  <draft-ietf-dhc-fqdn-option-07.txt>
                  <draft-ietf-dhc-fqdn-option-08.txt>

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 14, June 23, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document specifies a DHCP for IPv4, DHCPv4, option which can be
   used to exchange information about a DHCPv4 client's fully-qualified
   domain name and about responsibility for updating the DNS RR related
   to the client's address assignment.

Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.
     2.1   Models of Operation  . . . . . . . . . . . . . . . . . . . . .  3
   4.
   3.  The Client FQDN Option . . . . . . . . . . . . . . . . . . . .  4
     4.1
     3.1   The Flags Field  . . . . . . . . . . . . . . . . . . . . .  5
     4.2
     3.2   The RCODE Fields . . . . . . . . . . . . . . . . . . . . .  6
     4.3
     3.3   The Domain Name Field  . . . . . . . . . . . . . . . . . .  6
       4.3.1
       3.3.1   Deprecated ASCII Encoding  . . . . . . . . . . . . . .  7
   5.
   4.  DHCP Client Behavior . . . . . . . . . . . . . . . . . . . . .  7
   6.
     4.1   Interaction With Other Options . . . . . . . . . . . . . .  7
     4.2   Client Desires to Update A RRs . . . . . . . . . . . . . .  8
     4.3   Client Desires Server to Do DNS Updates  . . . . . . . . .  8
     4.4   Client Desires No Server DNS Updates . . . . . . . . . . .  8
     4.5   Domain Name and DNS Update Issues  . . . . . . . . . . . .  9
   5.  DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . .  9
   7.
     5.1   When to Perform DNS Updates  . . . . . . . . . . . . . . . 10
   6.  DNS Update Conflicts . . . . . . . . . . . . . . . . . . . . . 11
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11 12
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 13
   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 12 13
   10.1  Normative References . . . . . . . . . . . . . . . . . . . . 12 13
   10.2  Informative References . . . . . . . . . . . . . . . . . . . 13
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
       Intellectual Property and Copyright Statements . . . . . . . . 15

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

2.  Introduction

   DNS ([2], [3]) maintains (among other things) the information about
   the mapping between hosts' Fully Qualified Domain Names (FQDNs) [6] [7]
   and IP addresses assigned to the hosts.  The information is
   maintained in two types of Resource Records (RRs): A and PTR.  The
   DNS update specification ([4]) describes a mechanism that enables DNS
   information to be updated over a network.

   The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP
   in this document) [5] provides a mechanism by which a host (a DHCP
   client) can acquire certain configuration information, along with its
   address.  This document specifies a DHCP option, the Client FQDN
   option, which can be used by DHCP clients and servers to exchange
   information about the client's fully-qualified domain name for an
   address and who has the responsibility for updating the DNS with the
   associated A and PTR RRs.

3.

2.1  Models of Operation

   When a DHCP client acquires a new address, a site's administrator may
   desire that one or both of the A RR for the client's FQDN and the PTR
   RR for the acquired address be updated.  Therefore, two separate DNS
   update transactions may occur.  Acquiring an address via DHCP
   involves two entities: a DHCP client and a DHCP server.  In principle
   each of these entities could perform none, one, or both of the
   transactions.  However, in practice not all permutations make sense.
   The DHCP Client FQDN option is primarily intended to operate in the
   following two cases:

   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
   2.  DHCP server updates both the A and the PTR RRs

   The only difference between these two cases is whether the FQDN to IP
   address mapping is updated by a DHCP client or by a DHCP server.  The
   IP address to FQDN mapping is updated by a DHCP server in both cases.

   The reason these two are important, while others are unlikely, has to
   do with authority over the respective DNS domain names.  A DHCP
   client may be given authority over mapping its own A RRs, or that
   authority may be restricted to a server to prevent the client from
   listing arbitrary addresses or associating its address with arbitrary
   domain names.  In all cases, the only reasonable place for the
   authority over the PTR RRs associated with the address is in the DHCP
   server that allocates the address.

   Note: A third case is supported - the client requests that the server
   perform no updates.  However, this case is presumed to be rare
   because of the authority issues.

   In any case, whether a site permits all, some, or no DHCP servers and
   clients to perform DNS updates into the zones which it controls is
   entirely a matter of local administrative policy.  This document does
   not require any specific administrative policy, and does not propose
   one.  The range of possible policies is very broad, from sites where
   only the DHCP servers have been given credentials that the DNS
   servers will accept, to sites where each individual DHCP client has
   been configured with credentials which allow the client to modify its
   own domain name.  Compliant implementations MAY may support some or all
   of these possibilities.  Furthermore, this specification applies only
   to DHCP client and server processes: it does not apply to other
   processes which initiate DNS updates.

   This document describes a new DHCP option which a client can use to
   convey all or part of its domain name to a DHCP server.
   Site-specific policy determines whether DHCP servers use the names
   that clients offer or not, and what DHCP servers may do in cases
   where clients do not supply domain names.

4.

3.  The Client FQDN Option

   To update the IP address to FQDN mapping a DHCP server needs to know
   the FQDN of the client to which the server leases the address.  To
   allow the client to convey its FQDN to the server this document
   defines a new DHCP option, called "Client FQDN".  The Client FQDN
   option also contains Flags and RCODE fields Flags, which DHCP servers can use to convey
   information about DNS updates to clients. clients, and two deprecated RCODEs.

   Clients MAY send the Client FQDN option, setting appropriate Flags
   values, in both their DISCOVER DHCPDISCOVER and REQUEST DHCPREQUEST messages.  If a
   client sends the Client FQDN option in its DISCOVER DHCPDISCOVER message, it
   MUST send the option in subsequent REQUEST DHCPREQUEST messages.

   Only one FQDN MAY appear in a message.  As per [13], multiple
   instances of this option in a message SHOULD be concatentated.

   The code for this option is 81.  Its minimum length is 4. 3.

   The Format of the Client FQDN Option: Option is:

        Code   Len    Flags  RCODE1 RCODE2   Domain Name
       +------+------+------+------+------+------+--
       |  81  |   n  |      |      |      |       ...
       +------+------+------+------+------+------+--

4.1

3.1  The Flags Field

   The Format of the Flags Field: Field is:

        0 1 2 3 4 5 6 7
       +-+-+-+-+-+-+-+-+
       |  MBZ  |N|E|O|S|
       +-+-+-+-+-+-+-+-+

   When a DHCP client sends the Client FQDN option in its DHCPDISCOVER
   and/or DHCPREQUEST messages, it sets the

   The "S" bit to indicate that it
   will not perform any DNS updates, and that it expects indicates whether the DHCP server
   to SHOULD or SHOULD NOT perform any FQDN-to-IP (the
   the A RR) RR (FQDN to address) DNS update on its behalf.  If
   this updates.  A client sets the bit is clear, to 0
   to indicate the client indicates that it intends server SHOULD NOT perform the updates and 1 to maintain
   its own FQDN-to-IP mapping update.

   If a DHCP
   indicate the server intends SHOULD perform the updates.  The state of the bit
   in the reply from the server indicates the action to take be taken by the
   server; if 1, the server has taken responsibility for the A RR update
   whether or not updates
   for the client sending FQDN.

   The "O" bit indicates whether the Client FQDN option server has set overridden the
   "S" bit, it sets both client's
   preference for the "O" "S" bit.  A client MUST set this bit and to 0.  A
   server MUST set this bit to 1 if the "S" bit, and sends the
   Client FQDN option bit in its DHCPOFFER and/or DHCPACK messages. reply to the
   client does not match the "S" bit received from the client.

   The data in "N" bit indicates whether the Domain Name field server SHOULD appear in DNS-style binary
   encoding (without compression, of course), as described in RFC 1035
   [3]. NOT perform any DNS
   updates.  A client which sends sets this bit to 0 to request that the Client FQDN option server
   SHOULD use this
   encoding.  The client MUST set perform updates (the PTR RR and possibly the A RR based on the
   "S" bit) or to 1 to request that the server SHOULD NOT perform any
   DNS updates.  A server sets the "N" bit to indicate whether it SHALL
   (0) or SHALL NOT (1) perform DNS updates.  If the "N" bit is 1, the
   "S" bit MUST be 0.

   The "E" bit when indicates the data in encoding of the Domain Name field is in DNS field.  1
   indicates DNS-style binary encoding.  If a server receives a
   Client FQDN option from a client, encoding, without compression, as
   described in RFC 1035 [3] and intends to include SHOULD be used by clients.  0 indicates
   a Client
   FQDN option in its reply, it now deprecated ASCII encoding.  Servers MUST use the same encoding that the
   client used, and MUST set
   as received from the "E" bit accordingly. client.  Server implementers should SHOULD note that
   earlier draft versions of this specification permitted an ASCII
   encoding of the domain name. domain name and this encoding MUST be used if the "E"
   bit is 0.  Clients which implemented this encoding were deployed
   before this specification was completed.  Server implementers which
   need to support these clients should note need to see the section on the
   deprecated ASCII encoding (Section 4.3.1).

   A client MAY set the "N" bit in its request messages to indicate that
   the server should not perform any DNS updates on its behalf.  As we
   mentioned in Section 3, we believe that in general the DHCP server
   will be maintaining DNS PTR records on behalf of clients.  However,
   there may be deployments in which clients are configured to perform
   all desired DNS updates.  The server MAY be configured to honor this
   configuration.  If the server has been configured to honor a client's
   "N" indication, it SHOULD set the "N" bit in Client FQDN options
   which it sends to the client in its OFFER or ACK messages.  Clients
   which have set the "N" bit in their requests SHOULD use the state of
   the "N" bit in server responses to determine whether the server was
   prepared to honor the client's indication.  If a client has set the
   "N" bit but its server does not, the client SHOULD conclude that the
   server was not configured to honor the client's suggestion, and that
   the server may attempt to perform DNS updates on its behalf. 3.3.1).

   The remaining bits in the Flags field are reserved for future
   assignment.  DHCP clients and servers which send the Client FQDN
   option MUST set clear the MBZ bits to 0, bits, and they MUST ignore these bits.

4.2

3.2  The RCODE Fields

   The RCODE1 and RCODE2 fields are used deprecated.  A client SHOULD set
   these to 0 when sending the option and SHOULD ignore them on receipt.
   A server SHOULD set these to 255 when sending the option and MUST
   ignore them on receipt.

   As this option with these fields is already in wide use, the fields
   are retained.  These fields were originally defined for use by a DHCP
   server to indicate to a DHCP client the Response Code from any A
   (RCODE1) or PTR (RCODE2) RR DNS updates it has performed.  The server may also use these fields performed or a value
   of 255 was used to indicate
   whether it has attempted such that an update before sending the DHCPACK
   message. had been initiated but had
   not yet completed.  Each of these fields is one byte long.

   Implementers should note that  These
   fields were defined before EDNS0 [10], which describes a mechanism
   for extending the length of a DNS RCODE to 12 bits.  EDNS0 bits, which is specified
   in RFC 2671 [7].  Only another
   reason to deprecate them.

   If the least-significant 8 bits of client needs to confirm the RCODE from
   a DNS update will be carried in has been done, it MAY
   use a DNS query to check whether the Client FQDN option.  This
   provides enough number space mapping is up to accommodate date.  However,
   depending on the RCODEs defined in load on the DHCP and DNS update specification.

4.3 servers and the DNS
   propagation delays, the client can only infer success.  If the
   information is not found to be up to date in DNS, the servers might
   not have completed the updates or zone transfers, or not yet updated
   their caches.

3.3  The Domain Name Field

   The Domain Name part of the option carries all or part of the FQDN of
   a DHCP client.  The data in the Domain Name field SHOULD appear in
   uncompressed DNS encoding as specified in RFC 1035 [3].  If the DHCP
   client uses DNS encoding, it MUST set to 1 the third the "E" bit in the
   Flags
   field (the "E" bit). field.  In order to determine whether a name the FQDN has changed
   between message exchanges, an unambiguous canonical form is
   necessary.  Eventually, the IETF IDN Working Group is expected to
   produce a standard canonicalization specification, and this
   specification may be updated to include its standard.  Until that
   time, servers client and clients should be sensitive to canonicalization
   when comparing names in server MUST NOT alter the
   Domain Name field and contents unless the name
   canonicalization defined in RFC 2535 [10] MAY be used. FQDN has actually changed.

   A client may MAY be configured with a fully-qualified domain name, name or with
   a partial name that is not fully-qualified.  If a client knows only
   part of its name, it MAY send a name that is not fully-qualified,
   indicating that it knows part of the name but does not necessarily
   know the zone in which the name is to be embedded.  A
   client which wants to convey part of its FQDN sends

   To send a non-terminal
   sequence of labels in fully-qualified domain name, the Domain Name part of field is set
   to the option.  Clients
   and servers should assume that DNS encoded domain name including the terminating zero-length
   label.  To send a partial name, the Domain Name field is set to the
   DNS encoded domain name without the terminating zero-length label.

   A client MAY also leave the Domain Name field contains empty if it desires the
   server to provide a
   fully-qualified name unless this partial-name format exists.

4.3.1 name.

3.3.1  Deprecated ASCII Encoding

   The DNS encoding specified above MUST be supported by DHCP servers.
   However, a substantial population of clients implemented an earlier
   draft version of this specification, which permitted an ASCII
   encoding of the Domain Name field.  Server implementations should SHOULD be
   aware that clients which send the Client FQDN option with the "E" bit clear
   set to 0 are using an ASCII version encoding of the Domain Name field.
   Servers MAY be prepared to return an ASCII encoded version of of the
   Domain Name field to such clients.  Servers that are not prepared to
   return an ASCII encoded version MUST ignore the Domain Name field
   to such clients. Client FQDN option if
   the "E" bit is 0.  The use of ASCII encoding in this option should SHOULD be
   considered deprecated.

   A DHCP client which used ASCII encoding was permitted to suggest a
   single label if it was not configured with a fully-qualified name.
   Such clients send a single label as a series of ASCII characters in
   the Domain Name field, excluding the "." (dot) character.  Such
   clients SHOULD follow the character-set recommendations of RFC 1034
   [2] and RFC 1035 [3].

   Server implementers should SHOULD also be aware that some client software
   may attempt to use
   could be using UTF-8 [9] character encoding.  This information is
   included for informational purposes only: only; this specification does not
   require any support for UTF-8.

5.

4.  DHCP Client Behavior

   The following describes the behavior of a DHCP client that implements
   the Client FQDN option.

4.1  Interaction With Other Options

   Other DHCP options may MAY carry data that is related to the Domain-Name
   part Domain Name
   field of the Client FQDN option.  The Host-Name option, Host Name option [8], for
   example, contains an ASCII string representation of the client's host-name. host
   name.  In general, a client should does not need to send redundant data, and
   therefore clients which send the Client FQDN option in their messages
   MUST NOT also send the Host-Name Host Name option.  Clients which receive both
   the Host-Name Host Name option and the Client FQDN option from a server SHOULD
   prefer Client FQDN option data.  Servers will be asked in  Section 6 5 instructs servers to
   ignore the Host-Name Host Name option in client messages which include the
   Client FQDN option.

4.2  Client Desires to Update A RRs

   If a client that owns/maintains its own FQDN wants to be responsible
   for updating the FQDN to IP address mapping for the FQDN and
   address(es) used by the client, then the client MUST include the Client
   FQDN option in the DHCPREQUEST message originated by the client.  A
   DHCP client MAY choose to include the Client FQDN option in its DISCOVER
   DHCPDISCOVER messages as well as its REQUEST DHCPREQUEST messages.  The "S"
   bit in the Flags field in the option MUST be set to 0.  The "O" and "N" bits
   MUST be 0.

   Once the client's DHCP configuration is completed (the client
   receives a DHCPACK message, message and successfully completes a final check
   on the parameters passed in the message), the client MAY originate an
   update for the A RR (associated with the client's FQDN).  If the DHCP server
   from which the client is requesting a lease includes the Client FQDN
   option in its ACK message, and if FQDN) unless the
   server sets both has set the "S" and
   the "O" bits in bit to 1.  If the option's flags field, "S" is 1, the DHCP client
   MUST NOT initiate an update for the name in the Domain Name field.

4.3  Client Desires Server to Do DNS Updates

   A client can choose to delegate the responsibility for updating the
   FQDN to IP address mapping for the FQDN and address(es) used by the
   client to the server.  In order to inform the server of this choice,
   the client SHOULD include the Client FQDN option in its DHCPREQUEST
   message.  The "S" bit Client FQDN option in its DHCPREQUEST
   message and MAY include the Client FQDN option in its DHCPDISCOVER.
   The "S" bit in the Flags field in the option MUST be 1.  The "O" and
   "N" bits MUST be 0.

4.4  Client Desires No Server DNS Updates

   A client can choose to request that the server perform no DNS updates
   on its behalf.  In order to inform the server of this choice, the
   client SHOULD include the Client FQDN option in its DHCPREQUEST
   message and MAY include the Client FQDN option in its DHCPDISCOVER.
   The "N" bit in the Flags field in the option MUST be 1 and the "S"
   and "O" bits MUST be 0.

   Once the client's DHCP configuration is completed (the client
   receives a DHCPACK message and successfully completes a final check
   on the parameters passed in the Flags field in message), the option MUST be set to
   1.  A client which delegates this responsibility MUST NOT attempt to
   perform a MAY originate
   its DNS update for updates provided the name in server's "N" bit is 1.  If the Domain Name field of server's
   "N" bit is 0, the
   Client FQDN option.  The client server MAY supply an FQDN in perform the Client FQDN
   option, or it MAY supply a single label (the most-specific label), or
   it PTR RR updates; and, MAY leave that field empty as a signal to the server to generate
   an FQDN for
   also perform the client in any manner A RR updates if the server chooses.

   Since "S" bit is 1.

4.5  Domain Name and DNS Update Issues

   As there is a possibility that the DHCP server may be is configured to
   complete or replace a domain name that the client was configured
   to send, sends, the client might
   MAY find it useful to send the Client FQDN option in its DISCOVER DHCPDISCOVER
   messages.  If the DHCP server returns different Domain Name data in
   its OFFER DHCPOFFER message, the client could use that data in performing
   its own eventual A RR update, or in forming the Client FQDN option
   that it sends in its REQUEST DHCPREQUEST message.  There is no requirement
   that the client send identical Client FQDN option data in its DISCOVER
   DHCPDISCOVER and REQUEST DHCPREQUEST messages.  In particular, if a client
   has sent the Client FQDN option to its server, and the configuration
   of the client changes so that its notion of its domain name changes,
   it MAY send the new name data in an a Client FQDN option when it
   communicates with the server again.  This may allow MAY cause the DHCP server
   to update the name associated with the PTR record, and, if the server
   updated the A record representing the client, to delete that record
   and attempt an update for the client's current domain name.

   A client that delegates the responsibility for updating the FQDN to
   IP address mapping to a server might will not receive any indication
   (either positive or negative) from the server whether the server was
   able to perform the update.  In this case the  The client MAY use a DNS query to check
   whether the mapping is updated.

   A client MUST set the RCODE1 and RCODE2 fields in the Client FQDN
   option up to 0 when sending the option. date (see Section 3.2).

   If a client releases its lease prior to the lease expiration time and
   the client is responsible for updating its A RR, the client SHOULD
   delete the A RR associated with the leased address before sending a
   DHCP RELEASE
   DHCPRELEASE message.  Similarly, if a client was responsible for
   updating its A RR, but is unable to renew its lease, the client
   SHOULD attempt to delete the A RR before its lease expires.  A DHCP
   client which has not been able to delete an A RR which it added
   (because it has lost the use of its DHCP IP address) should SHOULD attempt
   to notify its administrator, perhaps by emitting a log message.

6.

5.  DHCP Server Behavior

   When a server receives a DHCPREQUEST message from a client, if the
   message contains the Client FQDN option, and the server replies to
   the message with a DHCPACK message, the server may be configured to
   originate an update for the PTR RR (associated with the address
   leased to the client).

   The server MAY complete the update before the
   server sends the DHCPACK message to the client.  In this case the
   RCODE from the update MUST be carried to the client in following describes the RCODE1
   field behavior of a DHCP server that implements
   the Client FQDN option in the DHCPACK message.
   Alternatively, the server MAY send when the DHCPACK client's message to the client
   without waiting for includes the update to be completed.  In this case Client
   FQDN option.

   The server examines its configuration and the
   RCODE1 field of Flag bits in the
   client's Client FQDN option in the DHCPACK message MUST be
   set to 255.  The choice between determine how to respond:

   o  If the two alternatives client's "E" bit is entirely
   determined by the configuration of 0 and the DHCP server.  Servers SHOULD server does not support both configuration options.

   When a ASCII
      encoding (Section 3.3.1), the server receives a DHCPREQUEST message containing SHOULD ignore the Client FQDN option, the
      option.

   o  The server MUST ignore the values carried in sets to 0 the RCODE1 "S", "O", and RCODE2 fields "N" Flag bits in its copy
      of the option.

   In addition, if the Client FQDN option carried in it will return to the DHCPREQUEST
   message has client.  The server copies the "S"
      client's "E" bit.
   o  If the client's "N" bit in its Flags field set, then is 1 and the server MAY
   originate an update for server's configuration allows
      it to honor the A RR (associated with client's request for no server initiated DNS
      updates, the FQDN carried in server sets the option) "N" bit to 1.
   o  Otherwise, if it the client's "S" bit is configured 1 and the servers's
      configuration allows it to do so by honor the site's administrator, client's request for the
      server to initiate A RR DNS updates and if it has the necessary credentials.
      credentials, the server sets the "S" to 1.  If the server's "S"
      bit does not match the client's "S" bit, the server sets the "O"
      bit to 1.

   The server MAY be configured to use the name supplied in the client's
   Client FQDN option, or it MAY be configured to modify the supplied
   name, or substitute a different name.  The server MAY originate the update before the server sends the
   DHCPACK message to the client.  In this case the RCODE from the
   update RFC 2136 [4] MUST be carried to SHOULD send its
   notion of the complete FQDN for the client in the RCODE2 Domain Name field.
   The server MAY simply copy the Domain Name field
   of from the Client FQDN
   option in that the DHCPACK message.  Alternatively client sent to the server.  The server MAY send MUST use the DHCPACK message to
   same encoding format (ASCII or DNS binary encoding) that the client without waiting for
   the update to be completed.  In this case the RCODE2 field of
   used in the Client FQDN option in the DHCPACK message its DHCPDISCOVER or DHCPREQUEST,
   and MUST be set to 255.  The
   choice between the two alternatives is entirely a matter of the DHCP
   server's configuration.  In either case, if the server intends to
   perform the DNS update and "E" bit in the client's REQUEST message included option's Flags field accordingly.

   If a client sends both the Client FQDN and Host Name option, the
   server SHOULD include the Client FQDN option
   in its ACK message.  If ignore the Host Name option.

   The server includes SHOULD set the RCODE1 and RCODE2 fields to 255 before
   sending the Client FQDN option,
   it MUST set message to the "S" client in a DHCPOFFER or
   DHCPACK.

5.1  When to Perform DNS Updates

   The server SHOULD NOT perform any DNS updates if the "N" bit is 1 in
   the option's Flags field and MUST clear
   the "O" bit.

   Even if of the Client FQDN option carried in the DHCPREQUEST message has
   the "S" bit in its Flags field clear (indicating that the client
   wants DHCPACK messages (to
   be) sent to update the A RR), client.  However, the server SHOULD delete any RRs
   which it previously added via DNS updates for the client.

   The server MAY be configured by perform the local
   administrator to PTR RR DNS update (unless the "N" bit is
   1).

   The server MAY perform the A RR on DNS update if the client's behalf.  A server
   which "S" bit is configured to override 1 in the
   Flags field of the client's preference SHOULD
   include a Client FQDN option in its ACK message, and MUST set both the "O" and "S" bits in DHCPACK message (to be)
   sent to the client.

   The server MAY perform these updates even if the client's DHCPREQUEST
   did not carry the Client FQDN option's Flags field. option.  The server MUST NOT initiate
   DNS updates when responding to DHCPDISCOVER messages from a client.

   The server MAY originate the update complete its DNS updates (PTR RR or PTR and A RR)
   before the server sends the DHCPACK message to the client.  In this case the RCODE from the update RFC
   2136 [4] MUST be carried to the client in the RCODE2 field of the
   Client FQDN option in the DHCPACK message.
   Alternatively, the server MAY send the DHCPACK message to the client
   without waiting for the update to be completed.  In this case the RCODE2 field of the Client
   FQDN option in the DHCPACK message MUST be set to 255.  Whether the DNS
   update occurs before or after the DHCPACK is sent is entirely up to
   the DHCP server's configuration.

   When a DHCP server sends the Client FQDN option to a client in the
   DHCPACK message, the DHCP server SHOULD send its notion of the
   complete FQDN for the client in the Domain Name field.  The server
   MAY simply copy the Domain Name field from the Client FQDN option
   that the client sent to the server in the DHCPREQUEST message.  The
   DHCP server MAY be configured to complete or modify the domain name
   which a client sent, or it MAY be configured to substitute a
   different name.

   If the server initiates a server's A RR DNS update that is does not complete until after the
   server has replied to the DHCP client, the server's interaction with
   the DNS server may MAY cause the DHCP server to change the domain name
   that it associates with the client.  This may can occur, for example, if
   the server detects and resolves a domain-name conflict.
   In such cases, the domain name that the server returns to the DHCP
   client may change between two DHCP exchanges.

   The server MUST use the same encoding format (ASCII or DNS binary
   encoding) that the client used in the Client FQDN option in its
   DHCPREQUEST, and MUST set a domain-name conflict [6].  In such
   cases, the "E" bit in domain name that the option's Flags field
   accordingly. server returns to the DHCP client
   would change between two DHCP exchanges.

   If a client's DHCPREQUEST message doesn't carry the Client FQDN
   option (e.g., server previously performed DNS updates for the client doesn't implement and the Client FQDN option),
   client's information has not changed, the server MAY be configured to update either or both of the A and
   PTR RRs.

   If skip performing
   additional DNS updates.

   When a server detects that a lease on an address that the server
   leases to a client has expired, the server SHOULD delete any PTR RR
   which it added via DNS update.  In addition, if the server added an A
   RR on the client's behalf, the server SHOULD also delete the A RR.

   If

   When a server terminates a lease on an address prior to the lease's
   expiration time, for instance by sending a DHCPNAK to a client, the
   server SHOULD delete any PTR RR which it associated with the address
   via DNS Update. update.  In addition, if the server took responsibility for
   an A RR, the server SHOULD also delete that A RR.

7.

6.  DNS Update Conflicts

   This document does not resolve how a DHCP client or server prevent
   name conflicts.  This document addresses only how a DHCP client and
   server negotiate who will perform the DNS updates and the fully
   qualified domain name requested or used.

   Implementers of this work will need to consider how name conflicts
   will be prevented.  It may be that the  If a DNS updater must hold needs a security token in order
   to successfully perform DNS updates on a specific name, in which case name
   conflicts can only occur if multiple clients are given a security
   token for that name.  Or, if the fully qualified domains may be are based on
   the specific address bound to a client and in this case client, conflicts should not SHOULD NOT occur.  However,
   without this level of security
   Or, a name conflict resolution technique as described in the DNS system or use of
   non-conflicting names, other techniques need to be developed.  This
   is an area for future work (see "Resolving
   Name Conflicts" [12]). [6]) SHOULD be used.

7.  IANA Considerations

   IANA has already assigned DHCP option 81 to the Client FQDN option.
   As this document updates the option's use, IANA is requested to
   reference this document for option 81.

8.  Security Considerations

   Unauthenticated updates to the DNS can lead to tremendous confusion,
   through malicious attack or through inadvertent misconfiguration.
   Administrators should need to be wary of permitting unsecured DNS updates to
   zones which are exposed to the global Internet.  Both DHCP clients
   and servers SHOULD should use some form of update request origin
   authentication procedure (e.g., Secure DNS Dynamic Update [11]) when
   performing DNS updates.

   Whether a DHCP client may be is responsible for updating an FQDN to IP
   address mapping or whether this is the responsibility of the DHCP
   server is a site-local matter.  The choice between the two
   alternatives may be is likely based on the security model that is used with
   the DNS update protocol (e.g., only a client may have sufficient
   credentials to perform updates to the FQDN to IP address mapping for
   its FQDN).

   Whether a DHCP server is always responsible for updating the FQDN to
   IP address mapping (in addition to updating the IP to FQDN mapping),
   regardless of the wishes of an individual DHCP client, is also a
   site-local matter.  The choice between the two alternatives may be is likely
   based on the security model that is being used with DNS updates.  In
   cases where a DHCP server is performing DNS updates on behalf of a
   client, the DHCP server should be sure of the DNS name to use for the
   client, and of the identity of the client.

   Currently, it is difficult for DHCP servers to develop much
   confidence in the identities of its clients, given the absence of
   entity authentication from the DHCP protocol itself.  There are many
   ways for a DHCP server to develop a DNS name to use for a client, but
   only in certain relatively unusual circumstances will the DHCP server
   know for certain the identity of the client.  If DHCP Authentication
   [13]
   [12] becomes widely deployed this may become more customary.

   One example of a situation which offers some extra assurances is one
   where the DHCP client is connected to a network through an MCNS cable
   modem, and the CMTS (head-end) ensures that MAC address spoofing
   simply does not occur.  Another example of a configuration that might
   be trusted is one where clients obtain network access via a network
   access server using PPP.  The NAS itself might be obtaining IP
   addresses via DHCP, encoding a client identification into the DHCP
   client-id option.  In this case, the network access server as well as
   the DHCP server might be operating within a trusted environment, in
   which case the DHCP server could be configured to trust that the user
   authentication and authorization procedure of the remote access
   server was sufficient, and would therefore trust the client
   identification encoded within the DHCP client-id.

9.  Acknowledgements

   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
   Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W.
   Hankins, R.  Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed
   Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Jyrki Soini,
   and Glenn Stump for their review and comments.

10.  References

10.1  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Mockapetris, P., "Domain names - concepts and facilities", STD
        13, RFC 1034, November 1987.

   [3]  Mockapetris, P., "Domain names - implementation and
        specification", STD 13, RFC 1035, November 1987.

   [4]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
        Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
        1997.

   [5]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [6]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
        DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)", September
        2004.

10.2  Informative References

   [6]

   [7]   Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
         Answers - Answers to Commonly asked "New Internet User"
         Questions", RFC 1594, March 1994.

   [7]   Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
         August 1999.

   [8]   Vixie, P., Gudmundsson, O., Eastlake, D.   Alexander, S. and B. Wellington,
         "Secret Key Transaction Authentication for DNS (TSIG)", R. Droms, "DHCP Options and BOOTP Vendor
         Extensions", RFC
         2845, May 2000. 2132, March 1997.

   [9]   Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
         2279, January 1998.

   [10]  Eastlake, D., "Domain Name System Security Extensions",  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
         2535, March 2671,
         August 1999.

   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
         Update", RFC 3007, November 2000.

   [12]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
         DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)", July
         2004.

   [13]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
         RFC 3118, June 2001.

   [13]  Lemon, T. and S. Cheshire, "Encoding Long Options in the
         Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
         November 2002.

Authors' Addresses

   Mark Stapp
   Cisco Systems, Inc.
   1414 Massachusetts Ave.
   Boxborough, MA  01719
   USA

   Phone: 978.936.1535
   EMail: mjs@cisco.com

   Bernie Volz
   Cisco Systems, Inc.
   1414 Massachusetts Ave.
   Boxborough, MA  01719
   USA

   Phone: 978.936.0382
   EMail: volz@cisco.com

   Yakov Rekhter
   Juniper Networks
   1194 North Mathilda Avenue
   Sunnyvale, CA  94089
   USA

   Phone: 408.745.2000
   EMail: yakov@juniper.net

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.