draft-ietf-dhc-fqdn-option-11.txt   draft-ietf-dhc-fqdn-option-12.txt 
DHC M. Stapp DHC M. Stapp
Internet-Draft B. Volz Internet-Draft B. Volz
Expires: March 28, 2006 Cisco Systems, Inc. Expires: August 28, 2006 Cisco Systems, Inc.
Y. Rekhter Y. Rekhter
Juniper Networks Juniper Networks
September 24, 2005 February 24, 2006
The DHCP Client FQDN Option The DHCP Client FQDN Option
<draft-ietf-dhc-fqdn-option-11.txt> <draft-ietf-dhc-fqdn-option-12.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 28, 2006. This Internet-Draft will expire on August 28, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document specifies a DHCP for IPv4, DHCPv4, option which can be This document specifies a Dynamic Host Configuration Protocol for
used to exchange information about a DHCPv4 client's fully-qualified IPv4, DHCPv4, option which can be used to exchange information about
domain name and about responsibility for updating the DNS RR related a DHCPv4 client's fully-qualified domain name and about
to the client's address assignment. responsibility for updating the DNS RR related to the client's
address assignment.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Models of Operation . . . . . . . . . . . . . . . . . . . 3 2.1. Models of Operation . . . . . . . . . . . . . . . . . . . 3
3. The Client FQDN Option . . . . . . . . . . . . . . . . . . . . 4 3. The Client FQDN Option . . . . . . . . . . . . . . . . . . . . 4
3.1. The Flags Field . . . . . . . . . . . . . . . . . . . . . 5 3.1. The Flags Field . . . . . . . . . . . . . . . . . . . . . 5
3.2. The RCODE Fields . . . . . . . . . . . . . . . . . . . . . 6 3.2. The RCODE Fields . . . . . . . . . . . . . . . . . . . . . 6
3.3. The Domain Name Field . . . . . . . . . . . . . . . . . . 6 3.3. The Domain Name Field . . . . . . . . . . . . . . . . . . 6
3.3.1. Deprecated ASCII Encoding . . . . . . . . . . . . . . 7 3.3.1. Deprecated ASCII Encoding . . . . . . . . . . . . . . 7
4. DHCP Client Behavior . . . . . . . . . . . . . . . . . . . . . 7 4. DHCP Client Behavior . . . . . . . . . . . . . . . . . . . . . 7
4.1. Interaction With Other Options . . . . . . . . . . . . . . 7 4.1. Interaction With Other Options . . . . . . . . . . . . . . 7
4.2. Client Desires to Update A RRs . . . . . . . . . . . . . . 8 4.2. Client Desires to Update A RRs . . . . . . . . . . . . . . 8
4.3. Client Desires Server to Do DNS Updates . . . . . . . . . 8 4.3. Client Desires Server to Do DNS Updates . . . . . . . . . 8
4.4. Client Desires No Server DNS Updates . . . . . . . . . . . 8 4.4. Client Desires No Server DNS Updates . . . . . . . . . . . 8
4.5. Domain Name and DNS Update Issues . . . . . . . . . . . . 9 4.5. Domain Name and DNS Update Issues . . . . . . . . . . . . 9
5. DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . . 9 5. DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . . 9
5.1. When to Perform DNS Updates . . . . . . . . . . . . . . . 10 5.1. When to Perform DNS Updates . . . . . . . . . . . . . . . 10
6. DNS Update Conflicts . . . . . . . . . . . . . . . . . . . . . 11 6. DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. DNS Update Conflicts . . . . . . . . . . . . . . . . . . . . . 12
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
10.2. Informative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . . 15
Intellectual Property and Copyright Statements . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property and Copyright Statements . . . . . . . . . . 17
1. Terminology 1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
2. Introduction 2. Introduction
DNS ([2], [3]) maintains (among other things) the information about DNS ([2], [3]) maintains (among other things) the information about
the mapping between hosts' Fully Qualified Domain Names (FQDNs) [8] the mapping between hosts' Fully Qualified Domain Names (FQDNs) [10]
and IP addresses assigned to the hosts. The information is and IP addresses assigned to the hosts. The information is
maintained in two types of Resource Records (RRs): A and PTR. The maintained in two types of Resource Records (RRs): A and PTR. The
DNS update specification ([4]) describes a mechanism that enables DNS DNS update specification ([4]) describes a mechanism that enables DNS
information to be updated over a network. information to be updated over a network.
The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP
in this document) [5] provides a mechanism by which a host (a DHCP in this document) [5] provides a mechanism by which a host (a DHCP
client) can acquire certain configuration information, along with its client) can acquire certain configuration information, along with its
address. This document specifies a DHCP option, the Client FQDN address. This document specifies a DHCP option, the Client FQDN
option, which can be used by DHCP clients and servers to exchange option, which can be used by DHCP clients and servers to exchange
skipping to change at page 5, line 12 skipping to change at page 5, line 12
The code for this option is 81. Its minimum length is 3 (octets). The code for this option is 81. Its minimum length is 3 (octets).
The format of the Client FQDN option is: The format of the Client FQDN option is:
Code Len Flags RCODE1 RCODE2 Domain Name Code Len Flags RCODE1 RCODE2 Domain Name
+------+------+------+------+------+------+-- +------+------+------+------+------+------+--
| 81 | n | | | | ... | 81 | n | | | | ...
+------+------+------+------+------+------+-- +------+------+------+------+------+------+--
The above figure follows the conventions of [9]. The above figure follows the conventions of [11].
3.1. The Flags Field 3.1. The Flags Field
The format of the 1-octet Flags field is: The format of the 1-octet Flags field is:
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| MBZ |N|E|O|S| | MBZ |N|E|O|S|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
skipping to change at page 6, line 22 skipping to change at page 6, line 22
The RCODE1 and RCODE2 fields are deprecated. A client SHOULD set The RCODE1 and RCODE2 fields are deprecated. A client SHOULD set
these to 0 when sending the option and SHOULD ignore them on receipt. these to 0 when sending the option and SHOULD ignore them on receipt.
A server SHOULD set these to 255 when sending the option and MUST A server SHOULD set these to 255 when sending the option and MUST
ignore them on receipt. ignore them on receipt.
As this option with these fields is already in wide use, the fields As this option with these fields is already in wide use, the fields
are retained. These fields were originally defined for use by a DHCP are retained. These fields were originally defined for use by a DHCP
server to indicate to a DHCP client the Response Code from any A server to indicate to a DHCP client the Response Code from any A
(RCODE1) or PTR (RCODE2) RR DNS updates it has performed or a value (RCODE1) or PTR (RCODE2) RR DNS updates it has performed or a value
of 255 was used to indicate that an update had been initiated but had of 255 was used to indicate that an update had been initiated but had
not yet completed. Each of these fields is one byte long. These not yet completed. Each of these fields is one octet long. These
fields were defined before EDNS0 [11], which describes a mechanism fields were defined before EDNS0 [12], which describes a mechanism
for extending the length of a DNS RCODE to 12 bits, which is another for extending the length of a DNS RCODE to 12 bits, which is another
reason to deprecate them. reason to deprecate them.
If the client needs to confirm the DNS update has been done, it MAY If the client needs to confirm the DNS update has been done, it MAY
use a DNS query to check whether the mapping is up to date. However, use a DNS query to check whether the mapping is up to date. However,
depending on the load on the DHCP and DNS servers and the DNS depending on the load on the DHCP and DNS servers and the DNS
propagation delays, the client can only infer success. If the propagation delays, the client can only infer success. If the
information is not found to be up to date in DNS, the servers might information is not found to be up to date in DNS, the servers might
not have completed the updates or zone transfers, or not yet updated not have completed the updates or zone transfers, or not yet updated
their caches. their caches.
3.3. The Domain Name Field 3.3. The Domain Name Field
The Domain Name part of the option carries all or part of the FQDN of The Domain Name part of the option carries all or part of the FQDN of
a DHCP client. The data in the Domain Name field SHOULD appear in a DHCP client. The data in the Domain Name field SHOULD appear in
uncompressed DNS encoding as specified in RFC 1035 [3]. If the DHCP uncompressed DNS encoding as specified in RFC 1035 [3]. If the DHCP
client uses DNS encoding, it MUST set to 1 the the "E" bit in the client uses DNS encoding, it MUST set to 1 the "E" bit in the Flags
Flags field. In order to determine whether the FQDN has changed field. In order to determine whether the FQDN has changed between
between message exchanges, the client and server MUST NOT alter the message exchanges, the client and server MUST NOT alter the Domain
Domain Name field contents unless the FQDN has actually changed. Name field contents unless the FQDN has actually changed.
A client MAY be configured with a fully-qualified domain name or with A client MAY be configured with a fully-qualified domain name or with
a partial name that is not fully-qualified. If a client knows only a partial name that is not fully-qualified. If a client knows only
part of its name, it MAY send a name that is not fully-qualified, part of its name, it MAY send a name that is not fully-qualified,
indicating that it knows part of the name but does not necessarily indicating that it knows part of the name but does not necessarily
know the zone in which the name is to be embedded. know the zone in which the name is to be embedded.
To send a fully-qualified domain name, the Domain Name field is set To send a fully-qualified domain name, the Domain Name field is set
to the DNS encoded domain name including the terminating zero-length to the DNS encoded domain name including the terminating zero-length
label. To send a partial name, the Domain Name field is set to the label. To send a partial name, the Domain Name field is set to the
skipping to change at page 7, line 29 skipping to change at page 7, line 29
to such clients. Servers that are not prepared to return an ASCII to such clients. Servers that are not prepared to return an ASCII
encoded version MUST ignore the Client FQDN option if the "E" bit is encoded version MUST ignore the Client FQDN option if the "E" bit is
0. The use of ASCII encoding in this option SHOULD be considered 0. The use of ASCII encoding in this option SHOULD be considered
deprecated. deprecated.
A DHCP client which used ASCII encoding was permitted to suggest a A DHCP client which used ASCII encoding was permitted to suggest a
single label if it was not configured with a fully-qualified name. single label if it was not configured with a fully-qualified name.
Such clients send a single label as a series of ASCII characters in Such clients send a single label as a series of ASCII characters in
the Domain Name field, excluding the "." (dot) character. the Domain Name field, excluding the "." (dot) character.
Clients and servers SHOULD follow the character-set recommendations Clients and servers SHOULD follow the character set rules of RFC 952
of RFC 1034 [2] and RFC 1035 [3]. However, implementers SHOULD also [6], fourth section ("Assumptions"), first 5 sentences, as modified
be aware that some client software could be using UTF-8 [10] by RFC 1123 [7] section 2.1. However, implementers SHOULD also be
character encoding. This specification does not require any support aware that some client software may send data intended to be in other
for UTF-8. character sets. This specification does not require support for
other character sets.
4. DHCP Client Behavior 4. DHCP Client Behavior
The following describes the behavior of a DHCP client that implements The following describes the behavior of a DHCP client that implements
the Client FQDN option. the Client FQDN option.
4.1. Interaction With Other Options 4.1. Interaction With Other Options
Other DHCP options MAY carry data that is related to the Domain Name Other DHCP options MAY carry data that is related to the Domain Name
field of the Client FQDN option. The Host Name option [9], for field of the Client FQDN option. The Host Name option [11], for
example, contains an ASCII string representation of the client's host example, contains an ASCII string representation of the client's host
name. In general, a client does not need to send redundant data, and name. In general, a client does not need to send redundant data, and
therefore clients which send the Client FQDN option in their messages therefore clients which send the Client FQDN option in their messages
MUST NOT also send the Host Name option. Clients which receive both MUST NOT also send the Host Name option. Clients which receive both
the Host Name option and the Client FQDN option from a server SHOULD the Host Name option and the Client FQDN option from a server SHOULD
prefer Client FQDN option data. Section 5 instructs servers to prefer Client FQDN option data. Section 5 instructs servers to
ignore the Host Name option in client messages which include the ignore the Host Name option in client messages which include the
Client FQDN option. Client FQDN option.
4.2. Client Desires to Update A RRs 4.2. Client Desires to Update A RRs
skipping to change at page 9, line 41 skipping to change at page 9, line 42
the client is responsible for updating its A RR, the client SHOULD the client is responsible for updating its A RR, the client SHOULD
delete the A RR associated with the leased address before sending a delete the A RR associated with the leased address before sending a
DHCPRELEASE message. Similarly, if a client was responsible for DHCPRELEASE message. Similarly, if a client was responsible for
updating its A RR, but is unable to renew its lease, the client updating its A RR, but is unable to renew its lease, the client
SHOULD attempt to delete the A RR before its lease expires. A DHCP SHOULD attempt to delete the A RR before its lease expires. A DHCP
client which has not been able to delete an A RR which it added client which has not been able to delete an A RR which it added
(because it has lost the use of its DHCP IP address) SHOULD attempt (because it has lost the use of its DHCP IP address) SHOULD attempt
to notify its administrator, perhaps by emitting a log message. to notify its administrator, perhaps by emitting a log message.
A client that desires to perform DNS updates to A RRs SHOULD NOT do A client that desires to perform DNS updates to A RRs SHOULD NOT do
so if the client's address is a private address [6]. so if the client's address is a private address [8].
5. DHCP Server Behavior 5. DHCP Server Behavior
The following describes the behavior of a DHCP server that implements The following describes the behavior of a DHCP server that implements
the Client FQDN option when the client's message includes the Client the Client FQDN option when the client's message includes the Client
FQDN option. FQDN option.
The server examines its configuration and the Flag bits in the The server examines its configuration and the Flag bits in the
client's Client FQDN option to determine how to respond: client's Client FQDN option to determine how to respond:
o If the client's "E" bit is 0 and the server does not support ASCII o If the client's "E" bit is 0 and the server does not support ASCII
encoding (Section 3.3.1), the server SHOULD ignore the Client FQDN encoding (Section 3.3.1), the server SHOULD ignore the Client FQDN
option. option.
o The server sets to 0 the "S", "O", and "N" Flag bits in its copy o The server sets to 0 the "S", "O", and "N" Flag bits in its copy
of the option it will return to the client. The server copies the of the option it will return to the client. The server copies the
client's "E" bit. client's "E" bit.
o If the client's "N" bit is 1 and the server's configuration allows o If the client's "N" bit is 1 and the server's configuration allows
it to honor the client's request for no server initiated DNS it to honor the client's request for no server initiated DNS
updates, the server sets the "N" bit to 1. updates, the server sets the "N" bit to 1.
o Otherwise, if the client's "S" bit is 1 and the servers's o Otherwise, if the client's "S" bit is 1 and the server's
configuration allows it to honor the client's request for the configuration allows it to honor the client's request for the
server to initiate A RR DNS updates and if it has the necessary server to initiate A RR DNS updates, the server sets the "S" to 1.
credentials, the server sets the "S" to 1. If the server's "S" If the server's "S" bit does not match the client's "S" bit, the
bit does not match the client's "S" bit, the server sets the "O" server sets the "O" bit to 1.
bit to 1.
The server MAY be configured to use the name supplied in the client's The server MAY be configured to use the name supplied in the client's
Client FQDN option, or it MAY be configured to modify the supplied Client FQDN option, or it MAY be configured to modify the supplied
name, or substitute a different name. The server SHOULD send its name, or substitute a different name. The server SHOULD send its
notion of the complete FQDN for the client in the Domain Name field. notion of the complete FQDN for the client in the Domain Name field.
The server MAY simply copy the Domain Name field from the Client FQDN The server MAY simply copy the Domain Name field from the Client FQDN
option that the client sent to the server. The server MUST use the option that the client sent to the server. The server MUST use the
same encoding format (ASCII or DNS binary encoding) that the client same encoding format (ASCII or DNS binary encoding) that the client
used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST, used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST,
and MUST set the "E" bit in the option's Flags field accordingly. and MUST set the "E" bit in the option's Flags field accordingly.
skipping to change at page 11, line 18 skipping to change at page 11, line 20
before the server sends the DHCPACK message to the client. before the server sends the DHCPACK message to the client.
Alternatively, the server MAY send the DHCPACK message to the client Alternatively, the server MAY send the DHCPACK message to the client
without waiting for the update to be completed. Whether the DNS without waiting for the update to be completed. Whether the DNS
update occurs before or after the DHCPACK is sent is entirely up to update occurs before or after the DHCPACK is sent is entirely up to
the DHCP server's configuration. the DHCP server's configuration.
If the server's A RR DNS update does not complete until after the If the server's A RR DNS update does not complete until after the
server has replied to the DHCP client, the server's interaction with server has replied to the DHCP client, the server's interaction with
the DNS server MAY cause the DHCP server to change the domain name the DNS server MAY cause the DHCP server to change the domain name
that it associates with the client. This can occur, for example, if that it associates with the client. This can occur, for example, if
the server detects and resolves a domain-name conflict [7]. In such the server detects and resolves a domain-name conflict [9]. In such
cases, the domain name that the server returns to the DHCP client cases, the domain name that the server returns to the DHCP client
would change between two DHCP exchanges. would change between two DHCP exchanges.
If the server previously performed DNS updates for the client and the If the server previously performed DNS updates for the client and the
client's information has not changed, the server MAY skip performing client's information has not changed, the server MAY skip performing
additional DNS updates. additional DNS updates.
When a server detects that a lease on an address that the server When a server detects that a lease on an address that the server
leases to a client has expired, the server SHOULD delete any PTR RR leases to a client has expired, the server SHOULD delete any PTR RR
which it added via DNS update. In addition, if the server added an A which it added via DNS update. In addition, if the server added an A
RR on the client's behalf, the server SHOULD also delete the A RR. RR on the client's behalf, the server SHOULD also delete the A RR.
When a server terminates a lease on an address prior to the lease's When a server terminates a lease on an address prior to the lease's
expiration time, for instance by sending a DHCPNAK to a client, the expiration time, for instance by sending a DHCPNAK to a client, the
server SHOULD delete any PTR RR which it associated with the address server SHOULD delete any PTR RR which it associated with the address
via DNS update. In addition, if the server took responsibility for via DNS update. In addition, if the server took responsibility for
an A RR, the server SHOULD also delete that A RR. an A RR, the server SHOULD also delete that A RR.
6. DNS Update Conflicts 6. DNS RR TTLs
RRs associated with DHCP clients may be more volatile than statically
configured RRs. DHCP clients and servers that perform dynamic
updates should attempt to specify resource record TTLs which reflect
this volatility, in order to minimize the possibility that answers to
DNS queries will return records that refer to DHCP IP address
assignments that have expired or been released.
The coupling among primary, secondary, and caching DNS servers is
'loose'; that is a fundamental part of the design of the DNS. This
looseness makes it impossible to prevent all possible situations in
which a resolver may return a record reflecting a DHCP assigned IP
address that has expired or been released. In deployment, this
rarely, if ever, represents a significant problem. Most DHCP-managed
clients are infrequently looked-up by name in the DNS, and the
deployment of IXFR (RFC 1995 [15]) and NOTIFY (RFC 1996 [16]) can
reduce the latency between updates and their visibility at secondary
servers.
We suggest these basic guidelines for implementers. In general, the
TTLs for RRs added as a result of DHCP IP address assignment activity
SHOULD be less than the initial lease time. The RR TTL on a DNS
record added SHOULD NOT exceed 1/3 of the lease time, and SHOULD be
at least 10 minutes. We recognize that individual administrators
will have varying requirements: DHCP servers and clients SHOULD allow
administrators to configure TTLs and upper and lower bounds on the
TTL values, either as an absolute time interval or as a percentage of
the lease time.
While clients and servers MAY update the TTL of the records as the
lease is about to expire, there is no requirement that they do so as
this puts additional load on the DNS system with likely little
benefit.
7. DNS Update Conflicts
This document does not resolve how a DHCP client or server prevent This document does not resolve how a DHCP client or server prevent
name conflicts. This document addresses only how a DHCP client and name conflicts. This document addresses only how a DHCP client and
server negotiate who will perform the DNS updates and the fully server negotiate who will perform the DNS updates and the fully
qualified domain name requested or used. qualified domain name requested or used.
Implementers of this work will need to consider how name conflicts Implementers of this work will need to consider how name conflicts
will be prevented. If a DNS updater needs a security token in order will be prevented. If a DNS updater needs a security token in order
to successfully perform DNS updates on a specific name, name to successfully perform DNS updates on a specific name, name
conflicts can only occur if multiple clients are given a security conflicts can only occur if multiple updaters are given a security
token for that name. Or, if the fully qualified domains are based on token for that name. Or, if the fully qualified domains are based on
the specific address bound to a client, conflicts will not occur. the specific address bound to a client, conflicts will not occur.
Or, a name conflict resolution technique as described in "Resolving Or, a name conflict resolution technique as described in "Resolving
Name Conflicts" [7]) SHOULD be used. Name Conflicts" [9]) SHOULD be used.
7. IANA Considerations 8. IANA Considerations
IANA has already assigned DHCP option 81 to the Client FQDN option. IANA has already assigned DHCP option 81 to the Client FQDN option.
As this document updates the option's use, IANA is requested to As this document updates the option's use, IANA is requested to
reference this document for option 81. reference this document for option 81.
8. Security Considerations 9. Security Considerations
Unauthenticated updates to the DNS can lead to tremendous confusion, Unauthenticated updates to the DNS can lead to tremendous confusion,
through malicious attack or through inadvertent misconfiguration. through malicious attack or through inadvertent misconfiguration.
Administrators need to be wary of permitting unsecured DNS updates to Administrators need to be wary of permitting unsecured DNS updates to
zones which are exposed to the global Internet. Both DHCP clients zones which are exposed to the global Internet. Both DHCP clients
and servers should use some form of update request origin and servers should use some form of update request origin
authentication procedure (e.g., Secure DNS Dynamic Update [12]) when authentication procedure (e.g., Secure DNS Dynamic Update [13]) when
performing DNS updates. performing DNS updates.
Whether a DHCP client is responsible for updating an FQDN to IP Whether a DHCP client is responsible for updating an FQDN to IP
address mapping or whether this is the responsibility of the DHCP address mapping or whether this is the responsibility of the DHCP
server is a site-local matter. The choice between the two server is a site-local matter. The choice between the two
alternatives is likely based on the security model that is used with alternatives is likely based on the security model that is used with
the DNS update protocol (e.g., only a client may have sufficient the DNS update protocol (e.g., only a client may have sufficient
credentials to perform updates to the FQDN to IP address mapping for credentials to perform updates to the FQDN to IP address mapping for
its FQDN). its FQDN).
skipping to change at page 12, line 45 skipping to change at page 13, line 38
cases where a DHCP server is performing DNS updates on behalf of a cases where a DHCP server is performing DNS updates on behalf of a
client, the DHCP server should be sure of the DNS name to use for the client, the DHCP server should be sure of the DNS name to use for the
client, and of the identity of the client. client, and of the identity of the client.
Currently, it is difficult for DHCP servers to develop much Currently, it is difficult for DHCP servers to develop much
confidence in the identities of its clients, given the absence of confidence in the identities of its clients, given the absence of
entity authentication from the DHCP protocol itself. There are many entity authentication from the DHCP protocol itself. There are many
ways for a DHCP server to develop a DNS name to use for a client, but ways for a DHCP server to develop a DNS name to use for a client, but
only in certain relatively unusual circumstances will the DHCP server only in certain relatively unusual circumstances will the DHCP server
know for certain the identity of the client. If DHCP Authentication know for certain the identity of the client. If DHCP Authentication
[13] becomes widely deployed this may become more customary. [14] becomes widely deployed this may become more customary.
One example of a situation which offers some extra assurances is one One example of a situation which offers some extra assurances is one
where the DHCP client is connected to a network through an MCNS cable where the DHCP client is connected to a network through an MCNS cable
modem, and the CMTS (head-end) ensures that MAC address spoofing modem, and the CMTS (head-end) ensures that MAC address spoofing
simply does not occur. Another example of a configuration that might simply does not occur. Another example of a configuration that might
be trusted is one where clients obtain network access via a network be trusted is one where clients obtain network access via a network
access server using PPP. The NAS itself might be obtaining IP access server using PPP. The NAS itself might be obtaining IP
addresses via DHCP, encoding a client identification into the DHCP addresses via DHCP, encoding a client identification into the DHCP
client-id option. In this case, the network access server as well as client-id option. In this case, the network access server as well as
the DHCP server might be operating within a trusted environment, in the DHCP server might be operating within a trusted environment, in
which case the DHCP server could be configured to trust that the user which case the DHCP server could be configured to trust that the user
authentication and authorization procedure of the remote access authentication and authorization procedure of the remote access
server was sufficient, and would therefore trust the client server was sufficient, and would therefore trust the client
identification encoded within the DHCP client-id. identification encoded within the DHCP client-id.
9. Acknowledgements It is critical to implement proper conflict resolution, and the
security considerations of conflict resolution apply [9].
10. Acknowledgements
Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W. Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W.
Hankins, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed Hankins, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed
Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Jyrki Soini, Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Pekka Savola,
and Glenn Stump for their review and comments. Jyrki Soini, and Glenn Stump for their review and comments.
10. References 11. References
10.1. Normative References 11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Mockapetris, P., "Domain names - concepts and facilities", [2] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, November 1987.
[3] Mockapetris, P., "Domain names - implementation and [3] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[4] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic [4] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136, Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
April 1997. April 1997.
[5] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [5] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[6] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. [6] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet host
table specification", RFC 952, October 1985.
[7] Braden, R., "Requirements for Internet Hosts - Application and
Support", STD 3, RFC 1123, October 1989.
[8] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
Lear, "Address Allocation for Private Internets", BCP 5, Lear, "Address Allocation for Private Internets", BCP 5,
RFC 1918, February 1996. RFC 1918, February 1996.
[7] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among [9] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)", DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)",
September 2005. February 2006.
10.2. Informative References 11.2. Informative References
[8] Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions and [10] Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions and
Answers - Answers to Commonly asked "New Internet User" Answers - Answers to Commonly asked "New Internet User"
Questions", RFC 1594, March 1994. Questions", RFC 1594, March 1994.
[9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [11] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
[10] Yergeau, F., "UTF-8, a transformation format of ISO 10646", [12] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
RFC 2279, January 1998.
[11] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
August 1999. August 1999.
[12] Wellington, B., "Secure Domain Name System (DNS) Dynamic [13] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000. Update", RFC 3007, November 2000.
[13] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", [14] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
RFC 3118, June 2001. RFC 3118, June 2001.
[15] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
August 1996.
[16] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
(DNS NOTIFY)", RFC 1996, August 1996.
Authors' Addresses Authors' Addresses
Mark Stapp Mark Stapp
Cisco Systems, Inc. Cisco Systems, Inc.
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, MA 01719 Boxborough, MA 01719
USA USA
Phone: 978.936.1535 Phone: 978.936.1535
Email: mjs@cisco.com Email: mjs@cisco.com
skipping to change at page 16, line 41 skipping to change at page 17, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 39 change blocks. 
64 lines changed or deleted 113 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/