idnits 2.17.1 

draft-ietf-dhc-fqdn-option-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 2, 2001) is 8456 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: 'RFC2136' on line 405

  == Unused Reference: '7' is defined on line 534, but no explicit reference
     was found in the text

  == Unused Reference: '9' is defined on line 540, but no explicit reference
     was found in the text

  == Unused Reference: '12' is defined on line 550, but no explicit reference
     was found in the text

  ** Obsolete normative reference: RFC 1594 (ref. '4') (Obsoleted by RFC 2664)

  ** Obsolete normative reference: RFC 2535 (ref. '7') (Obsoleted by RFC
     4033, RFC 4034, RFC 4035)

  ** Obsolete normative reference: RFC 2671 (ref. '8') (Obsoleted by RFC 6891)

  ** Obsolete normative reference: RFC 2845 (ref. '9') (Obsoleted by RFC 8945)

  -- No information found for draft-ietf-dhc-authentication- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '10' 

  -- No information found for draft-ietf-dnsext-dhcid-rr- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '12' 

  -- No information found for draft-ietf-dhc-ddns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '13' 


     Summary: 7 errors (**), 0 flaws (~~), 5 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DHC Working Group                                               M. Stapp
3	Internet-Draft                                                Y. Rekhter
4	Expires: August 31, 2001                             Cisco Systems, Inc.
5	                                                           March 2, 2001

7	                      The DHCP Client FQDN Option
8	                  <draft-ietf-dhc-fqdn-option-01.txt>

10	Status of this Memo

12	   This document is an Internet-Draft and is in full conformance with
13	   all provisions of Section 10 of RFC2026.

15	   Internet-Drafts are working documents of the Internet Engineering
16	   Task Force (IETF), its areas, and its working groups. Note that
17	   other groups may also distribute working documents as
18	   Internet-Drafts.

20	   Internet-Drafts are draft documents valid for a maximum of six
21	   months and may be updated, replaced, or obsoleted by other documents
22	   at any time. It is inappropriate to use Internet-Drafts as reference
23	   material or to cite them other than as "work in progress."

25	   The list of current Internet-Drafts can be accessed at
26	   http://www.ietf.org/ietf/1id-abstracts.txt.

28	   The list of Internet-Draft Shadow Directories can be accessed at
29	   http://www.ietf.org/shadow.html.

31	   This Internet-Draft will expire on August 31, 2001.

33	Copyright Notice

35	   Copyright (C) The Internet Society (2001). All Rights Reserved.

37	Abstract

39	   DHCP provides a powerful mechanism for IP host configuration.
40	   However, the configuration capability provided by DHCP does not
41	   include updating DNS, and specifically updating the name to address
42	   and address to name mappings maintained in the DNS.

44	   This document specifies a DHCP option which can be used to exchange
45	   information about a DHCP client's fully-qualified domain name, and
46	   about responsibility for updating DNS RRs related to the client's
47	   DHCP lease.

49	Table of Contents

51	   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
52	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
53	   3.  Models of Operation  . . . . . . . . . . . . . . . . . . . . .  3
54	   4.  The Client FQDN Option . . . . . . . . . . . . . . . . . . . .  4
55	   4.1 The Flags Field  . . . . . . . . . . . . . . . . . . . . . . .  5
56	   4.2 The RCODE Fields . . . . . . . . . . . . . . . . . . . . . . .  6
57	   4.3 The Domain Name Field  . . . . . . . . . . . . . . . . . . . .  6
58	   5.  DHCP Client behavior . . . . . . . . . . . . . . . . . . . . .  7
59	   6.  DHCP Server behavior . . . . . . . . . . . . . . . . . . . . .  8
60	   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
61	   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
62	       References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
63	       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 13
64	       Full Copyright Statement . . . . . . . . . . . . . . . . . . . 14

66	1. Terminology

68	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
69	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
70	   document are to be interpreted as described in RFC 2119[6].

72	2. Introduction

74	   DNS (RFC1034[1], RFC1035[2]) maintains (among other things) the
75	   information about mapping between hosts' Fully Qualified Domain
76	   Names (FQDNs) RFC1594[4] and IP addresses assigned to the hosts. The
77	   information is maintained in two types of Resource Records (RRs): A
78	   and PTR. The A RR contains mapping from a FQDN to an IP address; the
79	   PTR RR contains mapping from an IP address to a FQDN.  The DNS
80	   update specification (RFC2136[5]) describes a mechanism that enables
81	   DNS information to be updated over a network.

83	   DHCP RFC2131[3] provides a mechanism by which a host (a DHCP client)
84	   can acquire certain configuration information, along with its IP
85	   address(es). However, DHCP does not provide any mechanisms to update
86	   the DNS RRs that contain the information about mapping between the
87	   host's FQDN and its IP address(es) (A and PTR RRs). Thus DNS
88	   information for a DHCP client may not exist or may be incorrect - a
89	   host (the client) could acquire its address by using DHCP, but the A
90	   RR for the host's FQDN wouldn't reflect the address that the host
91	   acquired, and the PTR RR for the acquired address wouldn't reflect
92	   the host's FQDN.

94	   The DNS Update protocol can be used to maintain consistency between
95	   the information stored in the A and PTR RRs and the actual address
96	   assignment done via DHCP. When a host with a particular FQDN
97	   acquires its IP address via DHCP, the A RR associated with the
98	   host's FQDN would be updated (by using the DNS Update protocol) to
99	   reflect the new address. Likewise, when an IP address is assigned to
100	   a host with a particular FQDN, the PTR RR associated with this
101	   address would be updated (using the DNS Update protocol) to reflect
102	   the new FQDN.

104	   Although this document refers to the A and PTR DNS record types and
105	   to DHCP assignment of IPv4 addresses, the same procedures and
106	   requirements apply for updates to the analogous RR types that are
107	   used when clients are assigned IPv6 addresses via DHCPv6.

109	3. Models of Operation

111	   When a DHCP client acquires a new address, a site's administrator
112	   may desire that one or both of the A RR for the client's FQDN and
113	   the PTR RR for the acquired address be updated. Therefore, two
114	   separate DNS update transactions may occur. Acquiring an address via
115	   DHCP involves two entities: a DHCP client and a DHCP server. In
116	   principle each of these entities could perform none, one, or both of
117	   the transactions. However, in practice not all permutations make
118	   sense. The DHCP client FQDN option is intended to operate in the
119	   following two cases:

121	   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
122	   2.  DHCP server updates both the A and the PTR RRs

124	   The only difference between these two cases is whether the FQDN to
125	   IP address mapping is updated by a DHCP client or by a DHCP server.
126	   The IP address to FQDN mapping is updated by a DHCP server in both
127	   cases.

129	   The reason these two are important, while others are unlikely, has
130	   to do with authority over the respective DNS domain names. A DHCP
131	   client may be given authority over mapping its own A RRs, or that
132	   authority may be restricted to a server to prevent the client from
133	   listing arbitrary addresses or associating its address with
134	   arbitrary domain names. In all cases, the only reasonable place for
135	   the authority over the PTR RRs associated with the address is in the
136	   DHCP server that allocates the address.

138	   In any case, whether a site permits all, some, or no DHCP servers
139	   and clients to perform DNS updates into the zones which it controls
140	   is entirely a matter of local administrative policy. This document
141	   does not require any specific administrative policy, and does not
142	   propose one. The range of possible policies is very broad, from
143	   sites where only the DHCP servers have been given credentials that
144	   the DNS servers will accept, to sites where each individual DHCP
145	   client has been configured with credentials which allow the client
146	   to modify its own domain name. Compliant implementations MAY support
147	   some or all of these possibilities. Furthermore, this specification
148	   applies only to DHCP client and server processes: it does not apply
149	   to other processes which initiate DNS updates.

151	   This document describes a new DHCP option which a client can use to
152	   convey all or part of its domain name to a DHCP server.
153	   Site-specific policy determines whether DHCP servers use the names
154	   that clients offer or not, and what DHCP servers may do in cases
155	   where clients do not supply domain names.  Another document,
156	   "Resolving Name Conflicts"[13], defines a protocol for arbitrating
157	   conflicts when collisions occur in the use of FQDNs by DHCP clients.

159	4. The Client FQDN Option

161	   To update the IP address to FQDN mapping a DHCP server needs to know
162	   the FQDN of the client to which the server leases the address. To
163	   allow the client to convey its FQDN to the server this document
164	   defines a new DHCP option, called "Client FQDN". The FQDN Option
165	   also contains Flags and RCode fields which DHCP servers can use to
166	   convey information about DNS updates to clients.

168	   Clients MAY send the FQDN option, setting appropriate Flags values,
169	   in both their DISCOVER and REQUEST messages. If a client sends the
170	   FQDN option in its DISCOVER message, it MUST send the option in
171	   subsequent REQUEST messages.

173	   The code for this option is 81. Its minimum length is 4.

175	   The Format of the FQDN Option:

177	        Code   Len    Flags  RCODE1 RCODE2   Domain Name
178	       +------+------+------+------+------+------+--
179	       |  81  |   n  |      |      |      |       ...
180	       +------+------+------+------+------+------+--

182	4.1 The Flags Field

184	   The Format of the Flags Field:

186	        0 1 2 3 4 5 6 7
187	       +-+-+-+-+-+-+-+-+
188	       |  MBZ  |N|E|O|S|
189	       +-+-+-+-+-+-+-+-+

191	   When a DHCP client sends the FQDN option in its DHCPDISCOVER and/or
192	   DHCPREQUEST messages, it sets the least-significant bit (labelled
193	   "S") to indicate that it will not perform any DNS updates, and that
194	   it expects the DHCP server to perform any FQDN-to-IP (the A RR) DNS
195	   update on its behalf. If this bit is clear, the client indicates
196	   that it intends to maintain its own FQDN-to-IP mapping update.

198	   If a DHCP server intends to take responsibility for the A RR update
199	   whether or not the client sending the FQDN option has set the "S"
200	   bit, it sets both the "O" bit and the "S" bit, and sends the FQDN
201	   option in its DHCPOFFER and/or DHCPACK messages.

203	   The data in the Domain Name field may appear in one of two formats:
204	   ASCII, or DNS-style binary encoding (without compression, of
205	   course), as described in RFC1035[2]. A client which sends the FQDN
206	   option MUST set the "E" bit to indicate that the data in the Domain
207	   Name field is DNS binary encoded. If a server receives an FQDN
208	   option from a client, and intends to include an FQDN option in its
209	   reply, it MUST use the same encoding that the client used. The DNS
210	   encoding is recommended. The use of ASCII-encoded domain-names is
211	   fragile, and the use of ASCII encoding in this option should be
212	   considered deprecated.

214	   A client MAY set the "N" flag in its request messages to indicate
215	   that the server should not perform any DNS updates on its behalf. As
216	   we mentioned in Section 3, we believe that in general the DHCP
217	   server will be maintaining DNS PTR records on behalf of clients.
218	   However, there may be deployments in which clients are configured to
219	   perform all necessary DNS updates. The server MAY be configured to
220	   honor this configuration. If the server has been configured to honor
221	   a client's "N" indication, it SHOULD set the "N" bit in fqdn options
222	   which it sends to the client in its OFFER or ACK messages. Clients
223	   which have set the "N" bit in their requests SHOULD use the state of
224	   the "N" bit in server responses to determine whether the server was
225	   prepared to honor the client's indication. If a client has set the
226	   "N" bit but its server does not, the client SHOULD conclude that the
227	   server was not configured to honor the client's suggestion, and that
228	   the server may attempt to perform DNS updates on its behalf.

230	   The remaining bits in the Flags field are reserved for future
231	   assignment. DHCP clients and servers which send the FQDN option MUST
232	   set the MBZ bits to 0, and they MUST ignore values in the part of
233	   the field labelled "MBZ".

235	4.2 The RCODE Fields

237	   The RCODE1 and RCODE2 fields are used by a DHCP server to indicate
238	   to a DHCP client the Response Code from any A or PTR RR DNS updates
239	   it has performed. The server may also use these fields to indicate
240	   whether it has attempted such an update before sending the DHCPACK
241	   message. Each of these fields is one byte long.

243	   Implementors should note that EDNS0 describes a mechanism for
244	   extending the length of a DNS RCODE to 12 bits. EDNS0 is specified
245	   in RFC2671[8]. Only the least-significant 8 bits of the RCODE from a
246	   DNS update will be carried in the Client FQDN DHCP Option. This
247	   provides enough number space to accomodate the RCODEs defined in the
248	   DNS update specification.

250	4.3 The Domain Name Field

252	   The Domain Name part of the option carries all or part of the FQDN
253	   of a DHCP client. A client may be configured with a fully-qualified
254	   domain name, or with a partial name that is not fully-qualified. If
255	   a client knows only part of its name, it MAY send a single label,
256	   indicating that it knows part of the name but does not necessarily
257	   know the zone in which the name is to be embedded. The data in the
258	   Domain Name field may appear in one of two formats: ASCII (with no
259	   terminating NULL), or DNS encoding as specified in RFC1035[2]. If
260	   the DHCP client wishes to use DNS encoding, it MUST set the third
261	   bit in the Flags field (the "E" bit); if it uses ASCII encoding, it
262	   MUST clear the "E" bit.

264	   A DHCP client that can only send a single label using ASCII encoding
265	   includes a series of ASCII characters in the Domain Name field,
266	   excluding the "." (dot) character. The client SHOULD follow the
267	   character-set recommendations of RFC1034[1] and RFC1035[2]. A client
268	   using DNS binary encoding which wants to suggest part of its FQDN
269	   MAY send a non-terminal sequence of labels in the Domain Name part
270	   of the option. Clients and servers should assume that the the name
271	   field contains a fully-qualified name unless one of these
272	   partial-name conditions exists.

274	5. DHCP Client behavior

276	   The following describes the behavior of a DHCP client that
277	   implements the Client FQDN option.

279	   If a client that owns/maintains its own FQDN wants to be responsible
280	   for updating the FQDN to IP address mapping for the FQDN and
281	   address(es) used by the client, then the client MUST include the
282	   Client FQDN option in the DHCPREQUEST message originated by the
283	   client. A DHCP client MAY choose to include the Client FQDN option
284	   in its DISCOVER messages as well as its REQUEST messages. The
285	   least-significant ("S") bit in the Flags field in the option MUST be
286	   set to 0. Once the client's DHCP configuration is completed (the
287	   client receives a DHCPACK message, and successfully completes a
288	   final check on the parameters passed in the message), the client MAY
289	   originate an update for the A RR (associated with the client's
290	   FQDN). The update MUST be originated following the procedures
291	   described in RFC2136[5] and "Resolving Name Conflicts"[13]. If the
292	   DHCP server from which the client is requesting a lease includes the
293	   FQDN option in its ACK message, and if the server sets both the "S"
294	   and the "O" bits (the two least-significant bits) in the option's
295	   flags field, the DHCP client MUST NOT initiate an update for the
296	   name in the Domain Name field.

298	   A client can choose to delegate the responsibility for updating the
299	   FQDN to IP address mapping for the FQDN and address(es) used by the
300	   client to the server.  In order to inform the server of this choice,
301	   the client SHOULD include the Client FQDN option in its DHCPREQUEST
302	   message. The least-significant (or "S") bit in the Flags field in
303	   the option MUST be set to 1. A client which delegates this
304	   responsibility MUST NOT attempt to perform a DNS update for the name
305	   in the Domain Name field of the FQDN option. The client MAY supply
306	   an FQDN in the Client FQDN option, or it MAY supply a single label
307	   (the most-specific label), or it MAY leave that field empty as a
308	   signal to the server to generate an FQDN for the client in any
309	   manner the server chooses.

311	   Since there is a possibility that the DHCP server may be configured
312	   to complete or replace a domain name that the client was configured
313	   to send, the client might find it useful to send the FQDN option in
314	   its DISCOVER messages. If the DHCP server returns different Domain
315	   Name data in its OFFER message, the client could use that data in
316	   performing its own eventual A RR update, or in forming the FQDN
317	   option that it sends in its REQUEST message. There is no requirement
318	   that the client send identical FQDN option data in its DISCOVER and
319	   REQUEST messages. In particular, if a client has sent the FQDN
320	   option to its server, and the configuration of the client changes so
321	   that its notion of its domain name changes, it MAY send the new name
322	   data in an FQDN option when it communicates with the server again.
323	   This may allow the DHCP server to update the name associated with
324	   the PTR record, and, if the server updated the A record representing
325	   the client, to delete that record and attempt an update for the
326	   client's current domain name.

328	   A client that delegates the responsibility for updating the FQDN to
329	   IP address mapping to a server might not receive any indication
330	   (either positive or negative) from the server whether the server was
331	   able to perform the update. In this case the client MAY use a DNS
332	   query to check whether the mapping is updated.

334	   A client MUST set the RCODE1 and RCODE2 fields in the Client FQDN
335	   option to 0 when sending the option.

337	   If a client releases its lease prior to the lease expiration time
338	   and the client is responsible for updating its A RR, the client
339	   SHOULD delete the A RR (following the procedures described in
340	   "Resolving Name Conflicts"[13]) associated with the leased address
341	   before sending a DHCP RELEASE message. Similarly, if a client was
342	   responsible for updating its A RR, but is unable to renew its lease,
343	   the client SHOULD attempt to delete the A RR before its lease
344	   expires. A DHCP client which has not been able to delete an A RR
345	   which it added (because it has lost the use of its DHCP IP address)
346	   should attempt to notify its administrator.

348	6. DHCP Server behavior

350	   When a server receives a DHCPREQUEST message from a client, if the
351	   message contains the Client FQDN option, and the server replies to
352	   the message with a DHCPACK message, the server may be configured to
353	   originate an update for the PTR RR (associated with the address
354	   leased to the client). Any such update MUST be originated following
355	   the procedures described in "Resolving Name Conflicts"[13]. The
356	   server MAY complete the update before the server sends the DHCPACK
357	   message to the client. In this case the RCODE from the update MUST
358	   be carried to the client in the RCODE1 field of the Client FQDN
359	   option in the DHCPACK message. Alternatively, the server MAY send
360	   the DHCPACK message to the client without waiting for the update to
361	   be completed.  In this case the RCODE1 field of the Client FQDN
362	   option in the DHCPACK message MUST be set to 255.  The choice
363	   between the two alternatives is entirely determined by the
364	   configuration of the DHCP server. Servers SHOULD support both
365	   configuration options.

367	   When a server receives a DHCPREQUEST message containing the Client
368	   FQDN option, the server MUST ignore the values carried in the RCODE1
369	   and RCODE2 fields of the option.

371	   In addition, if the Client FQDN option carried in the DHCPREQUEST
372	   message has the "S" bit in its Flags field set, then the server MAY
373	   originate an update for the A RR (associated with the FQDN carried
374	   in the option) if it is configured to do so by the site's
375	   administrator, and if it has the necessary credentials. The server
376	   MAY be configured to use the name supplied in the client's FQDN
377	   option, or it MAY be configured to modify the supplied name, or
378	   substitute a different name.

380	   Any such update MUST be originated following the procedures
381	   described in "Resolving Name Conflicts"[13]. The server MAY
382	   originate the update before the server sends the DHCPACK message to
383	   the client. In this case the RCODE from the update [RFC2136] MUST be
384	   carried to the client in the RCODE2 field of the Client FQDN option
385	   in the DHCPACK message.  Alternatively the server MAY send the
386	   DHCPACK message to the client without waiting for the update to be
387	   completed. In this case the RCODE2 field of the Client FQDN option
388	   in the DHCPACK message MUST be set to 255. The choice between the
389	   two alternatives is entirely up to the DHCP server. In either case,
390	   if the server intends to perform the DNS update and the client's
391	   REQUEST message included the FQDN option, the server SHOULD include
392	   the FQDN option in its ACK message, and MUST set the "S" bit in the
393	   option's Flags field.

395	   Even if the Client FQDN option carried in the DHCPREQUEST message
396	   has the "S" bit in its Flags field clear (indicating that the client
397	   wants to update the A RR), the server MAY be configured by the local
398	   administrator to update the A RR on the client's behalf. A server
399	   which is configured to override the client's preference SHOULD
400	   include an FQDN option in its ACK message, and MUST set both the "O"
401	   and "S" bits in the FQDN option's Flags field. The update MUST be
402	   originated following the procedures described in "Resolving Name
403	   Conflicts"[13]. The server MAY originate the update before the
404	   server sends the DHCPACK message to the client. In this case the
405	   RCODE from the update [RFC2136] MUST be carried to the client in the
406	   RCODE2 field of the Client FQDN option in the DHCPACK message.

408	   Alternatively, the server MAY send the DHCPACK message to the client
409	   without waiting for the update to be completed. In this case the
410	   RCODE2 field of the Client FQDN option in the DHCPACK message MUST
411	   be set to 255. Whether the DNS update occurs before or after the
412	   DHCPACK is sent is entirely up to the DHCP server's configuration.

414	   When a DHCP server sends the Client FQDN option to a client in the
415	   DHCPACK message, the DHCP server SHOULD send its notion of the
416	   complete FQDN for the client in the Domain Name field. The server
417	   MAY simply copy the Domain Name field from the Client FQDN option
418	   that the client sent to the server in the DHCPREQUEST message. The
419	   DHCP server MAY be configured to complete or modify the domain name
420	   which a client sent, or it MAY be configured to substitute a
421	   different name.

423	   If the server initiates a DNS update which is not complete until
424	   after the server has replied to the DHCP client, the server's
425	   interaction with the DNS server may cause the DHCP server to change
426	   the domain name that it associates with the client. This may occur,
427	   for example, if the server detects and resolves a domain-name
428	   conflict. In such cases, the domain name that the server returns to
429	   the dhcp client may change between two dhcp exchanges.

431	   The server MUST use the same encoding format (ASCII or DNS binary
432	   encoding) that the client used in the FQDN option in its
433	   DHCPREQUEST, and MUST set the "E" bit in the option's Flags field
434	   accordingly.

436	   If a client's DHCPREQUEST message doesn't carry the Client FQDN
437	   option (e.g., the client doesn't implement the Client FQDN option),
438	   the server MAY be configured to update either or both of the A and
439	   PTR RRs. The updates MUST be originated following the procedures
440	   described in "Resolving Name Conflicts"[13].

442	   If a server detects that a lease on an address that the server
443	   leases to a client has expired, the server SHOULD delete any PTR RR
444	   which it added via DNS update. In addition, if the server added an A
445	   RR on the client's behalf, the server SHOULD also delete the A RR.
446	   The deletion MUST follow the procedures described in "Resolving Name
447	   Conflicts"[13].

449	   If a server terminates a lease on an address prior to the lease's
450	   expiration time, for instance by sending a DHCPNAK to a client, the
451	   server SHOULD delete any PTR RR which it associated with the address
452	   via DNS Update. In addition, if the server took responsibility for
453	   an A RR, the server SHOULD also delete that A RR. The deletion MUST
454	   follow the procedures described in "Resolving Name Conflicts"[13].

456	7. Security Considerations

458	   Unauthenticated updates to the DNS can lead to tremendous confusion,
459	   through malicious attack or through inadvertent misconfiguration.
460	   Administrators should be wary of permitting unsecured DNS updates to
461	   zones which are exposed to the global Internet. Both DHCP clients
462	   and servers SHOULD use some form of update request origin
463	   authentication procedure (e.g., Secure DNS Dynamic Update[11]) when
464	   performing DNS updates.

466	   Whether a DHCP client may be responsible for updating an FQDN to IP
467	   address mapping or whether this is the responsibility of the DHCP
468	   server is a site-local matter. The choice between the two
469	   alternatives may be based on the security model that is used with
470	   the DNS update protocol (e.g., only a client may have sufficient
471	   credentials to perform updates to the FQDN to IP address mapping for
472	   its FQDN).

474	   Whether a DHCP server is always responsible for updating the FQDN to
475	   IP address mapping (in addition to updating the IP to FQDN mapping),
476	   regardless of the wishes of an individual DHCP client, is also a
477	   site-local matter. The choice between the two alternatives may be
478	   based on the security model that is being used with DNS updates. In
479	   cases where a DHCP server is performing DNS updates on behalf of a
480	   client, the DHCP server should be sure of the DNS name to use for
481	   the client, and of the identity of the client.

483	   Currently, it is difficult for DHCP servers to develop much
484	   confidence in the identities of its clients, given the absence of
485	   entity authentication from the DHCP protocol itself. There are many
486	   ways for a DHCP server to develop a DNS name to use for a client,
487	   but only in certain relatively unusual circumstances will the DHCP
488	   server know for certain the identity of the client. If DHCP
489	   Authentication[10] becomes widely deployed this may become more
490	   customary.

492	   One example of a situation which offers some extra assurances is one
493	   where the DHCP client is connected to a network through an MCNS
494	   cable modem, and the CMTS (head-end) ensures that MAC address
495	   spoofing simply does not occur. Another example of a configuration
496	   that might be trusted is one where clients obtain network access via
497	   a network access server using PPP. The NAS itself might be obtaining
498	   IP addresses via DHCP, encoding a client identification into the
499	   DHCP client-id option.  In this case, the network access server as
500	   well as the DHCP server might be operating within a trusted
501	   environment, in which case the DHCP server could be configured to
502	   trust that the user authentication and authorization procedure of
503	   the remote access server was sufficient, and would therefore trust
504	   the client identification encoded within the DHCP client-id.

506	8. Acknowledgements

508	   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
509	   Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear,
510	   Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield,
511	   Michael Patton, and Glenn Stump for their review and comments.

513	References

515	   [1]   Mockapetris, P., "Domain names - Concepts and Facilities", RFC
516	         1034, Nov 1987.

518	   [2]   Mockapetris, P., "Domain names - Implementation and
519	         Specification", RFC 1035, Nov 1987.

521	   [3]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
522	         March 1997.

524	   [4]   Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
525	         Answers to Commonly asked ``New Internet User'' Questions",
526	         RFC 1594, March 1994.

528	   [5]   Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
529	         Updates in the Domain Name System", RFC 2136, April 1997.

531	   [6]   Bradner, S., "Key words for use in RFCs to Indicate
532	         Requirement Levels", RFC 2119, March 1997.

534	   [7]   Eastlake, D., "Domain Name System Security Extensions", RFC
535	         2535, March 1999.

537	   [8]   Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
538	         August 1999.

540	   [9]   Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
541	         "Secret Key Transaction Authentication for DNS (TSIG)", RFC
542	         2845, May 2000.

544	   [10]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages
545	         (draft-ietf-dhc-authentication-*)", June 1999.

547	   [11]  Wellington, B., "Secure DNS Dynamic Update", RFC 3007,
548	         November 2000.

550	   [12]  Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for encoding
551	         DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", July 2000.

553	   [13]  Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
554	         Clients (draft-ietf-dhc-ddns-resolution-*.txt)", July 2000.

556	Authors' Addresses

558	   Mark Stapp
559	   Cisco Systems, Inc.
560	   250 Apollo Dr.
561	   Chelmsford, MA  01824
562	   USA

564	   Phone: 978.244.8498
565	   EMail: mjs@cisco.com

567	   Yakov Rekhter
568	   Cisco Systems, Inc.
569	   170 Tasman Dr.
570	   San Jose, CA  95134
571	   USA

573	   Phone: 914.235.2128
574	   EMail: yakov@cisco.com

576	Full Copyright Statement

578	   Copyright (C) The Internet Society (2001). All Rights Reserved.

580	   This document and translations of it may be copied and furnished to
581	   others, and derivative works that comment on or otherwise explain it
582	   or assist in its implementation may be prepared, copied, published
583	   and distributed, in whole or in part, without restriction of any
584	   kind, provided that the above copyright notice and this paragraph
585	   are included on all such copies and derivative works. However, this
586	   document itself may not be modified in any way, such as by removing
587	   the copyright notice or references to the Internet Society or other
588	   Internet organizations, except as needed for the purpose of
589	   developing Internet standards in which case the procedures for
590	   copyrights defined in the Internet Standards process must be
591	   followed, or as required to translate it into languages other than
592	   English.

594	   The limited permissions granted above are perpetual and will not be
595	   revoked by the Internet Society or its successors or assigns.

597	   This document and the information contained herein is provided on an
598	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
599	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
600	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
601	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
602	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

604	Acknowledgement

606	   Funding for the RFC editor function is currently provided by the
607	   Internet Society.