idnits 2.17.1 

draft-ietf-dhc-fqdn-option-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 21, 2002) is 7980 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '9' is defined on line 585, but no explicit reference
     was found in the text

  ** Obsolete normative reference: RFC 1594 (ref. '4') (Obsoleted by RFC 2664)

  -- No information found for draft-ietf-dhc-ddns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '7' 

  ** Obsolete normative reference: RFC 2671 (ref. '8') (Obsoleted by RFC 6891)

  ** Obsolete normative reference: RFC 2845 (ref. '9') (Obsoleted by RFC 8945)

  ** Obsolete normative reference: RFC 2279 (ref. '10') (Obsoleted by RFC
     3629)

  ** Obsolete normative reference: RFC 2535 (ref. '11') (Obsoleted by RFC
     4033, RFC 4034, RFC 4035)

  -- No information found for draft-ietf-dhc-authentication- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '13' 


     Summary: 8 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DHC Working Group                                               M. Stapp
3	Internet-Draft                                       Cisco Systems, Inc.
4	Expires: December 20, 2002                                    Y. Rekhter
5	                                                        Juniper Networks
6	                                                           June 21, 2002

8	                      The DHCP Client FQDN Option
9	                  <draft-ietf-dhc-fqdn-option-04.txt>

11	Status of this Memo

13	   This document is an Internet-Draft and is in full conformance with
14	   all provisions of Section 10 of RFC2026.

16	   Internet-Drafts are working documents of the Internet Engineering
17	   Task Force (IETF), its areas, and its working groups. Note that
18	   other groups may also distribute working documents as
19	   Internet-Drafts.

21	   Internet-Drafts are draft documents valid for a maximum of six
22	   months and may be updated, replaced, or obsoleted by other documents
23	   at any time. It is inappropriate to use Internet-Drafts as reference
24	   material or to cite them other than as "work in progress."

26	   The list of current Internet-Drafts can be accessed at
27	   http://www.ietf.org/ietf/1id-abstracts.txt.

29	   The list of Internet-Draft Shadow Directories can be accessed at
30	   http://www.ietf.org/shadow.html.

32	   This Internet-Draft will expire on December 20, 2002.

34	Copyright Notice

36	   Copyright (C) The Internet Society (2002). All Rights Reserved.

38	Abstract

40	   DHCP provides a powerful mechanism for IP host configuration.
41	   However, the configuration capability provided by DHCP does not
42	   include updating DNS, and specifically updating the name to address
43	   and address to name mappings maintained in the DNS.

45	   This document specifies a DHCP option which can be used to exchange
46	   information about a DHCP client's fully-qualified domain name, and
47	   about responsibility for updating DNS RRs related to the client's
48	   DHCP lease.

50	Table of Contents

52	   1.    Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  3
53	   2.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
54	   3.    Models of Operation  . . . . . . . . . . . . . . . . . . . .  3
55	   4.    The Client FQDN Option . . . . . . . . . . . . . . . . . . .  4
56	   4.1   The Flags Field  . . . . . . . . . . . . . . . . . . . . . .  5
57	   4.2   The RCODE Fields . . . . . . . . . . . . . . . . . . . . . .  6
58	   4.3   The Domain Name Field  . . . . . . . . . . . . . . . . . . .  6
59	   4.3.1 Deprecated ASCII Encoding  . . . . . . . . . . . . . . . . .  7
60	   5.    DHCP Client behavior . . . . . . . . . . . . . . . . . . . .  7
61	   6.    DHCP Server Behavior . . . . . . . . . . . . . . . . . . . .  9
62	   7.    Security Considerations  . . . . . . . . . . . . . . . . . . 11
63	   8.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
64	         References . . . . . . . . . . . . . . . . . . . . . . . . . 13
65	         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
66	         Full Copyright Statement . . . . . . . . . . . . . . . . . . 15

68	1. Terminology

70	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
71	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
72	   document are to be interpreted as described in RFC 2119[1].

74	2. Introduction

76	   DNS (RFC1034[2], RFC1035[3]) maintains (among other things) the
77	   information about mapping between hosts' Fully Qualified Domain
78	   Names (FQDNs)[4] and IP addresses assigned to the hosts. The
79	   information is maintained in two types of Resource Records (RRs): A
80	   and PTR. The A RR contains mapping from a FQDN to an IP address; the
81	   PTR RR contains mapping from an IP address to a FQDN.  The DNS
82	   update specification (RFC2136[5]) describes a mechanism that enables
83	   DNS information to be updated over a network.

85	   DHCP[6] provides a mechanism by which a host (a DHCP client) can
86	   acquire certain configuration information, along with its IP
87	   address(es). However, DHCP does not provide any mechanisms to update
88	   the DNS RRs that contain the information about mapping between the
89	   host's FQDN and its IP address(es) (A and PTR RRs). Thus DNS
90	   information for a DHCP client may not exist or may be incorrect - a
91	   host (the client) could acquire its address by using DHCP, but the A
92	   RR for the host's FQDN wouldn't reflect the address that the host
93	   acquired, and the PTR RR for the acquired address wouldn't reflect
94	   the host's FQDN.

96	   The DNS Update protocol can be used to maintain consistency between
97	   the information stored in the A and PTR RRs and the actual address
98	   assignment done via DHCP. When a host with a particular FQDN
99	   acquires its IP address via DHCP, the A RR associated with the
100	   host's FQDN would be updated (by using the DNS Update protocol) to
101	   reflect the new address. Likewise, when an IP address is assigned to
102	   a host with a particular FQDN, the PTR RR associated with this
103	   address would be updated (using the DNS Update protocol) to reflect
104	   the new FQDN.

106	   Although this document refers to the A and PTR DNS record types and
107	   to DHCP assignment of IPv4 addresses, the same procedures and
108	   requirements apply for updates to the analogous RR types that are
109	   used when clients are assigned IPv6 addresses via DHCPv6.

111	3. Models of Operation

113	   When a DHCP client acquires a new address, a site's administrator
114	   may desire that one or both of the A RR for the client's FQDN and
115	   the PTR RR for the acquired address be updated. Therefore, two
116	   separate DNS update transactions may occur. Acquiring an address via
117	   DHCP involves two entities: a DHCP client and a DHCP server. In
118	   principle each of these entities could perform none, one, or both of
119	   the transactions. However, in practice not all permutations make
120	   sense. The DHCP client FQDN option is intended to operate in the
121	   following two cases:

123	   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
124	   2.  DHCP server updates both the A and the PTR RRs

126	   The only difference between these two cases is whether the FQDN to
127	   IP address mapping is updated by a DHCP client or by a DHCP server.
128	   The IP address to FQDN mapping is updated by a DHCP server in both
129	   cases.

131	   The reason these two are important, while others are unlikely, has
132	   to do with authority over the respective DNS domain names. A DHCP
133	   client may be given authority over mapping its own A RRs, or that
134	   authority may be restricted to a server to prevent the client from
135	   listing arbitrary addresses or associating its address with
136	   arbitrary domain names. In all cases, the only reasonable place for
137	   the authority over the PTR RRs associated with the address is in the
138	   DHCP server that allocates the address.

140	   In any case, whether a site permits all, some, or no DHCP servers
141	   and clients to perform DNS updates into the zones which it controls
142	   is entirely a matter of local administrative policy. This document
143	   does not require any specific administrative policy, and does not
144	   propose one. The range of possible policies is very broad, from
145	   sites where only the DHCP servers have been given credentials that
146	   the DNS servers will accept, to sites where each individual DHCP
147	   client has been configured with credentials which allow the client
148	   to modify its own domain name. Compliant implementations MAY support
149	   some or all of these possibilities. Furthermore, this specification
150	   applies only to DHCP client and server processes: it does not apply
151	   to other processes which initiate DNS updates.

153	   This document describes a new DHCP option which a client can use to
154	   convey all or part of its domain name to a DHCP server.
155	   Site-specific policy determines whether DHCP servers use the names
156	   that clients offer or not, and what DHCP servers may do in cases
157	   where clients do not supply domain names.  Another document,
158	   "Resolving Name Conflicts"[7], defines a protocol for establishing
159	   policy and arbitrating conflicts when collisions occur in the use of
160	   FQDNs by DHCP clients.

162	4. The Client FQDN Option

164	   To update the IP address to FQDN mapping a DHCP server needs to know
165	   the FQDN of the client to which the server leases the address. To
166	   allow the client to convey its FQDN to the server this document
167	   defines a new DHCP option, called "Client FQDN". The FQDN Option
168	   also contains Flags and RCode fields which DHCP servers can use to
169	   convey information about DNS updates to clients.

171	   Clients MAY send the FQDN option, setting appropriate Flags values,
172	   in both their DISCOVER and REQUEST messages. If a client sends the
173	   FQDN option in its DISCOVER message, it MUST send the option in
174	   subsequent REQUEST messages.

176	   The code for this option is 81. Its minimum length is 4.

178	   The Format of the FQDN Option:

180	        Code   Len    Flags  RCODE1 RCODE2   Domain Name
181	       +------+------+------+------+------+------+--
182	       |  81  |   n  |      |      |      |       ...
183	       +------+------+------+------+------+------+--

185	4.1 The Flags Field

187	   The Format of the Flags Field:

189	        0 1 2 3 4 5 6 7
190	       +-+-+-+-+-+-+-+-+
191	       |  MBZ  |N|E|O|S|
192	       +-+-+-+-+-+-+-+-+

194	   When a DHCP client sends the FQDN option in its DHCPDISCOVER and/or
195	   DHCPREQUEST messages, it sets the least-significant bit (labelled
196	   "S") to indicate that it will not perform any DNS updates, and that
197	   it expects the DHCP server to perform any FQDN-to-IP (the A RR) DNS
198	   update on its behalf. If this bit is clear, the client indicates
199	   that it intends to maintain its own FQDN-to-IP mapping update.

201	   If a DHCP server intends to take responsibility for the A RR update
202	   whether or not the client sending the FQDN option has set the "S"
203	   bit, it sets both the "O" bit and the "S" bit, and sends the FQDN
204	   option in its DHCPOFFER and/or DHCPACK messages.

206	   The data in the Domain Name field SHOULD appear in DNS-style binary
207	   encoding (without compression, of course), as described in
208	   RFC1035[3]. A client which sends the FQDN option SHOULD use this
209	   encoding. The client MUST set the "E" bit when the data in the
210	   Domain Name field is in DNS binary encoding. If a server receives an
211	   FQDN option from a client, and intends to include an FQDN option in
212	   its reply, it MUST use the same encoding that the client used, and
213	   MUST set the "E" bit accordingly.

215	   Server implementors should note that earlier draft versions of this
216	   specification permitted an ASCII encoding of the domain name.
217	   Clients which implemented this encoding were deployed before this
218	   specification was completed. Server implementors which need to
219	   support these clients should note the section on the deprecated
220	   ASCII encoding (Section 4.3.1).

222	   A client MAY set the "N" flag in its request messages to indicate
223	   that the server should not perform any DNS updates on its behalf. As
224	   we mentioned in Section 3, we believe that in general the DHCP
225	   server will be maintaining DNS PTR records on behalf of clients.
226	   However, there may be deployments in which clients are configured to
227	   perform all desired DNS updates. The server MAY be configured to
228	   honor this configuration. If the server has been configured to honor
229	   a client's "N" indication, it SHOULD set the "N" bit in fqdn options
230	   which it sends to the client in its OFFER or ACK messages. Clients
231	   which have set the "N" bit in their requests SHOULD use the state of
232	   the "N" bit in server responses to determine whether the server was
233	   prepared to honor the client's indication. If a client has set the
234	   "N" bit but its server does not, the client SHOULD conclude that the
235	   server was not configured to honor the client's suggestion, and that
236	   the server may attempt to perform DNS updates on its behalf.

238	   The remaining bits in the Flags field are reserved for future
239	   assignment. DHCP clients and servers which send the FQDN option MUST
240	   set the MBZ bits to 0, and they MUST ignore values in the part of
241	   the field labelled "MBZ".

243	4.2 The RCODE Fields

245	   The RCODE1 and RCODE2 fields are used by a DHCP server to indicate
246	   to a DHCP client the Response Code from any A or PTR RR DNS updates
247	   it has performed. The server may also use these fields to indicate
248	   whether it has attempted such an update before sending the DHCPACK
249	   message. Each of these fields is one byte long.

251	   Implementors should note that EDNS0 describes a mechanism for
252	   extending the length of a DNS RCODE to 12 bits. EDNS0 is specified
253	   in RFC2671[8]. Only the least-significant 8 bits of the RCODE from a
254	   DNS update will be carried in the Client FQDN DHCP Option. This
255	   provides enough number space to accomodate the RCODEs defined in the
256	   DNS update specification.

258	4.3 The Domain Name Field

260	   The Domain Name part of the option carries all or part of the FQDN
261	   of a DHCP client. The data in the Domain Name field SHOULD appear in
262	   uncompressed DNS encoding as specified in RFC1035[3]. If the DHCP
263	   client uses DNS encoding, it MUST set the third bit in the Flags
264	   field (the "E" bit). In order to determine whether a name has
265	   changed between message exchanges, an unambiguous canonical form is
266	   necessary. Eventually, the IETF IDN Working Group is expected to
267	   produce a standard canonicalization specification, and this
268	   specification may be updated to include its standard. Until that
269	   time, servers and clients should be sensitive to canonicalization
270	   when comparing names in the Domain Name field and the name
271	   canonicalization defined in RFC2535[11] MAY be used.

273	   A client may be configured with a fully-qualified domain name, or
274	   with a partial name that is not fully-qualified. If a client knows
275	   only part of its name, it MAY send a name that is not
276	   fully-qualified, indicating that it knows part of the name but does
277	   not necessarily know the zone in which the name is to be embedded. A
278	   client which wants to convey part of its FQDN sends a non-terminal
279	   sequence of labels in the Domain Name part of the option. Clients
280	   and servers should assume that the the name field contains a
281	   fully-qualified name unless this partial-name format exists.

283	4.3.1 Deprecated ASCII Encoding

285	   The DNS encoding specified above MUST be supported by DHCP servers.
286	   However, a substantial population of clients implemented an earlier
287	   version of this specification, which permitted an ASCII encoding of
288	   the Domain Name field. Server implementations should be aware that
289	   clients which send the FQDN option with the "E" bit clear are using
290	   an ASCII version of the Domain Name field. Servers MAY be prepared
291	   to return an ASCII encoded version of the Domain Name field to such
292	   clients. The use of ASCII encoding in this option should be
293	   considered deprecated.

295	   A DHCP client which used ASCII encoding was permitted to suggest a
296	   single label if it was not configured with a fully-qualified name.
297	   Such clients send a single label as a series of ASCII characters in
298	   the Domain Name field, excluding the "." (dot) character. Such
299	   clients SHOULD follow the character-set recommendations of
300	   RFC1034[2] and RFC1035[3].

302	   Server implementors should also be aware that some client software
303	   may attempt to use UTF-8[10] character encoding. This information is
304	   included for informational purposes only: this specification does
305	   not require any support for UTF-8.

307	5. DHCP Client behavior

309	   The following describes the behavior of a DHCP client that
310	   implements the Client FQDN option.

312	   Other DHCP options may carry data that is related to the Domain-Name
313	   part of the FQDN option. The Host-Name option, for example, contains
314	   an ASCII string representation of the client's host-name. In
315	   general, a client should not need to send redundant data, and
316	   therefore clients which send the FQDN option in their messages MUST
317	   NOT also send the Host-Name option. Clients which receive both the
318	   Host-Name option and the FQDN option from a server SHOULD prefer
319	   FQDN option data. Servers will be asked in Section 6 to ignore the
320	   Host-Name option in client messages which include the FQDN option.

322	   If a client that owns/maintains its own FQDN wants to be responsible
323	   for updating the FQDN to IP address mapping for the FQDN and
324	   address(es) used by the client, then the client MUST include the
325	   Client FQDN option in the DHCPREQUEST message originated by the
326	   client. A DHCP client MAY choose to include the Client FQDN option
327	   in its DISCOVER messages as well as its REQUEST messages. The
328	   least-significant ("S") bit in the Flags field in the option MUST be
329	   set to 0. Once the client's DHCP configuration is completed (the
330	   client receives a DHCPACK message, and successfully completes a
331	   final check on the parameters passed in the message), the client MAY
332	   originate an update for the A RR (associated with the client's
333	   FQDN). The update SHOULD be originated following the procedures
334	   described in RFC2136[5] and "Resolving Name Conflicts"[7]. If the
335	   DHCP server from which the client is requesting a lease includes the
336	   FQDN option in its ACK message, and if the server sets both the "S"
337	   and the "O" bits (the two least-significant bits) in the option's
338	   flags field, the DHCP client MUST NOT initiate an update for the
339	   name in the Domain Name field.

341	   A client can choose to delegate the responsibility for updating the
342	   FQDN to IP address mapping for the FQDN and address(es) used by the
343	   client to the server.  In order to inform the server of this choice,
344	   the client SHOULD include the Client FQDN option in its DHCPREQUEST
345	   message. The least-significant (or "S") bit in the Flags field in
346	   the option MUST be set to 1. A client which delegates this
347	   responsibility MUST NOT attempt to perform a DNS update for the name
348	   in the Domain Name field of the FQDN option. The client MAY supply
349	   an FQDN in the Client FQDN option, or it MAY supply a single label
350	   (the most-specific label), or it MAY leave that field empty as a
351	   signal to the server to generate an FQDN for the client in any
352	   manner the server chooses.

354	   Since there is a possibility that the DHCP server may be configured
355	   to complete or replace a domain name that the client was configured
356	   to send, the client might find it useful to send the FQDN option in
357	   its DISCOVER messages. If the DHCP server returns different Domain
358	   Name data in its OFFER message, the client could use that data in
359	   performing its own eventual A RR update, or in forming the FQDN
360	   option that it sends in its REQUEST message. There is no requirement
361	   that the client send identical FQDN option data in its DISCOVER and
362	   REQUEST messages. In particular, if a client has sent the FQDN
363	   option to its server, and the configuration of the client changes so
364	   that its notion of its domain name changes, it MAY send the new name
365	   data in an FQDN option when it communicates with the server again.
366	   This may allow the DHCP server to update the name associated with
367	   the PTR record, and, if the server updated the A record representing
368	   the client, to delete that record and attempt an update for the
369	   client's current domain name.

371	   A client that delegates the responsibility for updating the FQDN to
372	   IP address mapping to a server might not receive any indication
373	   (either positive or negative) from the server whether the server was
374	   able to perform the update. In this case the client MAY use a DNS
375	   query to check whether the mapping is updated.

377	   A client MUST set the RCODE1 and RCODE2 fields in the Client FQDN
378	   option to 0 when sending the option.

380	   If a client releases its lease prior to the lease expiration time
381	   and the client is responsible for updating its A RR, the client
382	   SHOULD delete the A RR (following the procedures described in
383	   "Resolving Name Conflicts"[7]) associated with the leased address
384	   before sending a DHCP RELEASE message. Similarly, if a client was
385	   responsible for updating its A RR, but is unable to renew its lease,
386	   the client SHOULD attempt to delete the A RR before its lease
387	   expires. A DHCP client which has not been able to delete an A RR
388	   which it added (because it has lost the use of its DHCP IP address)
389	   should attempt to notify its administrator, perhaps by emitting a
390	   log message.

392	6. DHCP Server Behavior

394	   When a server receives a DHCPREQUEST message from a client, if the
395	   message contains the Client FQDN option, and the server replies to
396	   the message with a DHCPACK message, the server may be configured to
397	   originate an update for the PTR RR (associated with the address
398	   leased to the client). Any such update SHOULD be originated
399	   following the procedures described in "Resolving Name Conflicts"[7].
400	   The server MAY complete the update before the server sends the
401	   DHCPACK message to the client. In this case the RCODE from the
402	   update MUST be carried to the client in the RCODE1 field of the
403	   Client FQDN option in the DHCPACK message. Alternatively, the server
404	   MAY send the DHCPACK message to the client without waiting for the
405	   update to be completed.  In this case the RCODE1 field of the Client
406	   FQDN option in the DHCPACK message MUST be set to 255.  The choice
407	   between the two alternatives is entirely determined by the
408	   configuration of the DHCP server. Servers SHOULD support both
409	   configuration options.

411	   When a server receives a DHCPREQUEST message containing the Client
412	   FQDN option, the server MUST ignore the values carried in the RCODE1
413	   and RCODE2 fields of the option.

415	   In addition, if the Client FQDN option carried in the DHCPREQUEST
416	   message has the "S" bit in its Flags field set, then the server MAY
417	   originate an update for the A RR (associated with the FQDN carried
418	   in the option) if it is configured to do so by the site's
419	   administrator, and if it has the necessary credentials. The server
420	   MAY be configured to use the name supplied in the client's FQDN
421	   option, or it MAY be configured to modify the supplied name, or
422	   substitute a different name.

424	   Any such update SHOULD be originated following the procedures
425	   described in "Resolving Name Conflicts"[7]. The server MAY originate
426	   the update before the server sends the DHCPACK message to the
427	   client. In this case the RCODE from the update RFC2136[5] MUST be
428	   carried to the client in the RCODE2 field of the Client FQDN option
429	   in the DHCPACK message.  Alternatively the server MAY send the
430	   DHCPACK message to the client without waiting for the update to be
431	   completed. In this case the RCODE2 field of the Client FQDN option
432	   in the DHCPACK message MUST be set to 255. The choice between the
433	   two alternatives is entirely a matter of the DHCP server's
434	   configuration. In either case, if the server intends to perform the
435	   DNS update and the client's REQUEST message included the FQDN
436	   option, the server SHOULD include the FQDN option in its ACK
437	   message. If the server includes the FQDN option, it MUST set the "S"
438	   bit in the option's Flags field and MUST clear the "O" bit.

440	   Even if the Client FQDN option carried in the DHCPREQUEST message
441	   has the "S" bit in its Flags field clear (indicating that the client
442	   wants to update the A RR), the server MAY be configured by the local
443	   administrator to update the A RR on the client's behalf. A server
444	   which is configured to override the client's preference SHOULD
445	   include an FQDN option in its ACK message, and MUST set both the "O"
446	   and "S" bits in the FQDN option's Flags field. The update SHOULD be
447	   originated following the procedures described in "Resolving Name
448	   Conflicts"[7]. The server MAY originate the update before the server
449	   sends the DHCPACK message to the client. In this case the RCODE from
450	   the update RFC2136[5] MUST be carried to the client in the RCODE2
451	   field of the Client FQDN option in the DHCPACK message.
452	   Alternatively, the server MAY send the DHCPACK message to the client
453	   without waiting for the update to be completed. In this case the
454	   RCODE2 field of the Client FQDN option in the DHCPACK message MUST
455	   be set to 255. Whether the DNS update occurs before or after the
456	   DHCPACK is sent is entirely up to the DHCP server's configuration.

458	   When a DHCP server sends the Client FQDN option to a client in the
459	   DHCPACK message, the DHCP server SHOULD send its notion of the
460	   complete FQDN for the client in the Domain Name field. The server
461	   MAY simply copy the Domain Name field from the Client FQDN option
462	   that the client sent to the server in the DHCPREQUEST message. The
463	   DHCP server MAY be configured to complete or modify the domain name
464	   which a client sent, or it MAY be configured to substitute a
465	   different name.

467	   If the server initiates a DNS update that is not complete until
468	   after the server has replied to the DHCP client, the server's
469	   interaction with the DNS server may cause the DHCP server to change
470	   the domain name that it associates with the client. This may occur,
471	   for example, if the server detects and resolves a domain-name
472	   conflict. In such cases, the domain name that the server returns to
473	   the dhcp client may change between two dhcp exchanges.

475	   The server MUST use the same encoding format (ASCII or DNS binary
476	   encoding) that the client used in the FQDN option in its
477	   DHCPREQUEST, and MUST set the "E" bit in the option's Flags field
478	   accordingly.

480	   If a client's DHCPREQUEST message doesn't carry the Client FQDN
481	   option (e.g., the client doesn't implement the Client FQDN option),
482	   the server MAY be configured to update either or both of the A and
483	   PTR RRs. The updates SHOULD be originated following the procedures
484	   described in "Resolving Name Conflicts"[7].

486	   If a server detects that a lease on an address that the server
487	   leases to a client has expired, the server SHOULD delete any PTR RR
488	   which it added via DNS update. In addition, if the server added an A
489	   RR on the client's behalf, the server SHOULD also delete the A RR.
490	   The deletion SHOULD follow the procedures described in "Resolving
491	   Name Conflicts"[7].

493	   If a server terminates a lease on an address prior to the lease's
494	   expiration time, for instance by sending a DHCPNAK to a client, the
495	   server SHOULD delete any PTR RR which it associated with the address
496	   via DNS Update. In addition, if the server took responsibility for
497	   an A RR, the server SHOULD also delete that A RR. The deletion
498	   SHOULD follow the procedures described in "Resolving Name
499	   Conflicts"[7].

501	7. Security Considerations

503	   Unauthenticated updates to the DNS can lead to tremendous confusion,
504	   through malicious attack or through inadvertent misconfiguration.
505	   Administrators should be wary of permitting unsecured DNS updates to
506	   zones which are exposed to the global Internet. Both DHCP clients
507	   and servers SHOULD use some form of update request origin
508	   authentication procedure (e.g., Secure DNS Dynamic Update[12]) when
509	   performing DNS updates.

511	   Whether a DHCP client may be responsible for updating an FQDN to IP
512	   address mapping or whether this is the responsibility of the DHCP
513	   server is a site-local matter. The choice between the two
514	   alternatives may be based on the security model that is used with
515	   the DNS update protocol (e.g., only a client may have sufficient
516	   credentials to perform updates to the FQDN to IP address mapping for
517	   its FQDN).

519	   Whether a DHCP server is always responsible for updating the FQDN to
520	   IP address mapping (in addition to updating the IP to FQDN mapping),
521	   regardless of the wishes of an individual DHCP client, is also a
522	   site-local matter. The choice between the two alternatives may be
523	   based on the security model that is being used with DNS updates. In
524	   cases where a DHCP server is performing DNS updates on behalf of a
525	   client, the DHCP server should be sure of the DNS name to use for
526	   the client, and of the identity of the client.

528	   Currently, it is difficult for DHCP servers to develop much
529	   confidence in the identities of its clients, given the absence of
530	   entity authentication from the DHCP protocol itself. There are many
531	   ways for a DHCP server to develop a DNS name to use for a client,
532	   but only in certain relatively unusual circumstances will the DHCP
533	   server know for certain the identity of the client. If DHCP
534	   Authentication[13] becomes widely deployed this may become more
535	   customary.

537	   One example of a situation which offers some extra assurances is one
538	   where the DHCP client is connected to a network through an MCNS
539	   cable modem, and the CMTS (head-end) ensures that MAC address
540	   spoofing simply does not occur. Another example of a configuration
541	   that might be trusted is one where clients obtain network access via
542	   a network access server using PPP. The NAS itself might be obtaining
543	   IP addresses via DHCP, encoding a client identification into the
544	   DHCP client-id option.  In this case, the network access server as
545	   well as the DHCP server might be operating within a trusted
546	   environment, in which case the DHCP server could be configured to
547	   trust that the user authentication and authorization procedure of
548	   the remote access server was sufficient, and would therefore trust
549	   the client identification encoded within the DHCP client-id.

551	8. Acknowledgements

553	   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
554	   Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear,
555	   Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield,
556	   Michael Patton, and Glenn Stump for their review and comments.

558	References

560	   [1]   Bradner, S., "Key words for use in RFCs to Indicate
561	         Requirement Levels", RFC 2119, March 1997.

563	   [2]   Mockapetris, P., "Domain names - Concepts and Facilities", RFC
564	         1034, Nov 1987.

566	   [3]   Mockapetris, P., "Domain names - Implementation and
567	         Specification", RFC 1035, Nov 1987.

569	   [4]   Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
570	         Answers to Commonly asked ``New Internet User'' Questions",
571	         RFC 1594, March 1994.

573	   [5]   Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
574	         Updates in the Domain Name System", RFC 2136, April 1997.

576	   [6]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
577	         March 1997.

579	   [7]   Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
580	         Clients (draft-ietf-dhc-ddns-resolution-*.txt)", July 2000.

582	   [8]   Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
583	         August 1999.

585	   [9]   Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
586	         "Secret Key Transaction Authentication for DNS (TSIG)", RFC
587	         2845, May 2000.

589	   [10]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
590	         RFC 2279, January 1998.

592	   [11]  Eastlake, D., "Domain Name System Security Extensions", RFC
593	         2535, March 1999.

595	   [12]  Wellington, B., "Secure DNS Dynamic Update", RFC 3007,
596	         November 2000.

598	   [13]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages
599	         (draft-ietf-dhc-authentication-*)", June 1999.

601	Authors' Addresses

603	   Mark Stapp
604	   Cisco Systems, Inc.
605	   250 Apollo Dr.
606	   Chelmsford, MA  01824
607	   USA

609	   Phone: 978.244.8498
610	   EMail: mjs@cisco.com

612	   Yakov Rekhter
613	   Juniper Networks
614	   1194 North Mathilda Avenue
615	   Sunnyvale, CA  94089
616	   USA

618	   Phone: 408.745.2000
619	   EMail: yakov@juniper.net

621	Full Copyright Statement

623	   Copyright (C) The Internet Society (2002). All Rights Reserved.

625	   This document and translations of it may be copied and furnished to
626	   others, and derivative works that comment on or otherwise explain it
627	   or assist in its implementation may be prepared, copied, published
628	   and distributed, in whole or in part, without restriction of any
629	   kind, provided that the above copyright notice and this paragraph
630	   are included on all such copies and derivative works. However, this
631	   document itself may not be modified in any way, such as by removing
632	   the copyright notice or references to the Internet Society or other
633	   Internet organizations, except as needed for the purpose of
634	   developing Internet standards in which case the procedures for
635	   copyrights defined in the Internet Standards process must be
636	   followed, or as required to translate it into languages other than
637	   English.

639	   The limited permissions granted above are perpetual and will not be
640	   revoked by the Internet Society or its successors or assigns.

642	   This document and the information contained herein is provided on an
643	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
644	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
645	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
646	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
647	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

649	Acknowledgement

651	   Funding for the RFC editor function is currently provided by the
652	   Internet Society.