idnits 2.17.1 

draft-ietf-dhc-fqdn-option-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 27, 2003) is 7479 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '9' is defined on line 588, but no explicit reference
     was found in the text

  -- No information found for draft-ietf-dhc-ddns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '6' 

  -- Obsolete informational reference (is this intentional?): RFC 1594 (ref.
     '7') (Obsoleted by RFC 2664)

  -- Obsolete informational reference (is this intentional?): RFC 2671 (ref.
     '8') (Obsoleted by RFC 6891)

  -- Obsolete informational reference (is this intentional?): RFC 2845 (ref.
     '9') (Obsoleted by RFC 8945)

  -- Obsolete informational reference (is this intentional?): RFC 2279 (ref.
     '10') (Obsoleted by RFC 3629)

  -- Obsolete informational reference (is this intentional?): RFC 2535 (ref.
     '11') (Obsoleted by RFC 4033, RFC 4034, RFC 4035)


     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DHC Working Group                                               M. Stapp
3	Internet-Draft                                       Cisco Systems, Inc.
4	Expires: April 26, 2004                                       Y. Rekhter
5	                                                        Juniper Networks
6	                                                        October 27, 2003

8	                      The DHCP Client FQDN Option
9	                  <draft-ietf-dhc-fqdn-option-06.txt>

11	Status of this Memo

13	   This document is an Internet-Draft and is in full conformance with
14	   all provisions of Section 10 of RFC2026.

16	   Internet-Drafts are working documents of the Internet Engineering
17	   Task Force (IETF), its areas, and its working groups. Note that
18	   other groups may also distribute working documents as
19	   Internet-Drafts.

21	   Internet-Drafts are draft documents valid for a maximum of six
22	   months and may be updated, replaced, or obsoleted by other documents
23	   at any time. It is inappropriate to use Internet-Drafts as reference
24	   material or to cite them other than as "work in progress."

26	   The list of current Internet-Drafts can be accessed at
27	   http://www.ietf.org/ietf/1id-abstracts.txt.

29	   The list of Internet-Draft Shadow Directories can be accessed at
30	   http://www.ietf.org/shadow.html.

32	   This Internet-Draft will expire on April 26, 2004.

34	Copyright Notice

36	   Copyright (C) The Internet Society (2003). All Rights Reserved.

38	Abstract

40	   DHCP provides a powerful mechanism for IP host configuration.
41	   However, the configuration capability provided by DHCP does not
42	   include updating DNS, and specifically updating the name to address
43	   and address to name mappings maintained in the DNS.

45	   This document specifies a DHCP option which can be used to exchange
46	   information about a DHCP client's fully-qualified domain name, and
47	   about responsibility for updating DNS RRs related to the client's
48	   DHCP lease.

50	Table of Contents

52	   1.    Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  3
53	   2.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
54	   3.    Models of Operation  . . . . . . . . . . . . . . . . . . . .  3
55	   4.    The Client FQDN Option . . . . . . . . . . . . . . . . . . .  4
56	   4.1   The Flags Field  . . . . . . . . . . . . . . . . . . . . . .  5
57	   4.2   The RCODE Fields . . . . . . . . . . . . . . . . . . . . . .  6
58	   4.3   The Domain Name Field  . . . . . . . . . . . . . . . . . . .  6
59	   4.3.1 Deprecated ASCII Encoding  . . . . . . . . . . . . . . . . .  7
60	   5.    DHCP Client behavior . . . . . . . . . . . . . . . . . . . .  7
61	   6.    DHCP Server Behavior . . . . . . . . . . . . . . . . . . . .  9
62	   7.    Security Considerations  . . . . . . . . . . . . . . . . . . 11
63	   8.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
64	         References . . . . . . . . . . . . . . . . . . . . . . . . . 13
65	         References . . . . . . . . . . . . . . . . . . . . . . . . . 13
66	         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
67	         Full Copyright Statement . . . . . . . . . . . . . . . . . . 15

69	1. Terminology

71	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
72	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
73	   document are to be interpreted as described in RFC 2119[1].

75	2. Introduction

77	   DNS (RFC 1034[2], RFC 1035[3]) maintains (among other things) the
78	   information about mapping between hosts' Fully Qualified Domain
79	   Names (FQDNs)[7] and IP addresses assigned to the hosts. The
80	   information is maintained in two types of Resource Records (RRs): A
81	   and PTR. The A RR contains mapping from a FQDN to an IP address; the
82	   PTR RR contains mapping from an IP address to a FQDN.  The DNS
83	   update specification (RFC 2136[4]) describes a mechanism that
84	   enables DNS information to be updated over a network.

86	   DHCP[5] provides a mechanism by which a host (a DHCP client) can
87	   acquire certain configuration information, along with its IP
88	   address(es). However, DHCP does not provide any mechanisms to update
89	   the DNS RRs that contain the information about mapping between the
90	   host's FQDN and its IP address(es) (A and PTR RRs). Thus DNS
91	   information for a DHCP client may not exist or may be incorrect - a
92	   host (the client) could acquire its address by using DHCP, but the A
93	   RR for the host's FQDN wouldn't reflect the address that the host
94	   acquired, and the PTR RR for the acquired address wouldn't reflect
95	   the host's FQDN.

97	   The DNS Update protocol can be used to maintain consistency between
98	   the information stored in the A and PTR RRs and the actual address
99	   assignment done via DHCP. When a host with a particular FQDN
100	   acquires its IP address via DHCP, the A RR associated with the
101	   host's FQDN would be updated (by using the DNS Update protocol) to
102	   reflect the new address. Likewise, when an IP address is assigned to
103	   a host with a particular FQDN, the PTR RR associated with this
104	   address would be updated (using the DNS Update protocol) to reflect
105	   the new FQDN.

107	   Although this document refers to the A and PTR DNS record types and
108	   to DHCP assignment of IPv4 addresses, the same procedures and
109	   requirements apply for updates to the analogous RR types that are
110	   used when clients are assigned IPv6 addresses via DHCPv6.

112	3. Models of Operation

114	   When a DHCP client acquires a new address, a site's administrator
115	   may desire that one or both of the A RR for the client's FQDN and
116	   the PTR RR for the acquired address be updated. Therefore, two
117	   separate DNS update transactions may occur. Acquiring an address via
118	   DHCP involves two entities: a DHCP client and a DHCP server. In
119	   principle each of these entities could perform none, one, or both of
120	   the transactions. However, in practice not all permutations make
121	   sense. The DHCP client FQDN option is intended to operate in the
122	   following two cases:

124	   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
125	   2.  DHCP server updates both the A and the PTR RRs

127	   The only difference between these two cases is whether the FQDN to
128	   IP address mapping is updated by a DHCP client or by a DHCP server.
129	   The IP address to FQDN mapping is updated by a DHCP server in both
130	   cases.

132	   The reason these two are important, while others are unlikely, has
133	   to do with authority over the respective DNS domain names. A DHCP
134	   client may be given authority over mapping its own A RRs, or that
135	   authority may be restricted to a server to prevent the client from
136	   listing arbitrary addresses or associating its address with
137	   arbitrary domain names. In all cases, the only reasonable place for
138	   the authority over the PTR RRs associated with the address is in the
139	   DHCP server that allocates the address.

141	   In any case, whether a site permits all, some, or no DHCP servers
142	   and clients to perform DNS updates into the zones which it controls
143	   is entirely a matter of local administrative policy. This document
144	   does not require any specific administrative policy, and does not
145	   propose one. The range of possible policies is very broad, from
146	   sites where only the DHCP servers have been given credentials that
147	   the DNS servers will accept, to sites where each individual DHCP
148	   client has been configured with credentials which allow the client
149	   to modify its own domain name. Compliant implementations MAY support
150	   some or all of these possibilities. Furthermore, this specification
151	   applies only to DHCP client and server processes: it does not apply
152	   to other processes which initiate DNS updates.

154	   This document describes a new DHCP option which a client can use to
155	   convey all or part of its domain name to a DHCP server.
156	   Site-specific policy determines whether DHCP servers use the names
157	   that clients offer or not, and what DHCP servers may do in cases
158	   where clients do not supply domain names.  Another document,
159	   "Resolving Name Conflicts"[6], defines a protocol for establishing
160	   policy and arbitrating conflicts when collisions occur in the use of
161	   FQDNs by DHCP clients.

163	4. The Client FQDN Option

165	   To update the IP address to FQDN mapping a DHCP server needs to know
166	   the FQDN of the client to which the server leases the address. To
167	   allow the client to convey its FQDN to the server this document
168	   defines a new DHCP option, called "Client FQDN". The FQDN Option
169	   also contains Flags and RCode fields which DHCP servers can use to
170	   convey information about DNS updates to clients.

172	   Clients MAY send the FQDN option, setting appropriate Flags values,
173	   in both their DISCOVER and REQUEST messages. If a client sends the
174	   FQDN option in its DISCOVER message, it MUST send the option in
175	   subsequent REQUEST messages.

177	   The code for this option is 81. Its minimum length is 4.

179	   The Format of the FQDN Option:

181	        Code   Len    Flags  RCODE1 RCODE2   Domain Name
182	       +------+------+------+------+------+------+--
183	       |  81  |   n  |      |      |      |       ...
184	       +------+------+------+------+------+------+--

186	4.1 The Flags Field

188	   The Format of the Flags Field:

190	        0 1 2 3 4 5 6 7
191	       +-+-+-+-+-+-+-+-+
192	       |  MBZ  |N|E|O|S|
193	       +-+-+-+-+-+-+-+-+

195	   When a DHCP client sends the FQDN option in its DHCPDISCOVER and/or
196	   DHCPREQUEST messages, it sets the least-significant bit (labelled
197	   "S") to indicate that it will not perform any DNS updates, and that
198	   it expects the DHCP server to perform any FQDN-to-IP (the A RR) DNS
199	   update on its behalf. If this bit is clear, the client indicates
200	   that it intends to maintain its own FQDN-to-IP mapping update.

202	   If a DHCP server intends to take responsibility for the A RR update
203	   whether or not the client sending the FQDN option has set the "S"
204	   bit, it sets both the "O" bit and the "S" bit, and sends the FQDN
205	   option in its DHCPOFFER and/or DHCPACK messages.

207	   The data in the Domain Name field SHOULD appear in DNS-style binary
208	   encoding (without compression, of course), as described in RFC
209	   1035[3]. A client which sends the FQDN option SHOULD use this
210	   encoding. The client MUST set the "E" bit when the data in the
211	   Domain Name field is in DNS binary encoding. If a server receives an
212	   FQDN option from a client, and intends to include an FQDN option in
213	   its reply, it MUST use the same encoding that the client used, and
214	   MUST set the "E" bit accordingly.

216	   Server implementors should note that earlier draft versions of this
217	   specification permitted an ASCII encoding of the domain name.
218	   Clients which implemented this encoding were deployed before this
219	   specification was completed. Server implementors which need to
220	   support these clients should note the section on the deprecated
221	   ASCII encoding (Section 4.3.1).

223	   A client MAY set the "N" flag in its request messages to indicate
224	   that the server should not perform any DNS updates on its behalf. As
225	   we mentioned in Section 3, we believe that in general the DHCP
226	   server will be maintaining DNS PTR records on behalf of clients.
227	   However, there may be deployments in which clients are configured to
228	   perform all desired DNS updates. The server MAY be configured to
229	   honor this configuration. If the server has been configured to honor
230	   a client's "N" indication, it SHOULD set the "N" bit in fqdn options
231	   which it sends to the client in its OFFER or ACK messages. Clients
232	   which have set the "N" bit in their requests SHOULD use the state of
233	   the "N" bit in server responses to determine whether the server was
234	   prepared to honor the client's indication. If a client has set the
235	   "N" bit but its server does not, the client SHOULD conclude that the
236	   server was not configured to honor the client's suggestion, and that
237	   the server may attempt to perform DNS updates on its behalf.

239	   The remaining bits in the Flags field are reserved for future
240	   assignment. DHCP clients and servers which send the FQDN option MUST
241	   set the MBZ bits to 0, and they MUST ignore values in the part of
242	   the field labelled "MBZ".

244	4.2 The RCODE Fields

246	   The RCODE1 and RCODE2 fields are used by a DHCP server to indicate
247	   to a DHCP client the Response Code from any A or PTR RR DNS updates
248	   it has performed. The server may also use these fields to indicate
249	   whether it has attempted such an update before sending the DHCPACK
250	   message. Each of these fields is one byte long.

252	   Implementors should note that EDNS0 describes a mechanism for
253	   extending the length of a DNS RCODE to 12 bits. EDNS0 is specified
254	   in RFC 2671[8]. Only the least-significant 8 bits of the RCODE from
255	   a DNS update will be carried in the Client FQDN DHCP Option. This
256	   provides enough number space to accomodate the RCODEs defined in the
257	   DNS update specification.

259	4.3 The Domain Name Field

261	   The Domain Name part of the option carries all or part of the FQDN
262	   of a DHCP client. The data in the Domain Name field SHOULD appear in
263	   uncompressed DNS encoding as specified in RFC 1035[3]. If the DHCP
264	   client uses DNS encoding, it MUST set the third bit in the Flags
265	   field (the "E" bit). In order to determine whether a name has
266	   changed between message exchanges, an unambiguous canonical form is
267	   necessary. Eventually, the IETF IDN Working Group is expected to
268	   produce a standard canonicalization specification, and this
269	   specification may be updated to include its standard. Until that
270	   time, servers and clients should be sensitive to canonicalization
271	   when comparing names in the Domain Name field and the name
272	   canonicalization defined in RFC 2535[11] MAY be used.

274	   A client may be configured with a fully-qualified domain name, or
275	   with a partial name that is not fully-qualified. If a client knows
276	   only part of its name, it MAY send a name that is not
277	   fully-qualified, indicating that it knows part of the name but does
278	   not necessarily know the zone in which the name is to be embedded. A
279	   client which wants to convey part of its FQDN sends a non-terminal
280	   sequence of labels in the Domain Name part of the option. Clients
281	   and servers should assume that the the name field contains a
282	   fully-qualified name unless this partial-name format exists.

284	4.3.1 Deprecated ASCII Encoding

286	   The DNS encoding specified above MUST be supported by DHCP servers.
287	   However, a substantial population of clients implemented an earlier
288	   version of this specification, which permitted an ASCII encoding of
289	   the Domain Name field. Server implementations should be aware that
290	   clients which send the FQDN option with the "E" bit clear are using
291	   an ASCII version of the Domain Name field. Servers MAY be prepared
292	   to return an ASCII encoded version of the Domain Name field to such
293	   clients. The use of ASCII encoding in this option should be
294	   considered deprecated.

296	   A DHCP client which used ASCII encoding was permitted to suggest a
297	   single label if it was not configured with a fully-qualified name.
298	   Such clients send a single label as a series of ASCII characters in
299	   the Domain Name field, excluding the "." (dot) character. Such
300	   clients SHOULD follow the character-set recommendations of RFC
301	   1034[2] and RFC 1035[3].

303	   Server implementors should also be aware that some client software
304	   may attempt to use UTF-8[10] character encoding. This information is
305	   included for informational purposes only: this specification does
306	   not require any support for UTF-8.

308	5. DHCP Client behavior

310	   The following describes the behavior of a DHCP client that
311	   implements the Client FQDN option.

313	   Other DHCP options may carry data that is related to the Domain-Name
314	   part of the FQDN option. The Host-Name option, for example, contains
315	   an ASCII string representation of the client's host-name. In
316	   general, a client should not need to send redundant data, and
317	   therefore clients which send the FQDN option in their messages MUST
318	   NOT also send the Host-Name option. Clients which receive both the
319	   Host-Name option and the FQDN option from a server SHOULD prefer
320	   FQDN option data. Servers will be asked in Section 6 to ignore the
321	   Host-Name option in client messages which include the FQDN option.

323	   If a client that owns/maintains its own FQDN wants to be responsible
324	   for updating the FQDN to IP address mapping for the FQDN and
325	   address(es) used by the client, then the client MUST include the
326	   Client FQDN option in the DHCPREQUEST message originated by the
327	   client. A DHCP client MAY choose to include the Client FQDN option
328	   in its DISCOVER messages as well as its REQUEST messages. The
329	   least-significant ("S") bit in the Flags field in the option MUST be
330	   set to 0. Once the client's DHCP configuration is completed (the
331	   client receives a DHCPACK message, and successfully completes a
332	   final check on the parameters passed in the message), the client MAY
333	   originate an update for the A RR (associated with the client's
334	   FQDN). The update SHOULD be originated following the procedures
335	   described in RFC 2136[4] and "Resolving Name Conflicts"[6]. If the
336	   DHCP server from which the client is requesting a lease includes the
337	   FQDN option in its ACK message, and if the server sets both the "S"
338	   and the "O" bits (the two least-significant bits) in the option's
339	   flags field, the DHCP client MUST NOT initiate an update for the
340	   name in the Domain Name field.

342	   A client can choose to delegate the responsibility for updating the
343	   FQDN to IP address mapping for the FQDN and address(es) used by the
344	   client to the server.  In order to inform the server of this choice,
345	   the client SHOULD include the Client FQDN option in its DHCPREQUEST
346	   message. The least-significant (or "S") bit in the Flags field in
347	   the option MUST be set to 1. A client which delegates this
348	   responsibility MUST NOT attempt to perform a DNS update for the name
349	   in the Domain Name field of the FQDN option. The client MAY supply
350	   an FQDN in the Client FQDN option, or it MAY supply a single label
351	   (the most-specific label), or it MAY leave that field empty as a
352	   signal to the server to generate an FQDN for the client in any
353	   manner the server chooses.

355	   Since there is a possibility that the DHCP server may be configured
356	   to complete or replace a domain name that the client was configured
357	   to send, the client might find it useful to send the FQDN option in
358	   its DISCOVER messages. If the DHCP server returns different Domain
359	   Name data in its OFFER message, the client could use that data in
360	   performing its own eventual A RR update, or in forming the FQDN
361	   option that it sends in its REQUEST message. There is no requirement
362	   that the client send identical FQDN option data in its DISCOVER and
363	   REQUEST messages. In particular, if a client has sent the FQDN
364	   option to its server, and the configuration of the client changes so
365	   that its notion of its domain name changes, it MAY send the new name
366	   data in an FQDN option when it communicates with the server again.
367	   This may allow the DHCP server to update the name associated with
368	   the PTR record, and, if the server updated the A record representing
369	   the client, to delete that record and attempt an update for the
370	   client's current domain name.

372	   A client that delegates the responsibility for updating the FQDN to
373	   IP address mapping to a server might not receive any indication
374	   (either positive or negative) from the server whether the server was
375	   able to perform the update. In this case the client MAY use a DNS
376	   query to check whether the mapping is updated.

378	   A client MUST set the RCODE1 and RCODE2 fields in the Client FQDN
379	   option to 0 when sending the option.

381	   If a client releases its lease prior to the lease expiration time
382	   and the client is responsible for updating its A RR, the client
383	   SHOULD delete the A RR (following the procedures described in
384	   "Resolving Name Conflicts"[6]) associated with the leased address
385	   before sending a DHCP RELEASE message. Similarly, if a client was
386	   responsible for updating its A RR, but is unable to renew its lease,
387	   the client SHOULD attempt to delete the A RR before its lease
388	   expires. A DHCP client which has not been able to delete an A RR
389	   which it added (because it has lost the use of its DHCP IP address)
390	   should attempt to notify its administrator, perhaps by emitting a
391	   log message.

393	6. DHCP Server Behavior

395	   When a server receives a DHCPREQUEST message from a client, if the
396	   message contains the Client FQDN option, and the server replies to
397	   the message with a DHCPACK message, the server may be configured to
398	   originate an update for the PTR RR (associated with the address
399	   leased to the client). Any such update SHOULD be originated
400	   following the procedures described in "Resolving Name Conflicts"[6].
401	   The server MAY complete the update before the server sends the
402	   DHCPACK message to the client. In this case the RCODE from the
403	   update MUST be carried to the client in the RCODE1 field of the
404	   Client FQDN option in the DHCPACK message. Alternatively, the server
405	   MAY send the DHCPACK message to the client without waiting for the
406	   update to be completed.  In this case the RCODE1 field of the Client
407	   FQDN option in the DHCPACK message MUST be set to 255.  The choice
408	   between the two alternatives is entirely determined by the
409	   configuration of the DHCP server. Servers SHOULD support both
410	   configuration options.

412	   When a server receives a DHCPREQUEST message containing the Client
413	   FQDN option, the server MUST ignore the values carried in the RCODE1
414	   and RCODE2 fields of the option.

416	   In addition, if the Client FQDN option carried in the DHCPREQUEST
417	   message has the "S" bit in its Flags field set, then the server MAY
418	   originate an update for the A RR (associated with the FQDN carried
419	   in the option) if it is configured to do so by the site's
420	   administrator, and if it has the necessary credentials. The server
421	   MAY be configured to use the name supplied in the client's FQDN
422	   option, or it MAY be configured to modify the supplied name, or
423	   substitute a different name.

425	   Any such update SHOULD be originated following the procedures
426	   described in "Resolving Name Conflicts"[6]. The server MAY originate
427	   the update before the server sends the DHCPACK message to the
428	   client. In this case the RCODE from the update RFC 2136[4] MUST be
429	   carried to the client in the RCODE2 field of the Client FQDN option
430	   in the DHCPACK message.  Alternatively the server MAY send the
431	   DHCPACK message to the client without waiting for the update to be
432	   completed. In this case the RCODE2 field of the Client FQDN option
433	   in the DHCPACK message MUST be set to 255. The choice between the
434	   two alternatives is entirely a matter of the DHCP server's
435	   configuration. In either case, if the server intends to perform the
436	   DNS update and the client's REQUEST message included the FQDN
437	   option, the server SHOULD include the FQDN option in its ACK
438	   message. If the server includes the FQDN option, it MUST set the "S"
439	   bit in the option's Flags field and MUST clear the "O" bit.

441	   Even if the Client FQDN option carried in the DHCPREQUEST message
442	   has the "S" bit in its Flags field clear (indicating that the client
443	   wants to update the A RR), the server MAY be configured by the local
444	   administrator to update the A RR on the client's behalf. A server
445	   which is configured to override the client's preference SHOULD
446	   include an FQDN option in its ACK message, and MUST set both the "O"
447	   and "S" bits in the FQDN option's Flags field. The update SHOULD be
448	   originated following the procedures described in "Resolving Name
449	   Conflicts"[6]. The server MAY originate the update before the server
450	   sends the DHCPACK message to the client. In this case the RCODE from
451	   the update RFC 2136[4] MUST be carried to the client in the RCODE2
452	   field of the Client FQDN option in the DHCPACK message.
453	   Alternatively, the server MAY send the DHCPACK message to the client
454	   without waiting for the update to be completed. In this case the
455	   RCODE2 field of the Client FQDN option in the DHCPACK message MUST
456	   be set to 255. Whether the DNS update occurs before or after the
457	   DHCPACK is sent is entirely up to the DHCP server's configuration.

459	   When a DHCP server sends the Client FQDN option to a client in the
460	   DHCPACK message, the DHCP server SHOULD send its notion of the
461	   complete FQDN for the client in the Domain Name field. The server
462	   MAY simply copy the Domain Name field from the Client FQDN option
463	   that the client sent to the server in the DHCPREQUEST message. The
464	   DHCP server MAY be configured to complete or modify the domain name
465	   which a client sent, or it MAY be configured to substitute a
466	   different name.

468	   If the server initiates a DNS update that is not complete until
469	   after the server has replied to the DHCP client, the server's
470	   interaction with the DNS server may cause the DHCP server to change
471	   the domain name that it associates with the client. This may occur,
472	   for example, if the server detects and resolves a domain-name
473	   conflict. In such cases, the domain name that the server returns to
474	   the dhcp client may change between two dhcp exchanges.

476	   The server MUST use the same encoding format (ASCII or DNS binary
477	   encoding) that the client used in the FQDN option in its
478	   DHCPREQUEST, and MUST set the "E" bit in the option's Flags field
479	   accordingly.

481	   If a client's DHCPREQUEST message doesn't carry the Client FQDN
482	   option (e.g., the client doesn't implement the Client FQDN option),
483	   the server MAY be configured to update either or both of the A and
484	   PTR RRs. The updates SHOULD be originated following the procedures
485	   described in "Resolving Name Conflicts"[6].

487	   If a server detects that a lease on an address that the server
488	   leases to a client has expired, the server SHOULD delete any PTR RR
489	   which it added via DNS update. In addition, if the server added an A
490	   RR on the client's behalf, the server SHOULD also delete the A RR.
491	   The deletion SHOULD follow the procedures described in "Resolving
492	   Name Conflicts"[6].

494	   If a server terminates a lease on an address prior to the lease's
495	   expiration time, for instance by sending a DHCPNAK to a client, the
496	   server SHOULD delete any PTR RR which it associated with the address
497	   via DNS Update. In addition, if the server took responsibility for
498	   an A RR, the server SHOULD also delete that A RR. The deletion
499	   SHOULD follow the procedures described in "Resolving Name
500	   Conflicts"[6].

502	7. Security Considerations

504	   Unauthenticated updates to the DNS can lead to tremendous confusion,
505	   through malicious attack or through inadvertent misconfiguration.
506	   Administrators should be wary of permitting unsecured DNS updates to
507	   zones which are exposed to the global Internet. Both DHCP clients
508	   and servers SHOULD use some form of update request origin
509	   authentication procedure (e.g., Secure DNS Dynamic Update[12]) when
510	   performing DNS updates.

512	   Whether a DHCP client may be responsible for updating an FQDN to IP
513	   address mapping or whether this is the responsibility of the DHCP
514	   server is a site-local matter. The choice between the two
515	   alternatives may be based on the security model that is used with
516	   the DNS update protocol (e.g., only a client may have sufficient
517	   credentials to perform updates to the FQDN to IP address mapping for
518	   its FQDN).

520	   Whether a DHCP server is always responsible for updating the FQDN to
521	   IP address mapping (in addition to updating the IP to FQDN mapping),
522	   regardless of the wishes of an individual DHCP client, is also a
523	   site-local matter. The choice between the two alternatives may be
524	   based on the security model that is being used with DNS updates. In
525	   cases where a DHCP server is performing DNS updates on behalf of a
526	   client, the DHCP server should be sure of the DNS name to use for
527	   the client, and of the identity of the client.

529	   Currently, it is difficult for DHCP servers to develop much
530	   confidence in the identities of its clients, given the absence of
531	   entity authentication from the DHCP protocol itself. There are many
532	   ways for a DHCP server to develop a DNS name to use for a client,
533	   but only in certain relatively unusual circumstances will the DHCP
534	   server know for certain the identity of the client. If DHCP
535	   Authentication[13] becomes widely deployed this may become more
536	   customary.

538	   One example of a situation which offers some extra assurances is one
539	   where the DHCP client is connected to a network through an MCNS
540	   cable modem, and the CMTS (head-end) ensures that MAC address
541	   spoofing simply does not occur. Another example of a configuration
542	   that might be trusted is one where clients obtain network access via
543	   a network access server using PPP. The NAS itself might be obtaining
544	   IP addresses via DHCP, encoding a client identification into the
545	   DHCP client-id option.  In this case, the network access server as
546	   well as the DHCP server might be operating within a trusted
547	   environment, in which case the DHCP server could be configured to
548	   trust that the user authentication and authorization procedure of
549	   the remote access server was sufficient, and would therefore trust
550	   the client identification encoded within the DHCP client-id.

552	8. Acknowledgements

554	   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
555	   Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear,
556	   Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield,
557	   Michael Patton, and Glenn Stump for their review and comments.

559	Normative References

561	   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
562	        Levels", RFC 2119, March 1997.

564	   [2]  Mockapetris, P., "Domain names - Concepts and Facilities", RFC
565	        1034, Nov 1987.

567	   [3]  Mockapetris, P., "Domain names - Implementation and
568	        Specification", RFC 1035, Nov 1987.

570	   [4]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
571	        Updates in the Domain Name System", RFC 2136, April 1997.

573	   [5]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
574	        March 1997.

576	   [6]  Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients
577	        (draft-ietf-dhc-ddns-resolution-*.txt)", October 2003.

579	Informative References

581	   [7]   Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
582	         Answers to Commonly asked ``New Internet User'' Questions",
583	         RFC 1594, March 1994.

585	   [8]   Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
586	         August 1999.

588	   [9]   Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
589	         "Secret Key Transaction Authentication for DNS (TSIG)", RFC
590	         2845, May 2000.

592	   [10]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
593	         RFC 2279, January 1998.

595	   [11]  Eastlake, D., "Domain Name System Security Extensions", RFC
596	         2535, March 1999.

598	   [12]  Wellington, B., "Secure DNS Dynamic Update", RFC 3007,
599	         November 2000.

601	   [13]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
602	         RFC 3118, June 2001.

604	Authors' Addresses

606	   Mark Stapp
607	   Cisco Systems, Inc.
608	   1414 Massachusetts Ave.
609	   Boxborough, MA  01719
610	   USA

612	   Phone: 978.936.1535
613	   EMail: mjs@cisco.com

615	   Yakov Rekhter
616	   Juniper Networks
617	   1194 North Mathilda Avenue
618	   Sunnyvale, CA  94089
619	   USA

621	   Phone: 408.745.2000
622	   EMail: yakov@juniper.net

624	Full Copyright Statement

626	   Copyright (C) The Internet Society (2003). All Rights Reserved.

628	   This document and translations of it may be copied and furnished to
629	   others, and derivative works that comment on or otherwise explain it
630	   or assist in its implementation may be prepared, copied, published
631	   and distributed, in whole or in part, without restriction of any
632	   kind, provided that the above copyright notice and this paragraph
633	   are included on all such copies and derivative works. However, this
634	   document itself may not be modified in any way, such as by removing
635	   the copyright notice or references to the Internet Society or other
636	   Internet organizations, except as needed for the purpose of
637	   developing Internet standards in which case the procedures for
638	   copyrights defined in the Internet Standards process must be
639	   followed, or as required to translate it into languages other than
640	   English.

642	   The limited permissions granted above are perpetual and will not be
643	   revoked by the Internet Society or its successors or assigns.

645	   This document and the information contained herein is provided on an
646	   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
647	   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
648	   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
649	   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
650	   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

652	Acknowledgement

654	   Funding for the RFC editor function is currently provided by the
655	   Internet Society.