idnits 2.17.1 

draft-ietf-dhc-fqdn-option-09.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 668.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 645.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 652.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 658.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 24, 2005) is 7030 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- No information found for draft-ietf-dhc-ddns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '6' 

  -- Obsolete informational reference (is this intentional?): RFC 1594 (ref.
     '7') (Obsoleted by RFC 2664)

  -- Obsolete informational reference (is this intentional?): RFC 2279 (ref.
     '9') (Obsoleted by RFC 3629)

  -- Obsolete informational reference (is this intentional?): RFC 2671 (ref.
     '10') (Obsoleted by RFC 6891)


     Summary: 5 errors (**), 0 flaws (~~), 2 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DHC                                                             M. Stapp
3	Internet-Draft                                                   B. Volz
4	Expires: July 28, 2005                               Cisco Systems, Inc.
5	                                                              Y. Rekhter
6	                                                        Juniper Networks
7	                                                        January 24, 2005

9	                      The DHCP Client FQDN Option
10	                  <draft-ietf-dhc-fqdn-option-09.txt>

12	Status of this Memo

14	   This document is an Internet-Draft and is subject to all provisions
15	   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
16	   author represents that any applicable patent or other IPR claims of
17	   which he or she is aware have been or will be disclosed, and any of
18	   which he or she become aware will be disclosed, in accordance with
19	   RFC 3668.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as
24	   Internet-Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	   This Internet-Draft will expire on July 28, 2005.

39	Copyright Notice

41	   Copyright (C) The Internet Society (2005).

43	Abstract

45	   This document specifies a DHCP for IPv4, DHCPv4, option which can be
46	   used to exchange information about a DHCPv4 client's fully-qualified
47	   domain name and about responsibility for updating the DNS RR related
48	   to the client's address assignment.

50	Table of Contents

52	   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
53	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
54	     2.1   Models of Operation  . . . . . . . . . . . . . . . . . . .  3
55	   3.  The Client FQDN Option . . . . . . . . . . . . . . . . . . . .  4
56	     3.1   The Flags Field  . . . . . . . . . . . . . . . . . . . . .  5
57	     3.2   The RCODE Fields . . . . . . . . . . . . . . . . . . . . .  6
58	     3.3   The Domain Name Field  . . . . . . . . . . . . . . . . . .  6
59	       3.3.1   Deprecated ASCII Encoding  . . . . . . . . . . . . . .  7
60	   4.  DHCP Client Behavior . . . . . . . . . . . . . . . . . . . . .  7
61	     4.1   Interaction With Other Options . . . . . . . . . . . . . .  7
62	     4.2   Client Desires to Update A RRs . . . . . . . . . . . . . .  8
63	     4.3   Client Desires Server to Do DNS Updates  . . . . . . . . .  8
64	     4.4   Client Desires No Server DNS Updates . . . . . . . . . . .  8
65	     4.5   Domain Name and DNS Update Issues  . . . . . . . . . . . .  8
66	   5.  DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . .  9
67	     5.1   When to Perform DNS Updates  . . . . . . . . . . . . . . . 10
68	   6.  DNS Update Conflicts . . . . . . . . . . . . . . . . . . . . . 11
69	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
70	   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
71	   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
72	   10.   References . . . . . . . . . . . . . . . . . . . . . . . . . 13
73	     10.1  Normative References . . . . . . . . . . . . . . . . . . . 13
74	     10.2  Informative References . . . . . . . . . . . . . . . . . . 13
75	       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
76	       Intellectual Property and Copyright Statements . . . . . . . . 15

78	1.  Terminology

80	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
81	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
82	   document are to be interpreted as described in RFC 2119 [1].

84	2.  Introduction

86	   DNS ([2], [3]) maintains (among other things) the information about
87	   the mapping between hosts' Fully Qualified Domain Names (FQDNs) [7]
88	   and IP addresses assigned to the hosts.  The information is
89	   maintained in two types of Resource Records (RRs): A and PTR.  The
90	   DNS update specification ([4]) describes a mechanism that enables DNS
91	   information to be updated over a network.

93	   The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP
94	   in this document) [5] provides a mechanism by which a host (a DHCP
95	   client) can acquire certain configuration information, along with its
96	   address.  This document specifies a DHCP option, the Client FQDN
97	   option, which can be used by DHCP clients and servers to exchange
98	   information about the client's fully-qualified domain name for an
99	   address and who has the responsibility for updating the DNS with the
100	   associated A and PTR RRs.

102	2.1  Models of Operation

104	   When a DHCP client acquires a new address, a site's administrator may
105	   desire that one or both of the A RR for the client's FQDN and the PTR
106	   RR for the acquired address be updated.  Therefore, two separate DNS
107	   update transactions may occur.  Acquiring an address via DHCP
108	   involves two entities: a DHCP client and a DHCP server.  In principle
109	   each of these entities could perform none, one, or both of the
110	   transactions.  However, in practice not all permutations make sense.
111	   The DHCP Client FQDN option is primarily intended to operate in the
112	   following two cases:

114	   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
115	   2.  DHCP server updates both the A and the PTR RRs

117	   The only difference between these two cases is whether the FQDN to IP
118	   address mapping is updated by a DHCP client or by a DHCP server.  The
119	   IP address to FQDN mapping is updated by a DHCP server in both cases.

121	   The reason these two are important, while others are unlikely, has to
122	   do with authority over the respective DNS domain names.  A DHCP
123	   client may be given authority over mapping its own A RRs, or that
124	   authority may be restricted to a server to prevent the client from
125	   listing arbitrary addresses or associating its address with arbitrary
126	   domain names.  In all cases, the only reasonable place for the
127	   authority over the PTR RRs associated with the address is in the DHCP
128	   server that allocates the address.

130	   Note: A third case is supported - the client requests that the server
131	   perform no updates.  However, this case is presumed to be rare
132	   because of the authority issues.

134	   In any case, whether a site permits all, some, or no DHCP servers and
135	   clients to perform DNS updates into the zones which it controls is
136	   entirely a matter of local administrative policy.  This document does
137	   not require any specific administrative policy, and does not propose
138	   one.  The range of possible policies is very broad, from sites where
139	   only the DHCP servers have been given credentials that the DNS
140	   servers will accept, to sites where each individual DHCP client has
141	   been configured with credentials which allow the client to modify its
142	   own domain name.  Compliant implementations may support some or all
143	   of these possibilities.  Furthermore, this specification applies only
144	   to DHCP client and server processes: it does not apply to other
145	   processes which initiate DNS updates.

147	   This document describes a new DHCP option which a client can use to
148	   convey all or part of its domain name to a DHCP server.
149	   Site-specific policy determines whether DHCP servers use the names
150	   that clients offer or not, and what DHCP servers may do in cases
151	   where clients do not supply domain names.

153	3.  The Client FQDN Option

155	   To update the IP address to FQDN mapping a DHCP server needs to know
156	   the FQDN of the client to which the server leases the address.  To
157	   allow the client to convey its FQDN to the server this document
158	   defines a new DHCP option, called "Client FQDN".  The Client FQDN
159	   option also contains Flags, which DHCP servers can use to convey
160	   information about DNS updates to clients, and two deprecated RCODEs.

162	   Clients MAY send the Client FQDN option, setting appropriate Flags
163	   values, in both their DHCPDISCOVER and DHCPREQUEST messages.  If a
164	   client sends the Client FQDN option in its DHCPDISCOVER message, it
165	   MUST send the option in subsequent DHCPREQUEST messages though the
166	   contents of the option MAY change.

168	   Only one Client FQDN option MAY appear in a message.

170	   The code for this option is 81.  Its minimum length is 3 (octets).

172	   The format of the Client FQDN option is:

174	        Code   Len    Flags  RCODE1 RCODE2   Domain Name
175	       +------+------+------+------+------+------+--
176	       |  81  |   n  |      |      |      |       ...
177	       +------+------+------+------+------+------+--

179	   The above figure follows the conventions of [8].

181	3.1  The Flags Field

183	   The format of the 1-octet Flags field is:

185	        0 1 2 3 4 5 6 7
186	       +-+-+-+-+-+-+-+-+
187	       |  MBZ  |N|E|O|S|
188	       +-+-+-+-+-+-+-+-+

190	   The "S" bit indicates whether the server SHOULD or SHOULD NOT perform
191	   the A RR (FQDN to address) DNS updates.  A client sets the bit to 0
192	   to indicate the server SHOULD NOT perform the updates and 1 to
193	   indicate the server SHOULD perform the updates.  The state of the bit
194	   in the reply from the server indicates the action to be taken by the
195	   server; if 1, the server has taken responsibility for A RR updates
196	   for the FQDN.

198	   The "O" bit indicates whether the server has overridden the client's
199	   preference for the "S" bit.  A client MUST set this bit to 0.  A
200	   server MUST set this bit to 1 if the "S" bit in its reply to the
201	   client does not match the "S" bit received from the client.

203	   The "N" bit indicates whether the server SHOULD NOT perform any DNS
204	   updates.  A client sets this bit to 0 to request that the server
205	   SHOULD perform updates (the PTR RR and possibly the A RR based on the
206	   "S" bit) or to 1 to request that the server SHOULD NOT perform any
207	   DNS updates.  A server sets the "N" bit to indicate whether the
208	   server SHALL (0) or SHALL NOT (1) perform DNS updates.  If the "N"
209	   bit is 1, the "S" bit MUST be 0.

211	   The "E" bit indicates the encoding of the Domain Name field.  1
212	   indicates DNS-style binary encoding, without compression, as
213	   described in RFC 1035 [3].  This encoding SHOULD be used by clients
214	   and MUST be supported by servers.  0 indicates a now deprecated ASCII
215	   encoding (see Section 3.3.1).  A server MUST use the same encoding as
216	   that used by the client.  A server that does not support the
217	   deprecated ASCII encoding MUST ignore Client FQDN options that use
218	   that encoding.

220	   The remaining bits in the Flags field are reserved for future
221	   assignment.  DHCP clients and servers which send the Client FQDN
222	   option MUST clear the MBZ bits, and they MUST ignore these bits.

224	3.2  The RCODE Fields

226	   The RCODE1 and RCODE2 fields are deprecated.  A client SHOULD set
227	   these to 0 when sending the option and SHOULD ignore them on receipt.
228	   A server SHOULD set these to 255 when sending the option and MUST
229	   ignore them on receipt.

231	   As this option with these fields is already in wide use, the fields
232	   are retained.  These fields were originally defined for use by a DHCP
233	   server to indicate to a DHCP client the Response Code from any A
234	   (RCODE1) or PTR (RCODE2) RR DNS updates it has performed or a value
235	   of 255 was used to indicate that an update had been initiated but had
236	   not yet completed.  Each of these fields is one byte long.  These
237	   fields were defined before EDNS0 [10], which describes a mechanism
238	   for extending the length of a DNS RCODE to 12 bits, which is another
239	   reason to deprecate them.

241	   If the client needs to confirm the DNS update has been done, it MAY
242	   use a DNS query to check whether the mapping is up to date.  However,
243	   depending on the load on the DHCP and DNS servers and the DNS
244	   propagation delays, the client can only infer success.  If the
245	   information is not found to be up to date in DNS, the servers might
246	   not have completed the updates or zone transfers, or not yet updated
247	   their caches.

249	3.3  The Domain Name Field

251	   The Domain Name part of the option carries all or part of the FQDN of
252	   a DHCP client.  The data in the Domain Name field SHOULD appear in
253	   uncompressed DNS encoding as specified in RFC 1035 [3].  If the DHCP
254	   client uses DNS encoding, it MUST set to 1 the the "E" bit in the
255	   Flags field.  In order to determine whether the FQDN has changed
256	   between message exchanges, the client and server MUST NOT alter the
257	   Domain Name field contents unless the FQDN has actually changed.

259	   A client MAY be configured with a fully-qualified domain name or with
260	   a partial name that is not fully-qualified.  If a client knows only
261	   part of its name, it MAY send a name that is not fully-qualified,
262	   indicating that it knows part of the name but does not necessarily
263	   know the zone in which the name is to be embedded.

265	   To send a fully-qualified domain name, the Domain Name field is set
266	   to the DNS encoded domain name including the terminating zero-length
267	   label.  To send a partial name, the Domain Name field is set to the
268	   DNS encoded domain name without the terminating zero-length label.

270	   A client MAY also leave the Domain Name field empty if it desires the
271	   server to provide a name.

273	3.3.1  Deprecated ASCII Encoding

275	   A substantial population of clients implemented an earlier draft
276	   version of this specification, which permitted an ASCII encoding of
277	   the Domain Name field.  Server implementations SHOULD be aware that
278	   clients which send the Client FQDN option with the "E" bit set to 0
279	   are using an ASCII encoding of the Domain Name field.  Servers MAY be
280	   prepared to return an ASCII encoded version of the Domain Name field
281	   to such clients.  Servers that are not prepared to return an ASCII
282	   encoded version MUST ignore the Client FQDN option if the "E" bit is
283	   0.  The use of ASCII encoding in this option SHOULD be considered
284	   deprecated.

286	   A DHCP client which used ASCII encoding was permitted to suggest a
287	   single label if it was not configured with a fully-qualified name.
288	   Such clients send a single label as a series of ASCII characters in
289	   the Domain Name field, excluding the "." (dot) character.

291	   Clients and servers SHOULD follow the character-set recommendations
292	   of RFC 1034 [2] and RFC 1035 [3].  However, implementers SHOULD also
293	   be aware that some client software could be using UTF-8 [9] character
294	   encoding.  This specification does not require any support for UTF-8.

296	4.  DHCP Client Behavior

298	   The following describes the behavior of a DHCP client that implements
299	   the Client FQDN option.

301	4.1  Interaction With Other Options

303	   Other DHCP options MAY carry data that is related to the Domain Name
304	   field of the Client FQDN option.  The Host Name option [8], for
305	   example, contains an ASCII string representation of the client's host
306	   name.  In general, a client does not need to send redundant data, and
307	   therefore clients which send the Client FQDN option in their messages
308	   MUST NOT also send the Host Name option.  Clients which receive both
309	   the Host Name option and the Client FQDN option from a server SHOULD
310	   prefer Client FQDN option data.  Section 5 instructs servers to
311	   ignore the Host Name option in client messages which include the
312	   Client FQDN option.

314	4.2  Client Desires to Update A RRs

316	   If a client that owns/maintains its own FQDN wants to be responsible
317	   for updating the FQDN to IP address mapping for the FQDN and
318	   address(es) used by the client, the client MUST include the Client
319	   FQDN option in the DHCPREQUEST message originated by the client.  A
320	   DHCP client MAY choose to include the Client FQDN option in its
321	   DHCPDISCOVER messages as well as its DHCPREQUEST messages.  The "S"
322	   bit in the Flags field in the option MUST be 0.  The "O" and "N" bits
323	   MUST be 0.

325	   Once the client's DHCP configuration is completed (the client
326	   receives a DHCPACK message and successfully completes a final check
327	   on the parameters passed in the message), the client MAY originate an
328	   update for the A RR (associated with the client's FQDN) unless the
329	   server has set the "S" bit to 1.  If the "S" is 1, the DHCP client
330	   MUST NOT initiate an update for the name in the Domain Name field.

332	4.3  Client Desires Server to Do DNS Updates

334	   A client can choose to delegate the responsibility for updating the
335	   FQDN to IP address mapping for the FQDN and address(es) used by the
336	   client to the server.  In order to inform the server of this choice,
337	   the client SHOULD include the Client FQDN option in its DHCPREQUEST
338	   message and MAY include the Client FQDN option in its DHCPDISCOVER.
339	   The "S" bit in the Flags field in the option MUST be 1.  The "O" and
340	   "N" bits MUST be 0.

342	4.4  Client Desires No Server DNS Updates

344	   A client can choose to request that the server perform no DNS updates
345	   on its behalf.  In order to inform the server of this choice, the
346	   client SHOULD include the Client FQDN option in its DHCPREQUEST
347	   message and MAY include the Client FQDN option in its DHCPDISCOVER.
348	   The "N" bit in the Flags field in the option MUST be 1 and the "S"
349	   and "O" bits MUST be 0.

351	   Once the client's DHCP configuration is completed (the client
352	   receives a DHCPACK message and successfully completes a final check
353	   on the parameters passed in the message), the client MAY originate
354	   its DNS updates provided the server's "N" bit is 1.  If the server's
355	   "N" bit is 0, the server MAY perform the PTR RR updates; and, MAY
356	   also perform the A RR updates if the "S" bit is 1.

358	4.5  Domain Name and DNS Update Issues

360	   As there is a possibility that the DHCP server is configured to
361	   complete or replace a domain name that the client sends, the client
362	   MAY find it useful to send the Client FQDN option in its DHCPDISCOVER
363	   messages.  If the DHCP server returns different Domain Name data in
364	   its DHCPOFFER message, the client could use that data in performing
365	   its own eventual A RR update, or in forming the Client FQDN option
366	   that it sends in its DHCPREQUEST message.  There is no requirement
367	   that the client send identical Client FQDN option data in its
368	   DHCPDISCOVER and DHCPREQUEST messages.  In particular, if a client
369	   has sent the Client FQDN option to its server, and the configuration
370	   of the client changes so that its notion of its domain name changes,
371	   it MAY send the new name data in a Client FQDN option when it
372	   communicates with the server again.  This MAY cause the DHCP server
373	   to update the name associated with the PTR record, and, if the server
374	   updated the A record representing the client, to delete that record
375	   and attempt an update for the client's current domain name.

377	   A client that delegates the responsibility for updating the FQDN to
378	   IP address mapping to a server will not receive any indication
379	   (either positive or negative) from the server whether the server was
380	   able to perform the update.  The client MAY use a DNS query to check
381	   whether the mapping is up to date (see Section 3.2).

383	   If a client releases its lease prior to the lease expiration time and
384	   the client is responsible for updating its A RR, the client SHOULD
385	   delete the A RR associated with the leased address before sending a
386	   DHCPRELEASE message.  Similarly, if a client was responsible for
387	   updating its A RR, but is unable to renew its lease, the client
388	   SHOULD attempt to delete the A RR before its lease expires.  A DHCP
389	   client which has not been able to delete an A RR which it added
390	   (because it has lost the use of its DHCP IP address) SHOULD attempt
391	   to notify its administrator, perhaps by emitting a log message.

393	5.  DHCP Server Behavior

395	   The following describes the behavior of a DHCP server that implements
396	   the Client FQDN option when the client's message includes the Client
397	   FQDN option.

399	   The server examines its configuration and the Flag bits in the
400	   client's Client FQDN option to determine how to respond:

402	   o  If the client's "E" bit is 0 and the server does not support ASCII
403	      encoding (Section 3.3.1), the server SHOULD ignore the Client FQDN
404	      option.
405	   o  The server sets to 0 the "S", "O", and "N" Flag bits in its copy
406	      of the option it will return to the client.  The server copies the
407	      client's "E" bit.
408	   o  If the client's "N" bit is 1 and the server's configuration allows
409	      it to honor the client's request for no server initiated DNS
410	      updates, the server sets the "N" bit to 1.
411	   o  Otherwise, if the client's "S" bit is 1 and the servers's
412	      configuration allows it to honor the client's request for the
413	      server to initiate A RR DNS updates and if it has the necessary
414	      credentials, the server sets the "S" to 1.  If the server's "S"
415	      bit does not match the client's "S" bit, the server sets the "O"
416	      bit to 1.

418	   The server MAY be configured to use the name supplied in the client's
419	   Client FQDN option, or it MAY be configured to modify the supplied
420	   name, or substitute a different name.  The server SHOULD send its
421	   notion of the complete FQDN for the client in the Domain Name field.
422	   The server MAY simply copy the Domain Name field from the Client FQDN
423	   option that the client sent to the server.  The server MUST use the
424	   same encoding format (ASCII or DNS binary encoding) that the client
425	   used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST,
426	   and MUST set the "E" bit in the option's Flags field accordingly.

428	   If a client sends both the Client FQDN and Host Name option, the
429	   server SHOULD ignore the Host Name option.

431	   The server SHOULD set the RCODE1 and RCODE2 fields to 255 before
432	   sending the Client FQDN message to the client in a DHCPOFFER or
433	   DHCPACK.

435	5.1  When to Perform DNS Updates

437	   The server SHOULD NOT perform any DNS updates if the "N" bit is 1 in
438	   the Flags field of the Client FQDN option in the DHCPACK messages (to
439	   be) sent to the client.  However, the server SHOULD delete any RRs
440	   which it previously added via DNS updates for the client.

442	   The server MAY perform the PTR RR DNS update (unless the "N" bit is
443	   1).

445	   The server MAY perform the A RR DNS update if the "S" bit is 1 in the
446	   Flags field of the Client FQDN option in the DHCPACK message (to be)
447	   sent to the client.

449	   The server MAY perform these updates even if the client's DHCPREQUEST
450	   did not carry the Client FQDN option.  The server MUST NOT initiate
451	   DNS updates when responding to DHCPDISCOVER messages from a client.

453	   The server MAY complete its DNS updates (PTR RR or PTR and A RR)
454	   before the server sends the DHCPACK message to the client.
455	   Alternatively, the server MAY send the DHCPACK message to the client
456	   without waiting for the update to be completed.  Whether the DNS
457	   update occurs before or after the DHCPACK is sent is entirely up to
458	   the DHCP server's configuration.

460	   If the server's A RR DNS update does not complete until after the
461	   server has replied to the DHCP client, the server's interaction with
462	   the DNS server MAY cause the DHCP server to change the domain name
463	   that it associates with the client.  This can occur, for example, if
464	   the server detects and resolves a domain-name conflict [6].  In such
465	   cases, the domain name that the server returns to the DHCP client
466	   would change between two DHCP exchanges.

468	   If the server previously performed DNS updates for the client and the
469	   client's information has not changed, the server MAY skip performing
470	   additional DNS updates.

472	   When a server detects that a lease on an address that the server
473	   leases to a client has expired, the server SHOULD delete any PTR RR
474	   which it added via DNS update.  In addition, if the server added an A
475	   RR on the client's behalf, the server SHOULD also delete the A RR.

477	   When a server terminates a lease on an address prior to the lease's
478	   expiration time, for instance by sending a DHCPNAK to a client, the
479	   server SHOULD delete any PTR RR which it associated with the address
480	   via DNS update.  In addition, if the server took responsibility for
481	   an A RR, the server SHOULD also delete that A RR.

483	6.  DNS Update Conflicts

485	   This document does not resolve how a DHCP client or server prevent
486	   name conflicts.  This document addresses only how a DHCP client and
487	   server negotiate who will perform the DNS updates and the fully
488	   qualified domain name requested or used.

490	   Implementers of this work will need to consider how name conflicts
491	   will be prevented.  If a DNS updater needs a security token in order
492	   to successfully perform DNS updates on a specific name, name
493	   conflicts can only occur if multiple clients are given a security
494	   token for that name.  Or, if the fully qualified domains are based on
495	   the specific address bound to a client, conflicts SHOULD NOT occur.
496	   Or, a name conflict resolution technique as described in "Resolving
497	   Name Conflicts" [6]) SHOULD be used.

499	7.  IANA Considerations

501	   IANA has already assigned DHCP option 81 to the Client FQDN option.
502	   As this document updates the option's use, IANA is requested to
503	   reference this document for option 81.

505	8.  Security Considerations

507	   Unauthenticated updates to the DNS can lead to tremendous confusion,
508	   through malicious attack or through inadvertent misconfiguration.
509	   Administrators need to be wary of permitting unsecured DNS updates to
510	   zones which are exposed to the global Internet.  Both DHCP clients
511	   and servers should use some form of update request origin
512	   authentication procedure (e.g., Secure DNS Dynamic Update [11]) when
513	   performing DNS updates.

515	   Whether a DHCP client is responsible for updating an FQDN to IP
516	   address mapping or whether this is the responsibility of the DHCP
517	   server is a site-local matter.  The choice between the two
518	   alternatives is likely based on the security model that is used with
519	   the DNS update protocol (e.g., only a client may have sufficient
520	   credentials to perform updates to the FQDN to IP address mapping for
521	   its FQDN).

523	   Whether a DHCP server is always responsible for updating the FQDN to
524	   IP address mapping (in addition to updating the IP to FQDN mapping),
525	   regardless of the wishes of an individual DHCP client, is also a
526	   site-local matter.  The choice between the two alternatives is likely
527	   based on the security model that is being used with DNS updates.  In
528	   cases where a DHCP server is performing DNS updates on behalf of a
529	   client, the DHCP server should be sure of the DNS name to use for the
530	   client, and of the identity of the client.

532	   Currently, it is difficult for DHCP servers to develop much
533	   confidence in the identities of its clients, given the absence of
534	   entity authentication from the DHCP protocol itself.  There are many
535	   ways for a DHCP server to develop a DNS name to use for a client, but
536	   only in certain relatively unusual circumstances will the DHCP server
537	   know for certain the identity of the client.  If DHCP Authentication
538	   [12] becomes widely deployed this may become more customary.

540	   One example of a situation which offers some extra assurances is one
541	   where the DHCP client is connected to a network through an MCNS cable
542	   modem, and the CMTS (head-end) ensures that MAC address spoofing
543	   simply does not occur.  Another example of a configuration that might
544	   be trusted is one where clients obtain network access via a network
545	   access server using PPP.  The NAS itself might be obtaining IP
546	   addresses via DHCP, encoding a client identification into the DHCP
547	   client-id option.  In this case, the network access server as well as
548	   the DHCP server might be operating within a trusted environment, in
549	   which case the DHCP server could be configured to trust that the user
550	   authentication and authorization procedure of the remote access
551	   server was sufficient, and would therefore trust the client
552	   identification encoded within the DHCP client-id.

554	9.  Acknowledgements

556	   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
557	   Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W.
558	   Hankins, R.  Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed
559	   Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Jyrki Soini,
560	   and Glenn Stump for their review and comments.

562	10.  References

564	10.1  Normative References

566	   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
567	        Levels", BCP 14, RFC 2119, March 1997.

569	   [2]  Mockapetris, P., "Domain names - concepts and facilities",
570	        STD 13, RFC 1034, November 1987.

572	   [3]  Mockapetris, P., "Domain names - implementation and
573	        specification", STD 13, RFC 1035, November 1987.

575	   [4]  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
576	        Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
577	        1997.

579	   [5]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
580	        March 1997.

582	   [6]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
583	        DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)", September
584	        2004.

586	10.2  Informative References

588	   [7]   Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and
589	         Answers - Answers to Commonly asked "New Internet User"
590	         Questions", RFC 1594, March 1994.

592	   [8]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
593	         Extensions", RFC 2132, March 1997.

595	   [9]   Yergeau, F., "UTF-8, a transformation format of ISO 10646",
596	         RFC 2279, January 1998.

598	   [10]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
599	         August 1999.

601	   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
602	         Update", RFC 3007, November 2000.

604	   [12]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
605	         RFC 3118, June 2001.

607	Authors' Addresses

609	   Mark Stapp
610	   Cisco Systems, Inc.
611	   1414 Massachusetts Ave.
612	   Boxborough, MA  01719
613	   USA

615	   Phone: 978.936.1535
616	   Email: mjs@cisco.com

618	   Bernie Volz
619	   Cisco Systems, Inc.
620	   1414 Massachusetts Ave.
621	   Boxborough, MA  01719
622	   USA

624	   Phone: 978.936.0382
625	   Email: volz@cisco.com

627	   Yakov Rekhter
628	   Juniper Networks
629	   1194 North Mathilda Avenue
630	   Sunnyvale, CA  94089
631	   USA

633	   Phone: 408.745.2000
634	   Email: yakov@juniper.net

636	Intellectual Property Statement

638	   The IETF takes no position regarding the validity or scope of any
639	   Intellectual Property Rights or other rights that might be claimed to
640	   pertain to the implementation or use of the technology described in
641	   this document or the extent to which any license under such rights
642	   might or might not be available; nor does it represent that it has
643	   made any independent effort to identify any such rights.  Information
644	   on the procedures with respect to rights in RFC documents can be
645	   found in BCP 78 and BCP 79.

647	   Copies of IPR disclosures made to the IETF Secretariat and any
648	   assurances of licenses to be made available, or the result of an
649	   attempt made to obtain a general license or permission for the use of
650	   such proprietary rights by implementers or users of this
651	   specification can be obtained from the IETF on-line IPR repository at
652	   http://www.ietf.org/ipr.

654	   The IETF invites any interested party to bring to its attention any
655	   copyrights, patents or patent applications, or other proprietary
656	   rights that may cover technology that may be required to implement
657	   this standard.  Please address the information to the IETF at
658	   ietf-ipr@ietf.org.

660	Disclaimer of Validity

662	   This document and the information contained herein are provided on an
663	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
664	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
665	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
666	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
667	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
668	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

670	Copyright Statement

672	   Copyright (C) The Internet Society (2005).  This document is subject
673	   to the rights, licenses and restrictions contained in BCP 78, and
674	   except as set forth therein, the authors retain all their rights.

676	Acknowledgment

678	   Funding for the RFC Editor function is currently provided by the
679	   Internet Society.