idnits 2.17.1 

draft-ietf-dhc-fqdn-option-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 677.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 654.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 661.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 667.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 24, 2005) is 6789 days in the past.  Is
     this intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- No information found for draft-ietf-dhc-ddns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '7' 

  -- Obsolete informational reference (is this intentional?): RFC 1594 (ref.
     '8') (Obsoleted by RFC 2664)

  -- Obsolete informational reference (is this intentional?): RFC 2279 (ref.
     '10') (Obsoleted by RFC 3629)

  -- Obsolete informational reference (is this intentional?): RFC 2671 (ref.
     '11') (Obsoleted by RFC 6891)


     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DHC                                                             M. Stapp
3	Internet-Draft                                                   B. Volz
4	Expires: March 28, 2006                              Cisco Systems, Inc.
5	                                                              Y. Rekhter
6	                                                        Juniper Networks
7	                                                      September 24, 2005

9	                      The DHCP Client FQDN Option
10	                  <draft-ietf-dhc-fqdn-option-11.txt>

12	Status of this Memo

14	   By submitting this Internet-Draft, each author represents that any
15	   applicable patent or other IPR claims of which he or she is aware
16	   have been or will be disclosed, and any of which he or she becomes
17	   aware will be disclosed, in accordance with Section 6 of BCP 79.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as Internet-
22	   Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.txt.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	   This Internet-Draft will expire on March 28, 2006.

37	Copyright Notice

39	   Copyright (C) The Internet Society (2005).

41	Abstract

43	   This document specifies a DHCP for IPv4, DHCPv4, option which can be
44	   used to exchange information about a DHCPv4 client's fully-qualified
45	   domain name and about responsibility for updating the DNS RR related
46	   to the client's address assignment.

48	Table of Contents

50	   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
51	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
52	     2.1.  Models of Operation  . . . . . . . . . . . . . . . . . . .  3
53	   3.  The Client FQDN Option . . . . . . . . . . . . . . . . . . . .  4
54	     3.1.  The Flags Field  . . . . . . . . . . . . . . . . . . . . .  5
55	     3.2.  The RCODE Fields . . . . . . . . . . . . . . . . . . . . .  6
56	     3.3.  The Domain Name Field  . . . . . . . . . . . . . . . . . .  6
57	       3.3.1.  Deprecated ASCII Encoding  . . . . . . . . . . . . . .  7
58	   4.  DHCP Client Behavior . . . . . . . . . . . . . . . . . . . . .  7
59	     4.1.  Interaction With Other Options . . . . . . . . . . . . . .  7
60	     4.2.  Client Desires to Update A RRs . . . . . . . . . . . . . .  8
61	     4.3.  Client Desires Server to Do DNS Updates  . . . . . . . . .  8
62	     4.4.  Client Desires No Server DNS Updates . . . . . . . . . . .  8
63	     4.5.  Domain Name and DNS Update Issues  . . . . . . . . . . . .  9
64	   5.  DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . .  9
65	     5.1.  When to Perform DNS Updates  . . . . . . . . . . . . . . . 10
66	   6.  DNS Update Conflicts . . . . . . . . . . . . . . . . . . . . . 11
67	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
68	   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
69	   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
70	   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
71	     10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
72	     10.2. Informative References . . . . . . . . . . . . . . . . . . 14
73	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
74	   Intellectual Property and Copyright Statements . . . . . . . . . . 16

76	1.  Terminology

78	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
79	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
80	   document are to be interpreted as described in RFC 2119 [1].

82	2.  Introduction

84	   DNS ([2], [3]) maintains (among other things) the information about
85	   the mapping between hosts' Fully Qualified Domain Names (FQDNs) [8]
86	   and IP addresses assigned to the hosts.  The information is
87	   maintained in two types of Resource Records (RRs): A and PTR.  The
88	   DNS update specification ([4]) describes a mechanism that enables DNS
89	   information to be updated over a network.

91	   The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP
92	   in this document) [5] provides a mechanism by which a host (a DHCP
93	   client) can acquire certain configuration information, along with its
94	   address.  This document specifies a DHCP option, the Client FQDN
95	   option, which can be used by DHCP clients and servers to exchange
96	   information about the client's fully-qualified domain name for an
97	   address and who has the responsibility for updating the DNS with the
98	   associated A and PTR RRs.

100	2.1.  Models of Operation

102	   When a DHCP client acquires a new address, a site's administrator may
103	   desire that one or both of the A RR for the client's FQDN and the PTR
104	   RR for the acquired address be updated.  Therefore, two separate DNS
105	   update transactions may occur.  Acquiring an address via DHCP
106	   involves two entities: a DHCP client and a DHCP server.  In principle
107	   each of these entities could perform none, one, or both of the
108	   transactions.  However, in practice not all permutations make sense.
109	   The DHCP Client FQDN option is primarily intended to operate in the
110	   following two cases:

112	   1.  DHCP client updates the A RR, DHCP server updates the PTR RR
113	   2.  DHCP server updates both the A and the PTR RRs

115	   The only difference between these two cases is whether the FQDN to IP
116	   address mapping is updated by a DHCP client or by a DHCP server.  The
117	   IP address to FQDN mapping is updated by a DHCP server in both cases.

119	   The reason these two are important, while others are unlikely, has to
120	   do with authority over the respective DNS domain names.  A DHCP
121	   client may be given authority over mapping its own A RRs, or that
122	   authority may be restricted to a server to prevent the client from
123	   listing arbitrary addresses or associating its address with arbitrary
124	   domain names.  In all cases, the only reasonable place for the
125	   authority over the PTR RRs associated with the address is in the DHCP
126	   server that allocates the address.

128	   Note: A third case is supported - the client requests that the server
129	   perform no updates.  However, this case is presumed to be rare
130	   because of the authority issues.

132	   In any case, whether a site permits all, some, or no DHCP servers and
133	   clients to perform DNS updates into the zones which it controls is
134	   entirely a matter of local administrative policy.  This document does
135	   not require any specific administrative policy, and does not propose
136	   one.  The range of possible policies is very broad, from sites where
137	   only the DHCP servers have been given credentials that the DNS
138	   servers will accept, to sites where each individual DHCP client has
139	   been configured with credentials which allow the client to modify its
140	   own domain name.  Compliant implementations may support some or all
141	   of these possibilities.  Furthermore, this specification applies only
142	   to DHCP client and server processes: it does not apply to other
143	   processes which initiate DNS updates.

145	   This document describes a new DHCP option which a client can use to
146	   convey all or part of its domain name to a DHCP server.  Site-
147	   specific policy determines whether DHCP servers use the names that
148	   clients offer or not, and what DHCP servers may do in cases where
149	   clients do not supply domain names.

151	3.  The Client FQDN Option

153	   To update the IP address to FQDN mapping a DHCP server needs to know
154	   the FQDN of the client to which the server leases the address.  To
155	   allow the client to convey its FQDN to the server this document
156	   defines a new DHCP option, called "Client FQDN".  The Client FQDN
157	   option also contains Flags, which DHCP servers can use to convey
158	   information about DNS updates to clients, and two deprecated RCODEs.

160	   Clients MAY send the Client FQDN option, setting appropriate Flags
161	   values, in both their DHCPDISCOVER and DHCPREQUEST messages.  If a
162	   client sends the Client FQDN option in its DHCPDISCOVER message, it
163	   MUST send the option in subsequent DHCPREQUEST messages though the
164	   contents of the option MAY change.

166	   Only one Client FQDN option MAY appear in a message.

168	   The code for this option is 81.  Its minimum length is 3 (octets).

170	   The format of the Client FQDN option is:

172	        Code   Len    Flags  RCODE1 RCODE2   Domain Name
173	       +------+------+------+------+------+------+--
174	       |  81  |   n  |      |      |      |       ...
175	       +------+------+------+------+------+------+--

177	   The above figure follows the conventions of [9].

179	3.1.  The Flags Field

181	   The format of the 1-octet Flags field is:

183	        0 1 2 3 4 5 6 7
184	       +-+-+-+-+-+-+-+-+
185	       |  MBZ  |N|E|O|S|
186	       +-+-+-+-+-+-+-+-+

188	   The "S" bit indicates whether the server SHOULD or SHOULD NOT perform
189	   the A RR (FQDN to address) DNS updates.  A client sets the bit to 0
190	   to indicate the server SHOULD NOT perform the updates and 1 to
191	   indicate the server SHOULD perform the updates.  The state of the bit
192	   in the reply from the server indicates the action to be taken by the
193	   server; if 1, the server has taken responsibility for A RR updates
194	   for the FQDN.

196	   The "O" bit indicates whether the server has overridden the client's
197	   preference for the "S" bit.  A client MUST set this bit to 0.  A
198	   server MUST set this bit to 1 if the "S" bit in its reply to the
199	   client does not match the "S" bit received from the client.

201	   The "N" bit indicates whether the server SHOULD NOT perform any DNS
202	   updates.  A client sets this bit to 0 to request that the server
203	   SHOULD perform updates (the PTR RR and possibly the A RR based on the
204	   "S" bit) or to 1 to request that the server SHOULD NOT perform any
205	   DNS updates.  A server sets the "N" bit to indicate whether the
206	   server SHALL (0) or SHALL NOT (1) perform DNS updates.  If the "N"
207	   bit is 1, the "S" bit MUST be 0.

209	   The "E" bit indicates the encoding of the Domain Name field. 1
210	   indicates DNS-style binary encoding, without compression, as
211	   described in RFC 1035 [3].  This encoding SHOULD be used by clients
212	   and MUST be supported by servers. 0 indicates a now deprecated ASCII
213	   encoding (see Section 3.3.1).  A server MUST use the same encoding as
214	   that used by the client.  A server that does not support the
215	   deprecated ASCII encoding MUST ignore Client FQDN options that use
216	   that encoding.

218	   The remaining bits in the Flags field are reserved for future
219	   assignment.  DHCP clients and servers which send the Client FQDN
220	   option MUST clear the MBZ bits, and they MUST ignore these bits.

222	3.2.  The RCODE Fields

224	   The RCODE1 and RCODE2 fields are deprecated.  A client SHOULD set
225	   these to 0 when sending the option and SHOULD ignore them on receipt.
226	   A server SHOULD set these to 255 when sending the option and MUST
227	   ignore them on receipt.

229	   As this option with these fields is already in wide use, the fields
230	   are retained.  These fields were originally defined for use by a DHCP
231	   server to indicate to a DHCP client the Response Code from any A
232	   (RCODE1) or PTR (RCODE2) RR DNS updates it has performed or a value
233	   of 255 was used to indicate that an update had been initiated but had
234	   not yet completed.  Each of these fields is one byte long.  These
235	   fields were defined before EDNS0 [11], which describes a mechanism
236	   for extending the length of a DNS RCODE to 12 bits, which is another
237	   reason to deprecate them.

239	   If the client needs to confirm the DNS update has been done, it MAY
240	   use a DNS query to check whether the mapping is up to date.  However,
241	   depending on the load on the DHCP and DNS servers and the DNS
242	   propagation delays, the client can only infer success.  If the
243	   information is not found to be up to date in DNS, the servers might
244	   not have completed the updates or zone transfers, or not yet updated
245	   their caches.

247	3.3.  The Domain Name Field

249	   The Domain Name part of the option carries all or part of the FQDN of
250	   a DHCP client.  The data in the Domain Name field SHOULD appear in
251	   uncompressed DNS encoding as specified in RFC 1035 [3].  If the DHCP
252	   client uses DNS encoding, it MUST set to 1 the the "E" bit in the
253	   Flags field.  In order to determine whether the FQDN has changed
254	   between message exchanges, the client and server MUST NOT alter the
255	   Domain Name field contents unless the FQDN has actually changed.

257	   A client MAY be configured with a fully-qualified domain name or with
258	   a partial name that is not fully-qualified.  If a client knows only
259	   part of its name, it MAY send a name that is not fully-qualified,
260	   indicating that it knows part of the name but does not necessarily
261	   know the zone in which the name is to be embedded.

263	   To send a fully-qualified domain name, the Domain Name field is set
264	   to the DNS encoded domain name including the terminating zero-length
265	   label.  To send a partial name, the Domain Name field is set to the
266	   DNS encoded domain name without the terminating zero-length label.

268	   A client MAY also leave the Domain Name field empty if it desires the
269	   server to provide a name.

271	3.3.1.  Deprecated ASCII Encoding

273	   A substantial population of clients implemented an earlier draft
274	   version of this specification, which permitted an ASCII encoding of
275	   the Domain Name field.  Server implementations SHOULD be aware that
276	   clients which send the Client FQDN option with the "E" bit set to 0
277	   are using an ASCII encoding of the Domain Name field.  Servers MAY be
278	   prepared to return an ASCII encoded version of the Domain Name field
279	   to such clients.  Servers that are not prepared to return an ASCII
280	   encoded version MUST ignore the Client FQDN option if the "E" bit is
281	   0.  The use of ASCII encoding in this option SHOULD be considered
282	   deprecated.

284	   A DHCP client which used ASCII encoding was permitted to suggest a
285	   single label if it was not configured with a fully-qualified name.
286	   Such clients send a single label as a series of ASCII characters in
287	   the Domain Name field, excluding the "." (dot) character.

289	   Clients and servers SHOULD follow the character-set recommendations
290	   of RFC 1034 [2] and RFC 1035 [3].  However, implementers SHOULD also
291	   be aware that some client software could be using UTF-8 [10]
292	   character encoding.  This specification does not require any support
293	   for UTF-8.

295	4.  DHCP Client Behavior

297	   The following describes the behavior of a DHCP client that implements
298	   the Client FQDN option.

300	4.1.  Interaction With Other Options

302	   Other DHCP options MAY carry data that is related to the Domain Name
303	   field of the Client FQDN option.  The Host Name option [9], for
304	   example, contains an ASCII string representation of the client's host
305	   name.  In general, a client does not need to send redundant data, and
306	   therefore clients which send the Client FQDN option in their messages
307	   MUST NOT also send the Host Name option.  Clients which receive both
308	   the Host Name option and the Client FQDN option from a server SHOULD
309	   prefer Client FQDN option data.  Section 5 instructs servers to
310	   ignore the Host Name option in client messages which include the
311	   Client FQDN option.

313	4.2.  Client Desires to Update A RRs

315	   If a client that owns/maintains its own FQDN wants to be responsible
316	   for updating the FQDN to IP address mapping for the FQDN and
317	   address(es) used by the client, the client MUST include the Client
318	   FQDN option in the DHCPREQUEST message originated by the client.  A
319	   DHCP client MAY choose to include the Client FQDN option in its
320	   DHCPDISCOVER messages as well as its DHCPREQUEST messages.  The "S"
321	   bit in the Flags field in the option MUST be 0.  The "O" and "N" bits
322	   MUST be 0.

324	   Once the client's DHCP configuration is completed (the client
325	   receives a DHCPACK message and successfully completes a final check
326	   on the parameters passed in the message), the client MAY originate an
327	   update for the A RR (associated with the client's FQDN) unless the
328	   server has set the "S" bit to 1.  If the "S" is 1, the DHCP client
329	   SHOULD NOT initiate an update for the name in the server's returned
330	   Client FQDN option Domain Name field.  However, a DHCP client that is
331	   explicitly configured with a FQDN MAY ignore the state of the "S" bit
332	   if the server's returned name matches the client's configured name.

334	4.3.  Client Desires Server to Do DNS Updates

336	   A client can choose to delegate the responsibility for updating the
337	   FQDN to IP address mapping for the FQDN and address(es) used by the
338	   client to the server.  In order to inform the server of this choice,
339	   the client SHOULD include the Client FQDN option in its DHCPREQUEST
340	   message and MAY include the Client FQDN option in its DHCPDISCOVER.
341	   The "S" bit in the Flags field in the option MUST be 1.  The "O" and
342	   "N" bits MUST be 0.

344	4.4.  Client Desires No Server DNS Updates

346	   A client can choose to request that the server perform no DNS updates
347	   on its behalf.  In order to inform the server of this choice, the
348	   client SHOULD include the Client FQDN option in its DHCPREQUEST
349	   message and MAY include the Client FQDN option in its DHCPDISCOVER.
350	   The "N" bit in the Flags field in the option MUST be 1 and the "S"
351	   and "O" bits MUST be 0.

353	   Once the client's DHCP configuration is completed (the client
354	   receives a DHCPACK message and successfully completes a final check
355	   on the parameters passed in the message), the client MAY originate
356	   its DNS updates provided the server's "N" bit is 1.  If the server's
357	   "N" bit is 0, the server MAY perform the PTR RR updates; and, MAY
358	   also perform the A RR updates if the "S" bit is 1.

360	4.5.  Domain Name and DNS Update Issues

362	   As there is a possibility that the DHCP server is configured to
363	   complete or replace a domain name that the client sends, the client
364	   MAY find it useful to send the Client FQDN option in its DHCPDISCOVER
365	   messages.  If the DHCP server returns different Domain Name data in
366	   its DHCPOFFER message, the client could use that data in performing
367	   its own eventual A RR update, or in forming the Client FQDN option
368	   that it sends in its DHCPREQUEST message.  There is no requirement
369	   that the client send identical Client FQDN option data in its
370	   DHCPDISCOVER and DHCPREQUEST messages.  In particular, if a client
371	   has sent the Client FQDN option to its server, and the configuration
372	   of the client changes so that its notion of its domain name changes,
373	   it MAY send the new name data in a Client FQDN option when it
374	   communicates with the server again.  This MAY cause the DHCP server
375	   to update the name associated with the PTR record, and, if the server
376	   updated the A record representing the client, to delete that record
377	   and attempt an update for the client's current domain name.

379	   A client that delegates the responsibility for updating the FQDN to
380	   IP address mapping to a server will not receive any indication
381	   (either positive or negative) from the server whether the server was
382	   able to perform the update.  The client MAY use a DNS query to check
383	   whether the mapping is up to date (see Section 3.2).

385	   If a client releases its lease prior to the lease expiration time and
386	   the client is responsible for updating its A RR, the client SHOULD
387	   delete the A RR associated with the leased address before sending a
388	   DHCPRELEASE message.  Similarly, if a client was responsible for
389	   updating its A RR, but is unable to renew its lease, the client
390	   SHOULD attempt to delete the A RR before its lease expires.  A DHCP
391	   client which has not been able to delete an A RR which it added
392	   (because it has lost the use of its DHCP IP address) SHOULD attempt
393	   to notify its administrator, perhaps by emitting a log message.

395	   A client that desires to perform DNS updates to A RRs SHOULD NOT do
396	   so if the client's address is a private address [6].

398	5.  DHCP Server Behavior

400	   The following describes the behavior of a DHCP server that implements
401	   the Client FQDN option when the client's message includes the Client
402	   FQDN option.

404	   The server examines its configuration and the Flag bits in the
405	   client's Client FQDN option to determine how to respond:

407	   o  If the client's "E" bit is 0 and the server does not support ASCII
408	      encoding (Section 3.3.1), the server SHOULD ignore the Client FQDN
409	      option.
410	   o  The server sets to 0 the "S", "O", and "N" Flag bits in its copy
411	      of the option it will return to the client.  The server copies the
412	      client's "E" bit.
413	   o  If the client's "N" bit is 1 and the server's configuration allows
414	      it to honor the client's request for no server initiated DNS
415	      updates, the server sets the "N" bit to 1.
416	   o  Otherwise, if the client's "S" bit is 1 and the servers's
417	      configuration allows it to honor the client's request for the
418	      server to initiate A RR DNS updates and if it has the necessary
419	      credentials, the server sets the "S" to 1.  If the server's "S"
420	      bit does not match the client's "S" bit, the server sets the "O"
421	      bit to 1.

423	   The server MAY be configured to use the name supplied in the client's
424	   Client FQDN option, or it MAY be configured to modify the supplied
425	   name, or substitute a different name.  The server SHOULD send its
426	   notion of the complete FQDN for the client in the Domain Name field.
427	   The server MAY simply copy the Domain Name field from the Client FQDN
428	   option that the client sent to the server.  The server MUST use the
429	   same encoding format (ASCII or DNS binary encoding) that the client
430	   used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST,
431	   and MUST set the "E" bit in the option's Flags field accordingly.

433	   If a client sends both the Client FQDN and Host Name option, the
434	   server SHOULD ignore the Host Name option.

436	   The server SHOULD set the RCODE1 and RCODE2 fields to 255 before
437	   sending the Client FQDN message to the client in a DHCPOFFER or
438	   DHCPACK.

440	5.1.  When to Perform DNS Updates

442	   The server SHOULD NOT perform any DNS updates if the "N" bit is 1 in
443	   the Flags field of the Client FQDN option in the DHCPACK messages (to
444	   be) sent to the client.  However, the server SHOULD delete any RRs
445	   which it previously added via DNS updates for the client.

447	   The server MAY perform the PTR RR DNS update (unless the "N" bit is
448	   1).

450	   The server MAY perform the A RR DNS update if the "S" bit is 1 in the
451	   Flags field of the Client FQDN option in the DHCPACK message (to be)
452	   sent to the client.

454	   The server MAY perform these updates even if the client's DHCPREQUEST
455	   did not carry the Client FQDN option.  The server MUST NOT initiate
456	   DNS updates when responding to DHCPDISCOVER messages from a client.

458	   The server MAY complete its DNS updates (PTR RR or PTR and A RR)
459	   before the server sends the DHCPACK message to the client.
460	   Alternatively, the server MAY send the DHCPACK message to the client
461	   without waiting for the update to be completed.  Whether the DNS
462	   update occurs before or after the DHCPACK is sent is entirely up to
463	   the DHCP server's configuration.

465	   If the server's A RR DNS update does not complete until after the
466	   server has replied to the DHCP client, the server's interaction with
467	   the DNS server MAY cause the DHCP server to change the domain name
468	   that it associates with the client.  This can occur, for example, if
469	   the server detects and resolves a domain-name conflict [7].  In such
470	   cases, the domain name that the server returns to the DHCP client
471	   would change between two DHCP exchanges.

473	   If the server previously performed DNS updates for the client and the
474	   client's information has not changed, the server MAY skip performing
475	   additional DNS updates.

477	   When a server detects that a lease on an address that the server
478	   leases to a client has expired, the server SHOULD delete any PTR RR
479	   which it added via DNS update.  In addition, if the server added an A
480	   RR on the client's behalf, the server SHOULD also delete the A RR.

482	   When a server terminates a lease on an address prior to the lease's
483	   expiration time, for instance by sending a DHCPNAK to a client, the
484	   server SHOULD delete any PTR RR which it associated with the address
485	   via DNS update.  In addition, if the server took responsibility for
486	   an A RR, the server SHOULD also delete that A RR.

488	6.  DNS Update Conflicts

490	   This document does not resolve how a DHCP client or server prevent
491	   name conflicts.  This document addresses only how a DHCP client and
492	   server negotiate who will perform the DNS updates and the fully
493	   qualified domain name requested or used.

495	   Implementers of this work will need to consider how name conflicts
496	   will be prevented.  If a DNS updater needs a security token in order
497	   to successfully perform DNS updates on a specific name, name
498	   conflicts can only occur if multiple clients are given a security
499	   token for that name.  Or, if the fully qualified domains are based on
500	   the specific address bound to a client, conflicts will not occur.
501	   Or, a name conflict resolution technique as described in "Resolving
502	   Name Conflicts" [7]) SHOULD be used.

504	7.  IANA Considerations

506	   IANA has already assigned DHCP option 81 to the Client FQDN option.
507	   As this document updates the option's use, IANA is requested to
508	   reference this document for option 81.

510	8.  Security Considerations

512	   Unauthenticated updates to the DNS can lead to tremendous confusion,
513	   through malicious attack or through inadvertent misconfiguration.
514	   Administrators need to be wary of permitting unsecured DNS updates to
515	   zones which are exposed to the global Internet.  Both DHCP clients
516	   and servers should use some form of update request origin
517	   authentication procedure (e.g., Secure DNS Dynamic Update [12]) when
518	   performing DNS updates.

520	   Whether a DHCP client is responsible for updating an FQDN to IP
521	   address mapping or whether this is the responsibility of the DHCP
522	   server is a site-local matter.  The choice between the two
523	   alternatives is likely based on the security model that is used with
524	   the DNS update protocol (e.g., only a client may have sufficient
525	   credentials to perform updates to the FQDN to IP address mapping for
526	   its FQDN).

528	   Whether a DHCP server is always responsible for updating the FQDN to
529	   IP address mapping (in addition to updating the IP to FQDN mapping),
530	   regardless of the wishes of an individual DHCP client, is also a
531	   site-local matter.  The choice between the two alternatives is likely
532	   based on the security model that is being used with DNS updates.  In
533	   cases where a DHCP server is performing DNS updates on behalf of a
534	   client, the DHCP server should be sure of the DNS name to use for the
535	   client, and of the identity of the client.

537	   Currently, it is difficult for DHCP servers to develop much
538	   confidence in the identities of its clients, given the absence of
539	   entity authentication from the DHCP protocol itself.  There are many
540	   ways for a DHCP server to develop a DNS name to use for a client, but
541	   only in certain relatively unusual circumstances will the DHCP server
542	   know for certain the identity of the client.  If DHCP Authentication
543	   [13] becomes widely deployed this may become more customary.

545	   One example of a situation which offers some extra assurances is one
546	   where the DHCP client is connected to a network through an MCNS cable
547	   modem, and the CMTS (head-end) ensures that MAC address spoofing
548	   simply does not occur.  Another example of a configuration that might
549	   be trusted is one where clients obtain network access via a network
550	   access server using PPP.  The NAS itself might be obtaining IP
551	   addresses via DHCP, encoding a client identification into the DHCP
552	   client-id option.  In this case, the network access server as well as
553	   the DHCP server might be operating within a trusted environment, in
554	   which case the DHCP server could be configured to trust that the user
555	   authentication and authorization procedure of the remote access
556	   server was sufficient, and would therefore trust the client
557	   identification encoded within the DHCP client-id.

559	9.  Acknowledgements

561	   Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
562	   Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W.
563	   Hankins, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed
564	   Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Jyrki Soini,
565	   and Glenn Stump for their review and comments.

567	10.  References

569	10.1.  Normative References

571	   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
572	        Levels", BCP 14, RFC 2119, March 1997.

574	   [2]  Mockapetris, P., "Domain names - concepts and facilities",
575	        STD 13, RFC 1034, November 1987.

577	   [3]  Mockapetris, P., "Domain names - implementation and
578	        specification", STD 13, RFC 1035, November 1987.

580	   [4]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
581	        Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
582	        April 1997.

584	   [5]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
585	        March 1997.

587	   [6]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
588	        Lear, "Address Allocation for Private Internets", BCP 5,
589	        RFC 1918, February 1996.

591	   [7]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
592	        DHCP Clients (draft-ietf-dhc-ddns-resolution-*.txt)",
593	        September 2005.

595	10.2.  Informative References

597	   [8]   Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions and
598	         Answers - Answers to Commonly asked "New Internet User"
599	         Questions", RFC 1594, March 1994.

601	   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
602	         Extensions", RFC 2132, March 1997.

604	   [10]  Yergeau, F., "UTF-8, a transformation format of ISO 10646",
605	         RFC 2279, January 1998.

607	   [11]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
608	         August 1999.

610	   [12]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
611	         Update", RFC 3007, November 2000.

613	   [13]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
614	         RFC 3118, June 2001.

616	Authors' Addresses

618	   Mark Stapp
619	   Cisco Systems, Inc.
620	   1414 Massachusetts Ave.
621	   Boxborough, MA  01719
622	   USA

624	   Phone: 978.936.1535
625	   Email: mjs@cisco.com

627	   Bernie Volz
628	   Cisco Systems, Inc.
629	   1414 Massachusetts Ave.
630	   Boxborough, MA  01719
631	   USA

633	   Phone: 978.936.0382
634	   Email: volz@cisco.com

636	   Yakov Rekhter
637	   Juniper Networks
638	   1194 North Mathilda Avenue
639	   Sunnyvale, CA  94089
640	   USA

642	   Phone: 408.745.2000
643	   Email: yakov@juniper.net

645	Intellectual Property Statement

647	   The IETF takes no position regarding the validity or scope of any
648	   Intellectual Property Rights or other rights that might be claimed to
649	   pertain to the implementation or use of the technology described in
650	   this document or the extent to which any license under such rights
651	   might or might not be available; nor does it represent that it has
652	   made any independent effort to identify any such rights.  Information
653	   on the procedures with respect to rights in RFC documents can be
654	   found in BCP 78 and BCP 79.

656	   Copies of IPR disclosures made to the IETF Secretariat and any
657	   assurances of licenses to be made available, or the result of an
658	   attempt made to obtain a general license or permission for the use of
659	   such proprietary rights by implementers or users of this
660	   specification can be obtained from the IETF on-line IPR repository at
661	   http://www.ietf.org/ipr.

663	   The IETF invites any interested party to bring to its attention any
664	   copyrights, patents or patent applications, or other proprietary
665	   rights that may cover technology that may be required to implement
666	   this standard.  Please address the information to the IETF at
667	   ietf-ipr@ietf.org.

669	Disclaimer of Validity

671	   This document and the information contained herein are provided on an
672	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
673	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
674	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
675	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
676	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
677	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

679	Copyright Statement

681	   Copyright (C) The Internet Society (2005).  This document is subject
682	   to the rights, licenses and restrictions contained in BCP 78, and
683	   except as set forth therein, the authors retain all their rights.

685	Acknowledgment

687	   Funding for the RFC Editor function is currently provided by the
688	   Internet Society.