idnits 2.17.1 

draft-ietf-dnsext-dhcid-rr-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1.a on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 413.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 390.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 397.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 403.

  ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line
     419), which is fine, but *also* found old RFC 2026, Section 10.4C,
     paragraph 1 text on line 41.

  ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure
     Acknowledgement. 

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.

  ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate
     instead of verbatim RFC 3978 boilerplate.  After 6 May 2005, submission
     of drafts without verbatim RFC 3978 boilerplate is not accepted.

     The following non-3978 patterns matched text found in the document. 
     That text should be removed or replaced:

        This document is an Internet-Draft and is subject to all provisions of
        Section 3 of RFC 3667.

        By submitting this Internet-Draft, each author represents that any
        applicable patent or other IPR claims of which he or she is aware
        have been or will be disclosed, and any of which he or she
        becomes aware will be disclosed, in accordance with Section 6 of
        BCP 79.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 6 instances of lines with control characters in the document.

  ** The abstract seems to contain references ([1]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.

  == There are 4 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 16, 2004) is 7217 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: 'TBD' on line 120

  -- No information found for draft-ietf-dhc-dns-resolution- - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '1' 

  ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '5')

  ** Obsolete normative reference: RFC 2434 (ref. '6') (Obsoleted by RFC 5226)

  -- Obsolete informational reference (is this intentional?): RFC 2535 (ref.
     '8') (Obsoleted by RFC 4033, RFC 4034, RFC 4035)

  -- Obsolete informational reference (is this intentional?): RFC 3315 (ref.
     '10') (Obsoleted by RFC 8415)

  -- Obsolete informational reference (is this intentional?): RFC 2845 (ref.
     '11') (Obsoleted by RFC 8945)

  -- No information found for draft-ietf-dhc-3315id-for-v4- - is the name
     correct?


     Summary: 10 errors (**), 0 flaws (~~), 3 warnings (==), 14 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	DNSEXT                                                          M. Stapp
3	Internet-Draft                                       Cisco Systems, Inc.
4	Expires: January 14, 2005                                       T. Lemon
5	                                                           A. Gustafsson
6	                                                           Nominum, Inc.
7	                                                           July 16, 2004

9	           A DNS RR for Encoding DHCP Information (DHCID RR)
10	                  <draft-ietf-dnsext-dhcid-rr-08.txt>

12	Status of this Memo

14	   This document is an Internet-Draft and is subject to all provisions
15	   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
16	   author represents that any applicable patent or other IPR claims of
17	   which he or she is aware have been or will be disclosed, and any of
18	   which he or she become aware will be disclosed, in accordance with
19	   RFC 3668.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as
24	   Internet-Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at http://
32	   www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	   This Internet-Draft will expire on January 14, 2005.

39	Copyright Notice

41	   Copyright (C) The Internet Society (2004).  All Rights Reserved.

43	Abstract

45	   It is possible for multiple DHCP clients to attempt to update the
46	   same DNS FQDN as they obtain DHCP leases.  Whether the DHCP server or
47	   the clients themselves perform the DNS updates, conflicts can arise.
48	   To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
49	   proposes storing client identifiers in the DNS to unambiguously
50	   associate domain names with the DHCP clients to which they refer.
51	   This memo defines a distinct RR type for this purpose for use by DHCP
52	   clients and servers, the "DHCID" RR.

54	Table of Contents

56	   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
57	   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
58	   3.  The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .  3
59	     3.1   DHCID RDATA format . . . . . . . . . . . . . . . . . . . .  4
60	     3.2   DHCID Presentation Format  . . . . . . . . . . . . . . . .  4
61	     3.3   The DHCID RR Type Codes  . . . . . . . . . . . . . . . . .  4
62	     3.4   Computation of the RDATA . . . . . . . . . . . . . . . . .  4
63	     3.5   Examples . . . . . . . . . . . . . . . . . . . . . . . . .  5
64	       3.5.1   Example 1  . . . . . . . . . . . . . . . . . . . . . .  6
65	       3.5.2   Example 2  . . . . . . . . . . . . . . . . . . . . . .  6
66	   4.  Use of the DHCID RR  . . . . . . . . . . . . . . . . . . . . .  6
67	   5.  Updater Behavior . . . . . . . . . . . . . . . . . . . . . . .  6
68	   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
69	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  7
70	   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  7
71	   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
72	   9.1   Normative References . . . . . . . . . . . . . . . . . . . .  8
73	   9.2   Informative References . . . . . . . . . . . . . . . . . . .  8
74	       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  9
75	       Intellectual Property and Copyright Statements . . . . . . . . 10

77	1.  Terminology

79	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
80	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
81	   document are to be interpreted as described in RFC 2119 [2].

83	2.  Introduction

85	   A set of procedures to allow DHCP [7] clients and servers to
86	   automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
87	   in "Resolution of DNS Name Conflicts" [1].

89	   Conflicts can arise if multiple DHCP clients wish to use the same DNS
90	   name.  To resolve such conflicts, "Resolution of DNS Name Conflicts"
91	   [1] proposes storing client identifiers in the DNS to unambiguously
92	   associate domain names with the DHCP clients using them.  In the
93	   interest of clarity, it is preferable for this DHCP information to
94	   use a distinct RR type.  This memo defines a distinct RR for this
95	   purpose for use by DHCP clients or servers, the "DHCID" RR.

97	   In order to avoid exposing potentially sensitive identifying
98	   information, the data stored is the result of a one-way MD5 [5] hash
99	   computation.  The hash includes information from the DHCP client's
100	   REQUEST message as well as the domain name itself, so that the data
101	   stored in the DHCID RR will be dependent on both the client
102	   identification used in the DHCP protocol interaction and the domain
103	   name.  This means that the DHCID RDATA will vary if a single client
104	   is associated over time with more than one name.  This makes it
105	   difficult to 'track' a client as it is associated with various domain
106	   names.

108	   The MD5 hash algorithm has been shown to be weaker than the SHA-1
109	   algorithm; it could therefore be argued that SHA-1 is a better
110	   choice.  However, SHA-1 is significantly slower than MD5.  A
111	   successful attack of MD5's weakness does not reveal the original data
112	   that was used to generate the signature, but rather provides a new
113	   set of input data that will produce the same signature.  Because we
114	   are using the MD5 hash to conceal the original data, the fact that an
115	   attacker could produce a different plaintext resulting in the same
116	   MD5 output is not significant concern.

118	3.  The DHCID RR

120	   The DHCID RR is defined with mnemonic DHCID and type code [TBD].  The
121	   DHCID RR is only defined in the IN class.  DHCID RRs cause no
122	   additional section processing.  The DHCID RR is not a singleton type.

124	3.1  DHCID RDATA format

126	   The RDATA section of a DHCID RR in transmission contains RDLENGTH
127	   bytes of binary data.  The format of this data and its interpretation
128	   by DHCP servers and clients are described below.

130	   DNS software should consider the RDATA section to be opaque.  DHCP
131	   clients or servers use the DHCID RR to associate a DHCP client's
132	   identity with a DNS name, so that multiple DHCP clients and servers
133	   may deterministically perform dynamic DNS updates to the same zone.
134	   From the updater's perspective, the DHCID resource record RDATA
135	   consists of a 16-bit identifier type, in network byte order, followed
136	   by one or more bytes representing the actual identifier:

138	     	< 16 bits >	DHCP identifier used
139	     	< n bytes >	MD5 digest

141	3.2  DHCID Presentation Format

143	   In DNS master files, the RDATA is represented as a single block in
144	   base 64 encoding identical to that used for representing binary data
145	   in RFC 2535 [8].  The data may be divided up into any number of white
146	   space separated substrings, down to single base 64 digits, which are
147	   concatenated to form the complete RDATA.  These substrings can span
148	   lines using the standard parentheses.

150	3.3  The DHCID RR Type Codes

152	   The DHCID RR Type Code specifies what data from the DHCP client's
153	   request was used as input into the hash function.  The type codes are
154	   defined in a registry maintained by IANA, as specified in Section 7.
155	   The initial list of assigned values for the type code is:

157	   0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
158	   0x0001 = The data portion from a DHCPv4 client's Client Identifier
159	      option [9].
160	   0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
161	      client's Client Identifier option [10] or the DUID field from a
162	      DHCPv4 client's Client Identifier option [12]).

164	   0x0003 - 0xfffe = Available to be assigned by IANA.

166	   0xffff = RESERVED

168	3.4  Computation of the RDATA

170	   The DHCID RDATA is formed by concatenating the two type bytes with
171	   some variable-length identifying data.

173	       < type > < data >

175	   The RDATA for all type codes other than 0xffff, which is reserved for
176	   future expansion, is formed by concatenating the two type bytes and a
177	   16-byte MD5 hash value.  The input to the hash function is defined to
178	   be:

180	       data = MD5(< identifier > < FQDN >)

182	   The FQDN is represented in the buffer in unambiguous canonical form
183	   as described in RFC 2535 [8], section 8.1.  The type code and the
184	   identifier are related as specified in Section 3.3: the type code
185	   describes the source of the identifier.

187	   When the updater is using the client's link-layer address as the
188	   identifier, the first two bytes of the DHCID RDATA MUST be zero.  To
189	   generate the rest of the resource record, the updater computes a
190	   one-way hash using the MD5 algorithm across a buffer containing the
191	   client's network hardware type, link-layer address, and the FQDN
192	   data.  Specifically, the first byte of the buffer contains the
193	   network hardware type as it appeared in the DHCP 'htype' field of the
194	   client's DHCPREQUEST message.  All of the significant bytes of the
195	   chaddr field in the client's DHCPREQUEST message follow, in the same
196	   order in which the bytes appear in the DHCPREQUEST message.  The
197	   number of significant bytes in the 'chaddr' field is specified in the
198	   'hlen' field of the DHCPREQUEST message.  The FQDN data, as specified
199	   above, follows.

201	   When the updater is using the DHCPv4 Client Identifier option sent by
202	   the client in its DHCPREQUEST message, the first two bytes of the
203	   DHCID RR MUST be 0x0001, in network byte order.  The rest of the
204	   DHCID RR MUST contain the results of computing an MD5 hash across the
205	   payload of the option, followed by the FQDN.  The payload of the
206	   option consists of the bytes of the option following the option code
207	   and length.

209	   When the updater is using the DHCPv6 DUID sent by the client in its
210	   REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
211	   in network byte order.  The rest of the DHCID RR MUST contain the
212	   results of computing an MD5 hash across the payload of the option,
213	   followed by the FQDN.  The payload of the option consists of the
214	   bytes of the option following the option code and length.

216	3.5  Examples
217	3.5.1  Example 1

219	   A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
220	   Ethernet MAC address 01:02:03:04:05:06 using domain name
221	   "client.example.com" uses the client's link-layer address to identify
222	   the client.  The DHCID RDATA is composed by setting the two type
223	   bytes to zero, and performing an MD5 hash computation across a buffer
224	   containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
225	   address, and the domain name (represented as specified in Section
226	   3.4).

228	     client.example.com.	A   	10.0.0.1
229	     client.example.com. 	DHCID 	AAAUMru0ZM5OK/PdVAJgZ/HU

231	3.5.2  Example 2

233	   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
234	   included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
235	   in its DHCP request.  The server updates the name "chi.example.com"
236	   on the client's behalf, and uses the DHCP client identifier option
237	   data as input in forming a DHCID RR.  The DHCID RDATA is formed by
238	   setting the two type bytes to the value 0x0001, and performing an MD5
239	   hash computation across a buffer containing the seven bytes from the
240	   client-id option and the FQDN (represented as specified in Section
241	   3.4).

243	     chi.example.com.	A    	10.0.12.99
244	     chi.example.com.	DHCID 	AAHdd5jiQ3kEjANDm82cbObk\012

246	4.  Use of the DHCID RR

248	   This RR MUST NOT be used for any purpose other than that detailed in
249	   "Resolution of DNS Name Conflicts" [1].  Although this RR contains
250	   data that is opaque to DNS servers, the data must be consistent
251	   across all entities that update and interpret this record.
252	   Therefore, new data formats may only be defined through actions of
253	   the DHC Working Group, as a result of revising [1].

255	5.  Updater Behavior

257	   The data in the DHCID RR allows updaters to determine whether more
258	   than one DHCP client desires to use a particular FQDN.  This allows
259	   site administrators to establish policy about DNS updates.  The DHCID
260	   RR does not establish any policy itself.

262	   Updaters use data from a DHCP client's request and the domain name
263	   that the client desires to use to compute a client identity hash, and
264	   then compare that hash to the data in any DHCID RRs on the name that
265	   they wish to associate with the client's IP address.  If an updater
266	   discovers DHCID RRs whose RDATA does not match the client identity
267	   that they have computed, the updater SHOULD conclude that a different
268	   client is currently associated with the name in question.  The
269	   updater SHOULD then proceed according to the site's administrative
270	   policy.  That policy might dictate that a different name be selected,
271	   or it might permit the updater to continue.

273	6.  Security Considerations

275	   The DHCID record as such does not introduce any new security problems
276	   into the DNS.  In order to avoid exposing private information about
277	   DHCP clients to public scrutiny, a one-way hash is used to obscure
278	   all client information.  In order to make it difficult to 'track' a
279	   client by examining the names associated with a particular hash
280	   value, the FQDN is included in the hash computation.  Thus, the RDATA
281	   is dependent on both the DHCP client identification data and on each
282	   FQDN associated with the client.

284	   Administrators should be wary of permitting unsecured DNS updates to
285	   zones which are exposed to the global Internet.  Both DHCP clients
286	   and servers SHOULD use some form of update authentication (e.g., TSIG
287	   [11]) when performing DNS updates.

289	7.  IANA Considerations

291	   IANA is requested to allocate an RR type number for the DHCID record
292	   type.

294	   This specification defines a new number-space for the 16-bit type
295	   codes associated with the DHCID RR.  IANA is requested to establish a
296	   registry of the values for this number-space.

298	   Three initial values are assigned in Section 3.3, and the value
299	   0xFFFF is reserved for future use.  New DHCID RR type codes are
300	   tentatively assigned after the specification for the associated type
301	   code, published as an Internet Draft, has received expert review by a
302	   designated expert.  The final assignment of DHCID RR type codes is
303	   through Standards Action, as defined in RFC 2434 [6].

305	8.  Acknowledgements

307	   Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
308	   Ralph Droms for their review and suggestions.

310	9.  References

312	9.1  Normative References

314	   [1]  Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
315	        DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.

317	   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
318	        Levels", BCP 14, RFC 2119, March 1997.

320	   [3]  Mockapetris, P., "Domain names - concepts and facilities", STD
321	        13, RFC 1034, November 1987.

323	   [4]  Mockapetris, P., "Domain names - implementation and
324	        specification", STD 13, RFC 1035, November 1987.

326	   [5]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
327	        1992.

329	   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
330	        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

332	9.2  Informative References

334	   [7]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
335	         March 1997.

337	   [8]   Eastlake, D., "Domain Name System Security Extensions", RFC
338	         2535, March 1999.

340	   [9]   Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
341	         Extensions", RFC 2132, March 1997.

343	   [10]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
344	         Carney, "Dynamic Host Configuration Protocol for IPv6
345	         (DHCPv6)", RFC 3315, July 2003.

347	   [11]  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
348	         "Secret Key Transaction Authentication for DNS (TSIG)", RFC
349	         2845, May 2000.

351	   [12]  Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
352	         for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.

354	Authors' Addresses

356	   Mark Stapp
357	   Cisco Systems, Inc.
358	   1414 Massachusetts Ave.
359	   Boxborough, MA  01719
360	   USA

362	   Phone: 978.936.1535
363	   EMail: mjs@cisco.com

365	   Ted Lemon
366	   Nominum, Inc.
367	   950 Charter St.
368	   Redwood City, CA  94063
369	   USA

371	   EMail: mellon@nominum.com

373	   Andreas Gustafsson
374	   Nominum, Inc.
375	   950 Charter St.
376	   Redwood City, CA  94063
377	   USA

379	   EMail: gson@nominum.com

381	Intellectual Property Statement

383	   The IETF takes no position regarding the validity or scope of any
384	   Intellectual Property Rights or other rights that might be claimed to
385	   pertain to the implementation or use of the technology described in
386	   this document or the extent to which any license under such rights
387	   might or might not be available; nor does it represent that it has
388	   made any independent effort to identify any such rights.  Information
389	   on the procedures with respect to rights in RFC documents can be
390	   found in BCP 78 and BCP 79.

392	   Copies of IPR disclosures made to the IETF Secretariat and any
393	   assurances of licenses to be made available, or the result of an
394	   attempt made to obtain a general license or permission for the use of
395	   such proprietary rights by implementers or users of this
396	   specification can be obtained from the IETF on-line IPR repository at
397	   http://www.ietf.org/ipr.

399	   The IETF invites any interested party to bring to its attention any
400	   copyrights, patents or patent applications, or other proprietary
401	   rights that may cover technology that may be required to implement
402	   this standard.  Please address the information to the IETF at
403	   ietf-ipr@ietf.org.

405	Disclaimer of Validity

407	   This document and the information contained herein are provided on an
408	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
409	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
410	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
411	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
412	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
413	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

415	Copyright Statement

417	   Copyright (C) The Internet Society (2004).  This document is subject
418	   to the rights, licenses and restrictions contained in BCP 78, and
419	   except as set forth therein, the authors retain all their rights.

421	Acknowledgment

423	   Funding for the RFC Editor function is currently provided by the
424	   Internet Society.