idnits 2.17.1 draft-ietf-dnsext-dhcid-rr-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5 on line 413. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 390. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 397. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 403. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 4 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 24, 2005) is 6789 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'TBD' on line 119 -- No information found for draft-ietf-dhc-dns-resolution- - is the name correct? -- Possible downref: Normative reference to a draft: ref. '1' ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '5') ** Obsolete normative reference: RFC 2434 (ref. '6') (Obsoleted by RFC 5226) -- Obsolete informational reference (is this intentional?): RFC 2535 (ref. '8') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) -- Obsolete informational reference (is this intentional?): RFC 3315 (ref. '10') (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 2845 (ref. '11') (Obsoleted by RFC 8945) -- No information found for draft-ietf-dhc-3315id-for-v4- - is the name correct? Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSEXT M. Stapp 3 Internet-Draft Cisco Systems, Inc. 4 Expires: March 28, 2006 T. Lemon 5 A. Gustafsson 6 Nominum, Inc. 7 September 24, 2005 9 A DNS RR for Encoding DHCP Information (DHCID RR) 10 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on March 28, 2006. 37 Copyright Notice 39 Copyright (C) The Internet Society (2005). 41 Abstract 43 It is possible for multiple DHCP clients to attempt to update the 44 same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or 45 the clients themselves perform the DNS updates, conflicts can arise. 46 To resolve such conflicts, "Resolution of DNS Name Conflicts" [1] 47 proposes storing client identifiers in the DNS to unambiguously 48 associate domain names with the DHCP clients to which they refer. 50 This memo defines a distinct RR type for this purpose for use by DHCP 51 clients and servers, the "DHCID" RR. 53 Table of Contents 55 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3.1. DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4 59 3.2. DHCID Presentation Format . . . . . . . . . . . . . . . . 4 60 3.3. The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4 61 3.4. Computation of the RDATA . . . . . . . . . . . . . . . . . 4 62 3.5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5 63 3.5.1. Example 1 . . . . . . . . . . . . . . . . . . . . . . 5 64 3.5.2. Example 2 . . . . . . . . . . . . . . . . . . . . . . 6 65 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6 66 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6 67 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 68 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 69 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 70 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 71 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8 72 9.2. Informative References . . . . . . . . . . . . . . . . . . 8 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 74 Intellectual Property and Copyright Statements . . . . . . . . . . 10 76 1. Terminology 78 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 79 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 80 document are to be interpreted as described in RFC 2119 [2]. 82 2. Introduction 84 A set of procedures to allow DHCP [7] clients and servers to 85 automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed 86 in "Resolution of DNS Name Conflicts" [1]. 88 Conflicts can arise if multiple DHCP clients wish to use the same DNS 89 name. To resolve such conflicts, "Resolution of DNS Name Conflicts" 90 [1] proposes storing client identifiers in the DNS to unambiguously 91 associate domain names with the DHCP clients using them. In the 92 interest of clarity, it is preferable for this DHCP information to 93 use a distinct RR type. This memo defines a distinct RR for this 94 purpose for use by DHCP clients or servers, the "DHCID" RR. 96 In order to avoid exposing potentially sensitive identifying 97 information, the data stored is the result of a one-way MD5 [5] hash 98 computation. The hash includes information from the DHCP client's 99 REQUEST message as well as the domain name itself, so that the data 100 stored in the DHCID RR will be dependent on both the client 101 identification used in the DHCP protocol interaction and the domain 102 name. This means that the DHCID RDATA will vary if a single client 103 is associated over time with more than one name. This makes it 104 difficult to 'track' a client as it is associated with various domain 105 names. 107 The MD5 hash algorithm has been shown to be weaker than the SHA-1 108 algorithm; it could therefore be argued that SHA-1 is a better 109 choice. However, SHA-1 is significantly slower than MD5. A 110 successful attack of MD5's weakness does not reveal the original data 111 that was used to generate the signature, but rather provides a new 112 set of input data that will produce the same signature. Because we 113 are using the MD5 hash to conceal the original data, the fact that an 114 attacker could produce a different plaintext resulting in the same 115 MD5 output is not significant concern. 117 3. The DHCID RR 119 The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The 120 DHCID RR is only defined in the IN class. DHCID RRs cause no 121 additional section processing. The DHCID RR is not a singleton type. 123 3.1. DHCID RDATA format 125 The RDATA section of a DHCID RR in transmission contains RDLENGTH 126 bytes of binary data. The format of this data and its interpretation 127 by DHCP servers and clients are described below. 129 DNS software should consider the RDATA section to be opaque. DHCP 130 clients or servers use the DHCID RR to associate a DHCP client's 131 identity with a DNS name, so that multiple DHCP clients and servers 132 may deterministically perform dynamic DNS updates to the same zone. 133 From the updater's perspective, the DHCID resource record RDATA 134 consists of a 16-bit identifier type, in network byte order, followed 135 by one or more bytes representing the actual identifier: 137 < 16 bits > DHCP identifier used 138 < n bytes > MD5 digest 140 3.2. DHCID Presentation Format 142 In DNS master files, the RDATA is represented as a single block in 143 base 64 encoding identical to that used for representing binary data 144 in RFC 2535 [8]. The data may be divided up into any number of white 145 space separated substrings, down to single base 64 digits, which are 146 concatenated to form the complete RDATA. These substrings can span 147 lines using the standard parentheses. 149 3.3. The DHCID RR Type Codes 151 The DHCID RR Type Code specifies what data from the DHCP client's 152 request was used as input into the hash function. The type codes are 153 defined in a registry maintained by IANA, as specified in Section 7. 154 The initial list of assigned values for the type code is: 156 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7]. 157 0x0001 = The data portion from a DHCPv4 client's Client Identifier 158 option [9]. 159 0x0002 = The client's DUID (i.e., the data portion of a DHCPv6 160 client's Client Identifier option [10] or the DUID field from a 161 DHCPv4 client's Client Identifier option [12]). 163 0x0003 - 0xfffe = Available to be assigned by IANA. 165 0xffff = RESERVED 167 3.4. Computation of the RDATA 169 The DHCID RDATA is formed by concatenating the two type bytes with 170 some variable-length identifying data. 172 < type > < data > 174 The RDATA for all type codes other than 0xffff, which is reserved for 175 future expansion, is formed by concatenating the two type bytes and a 176 16-byte MD5 hash value. The input to the hash function is defined to 177 be: 179 data = MD5(< identifier > < FQDN >) 181 The FQDN is represented in the buffer in unambiguous canonical form 182 as described in RFC 2535 [8], section 8.1. The type code and the 183 identifier are related as specified in Section 3.3: the type code 184 describes the source of the identifier. 186 When the updater is using the client's link-layer address as the 187 identifier, the first two bytes of the DHCID RDATA MUST be zero. To 188 generate the rest of the resource record, the updater computes a one- 189 way hash using the MD5 algorithm across a buffer containing the 190 client's network hardware type, link-layer address, and the FQDN 191 data. Specifically, the first byte of the buffer contains the 192 network hardware type as it appeared in the DHCP 'htype' field of the 193 client's DHCPREQUEST message. All of the significant bytes of the 194 chaddr field in the client's DHCPREQUEST message follow, in the same 195 order in which the bytes appear in the DHCPREQUEST message. The 196 number of significant bytes in the 'chaddr' field is specified in the 197 'hlen' field of the DHCPREQUEST message. The FQDN data, as specified 198 above, follows. 200 When the updater is using the DHCPv4 Client Identifier option sent by 201 the client in its DHCPREQUEST message, the first two bytes of the 202 DHCID RR MUST be 0x0001, in network byte order. The rest of the 203 DHCID RR MUST contain the results of computing an MD5 hash across the 204 payload of the option, followed by the FQDN. The payload of the 205 option consists of the bytes of the option following the option code 206 and length. 208 When the updater is using the DHCPv6 DUID sent by the client in its 209 REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002, 210 in network byte order. The rest of the DHCID RR MUST contain the 211 results of computing an MD5 hash across the payload of the option, 212 followed by the FQDN. The payload of the option consists of the 213 bytes of the option following the option code and length. 215 3.5. Examples 217 3.5.1. Example 1 219 A DHCP server allocating the IPv4 address 10.0.0.1 to a client with 220 Ethernet MAC address 01:02:03:04:05:06 using domain name 221 "client.example.com" uses the client's link-layer address to identify 222 the client. The DHCID RDATA is composed by setting the two type 223 bytes to zero, and performing an MD5 hash computation across a buffer 224 containing the Ethernet MAC type byte, 0x01, the six bytes of MAC 225 address, and the domain name (represented as specified in 226 Section 3.4). 228 client.example.com. A 10.0.0.1 229 client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU 231 3.5.2. Example 2 233 A DHCP server allocates the IPv4 address 10.0.12.99 to a client which 234 included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c 235 in its DHCP request. The server updates the name "chi.example.com" 236 on the client's behalf, and uses the DHCP client identifier option 237 data as input in forming a DHCID RR. The DHCID RDATA is formed by 238 setting the two type bytes to the value 0x0001, and performing an MD5 239 hash computation across a buffer containing the seven bytes from the 240 client-id option and the FQDN (represented as specified in 241 Section 3.4). 243 chi.example.com. A 10.0.12.99 244 chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012 246 4. Use of the DHCID RR 248 This RR MUST NOT be used for any purpose other than that detailed in 249 "Resolution of DNS Name Conflicts" [1]. Although this RR contains 250 data that is opaque to DNS servers, the data must be consistent 251 across all entities that update and interpret this record. 252 Therefore, new data formats may only be defined through actions of 253 the DHC Working Group, as a result of revising [1]. 255 5. Updater Behavior 257 The data in the DHCID RR allows updaters to determine whether more 258 than one DHCP client desires to use a particular FQDN. This allows 259 site administrators to establish policy about DNS updates. The DHCID 260 RR does not establish any policy itself. 262 Updaters use data from a DHCP client's request and the domain name 263 that the client desires to use to compute a client identity hash, and 264 then compare that hash to the data in any DHCID RRs on the name that 265 they wish to associate with the client's IP address. If an updater 266 discovers DHCID RRs whose RDATA does not match the client identity 267 that they have computed, the updater SHOULD conclude that a different 268 client is currently associated with the name in question. The 269 updater SHOULD then proceed according to the site's administrative 270 policy. That policy might dictate that a different name be selected, 271 or it might permit the updater to continue. 273 6. Security Considerations 275 The DHCID record as such does not introduce any new security problems 276 into the DNS. In order to avoid exposing private information about 277 DHCP clients to public scrutiny, a one-way hash is used to obscure 278 all client information. In order to make it difficult to 'track' a 279 client by examining the names associated with a particular hash 280 value, the FQDN is included in the hash computation. Thus, the RDATA 281 is dependent on both the DHCP client identification data and on each 282 FQDN associated with the client. 284 Administrators should be wary of permitting unsecured DNS updates to 285 zones which are exposed to the global Internet. Both DHCP clients 286 and servers SHOULD use some form of update authentication (e.g., TSIG 287 [11]) when performing DNS updates. 289 7. IANA Considerations 291 IANA is requested to allocate an RR type number for the DHCID record 292 type. 294 This specification defines a new number-space for the 16-bit type 295 codes associated with the DHCID RR. IANA is requested to establish a 296 registry of the values for this number-space. 298 Three initial values are assigned in Section 3.3, and the value 299 0xFFFF is reserved for future use. New DHCID RR type codes are 300 tentatively assigned after the specification for the associated type 301 code, published as an Internet Draft, has received expert review by a 302 designated expert. The final assignment of DHCID RR type codes is 303 through Standards Action, as defined in RFC 2434 [6]. 305 8. Acknowledgements 307 Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and 308 Ralph Droms for their review and suggestions. 310 9. References 312 9.1. Normative References 314 [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among 315 DHCP Clients (draft-ietf-dhc-dns-resolution-*)", September 2005. 317 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 318 Levels", BCP 14, RFC 2119, March 1997. 320 [3] Mockapetris, P., "Domain names - concepts and facilities", 321 STD 13, RFC 1034, November 1987. 323 [4] Mockapetris, P., "Domain names - implementation and 324 specification", STD 13, RFC 1035, November 1987. 326 [5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, 327 April 1992. 329 [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 330 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 332 9.2. Informative References 334 [7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, 335 March 1997. 337 [8] Eastlake, D., "Domain Name System Security Extensions", 338 RFC 2535, March 1999. 340 [9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 341 Extensions", RFC 2132, March 1997. 343 [10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. 344 Carney, "Dynamic Host Configuration Protocol for IPv6 345 (DHCPv6)", RFC 3315, July 2003. 347 [11] Vixie, P., Gudmundsson, O., Eastlake, D., and B. Wellington, 348 "Secret Key Transaction Authentication for DNS (TSIG)", 349 RFC 2845, May 2000. 351 [12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers 352 for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", June 2005. 354 Authors' Addresses 356 Mark Stapp 357 Cisco Systems, Inc. 358 1414 Massachusetts Ave. 359 Boxborough, MA 01719 360 USA 362 Phone: 978.936.1535 363 Email: mjs@cisco.com 365 Ted Lemon 366 Nominum, Inc. 367 950 Charter St. 368 Redwood City, CA 94063 369 USA 371 Email: mellon@nominum.com 373 Andreas Gustafsson 374 Nominum, Inc. 375 950 Charter St. 376 Redwood City, CA 94063 377 USA 379 Email: gson@nominum.com 381 Intellectual Property Statement 383 The IETF takes no position regarding the validity or scope of any 384 Intellectual Property Rights or other rights that might be claimed to 385 pertain to the implementation or use of the technology described in 386 this document or the extent to which any license under such rights 387 might or might not be available; nor does it represent that it has 388 made any independent effort to identify any such rights. Information 389 on the procedures with respect to rights in RFC documents can be 390 found in BCP 78 and BCP 79. 392 Copies of IPR disclosures made to the IETF Secretariat and any 393 assurances of licenses to be made available, or the result of an 394 attempt made to obtain a general license or permission for the use of 395 such proprietary rights by implementers or users of this 396 specification can be obtained from the IETF on-line IPR repository at 397 http://www.ietf.org/ipr. 399 The IETF invites any interested party to bring to its attention any 400 copyrights, patents or patent applications, or other proprietary 401 rights that may cover technology that may be required to implement 402 this standard. Please address the information to the IETF at 403 ietf-ipr@ietf.org. 405 Disclaimer of Validity 407 This document and the information contained herein are provided on an 408 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 409 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 410 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 411 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 412 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 413 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 415 Copyright Statement 417 Copyright (C) The Internet Society (2005). This document is subject 418 to the rights, licenses and restrictions contained in BCP 78, and 419 except as set forth therein, the authors retain all their rights. 421 Acknowledgment 423 Funding for the RFC Editor function is currently provided by the 424 Internet Society.