idnits 2.17.1 draft-ietf-dnsext-dhcid-rr-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 463. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 440. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 447. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 453. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 4 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 24, 2006) is 6608 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'TBD' on line 113 -- No information found for draft-ietf-dhc-dns-resolution- - is the name correct? -- Possible downref: Normative reference to a draft: ref. '1' ** Obsolete normative reference: RFC 2434 (ref. '5') (Obsoleted by RFC 5226) -- Obsolete informational reference (is this intentional?): RFC 2535 (ref. '7') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) -- Obsolete informational reference (is this intentional?): RFC 3315 (ref. '9') (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 2845 (ref. '10') (Obsoleted by RFC 8945) Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DNSEXT M. Stapp 3 Internet-Draft Cisco Systems, Inc. 4 Expires: August 28, 2006 T. Lemon 5 Nominum, Inc. 6 A. Gustafsson 7 Araneus Information Systems Oy 8 February 24, 2006 10 A DNS RR for Encoding DHCP Information (DHCID RR) 11 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on August 28, 2006. 38 Copyright Notice 40 Copyright (C) The Internet Society (2006). 42 Abstract 44 It is possible for DHCP clients to attempt to update the same DNS 45 FQDN or attempt to update a DNS FQDN that has been added to the DNS 46 for another purpose as they obtain DHCP leases. Whether the DHCP 47 server or the clients themselves perform the DNS updates, conflicts 48 can arise. To resolve such conflicts, "Resolution of DNS Name 49 Conflicts" [1] proposes storing client identifiers in the DNS to 50 unambiguously associate domain names with the DHCP clients to which 51 they refer. This memo defines a distinct RR type for this purpose 52 for use by DHCP clients and servers, the "DHCID" RR. 54 Table of Contents 56 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3.1. DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 3 60 3.2. DHCID Presentation Format . . . . . . . . . . . . . . . . 4 61 3.3. The DHCID RR Identifier Type Codes . . . . . . . . . . . . 4 62 3.4. The DHCID RR Digest Type Code . . . . . . . . . . . . . . 4 63 3.5. Computation of the RDATA . . . . . . . . . . . . . . . . . 5 64 3.6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 65 3.6.1. Example 1 . . . . . . . . . . . . . . . . . . . . . . 6 66 3.6.2. Example 2 . . . . . . . . . . . . . . . . . . . . . . 6 67 3.6.3. Example 3 . . . . . . . . . . . . . . . . . . . . . . 7 68 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 7 69 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 7 70 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 71 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 72 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 73 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 75 9.2. Informative References . . . . . . . . . . . . . . . . . . 9 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 77 Intellectual Property and Copyright Statements . . . . . . . . . . 11 79 1. Terminology 81 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 82 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 83 document are to be interpreted as described in RFC 2119 [2]. 85 2. Introduction 87 A set of procedures to allow DHCP [6] [9] clients and servers to 88 automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed 89 in "Resolution of DNS Name Conflicts" [1]. 91 Conflicts can arise if multiple DHCP clients wish to use the same DNS 92 name or a DHCP client attempts to use a name added for another 93 purpose. To resolve such conflicts, "Resolution of DNS Name 94 Conflicts" [1] proposes storing client identifiers in the DNS to 95 unambiguously associate domain names with the DHCP clients using 96 them. In the interest of clarity, it is preferable for this DHCP 97 information to use a distinct RR type. This memo defines a distinct 98 RR for this purpose for use by DHCP clients or servers, the "DHCID" 99 RR. 101 In order to obscure potentially sensitive client identifying 102 information, the data stored is the result of a one-way SHA-256 hash 103 computation. The hash includes information from the DHCP client's 104 message as well as the domain name itself, so that the data stored in 105 the DHCID RR will be dependent on both the client identification used 106 in the DHCP protocol interaction and the domain name. This means 107 that the DHCID RDATA will vary if a single client is associated over 108 time with more than one name. This makes it difficult to 'track' a 109 client as it is associated with various domain names. 111 3. The DHCID RR 113 The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The 114 DHCID RR is only defined in the IN class. DHCID RRs cause no 115 additional section processing. The DHCID RR is not a singleton type. 117 3.1. DHCID RDATA format 119 The RDATA section of a DHCID RR in transmission contains RDLENGTH 120 octets of binary data. The format of this data and its 121 interpretation by DHCP servers and clients are described below. 123 DNS software should consider the RDATA section to be opaque. DHCP 124 clients or servers use the DHCID RR to associate a DHCP client's 125 identity with a DNS name, so that multiple DHCP clients and servers 126 may deterministically perform dynamic DNS updates to the same zone. 127 From the updater's perspective, the DHCID resource record RDATA 128 consists of a 2-octet identifier type, in network byte order, 129 followed by a 1-octet digest type, followed by one or more octets 130 representing the actual identifier: 132 < 2 octets > Identifier type code 133 < 1 octet > Digest type code 134 < n octets > Digest (length depends on digest type) 136 3.2. DHCID Presentation Format 138 In DNS master files, the RDATA is represented as a single block in 139 base 64 encoding identical to that used for representing binary data 140 in RFC 2535 [7]. The data may be divided up into any number of white 141 space separated substrings, down to single base 64 digits, which are 142 concatenated to form the complete RDATA. These substrings can span 143 lines using the standard parentheses. 145 3.3. The DHCID RR Identifier Type Codes 147 The DHCID RR Identifier Type Code specifies what data from the DHCP 148 client's request was used as input into the hash function. The 149 identifier type codes are defined in a registry maintained by IANA, 150 as specified in Section 7. The initial list of assigned values for 151 the identifier type code is: 153 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [6]. 154 0x0001 = The data portion from a DHCPv4 client's Client Identifier 155 option [8]. 156 0x0002 = The client's DUID (i.e., the data portion of a DHCPv6 157 client's Client Identifier option [9] or the DUID field from a 158 DHCPv4 client's Client Identifier option [11]). 160 0x0003 - 0xfffe = Available to be assigned by IANA. 162 0xffff = RESERVED 164 3.4. The DHCID RR Digest Type Code 166 The DHCID RR Digest Type Code is an identifier for the digest 167 algorithm used. The digest is calculated over an identifier and the 168 canonical FQDN as described in the next section. 170 The digest type codes are defined in a registry maintained by IANA, 171 as specified in Section 7. The initial list of assigned values for 172 the digest type codes is: value 0 is reserved and value 1 is SHA-256. 174 Reserving other types requires IETF standards action. Defining new 175 values will also require IETF standards action to document how DNS 176 updaters are to deal with multiple digest types. 178 3.5. Computation of the RDATA 180 The DHCID RDATA is formed by concatenating the 2-octet identifier 181 type code with variable-length data. 183 The RDATA for all type codes other than 0xffff, which is reserved for 184 future expansion, is formed by concatenating the 2-octet identifier 185 type code, the 1-octet digest type code, and the digest value (32 186 octets for SHA-256). 188 < identifier-type > < digest-type > < digest > 190 The input to the digest hash function is defined to be: 192 digest = SHA-256(< identifier > < FQDN >) 194 The FQDN is represented in the buffer in unambiguous canonical form 195 as described in RFC 2535 [7], section 8.1. The identifier type code 196 and the identifier are related as specified in Section 3.3: the 197 identifier type code describes the source of the identifier. 199 A DHCPv4 updater uses the 0x0002 type code if a Client Identifier 200 option is present in the DHCPv4 messages and it is encoded as 201 specified in [11]. Otherwise, the updater uses 0x0001 if a Client 202 Identifier option is present and 0x0000 if not. 204 A DHCPv6 updater always uses the 0x0002 type code. 206 When the updater is using the Client's DUID (either from a DHCPv6 207 Client Identifier option or from a portion of the DHCPv4 Client 208 Identifier option encoded as specified in [11]), the first two octets 209 of the DHCID RR MUST be 0x0002, in network byte order. The third 210 octet is the digest type code (1 for SHA-256). The rest of the DHCID 211 RR MUST contain the results of computing the SHA-256 hash across the 212 octets of the DUID followed by the FQDN. 214 When the updater is using the DHCPv4 Client Identifier option sent by 215 the client in its DHCPREQUEST message, the first two octets of the 216 DHCID RR MUST be 0x0001, in network byte order. The third octet is 217 the digest type code (1 for SHA-256). The rest of the DHCID RR MUST 218 contain the results of computing the SHA-256 hash across the payload 219 of the option, followed by the FQDN. The payload of the option 220 consists of the octets of the option following the option code and 221 length. 223 When the updater is using the client's link-layer address as the 224 identifier, the first two octets of the DHCID RDATA MUST be zero. 225 The third octet is the digest type code (1 for SHA-256). To generate 226 the rest of the resource record, the updater computes a one-way hash 227 using the SHA-256 algorithm across a buffer containing the client's 228 network hardware type, link-layer address, and the FQDN data. 229 Specifically, the first octet of the buffer contains the network 230 hardware type as it appeared in the DHCP 'htype' field of the 231 client's DHCPREQUEST message. All of the significant octets of the 232 'chaddr' field in the client's DHCPREQUEST message follow, in the 233 same order in which the octets appear in the DHCPREQUEST message. 234 The number of significant octets in the 'chaddr' field is specified 235 in the 'hlen' field of the DHCPREQUEST message. The FQDN data, as 236 specified above, follows. 238 3.6. Examples 240 RFC-Editor Note: Contact Bernie Volz for the DHCID RR RDATA encodings 241 for the 3 examples below. 243 3.6.1. Example 1 245 A DHCP server allocating the IPv4 address 10.0.0.1 to a client with 246 Ethernet MAC address 01:02:03:04:05:06 using domain name 247 "client.example.com" uses the client's link-layer address to identify 248 the client. The DHCID RDATA is composed by setting the two type 249 octets to zero, the 1-octet digest type to 1 for SHA-256, and 250 performing an SHA-256 hash computation across a buffer containing the 251 Ethernet MAC type octet, 0x01, the six octets of MAC address, and the 252 domain name (represented as specified in Section 3.5). 254 client.example.com. A 10.0.0.1 255 client.example.com. DHCID XXX - to be provided 257 3.6.2. Example 2 259 A DHCP server allocates the IPv4 address 10.0.12.99 to a client which 260 included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c 261 in its DHCP request. The server updates the name "chi.example.com" 262 on the client's behalf, and uses the DHCP client identifier option 263 data as input in forming a DHCID RR. The DHCID RDATA is formed by 264 setting the two type octets to the value 0x0001, the 1-octet digest 265 type to 1 for SHA-256, and performing a SHA-256 hash computation 266 across a buffer containing the seven octets from the client-id option 267 and the FQDN (represented as specified in Section 3.5). 269 chi.example.com. A 10.0.12.99 270 chi.example.com. DHCID XXX - to be provided 272 3.6.3. Example 3 274 A DHCP server allocates the IPv6 address 2000::1234:5678 to a client 275 which included the DHCPv6 client-identifier option data 00:01:00:06: 276 41:2d:f1:66:01:02:03:04:05:06 in its DHCPv6 request. The server 277 updates the name "chi6.example.com" on the client's behalf, and uses 278 the DHCP client identifier option data as input in forming a DHCID 279 RR. The DHCID RDATA is formed by setting the two type octets to the 280 value 0x0002, the 1-octet digest type to 1 for SHA-256, and 281 performing a SHA-256 hash computation across a buffer containing the 282 14 octets from the client-id option and the FQDN (represented as 283 specified in Section 3.5). 285 chi6.example.com. AAAA 2000::1234:5678 286 chi6.example.com. DHCID XXX - to be provided 288 4. Use of the DHCID RR 290 This RR MUST NOT be used for any purpose other than that detailed in 291 "Resolution of DNS Name Conflicts" [1]. Although this RR contains 292 data that is opaque to DNS servers, the data must be consistent 293 across all entities that update and interpret this record. 294 Therefore, new data formats may only be defined through actions of 295 the DHC Working Group, as a result of revising [1]. 297 5. Updater Behavior 299 The data in the DHCID RR allows updaters to determine whether more 300 than one DHCP client desires to use a particular FQDN. This allows 301 site administrators to establish policy about DNS updates. The DHCID 302 RR does not establish any policy itself. 304 Updaters use data from a DHCP client's request and the domain name 305 that the client desires to use to compute a client identity hash, and 306 then compare that hash to the data in any DHCID RRs on the name that 307 they wish to associate with the client's IP address. If an updater 308 discovers DHCID RRs whose RDATA does not match the client identity 309 that they have computed, the updater SHOULD conclude that a different 310 client is currently associated with the name in question. The 311 updater SHOULD then proceed according to the site's administrative 312 policy. That policy might dictate that a different name be selected, 313 or it might permit the updater to continue. 315 6. Security Considerations 316 The DHCID record as such does not introduce any new security problems 317 into the DNS. In order to obscure the client's identity information, 318 a one-way hash is used. And, in order to make it difficult to 319 'track' a client by examining the names associated with a particular 320 hash value, the FQDN is included in the hash computation. Thus, the 321 RDATA is dependent on both the DHCP client identification data and on 322 each FQDN associated with the client. 324 However, it should be noted that an attacker that has some knowledge, 325 such as of MAC addresses commonly used in DHCP client identification 326 data, may be able to discover the client's DHCP identify by using a 327 brute-force attack. Even without any additional knowledge, the 328 number of unknown bits used in computing the hash is typically only 329 48 to 80. 331 Administrators should be wary of permitting unsecured DNS updates to 332 zones, whether or not they are exposed to the global Internet. Both 333 DHCP clients and servers SHOULD use some form of update 334 authentication (e.g., TSIG [10]) when performing DNS updates. 336 7. IANA Considerations 338 IANA is requested to allocate a DNS RR type number for the DHCID 339 record type. 341 This specification defines a new number-space for the 2-octet 342 identifier type codes associated with the DHCID RR. IANA is 343 requested to establish a registry of the values for this number- 344 space. Three initial values are assigned in Section 3.3, and the 345 value 0xFFFF is reserved for future use. New DHCID RR identifier 346 type codes are assigned through Standards Action, as defined in RFC 347 2434 [5]. 349 This specification defines a new number-space for the 1-octet digest 350 type codes associated with the DHCID RR. IANA is requested to 351 establish a registry of the values for this number-space. Two 352 initial values are assigned in Section 3.4. New DHCID RR digest type 353 codes are assigned through Standards Action, as defined in RFC 2434 354 [5]. 356 8. Acknowledgements 358 Many thanks to Harald Alvestrand, Ralph Droms, Olafur Gudmundsson, 359 Sam Hartman, Josh Littlefield, Pekka Savola, and especially Bernie 360 Volz for their review and suggestions. 362 9. References 364 9.1. Normative References 366 [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among 367 DHCP Clients (draft-ietf-dhc-dns-resolution-*)", February 2006. 369 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 370 Levels", BCP 14, RFC 2119, March 1997. 372 [3] Mockapetris, P., "Domain names - concepts and facilities", 373 STD 13, RFC 1034, November 1987. 375 [4] Mockapetris, P., "Domain names - implementation and 376 specification", STD 13, RFC 1035, November 1987. 378 [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 379 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 381 9.2. Informative References 383 [6] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, 384 March 1997. 386 [7] Eastlake, D., "Domain Name System Security Extensions", 387 RFC 2535, March 1999. 389 [8] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 390 Extensions", RFC 2132, March 1997. 392 [9] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. 393 Carney, "Dynamic Host Configuration Protocol for IPv6 394 (DHCPv6)", RFC 3315, July 2003. 396 [10] Vixie, P., Gudmundsson, O., Eastlake, D., and B. Wellington, 397 "Secret Key Transaction Authentication for DNS (TSIG)", 398 RFC 2845, May 2000. 400 [11] Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers 401 for Dynamic Host Configuration Protocol Version Four (DHCPv4)", 402 RFC 4361, February 2006. 404 Authors' Addresses 406 Mark Stapp 407 Cisco Systems, Inc. 408 1414 Massachusetts Ave. 409 Boxborough, MA 01719 410 USA 412 Phone: 978.936.1535 413 Email: mjs@cisco.com 415 Ted Lemon 416 Nominum, Inc. 417 950 Charter St. 418 Redwood City, CA 94063 419 USA 421 Email: mellon@nominum.com 423 Andreas Gustafsson 424 Araneus Information Systems Oy 425 Ulappakatu 1 426 02320 Espoo 427 Finland 429 Email: gson@araneus.fi 431 Intellectual Property Statement 433 The IETF takes no position regarding the validity or scope of any 434 Intellectual Property Rights or other rights that might be claimed to 435 pertain to the implementation or use of the technology described in 436 this document or the extent to which any license under such rights 437 might or might not be available; nor does it represent that it has 438 made any independent effort to identify any such rights. Information 439 on the procedures with respect to rights in RFC documents can be 440 found in BCP 78 and BCP 79. 442 Copies of IPR disclosures made to the IETF Secretariat and any 443 assurances of licenses to be made available, or the result of an 444 attempt made to obtain a general license or permission for the use of 445 such proprietary rights by implementers or users of this 446 specification can be obtained from the IETF on-line IPR repository at 447 http://www.ietf.org/ipr. 449 The IETF invites any interested party to bring to its attention any 450 copyrights, patents or patent applications, or other proprietary 451 rights that may cover technology that may be required to implement 452 this standard. Please address the information to the IETF at 453 ietf-ipr@ietf.org. 455 Disclaimer of Validity 457 This document and the information contained herein are provided on an 458 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 459 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 460 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 461 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 462 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 463 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 465 Copyright Statement 467 Copyright (C) The Internet Society (2006). This document is subject 468 to the rights, licenses and restrictions contained in BCP 78, and 469 except as set forth therein, the authors retain all their rights. 471 Acknowledgment 473 Funding for the RFC Editor function is currently provided by the 474 Internet Society.