DHC Working Group M. Stapp Internet-Draft Y. Rekhter Expires: September 2000 Cisco Systems, Inc. March 10, 2000 Interaction between DHCP and DNS Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 2000. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract DHCP provides a powerful mechanism for IP host configuration. However, the configuration capability provided by DHCP does not include updating DNS, and specifically updating the name to address and address to name mappings maintained in the DNS. This document specifies how DHCP clients and servers should use the Dynamic DNS Updates mechanism in RFC2136[5] to update the DNS name to address and address to name mappings so that the mappings for DHCP clients will be consistent with the IP addresses that the clients acquire via DHCP. Stapp & Rekhter Expires September 2000 [Page 1] Internet-Draft Interaction between DHCP and DNS March 2000 Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Models of Operation . . . . . . . . . . . . . . . . . . . . 3 4. Issues with DDNS in DHCP Environments . . . . . . . . . . . 4 4.1 Name Collisions . . . . . . . . . . . . . . . . . . . . . . 5 4.2 Multiple DHCP servers . . . . . . . . . . . . . . . . . . . 6 4.3 Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 6 4.3.1 Format of the DHCID RRDATA . . . . . . . . . . . . . . . . . 6 4.4 DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Client FQDN Option . . . . . . . . . . . . . . . . . . . . . 8 5.1 The Flags Field . . . . . . . . . . . . . . . . . . . . . . 9 5.2 The RCODE Fields . . . . . . . . . . . . . . . . . . . . . . 10 5.3 The Domain Name Field . . . . . . . . . . . . . . . . . . . 10 6. DHCP Client behavior . . . . . . . . . . . . . . . . . . . . 10 7. DHCP Server behavior . . . . . . . . . . . . . . . . . . . . 12 8. Procedures for performing DNS updates . . . . . . . . . . . 14 8.1 Adding A RRs to DNS . . . . . . . . . . . . . . . . . . . . 14 8.2 Adding PTR RR Entries to DNS . . . . . . . . . . . . . . . . 15 8.3 Removing Entries from DNS . . . . . . . . . . . . . . . . . 15 8.4 Updating other RRs . . . . . . . . . . . . . . . . . . . . . 16 9. Security Considerations . . . . . . . . . . . . . . . . . . 16 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 References . . . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 18 Full Copyright Statement . . . . . . . . . . . . . . . . . . 19 Stapp & Rekhter Expires September 2000 [Page 2] Internet-Draft Interaction between DHCP and DNS March 2000 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119[6]. 2. Introduction DNS (RFC1034[1], RFC1035[2]) maintains (among other things) the information about mapping between hosts' Fully Qualified Domain Names (FQDNs) RFC1594[4] and IP addresses assigned to the hosts. The information is maintained in two types of Resource Records (RRs): A and PTR. The A RR contains mapping from a FQDN to an IP address; the PTR RR contains mapping from an IP address to a FQDN. The Dynamic DNS Updates specification (RFC2136[5]) describes a mechanism that enables DNS information to be updated over a network. DHCP RFC2131[3] provides a mechanism by which a host (a DHCP client) can acquire certain configuration information, along with its IP address(es). However, DHCP does not provide any mechanisms to update the DNS RRs that contain the information about mapping between the host's FQDN and its IP address(es) (A and PTR RRs). Thus the information maintained by DNS for a DHCP client may be incorrect - a host (the client) could acquire its address by using DHCP, but the A RR for the host's FQDN wouldn't reflect the address that the host acquired, and the PTR RR for the acquired address wouldn't reflect the host's FQDN. The Dynamic DNS Update protocol can be used to maintain consistency between the information stored in the A and PTR RRs and the actual address assignment done via DHCP. When a host with a particular FQDN acquires its IP address via DHCP, the A RR associated with the host's FQDN would be updated (by using the Dynamic DNS Updates protocol) to reflect the new address. Likewise, when an IP address is assigned to a host with a particular FQDN, the PTR RR associated with this address would be updated (using the Dynamic DNS Updates protocol) to reflect the new FQDN. Although this document refers to the A and PTR DNS record types and to DHCP assignment of IPv4 addresses, the same procedures and requirements apply for updates to the analogous RR types that are used when clients are assigned IPv6 addresses via DHCPv6. 3. Models of Operation When a DHCP client acquires a new address, a site's administrator may desire that one or both of the A RR for the client's FQDN and the PTR RR for the acquired address be updated. Therefore, two separate Dynamic DNS Update transactions occur. Acquiring an address Stapp & Rekhter Expires September 2000 [Page 3] Internet-Draft Interaction between DHCP and DNS March 2000 via DHCP involves two entities: a DHCP client and a DHCP server. In principle each of these entities could perform none, one, or both of the transactions. However, in practice not all permutations make sense. This document covers these possible design permutations: 1. DHCP client updates the A RR, DHCP server updates the PTR RR 2. DHCP server updates both the A and the PTR RRs The only difference between these two cases is whether the FQDN to IP address mapping is updated by a DHCP client or by a DHCP server. The IP address to FQDN mapping is updated by a DHCP server in both cases. The reason these two are important, while others are unlikely, has to do with authority over the respective DNS domain names. A DHCP client may be given authority over mapping its own A RRs, or that authority may be restricted to a server to prevent the client from listing arbitrary addresses or associating its address with arbitrary domain names. In all cases, the only reasonable place for the authority over the PTR RRs associated with the address is in the DHCP server that allocates the address. In any case, whether a site permits all, some, or no DHCP servers and clients to perform DNS updates into the zones which it controls is entirely a matter of local administrative policy. This document does not require any specific administrative policy, and does not propose one. The range of possible policies is very broad, from sites where only the DHCP servers have been given credentials that the DNS servers will accept, to sites where each individual DHCP client has been configured with credentials which allow the client to modify its own domain name. Compliant implementations MAY support some or all of these possibilities. Furthermore, this specification applies only to DHCP client and server processes: it does not apply to other processes which initiate dynamic DNS updates. This document describes a new DHCP option which a client can use to convey all or part of its domain name to a DHCP server. Site-specific policy determines whether DHCP servers use the names that clients offer or not, and what DHCP servers may do in cases where clients do not supply domain names. 4. Issues with DDNS in DHCP Environments There are two DNS update situations that require special consideration in DHCP environments: cases where more than one DHCP client has been configured with the same FQDN, and cases where more than one DHCP server has been given authority to perform DNS updates in a zone. In these cases, it is possible for DNS records to be modified in inconsistent ways unless the updaters have a mechanism that allows them to detect anomolous situations. If DNS updaters can Stapp & Rekhter Expires September 2000 [Page 4] Internet-Draft Interaction between DHCP and DNS March 2000 detect these situations, site administrators can configure the updaters' behavior so that the site's policies can be enforced. We use the term "Name Collisions" to refer to cases where more than one DHCP client has been associated with a single FQDN. This specification describes a mechanism designed to allow updaters to detect these situations, and requires that DHCP implementations use this mechanism by default. 4.1 Name Collisions How can the entity updating an A RR (either the DHCP client or DHCP server) detect that a domain name has an A RR which is already in use by a different DHCP client? Similarly, should a DHCP client or server update a domain name which has an A RR that has been configured by an administrator? In either of these cases, the domain name in question would either have an additional A RR, or would have its original A RR replaced by the new record. Either of these effects may be considered undesirable by some sites. Different authority and credential models have different levels of exposure to name collisions. 1. Client updates A RR, uses Secure DNS Update with credentials that are associated with the client's FQDN, and exclusive to the client. Name collisions in this scenario are unlikely (though not impossible), since the client has received credentials specific to the name it desires to use. This implies that the name has already been allocated (through some implementation- or organization-specific procedure) to that client. 2. Client updates A RR, uses Secure DNS Update with credentials that are valid for any name in the zone. Name collisions in this scenario are possible, since the credentials necessary for the client to update DNS are not necessarily name-specific. Thus, for the client to be attempting to update a unique name requires the existence of some administrative procedure to ensure client configuration with unique names. 3. Server updates the A RR, uses a name for the client which is known to the server. Name collisions in this scenario are likely unless prevented by the server's name configuration procedures. See Section 9 for security issues with this form of deployment. 4. Server updates the A RR, uses a name supplied by the client. Name collisions in this scenario are highly likely, even with administrative procedures designed to prevent them. (This scenario is a popular one in real-world deployments in many types of organizations.) See Section 9 for security issues with this type of deployment. Scenarios 2, 3, and 4 rely on administrative procedures to ensure name uniqueness for DNS updates, and these procedures may break down. Experience has shown that, in fact, these procedures will break down at least occasionally. The question is what to do when Stapp & Rekhter Expires September 2000 [Page 5] Internet-Draft Interaction between DHCP and DNS March 2000 these procedures break down or, for example in scenario #4, may not even exist. In all cases of name collisions, the desire is to offer two modes of operation to the administrator of the combined DHCP-DNS capability: first-update-wins (i.e., the first updating entity gets the name) or most-recent-update-wins (i.e., the last updating entity for a name gets the name). 4.2 Multiple DHCP servers If multiple DHCP servers are able to update the same DNS zones, or if DHCP servers are performing A RR updates on behalf of DHCP clients, and more than one DHCP server may be able to serve addresses to the same DHCP clients, the DHCP servers should be able to provide reasonable and consistent DNS name update behavior for DHCP clients. 4.3 Use of the DHCID RR A solution to both of these problems is for the updating entities (both DHCP clients and DHCP servers) to be able to detect that another entity has been associated with a DNS name, and to offer administrators the opportunity to configure update behavior. Specifically, a DHCID RR, described in DHCID RR[12] is used to associate client identification information with a DNS name and the A RR associated with that name. When either a client or server adds an A RR for a client, it also adds a DHCID RR which specifies a unique client identity (based on a "client specifier" created from the client's client-id or MAC address). In this model, only one A RR is associated with a given DNS name at a time. By associating this ownership information with each A RR, cooperating DNS updating entities may determine whether their client is the first or last updater of the name (and implement the appropriately configured administrative policy), and DHCP clients which currently have a host name may move from one DHCP server to another without losing their DNS name. The specific algorithms utilizing the DHCID RR to signal client ownership are explained below. The algorithms only work in the case where the updating entities all cooperate -- this approach is advisory only and is not substitute for DNS security, nor is it replaced by DNS security. 4.3.1 Format of the DHCID RRDATA The DHCID RR used to hold the DHCP client's identity is formatted as Stapp & Rekhter Expires September 2000 [Page 6] Internet-Draft Interaction between DHCP and DNS March 2000 follows: The name of the DHCID RR is the name of the A or PTR RR which refers to the DHCP client. The RDATA section of a DHCID RR in transmission contains RDLENGTH bytes of binary data. From the perspective of DHCP clients and servers, the DHC resource record consists of a 16-bit identifier type, followed by one or more bytes representing the actual identifier. There are two possible forms for a DHCID RR - one that is used when the client's link-layer address is being used to identify it, and one that is used when some DHCP option that the DHCP client has sent is being used to identify it. DISCUSSION: Implementors should note that the actual identifying data is never placed into the DNS directly. Instead, the client-identity data is used as the input into a one-way hash algorithm, and the output of that hash is then used as DNS RRDATA. This has been specified in order to avoid placing data about DHCP clients that some sites might consider sensitive into the DNS. When the updater is using the client's link-layer address, the first two bytes of the DHCID RRDATA MUST be zero. To generate the rest of the resource record, the updater MUST compute a one-way hash using the MD5[13] algorithm across a buffer containing the client's network hardware type and link-layer address. Specifically, the first byte of the buffer contains the network hardware type as it appears in the DHCP htype field of the client's DHCPREQUEST message. All of the significant bytes of the chaddr field in the client's DHCPREQUEST message follow, in the same order in which the bytes appear in the DHCPREQUEST message. The number of significant bytes in the chaddr field is specified in the hlen field of the DHCPREQUEST message. When the updater is using a DHCP option sent by the client in its DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the option code of that option, in network byte order. For example, if the DHCP client identifier option is being used, the first byte of the DHCID RR should be zero, and the second byte should be 61 decimal. The rest of the DHCID RR MUST contain the results of computing a one-way hash across the payload of the option being used, using the MD5 algorithm. The payload of a DHCP option consists of the bytes of the option following the option code and length. In order for independent DHCP implementations to be able to use the DHCID RR as a prerequisite in dynamic DNS updates, each updater must be able to reliably choose the same identifier that any other would choose. To make this possible, we specify a prioritization which Stapp & Rekhter Expires September 2000 [Page 7] Internet-Draft Interaction between DHCP and DNS March 2000 will ensure that for any given DHCP client request, any updater will select the same client-identity data. All updaters MUST use this order of prioritization by default, but all implementations SHOULD be configurable to use a different prioritization if so desired by the site administrators. Because of the possibility of future changes in the DHCP protocol, implementors SHOULD check for updated versions of this draft when implementing new DHCP clients and servers which can perform DDNS updates, and also when releasing new versions of existing clients and servers. DHCP clients and servers should use the following forms of client identification, starting with the most preferable, and finishing with the least preferable. If the client does not send any of these forms of identification, the DHCP/DDNS interaction is not defined by this specification. The most preferable form of identification is the Globally Unique Identifier Option [TBD]. Next is the DHCP Client Identifier option. Last is the client's link-layer address, as conveyed in its DHCPREQUEST message. Implementors should note that the link-layer address cannot be used if there are no significant bytes in the chaddr field of the DHCP client's request, because this does not constitute a unique identifier. 4.4 DNS RR TTLs RRs associated with DHCP clients may be more volatile than statically configured RRs. DHCP clients and servers which perform dynamic updates should attempt to specify resource record TTLs which reflect this volatility, in order to minimize the possibility that there will be stale records in resolvers' caches. A reasonable basis for RR TTLs is the lease duration itself: TTLs of 1/2 or 1/3 the expected lease duration might be reasonable defaults. Because configured DHCP lease times vary widely from site to site, it may also be desirable to establish a fixed TTL ceiling. DHCP clients and servers MAY allow administrators to configure the TTLs they will supply, possibly as a fraction of the actual lease time, or as a fixed value. 5. Client FQDN Option To update the IP address to FQDN mapping a DHCP server needs to know the FQDN of the client to which the server leases the address. To allow the client to convey its FQDN to the server this document defines a new DHCP option, called "Client FQDN". The FQDN Option also contains Flags and RCode fields which DHCP servers can use to convey information about DNS updates to clients. Clients MAY send the FQDN option, setting appropriate Flags values, in both their DISCOVER and REQUEST messages. If a client sends the FQDN option in its DISCOVER message, it MUST send the option in Stapp & Rekhter Expires September 2000 [Page 8] Internet-Draft Interaction between DHCP and DNS March 2000 subsequent REQUEST messages. The code for this option is 81. Its minimum length is 4. Code Len Flags RCODE1 RCODE2 Domain Name +------+------+------+------+------+------+-- | 81 | n | | | | ... +------+------+------+------+------+------+-- 5.1 The Flags Field 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ | MBZ |E|O|S| +-+-+-+-+-+-+-+-+ When a DHCP client sends the FQDN option in its DHCPDISCOVER and/or DHCPREQUEST messages, it sets the right-most bit (labelled "S") to indicate that it will not perform any Dynamic DNS updates, and that it expects the DHCP server to perform any FQDN-to-IP (the A RR) DNS update on its behalf. If this bit is clear, the client indicates that it intends to maintain its own FQDN-to-IP mapping update. If a DHCP server intends to take responsibility for the A RR update whether or not the client sending the FQDN option has set the "S" bit, it sets both the "O" bit and the "S" bit, and sends the FQDN option in its DHCPOFFER and/or DHCPACK messages. The data in the Domain Name field may appear in one of two formats: ASCII, or DNS-style binary encoding (without compression, of course), as described in RFC1035[2]. A client which sends the FQDN option MUST set the "E" bit to indicate that the data in the Domain Name field is DNS binary encoded. If a server receives an FQDN option from a client, and intends to include an FQDN option in its reply, it MUST use the same encoding that the client used. The DNS encoding is recommended. The use of ASCII-encoded domain-names is fragile, and the use of ASCII encoding in this option should be considered deprecated. The remaining bits in the Flags field are reserved for future assignment. DHCP clients and servers which send the FQDN option MUST set the MBZ bits to 0, and they MUST ignore values in the part of the field labelled "MBZ". Stapp & Rekhter Expires September 2000 [Page 9] Internet-Draft Interaction between DHCP and DNS March 2000 5.2 The RCODE Fields The RCODE1 and RCODE2 fields are used by a DHCP server to indicate to a DHCP client the Response Code from any A or PTR RR Dynamic DNS Updates it has performed. The server may also use these fields to indicate whether it has attempted such an update before sending the DHCPACK message. Each of these fields is one byte long. Implementors should note that EDNS0 describes a mechanism for extending the length of a DNS RCODE to 12 bits. EDNS0 is specified in RFC2671[8]. Only the least-significant 8 bits of the RCODE from a Dynamic DNS Update will be carried in the Client FQDN DHCP Option. This provides enough number space to accomodate the RCODEs defined in the Dynamic DNS Update specification. 5.3 The Domain Name Field The Domain Name part of the option carries all or part of the FQDN of a DHCP client. A client may be configured with a fully-qualified domain name, or with a partial name that is not fully-qualified. If a client knows only part of its name, it MAY send a single label, indicating that it knows part of the name but does not necessarily know the zone in which the name is to be embedded. The data in the Domain Name field may appear in one of two formats: ASCII (with no terminating NULL), or DNS encoding as specified in RFC1035[2]. If the DHCP client wishes to use DNS encoding, it MUST set the third-from-rightmost bit in the Flags field (the "E" bit); if it uses ASCII encoding, it MUST clear the "E" bit. A DHCP client that can only send a single label using ASCII encoding includes a series of ASCII characters in the Domain Name field, excluding the "." (dot) character. The client SHOULD follow the character-set recommendations of RFC1034[1] and RFC1035[2]. A client using DNS binary encoding which wants to suggest part of its FQDN MAY send a non-terminal sequence of labels in the Domain Name part of the option. 6. DHCP Client behavior The following describes the behavior of a DHCP client that implements the Client FQDN option. If a client that owns/maintains its own FQDN wants to be responsible for updating the FQDN to IP address mapping for the FQDN and address(es) used by the client, then the client MUST include the Client FQDN option in the DHCPREQUEST message originated by the client. A DHCP client MAY choose to include the Client FQDN option in its DISCOVER messages as well as its REQUEST messages. The rightmost ("S") bit in the Flags field in the option MUST be set to Stapp & Rekhter Expires September 2000 [Page 10] Internet-Draft Interaction between DHCP and DNS March 2000 0. Once the client's DHCP configuration is completed (the client receives a DHCPACK message, and successfully completes a final check on the parameters passed in the message), the client MAY originate an update for the A RR (associated with the client's FQDN). The update MUST be originated following the procedures described in RFC2136[5] and Section 8. If the DHCP server from which the client is requesting a lease includes the FQDN option in its ACK message, and if the server sets both the "S" and the "O" bits (the two rightmost bits) in the option's flags field, the DHCP client MUST NOT initiate an update for the name in the Domain Name field. A client can choose to delegate the responsibility for updating the FQDN to IP address mapping for the FQDN and address(es) used by the client to the server. In order to inform the server of this choice, the client SHOULD include the Client FQDN option in its DHCPREQUEST message. The rightmost (or "S") bit in the Flags field in the option MUST be set to 1. A client which delegates this responsibility MUST NOT attempt to perform a Dynamic DNS update for the name in the Domain Name field of the FQDN option. The client MAY supply an FQDN in the Client FQDN option, or it MAY supply a single label (the most-specific label), or it MAY leave that field empty as a signal to the server to generate an FQDN for the client in any manner the server chooses. Since there is a possibility that the DHCP server may be configured to complete or replace a domain name that the client was configured to send, the client might find it useful to send the FQDN option in its DISCOVER messages. If the DHCP server returns different Domain Name data in its OFFER message, the client could use that data in performing its own eventual A RR update, or in forming the FQDN option that it sends in its REQUEST message. There is no requirement that the client send identical FQDN option data in its DISCOVER and REQUEST messages. In particular, if a client has sent the FQDN option to its server, and the configuration of the client changes so that its notion of its domain name changes, it MAY send the new name data in an FQDN option when it communicates with the server again. This may allow the DHCP server to update the name associated with the PTR record, and, if the server updated the A record representing the client, to delete that record and attempt an update for the client's current domain name. A client that delegates the responsibility for updating the FQDN to IP address mapping to a server might not receive any indication (either positive or negative) from the server whether the server was able to perform the update. In this case the client MAY use a DNS query to check whether the mapping is updated. A client MUST set the RCODE1 and RCODE2 fields in the Client FQDN option to 0 when sending the option. Stapp & Rekhter Expires September 2000 [Page 11] Internet-Draft Interaction between DHCP and DNS March 2000 If a client releases its lease prior to the lease expiration time and the client is responsible for updating its A RR, the client SHOULD delete the A RR (following the procedures described in Section 8) associated with the leased address before sending a DHCP RELEASE message. Similarly, if a client was responsible for updating its A RR, but is unable to renew its lease, the client SHOULD attempt to delete the A RR before its lease expires. A DHCP client which has not been able to delete an A RR which it added (because it has lost the use of its DHCP IP address) should attempt to notify its administrator. 7. DHCP Server behavior When a server receives a DHCPREQUEST message from a client, if the message contains the Client FQDN option, and the server replies to the message with a DHCPACK message, the server may be configured to originate an update for the PTR RR (associated with the address leased to the client). Any such update MUST be originated following the procedures described in Section 8. The server MAY complete the update before the server sends the DHCPACK message to the client. In this case the RCODE from the update MUST be carried to the client in the RCODE1 field of the Client FQDN option in the DHCPACK message. Alternatively, the server MAY send the DHCPACK message to the client without waiting for the update to be completed. In this case the RCODE1 field of the Client FQDN option in the DHCPACK message MUST be set to 255. The choice between the two alternatives is entirely determined by the configuration of the DHCP server. Servers SHOULD support both configuration options. When a server receives a DHCPREQUEST message containing the Client FQDN option, the server MUST ignore the values carried in the RCODE1 and RCODE2 fields of the option. In addition, if the Client FQDN option carried in the DHCPREQUEST message has the "S" bit in its Flags field set, then the server MAY originate an update for the A RR (associated with the FQDN carried in the option) if it is configured to do so by the site's administrator, and if it has the necessary credentials. The server MAY be configured to use the name supplied in the client's FQDN option, or it MAY be configured to modify the supplied name, or substitute a different name. Any such update MUST be originated following the procedures described in Section 8. The server MAY originate the update before the server sends the DHCPACK message to the client. In this case the RCODE from the update [RFC2136] MUST be carried to the client in the RCODE2 field of the Client FQDN option in the DHCPACK message. Alternatively the server MAY send the DHCPACK message to the client without waiting for the update to be completed. In this case the Stapp & Rekhter Expires September 2000 [Page 12] Internet-Draft Interaction between DHCP and DNS March 2000 RCODE2 field of the Client FQDN option in the DHCPACK message MUST be set to 255. The choice between the two alternatives is entirely up to the DHCP server. In either case, if the server intends to perform the DNS update and the client's REQUEST message included the FQDN option, the server SHOULD include the FQDN option in its ACK message, and MUST set the "S" bit in the option's Flags field. Even if the Client FQDN option carried in the DHCPREQUEST message has the "S" bit in its Flags field clear (indicating that the client wants to update the A RR), the server MAY be configured by the local administrator to update the A RR on the client's behalf. A server which is configured to override the client's preference SHOULD include an FQDN option in its ACK message, and MUST set both the "O" and "S" bits in the FQDN option's Flags field. The update MUST be originated following the procedures described in Section 8. The server MAY originate the update before the server sends the DHCPACK message to the client. In this case the RCODE from the update [RFC2136] MUST be carried to the client in the RCODE2 field of the Client FQDN option in the DHCPACK message. Alternatively, the server MAY send the DHCPACK message to the client without waiting for the update to be completed. In this case the RCODE2 field of the Client FQDN option in the DHCPACK message MUST be set to 255. Whether the DNS update occurs before or after the DHCPACK is sent is entirely up to the DHCP server's configuration. When a DHCP server sends the Client FQDN option to a client in the DHCPACK message, the DHCP server SHOULD send its notion of the complete FQDN for the client in the Domain Name field. The server MAY simply copy the Domain Name field from the Client FQDN option that the client sent to the server in the DHCPREQUEST message. The DHCP server MAY be configured to complete or modify the domain name which a client sent, or it MAY be configured to substitute a different name. If the server initiates a DDNS update which is not complete until after the server has replied to the DHCP client, the server's The server MUST use the same encoding format (ASCII or DNS binary encoding) that the client used in the FQDN option in its DHCPREQUEST, and MUST set the "E" bit in the option's Flags field accordingly. If a client's DHCPREQUEST message doesn't carry the Client FQDN option (e.g., the client doesn't implement the Client FQDN option), the server MAY be configured to update either or both of the A and PTR RRs. The updates MUST be originated following the procedures described in Section 8. If a server detects that a lease on an address that the server leases to a client has expired, the server SHOULD delete any PTR RR which it added via dynamic update. In addition, if the server added an A RR on the client's behalf, the server SHOULD also delete the A Stapp & Rekhter Expires September 2000 [Page 13] Internet-Draft Interaction between DHCP and DNS March 2000 RR. The deletion MUST follow the procedures described in Section 8. If a server terminates a lease on an address prior to the lease's expiration time, for instance by sending a DHCPNAK to a client, the server SHOULD delete any PTR RR which it associated with the address via DNS Dynamic Update. In addition, if the server took responsibility for an A RR, the server SHOULD also delete that A RR. The deletion MUST follow the procedures described in Section 8. 8. Procedures for performing DNS updates 8.1 Adding A RRs to DNS When a DHCP client or server intends to update an A RR, it first prepares a DNS UPDATE query which includes as a prerequisite the assertion that the name does not exist. The update section of the query attempts to add the new name and its IP address mapping (an A RR), and the DHCID RR with its unique client-identity. If this update operation succeeds, the updater can conclude that it has added a new name whose only RRs are the A and DHCID RR records. The A RR update is now complete (and a client updater is finished, while a server might proceed to perform a PTR RR update). If the first update operation fails with YXDOMAIN, the updater can conclude that the intended name is in use. The updater then attempts to confirm that the DNS name is not being used by some other host. The updater prepares a second UPDATE query in which the prerequisite is that the desired name has attached to it a DHCID RR whose contents match the client identity. The update section of this query deletes the existing A records on the name, and adds the A record that matches the DHCP binding and the DHCID RR with the client identity. If this query succeeds, the updater can conclude that the current client was the last client associated with the domain name, and that the name now contains the updated A RR. The A RR update is now complete (and a client updater is finished, while a server would then proceed to perform a PTR RR update). If the second query fails with NXRRSET, the updater must conclude that the client's desired name is in use by another host. At this juncture, the updater can decide (based on some administrative configuration outside of the scope of this document) whether to let the existing owner of the name keep that name, and to (possibly) perform some name disambiguation operation on behalf of the current client, or to replace the RRs on the name with RRs that represent the current client. If the configured policy allows replacement of existing records, the updater submits a query that deletes the Stapp & Rekhter Expires September 2000 [Page 14] Internet-Draft Interaction between DHCP and DNS March 2000 existing A RR and the existing DHCID RR, adding A and DHCID RRs that represent the IP address and client-identity of the new client. DISCUSSION: The updating entity may be configured to allow the existing DNS records on the domain name to remain unchanged, and to perform disambiguation on the name of the current client in order to attempt to generate a similar but unique name for the current client. In this case, once another candidate name has been generated, the updater should restart the process of adding an A RR as specified in this section. 8.2 Adding PTR RR Entries to DNS The DHCP server submits a DNS query which deletes all of the PTR RRs associated with the lease IP address, and adds a PTR RR whose data is the client's (possibly disambiguated) host name. The server also adds a DHCID RR specified in Section 4.3. 8.3 Removing Entries from DNS The most important consideration in removing DNS entries is be sure that an entity removing a DNS entry is only removing an entry that it added, or for which an administrator has explicitly assigned it responsibility. When a lease expires or a DHCP client issues a DHCPRELEASE request, the DHCP server SHOULD delete the PTR RR that matches the DHCP binding, if one was successfully added. The server's update query SHOULD assert that the name in the PTR record matches the name of the client whose lease has expired or been released. The entity chosen to handle the A record for this client (either the client or the server) SHOULD delete the A record that was added when the lease was made to the client. In order to perform this delete, the updater prepares an UPDATE query which contains two prerequisites. The first prerequisite asserts that the DHCID RR exists whose data is the client identity described in Section 4.3. The second prerequisite asserts that the data in the A RR contains the IP address of the lease that has expired or been released. If the query fails, the updater MUST NOT delete the DNS name. It may be that the host whose lease on the server has expired has moved to another network and obtained a lease from a different server, which has caused the client's A RR to be replaced. It may also be that some other client has been configured with a name that matches the name of the DHCP client, and the policy was that the last client Stapp & Rekhter Expires September 2000 [Page 15] Internet-Draft Interaction between DHCP and DNS March 2000 to specify the name would get the name. In this case, the DHCID RR will no longer match the updater's notion of the client-identity of the host pointed to by the DNS name. 8.4 Updating other RRs The procedures described in this document only cover updates to the A and PTR RRs. Updating other types of RRs is outside the scope of this document. 9. Security Considerations Unauthenticated updates to the DNS can lead to tremendous confusion, through malicious attack or through inadvertent misconfiguration. Administrators should be wary of permitting unsecured DNS updates to zones which are exposed to the global Internet. Both DHCP clients and servers SHOULD use some form of update request origin authentication procedure (e.g., Simple Secure DNS Update[11]) when performing DNS updates. Whether a DHCP client may be responsible for updating an FQDN to IP address mapping, or whether this is the responsibility of the DHCP server is a site-local matter. The choice between the two alternatives may be based on the security model that is used with the Dynamic DNS Update protocol (e.g., only a client may have sufficient credentials to perform updates to the FQDN to IP address mapping for its FQDN). Whether a DHCP server is always responsible for updating the FQDN to IP address mapping (in addition to updating the IP to FQDN mapping), regardless of the wishes of an individual DHCP client, is also a site-local matter. The choice between the two alternatives may be based on the security model that is being used with dynamic DNS updates. In cases where a DHCP server is performing DNS updates on behalf of a client, the DHCP server should be sure of the DNS name to use for the client, and of the identity of the client. Currently, it is difficult for DHCP servers to develop much confidence in the identities of its clients, given the absence of entity authentication from the DHCP protocol itself. There are many ways for a DHCP server to develop a DNS name to use for a client, but only in certain relatively unusual circumstances will the DHCP server know for certain the identity of the client. If DHCP Authentication[10] becomes widely deployed this may become more customary. One example of a situation which offers some extra assurances is one where the DHCP client is connected to a network through an MCNS cable modem, and the CMTS (head-end) of the cable modem ensures that Stapp & Rekhter Expires September 2000 [Page 16] Internet-Draft Interaction between DHCP and DNS March 2000 MAC address spoofing simply does not occur. Another example of a configuration that might be trusted is one where clients obtain network access via a network access server using PPP. The NAS itself might be obtaining IP addresses via DHCP, encoding a client identification into the DHCP client-id option. In this case, the network access server as well as the DHCP server might be operating within a trusted environment, in which case the DHCP server could be configured to trust that the user authentication and authorization procedure of the remote access server was sufficient, and would therefore trust the client identification encoded within the DHCP client-id. 10. Acknowledgements Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield, Michael Patton, and Glenn Stump for their review and comments. References [1] Mockapetris, P., "Domain names - Concepts and Facilities", RFC 1034, Nov 1987. [2] Mockapetris, P., "Domain names - Implementation and Specification", RFC 1035, Nov 1987. [3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [4] Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and Answers to Commonly asked ``New Internet User'' Questions", RFC 1594, March 1994. [5] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic Updates in the Domain Name System", RFC 2136, April 1997. [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [7] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [8] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999. [9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG) (draft-ietf-dnsext-tsig-*)", July 1999. Stapp & Rekhter Expires September 2000 [Page 17] Internet-Draft Interaction between DHCP and DNS March 2000 [10] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages (draft-ietf-dhc-authentication-*)", June 1999. [11] Wellington, B., "Simple Secure DNS Dynamic Updates (draft-ietf-dnsext-simple-secure-update-*)", June 1999. [12] Gustafsson, A., "A DNS RR for encoding DHCP client identity (draft-ietf-dnsext-dhcid-rr-*)", October 1999. [13] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992. Authors' Addresses Mark Stapp Cisco Systems, Inc. 250 Apollo Dr. Chelmsford, MA 01824 US Phone: 978.244.8498 EMail: mjs@cisco.com Yakov Rekhter Cisco Systems, Inc. 170 Tasman Dr. San Jose, CA 95134 US Phone: 914.235.2128 EMail: yakov@cisco.com Stapp & Rekhter Expires September 2000 [Page 18] Internet-Draft Interaction between DHCP and DNS March 2000 Full Copyright Statement Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implmentation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society. Stapp & Rekhter Expires September 2000 [Page 19]