draft-ietf-dhc-dhcpv6-opt-dnsconfig-01.txt   draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt 
Network Working Group R. Droms (ed.) Network Working Group R. Droms (ed.)
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Expires: September 30, 2002 Apr 2002 Expires: September 30, 2002 Apr 2002
DNS Configuration options for DHCPv6 DNS Configuration options for DHCPv6
draft-ietf-dhc-dhcpv6-opt-dnsconfig-01.txt draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
This document describes DHCPv6 options for passing a list of This document describes DHCPv6 options for passing a list of
available DNS Servers and a domain search list to a client. available DNS Servers and a domain search list to a client.
1. Introduction 1. Introduction
This document describes three options for configuration information This document describes two options for passing configuration
related to Domain Name Service (DNS) [1, 2] in DHCPv6 [4]. information related to Domain Name Service (DNS) [1, 2] in DHCPv6
[4].
2. Requirements 2. Requirements
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be
interpreted as described in RFC2119 [3]. interpreted as described in RFC2119 [3].
3. Terminology 3. Terminology
This document uses terminology specific to IPv6 and DHCPv6 as defined This document uses terminology specific to IPv6 and DHCPv6 as defined
skipping to change at page 3, line 7 skipping to change at page 3, line 12
DNS-server: IP address of DNS server DNS-server: IP address of DNS server
5. Domain Search List option 5. Domain Search List option
A server sends a Domain Search List option to the DHCP client to A server sends a Domain Search List option to the DHCP client to
specify the domain search list the client is to use when resolving specify the domain search list the client is to use when resolving
hostnames with DNS. This option does not apply to other name hostnames with DNS. This option does not apply to other name
resolution mechanisms. resolution mechanisms.
The format of the Domain Search option is: The format of the Domain Search List option is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_DOMAIN_LIST | option-len | | OPTION_DOMAIN_LIST | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| searchstring | | searchstring |
| ... | | ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
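Review bot: the figure and the sentence that follows it fix how the searchstring is encoded but not what a client does with a searchstring that is not well formed. The encoding referenced through the DHCPv6 section "Representation and use of domain names" is the uncompressed RFC 1035 label format, so a client walking option-len octets can meet a label length above 63, a label octet with its top two bits set (a compression pointer, which that encoding forbids), or a name with no terminating zero octet before option-len runs out; the draft should state that the client MUST ignore such an option instead of leaving each implementation to guess. One sentence after "DHCPv6 specification [4]" along the lines of "A client MUST discard a Domain Search List option whose searchstring is not a sequence of well-formed, uncompressed domain names" would close the gap.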
skipping to change at page 3, line 33 skipping to change at page 3, line 38
Domain Search List Domain Search List
The list of domain names in the 'searchstring' MUST be encoded as The list of domain names in the 'searchstring' MUST be encoded as
specified in section "Representation and use of domain names" of the specified in section "Representation and use of domain names" of the
DHCPv6 specification [4]. DHCPv6 specification [4].
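As an added example (not code from the draft or from any DHCPv6 implementation), the following Python builds a Domain Search List option and parses one back with the checks a client needs: the draft says the searchstring MUST use the DHCPv6 "Representation and use of domain names" encoding, which is the RFC 1035 wire format of length-prefixed labels ending in a zero octet with no compression. The draft itself leaves the option code to IANA; the value 24 used below is an assumption for this example (it is the code IANA later assigned as OPTION_DOMAIN_LIST in RFC 3646). Sample names are constructed.

```python
"""Encode and strictly decode the DHCPv6 Domain Search List option.

Added example, not the draft's code. The searchstring is a concatenation of
domain names in RFC 1035 wire format: each label is one length octet followed
by that many ASCII octets, and each name ends with a zero-length label.
Compression pointers are not permitted in DHCPv6 domain-name encoding.
"""
import struct

OPTION_DOMAIN_LIST = 24  # assumed for this example; the draft defers the value to IANA

MAX_LABEL = 63   # RFC 1035 limit on a single label
MAX_NAME = 255   # RFC 1035 limit on a whole wire-format name


def encode_name(name: str) -> bytes:
    """Encode one domain name as uncompressed labels plus the root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError(f"name too long: {name!r}")
    return bytes(out)


def build_option(domains) -> bytes:
    """Return the whole option: option-code, option-len, searchstring."""
    body = b"".join(encode_name(d) for d in domains)
    return struct.pack("!HH", OPTION_DOMAIN_LIST, len(body)) + body


def decode_searchstring(data: bytes):
    """Parse a searchstring into a list of names.

    Every fault a hostile or buggy server can introduce is rejected rather
    than silently tolerated: a name that runs past the option, a label that
    runs past the option, a compression pointer, or a name over 255 octets.
    """
    names, pos = [], 0
    while pos < len(data):
        labels, start = [], pos
        while True:
            if pos >= len(data):
                raise ValueError("name truncated: no terminating zero octet")
            length = data[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                # 0xC0 is a compression pointer, 0x40/0x80 are reserved label
                # types; none of them is allowed here
                raise ValueError("compression pointer or reserved label type")
            if pos + length > len(data):
                raise ValueError("label runs past end of option")
            label = data[pos:pos + length]
            if not label.isascii():
                raise ValueError("non-ASCII label")
            labels.append(label.decode("ascii"))
            pos += length
        if pos - start > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        names.append(".".join(labels) or ".")
    return names


def parse_option(option: bytes):
    """Split a complete option into (code, names), checking option-len first."""
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", option[:4])
    if len(option) - 4 != length:
        raise ValueError("option-len does not match the data present")
    if code != OPTION_DOMAIN_LIST:
        raise ValueError(f"unexpected option code {code}")
    return code, decode_searchstring(option[4:])


if __name__ == "__main__":
    opt = build_option(["example.com", "corp.example.net"])  # constructed sample
    print(opt.hex())
    print(parse_option(opt))
```

The decoder deliberately walks the searchstring by the length octets only and never trusts them to stay inside the option: each of the four error cases above corresponds to a way a server can hand a client an out-of-bounds read or a name it did not intend.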
6. Appearance of these options 6. Appearance of these options
The Domain Name Server option MUST appear only in the following The Domain Name Server option MUST appear only in the following
messages: Solicit, Advertise, Request, Confirm, Renew, Rebind, messages: Solicit, Advertise, Request, Confirm, Renew, Rebind,
Information-Request, Reply Information-Request, Reply.
The Domain Search List option MUST appear only in the following The Domain Search List option MUST appear only in the following
messages: Solicit, Advertise, Request, Confirm, Renew, Rebind, messages: Solicit, Advertise, Request, Confirm, Renew, Rebind,
Information-Request, Reply Information-Request, Reply.
7. Security Considerations 7. Security Considerations
The Domain Name Server option may be used by an intruder DHCP server The Domain Name Server option may be used by an intruder DHCP server
to cause DHCP clients to send DNS queries to an intruder DNS server. to cause DHCP clients to send DNS queries to an intruder DNS server.
The results of these misdirected DNS queries may be used to spoof DNS The results of these misdirected DNS queries may be used to spoof DNS
names. names.
The Domain Name option may be used by an intruder DHCP server to
configure a DHCP client with an invalid domain name, which could be
used as a denial of service attack.
The Domain Search List option may be used by an intruder DHCP server The Domain Search List option may be used by an intruder DHCP server
to cause DHCP clients to search through invalid domains for to cause DHCP clients to search through invalid domains for
incompletely specified domain names. The results of these incompletely specified domain names. The results of these
misdirected searches may be used to spoof DNS names. misdirected searches may be used to spoof DNS names.
To avoid attacks through the Domain Name Server option and the Domain To avoid attacks through the Domain Name Server option, the DHCP
Name option, the DHCP client SHOULD use authenticated DHCP (see client SHOULD use authenticated DHCP (see section "Authentication of
section "Authentication of DHCP messages" in the DHCPv6 DHCP messages" in the DHCPv6 specification).
specification).
Because the Domain Search List option may be used to spoof DNS name Because the Domain Search List option may be used to spoof DNS name
resolution in a way that cannot be detected by DNS security resolution in a way that cannot be detected by DNS security
mechanisms like DNSSEC [5], DHCP clients and servers MUST use mechanisms like DNSSEC [5], DHCP clients and servers MUST use
authenticated DHCP when a Domain Search List option is included in a authenticated DHCP when a Domain Search List option is included in a
DHCP message. DHCP message.
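The search-list attack described above, as an added example that is not part of the draft: the resolver model, the zone table, the party names and the acceptance policy below are this example's own assumptions (the draft only says the attack exists and that authenticated DHCP MUST be used). It goes one step beyond the text by showing a client-side fallback for the case where authentication is not available.

```python
"""Why a hostile Domain Search List defeats DNSSEC, plus a client fallback.

Added example, not the draft's text or code. The stub-resolver model is
simplified, the zone table is constructed, and accept_search_list() is a
policy proposed here, not something the draft specifies.
"""

# Constructed zone table: which party controls, and can therefore sign,
# names under each zone.
ZONES = {
    "corp.example.": "enterprise",
    "attacker.example.": "attacker",
}


def _labels(name):
    """Split a name into lower-case labels; the root name has none."""
    stripped = name.rstrip(".")
    return stripped.lower().split(".") if stripped else []


def is_subdomain(name, suffix):
    """True if name equals suffix or lies below it (label-wise, case-insensitive)."""
    n, s = _labels(name), _labels(suffix)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


def candidate_fqdns(name, search_list):
    """Simplified stub-resolver model (assumption): an absolute name is queried
    as-is, a name containing a dot is queried as-is, and a single-label name is
    tried under each search suffix before being tried bare.  Real resolvers add
    dot-count heuristics, which do not change the point made here."""
    if name.endswith("."):
        return [name]
    if "." in name:
        return [name + "."]
    return [f"{name}.{d.rstrip('.')}." for d in search_list] + [name + "."]


def zone_owner(fqdn, zones=ZONES):
    """Return who controls the longest zone enclosing fqdn, or None.

    The zone owner can publish a correctly signed answer for any name below
    the zone, so DNSSEC validation passes even though the user never intended
    to ask that zone: the attacker chose the zone via the search list."""
    best = None
    for zone, owner in zones.items():
        if is_subdomain(fqdn, zone) and (
            best is None or len(_labels(zone)) > len(_labels(best[0]))
        ):
            best = (zone, owner)
    return best[1] if best else None


def accept_search_list(offered, trusted_suffixes, dhcp_authenticated):
    """Client policy (this example's assumption, not from the draft): with
    authenticated DHCP take the list as offered; otherwise keep only suffixes
    at or below a locally configured trusted domain, so an unauthenticated
    server cannot redirect short names into a zone it controls."""
    if dhcp_authenticated:
        return list(offered)
    return [d for d in offered
            if any(is_subdomain(d, t) for t in trusted_suffixes)]


if __name__ == "__main__":
    rogue = ["attacker.example"]          # constructed hostile search list
    first = candidate_fqdns("intranet", rogue)[0]
    print(first, "is answered by", zone_owner(first))
    print(accept_search_list(rogue + ["eng.corp.example"], ["corp.example"], False))
```

The filtering fallback is a second line of defence only: it protects short names, but it cannot help a client that has already been pointed at a hostile recursive server through the Domain Name Server option, which is why the draft's requirement for authenticated DHCP stands.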
8. IANA Considerations 8. IANA Considerations
IANA is requested to assign an option code to these options from the IANA is requested to assign an option code to these options from the
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/