draft-ietf-dnsext-dhcid-rr-02.txt   draft-ietf-dnsext-dhcid-rr-03.txt 
DNSEXT Working Group M. Stapp DNSEXT Working Group M. Stapp
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Expires: August 31, 2001 T. Lemon Expires: January 18, 2002 T. Lemon
A. Gustafsson A. Gustafsson
Nominum, Inc. Nominum, Inc.
March 2, 2001 July 20, 2001
A DNS RR for Encoding DHCP Information A DNS RR for Encoding DHCP Information (DHCID RR)
<draft-ietf-dnsext-dhcid-rr-02.txt> <draft-ietf-dnsext-dhcid-rr-03.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 31, 2001. This Internet-Draft will expire on January 18, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract Abstract
A situation can arise where multiple DHCP clients request the same It is possible for multiple DHCP clients to attempt to update the
DNS name from their (possibly distinct) DHCP servers. To resolve same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
such conflicts, 'Resolution of DNS Name Conflicts'[6] proposes the clients themselves perform the DNS updates, conflicts can arise.
storing client identifiers in the DNS to unambiguously associate To resolve such conflicts, "Resolution of DNS Name Conflicts"[1]
domain names with the DHCP clients "owning" them. This memo defines proposes storing client identifiers in the DNS to unambiguously
a distinct RR type for use by DHCP servers, the "DHCID" RR. associate domain names with the DHCP clients to which they refer.
This memo defines a distinct RR type for this purpose for use by
DHCP clients and servers, the "DHCID" RR.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . 3
4. DHCID RDATA format . . . . . . . . . . . . . . . . . . . . . . 3 3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . . 3
4.1 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . . 4
7. Appendix A: Base 64 Encoding . . . . . . . . . . . . . . . . . 5 3.5 Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 5
References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.6 Updater Behavior . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7 3.7 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8 3.7.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.7.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
Full Copyright Statement . . . . . . . . . . . . . . . . . . 9
1. Terminology 1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119[1]. document are to be interpreted as described in RFC 2119[2].
2. Introduction 2. Introduction
A set of procedures to allow DHCP[2] clients and servers to A set of procedures to allow DHCP[3] clients and servers to
automatically update the DNS (RFC1034[4], RFC1035[5]) is proposed in automatically update the DNS (RFC1034[4], RFC1035[5]) is proposed in
"Resolution of DNS Name Conflicts"[6]. "Resolution of DNS Name Conflicts"[1].
A situation can arise where multiple DHCP clients wish to use the Conflicts can arise if multiple DHCP clients wish to use the same
same DNS name. To resolve such conflicts, Resolution of DNS Name DNS name. To resolve such conflicts, "Resolution of DNS Name
Conflicts[6] proposes storing client identifiers in the DNS to Conflicts"[1] proposes storing client identifiers in the DNS to
unambiguously associate domain names with the DHCP clients using unambiguously associate domain names with the DHCP clients using
them. In the interest of clarity, it would be preferable for this them. In the interest of clarity, it is preferable for this DHCP
DHCP information to use a distinct RR type. information to use a distinct RR type. This memo defines a distinct
RR for this purpose for use by DHCP clients or servers, the "DHCID"
RR.
This memo defines a distinct RR type for this purpose for use by In order to avoid exposing potentially sensitive identifying
DHCP clients or servers, the "DHCID" RR. information, the data stored is the result of a one-way MD5[6] hash
computation. The hash includes information from the DHCP client's
REQUEST message as well as the domain name itself, so that the data
stored in the DHCID RR will be dependent on both the client
identification used in the DHCP protocol interaction and the domain
name. This means that the DHCID RDATA will vary if a single client
is associated over time with more than one name. This makes it
difficult to 'track' a client as it is associated with various
domain names.
The MD5 hash algorithm has been shown to be weaker than the SHA-1
algorithm; it could therefore be argued that SHA-1 is a better
choice. However, SHA-1 is significantly slower than MD5. A
successful attack of MD5's weakness does not reveal the original
data that was used to generate the signature, but rather provides a
new set of input data that will produce the same signature. Because
we are using the MD5 hash to conceal the original data, the fact
that an attacker could produce a different plaintext resulting in
the same MD5 output is not significant concern.
3. The DHCID RR 3. The DHCID RR
The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The DHCID RR is defined with mnemonic DHCID and type code [TBD].
4. DHCID RDATA format 3.1 DHCID RDATA format
The RDATA section of a DHCID RR in transmission contains RDLENGTH The RDATA section of a DHCID RR in transmission contains RDLENGTH
bytes of binary data. The format of this data and its bytes of binary data. The format of this data and its
interpretation by DHCP servers and clients are described below. interpretation by DHCP servers and clients are described below.
DNS software should consider the RDATA section to be opaque. In DNS DNS software should consider the RDATA section to be opaque. DHCP
master files, the RDATA is represented in base 64 encoding (see clients or servers use the DHCID RR to associate a DHCP client's
Appendix A (Section 7)) and may be divided up into any number of identity with a DNS name, so that multiple DHCP clients and servers
white space separated substrings, down to single base 64 digits, may deterministically perform dynamic DNS updates to the same zone.
which are concatenated to obtain the full signature. These From the updater's perspective, the DHCID resource record RDATA
substrings can span lines using the standard parenthesis. This consists of a 16-bit identifier type, in network byte order,
format is identical to that used for representing binary data in followed by one or more bytes representing the actual identifier:
DNSSEC (RFC2535[7]).
DHCP clients or servers use the DHCID RR to associate a DHCP < 16 bits > DHCP identifier used
client's identity with a DNS name, so that multiple DHCP clients and < n bytes > MD5 digest
servers may safely perform dynamic DNS updates to the same zone.
From the updater's perspective, the DHCID resource record consists 3.2 DHCID Presentation Format
of a 16-bit identifier type, followed by one or more bytes
representing the actual identifier. In DNS master files, the RDATA is represented as a single block in
base 64 encoding and may be divided up into any number of white
space separated substrings, down to single base 64 digits, which are
concatenated to form the complete RDATA. These substrings can span
lines using the standard parentheses. This format is identical to
that used for representing binary data in RFC2535[7].
3.3 The DHCID RR Type Codes
The type code can have one of three classes of values. The first The type code can have one of three classes of values. The first
class contains just the value zero. This type indicates that the class contains just the value zero. This type indicates that the
remaining contents of the DHCID record encode an identifier that is remaining contents of the DHCID record encode an identifier that is
based on the client's link-layer network address. based on the client's link-layer network address.
The second class of types contains just the value 0xFFFF. This type The second class of types contains just the value 0xFFFF. This type
code is reserved for future extensibility. code is reserved for future extensibility.
The third class of types contains all the values not included in the The third class of types contains all the values not included in the
first two - that is, every value other than zero or 0xFFFF. Types in first two - that is, every value other than zero or 0xFFFF. Types in
this class indicate that the remaining contents of the DHCID record this class indicate that the remaining contents of the DHCID record
encode an identifier that is based on the DHCP option whose code is encode an identifier that is based on the DHCP option whose code is
the same as the specified type. The most common value in this class the same as the specified type. The most common value in this class
at the time of the writing of this draft is 61, which is the DHCP at the time of the writing of this specification is 0x3d (61
option code[3] for the Client Identifier option. decimal), which is the DHCP option code for the Client Identifier
option [8].
3.4 Computation of the RDATA
The data following the type code (for type codes other than 0xFFFF) The data following the type code (for type codes other than 0xFFFF)
is derived by running a one-way hash across the identifying is derived by running the MD5 hash algorithm across a buffer
information. The details of this are specified in "Resolution of containing the identifying information. The identifying information
DNS Name Conflicts"[6]. includes some data from the DHCP client's DHCPREQUEST message, and
the FQDN which is the target of the update.
The domain name is represented in the buffer in dns wire-format as
described in RFC1035[5], section 3.1. The domain name MUST NOT be
compressed as described in RFC1035[5], section 4.1.4. Any uppercase
alphabetic ASCII character in a label MUST be converted to lowercase
before being used to compute the hash.
When the updater is using the client's link-layer address as the
identifier, the first two bytes of the DHCID RDATA MUST be zero. To
generate the rest of the resource record, the updater computes a
one-way hash using the MD5 algorithm across a buffer containing the
client's network hardware type, link-layer address, and the FQDN
data. Specifically, the first byte of the buffer contains the
network hardware type as it appeared in the DHCP 'htype' field of
the client's DHCPREQUEST message. All of the significant bytes of
the chaddr field in the client's DHCPREQUEST message follow, in the
same order in which the bytes appear in the DHCPREQUEST message. The
number of significant bytes in the 'chaddr' field is specified in
the 'hlen' field of the DHCPREQUEST message. The FQDN data, as
specified above, follows.
When the updater is using a DHCP option sent by the client in its
DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the
option code of that option, in network byte order. For example, if
the DHCP client identifier option is being used, the first byte of
the DHCID RR should be zero, and the second byte should be 61
decimal. The rest of the DHCID RR MUST contain the results of
computing an MD5 hash across the payload of the option being used,
followed by the FQDN. The payload of a DHCP option consists of the
bytes of the option following the option code and length.
The "Resolution of DNS Name Conflicts"[1] specification describes
the selection process that updaters follow to choose an identifier
from the information presented in a client's DHCPREQUEST message.
3.5 Use of the DHCID RR
This RR MUST NOT be used for any purpose other than that detailed in This RR MUST NOT be used for any purpose other than that detailed in
"Resolution of DNS Name Conflicts"[6]. Althought this RR contains "Resolution of DNS Name Conflicts"[1]. Although this RR contains
data that is opaque to DNS servers, the data must be consistent data that is opaque to DNS servers, the data must be consistent
across all entities that update and interpret this record. across all entities that update and interpret this record.
Therefore, new data formats may only be defined through actions of Therefore, new data formats may only be defined through actions of
the DHC Working Group, as a result of revising [6]. the DHC Working Group, as a result of revising [1].
4.1 Example
A DHCP server allocating the IPv4 address 10.0.0.1 to a client
"client.org.nil" might use the client's link-layer address to
identify the client:
client.org.nil. A 10.0.0.1 3.6 Updater Behavior
client.org.nil. DHCID AAAYKREXIgqtwYgQo93/yNlJ
A DHCP server allocating the IPv4 address 10.0.12.99 to a client The data in the DHCID RR allows updaters to determine whether more
"chi.org.nil" might use the DHCP client identifier option to than one DHCP client desires to use a particular FQDN. This allows
identify the client: site administrators to establish policy about DNS updates. The DHCID
RR does not establish any policy itself.
chi.org.nil. A 10.0.12.99 Updaters use data from a DHCP client's request and the domain name
chi.org.nil. DHCID AGGScSLaAYjdOhGMHKD/lJ2B that the client desires to use to compute a client identity hash,
and then compare that hash to the data in any DHCID RRs on the name
that they wish to associate with the client's IP address. If an
updater discovers DHCID RRs whose RDATA does not match the client
identity that they have computed, the updater SHOULD conclude that a
different client is currently associated with the name in question.
The updater SHOULD then proceed according to the site's
administrative policy. That policy might dictate that a different
name be selected, or it might permit the updater to continue.
5. Security Considerations 3.7 Examples
The DHCID record as such does not introduce any new security 3.7.1 Example 1
problems into the DNS. In order to avoid exposing private
information about DHCP clients to public scrutiny, a one-way-hash is
used to obscure all client information.
6. IANA Considerations A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
Ethernet MAC address 01:02:03:04:05:06 using domain name
"client.org.nil" uses the client's link-layer address to identify
the client. The DHCID RDATA is composed by setting the two type
bytes to zero, and performing an MD5 hash computation across a
buffer containing the Ethernet MAC type byte, 0x01, the six bytes of
MAC address, and the domain name (represented as specified in
Section 3.4).
IANA is requested to allocate an RR type number for the DHCID record client.org.nil. A 10.0.0.1
type. client.org.nil. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
7. Appendix A: Base 64 Encoding 3.7.2 Example 2
The following encoding technique is taken from RFC 2045[8] by N. A DHCP server allocates the IPv4 address 10.0.12.99 to a client
Borenstein and N. Freed. It is reproduced here in an edited form which included the DHCP client-identifier option data
for convenience. 01:07:08:09:0a:0b:0c in its DHCP request. The server updates the
name "chi.org.nil" on the client's behalf, and uses the DHCP client
identifier option data as input in forming a DHCID RR. The DHCID
RDATA is formed by setting the two type bytes to the option code,
0x003d, and performing an MD5 hash computation across a buffer
containing the seven bytes from the client-id option and the FQDN
(represented as specified in Section 3.4).
A 65-character subset of US-ASCII is used, enabling 6 bits to be chi.org.nil. A 10.0.12.99
represented per printable character. (The extra 65th character, "=", chi.org.nil. DHCID AD3dquu0xNqYn/4zw2FXy8X3
is used to signify a special processing function.)
The encoding process represents 24-bit groups of input bits as 4. Security Considerations
output strings of 4 encoded characters. Proceeding from left to
right, a 24-bit input group is formed by concatenating 3 8-bit input
groups. These 24 bits are then treated as 4 concatenated 6-bit
groups, each of which is translated into a single digit in the base
64 alphabet.
Each 6-bit group is used as an index into an array of 64 printable The DHCID record as such does not introduce any new security
characters. The character referenced by the index is placed in the problems into the DNS. In order to avoid exposing private
output string. information about DHCP clients to public scrutiny, a one-way hash is
used to obscure all client information. In order to make it
difficult to 'track' a client by examining the names associated with
a particular hash value, the FQDN is included in the hash
computation. Thus, the RDATA is dependent on both the DHCP client
identification data and on each FQDN associated with the client.
The Base 64 Alphabet Administrators should be wary of permitting unsecured DNS updates to
zones which are exposed to the global Internet. Both DHCP clients
and servers SHOULD use some form of update authentication (e.g.,
TSIG[9]) when performing DNS updates.
Value Encoding Value Encoding Value Encoding Value Encoding 5. IANA Considerations
0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 +
12 M 29 d 46 u 63 /
13 N 30 e 47 v
14 O 31 f 48 w (pad) =
15 P 32 g 49 x
16 Q 33 h 50 y
Special processing is performed if fewer than 24 bits are available IANA is requested to allocate an RR type number for the DHCID record
at the end of the data being encoded. A full encoding quantum is type.
always completed at the end of a quantity. When fewer than 24 input
bits are available in an input group, zero bits are added (on the
right) to form an integral number of 6-bit groups. Padding at the
end of the data is performed using the '=' character. Since all
base 64 input is an integral number of octets, only the following
cases can arise: (1) the final quantum of encoding input is an
integral multiple of 24 bits; here, the final unit of encoded output
will be an integral multiple of 4 characters with no "=" padding,
(2) the final quantum of encoding input is exactly 8 bits; here, the
final unit of encoded output will be two characters followed by two
"=" padding characters, or (3) the final quantum of encoding input
is exactly 16 bits; here, the final unit of encoded output will be
three characters followed by one "=" padding character.
References References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients
(draft-ietf-dhc-dns-resolution-*)", March 2001.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997. Levels", RFC 2119, March 1997.
[2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Mar [3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Mar
1997. 1997.
[3] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, Mar 1997.
[4] Mockapetris, P., "Domain names - Concepts and Facilities", RFC [4] Mockapetris, P., "Domain names - Concepts and Facilities", RFC
1034, Nov 1987. 1034, Nov 1987.
[5] Mockapetris, P., "Domain names - Implementation and [5] Mockapetris, P., "Domain names - Implementation and
Specification", RFC 1035, Nov 1987. Specification", RFC 1035, Nov 1987.
[6] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients [6] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April
(draft-ietf-dhc-dns-resolution-*)", July 2000. 1992.
[7] Eastlake, D., "Domain Name System Security Extensions", RFC [7] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999. 2535, March 1999.
[8] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [8] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions (MIME) Part One: Format of Internet Message Bodies", Extensions", RFC 2132, Mar 1997.
RFC 2045, November 1996.
[9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC
2845, May 2000.
Authors' Addresses Authors' Addresses
Mark Stapp Mark Stapp
Cisco Systems, Inc. Cisco Systems, Inc.
250 Apollo Dr. 250 Apollo Dr.
Chelmsford, MA 01824 Chelmsford, MA 01824
USA USA
Phone: 978.244.8498 Phone: 978.244.8498
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/