DNSEXT Working Group M. Stapp Internet-Draft Cisco Systems, Inc. Expires:
August 31, 2001January 18, 2002 T. Lemon A. Gustafsson Nominum, Inc. March 2,July 20, 2001 A DNS RR for Encoding DHCP Information <draft-ietf-dnsext-dhcid-rr-02.txt>(DHCID RR) <draft-ietf-dnsext-dhcid-rr-03.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 31, 2001.January 18, 2002. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract A situation can arise whereIt is possible for multiple DHCP clients requestto attempt to update the same DNS name from their (possibly distinct)FQDN as they obtain DHCP leases. Whether the DHCP servers.server or the clients themselves perform the DNS updates, conflicts can arise. To resolve such conflicts, 'Resolution"Resolution of DNS Name Conflicts'Conflicts" proposes storing client identifiers in the DNS to unambiguously associate domain names with the DHCP clients "owning" them.to which they refer. This memo defines a distinct RR type for this purpose for use by DHCP clients and servers, the "DHCID" RR. Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . .3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . .3 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . .3 4.3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . . .3 4.1 Example3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . . 4 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . 4 5. Security Considerations. . . . . 4 3.4 Computation of the RDATA . . . . . . . . . . . . . . . 4 6. IANA Considerations. . . 4 3.5 Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 5 7. Appendix A: Base 64 Encoding3.6 Updater Behavior . . . . . . . . . . . . . . . . . . . . . . 5 References3.7 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses3.7.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.7.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 References . . . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 89 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.2119. 2. Introduction A set of procedures to allow DHCPDHCP clients and servers to automatically update the DNS (RFC1034, RFC1035) is proposed in "Resolution of DNS Name Conflicts". A situationConflicts". Conflicts can arise whereif multiple DHCP clients wish to use the same DNS name. To resolve such conflicts, Resolution"Resolution of DNS Name ConflictsConflicts" proposes storing client identifiers in the DNS to unambiguously associate domain names with the DHCP clients using them. In the interest of clarity, it would beis preferable for this DHCP information to use a distinct RR type. This memo defines a distinct RR typefor this purpose for use by DHCP clients or servers, the "DHCID" RR. 3. The DHCID RR The DHCID RRIn order to avoid exposing potentially sensitive identifying information, the data stored is defined with mnemonic DHCID and type code [TBD]. 4. DHCID RDATA format The RDATA sectionthe result of a DHCID RR inone-way MD5 hash computation. The hash includes information from the DHCP client's REQUEST message as well as the domain name itself, so that the data stored in the DHCID RR will be dependent on both the client identification used in the DHCP protocol interaction and the domain name. This means that the DHCID RDATA will vary if a single client is associated over time with more than one name. This makes it difficult to 'track' a client as it is associated with various domain names. The MD5 hash algorithm has been shown to be weaker than the SHA-1 algorithm; it could therefore be argued that SHA-1 is a better choice. However, SHA-1 is significantly slower than MD5. A successful attack of MD5's weakness does not reveal the original data that was used to generate the signature, but rather provides a new set of input data that will produce the same signature. Because we are using the MD5 hash to conceal the original data, the fact that an attacker could produce a different plaintext resulting in the same MD5 output is not significant concern. 3. The DHCID RR The DHCID RR is defined with mnemonic DHCID and type code [TBD]. 3.1 DHCID RDATA format The RDATA section of a DHCID RR in transmission contains RDLENGTH bytes of binary data. The format of this data and its interpretation by DHCP servers and clients are described below. DNS software should consider the RDATA section to be opaque. In DNS master files, the RDATA is represented in base 64 encoding (see Appendix A (Section 7)) and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to obtain the full signature. These substrings can span lines using the standard parenthesis. This format is identical to that used for representing binary data in DNSSEC (RFC2535).DHCP clients or servers use the DHCID RR to associate a DHCP client's identity with a DNS name, so that multiple DHCP clients and servers may safelydeterministically perform dynamic DNS updates to the same zone. From the updater's perspective, the DHCID resource record RDATA consists of a 16-bit identifier type, in network byte order, followed by one or more bytes representing the actual identifier. The type code can have one of three classes of values. The first class contains just the value zero. This type indicates that the remaining contents of the DHCID record encode anidentifier: < 16 bits > DHCP identifier that is based onused < n bytes > MD5 digest 3.2 DHCID Presentation Format In DNS master files, the client's link-layer network address. TheRDATA is represented as a single block in base 64 encoding and may be divided up into any number of white space separated substrings, down to single base 64 digits, which are concatenated to form the complete RDATA. These substrings can span lines using the standard parentheses. This format is identical to that used for representing binary data in RFC2535. 3.3 The DHCID RR Type Codes The type code can have one of three classes of values. The first class contains just the value zero. This type indicates that the remaining contents of the DHCID record encode an identifier that is based on the client's link-layer network address. The second class of types contains just the value 0xFFFF. This type code is reserved for future extensibility. The third class of types contains all the values not included in the first two - that is, every value other than zero or 0xFFFF. Types in this class indicate that the remaining contents of the DHCID record encode an identifier that is based on the DHCP option whose code is the same as the specified type. The most common value in this class at the time of the writing of this draftspecification is 61,0x3d (61 decimal), which is the DHCP option codecode for the Client Identifier option.option . 3.4 Computation of the RDATA The data following the type code (for type codes other than 0xFFFF) is derived by running a one-waythe MD5 hash algorithm across a buffer containing the identifying information. The detailsidentifying information includes some data from the DHCP client's DHCPREQUEST message, and the FQDN which is the target of this are specifiedthe update. The domain name is represented in "Resolution of DNS Name Conflicts". This RRthe buffer in dns wire-format as described in RFC1035, section 3.1. The domain name MUST NOT be used for any purpose other than that detailedcompressed as described in "Resolution of DNS Name Conflicts". Althought this RR contains data that is opaqueRFC1035, section 4.1.4. Any uppercase alphabetic ASCII character in a label MUST be converted to DNS servers,lowercase before being used to compute the data must be consistent across all entities that update and interpret this record. Therefore, new data formats may onlyhash. When the updater is using the client's link-layer address as the identifier, the first two bytes of the DHCID RDATA MUST be defined through actionszero. To generate the rest of the DHC Working Group, asresource record, the updater computes a result of revising . 4.1 Example A DHCP server allocatingone-way hash using the IPv4 address 10.0.0.1 toMD5 algorithm across a client "client.org.nil" might usebuffer containing the client's network hardware type, link-layer address to identifyaddress, and the FQDN data. Specifically, the first byte of the buffer contains the network hardware type as it appeared in the DHCP 'htype' field of the client's DHCPREQUEST message. All of the significant bytes of the chaddr field in the client's DHCPREQUEST message follow, in the same order in which the bytes appear in the DHCPREQUEST message. The number of significant bytes in the 'chaddr' field is specified in the 'hlen' field of the DHCPREQUEST message. The FQDN data, as specified above, follows. When the updater is using a DHCP option sent by the client in its DHCPREQUEST message, the first two bytes of the client: client.org.nil. A 10.0.0.1 client.org.nil.DHCID AAAYKREXIgqtwYgQo93/yNlJRR MUST be the option code of that option, in network byte order. For example, if the DHCP client identifier option is being used, the first byte of the DHCID RR should be zero, and the second byte should be 61 decimal. The rest of the DHCID RR MUST contain the results of computing an MD5 hash across the payload of the option being used, followed by the FQDN. The payload of a DHCP option consists of the bytes of the option following the option code and length. The "Resolution of DNS Name Conflicts" specification describes the selection process that updaters follow to choose an identifier from the information presented in a client's DHCPREQUEST message. 3.5 Use of the DHCID RR This RR MUST NOT be used for any purpose other than that detailed in "Resolution of DNS Name Conflicts". Although this RR contains data that is opaque to DNS servers, the data must be consistent across all entities that update and interpret this record. Therefore, new data formats may only be defined through actions of the DHC Working Group, as a result of revising . 3.6 Updater Behavior The data in the DHCID RR allows updaters to determine whether more than one DHCP client desires to use a particular FQDN. This allows site administrators to establish policy about DNS updates. The DHCID RR does not establish any policy itself. Updaters use data from a DHCP client's request and the domain name that the client desires to use to compute a client identity hash, and then compare that hash to the data in any DHCID RRs on the name that they wish to associate with the client's IP address. If an updater discovers DHCID RRs whose RDATA does not match the client identity that they have computed, the updater SHOULD conclude that a different client is currently associated with the name in question. The updater SHOULD then proceed according to the site's administrative policy. That policy might dictate that a different name be selected, or it might permit the updater to continue. 3.7 Examples 3.7.1 Example 1 A DHCP server allocating the IPv4 address 10.0.12.9910.0.0.1 to a client "chi.org.nil" might usewith Ethernet MAC address 01:02:03:04:05:06 using domain name "client.org.nil" uses the DHCP client identifier optionclient's link-layer address to identify the client: chi.org.nil. A 10.0.12.99 chi.org.nil. DHCID AGGScSLaAYjdOhGMHKD/lJ2B 5. Security Considerationsclient. The DHCID record as such does not introduce any new security problems into the DNS. In order to avoid exposing private information about DHCP clients to public scrutiny, a one-way-hash is used to obscure all client information. 6. IANA Considerations IANARDATA is requestedcomposed by setting the two type bytes to allocatezero, and performing an RRMD5 hash computation across a buffer containing the Ethernet MAC type number forbyte, 0x01, the DHCID record type. 7. Appendix A: Base 64 Encoding The following encoding technique is taken from RFC 2045 by N. Borensteinsix bytes of MAC address, and N. Freed. It is reproduced herethe domain name (represented as specified in an edited form for convenience.Section 3.4). client.org.nil. A 65-character subset of US-ASCII is used, enabling 6 bits to be represented per printable character. (The extra 65th character, "=", is used to signify a special processing function.) The encoding process represents 24-bit groups of input bits as output strings of 4 encoded characters. Proceeding from left10.0.0.1 client.org.nil. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU 3.7.2 Example 2 A DHCP server allocates the IPv4 address 10.0.12.99 to right,a 24-bit input group is formed by concatenating 3 8-bit input groups. These 24 bits are then treated as 4 concatenated 6-bit groups, each ofclient which is translated into a single digitincluded the DHCP client-identifier option data 01:07:08:09:0a:0b:0c in its DHCP request. The server updates the base 64 alphabet. Each 6-bit group is usedname "chi.org.nil" on the client's behalf, and uses the DHCP client identifier option data as an index into an array of 64 printable characters.input in forming a DHCID RR. The character referencedDHCID RDATA is formed by setting the index is placed intwo type bytes to the output string. The Base 64 Alphabet Value Encoding Value Encoding Value Encoding Value Encoding 0 A 17 R 34 i 51 z 1 B 18 S 35 j 52 0 2 C 19 T 36 k 53 1 3 D 20 U 37 l 54 2 4 E 21 V 38 m 55 3 5 F 22 W 39 n 56 4 6 G 23 X 40 o 57 5 7 H 24 Y 41 p 58 6 8 I 25 Z 42 q 59 7 9 J 26option code, 0x003d, and performing an MD5 hash computation across a 43 r 60 8 10 K 27 b 44 s 61 9 11 L 28 c 45 t 62 + 12 M 29 d 46 u 63 / 13 N 30 e 47 v 14 O 31 f 48 w (pad) = 15 P 32 g 49 x 16 Q 33 h 50 y Special processing is performed if fewer than 24 bits are available atbuffer containing the seven bytes from the end ofclient-id option and the data being encoded.FQDN (represented as specified in Section 3.4). chi.org.nil. A full encoding quantum is always completed at10.0.12.99 chi.org.nil. DHCID AD3dquu0xNqYn/4zw2FXy8X3 4. Security Considerations The DHCID record as such does not introduce any new security problems into the end ofDNS. In order to avoid exposing private information about DHCP clients to public scrutiny, a quantity. When fewer than 24 input bits are available in an input group, zero bits are added (on the right)one-way hash is used to form an integral number of 6-bit groups. Padding at the end ofobscure all client information. In order to make it difficult to 'track' a client by examining the data is performed usingnames associated with a particular hash value, the '=' character. Since all base 64 inputFQDN is an integral number of octets, onlyincluded in the following cases can arise: (1)hash computation. Thus, the final quantum of encoding inputRDATA is an integral multiple of 24 bits; here,dependent on both the final unit of encoded output will be an integral multiple of 4 charactersDHCP client identification data and on each FQDN associated with no "=" padding, (2) the final quantum of encoding input is exactly 8 bits; here,the final unit of encoded output willclient. Administrators should be two characters followed by two "=" padding characters, or (3)wary of permitting unsecured DNS updates to zones which are exposed to the final quantumglobal Internet. Both DHCP clients and servers SHOULD use some form of encoding inputupdate authentication (e.g., TSIG) when performing DNS updates. 5. IANA Considerations IANA is exactly 16 bits; here,requested to allocate an RR type number for the final unit of encoded output will be three characters followed by one "=" padding character.DHCID record type. References  Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients (draft-ietf-dhc-dns-resolution-*)", March 2001.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Mar 1997.  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, Mar 1997. Mockapetris, P., "Domain names - Concepts and Facilities", RFC 1034, Nov 1987.  Mockapetris, P., "Domain names - Implementation and Specification", RFC 1035, Nov 1987.  Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2000.Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992.  Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.  Freed, N.Alexander, S. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies",R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, Mar 1997.  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2045, November 1996.2845, May 2000. Authors' Addresses Mark Stapp Cisco Systems, Inc. 250 Apollo Dr. Chelmsford, MA 01824 USA Phone: 978.244.8498 EMail: firstname.lastname@example.org Ted Lemon Nominum, Inc. 950 Charter St. Redwood City, CA 94063 USA EMail: email@example.com Andreas Gustafsson Nominum, Inc. 950 Charter St. Redwood City, CA 94063 USA EMail: firstname.lastname@example.org Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society.