draft-ietf-dnsext-dhcid-rr-05.txt   draft-ietf-dnsext-dhcid-rr-06.txt 
DNSEXT Working Group M. Stapp DNSEXT Working Group M. Stapp
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Expires: December 20, 2002 T. Lemon Expires: May 2, 2003 T. Lemon
A. Gustafsson A. Gustafsson
Nominum, Inc. Nominum, Inc.
June 21, 2002 November 1, 2002
A DNS RR for Encoding DHCP Information (DHCID RR) A DNS RR for Encoding DHCP Information (DHCID RR)
<draft-ietf-dnsext-dhcid-rr-05.txt> <draft-ietf-dnsext-dhcid-rr-06.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 20, 2002. This Internet-Draft will expire on May 2, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract Abstract
It is possible for multiple DHCP clients to attempt to update the It is possible for multiple DHCP clients to attempt to update the
same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
the clients themselves perform the DNS updates, conflicts can arise. the clients themselves perform the DNS updates, conflicts can arise.
skipping to change at page 2, line 13 skipping to change at page 2, line 13
DHCP clients and servers, the "DHCID" RR. DHCP clients and servers, the "DHCID" RR.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . . 4 3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . . 4
3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . . 4 3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . . 4
3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . . 4 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . . 4
3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . . 4 3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . . 5
3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 6 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . 6
5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . 6 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . 7 References . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
Full Copyright Statement . . . . . . . . . . . . . . . . . . 9 Full Copyright Statement . . . . . . . . . . . . . . . . . . 10
1. Terminology 1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119[2]. document are to be interpreted as described in RFC 2119[2].
2. Introduction 2. Introduction
A set of procedures to allow DHCP[3] clients and servers to A set of procedures to allow DHCP[3] clients and servers to
skipping to change at page 4, line 33 skipping to change at page 4, line 33
In DNS master files, the RDATA is represented as a single block in In DNS master files, the RDATA is represented as a single block in
base 64 encoding identical to that used for representing binary data base 64 encoding identical to that used for representing binary data
in RFC2535[7]. The data may be divided up into any number of white in RFC2535[7]. The data may be divided up into any number of white
space separated substrings, down to single base 64 digits, which are space separated substrings, down to single base 64 digits, which are
concatenated to form the complete RDATA. These substrings can span concatenated to form the complete RDATA. These substrings can span
lines using the standard parentheses. lines using the standard parentheses.
3.3 The DHCID RR Type Codes 3.3 The DHCID RR Type Codes
The type code can have one of three classes of values. The first The DHCID RR Type Code specifies what data from the DHCP client's
class contains just the value zero. This type indicates that the request was used as input into the hash function. The type codes are
remaining contents of the DHCID record encode an identifier that is defined in a registry maintained by IANA, as specified in Section 7.
based on the client's link-layer network address. The initial list of assigned values for the type code is:
The second class of types contains just the value 0xFFFF. This type 0x0000 = htype, chaddr from a DHCPv4 client's
code is reserved for future extensibility. DHCPREQUEST (RFC 2131)
0x0001 = The data portion from a DHCPv4 client's Client
Identifier option (RFC 2132)
0x0002 = The data portion (i.e., the DUID) from a DHCPv6
client's Client Identifier option
(draft-ietf-dhc-dhcpv6-*.txt)
The third class of types contains all the values not included in the 0x0003 - 0xfffe = Available to be assigned by IANA
first two - that is, every value other than zero or 0xFFFF. Types in
this class indicate that the remaining contents of the DHCID record 0xffff = RESERVED
encode an identifier that is based on the DHCP option whose code is
the same as the specified type. The most common value in this class
at the time of the writing of this specification is 0x3d (61
decimal), which is the DHCP option code for the Client Identifier
option [8].
3.4 Computation of the RDATA 3.4 Computation of the RDATA
The DHCID RDATA is formed by concatenating the two type bytes with The DHCID RDATA is formed by concatenating the two type bytes with
some variable-length identifying data. some variable-length identifying data.
< type > < data > < type > < data >
The RDATA for all type codes other than 0xffff, which is reserved The RDATA for all type codes other than 0xffff, which is reserved
for future expansion, is formed by concatenating the two type bytes for future expansion, is formed by concatenating the two type bytes
and a 16-byte MD5 hash value. The input to the hash function is and a 16-byte MD5 hash value. The input to the hash function is
defined to be: defined to be:
data = MD5(< identifier > < FQDN >) data = MD5(< identifier > < FQDN >)
The FQDN is represented in the buffer in unambiguous canonical form The FQDN is represented in the buffer in unambiguous canonical form
as described in RFC2535[7], section 8.1. The type code and the as described in RFC2535[7], section 8.1. The type code and the
identifier are related as specified in Section 3.3: the type code identifier are related as specified in Section 3.3: the type code
describes the source of the identifier. describes the source of the identifier.
type code identifier
0x0000 htype,hlen,chaddr from the client's DHCPREQUEST
0x0001- 'data' portion of a DHCP option from the
0xfffe client's DHCPREQUEST
0xffff RESERVED
The "Resolution of DNS Name Conflicts"[1] specification describes
the selection process that updaters follow to choose an identifier
from the information presented in a client's DHCPREQUEST message.
When the updater is using the client's link-layer address as the When the updater is using the client's link-layer address as the
identifier, the first two bytes of the DHCID RDATA MUST be zero. To identifier, the first two bytes of the DHCID RDATA MUST be zero. To
generate the rest of the resource record, the updater computes a generate the rest of the resource record, the updater computes a
one-way hash using the MD5 algorithm across a buffer containing the one-way hash using the MD5 algorithm across a buffer containing the
client's network hardware type, link-layer address, and the FQDN client's network hardware type, link-layer address, and the FQDN
data. Specifically, the first byte of the buffer contains the data. Specifically, the first byte of the buffer contains the
network hardware type as it appeared in the DHCP 'htype' field of network hardware type as it appeared in the DHCP 'htype' field of
the client's DHCPREQUEST message. All of the significant bytes of the client's DHCPREQUEST message. All of the significant bytes of
the chaddr field in the client's DHCPREQUEST message follow, in the the chaddr field in the client's DHCPREQUEST message follow, in the
same order in which the bytes appear in the DHCPREQUEST message. The same order in which the bytes appear in the DHCPREQUEST message. The
number of significant bytes in the 'chaddr' field is specified in number of significant bytes in the 'chaddr' field is specified in
the 'hlen' field of the DHCPREQUEST message. The FQDN data, as the 'hlen' field of the DHCPREQUEST message. The FQDN data, as
specified above, follows. specified above, follows.
When the updater is using a DHCP option sent by the client in its When the updater is using the DHCPv4 Client Identifier option sent
DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the by the client in its DHCPREQUEST message, the first two bytes of the
option code of that option, in network byte order. For example, if DHCID RR MUST be 0x0001, in network byte order. The rest of the
the DHCP client identifier option is being used, the first byte of DHCID RR MUST contain the results of computing an MD5 hash across
the DHCID RR should be zero, and the second byte should be 61 the payload of the option, followed by the FQDN. The payload of the
decimal. The rest of the DHCID RR MUST contain the results of option consists of the bytes of the option following the option code
computing an MD5 hash across the payload of the option being used, and length.
followed by the FQDN. The payload of a DHCP option consists of the
When the updater is using the DHCPv6 DUID sent by the client in its
REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
in network byte order. The rest of the DHCID RR MUST contain the
results of computing an MD5 hash across the payload of the option,
followed by the FQDN. The payload of the option consists of the
bytes of the option following the option code and length. bytes of the option following the option code and length.
3.5 Examples 3.5 Examples
3.5.1 Example 1 3.5.1 Example 1
A DHCP server allocating the IPv4 address 10.0.0.1 to a client with A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
Ethernet MAC address 01:02:03:04:05:06 using domain name Ethernet MAC address 01:02:03:04:05:06 using domain name
"client.example.com" uses the client's link-layer address to "client.example.com" uses the client's link-layer address to
identify the client. The DHCID RDATA is composed by setting the two identify the client. The DHCID RDATA is composed by setting the two
skipping to change at page 6, line 29 skipping to change at page 6, line 28
client.example.com. A 10.0.0.1 client.example.com. A 10.0.0.1
client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
3.5.2 Example 2 3.5.2 Example 2
A DHCP server allocates the IPv4 address 10.0.12.99 to a client A DHCP server allocates the IPv4 address 10.0.12.99 to a client
which included the DHCP client-identifier option data which included the DHCP client-identifier option data
01:07:08:09:0a:0b:0c in its DHCP request. The server updates the 01:07:08:09:0a:0b:0c in its DHCP request. The server updates the
name "chi.example.com" on the client's behalf, and uses the DHCP name "chi.example.com" on the client's behalf, and uses the DHCP
client identifier option data as input in forming a DHCID RR. The client identifier option data as input in forming a DHCID RR. The
DHCID RDATA is formed by setting the two type bytes to the option DHCID RDATA is formed by setting the two type bytes to the value
code, 0x003d, and performing an MD5 hash computation across a buffer 0x0001, and performing an MD5 hash computation across a buffer
containing the seven bytes from the client-id option and the FQDN containing the seven bytes from the client-id option and the FQDN
(represented as specified in Section 3.4). (represented as specified in Section 3.4).
chi.example.com. A 10.0.12.99 chi.example.com. A 10.0.12.99
chi.example.com. DHCID AD3dquu0xNqYn/4zw2FXy8X3 chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
4. Use of the DHCID RR 4. Use of the DHCID RR
This RR MUST NOT be used for any purpose other than that detailed in This RR MUST NOT be used for any purpose other than that detailed in
"Resolution of DNS Name Conflicts"[1]. Although this RR contains "Resolution of DNS Name Conflicts"[1]. Although this RR contains
data that is opaque to DNS servers, the data must be consistent data that is opaque to DNS servers, the data must be consistent
across all entities that update and interpret this record. across all entities that update and interpret this record.
Therefore, new data formats may only be defined through actions of Therefore, new data formats may only be defined through actions of
the DHC Working Group, as a result of revising [1]. the DHC Working Group, as a result of revising [1].
skipping to change at page 7, line 30 skipping to change at page 7, line 27
information about DHCP clients to public scrutiny, a one-way hash is information about DHCP clients to public scrutiny, a one-way hash is
used to obscure all client information. In order to make it used to obscure all client information. In order to make it
difficult to 'track' a client by examining the names associated with difficult to 'track' a client by examining the names associated with
a particular hash value, the FQDN is included in the hash a particular hash value, the FQDN is included in the hash
computation. Thus, the RDATA is dependent on both the DHCP client computation. Thus, the RDATA is dependent on both the DHCP client
identification data and on each FQDN associated with the client. identification data and on each FQDN associated with the client.
Administrators should be wary of permitting unsecured DNS updates to Administrators should be wary of permitting unsecured DNS updates to
zones which are exposed to the global Internet. Both DHCP clients zones which are exposed to the global Internet. Both DHCP clients
and servers SHOULD use some form of update authentication (e.g., and servers SHOULD use some form of update authentication (e.g.,
TSIG[9]) when performing DNS updates. TSIG[10]) when performing DNS updates.
7. IANA Considerations 7. IANA Considerations
IANA is requested to allocate an RR type number for the DHCID record IANA is requested to allocate an RR type number for the DHCID record
type. type.
This specification defines a new number-space for the 16-bit type
codes associated with the DHCID RR. IANA is requested to establish a
registry of the values for this number-space.
Three initial values are assigned in Section 3.3, and the value
0xFFFF is reserved for future use. New DHCID RR type codes are
tentatively assigned after the specification for the associated type
code, published as an Internet Draft, has received expert review by
a designated expert. The final assignment of DHCID RR type codes is
through Standards Action, as defined in RFC2434[11].
8. Acknowledgements
Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz,
and Ralph Droms for their review and suggestions.
References References
[1] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP Clients [1] Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
(draft-ietf-dhc-dns-resolution-*)", March 2001. Clients (draft-ietf-dhc-dns-resolution-*)", March 2001.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement [2] Bradner, S., "Key words for use in RFCs to Indicate
Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Mar [3] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
1997. Mar 1997.
[4] Mockapetris, P., "Domain names - Concepts and Facilities", RFC [4] Mockapetris, P., "Domain names - Concepts and Facilities", RFC
1034, Nov 1987. 1034, Nov 1987.
[5] Mockapetris, P., "Domain names - Implementation and [5] Mockapetris, P., "Domain names - Implementation and
Specification", RFC 1035, Nov 1987. Specification", RFC 1035, Nov 1987.
[6] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April [6] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
1992. April 1992.
[7] Eastlake, D., "Domain Name System Security Extensions", RFC [7] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999. 2535, March 1999.
[8] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [8] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, Mar 1997. Extensions", RFC 2132, Mar 1997.
[9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, [9] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
(draft-ietf-dhc-dhcpv6-*.txt)", November 2002.
[10] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC "Secret Key Transaction Authentication for DNS (TSIG)", RFC
2845, May 2000. 2845, May 2000.
[11] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998.
Authors' Addresses Authors' Addresses
Mark Stapp Mark Stapp
Cisco Systems, Inc. Cisco Systems, Inc.
250 Apollo Dr. 250 Apollo Dr.
Chelmsford, MA 01824 Chelmsford, MA 01824
USA USA
Phone: 978.244.8498 Phone: 978.244.8498
EMail: mjs@cisco.com EMail: mjs@cisco.com
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/