DHC Working Group M. Stapp Internet-Draft Cisco Systems, Inc. Expires:
August 31, 2001 March 2,January 18, 2002 July 20, 2001 Resolution of DNS Name Conflicts Among DHCP Clients <draft-ietf-dhc-ddns-resolution-01.txt><draft-ietf-dhc-ddns-resolution-02.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 31, 2001.January 18, 2002. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract DHCP provides a powerful mechanism for IP host configuration. However, the configuration capability provided by DHCP does not include updating DNS(RFC1034, RFC1035), and specifically updating the name to address and address to name mappings maintained in the DNS. The "Client FQDN Option"Option" specifies the client FQDN option, through which DHCP clients and servers can exchange information about client FQDNs. This document describes techniques for the resolution of DNS name conflicts among DHCP clients. Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Issues with DDNSDNS Update in DHCP Environments . . . . . . . . . . .3 3.1 Name Conflicts . . . .Client Mis-Configuration . . . . . . . . . . . . . . . . . . . 4 3.2 Multiple DHCP serversServers . . . . . . . . . . . . . . . . . . . 5 3.3. 4 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 5 188.8.131.52 Format of the DHCID RRDATA . . . . . . . . . . . . . . . . . 5 3.4. 6 5. DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . 7 4.. 8 6. Procedures for performing DNS updates . . . . . . . . . . . 7 4.1. 8 6.1 Adding A RRs to DNS . . . . . . . . . . . . . . . . . . . . 7 4.2. 8 6.2 Adding PTR RR Entries to DNS . . . . . . . . . . . . . . . . 8 4.3. 9 6.3 Removing Entries from DNS . . . . . . . . . . . . . . . . . . 9 4.46.4 Updating otherOther RRs . . . . . . . . . . . . . . . . . . . . . 9 5.. 10 7. Security Considerations . . . . . . . . . . . . . . . . . . 9 6.. 10 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10. 11 References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.2119. 2. Introduction "The Client FQDN Option"Option" includes a description of the operation of DHCPDHCP clients and servers that use the client FQDN option. Through the use of the client FQDN option, DHCP clients and servers can negotiate the client's FQDN and the allocation of responsibility for updating the DHCP client's A RR. This document identifies situations in which conflicts in the use of FQDNs may arise among DHCP clients, and describes a strategy for the use of the DHCID DNS resource recordrecord in resolving those conflicts. In any case, whether a site permits all, some, or no DHCP servers and clients to perform DNS updates into the zones which it controls is entirely a matter of local administrative policy. This document does not require any specific administrative policy, and does not propose one. The range of possible policies is very broad, from sites where only the DHCP servers have been given credentials that the DNS servers will accept, to sites where each individual DHCP client has been configured with credentials which allow the client to modify its own domain name. Compliant implementations MAY support some or all of these possibilities. Furthermore, this specification applies only to DHCP client and server processes: it does not apply to other processes which initiate DNS updates. 3. Issues with DDNSDNS Update in DHCP Environments There are two DNS update situations that require special consideration in DHCP environments: cases where more than one DHCP client has been configured with the same FQDN, and cases where more than one DHCP server has been given authority to perform DNS updates in a zone. In these cases, it is possible for DNS records to be modified in inconsistent ways unless the updaters have a mechanism that allows them to detect anomolous situations. If DNS updaters can detect these situations, site administrators can configure the updaters' behavior so that the site's policies can be enforced. We use the term "Name Conflict" to refer to cases where more than one DHCP client has beenwishes to be associated with a single FQDN. This specification describes a mechanism designed to allow updaters to detect these situations, and requiressuggests that DHCP implementations use this mechanism by default. 3.1 Name Conflicts How canClient Mis-Configuration At many (though not all) sites, administrators wish to maintain a one-to-one relationship between active DHCP clients and domain names, and to maintain consistency between the entity updating ana host's A RR (eitherand PTR RRs. Hosts which are not represented in the DHCP clientDNS, or hosts which inadvertently share an FQDN with another host may encounter inconsistent behavior or may not be able to obtain access to network resources. Whether each DHCP server) detect thatclient is configured with a domain name has an A RR which is already in useby a different DHCP client? Similarly, should a DHCP clientits administrator or whether the DHCP server update a domain name which has an A RR that has beenis configured by an administrator? In eitherto distribute the clients' names, the consistency of these cases,the domain name in question would either have an additional A RR, or would have its original A RR replaced byDNS data is entirely dependent on the new record. Eitheraccuracy of these effectsthe configuration procedure. Sites which use Secure DNS may be considered undesirable by some sites. Different authorityconfigure credentials for each host and credential models have different levels of exposure toits assigned name conflicts. 1. Client updates A RR, uses Secure DNS Update with credentialsin a way that is more error-resistant, but this level of pre-configuration is still rare in DHCP environments. Consider an example in which two DHCP clients in the "org.nil" network are associatedboth configured with the client's FQDN, and exclusivename "foo". The clients are permitted to the client. Name conflicts in this scenario are unlikely (though not impossible), since theperform their own DNS updates. The first client, client has received credentials specific to the name it desiresA, is configured via DHCP. It adds an A RR to use. This implies that the name has already been allocated (through some implementation- or organization-specific procedure)"foo.org.nil", and its DHCP server adds a PTR RR corresponding to that client. 2. Client updates A RR, uses Secure DNS Update with credentials that are valid for any name in the zone. Name conflicts in this scenario are possible, since the credentials necessary forits IP address lease. When the second client, client B, boots, it is also configured via DHCP, and it also begins to update DNS are not necessarily name-specific. Thus, for"foo.org.nil". At this point, the client to be attempting"org.nil" administrators may wish to update a unique name requires the existence ofestablish some administrative procedure to ensure client configuration with uniquepolicy about DHCP clients' DNS names. 3. Server updatesIf the policy is that each client that boots should replace any existing A RR, uses a name forRR that matches its name, Client B can proceed, though Client A may encounter problems. If Client B replaces the client whichA RR associated with its name, Client A must have some way to recognize that when its lease is knownabout to expire, so that it can avoid removing an RR that reflects another client's DHCP lease. If the server. Name conflicts in this scenario are likely unless prevented bypolicy is that the server's name configuration procedures. See Section 5 for security issuesfirst DHCP client with this form of deployment. 4. Server updates the A RR, usesa given name supplied byshould be the client. Name conflicts in this scenario are highly likely, even with administrative procedures designed to prevent them. (This scenario is a popular one in real-world deployments in many types of organizations.) See Section 5 for security issuesonly client associated with this type of deployment. Scenarios 2, 3, and 4 rely on administrative procedures to ensure name uniqueness for DNS updates, and these procedures may break down. Experience has shown that, in fact, these procedures will break down at least occasionally. The question is what to do when these procedures break down or, for example in scenario #4, may not even exist. In all cases of name conflicts, the desire is to offer two modes of operationthat name, Client B needs to be able to determine that it is not the administrator of the combined DHCP-DNS capability: first-update-wins (i.e., the first updating entity getsclient associated with "foo.org.nil". It could be that Client A booted first, and that Client B should choose another name. Or it could be that B has booted on a new subnet, and received a new lease. It must either retain persistent state about the name)last lease it held (in addition to its current lease) or most-recent-update-wins (i.e.,it must have some other way to detect that it was the last updating entity for a name getsupdater of "foo.org.nil" in order to implement the name).site's policy. 3.2 Multiple DHCP servers If multipleServers At many sites, the difficulties with distributing DNS update credentials to all of the DHCP servers are ableclients lead to updatethe same DNS zones, or ifdesire for the DHCP servers are performingto perform A RR updates on behalf of their clients. If a single DHCP server managed all of the DHCP clients,clients at a site, it could maintain some database of the DNS names that it was managing, and check that database before initiating a DNS update for a client. Such a database is necessarily proprietary, however, and that approach does not work once more than one DHCP server may be ableis deployed. Consider an example in which DHCP Client A boots, obtains a DHCP lease from Server S1, presenting the hostname "foo" in a Client FQDN option in its DHCPREQUEST message. Server S1 updates its domain name, "foo.org.nil", adding an A RR which matches Client A's lease. The client then moves to serve addressesanother subnet, served by Server S2. When Client A boots on the new subnet, Server S2 will issue it a new lease, and will attempt to add an A RR matching the new lease to "foo.org.nil". At this point, without some proprietary communication mechanism which S2 can use to ask S1 (and every other DHCP server which updates the zone) about the client, S2 has no way to know whether Client A is currently associated with the domain name, or whether A is a different client configured with the same DHCP clients,hostname. If the DHCPservers should be able to provide reasonable and consistent DNS name update behavior for DHCP clients. 3.3cannot distinguish between these situations, they cannot enforce the site's naming policies. 4. Use of the DHCID RR A solution to both of these problems is for the updating entities (bothupdater (a DHCP clients andclient or DHCP servers)server) to be able to detect that another entitydetermine which DHCP client has been associated with a DNS name, andin order to offer administrators the opportunity to configure updateupdater behavior. Specifically,FOr this purpose, a DHCID RR, described in DHCID RR, is used to associate client identification information with a DNS name and the A or PTR RR associated with that name. When either a client or server adds an A or PTR RR for a client, it also adds a DHCID RR which specifies a unique client identity (based on a "client specifier" created from the data in the client's client-id or MAC address).DHCPREQUEST message). In this model, only one A RR is associated with a given DNS name at a time. By associating this ownership information with each A RR,DNS name, cooperating DNS updating entitiesupdaters may determine whether their client is the first or last updater of thecurrently associated with a particular DNS name (andand implement the appropriately configured administrative policy), andpolicy. In addition, DHCP clients which currently have domain names may move from one DHCP server to another without losing their DNS names. The specific algorithms utilizing the DHCID RR to signal client ownership are explained below. The algorithms only work in the case where the updating entities all cooperate -- this approach is advisory only and is not a substitute for DNS security, nor is it replaced by DNS security. 184.108.40.206 Format of the DHCID RRDATA The DHCID RR used to hold the DHCP client's identity is formatted as follows: The name of the DHCID RR is the name of the A or PTR RR which refers to the DHCP client. The RDATA section of a DHCID RR in transmission contains RDLENGTH bytes of binary data. From the perspective of DHCP clients and servers, the DHCDHCID resource record consists of a 16-bit identifier type, followed by one or more bytes representing the actual identifier. There are two possible forms for a DHCID RR - one that is used when the client's link-layer address is being used to identify it, and one that is used when some DHCP option that the DHCP client has sent is being used to identify it. DISCUSSION: Implementors should note thatThe data following the actualidentifier type code (for type codes other than 0xFFFF) is derived by digesting a buffer containing identifying information using the MD5 hash algorithm. The identifying information includes some data from the DHCP client's DHCPREQUEST message, and the FQDN which is never placed intothe DNS directly. Instead,target of the client-identity dataupdate. The domain name is usedincluded in the computation in order to ensure that the DHCID RDATA will vary if a single client is associated over time with more than one name. This makes it difficult to 'track' a client as it is associated with various domain names. The domain name is represented in the buffer in dns wire-format as described in RFC1035, section 3.1. The domain name MUST NOT be compressed as described in RFC1035, section 4.1.4. Any uppercase alphabetic ASCII character in a label MUST be converted to lowercase before being in the hash computation. The MD5 hash algorithm has been shown to be weaker than the SHA-1 algorithm; it could therefore be argued that SHA-1 is a better choice. However, SHA-1 is significantly slower than MD5. A successful attack of MD5's weakness does not reveal the original data that was used to generate the signature, but rather provides a new set of input data that will produce the same signature. Because we are using the input into a one-wayMD5 hash algorithm, andto conceal the output oforiginal data, the fact that hash is then used as DNS RRDATA. This has been specifiedan attacker could produce a different plaintext resulting in order to avoid placing data about DHCP clients that some sites might consider sensitive intothe DNS.same MD5 output is not a significant concern. When the updater is using the client's link-layer address, the first two bytes of the DHCID RRDATA MUST be zero. To generate the rest of the resource record, the updater MUST compute a one-way hash using the MD5MD5 algorithm across a buffer containing the client's network hardware type andtype, link-layer address.address, and the domain name. Specifically, the first byte of the buffer contains the network hardware type as it appears in the DHCP htype field of the client's DHCPREQUEST message. All of the significant bytes of the chaddr field in the client's DHCPREQUEST message follow, in the same order in which the bytes appear in the DHCPREQUEST message. The number of significant bytes in the chaddr field is specified in the hlen field of the DHCPREQUEST message. The fully-qualified domain name, as specified above, follows. When the updater is using a DHCP option sent by the client in its DHCPREQUEST message, the first two bytes of the DHCID RR MUST be the option code of that option, in network byte order. For example, if the DHCP client identifier option is being used, the first byte of the DHCID RR should be zero, and the second byte should be 61 decimal. The rest of the DHCID RR MUST contain the results of computing a one-way hash across the payload of the option being used,used and the FQDN (as specified above), using the MD5 algorithm. The payload of a DHCP option consists of the bytes of the option following the option code and length. The two byte identifier code 0xffff is reserved for future assignment. In order for independent DHCP implementations to be able to use the DHCID RR as a prerequisite in dynamic DNS updates, each updater must be able to reliably choose the same identifier that any other would choose. To make this possible, we specify a prioritization which will ensure that for any given DHCP client request, any updater will select the same client-identity data. All updaters MUST use this order of prioritization by default, but all implementations SHOULD be configurable to use a different prioritization if so desired by the site administrators. Because of the possibility of future changes in the DHCP protocol, implementors SHOULD check for updated versions of this draftspecification when implementing new DHCP clients and servers which can perform DDNSDNS updates, and also when releasing new versions of existing clients and servers. DHCP clients and servers should use the following forms of client identification, starting with the most preferable, and finishing with the least preferable. If the client does not send any of these forms of identification, the DHCP/DDNSDHCP/DNS interaction is not defined by this specification. The most preferable form of identification is the Globally Unique Identifier Option [TBD]. Next is the DHCP Client Identifier option. Last is the client's link-layer address, as conveyed in its DHCPREQUEST message. Implementors should note that the link-layer address cannot be used if there are no significant bytes in the chaddr field of the DHCP client's request, because this does not constitute a unique identifier. 3.45. DNS RR TTLs RRs associated with DHCP clients may be more volatile than statically configured RRs. DHCP clients and servers which perform dynamic updates should attempt to specify resource record TTLs which reflect this volatility, in order to minimize the possibility that there will be stale records in resolvers' caches. A reasonable basis for RR TTLs is the lease duration itself: TTLs of 1/2 or 1/3 the expected lease duration might be reasonable defaults. Because configured DHCP lease times vary widely from site to site, it may also be desirable to establish a fixed TTL ceiling. DHCP clients and servers MAY allow administrators to configure the TTLs they will supply, possibly as a fraction of the actual lease time, or as a fixed value. 4.6. Procedures for performing DNS updates 4.16.1 Adding A RRs to DNS When a DHCP client or server intends to update an A RR, it first prepares a DNS UPDATE query which includes as a prerequisite the assertion that the name does not exist. The update section of the query attempts to add the new name and its IP address mapping (an A RR), and the DHCID RR with its unique client-identity. If this update operation succeeds, the updater can conclude that it has added a new name whose only RRs are the A and DHCID RR records. The A RR update is now complete (and a client updater is finished, while a server might proceed to perform a PTR RR update). If the first update operation fails with YXDOMAIN, the updater can conclude that the intended name is in use. The updater then attempts to confirm that the DNS name is not being used by some other host. The updater prepares a second UPDATE query in which the prerequisite is that the desired name has attached to it a DHCID RR whose contents match the client identity. The update section of this query deletes the existing A records on the name, and adds the A record that matches the DHCP binding and the DHCID RR with the client identity. If this query succeeds, the updater can conclude that the current client was the last client associated with the domain name, and that the name now contains the updated A RR. The A RR update is now complete (and a client updater is finished, while a server would then proceed to perform a PTR RR update). If the second query fails with NXRRSET, the updater must conclude that the client's desired name is in use by another host. At this juncture, the updater can decide (based on some administrative configuration outside of the scope of this document) whether to let the existing owner of the name keep that name, and to (possibly) perform some name disambiguation operation on behalf of the current client, or to replace the RRs on the name with RRs that represent the current client. If the configured policy allows replacement of existing records, the updater submits a query that deletes the existing A RR and the existing DHCID RR, adding A and DHCID RRs that represent the IP address and client-identity of the new client. DISCUSSION: The updating entity may be configured to allow the existing DNS records on the domain name to remain unchanged, and to perform disambiguation on the name of the current client in order to attempt to generate a similar but unique name for the current client. In this case, once another candidate name has been generated, the updater should restart the process of adding an A RR as specified in this section. 4.26.2 Adding PTR RR Entries to DNS The DHCP server submits a DNS query which deletes all of the PTR RRs associated with the lease IP address, and adds a PTR RR whose data is the client's (possibly disambiguated) host name. The server also adds a DHCID RR as specified in Section 3.3. 4.34. 6.3 Removing Entries from DNS The most important consideration in removing DNS entries is be sure that an entity removing a DNS entry is only removing an entry that it added, or for which an administrator has explicitly assigned it responsibility. When a lease expires or a DHCP client issues a DHCPRELEASE request, the DHCP server SHOULD delete the PTR RR that matches the DHCP binding, if one was successfully added. The server's update query SHOULD assert that the name in the PTR record matches the name of the client whose lease has expired or been released. The entity chosen to handle the A record for this client (either the client or the server) SHOULD delete the A record that was added when the lease was made to the client. In order to perform this delete, the updater prepares an UPDATE query which contains two prerequisites. The first prerequisite asserts that the DHCID RR exists whose data is the client identity described in Section 3.3.4. The second prerequisite asserts that the data in the A RR contains the IP address of the lease that has expired or been released. If the query fails, the updater MUST NOT delete the DNS name. It may be that the hostclient whose lease on the serverhas expired has moved to another network and obtained a lease from a different server, which has caused the client's A RR to be replaced. It may also be that some other client has been configured with a name that matches the name of the DHCP client, and the policy was that the last client to specify the name would get the name. In this case,these cases, the DHCID RR will no longer match the updater's notion of the client-identity of the host pointed to by the DNS name. 4.46.4 Updating otherOther RRs The procedures described in this document only cover updates to the A and PTR RRs. Updating other types of RRs is outside the scope of this document. 5.7. Security Considerations Unauthenticated updates to the DNS can lead to tremendous confusion, through malicious attack or through inadvertent misconfiguration. Administrators should be wary of permitting unsecured DNS updates to zones which are exposed to the global Internet. Both DHCP clients and servers SHOULD use some form of update request originauthentication procedure(e.g., Secure DNS Dynamic Update)TSIG) when performing DNS updates. Whether a DHCP client may be responsible for updating an FQDN to IP address mapping, or whether this is the responsibility of the DHCP server is a site-local matter. The choice between the two alternatives may be based on the security model that is used with the Dynamic DNS Update protocol (e.g., only a client may have sufficient credentials to perform updates to the FQDN to IP address mapping for its FQDN). Whether a DHCP server is always responsible for updating the FQDN to IP address mapping (in addition to updating the IP to FQDN mapping), regardless of the wishes of an individual DHCP client, is also a site-local matter. The choice between the two alternatives may be based on the security model that is being used with dynamic DNS updates. In cases where a DHCP server is performing DNS updates on behalf of a client, the DHCP server should be sure of the DNS name to use for the client, and of the identity of the client. Currently, it is difficult for DHCP servers to develop much confidence in the identities of itstheir clients, given the absence of entity authentication from the DHCP protocol itself. There are many ways for a DHCP server to develop a DNS name to use for a client, but only in certain relatively unusualrare circumstances will the DHCP server know for certain the identity of the client. If DHCP AuthenticationAuthentication becomes widely deployed this may become more customary. One example of a situation which offers some extra assurances is one where the DHCP client is connected to a network through an MCNS cable modem, and the CMTS (head-end) of the cable modem ensures that MAC address spoofing simply does not occur. Another example of a configuration that might be trusted is one where clients obtain network access via a network access server using PPP. The NAS itself might be obtaining IP addresses via DHCP, encoding a client identification into the DHCP client-id option. In this case, the network access server as well as the DHCP server might be operating within a trusted environment, in which case the DHCP server could be configured to trust that the user authentication and authorization procedureprocessing of the remote access server was sufficient, and would therefore trust the client identification encoded within the DHCP client-id. 6.8. Acknowledgements Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter Ford, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield, Michael Patton, and Glenn Stump for their review and comments. References  Mockapetris, P., "Domain names - Concepts and Facilities", RFC 1034, Nov 1987.  Mockapetris, P., "Domain names - Implementation and Specification", RFC 1035, Nov 1987.  Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option (draft-ietf-dhc-fqdn-option-*.txt)", March 2001.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.  Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for Encoding DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", March 2001.  Marine, A., Reynolds, J. and G. Malkin, "FYI on Questions and Answers to Commonly asked ``New Internet User'' Questions", RFC 1594, March 1994.  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic Updates in the Domain Name System", RFC 2136, April 1997.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", Eastlake, D., "Domain Name System Security Extensions", RFC 2119,2535, March 1997.  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August1999.  Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000.  Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992.  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages (draft-ietf-dhc-authentication-*)", June 1999.  Wellington, B., "Secure DNS Dynamic Update", RFC 3007, November 2000.  Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for Encoding DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", November 2000.  Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April 1992.  Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option (draft-ietf-dhc-fqdn-option-*.txt)", July 2000.January 2001. Author's Address Mark Stapp Cisco Systems, Inc. 250 Apollo Dr. Chelmsford, MA 01824 USA Phone: 978.244.8498 EMail: firstname.lastname@example.org Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society.