Dynamic Host Configuration M. Stapp Internet-Draft B. Volz Expires:
January 14,March 22, 2005 Cisco Systems, Inc. July 16,September 21, 2004 Resolution of DNS Name Conflicts among DHCP Clients <draft-ietf-dhc-ddns-resolution-07.txt><draft-ietf-dhc-ddns-resolution-08.txt> Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt.http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 14,March 22, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved.Abstract DHCP provides a powerful mechanism for IP host configuration. However, the configuration capability provided by DHCP does not include updating DNS, and specifically updating the name to address and address to name mappings maintained in the DNS. This document describes techniques for the resolution of DNS name conflicts among DHCP clients. Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Issues with DNS Update in DHCP Environments . . . . . . . . . 3 3.1 Client Misconfiguration . . . . . . . . . . . . . . . . . 4 3.2 Multiple DHCP Servers . . . . . . . . . . . . . . . . . . 5 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 5 5. DNS RR TTLs . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Procedures for performing DNS updates . . . . . . . . . . . . 6 6.1 Error Return Codes . . . . . . . . . . . . . . . . . . . . 6 6.2 Dual IPv4/IPv6 Client Considerations . . . . . . . . . . . 7 6.3 Adding A or AAAA RRs to DNS . . . . . . . . . . . . . . . . . . .7 6.3.1 Initial DHCID RR Query . . . . . . . . . . . . . . . . 7 6.3.2 DNS UPDATE When Name Not in Use . . . . . . . . . . . 78 6.3.3 DNS UPDATE When Name in Use . . . . . . . . . . . . . 8 6.3.4 Name in Use by another Client . . . . . . . . . . . . 8 6.4 Adding PTR RR Entries to DNS . . . . . . . . . . . . . . . 9 6.5 Removing Entries from DNS . . . . . . . . . . . . . . . . 9 6.6 Updating Other RRs . . . . . . . . . . . . . . . . . . . . 910 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 11 9.2 Informative References . . . . . . . . . . . . . . . . . . . 1112 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 1213 Intellectual Property and Copyright Statements . . . . . . . . 1314 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 . 2. Introduction "The Client FQDN Option"  includes a description of the operation of DHCPDHCPv4  clients and servers that use the DHCPv4 client FQDN option. And, "The DHCPv6 Client FQDN Option"  includes a description of the operation of DHCPv6  clients and servers that use the DHCPv6 client FQDN option. Through the use of the client FQDN option, DHCP clients and servers can negotiate the client's FQDN and the allocation of responsibility for updating the DHCP client's A or AAAA RR. This document identifies situations in which conflicts in the use of FQDNs may arise among DHCP clients, and describes a strategy for the use of the DHCID DNS resource record  in resolving those conflicts. In any case, whether a site permits all, some, or no DHCP servers and clients to perform DNS updates (RFC 2136 , RFC 3007 )) into the zones that it controls is entirely a matter of local administrative policy. This document does not require any specific administrative policy, and does not propose one. The range of possible policies is very broad, from sites where only the DHCP servers have been given credentials that the DNS servers will accept, to sites where each individual DHCP client has been configured with credentials that allow the client to modify its own domain name. Compliant implementations MAY support some or all of these possibilities. Furthermore, this specification applies only to DHCP client and server processes: it does not apply to other processes that initiate DNS updates. 3. Issues with DNS Update in DHCP Environments There are two DNS update situations that require special consideration in DHCP environments: cases where more than one DHCP client has been configured with the same FQDN, and cases where more than one DHCP server has been given authority to perform DNS updates in a zone. In these cases, it is possible for DNS records to be modified in inconsistent ways unless the updaters have a mechanism that allows them to detect anomalous situations. If DNS updaters can detect these situations, site administrators can configure the updaters' behavior so that the site's policies can be enforced. We use the term "Name Conflict" to refer to cases where more than one DHCP client wishes to be associated with a single FQDN. This specification describes a mechanism designed to allow updaters to detect these situations, and suggests that DHCP implementations use this mechanism by default. 3.1 Client Misconfiguration At many (though not all) sites, administrators wish to maintain a one-to-one relationship between active DHCP clients and domain names, and to maintain consistency between a host's A and PTR RRs. Hosts that are not represented in the DNS, or hosts which inadvertently share an FQDN with another host may encounter inconsistent behavior or may not be able to obtain access to network resources. Whether each DHCP client is configured with a domain name by its administrator or whether the DHCP server is configured to distribute the clients' names, the consistency of the DNS data is entirely dependent on the accuracy of the configuration procedure. Sites that deploy Secure DNS  may configure credentials for each host and its assigned name in a way that is more error-resistant, but this level of pre-configuration is still rare in DHCP environments. Consider an example in which two DHCP clients in the "org.nil" network are both configured with the name "foo". The clients are permitted to perform their own DNS updates. The first client, client A, is configured via DHCP. It adds an A RR to "foo.org.nil", and its DHCP server adds a PTR RR corresponding to its IP address lease. When the second client, client B, boots, it is also configured via DHCP, and it also begins to update "foo.org.nil". At this point, the "org.nil" administrators may wish to establish some policy about DHCP clients' DNS names. If the policy is that each client that boots should replace any existing A RR that matches its name, Client B can proceed, though Client A may encounter problems. In this example, Client B replaces the A RR associated with "foo.org.nil". Client A must have some way to recognize that the RR associated with "foo.org.nil" now contains information for Client B, so that it can avoid modifying the RR. When Client A's lease expires, for example, it should not remove an RR that reflects Client B's DHCP lease. If the policy is that the first DHCP client with a given name should be the only client associated with that name, Client B needs to be able to determine that it is not the client associated with "foo.org.nil". It could be that Client A booted first, and that Client B should choose another name. Or it could be that B has booted on a new subnet, and received a new lease. It must either retain persistent state about the last lease it held (in addition to its current lease) or it must have some other way to detect that it was the last updater of "foo.org.nil" in order to implement the site's policy. 3.2 Multiple DHCP Servers At many sites, the difficulties with distributing DNS update credentials to all of the DHCP clients lead to the desire for the DHCP servers to perform A RR updates on behalf of their clients. If a single DHCP server managed all of the DHCP clients at a site, it could maintain some database of the DNS names that it was managing, and check that database before initiating a DNS update for a client. Such a database is necessarily proprietary, however, and that approach does not work once more than one DHCP server is deployed. Consider an example in which DHCP Client A boots, obtains a DHCP lease from Server S1, presenting the hostname "foo" in a Client FQDN option  in its DHCPREQUEST message. Server S1 updates its domain name, "foo.org.nil", adding an A RR that matches Client A's lease. The client then moves to another subnet, served by Server S2. When Client A boots on the new subnet, Server S2 will issue it a new lease, and will attempt to add an A RR matching the new lease to "foo.org.nil". At this point, without some communication mechanism which S2 can use to ask S1 (and every other DHCP server that updates the zone) about the client, S2 has no way to know whether Client A is currently associated with the domain name, or whether A is a different client configured with the same hostname. If the servers cannot distinguish between these situations, they cannot enforce the site's naming policies. 4. Use of the DHCID RR A solution to both of these problems is for the updater (a DHCP client or DHCP server) to be able to determine which DHCP client has been associated with a DNS name, in order to offer administrators the opportunity to configure updater behavior. For this purpose, a DHCID RR, specified in , is used to associate client identification information with a DNS name and the A or PTR RR associated with that name. When either a client or server adds an A or PTR RR for a client, it also adds a DHCID RR that specifies a unique client identity, based on data from the client's DHCPREQUEST message. In this model, only one A RR is associated with a given DNS name at a time. By associating this ownership information with each DNS name, cooperating DNS updaters may determine whether their client is currently associated with a particular DNS name and implement the appropriately configured administrative policy. In addition, DHCP clients which currently have domain names may move from one DHCP server to another without losing their DNS names. The specific algorithms utilizing the DHCID RR to signal client ownership are explained below. The algorithms only work in the case where the updating entities all cooperate -- this approach is advisory only and is not a substitute for DNS security, nor is it replaced by DNS security. 5. DNS RR TTLs RRs associated with DHCP clients may be more volatile than statically configured RRs. DHCP clients and servers that perform dynamic updates should attempt to specify resource record TTLs which reflect this volatility, in order to minimize the possibility that answers to DNS queries will return records that refer to DHCP lease bindings that have expired. The coupling among primary, secondary, and caching DNS servers is 'loose'; that is a fundamental part of the design of the DNS. This looseness makes it impossible to prevent all possible situations in which a resolver may return a record reflecting a DHCP lease binding that has expired. In deployment, this rarely if ever represents a significant problem. Most DHCP-managed hosts are rarely looked-up by name in the DNS, and the deployment of IXFR (RFC 1995 )) and NOTIFY (RFC 1996 )) can reduce the latency between updates and their visibility at secondary servers. We suggest these basic guidelines for implementers. In general, the TTLs for RRs added as a result of DHCP lease activity SHOULD be less than the initial lease time. The RR TTL on a DNS record added for a DHCP lease SHOULD NOT exceed 1/3 of the lease time, and SHOULD be at least 10 minutes. We recognize that individual administrators will have varying requirements: DHCP servers and clients SHOULD allow administrators to configure TTLs, either as an absolute time interval or as a percentage of the lease time. 6. Procedures for performing DNS updates 6.1 Error Return Codes Certain RCODEs defined in RFC 2136  indicate that the destination DNS server cannot perform an update: FORMERR, SERVFAIL, REFUSED, NOTIMP. If one of these RCODEs is returned, the updater MUST terminate its update attempt. Because these errors may indicate a misconfiguration of the updater or of the DNS server, the updater MAY attempt to signal to its administrator that an error has occurred, e.g. through a log message. 6.2 Dual IPv4/IPv6 Client Considerations At the time of publication of this document, a small minority of DHCP clients support both IPv4 and IPv6. We anticipate, however, that a transition will take place over a period of time, and more sites will have dual-stack clients present. IPv6 clients will be represented by AAAA RRs; IPv4 clients by A RRs. The administrators of somemixed deployments maywill likely wish to permit a single name to contain A and AAAA RRs from different clients. Other deployments maythe same client. Sites that wish to restrict the use ofpermit a DNSsingle name to a single DHCP client, and allow onlycontain both A and AAAA RRs reflectingMUST make use of DHCPv4 clients and servers that client'ssupport using the DHCP leases.Unique Identifier for DHCPv4 client identifiers, see Node-Specific Client Identifiers for DHCPv4 . Otherwise, a dual-stack client that uses older-style DHCPv4 client identifiers (see  and ) will only be able to have either its A or AAAA record in DNS under a name because of the DHCID RR conflicts that result. 6.3 Adding A or AAAA RRs to DNS 6.3.1 Initial DHCID RR Query When a DHCP client or server intends to update an A or AAAA RR, it performs a DNS query with QNAME of the target name and with QTYPE of DHCID. If the query returns NXDOMAIN, the updater can conclude that the name is not in use and proceeds to Section 6.3.2. If the query returns NODATA,NOERROR but without an answer, the updater can conclude that the target name is in use, but that no DHCID RR is present. This indicates that some records have been configured by an administrator. Whether the updater proceeds with an update is a matter of local administrative policy. If the DHCID rrset is returned, the updater uses the hash calculation defined in the DHCID RR specification  to determine whether the client associated with the name matches the current client's identity. If so, the updater proceeds to Section 6.3.3. Otherwise the updater must conclude that the client's desired name is in use by another host and proceeds to Section 6.3.4. If any other status is returned, the updater MUST NOT attempt an update. 6.3.2 DNS UPDATE When Name Not in Use The updater prepares a DNS UPDATE query that includes as a prerequisite the assertion that the name does not exist. The update section of the query attempts to add the new name and its IP address mapping (an A or AAAA RR), and the DHCID RR with its unique client-identity. If the update operation succeeds, the A or AAAA RR update is now complete (and a client updater is finished, while a server would then proceed to perform a PTR RR update). If the update returns YXDOMAIN, the updater can now conclude that the intended name is in use and proceeds to Section 6.3.3. 6.3.3 DNS UPDATE When Name in Use The updater next attempts to confirm that the DNS name is not being used by some other host. The updater prepares a UPDATE query in which the prerequisite is that the desired name has attached to it a DHCID RR whose contents match the client identity. The update section of this query deletesthe UPDATE query contains: 1. A delete of any existing A RRs on the name if this is an A update or an AAAA update and the updater does not desire A records on the name,name. 2. A delete of the existing AAAA RRs on the name if the updater does not desire AAAA records on the name or this update is adding an AAAA and addsthe updater only desires a single address on the name. 3. An add of the A recordRR that matches the DHCP binding andif this is an A update. 4. An add of the DHCIDAAAA RR withthat matches the client identity.DHCP binding if this is an AAAA update. If the update succeeds, the updater can conclude that the current client was the last client associated with the domain name, and that the name now contains the updated A or AAAA RR. The A RRupdate is now complete (and a client updater is finished, while a server would then proceed to perform a PTR RR update). If the update returns NXRRSET, the updater must conclude that the client's desired name is in use by another host and proceeds to Section 18.104.22.168.3.4. 6.3.4 Name in Use by another Client At this juncture, the updater can decide (based on some administrative configuration outside of the scope of this document) whether to let the existing owner of the name keep that name, and to (possibly) perform some name disambiguation operation on behalf of the current client, or to replace the RRs on the name with RRs that represent the current client. If the configured policy allows replacement of existing records, the updater submits a query that deletes all RRs for the existing A RRname and adds the existing DHCID RR, addingA or AAAA and DHCID RRs that represent the IPaddress and client-identity of the new client. DISCUSSION: The updating entity may be configured to allow the existing DNS records on the domain name to remain unchanged, and to perform disambiguation on the name of the current client in order to attempt to generate a similar but unique name for the current client. In this case, once another candidate name has been generated, the updater should restart the process of adding an A RR as specified in this section. 6.4 Adding PTR RR Entries to DNS The DHCP server submits a DNS query that deletes all of the PTR RRs associated with the lease IP address, and adds a PTR RR whose data is the client's (possibly disambiguated) host name. The server MAY also add a DHCID RR as specified in Section 4.4, in which case it would include a delete of all of the DHCID RRs associated with the lease IP address, and adds a DHCID RR for the client. 6.5 Removing Entries from DNS The most important consideration in removing DNS entries is be sure that an entity removing a DNS entry is only removing an entry that it added, or for which an administrator has explicitly assigned it responsibility. When a lease expires or a DHCP client issues a DHCPRELEASE  or Release  request, the DHCP server SHOULD delete the PTR RR that matches the DHCP binding, if one was successfully added. The server's update query SHOULD assert that the name in the PTR record matches the name of the client whose lease has expired or been released.released and should delete all RRs for the name. The entity chosen to handle the A or AAAA record for this client (either the client or the server) SHOULD delete the A or AAAA record that was added when the lease was made to the client. However, the updater should only remove the DHCID RR if there are no A or AAAA RRs for the client. In order to perform this A or AAAA RR delete, the updater prepares an UPDATE query that contains two prerequisites.a prerequisite that asserts that the DHCID RR exists whose data is the client identity described in Section 4 and contains an update section that deletes the client's specific A or AAAA RR. If the query succeeds, the updater prepares a second UPDATE query that contains three prerequisites and deletes all RRs for the name. The first prerequisite asserts that the DHCID RR exists whose data is the client identity described in Section 4. The second prerequisite asserts that the data in thethere are no A RR contains the IP address of the leaseRRs. The third prerequisite asserts that has expired or been released.there are no AAAA RRs. If theeither query fails, the updater MUST NOT delete the DNS name. It may be that the client whose lease onhas expired has moved to another network and obtained a lease from a different server, which has caused the client's A or AAAA RR to be replaced. It may also be that some other client has been configured with a name that matches the name of the DHCP client, and the policy was that the last client to specify the name would get the name. In these cases, the DHCID RR will no longer match the updater's notion of the client-identity of the host pointed to by the DNS name. 6.6 Updating Other RRs The procedures described in this document only cover updates to the AA, AAAA, PTR, and PTRDHCID RRs. Updating other types of RRs is outside the scope of this document. 7. Security Considerations Unauthenticated updates to the DNS can lead to tremendous confusion, through malicious attack or through inadvertent misconfiguration. Administrators should be wary of permitting unsecured DNS updates to zones that are exposed to the global Internet. Both DHCP clients and servers SHOULD use some form of update request authentication (e.g., TSIG )) when performing DNS updates. Whether a DHCP client may be responsible for updating an FQDN to IP address mapping, or whether this is the responsibility of the DHCP server is a site-local matter. The choice between the two alternatives may be based on the security model that is used with the Dynamic DNS Update protocol (e.g., only a client may have sufficient credentials to perform updates to the FQDN to IP address mapping for its FQDN). Whether a DHCP server is always responsible for updating the FQDN to IP address mapping (in addition to updating the IP to FQDN mapping), regardless of the wishes of an individual DHCP client, is also a site-local matter. The choice between the two alternatives may be based on the security model that is being used with dynamic DNS updates. In cases where a DHCP server is performing DNS updates on behalf of a client, the DHCP server should be sure of the DNS name to use for the client, and of the identity of the client. Currently, it is difficult for DHCP servers to develop much confidence in the identities of their clients, given the absence of entity authentication from the DHCP protocol itself. There are many ways for a DHCP server to develop a DNS name to use for a client, but only in certain relatively rare circumstances will the DHCP server know for certain the identity of the client. If DHCP Authentication  becomes widely deployed this may become more customary. One example of a situation that offers some extra assurances is one where the DHCP client is connected to a network through an MCNS cable modem, and the CMTS (head-end) of the cable modem ensures that MAC address spoofing simply does not occur. Another example of a configuration that might be trusted is one where clients obtain network access via a network access server using PPP. The NAS itself might be obtaining IP addresses via DHCP, encoding a client identification into the DHCP client-id option. In this case, the network access server as well as the DHCP server might be operating within a trusted environment, in which case the DHCP server could be configured to trust that the user authentication and authorization processing of the remote access server was sufficient, and would therefore trust the client identification encoded within the DHCP client-id. 8. Acknowledgements Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed Lewis, Michael Lewis, Josh Littlefield, Michael Patton, and Glenn Stump for their review and comments. 9. References 9.1 Normative References  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.  Stapp, M., Gustafsson, A. and T. Lemon, "A DNS RR for Encoding DHCP Information (draft-ietf-dnsext-dhcid-rr-*)", July 2004.  Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997. 9.2 Informative References  Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option (draft-ietf-dhc-fqdn-option-*.txt)", July 2004.  Volz, B., "The DHCPv6 Client FQDN Option (draft-ietf-dhc-dhcpv6-fqdn-*.txt)", September 2004.  Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*txt)", July 2004.  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.  Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999.  Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000.  Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001.  Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August 1996.  Vixie, P., "A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)", RFC 1996, August 1996. Authors' Addresses Mark Stapp Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 USA Phone: 978.936.1535 EMail: firstname.lastname@example.org Bernie Volz Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 USA Phone: 978.936.0382 EMail: email@example.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.