1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
|
Network Working Group M. Stapp
Request for Comments: 4702 B. Volz
Category: Standards Track Cisco Systems, Inc.
Y. Rekhter
Juniper Networks
October 2006
The Dynamic Host Configuration Protocol (DHCP) Client
Fully Qualified Domain Name (FQDN) Option
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes a Dynamic Host Configuration Protocol for
IPv4 (DHCPv4) option that can be used to exchange information about a
DHCPv4 client's fully qualified domain name and about responsibility
for updating the DNS RR related to the client's address assignment.
Stapp, et al. Standards Track [Page 1]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
Table of Contents
1. Introduction ....................................................3
1.1. Terminology ................................................3
1.2. Models of Operation ........................................3
2. The Client FQDN Option ..........................................4
2.1. The Flags Field ............................................5
2.2. The RCODE Fields ...........................................6
2.3. The Domain Name Field ......................................6
2.3.1. Deprecated ASCII Encoding ...........................7
3. DHCP Client Behavior ............................................7
3.1. Interaction with Other Options .............................7
3.2. Client Desires to Update A RRs .............................8
3.3. Client Desires Server to Do DNS Updates ....................8
3.4. Client Desires No Server DNS Updates .......................8
3.5. Domain Name and DNS Update Issues ..........................9
4. DHCP Server Behavior ...........................................10
4.1. When to Perform DNS Updates ...............................11
5. DNS RR TTLs ....................................................12
6. DNS Update Conflicts ...........................................12
7. IANA Considerations ............................................13
8. Security Considerations ........................................13
9. Acknowledgements ...............................................14
10. References ....................................................14
10.1. Normative References .....................................14
10.2. Informative References ...................................15
Stapp, et al. Standards Track [Page 2]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
1. Introduction
DNS ([2], [3]) maintains (among other things) the information about
the mapping between hosts' Fully Qualified Domain Names (FQDNs) [11]
and IP addresses assigned to the hosts. The information is
maintained in two types of Resource Records (RRs): A and PTR. The
DNS update specification ([4]) describes a mechanism that enables DNS
information to be updated over a network.
The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP
in this document) [5] provides a mechanism by which a host (a DHCP
client) can acquire certain configuration information, along with its
address. This document specifies a DHCP option, the Client FQDN
option, which can be used by DHCP clients and servers to exchange
information about the client's fully qualified domain name for an
address and who has the responsibility for updating the DNS with the
associated A and PTR RRs.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
1.2. Models of Operation
When a DHCP client acquires a new address, a site's administrator may
desire that one or both of the A RR for the client's FQDN and the PTR
RR for the acquired address be updated. Therefore, two separate DNS
update transactions may occur. Acquiring an address via DHCP
involves two entities: a DHCP client and a DHCP server. In
principle, each of these entities could perform none, one, or both of
the transactions. However, in practice, not all permutations make
sense. The DHCP Client FQDN option is primarily intended to operate
in the following two cases:
1. DHCP client updates the A RR, DHCP server updates the PTR RR.
2. DHCP server updates both the A and the PTR RRs.
The only difference between these two cases is whether the FQDN-to-
IP-address mapping is updated by a DHCP client or by a DHCP server.
The IP-address-to-FQDN mapping is updated by a DHCP server in both
cases.
The reason these two are important, while others are unlikely, has to
do with authority over the respective DNS domain names. A DHCP
client may be given authority over mapping its own A RRs, or that
Stapp, et al. Standards Track [Page 3]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
authority may be restricted to a server to prevent the client from
listing arbitrary addresses or associating its address with arbitrary
domain names. In all cases, the only reasonable place for the
authority over the PTR RRs associated with the address is in the DHCP
server that allocates the address.
Note: A third case is supported: the client requests that the server
perform no updates. However, this case is presumed to be rare
because of the authority issues.
It is considered local policy to permit DHCP clients and servers to
perform DNS updates to zones. This document does not require any
specific administrative policy and does not propose one.
Furthermore, this specification applies only to DHCP client and
server processes; it does not apply to other processes that initiate
DNS updates.
This document describes a DHCP option which a client can use to
convey all or part of its domain name to a DHCP server. Site-
specific policy determines whether DHCP servers use the names that
clients offer or not, and what DHCP servers may do in cases where
clients do not supply domain names.
2. The Client FQDN Option
To update the IP-address-to-FQDN mapping, a DHCP server needs to know
the FQDN of the client to which the server leases the address. To
allow the client to convey its FQDN to the server, this document
defines a new DHCP option, called "Client FQDN". The Client FQDN
option also contains Flags, which DHCP servers can use to convey
information about DNS updates to clients, and two deprecated RCODEs.
Clients MAY send the Client FQDN option, setting appropriate Flags
values, in both their DHCPDISCOVER and DHCPREQUEST messages. If a
client sends the Client FQDN option in its DHCPDISCOVER message, it
MUST send the option in subsequent DHCPREQUEST messages though the
contents of the option MAY change.
Only one Client FQDN option MAY appear in a message, though it may be
instantiated in a message as multiple options [9]. DHCP clients and
servers supporting this option MUST implement DHCP option
concatenation [9]. In the terminology of [9], the Client FQDN option
is a concatenation-requiring option.
The code for this option is 81. Len contains the number of octets
that follow the Len field, and the minimum value is 3 (octets).
Stapp, et al. Standards Track [Page 4]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
The format of the Client FQDN option is:
Code Len Flags RCODE1 RCODE2 Domain Name
+------+------+------+------+------+------+--
| 81 | n | | | | ...
+------+------+------+------+------+------+--
The above figure follows the conventions of [12].
2.1. The Flags Field
The format of the 1-octet Flags field is:
0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
| MBZ |N|E|O|S|
+-+-+-+-+-+-+-+-+
The "S" bit indicates whether the server SHOULD or SHOULD NOT perform
the A RR (FQDN-to-address) DNS updates. A client sets the bit to 0
to indicate the server SHOULD NOT perform the updates and 1 to
indicate the server SHOULD perform the updates. The state of the bit
in the reply from the server indicates the action to be taken by the
server; if 1, the server has taken responsibility for A RR updates
for the FQDN.
The "O" bit indicates whether the server has overridden the client's
preference for the "S" bit. A client MUST set this bit to 0. A
server MUST set this bit to 1 if the "S" bit in its reply to the
client does not match the "S" bit received from the client.
The "N" bit indicates whether the server SHOULD NOT perform any DNS
updates. A client sets this bit to 0 to request that the server
SHOULD perform updates (the PTR RR and possibly the A RR based on the
"S" bit) or to 1 to request that the server SHOULD NOT perform any
DNS updates. A server sets the "N" bit to indicate whether the
server SHALL (0) or SHALL NOT (1) perform DNS updates. If the "N"
bit is 1, the "S" bit MUST be 0.
The "E" bit indicates the encoding of the Domain Name field. 1
indicates canonical wire format, without compression, as described in
[3], Section 3.1. This encoding SHOULD be used by clients and MUST
be supported by servers. 0 indicates a now-deprecated ASCII encoding
(see Section 2.3.1). A server MUST use the same encoding as that
Stapp, et al. Standards Track [Page 5]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
used by the client. A server that does not support the deprecated
ASCII encoding MUST ignore Client FQDN options that use that
encoding.
The remaining bits in the Flags field are reserved for future
assignment. DHCP clients and servers that send the Client FQDN
option MUST clear the MBZ bits, and they MUST ignore these bits.
2.2. The RCODE Fields
The two 1-octet RCODE1 and RCODE2 fields are deprecated. A client
SHOULD set these to 0 when sending the option and SHOULD ignore them
on receipt. A server SHOULD set these to 255 when sending the option
and MUST ignore them on receipt.
As this option with these fields is already in wide use, the fields
are retained. These fields were originally defined for use by a DHCP
server to indicate to a DHCP client the Response Code from any A
(RCODE1) or PTR (RCODE2) RR DNS updates it has performed, or a value
of 255 was used to indicate that an update had been initiated but had
not yet completed. Each of these fields is one octet long. These
fields were defined before EDNS0 [13], which describes a mechanism
for extending the length of a DNS RCODE to 12 bits, which is another
reason to deprecate them.
If the client needs to confirm that the DNS update has been done, it
MAY use a DNS query to check whether the mapping is up to date.
However, depending on the load on the DHCP and DNS servers and the
DNS propagation delays, the client can only infer success. If the
information is not found to be up to date in DNS, the authoritative
servers might not have completed the updates or zone transfers, or
caching resolvers may yet have updated their caches.
2.3. The Domain Name Field
The Domain Name part of the option carries all or part of the FQDN of
a DHCP client. The data in the Domain Name field SHOULD appear in
canonical wire format as specified in [3], Section 3.1. If the DHCP
client uses the canonical wire format, it MUST set the "E" bit in the
Flags field to 1. In order to determine whether the FQDN has changed
between message exchanges, the client and server MUST NOT alter the
Domain Name field contents unless the FQDN has actually changed.
A client MAY be configured with a fully qualified domain name or with
a partial name that is not fully qualified. If a client knows only
part of its name, it MAY send a name that is not fully qualified,
indicating that it knows part of the name but does not necessarily
know the zone in which the name is to be embedded.
Stapp, et al. Standards Track [Page 6]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
To send a fully qualified domain name, the Domain Name field is set
to the DNS-encoded domain name including the terminating zero-length
label. To send a partial name, the Domain Name field is set to the
DNS encoded domain name without the terminating zero-length label.
A client MAY also leave the Domain Name field empty if it desires the
server to provide a name.
2.3.1. Deprecated ASCII Encoding
A substantial population of clients implemented an earlier draft of
this specification, which permitted an ASCII encoding of the Domain
Name field. Server implementations SHOULD be aware that clients that
send the Client FQDN option with the "E" bit set to 0 are using an
ASCII encoding of the Domain Name field. Servers MAY be prepared to
return an ASCII-encoded version of the Domain Name field to such
clients. Servers that are not prepared to return an ASCII-encoded
version MUST ignore the Client FQDN option if the "E" bit is 0. The
use of ASCII encoding in this option SHOULD be considered deprecated.
A DHCP client that used ASCII encoding was permitted to suggest a
single label if it was not configured with a fully qualified name.
Such clients send a single label as a series of ASCII characters in
the Domain Name field, excluding the "." (dot) character.
Clients and servers SHOULD follow the character set rules of [6],
fourth section ("Assumptions"), first 5 sentences, as modified by
[7], Section 2.1. However, implementers SHOULD also be aware that
some client software may send data intended to be in other character
sets. This specification does not require support for other
character sets.
3. DHCP Client Behavior
The following describes the behavior of a DHCP client that implements
the Client FQDN option.
3.1. Interaction with Other Options
Other DHCP options MAY carry data that is related to the Domain Name
field of the Client FQDN option. The Host Name option [12], for
example, contains an ASCII string representation of the client's host
name. In general, a client does not need to send redundant data, and
therefore clients that send the Client FQDN option in their messages
MUST NOT also send the Host Name option. Clients that receive both
the Host Name option and the Client FQDN option from a server SHOULD
Stapp, et al. Standards Track [Page 7]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
prefer Client FQDN option data. Section 4 instructs servers to
ignore the Host Name option in client messages that include the
Client FQDN option.
3.2. Client Desires to Update A RRs
If a client that owns/maintains its own FQDN wants to be responsible
for updating the FQDN-to-IP-address mapping for the FQDN and
address(es) used by the client, the client MUST include the Client
FQDN option in the DHCPREQUEST message originated by the client. A
DHCP client MAY choose to include the Client FQDN option in its
DHCPDISCOVER messages as well as its DHCPREQUEST messages. The "S",
"O", and "N" bits in the Flags field in the option MUST be 0.
Once the client's DHCP configuration is completed (the client
receives a DHCPACK message and successfully completes a final check
on the parameters passed in the message), the client MAY originate an
update for the A RR (associated with the client's FQDN) unless the
server has set the "S" bit to 1. If the "S" is 1, the DHCP client
SHOULD NOT initiate an update for the name in the server's returned
Client FQDN option Domain Name field. However, a DHCP client that is
explicitly configured with a FQDN MAY ignore the state of the "S" bit
if the server's returned name matches the client's configured name.
3.3. Client Desires Server to Do DNS Updates
A client can choose to delegate the responsibility for updating the
FQDN-to-IP-address mapping for the FQDN and address(es) used by the
client to the server. In order to inform the server of this choice,
the client SHOULD include the Client FQDN option in its DHCPREQUEST
message and MAY include the Client FQDN option in its DHCPDISCOVER.
The "S" bit in the Flags field in the option MUST be 1, and the "O"
and "N" bits MUST be 0.
3.4. Client Desires No Server DNS Updates
A client can choose to request that the server perform no DNS updates
on its behalf. In order to inform the server of this choice, the
client SHOULD include the Client FQDN option in its DHCPREQUEST
message and MAY include the Client FQDN option in its DHCPDISCOVER.
The "N" bit in the Flags field in the option MUST be 1, and the "S"
and "O" bits MUST be 0.
Once the client's DHCP configuration is completed (the client
receives a DHCPACK message and successfully completes a final check
on the parameters passed in the message), the client MAY originate
Stapp, et al. Standards Track [Page 8]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
its DNS updates provided the server's "N" bit is 1. If the server's
"N" bit is 0, the server MAY perform the PTR RR updates; it MAY also
perform the A RR updates if the "S" bit is 1.
3.5. Domain Name and DNS Update Issues
As there is a possibility that the DHCP server is configured to
complete or replace a domain name that the client sends, the client
MAY find it useful to send the Client FQDN option in its DHCPDISCOVER
messages. If the DHCP server returns different Domain Name data in
its DHCPOFFER message, the client could use that data in performing
its own eventual A RR update, or in forming the Client FQDN option
that it sends in its DHCPREQUEST message. There is no requirement
that the client send identical Client FQDN option data in its
DHCPDISCOVER and DHCPREQUEST messages. In particular, if a client
has sent the Client FQDN option to its server, and the configuration
of the client changes so that its notion of its domain name changes,
it MAY send the new name data in a Client FQDN option when it
communicates with the server again. This MAY cause the DHCP server
to update the name associated with the PTR record and, if the server
updated the A record representing the client, to delete that record
and attempt an update for the client's current domain name.
A client that delegates the responsibility for updating the FQDN-to-
IP-address mapping to a server will not receive any indication
(either positive or negative) from the server as to whether the
server was able to perform the update. The client MAY use a DNS
query to check whether the mapping is up to date (see Section 2.2).
If a client releases its lease prior to the lease expiration time and
is responsible for updating its A RR, the client SHOULD delete the A
RR associated with the leased address before sending a DHCPRELEASE
message. Similarly, if a client was responsible for updating its A
RR, but is unable to renew its lease, the client SHOULD attempt to
delete the A RR before its lease expires. A DHCP client that has not
been able to delete an A RR that it added (because it has lost the
use of its DHCP IP address) SHOULD attempt to notify its
administrator, perhaps by emitting a log message.
A client that desires to perform DNS updates to A RRs SHOULD NOT do
so if the client's address is a private address [8].
Stapp, et al. Standards Track [Page 9]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
4. DHCP Server Behavior
The following describes the behavior of a DHCP server that implements
the Client FQDN option when the client's message includes the Client
FQDN option.
The server examines its configuration and the Flag bits in the
client's Client FQDN option to determine how to respond:
o If the client's "E" bit is 0 and the server does not support ASCII
encoding (Section 2.3.1), the server SHOULD ignore the Client FQDN
option.
o The server sets to 0 the "S", "O", and "N" bits in its copy of the
option it will return to the client. The server copies the
client's "E" bit.
o If the client's "N" bit is 1 and the server's configuration allows
it to honor the client's request for no server initiated DNS
updates, the server sets the "N" bit to 1.
o Otherwise, if the client's "S" bit is 1 and the server's
configuration allows it to honor the client's request for the
server to initiate A RR DNS updates, the server sets the "S" to 1.
If the server's "S" bit does not match the client's "S" bit, the
server sets the "O" bit to 1.
The server MAY be configured to use the name supplied in the client's
Client FQDN option, or it MAY be configured to modify the supplied
name or to substitute a different name. The server SHOULD send its
notion of the complete FQDN for the client in the Domain Name field.
The server MAY simply copy the Domain Name field from the Client FQDN
option that the client sent to the server. The server MUST use the
same encoding format (ASCII or DNS binary encoding) that the client
used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST,
and it MUST set the "E" bit in the option's Flags field accordingly.
If a client sends both the Client FQDN and Host Name option, the
server SHOULD ignore the Host Name option.
The server SHOULD set the RCODE1 and RCODE2 fields to 255 before
sending the Client FQDN message to the client in a DHCPOFFER or
DHCPACK.
Stapp, et al. Standards Track [Page 10]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
4.1. When to Perform DNS Updates
The server SHOULD NOT perform any DNS updates if the "N" bit is 1 in
the Flags field of the Client FQDN option in the DHCPACK messages (to
be) sent to the client. However, the server SHOULD delete any RRs
that it previously added via DNS updates for the client.
The server MAY perform the PTR RR DNS update (unless the "N" bit is
1).
The server MAY perform the A RR DNS update if the "S" bit is 1 in the
Flags field of the Client FQDN option in the DHCPACK message (to be)
sent to the client.
The server MAY perform these updates even if the client's DHCPREQUEST
did not carry the Client FQDN option. The server MUST NOT initiate
DNS updates when responding to DHCPDISCOVER messages from a client.
The server MAY perform its DNS updates (PTR RR or PTR and A RR)
before or after sending the DHCPACK message to the client.
If the server's A RR DNS update does not complete until after the
server has replied to the DHCP client, the server's interaction with
the DNS server MAY cause the DHCP server to change the domain name
that it associates with the client. This can occur, for example, if
the server detects and resolves a domain-name conflict [10]. In such
cases, the domain name that the server returns to the DHCP client
would change between two DHCP exchanges.
If the server previously performed DNS updates for the client and the
client's information has not changed, the server MAY skip performing
additional DNS updates.
When a server detects that a lease on an address that the server
leases to a client has expired, the server SHOULD delete any PTR RR
that it added via DNS update. In addition, if the server added an A
RR on the client's behalf, the server SHOULD also delete the A RR.
When a server terminates a lease on an address prior to the lease's
expiration time (for instance, by sending a DHCPNAK to a client), the
server SHOULD delete any PTR RR that it associated with the address
via DNS update. In addition, if the server took responsibility for
an A RR, the server SHOULD also delete that A RR.
Stapp, et al. Standards Track [Page 11]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
5. DNS RR TTLs
RRs associated with DHCP clients may be more volatile than statically
configured RRs. DHCP clients and servers that perform dynamic
updates should attempt to specify resource-record TTLs that reflect
this volatility, in order to minimize the possibility that answers to
DNS queries will return records that refer to DHCP IP address
assignments that have expired or been released.
The coupling among primary, secondary, and caching DNS servers is
'loose'; that is a fundamental part of the design of the DNS. This
looseness makes it impossible to prevent all possible situations in
which a resolver may return a record reflecting a DHCP-assigned IP
address that has expired or been released. In deployment, this
rarely, if ever, represents a significant problem. Most DHCP-managed
clients are infrequently looked up by name in the DNS, and the
deployment of IXFR ([16]) and NOTIFY ([17]) can reduce the latency
between updates and their visibility at secondary servers.
We suggest these basic guidelines for implementers. In general, the
TTLs for RRs added as a result of DHCP IP address assignment activity
SHOULD be less than the initial lease time. The RR TTL on a DNS
record added SHOULD NOT exceed 1/3 of the lease time, but SHOULD NOT
be less than 10 minutes. We recognize that individual administrators
will have varying requirements: DHCP servers and clients SHOULD allow
administrators to configure TTLs and upper and lower bounds on the
TTL values, either as an absolute time interval or as a percentage of
the lease time.
While clients and servers MAY update the TTL of the records as the
lease is about to expire, there is no requirement that they do so, as
this puts additional load on the DNS system with likely little
benefit.
6. DNS Update Conflicts
This document does not resolve how a DHCP client or server prevents
name conflicts. This document addresses only how a DHCP client and
server negotiate who will perform the DNS updates and the fully
qualified domain name requested or used.
Implementers of this work will need to consider how name conflicts
will be prevented. If a DNS updater needs a security token in order
to successfully perform DNS updates on a specific name, name
conflicts can only occur if multiple updaters are given a security
token for that name. Or, if the fully qualified domains are based on
Stapp, et al. Standards Track [Page 12]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
the specific address bound to a client, conflicts will not occur.
Or, a name conflict resolution technique as described in "Resolving
Name Conflicts" [10] SHOULD be used.
7. IANA Considerations
IANA has already assigned DHCP option 81 to the Client FQDN option.
As this document describes the option's use, IANA is requested to
reference this document for option 81.
8. Security Considerations
Unauthenticated updates to the DNS can lead to tremendous confusion,
through malicious attack or through inadvertent misconfiguration.
Administrators need to be wary of permitting unsecured DNS updates to
zones that are exposed to the global Internet. Both DHCP clients and
servers should use some form of update request origin authentication
procedure (e.g., Secure DNS Dynamic Update [14]) when performing DNS
updates.
Whether a DHCP client is responsible for updating an FQDN-to-IP-
address mapping or whether this is the responsibility of the DHCP
server is a site-local matter. The choice between the two
alternatives is likely based on the security model that is used with
the DNS update protocol (e.g., only a client may have sufficient
credentials to perform updates to the FQDN-to-IP-address mapping for
its FQDN).
Whether a DHCP server is always responsible for updating the FQDN-
to-IP-address mapping (in addition to updating the IP to FQDN
mapping), regardless of the wishes of an individual DHCP client, is
also a site-local matter. The choice between the two alternatives is
likely based on the security model that is being used with DNS
updates. In cases where a DHCP server is performing DNS updates on
behalf of a client, the DHCP server should be sure of the DNS name to
use for the client, and of the identity of the client.
Currently, it is difficult for DHCP servers to develop much
confidence in the identities of its clients, given the absence of
entity authentication from the DHCP protocol itself. There are many
ways for a DHCP server to develop a DNS name to use for a client, but
only in certain relatively unusual circumstances will the DHCP server
know for certain the identity of the client. If DHCP Authentication
[15] becomes widely deployed, this may become more customary.
One example of a situation that offers some extra assurances is when
the DHCP client is connected to a network through an Multimedia Cable
Network System (MCNS) cable modem, and the cable modem termination
Stapp, et al. Standards Track [Page 13]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
system (CMTS), i.e., head-end, ensures that MAC address spoofing
simply does not occur. Another example of a configuration that might
be trusted is one where clients obtain network access via a network
access server using PPP. The NAS itself might be obtaining IP
addresses via DHCP, encoding a client identification into the DHCP
client-id option. In this case, the network access server as well as
the DHCP server might be operating within a trusted environment, in
which case the DHCP server could be configured to trust that the user
authentication and authorization procedure of the remote access
server was sufficient, and would therefore trust the client
identification encoded within the DHCP client-id.
It is critical to implement proper conflict resolution, and the
security considerations of conflict resolution apply [10].
9. Acknowledgements
Many thanks to Mark Beyer, Jim Bound, Ralph Droms, Robert Elz, Peter
Ford, Olafur Gudmundsson, Edie Gunter, Andreas Gustafsson, David W.
Hankins, R. Barr Hibbs, Kim Kinnear, Stuart Kwan, Ted Lemon, Ed
Lewis, Michael Lewis, Josh Littlefield, Michael Patton, Pekka Savola,
Jyrki Soini, and Glenn Stump for their review and comments.
10. References
10.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[3] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[4] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
April 1997.
[5] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997.
[6] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet host
table specification", RFC 952, October 1985.
[7] Braden, R., "Requirements for Internet Hosts - Application and
Support", STD 3, RFC 1123, October 1989.
Stapp, et al. Standards Track [Page 14]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
[8] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
Lear, "Address Allocation for Private Internets", BCP 5,
RFC 1918, February 1996.
[9] Lemon, T. and S. Cheshire, "Encoding Long Options in the
Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
November 2002.
[10] Stapp, M. and B. Volz, "Resolution of Fully Qualified Domain
Name (FQDN) Conflicts among Dynamic Host Configuration Protocol
(DHCP) Clients", RFC 4703, October 2006.
10.2. Informative References
[11] Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions and
Answers - Answers to Commonly asked "New Internet User"
Questions", FYI 4, RFC 1594, March 1994.
[12] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997.
[13] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
August 1999.
[14] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000.
[15] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
RFC 3118, June 2001.
[16] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
August 1996.
[17] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
(DNS NOTIFY)", RFC 1996, August 1996.
Stapp, et al. Standards Track [Page 15]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
Authors' Addresses
Mark Stapp
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: 978.936.1535
EMail: mjs@cisco.com
Bernie Volz
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: 978.936.0382
EMail: volz@cisco.com
Yakov Rekhter
Juniper Networks
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
Phone: 408.745.2000
EMail: yakov@juniper.net
Stapp, et al. Standards Track [Page 16]
^L
RFC 4702 The DHCP Client FQDN Option October 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Stapp, et al. Standards Track [Page 17]
^L
|
