Network Working Group M. Stapp Request for Comments: 4702 B. Volz Category: Standards Track Cisco Systems, Inc. Y. Rekhter Juniper Networks October 2006 The Dynamic Host Configuration Protocol (DHCP) Client Fully Qualified Domain Name (FQDN) Option Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006).
AbstractThis document describes a Dynamic Host Configuration Protocol for IPv4 (DHCPv4) option that can be used to exchange information about a DHCPv4 client's fully qualified domain name and about responsibility for updating the DNS RR related to the client's address assignment.
1. Introduction ....................................................3 1.1. Terminology ................................................3 1.2. Models of Operation ........................................3 2. The Client FQDN Option ..........................................4 2.1. The Flags Field ............................................5 2.2. The RCODE Fields ...........................................6 2.3. The Domain Name Field ......................................6 2.3.1. Deprecated ASCII Encoding ...........................7 3. DHCP Client Behavior ............................................7 3.1. Interaction with Other Options .............................7 3.2. Client Desires to Update A RRs .............................8 3.3. Client Desires Server to Do DNS Updates ....................8 3.4. Client Desires No Server DNS Updates .......................8 3.5. Domain Name and DNS Update Issues ..........................9 4. DHCP Server Behavior ...........................................10 4.1. When to Perform DNS Updates ...............................11 5. DNS RR TTLs ....................................................12 6. DNS Update Conflicts ...........................................12 7. IANA Considerations ............................................13 8. Security Considerations ........................................13 9. Acknowledgements ...............................................14 10. References ....................................................14 10.1. Normative References .....................................14 10.2. Informative References ...................................15
2], ) maintains (among other things) the information about the mapping between hosts' Fully Qualified Domain Names (FQDNs)  and IP addresses assigned to the hosts. The information is maintained in two types of Resource Records (RRs): A and PTR. The DNS update specification () describes a mechanism that enables DNS information to be updated over a network. The Dynamic Host Configuration Protocol for IPv4 (DHCPv4 or just DHCP in this document)  provides a mechanism by which a host (a DHCP client) can acquire certain configuration information, along with its address. This document specifies a DHCP option, the Client FQDN option, which can be used by DHCP clients and servers to exchange information about the client's fully qualified domain name for an address and who has the responsibility for updating the DNS with the associated A and PTR RRs. 1].
authority may be restricted to a server to prevent the client from listing arbitrary addresses or associating its address with arbitrary domain names. In all cases, the only reasonable place for the authority over the PTR RRs associated with the address is in the DHCP server that allocates the address. Note: A third case is supported: the client requests that the server perform no updates. However, this case is presumed to be rare because of the authority issues. It is considered local policy to permit DHCP clients and servers to perform DNS updates to zones. This document does not require any specific administrative policy and does not propose one. Furthermore, this specification applies only to DHCP client and server processes; it does not apply to other processes that initiate DNS updates. This document describes a DHCP option which a client can use to convey all or part of its domain name to a DHCP server. Site- specific policy determines whether DHCP servers use the names that clients offer or not, and what DHCP servers may do in cases where clients do not supply domain names. 9]. DHCP clients and servers supporting this option MUST implement DHCP option concatenation . In the terminology of , the Client FQDN option is a concatenation-requiring option. The code for this option is 81. Len contains the number of octets that follow the Len field, and the minimum value is 3 (octets).
The format of the Client FQDN option is: Code Len Flags RCODE1 RCODE2 Domain Name +------+------+------+------+------+------+-- | 81 | n | | | | ... +------+------+------+------+------+------+-- The above figure follows the conventions of . 3], Section 3.1. This encoding SHOULD be used by clients and MUST be supported by servers. 0 indicates a now-deprecated ASCII encoding (see Section 2.3.1). A server MUST use the same encoding as that
used by the client. A server that does not support the deprecated ASCII encoding MUST ignore Client FQDN options that use that encoding. The remaining bits in the Flags field are reserved for future assignment. DHCP clients and servers that send the Client FQDN option MUST clear the MBZ bits, and they MUST ignore these bits. 13], which describes a mechanism for extending the length of a DNS RCODE to 12 bits, which is another reason to deprecate them. If the client needs to confirm that the DNS update has been done, it MAY use a DNS query to check whether the mapping is up to date. However, depending on the load on the DHCP and DNS servers and the DNS propagation delays, the client can only infer success. If the information is not found to be up to date in DNS, the authoritative servers might not have completed the updates or zone transfers, or caching resolvers may yet have updated their caches. 3], Section 3.1. If the DHCP client uses the canonical wire format, it MUST set the "E" bit in the Flags field to 1. In order to determine whether the FQDN has changed between message exchanges, the client and server MUST NOT alter the Domain Name field contents unless the FQDN has actually changed. A client MAY be configured with a fully qualified domain name or with a partial name that is not fully qualified. If a client knows only part of its name, it MAY send a name that is not fully qualified, indicating that it knows part of the name but does not necessarily know the zone in which the name is to be embedded.
To send a fully qualified domain name, the Domain Name field is set to the DNS-encoded domain name including the terminating zero-length label. To send a partial name, the Domain Name field is set to the DNS encoded domain name without the terminating zero-length label. A client MAY also leave the Domain Name field empty if it desires the server to provide a name. 6], fourth section ("Assumptions"), first 5 sentences, as modified by , Section 2.1. However, implementers SHOULD also be aware that some client software may send data intended to be in other character sets. This specification does not require support for other character sets. 12], for example, contains an ASCII string representation of the client's host name. In general, a client does not need to send redundant data, and therefore clients that send the Client FQDN option in their messages MUST NOT also send the Host Name option. Clients that receive both the Host Name option and the Client FQDN option from a server SHOULD
prefer Client FQDN option data. Section 4 instructs servers to ignore the Host Name option in client messages that include the Client FQDN option.
its DNS updates provided the server's "N" bit is 1. If the server's "N" bit is 0, the server MAY perform the PTR RR updates; it MAY also perform the A RR updates if the "S" bit is 1. Section 2.2). If a client releases its lease prior to the lease expiration time and is responsible for updating its A RR, the client SHOULD delete the A RR associated with the leased address before sending a DHCPRELEASE message. Similarly, if a client was responsible for updating its A RR, but is unable to renew its lease, the client SHOULD attempt to delete the A RR before its lease expires. A DHCP client that has not been able to delete an A RR that it added (because it has lost the use of its DHCP IP address) SHOULD attempt to notify its administrator, perhaps by emitting a log message. A client that desires to perform DNS updates to A RRs SHOULD NOT do so if the client's address is a private address .
Section 2.3.1), the server SHOULD ignore the Client FQDN option. o The server sets to 0 the "S", "O", and "N" bits in its copy of the option it will return to the client. The server copies the client's "E" bit. o If the client's "N" bit is 1 and the server's configuration allows it to honor the client's request for no server initiated DNS updates, the server sets the "N" bit to 1. o Otherwise, if the client's "S" bit is 1 and the server's configuration allows it to honor the client's request for the server to initiate A RR DNS updates, the server sets the "S" to 1. If the server's "S" bit does not match the client's "S" bit, the server sets the "O" bit to 1. The server MAY be configured to use the name supplied in the client's Client FQDN option, or it MAY be configured to modify the supplied name or to substitute a different name. The server SHOULD send its notion of the complete FQDN for the client in the Domain Name field. The server MAY simply copy the Domain Name field from the Client FQDN option that the client sent to the server. The server MUST use the same encoding format (ASCII or DNS binary encoding) that the client used in the Client FQDN option in its DHCPDISCOVER or DHCPREQUEST, and it MUST set the "E" bit in the option's Flags field accordingly. If a client sends both the Client FQDN and Host Name option, the server SHOULD ignore the Host Name option. The server SHOULD set the RCODE1 and RCODE2 fields to 255 before sending the Client FQDN message to the client in a DHCPOFFER or DHCPACK.
10]. In such cases, the domain name that the server returns to the DHCP client would change between two DHCP exchanges. If the server previously performed DNS updates for the client and the client's information has not changed, the server MAY skip performing additional DNS updates. When a server detects that a lease on an address that the server leases to a client has expired, the server SHOULD delete any PTR RR that it added via DNS update. In addition, if the server added an A RR on the client's behalf, the server SHOULD also delete the A RR. When a server terminates a lease on an address prior to the lease's expiration time (for instance, by sending a DHCPNAK to a client), the server SHOULD delete any PTR RR that it associated with the address via DNS update. In addition, if the server took responsibility for an A RR, the server SHOULD also delete that A RR.
16]) and NOTIFY () can reduce the latency between updates and their visibility at secondary servers. We suggest these basic guidelines for implementers. In general, the TTLs for RRs added as a result of DHCP IP address assignment activity SHOULD be less than the initial lease time. The RR TTL on a DNS record added SHOULD NOT exceed 1/3 of the lease time, but SHOULD NOT be less than 10 minutes. We recognize that individual administrators will have varying requirements: DHCP servers and clients SHOULD allow administrators to configure TTLs and upper and lower bounds on the TTL values, either as an absolute time interval or as a percentage of the lease time. While clients and servers MAY update the TTL of the records as the lease is about to expire, there is no requirement that they do so, as this puts additional load on the DNS system with likely little benefit.
the specific address bound to a client, conflicts will not occur. Or, a name conflict resolution technique as described in "Resolving Name Conflicts"  SHOULD be used. 14]) when performing DNS updates. Whether a DHCP client is responsible for updating an FQDN-to-IP- address mapping or whether this is the responsibility of the DHCP server is a site-local matter. The choice between the two alternatives is likely based on the security model that is used with the DNS update protocol (e.g., only a client may have sufficient credentials to perform updates to the FQDN-to-IP-address mapping for its FQDN). Whether a DHCP server is always responsible for updating the FQDN- to-IP-address mapping (in addition to updating the IP to FQDN mapping), regardless of the wishes of an individual DHCP client, is also a site-local matter. The choice between the two alternatives is likely based on the security model that is being used with DNS updates. In cases where a DHCP server is performing DNS updates on behalf of a client, the DHCP server should be sure of the DNS name to use for the client, and of the identity of the client. Currently, it is difficult for DHCP servers to develop much confidence in the identities of its clients, given the absence of entity authentication from the DHCP protocol itself. There are many ways for a DHCP server to develop a DNS name to use for a client, but only in certain relatively unusual circumstances will the DHCP server know for certain the identity of the client. If DHCP Authentication  becomes widely deployed, this may become more customary. One example of a situation that offers some extra assurances is when the DHCP client is connected to a network through an Multimedia Cable Network System (MCNS) cable modem, and the cable modem termination
system (CMTS), i.e., head-end, ensures that MAC address spoofing simply does not occur. Another example of a configuration that might be trusted is one where clients obtain network access via a network access server using PPP. The NAS itself might be obtaining IP addresses via DHCP, encoding a client identification into the DHCP client-id option. In this case, the network access server as well as the DHCP server might be operating within a trusted environment, in which case the DHCP server could be configured to trust that the user authentication and authorization procedure of the remote access server was sufficient, and would therefore trust the client identification encoded within the DHCP client-id. It is critical to implement proper conflict resolution, and the security considerations of conflict resolution apply .  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.  Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.  Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997.  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.  Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet host table specification", RFC 952, October 1985.  Braden, R., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, October 1989.
 Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.  Lemon, T. and S. Cheshire, "Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396, November 2002.  Stapp, M. and B. Volz, "Resolution of Fully Qualified Domain Name (FQDN) Conflicts among Dynamic Host Configuration Protocol (DHCP) Clients", RFC 4703, October 2006.  Marine, A., Reynolds, J., and G. Malkin, "FYI on Questions and Answers - Answers to Commonly asked "New Internet User" Questions", FYI 4, RFC 1594, March 1994.  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.  Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999.  Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000.  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001.  Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August 1996.  Vixie, P., "A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)", RFC 1996, August 1996.
Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org. Acknowledgement Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).