Skip to main content

A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
draft-ietf-dnsext-dhcid-rr-13

Yes

(Margaret Cullen)

No Objection

(Alex Zinin)
(Bill Fenner)
(Mark Townsley)
(Russ Housley)
(Sam Hartman)

Note: This ballot was opened for revision 13 and is now closed.

Margaret Cullen Former IESG member
Yes
Yes () Unknown

                            
Alex Zinin Former IESG member
No Objection
No Objection () Unknown

                            
Allison Mankin Former IESG member
No Objection
No Objection (2006-03-15) Unknown
The hash function they implemented in the dhcid is fine now (updating
my old comment).
Bert Wijnen Former IESG member
No Objection
No Objection (2006-03-16) Unknown
In: draft-ietf-dnsext-dhcid-rr-12.txt

- sect 3.6.1.
     client.example.com.   A       10.0.0.1
  IP address in examples ought to be from 192.0.2.0/24 range as
  per RFC3330

- sect 3.6.2
   A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
  and
     chi.example.com.      A       10.0.12.99
  Same here, IP address should be from 192.0.2.0/24 range as per
  RFC3330

- Sect 3.6.4
    A DHCP server allocates the IPv6 address 2000::1234:5678 to a client
  and
     chi.example.com.      A       10.0.12.99
  IPv6 addresses in examples should be in the  2001:DB8::/32 range as
  per RFC3849.
Bill Fenner Former IESG member
No Objection
No Objection () Unknown

                            
Brian Carpenter Former IESG member
(was Discuss) No Objection
No Objection (2006-03-06) Unknown
re draft-ietf-dhc-fqdn-option-11.txt

Comments from Gen-ART review by Harald Alverstrand:

A smaller piece of missing material is this, from section 3.3.1 of the v4 document:

  Clients and servers SHOULD follow the character-set recommendations
  of RFC 1034 [2] and RFC 1035 [3].  However, implementers SHOULD also
  be aware that some client software could be using UTF-8 [10]
  character encoding.  This specification does not require any support
  for UTF-8.

Given DNS experts' insistence that the DNS protocol does not place any limits on character sets, it would be good to have a clearer pointer to what recommendations are intended here.
Given that it's in section 3.3.1 (Deprecated ASCII encoding), one can assume that this refers to a character set recommendation for characters in the ASCII encoding; a DNS encoded name should probably be used "as is", no matter what it contains (although it would be good if the doc said so).

It's also unclear from the text whether or not there's a trailing dot on the name in the deprecated ASCII encoding (there's no need for one, since a non-FQDN name can only be one component, but other fields of use have done this in the past, so it's best to be clear that this field does not do so).


-------------------------

Many lesser comments on the document set at these URLs:
http://www.alvestrand.no/ietf/gen/reviews/draft-ietf-dnsext-dhcid-rr-10-alvestrand.txt
http://www.alvestrand.no/ietf/gen/reviews/draft-ietf-dhc-ddns-resolution-10-alvestrand.txt
David Kessens Former IESG member
(was Discuss, No Objection) No Objection
No Objection (2006-03-16) Unknown
I received a few very detailed reviews from the DNS review team. The number of isssues is that large that I believe that a revised ID is warranted. However,
I don't believe that any issue in itself is enough to block this document, there 
are just too many of them that can easily fixed with RFC editor notes or
in 48 hours.

Therefore, my DISCUSS is as follows:

---

Please consider the reviews form the DNS review team and update the documents where you believe it makes sense. I explicitly am not requiring you to make the 
proposed changes, I only want you to consider them and make the updates where you believe it makes sense.

I actually ran out of space here to include all reviews so I am going to forward them to you seperately. 

I am also willing to clear my DISCUSS with the condition that the shepherding
AD will take this issue up and deal with the revised ID.

----

I received the following comments from the DNS review team by Roy Arends that you might want to consider:

This is a review of draft-ietf-dnsext-dhcid-rr-12:

 In general, an informative reference needs to be fixed. Terminology             
 and examples need to be fixed, and the input construction for the               
 digest algorithm is not clear.  

Review of draft-ietf-dhc-ddns-resolution-11:                                    
                                                                                
 There is some wording that needs to be fixed, i.e. "update query" and           
 the likes. Some references need to be fixed.

Review of DRAFT-IETF-DHC-FQDN-OPTION-12:                     
                                                                               
 In general, draft-ietf-dhc-dhcpv6-fqdn-04.txt is mostly the same as            
 this document. As I only review this wrt DNS, my comments will                 
 apply to both documents.



---

Detailed review draft-ietf-dnsext-dhcid-rr-12:

   1.  Terminology                                                              
                                                                                
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",          
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this         
   document are to be interpreted as described in RFC 2119 [2].                 
                                                                                
please put terminology after intro.

   The DHCID RR is defined with mnemonic DHCID and type code [TBD].             
   The                                                                             
   DHCID RR is only defined in the IN class.  DHCID RRs cause no                
   additional section processing.  The DHCID RR is not a singleton              
   type.                                                                           
                                                                                
The term "singleton type" is not a DNS term. Where is it defined ?

  In DNS master files, the RDATA is represented as a single block in           
   base 64 encoding identical to that used for representing binary data         
   in RFC 3548 [7].                                                             
                                                                                
There are two alphabets in RFC3548 for base 64. Which one is used here ?  

   The DHCID RR Digest Type Code is an identifier for the digest                
   algorithm used.  The digest is calculated over an identifier and the         
   canonical FQDN as described in the next section.                             
                                                                                
Is it ? How do I exactly calculate the digest ? See next section for            
more comments.

   The input to the digest hash function is defined to be:                      
                                                                                
       digest = SHA-256(< identifier > < FQDN >)                                
                                                                                
what is <identifier> ?                                                          
                                                                                
This is terribly unclear.                                                       
                                                                                
   The FQDN is represented in the buffer in unambiguous canonical form          
                                                                                
"unambiguous canonical form" is a pleonasm. Please use "Canonical               
Wire Format"                                                                    
                                                                                
   as described in RFC 4034 [8], section 6.1.                                   
                                                                                
RFC 4034 section 6.1 deals with canonical ordering of names. Please             
refer to 6.2. 

   The identifier type code                                                     
   and the identifier are related as specified in Section 3.3: the              
   identifier type code describes the source of the identifier.                 
                                                                                
   A DHCPv4 updater uses the 0x0002 type code if a Client Identifier            
   option is present in the DHCPv4 messages and it is encoded as                
   specified in [12].                                                           
                                                                                
[12] is informative, not normative. If one is required to know the              
encoding to determine a type-code, please refer to the encoding as              
normative. 


   the client.  The DHCID RDATA is composed by setting the two type             
   octets to zero, the 1-octet digest type to 1 for SHA-256, and                
   performing an SHA-256 hash computation across a buffer containing            
   the                                                                             
   Ethernet MAC type octet,                                                     
                                                                                
What is the Ethernet Mac type octet ? is that "htype, chaddr from a             
DHCPv4 client's DHCPREQUEST" ? 

  If the DHCID RR type is not supported, the RDATA would be encoded            
   [13] as:                                                                     
                                                                                
     \# 35 ( 000001c4b9a5b249651343158dde7bcc77169841f7a4243a572b5c283          
             fffedeb3f75e6 )                                                    
                                                                                
I tried to this, and this is my result:                                         
                                                                                
\# 35                                                                           
000001457811a1e592b6f52a81e6a7767281fb4b1379fbf2cc9645d5a2ffc9b1dd54f7          
                                                                                
The input I used, exactly following the description in the example is           
as follows (base 16 string):                                                    
                                                                                
00000101020304050606636c69656e74076578616d706c6503636f6d00                      
                                                                                
Which breaks down to  0000 identifier type code                                                      
     01 digest type                                                             
       010203040506 The six octets of the mac address                           
                                                                                
and the wireformat of client.example.com, which is                              
                                                                                
                  (6)c l i e n t(7)e x a m p l e(3)c o m(0)                     
                   06636c69656e74076578616d706c6503636f6d00                     
                                                                                
When I follow the construction as specified in the previous chapter,            
I do not need to use the identifier type code and the digest type as            
input for the hash function.                                                    
                
 I tried that too, but again, different results from what you have:             
                                                                                
\# 35                                                                           
0000016388f0e5221a5faa6b109dab9bdd4c2f1a3408d59c3c60b8fb45c5b6e4f0ed94          
                                                                                
Please tell me what I did wrong.                                                
                           
  type to 1 for SHA-256, and performing a SHA-256 hash computation             
   across a buffer containing the seven octets from the client-id               
option                                                                          
   and the FQDN (represented as specified in Section 3.5).                      
                                                                                
In this example, the input buffer does not contain the identifier               
type and the digest type, which seems correct to me.                            
                                                                                
     chi.example.com.      A       10.0.12.99                                   
     chi.example.com.      DHCID   ( AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdW          
                                     L3b/NaiUDlW2No= )                          
                                                                                
   If the DHCID RR type is not supported, the RDATA would be encoded            
   [13] as:                                                                     
                                                                                
     \# 35 ( 0001013920fe5d1dceb3fd0ba3379756a70d73b17009f41d58bddbfcd          
             6a2503956d8da )                                                    
                                                                                
Okay, perfect. I got the same result.   

=========================================================================

Detailed review draft-ietf-dnsext-dhcid-rr-12:

   of the DNS data is entirely dependent on the accuracy of the                 
   configuration procedure.  Sites that deploy Secure DNS [11] may              
                                                                                
[11] (rfc 2535) reference is updated by rfc 4033/4034/4035                      
                  
   configure credentials for each client and its assigned FQDN in a way         
   that is more error-resistant, as both the FQDN and credentials must          
   match.                                                                       
                                                                                
rfc 2535 and its replacements deal with origin authentication and               
data integrity. This is, the actual DNS data. If you mean                       
"transaction security" such as SIG(0) and TSIG for dynamic updates,             
please refer to Secure Dynamic Update [10].                                     
                 
   Certain RCODEs defined in RFC 2136 [3] indicate that the destination         
                                                                                
Nit: Don't use names and references together.  please just say                  
"Certain RCODEs defined in [3] indicate that the destination"                   
                 
   Because these errors may indicate a           
   misconfiguration of the updater or of the DNS server, the updater            
   MAY                                                                             
   attempt to signal to its administrator that an error has occurred,           
   e.g. through a log message.                                                  
                                                                                
What about errorcodes specific for TSIG or SIG(0) ?

   5.3.  Adding A and/or AAAA RRs to DNS                                        
                                                                                
   When a DHCP client or server intends to update A and/or AAAA RRs, it         
   starts with the update query in Section 5.3.1.                               
                                                                                
A DNS message is either a Request or Response. The Request has an               
opcode. This opcode can be UPDATE or QUERY. So update query is                  
confusing. This should be update request.                                       
                                 
===========================================================

Detailed review DRAFT-IETF-DHC-FQDN-OPTION-12:                     

   This document specifies a Dynamic Host Configuration Protocol for           
   IPv4, DHCPv4, option which can be used to exchange information              
   about                                                                          
   a DHCPv4 client's fully-qualified domain name and about                     
   responsibility for updating the DNS RR related to the client's              
   address assignment.                                                         
                                                                               
I understand this option already exists, and this document updates             
and extends its use. I would rephrase this to:                                 
                                                                               
This document updates and extends the DHCP Client FQDN option for the          
Dynamic Host Configuration Protocol IPv4.  This option can be used to          
exchange information about the a DHCPv4 client's fully qualified               
domain name. This information includes the FQDN and information about          
the responsibility for updating the DNS RR related to the client's             
address assignment.

Please put terminology after the introduction.                                 
                                                                               
   1.  Terminology                                                             
                                                                               
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",         
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in                    
   this                                                                           
   document are to be interpreted as described in RFC 2119 [1].                
   
   In any case, whether a site permits all, some, or no DHCP                 
   servers and                                                                    
   clients to perform DNS updates into the zones which it controls is          
   entirely a matter of local administrative policy.                           
                                                                               
Please rephrase to:                                                            
                                                                               
It is considered local policy to permit DHCP clients and servers to            perform DNS updates to zones.                                                

   This document does                                                          
   not require any specific administrative policy, and does not                
   propose                                                                        
   one.                                                                        
                                                                               
Yet, the document continues to specify a range of possible policies:           
                                                                               >              
    The range of possible policies is very broad, from sites where         
    only the DHCP servers have been given credentials that the DNS              
    servers will accept, to sites where each individual DHCP client has         
    been configured with credentials which allow the client to                  
    modify its                                                                     
   own domain name.  Compliant implementations may support some or all         
   of these possibilities.  Furthermore,                                       
                                                                               
I'd delete the previous paragraph.  
        
   This document describes a new DHCP option which a client can use to         
                                                                               
Is it new ? If it is new, why are there deprecated elements ?                  
                                                                               
   convey all or part of its domain name to a DHCP server.  Site-              
   specific policy determines whether DHCP servers use the names that          
   clients offer or not, and what DHCP servers may do in cases where           
   clients do not supply domain names.                                         
                                                                               
Note that a 'part of its domain name' is not a FQDN.                           

      client sends the Client FQDN option in its DHCPDISCOVER message, it         
   MUST send the option in subsequent DHCPREQUEST messages though the          
   contents of the option MAY change.                                          
                                                                               
   Only one Client FQDN option MAY appear in a message.                        
                                                                               
What if a client has more than one name ? It is possible to have               
more than one PTR per address.                                                 
                                                                               
   The code for this option is 81.  Its minimum length is 3 (octets).          
                                                                               
To avoid ambiguity, please specify that the length is excluding the            
Code and Len field.

        Code   Len    Flags  RCODE1 RCODE2   Domain Name                       
       +------+------+------+------+------+------+--                           
       |  81  |   n  |      |      |      |       ...                          
       +------+------+------+------+------+------+--                           
                                                                               
Please state somewhere that the above convention restrict name                 
lengths to 253. In DNS, a name has a maximum length of 255.  

   MUST send the option in subsequent DHCPREQUEST messages though the          
   contents of the option MAY change.                                          
                                                                               
   Only one Client FQDN option MAY appear in a message.                        
                                                                               
What if a client has more than one name ? It is possible to have               
more than one PTR per address.                                                 

   The format of the Client FQDN option is:                                    
                                                                               
        Code   Len    Flags  RCODE1 RCODE2   Domain Name                       
       +------+------+------+------+------+------+--                           
       |  81  |   n  |      |      |      |       ...                          
       +------+------+------+------+------+------+--                           
                                                                               
Please state somewhere that the above convention restrict name                 
lengths to 253. In DNS, a name has a maximum length of 255.                    
                                             
   The format of the 1-octet Flags field is:                                   
                                                                               
        0 1 2 3 4 5 6 7                                                        
       +-+-+-+-+-+-+-+-+                                                       
       |  MBZ  |N|E|O|S|                                                       
       +-+-+-+-+-+-+-+-+                                                       
                                                                               
The order of the flags below is not as it appears in the field.                
                                                                               
Does "S" indicate "Server" ?                                                   
                                                                               
Please be consistent in using "Flags" or "Bits"                                
        

   in the reply from the server indicates the action to be taken by            
   the                                                                            
   server; if 1, the server has taken responsibility for A RR updates          
   for the FQDN.                                                               
                                                                               
Does "O" indicate "Override" ?

   The "O" bit indicates whether the server has overridden the                 
   client's                                                                       
   preference for the "S" bit.  A client MUST set this bit to 0.  A            
   server MUST set this bit to 1 if the "S" bit in its reply to the            
   client does not match the "S" bit received from the client.                 
                                                                               
What does "N" indicate ?
Jon Peterson Former IESG member
No Objection
No Objection (2005-11-30) Unknown
nit: dhc-ddns-resolution, Security Considerations, first sentence: "where or not" should be "whether or not"?
Mark Townsley Former IESG member
No Objection
No Objection () Unknown

                            
Russ Housley Former IESG member
(was Discuss) No Objection
No Objection () Unknown

                            
Sam Hartman Former IESG member
(was Discuss) No Objection
No Objection () Unknown

                            
Scott Hollenbeck Former IESG member
(was Discuss, No Objection) No Objection
No Objection (2005-11-29) Unknown
draft-ietf-dhc-ddns-resolution: Reserved domains from RFC 2606 might be better than "org.nil" in the examples.
Ted Hardie Former IESG member
No Objection
No Objection (2005-11-28) Unknown
In the introduction to fqdn-option, the document says:

DNS ([2], [3]) maintains (among other things) the information about
   the mapping between hosts' Fully Qualified Domain Names (FQDNs) [8]
   and IP addresses assigned to the hosts.  The information is
   maintained in two types of Resource Records (RRs): A and PTR.

Obviously, there are AAAA records as well.  Since they are being treated
together, an informative pointer from this document to dhcpv6-fqdn seems like
a good idea, especially since the ddns-resolution doc cites consistency among
A, AAAA, and PTR records as one of its issues.

In draft-ietf-dhc-ddns-resolution, the language in 6.3.2 was hard to follow for
the case where a DHC client has multiple interfaces and wishes to associate
AAAA or records containing the same fqdn with the v6 or v4 addresses associated
with those interfaces.