RE: [dhcwg] DHCP and FQDN conflicts [Re: Last Call: 'Resolution of FQDN

Pekka:

Regarding your one major issue, the updater is NOT the entity that gets
to decide whether to allow any DNS update to occur or not. It is the DNS
server that restricts who can do updates and what they can update.

We're assuming that the most likely entity to be given fairly open
access to a zone is the DHCP server and that is where the administrative
policy comes in.

A few more comments inline below (prefixed by BV>).

- Bernie

> -----Original Message-----
> From: dhcwg-bounces(_at_)ietf(_dot_)org 
> [mailto:dhcwg-bounces(_at_)ietf(_dot_)org] 
> On Behalf Of Pekka Savola
> Sent: Saturday, November 26, 2005 9:27 AM
> To: iesg(_at_)ietf(_dot_)org
> Cc: dhcwg(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org
> Subject: [dhcwg] DHCP and FQDN conflicts [Re: Last Call: 
> 'Resolution of FQDN Conflicts among DHCP Clients' to Proposed 
> Standard]
>
> On Mon, 14 Nov 2005, The IESG wrote:
> > The IESG has received a request from the Dynamic Host 
> Configuration WG to
> > consider the following documents:
> >
> > - 'A DNS RR for Encoding DHCP Information (DHCID RR) '
> >   <draft-ietf-dnsext-dhcid-rr-10.txt> as a Proposed Standard
> > - 'Resolution of FQDN Conflicts among DHCP Clients '
> >   <draft-ietf-dhc-ddns-resolution-10.txt> as a Proposed Standard
> > - 'The DHCP Client FQDN Option '
> >   <draft-ietf-dhc-fqdn-option-11.txt> as a Proposed Standard
> > - 'The DHCPv6 Client FQDN Option '
> >   <draft-ietf-dhc-dhcpv6-fqdn-03.txt> as a Proposed Standard
> I have one major issue with 'Resolution of FQDN Conflicts among DHCP 
> Clients', the first issue below.  It fails to properly describe the 
> threats caused by DHCP clients requesting updating non-DHCP FQDN's 
> (like a random host from example.com requesting "www.example.com"). 
> While this may not be a problem if DHCP clients belong to different 
> zones from non-DHCP clients, this is not discussed at all in the 
> document -- except ruled out of scope.
>
> This discussion needs to be included.
>
> .......
>
> 6.3.3.  FQDN in Use by another Client
>
>     As the FQDN appears to be in use by another client or is not
>     associated with any client, the updater can decide (based on some
>     administrative configuration outside of the scope of this 
> document)
>     whether to let the existing owner of the FQDN keep that 
> FQDN, and to
>     (possibly) perform some FQDN disambiguation operation on behalf of
>     the current client, or to replace the RRs on the FQDN 
> with RRs that
>     represent the current client.  [...]
>
> ==> this is the biggest short-coming in this specification.  
> The choice of
> this "administrative configuration outside the scope of this 
> document" has
> enermous security implications which have not been discussed at all in
> Security Considerations section or here.
>
> Specifically, consider the scenario:
>
> 1) www.example.com is manually configured (no DHCP) to point 
> to 1.1.1.1,
>     hence has no DHCID records.
> 2) a node in example.com zone uses DHCP, and purports its name is
>     "www.example.com".  The DHCP server may nor may not 
> perform the update
>     based on the "admin config outside the scope of this document".
>
> When reading the specification, this specific danger should 
> be very clearly
> explained, and this should be reflected in the document.  I'd 
> also suggest
> that by default, the server MUST NOT (or SHOULD NOT) perform 
> updates if
> there is no DHCID RR.
>
> ...
>
> 6.3.2.  DNS UPDATE When FQDN in Use
>
>     2.  A delete of the existing AAAA RRs on the FQDN if the 
> updater does
>         not desire AAAA records on the FQDN or this update is 
> adding an
>         AAAA and the updater only desires a single IP address on the
>         FQDN.
>
> ==> how does the code know whether the updates only desires a 
> single IP
> address on the FQDN or not?   AFAICS, there's no way to 
> signal this from the
> DHCP client!
Agreed. That is why the language is the way it is. As a DHCP server is
likely to be doing the updates, it would be the entity to implement the
policy. In most DHCPv4 environments today, it is just a single A record
that is allowed.

If the client is doing the updates, it is aware of what it has and
therefore can do the correct thing.

> 5.  DNS RR TTLs
>
> ==> this section describes which TTLs to use in DNS RRs with 
> DHCP.  This has
> nothing to do with conflict resolution, though it's 
> convenient to specify
> this (which applies to both DHCPv4 and DHCPv6) here instead 
> of duplicating
> the same text in both DHCPv4/v6 specifications.  But should 
> this still be
> moved there?
>
>
> semi-editorial
> --------------
>
>     There are two DNS update situations that require special
>     consideration in DHCP environments: cases where more than one DHCP
>     client has been configured with the same FQDN and cases where more
>     than one DHCP server has been given authority to perform 
> DNS updates
>     in a zone.
>
> ==> the first point is actually more generic than that 
> (though you cover it
> as well in section 6.3.3), but rewording would be useful.  How about:
>
>     There are two DNS update situations that require special
>     consideration in DHCP environments: cases where more than 
> one node is
>     configured with the same FQDN and cases where more
>     than one DHCP server has been given authority to perform 
> DNS updates
>     in a zone.
>
> (and similar, "s/DHCP clients/nodes/" throughout -- it's 
> sufficient that one
> node uses DHCP, the others don't need to..)
>
>
> editorial
> ---------
>
>     FQDN, or Fully Qualified Domain Name, is the full name of 
> a system,
>     rather than just its hostname.  For example, "venera" is 
> a hostname
>     and "venera.isi.edu" is an FQDN.  See RFC 1983 [7].
>
> ==> use "example.com", please.
>
>      Through the use of the client
>     FQDN option, DHCP clients and servers can negotiate the 
> client's FQDN
>     and the allocation of responsibility for updating the 
> DHCP client's A
>     and/or AAAA RRs.
>
> ==> also PTR records, not just A/AAAA..
>
> When either a client or server
>     adds A, AAAA, or PTR RRs for a client, it also adds a 
> DHCID RR that
>     specifies a unique client identity, based on data from 
> the client's
>     DHCPREQUEST message.
>
> ==> seems to use DHCPv4-specific terminology, also add DHCPv6 wording?
>
>     The most important consideration in removing DNS entries 
> is be sure
>     that an entity removing a DNS entry is only removing an 
> entry that it
>     added, or for which an administrator has explicitly assigned it
>     responsibility.
>
> ==> s/be/being/ ?
>
> 9.2.  Informative References
>
>     [5]   Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
>           March 1997.
>
>     [6]   Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, 
> C., and M.
>           Carney, "Dynamic Host Configuration Protocol for IPv6
>           (DHCPv6)", RFC 3315, July 2003.
>
> ==> These should likely be normative references.
>
>     Sites that wish to permit a single FQDN to contain both A and AAAA
>     RRs MUST make use of DHCPv4 clients and servers that support using
>     the DHCP Unique Identifier (DUID) for DHCPv4 client 
> identifiers such
>     that this DUID is used in computing the RDATA of the 
> DHCID RR by both
>     DHCPv4 and DHCPv6 for the client, see Node-Specific Client
>     Identifiers for DHCPv4 [14].
>
> ==> [14] should likely be a normative reference.  The good 
> news is that it's
> already in RFC editor's queue! :)
>
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
> _______________________________________________
> dhcwg mailing list
> dhcwg(_at_)ietf(_dot_)org
> https://www1.ietf.org/mailman/listinfo/dhcwg
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf