[dhcwg] Re: Last Call: 'Resolution of FQDN Conflicts among DHCP Clients' to Proposed Standard
Pekka Savola <pekkas@netcore.fi> Sat, 26 November 2005 14:35 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Eg19S-0001kV-4N; Sat, 26 Nov 2005 09:35:42 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Eg19Q-0001kD-PW; Sat, 26 Nov 2005 09:35:40 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA16743; Sat, 26 Nov 2005 09:34:57 -0500 (EST)
Received: from netcore.fi ([193.94.160.1]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Eg1Su-0003Fj-LP; Sat, 26 Nov 2005 09:55:49 -0500
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id jAQEZUb27036; Sat, 26 Nov 2005 16:35:30 +0200
Date: Sat, 26 Nov 2005 16:35:30 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: iesg@ietf.org
In-Reply-To: <E1EbpXa-0007U9-4f@newodin.ietf.org>
Message-ID: <Pine.LNX.4.64.0511261627310.26558@netcore.fi>
References: <E1EbpXa-0007U9-4f@newodin.ietf.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 386e0819b1192672467565a524848168
Cc: dhcwg@ietf.org
Subject: [dhcwg] Re: Last Call: 'Resolution of FQDN Conflicts among DHCP Clients' to Proposed Standard
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
On Mon, 14 Nov 2005, The IESG wrote:
> The IESG has received a request from the Dynamic Host Configuration WG to
> consider the following documents:
>
> - 'A DNS RR for Encoding DHCP Information (DHCID RR) '
> <draft-ietf-dnsext-dhcid-rr-10.txt> as a Proposed Standard
> - 'Resolution of FQDN Conflicts among DHCP Clients '
> <draft-ietf-dhc-ddns-resolution-10.txt> as a Proposed Standard
> - 'The DHCP Client FQDN Option '
> <draft-ietf-dhc-fqdn-option-11.txt> as a Proposed Standard
> - 'The DHCPv6 Client FQDN Option '
> <draft-ietf-dhc-dhcpv6-fqdn-03.txt> as a Proposed Standard
I read draft-ietf-dhc-dhcpv6-fqdn-03.txt. I believe most of the
comments also apply to the DHCPv4 option. I think the document set
was overall well written, though there seemed to be a couple of issues
which need to be resolved.
substantial
-----------
The Client FQDN option MUST only appear in a message's options field
and applies to all addresses for all IA_NA bindings in the
transaction.
==> shouldn't this be rather specified the other way around, i.e., in
which cases the receivers MUST discard Client FQDN options? Sooner or
later someone will send the option in a wrong place, and it makes
sense to guard against this in the receiver's implementation.
o Otherwise, if the client's "S" bit is 1 and the servers's
configuration allows it to honor the client's request for the
server to initiate AAAA RR DNS updates and if it has the necessary
credentials, the server sets the "S" to 1. If the server's "S"
bit does not match the client's "S" bit, the server sets the "O"
bit to 1.
==> the server cannot know, before it has tried DNS update, whether it has
"the necessary credentials", right?
The server MAY perform these updates even if the client's message did
not carry the Client FQDN option. The server MUST NOT initiate DNS
updates when responding with an ADVERTISE message to the client.
The server MAY complete its DNS updates (PTR RR or PTR and AAAA RR)
before the server sends the REPLY message to the client.
Alternatively, the server MAY send the REPLY message to the client
without waiting for the update to be completed. Whether the DNS
update occurs before or after the REPLY is sent is entirely up to the
DHCPv6 server's configuration.
If the server's AAAA RR DNS update does not complete until after the
server has replied to the DHCPv6 client, the server's interaction
with the DNS server MAY cause the DHCPv6 server to change the domain
name that it associates with the client. This can occur, for
example, if the server detects and resolves a domain-name conflict
[8]. In such cases, the domain name that the server returns to the
DHCPv6 client would change between two DHCPv6 exchanges.
==> does the first paragraph work with Rapid Commit, as there are no
messages beyond Advertise?
==> actually, the 2nd sentence of 1st paragraph should maybe be placed at
the end of the second paragraph -- it'd seem more logical there.
==> how does the resolution process described in 3rd paragraph work with
Rapid Commit? If DNS update is done after the last communication with the
client, it's not clear how you signal the changed FQDN to the client?
9. Security Considerations
==> this section should provide a pointer to ddns-resolution's
security considerations section, highlighting the necessity of
implementing conflict resolution properly. For example, something
like,
It is critical to implement proper conflict resolution, and the
security properties of conflict resolution apply [8]. For example,
a DHCP-client from example.com should not be able to override,
e.g., www.example.com.
editorial
---------
Depending on the prescence of or type of authentication used with the
==> s/prescence/presence/
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Last Call: 'Resolution of FQDN Conflicts … The IESG
- [dhcwg] DHCID and the use of MD5 [Re: Last Call: … Pekka Savola
- [dhcwg] DHCP and FQDN conflicts [Re: Last Call: '… Pekka Savola
- [dhcwg] Re: Last Call: 'Resolution of FQDN Confli… Pekka Savola
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Ted Lemon
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Pekka Savola
- RE: [dhcwg] Re: Last Call: 'Resolution of FQDN Co… Bernie Volz (volz)
- RE: [dhcwg] Re: Last Call: 'Resolution of FQDN Co… Pekka Savola
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Ted Lemon
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Steven M. Bellovin
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Sam Hartman
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Steven M. Bellovin
- Re: [dhcwg] Re: DHCID and the use of MD5 [Re: Las… Ted Lemon
- [dhcwg] Re: DHCID and the use of MD5 [Re: Last Ca… Ted Lemon
- Re: [dhcwg] Re: DHCID and the use of MD5 [Re: Las… Steven M. Bellovin
- Re: [dhcwg] Re: DHCID and the use of MD5 [Re: Las… Mark Stapp
- Re: [dhcwg] Re: DHCID and the use of MD5 [Re: Las… Sam Hartman
- Re: [dhcwg] DHCP and FQDN conflicts [Re: Last Cal… David W. Hankins
- Re: [dhcwg] DHCP and FQDN conflicts [Re: Last Cal… Pekka Savola
- Re: [dhcwg] DHCP and FQDN conflicts [Re: Last Cal… David W. Hankins