Re: New I-Ds on ftp.bucknell.edu

"Edie E. Gunter" <edie@watson.ibm.com> Tue, 20 February 1996 18:09 UTC

Date: Tue, 20 Feb 1996 12:54:58 -0500
Message-Id: <9602201553.AA20109@edisto.watson.ibm.com>
Errors-To: droms@bucknell.edu
Reply-To: dhcp-v4@bucknell.edu
Originator: dhcp-v4@bucknell.edu
Precedence: bulk
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "Edie E. Gunter" <edie@watson.ibm.com>
To: Multiple recipients of list <dhcp-v4@bucknell.edu>
Subject: Re: New I-Ds on ftp.bucknell.edu

Jim,

> Before we even discuss the use of leases for DNS records we need to
> determine if DNS needs a lease for each A or AAAA record.  I maintain as
> an initial discussion that this is not necessary.

I would agree -- DNS doesn't *need* a lease.  DHCP-v4, however, does.
So, to make them work together nicely, you'll want the corresponding
DNS records to go away when the DHCP addresses expire.

> Because renumbering is not inherent yet in IPv4 or DHCPv4 I will use my
> stateless IPv6 implementation as an example on a "client".

> I process IPv6 ND RAs prefix options for valid and preferred liftetimes.
> Before an address goes invalid I could delete the DNS AAAA record or
> right after.  DNSSEC is not an issue and you need to point out your
> concerns in "detail" where it is an issue.  Because if it is I have
> input for DNSSEC.  Realize the use of SIG records initially suggested
> has completely been re-done so I am not sure which dynDNS security model
> your alluding to at this point in the discussion?

> Now if the DHCPv6 server wants to delete the clients A record I will put
> the same code (reuse) for that on my server.

I can't comment on renumbering, IPV6, or DHCPv6.  My comments were
directed at DHCPv4 and DNS. There were two issues in Michael Lewis's
mail where I made comments related to DNS security.  One was that if
a DHCP server is updating A RR's and the client is moving among
multiple domains then managing the KEY is going to be quite difficult
since each DHCP server where the client goes will need the KEY to
use back at the client's home DNS server to perform the update.

The other DNS security related comment was in
in response to a suggestion that a DHCP client/server
be responsible for updating DNS after lease expiration.  Here I
pointed out that in secure DNS, the SIG determines when data
expires.  When the A/PTR RR is updated, if the SIG
expiration is not modified then the life of this data may not
correspond to the DHCP lease time.  If the DNS data expires before
the DHCP lease then the client is crippled (DNS no longer knows
him).  If the DNS data expires after the DHCP lease then there is
a potential security exposure.  My concern was not with DNSSEC,
but with the mechanism Michael suggested.  It seems to me it would
be better to set up the expiration in DNS when the RRs are updated than
to assume the data will last forever (which it won't with secure
DNS) and then have a DHCP client/server delete or update the data
after the DHCP lease expires.

  (If you're allowing dynamic updates and *not* using security,
   expiration of data is DNS is the least of your problems.  But,
   in this case, Michael's suggestion might work just fine.)

> We need to discuss this in detail but in the present draft per Yakov the
> TTL will not work as a strategy.  Nor should the TTL be used in that
> manner.  I also have an architecture problem with leases in the DNS
> until we talk this through a bit more.

TTLs are completely inappropriate for this.

Edie
  (should this discussion be moved to the dhcp-dns list?)

New I-Ds on ftp.bucknell.edu Ralph Droms
Re: New I-Ds on ftp.bucknell.edu Michael J. Lewis
Re: New I-Ds on ftp.bucknell.edu bound
Re: New I-Ds on ftp.bucknell.edu Yakov Rekhter
Re: New I-Ds on ftp.bucknell.edu Yakov Rekhter
Re: New I-Ds on ftp.bucknell.edu Edie E. Gunter
Re: New I-Ds on ftp.bucknell.edu bound
Re: New I-Ds on ftp.bucknell.edu Edie E. Gunter
Re: New I-Ds on ftp.bucknell.edu bound