[dhcwg] Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
Peter Koch <pk@TechFak.Uni-Bielefeld.DE> Mon, 10 February 2003 19:39 UTC
Message-Id: <200302101927.h1AJRdu16843@grimsvotn.TechFak.Uni-Bielefeld.DE>
To: Ralph Droms <rdroms@cisco.com>
Cc: dhcwg@ietf.org, ipng@sunroof.eng.sun.com, namedroppers@ops.ietf.org
In-reply-to: Your message of "Wed, 05 Feb 2003 16:17:49 EST." <4.3.2.7.2.20030205160932.051c5948@funnel.cisco.com>
Date: Mon, 10 Feb 2003 20:27:39 +0100
From: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Subject: [dhcwg] Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt

> draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt describes two options for
> DHCPv6: the Domain Name Server option and the Domain Search List

> This document uses terminology specific to IPv6 and DHCPv6 as defined
> in section "Terminology" of the DHCP specification.

Might want to add an explicit normative reference here?

> 4. Domain Name Server option
>
> The Domain Name Server option provides a list of one or more IP
> addresses of DNS servers to which a client's DNS resolver MAY send

From a purist's point of view I'm tempted to say that you're not really
looking for a DNS server here but instead for a (list of) recursive
resolvers.

> DNS-server: IP address of DNS server

I did not follow the DHCPv6 effort too closely, so I must admit not knowing
the usual "culture", but wouldn't it be better to say IPv6 address here?

> A server sends a Domain Search List option to the DHCP client to
> specify the domain search list the client is to use when resolving
> hostnames with DNS. This option does not apply to other name
> resolution mechanisms.

The draft does not say for which kind of domain names the client is
expected to process the list, i.e. one-label names only, n-label names
(how to communicate the 'n', aka 'ndots', then?) or whether this is left
to the application(s).

> Because the Domain Search List option may be used to spoof DNS name
> resolution in a way that cannot be detected by DNS security
> mechanisms like DNSSEC [5], DHCP clients and servers MUST use

Apart from the sad fact that DNSSEC isn't yet deployed I don't see why it
wouldn't be able to detect spoofing. If, however, you want to say that
using domain names in the search list you don't control is a dangerous
thing, that could be emphasized by a reference to RFC 1535.

> authenticated DHCP when a Domain Search List option is included in a
> DHCP message.

Why is this a MUST while there's a SHOULD only for the server option?

-Peter
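
An added illustration, not part of the message above or of the draft: how the 'ndots' question and the RFC 1535 concern interact when a client applies a search list it received over DHCP. The ndots semantics assumed here follow the common resolv.conf-style stub-resolver convention; the function names and the sample domains are constructed for the example.

```python
# Added example. Search-list and ndots handling follows the common
# stub-resolver convention (resolv.conf style); the draft does not define it.

def candidates(name, search_list, ndots=1):
    """Return the absolute names a stub resolver would query, in order."""
    if name.endswith("."):
        return [name]                      # already absolute: no search list
    expanded = [f"{name}.{d.rstrip('.')}." for d in search_list]
    as_is = name + "."
    if name.count(".") >= ndots:           # enough labels: try as-is first
        return [as_is] + expanded
    return expanded + [as_is]


def under(domain, zone):
    """True if domain equals zone or is a subdomain of it."""
    d, z = domain.rstrip(".").lower(), zone.rstrip(".").lower()
    return d == z or d.endswith("." + z)


def untrusted_suffixes(search_list, trusted_zones):
    """Search-list entries outside every zone the site controls."""
    return [d for d in search_list
            if not any(under(d, z) for z in trusted_zones)]


def escaping_queries(name, search_list, trusted_zones, ndots=1):
    """Candidates queried before the as-is name that leave trusted zones."""
    out = []
    for c in candidates(name, search_list, ndots):
        if c == name.rstrip(".") + ".":    # reached the name as typed
            break
        if not any(under(c, z) for z in trusted_zones):
            out.append(c)
    return out


# Constructed sample: a search list as it might arrive in a DHCP reply.
SEARCH = ["eng.example.com", "example.com", "com"]
TRUSTED = ["example.com"]

if __name__ == "__main__":
    print(untrusted_suffixes(SEARCH, TRUSTED))
    print(escaping_queries("www.example.org", SEARCH, TRUSTED, ndots=3))
    print(escaping_queries("www.example.org", SEARCH, TRUSTED, ndots=1))
```

With a high ndots value the multi-label name is first tried under every search suffix, including one the site does not control; with ndots=1 it is tried as typed first, which is why the threshold matters to a client validating a received list.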