Re: [dhcwg] Trust model of Client FQDN option

Ted Lemon <mellon@fugue.com> Wed, 04 August 2004 17:55 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA23574; Wed, 4 Aug 2004 13:55:40 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BsPsv-0007Tm-JQ; Wed, 04 Aug 2004 13:49:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1BsPnO-0006P2-CU for dhcwg@megatron.ietf.org; Wed, 04 Aug 2004 13:43:22 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22471 for <dhcwg@ietf.org>; Wed, 4 Aug 2004 13:43:21 -0400 (EDT)
Received: from toccata.fugue.com ([204.152.186.142]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1BsPqh-0004X5-LN for dhcwg@ietf.org; Wed, 04 Aug 2004 13:46:49 -0400
Received: from [66.93.162.248] (0127bhost247.starwoodbroadband.com [12.105.247.247]) by toccata.fugue.com (Postfix) with ESMTP id 9F1041B2219; Wed, 4 Aug 2004 12:42:23 -0500 (CDT)
In-Reply-To: <002101c47a46$f10e92a0$3f428182@amer.cisco.com>
References: <002101c47a46$f10e92a0$3f428182@amer.cisco.com>
Mime-Version: 1.0 (Apple Message framework v618)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <C3FD5408-E63D-11D8-8860-000A95D9C74C@fugue.com>
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Subject: Re: [dhcwg] Trust model of Client FQDN option
Date: Wed, 04 Aug 2004 10:43:16 -0700
To: Bernie Volz <volz@cisco.com>
X-Mailer: Apple Mail (2.618)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Content-Transfer-Encoding: 7bit
Cc: "<dhcwg@ietf.org>" <dhcwg@ietf.org>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org
Content-Transfer-Encoding: 7bit

On Aug 4, 2004, at 10:17 AM, Bernie Volz wrote:
> -> If the query returns NODATA, the updater can conclude that the 
> target
> -> name is in use, but that no DHCID RR is present.  This indicates 
> that
> -> some records have been configured by an administrator.  Whether the
> -> updater proceeds with an update is a matter of local administrative
> -> policy.

Hm, this is interesting.   As a point of information, the two 
implementations with which I am familiar do not give the administrator 
a knob to tweak here.  We just assume that if the name is in the DNS 
and doesn't have a DHCID (well, TXT) record, we shouldn't scribble on 
it.

I think a stronger statement here might be better:

Whether the updater proceeds with an update is a matter of local 
administrative policy.   DHCP servers MUST NOT proceed with the update 
unless explicitly configured to do so.

The draft should talk about these two issues in the security 
considerations section, and the FQDN drafts should mention in the 
security considerations section that these security considerations are 
addressed in the resolution draft.   I don't think we can make any 
requirements to address this, but the answers we came up with in 
response to Pekka's query could reasonably go into the security 
considerations section of one or all of the drafts:

1. If the DHCP server does updates, there is no way to prevent one 
client from getting a name after another client had it, but that 
client's lease expired.

2. If the DHCP server does updates, it will be possible for DHCP 
clients to request names that might have special meaning, like www or 
wwww.   This can be handled in one of two ways:
   a. Use a special zone for dynamic names, so that it doesn't
      matter that the client gets www.dyndns.bigcompany.org, or
   b. If the DHCP server provides this capability, set up a
      filter on the DHCP server that prevents certain names from
      being claimed by clients, even if they do not currently
      appear in the DNS.

3. If the DHCP server does updates, and is allowed to override names 
that do not have DHCID records, this can mean that a client will get a 
name that is already registered for some purpose in the DNS.   This 
behavior is required to be disabled by default, so it should not be a 
problem in practice, but we mention it here to raise awareness of the 
implications of configuring your DHCP server to allow it.

Hm, one other problem that occurs to me is that a client could send 
something like "www.students" in the fqdn option, and this could turn 
into "www.students.littlecollege.edu".   That is a vaguely 
official-looking name.   So any filtering that needs doing based on 
specific reserved names like "www" needs to be on the first label in 
the name, not on the entire name.


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg