Network Working Group                                     R. Droms (ed.)
Internet-Draft                                             Cisco Systems
Expires: August 29, 2003                               February 28, 2003


                  DNS Configuration options for DHCPv6
               draft-ietf-dhc-dhcpv6-opt-dnsconfig-03.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 29, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes DHCPv6 options for passing a list of
   available DNS resolvers and a domain search list to a client.

1. Introduction

   This document describes two options for passing configuration
   information related to Domain Name Service (DNS) [1, 6] in DHCPv6
   [2].

2. Terminology

   The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,



Droms (ed.)              Expires August 29, 2003                [Page 1]

Internet-Draft    DNS Configuration Options for DHCPv6     February 2003


   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be
   interpreted as described in RFC2119 [3].

   This document uses terminology specific to IPv6 and DHCPv6 as defined
   in section "Terminology" of the DHCP specification [2].

3. DNS Resolver option

   The DNS Resolver option provides a list of one or more IPv6 addresses
   of DNS recursive resolvers to which a client's DNS resolver MAY send
   DNS queries [1].  The DNS servers are listed in the order of
   preference for use by the client resolver.

   The format of the DNS Resolver option is:


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     OPTION_DNS_RESOLVERS      |         option-len            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                 DNS-resolver (IPv6 address)                   |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                 DNS-resolver (IPv6 address)                   |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   option-code:   OPTION_DNS_RESOLVERS (tbd)

   option-len:    Length of the list of DNS resolvers in octets; must be
      a multiple of 16

   DNS-resolver:  IPv6 address of DNS resolver

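   The following Python is an added illustration, not part of this
   draft: it builds a DNS Resolver option in the layout above and checks
   the option-len rule before any address is trusted.  The option-code
   value is a placeholder (the draft leaves it tbd) and the function
   names are my own.

```python
import ipaddress
import struct

# The option code is "tbd" in this draft; this value is a placeholder, not an assigned code.
OPTION_DNS_RESOLVERS = 0xFFF1


def encode_dns_resolvers(addrs):
    # Payload: 16-octet IPv6 addresses concatenated in order of preference.
    payload = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!HH", OPTION_DNS_RESOLVERS, len(payload)) + payload


def decode_dns_resolvers(option):
    # Validates the header and the multiple-of-16 rule before returning any address.
    if len(option) < 4:
        raise ValueError("truncated option header")
    code, olen = struct.unpack_from("!HH", option, 0)
    if code != OPTION_DNS_RESOLVERS:
        raise ValueError("not a DNS Resolver option")
    body = option[4:4 + olen]
    if len(body) != olen:
        raise ValueError("option-len exceeds the data present")
    if olen == 0 or olen % 16:  # "one or more" addresses, each exactly 16 octets
        raise ValueError("option-len must be a non-zero multiple of 16")
    return [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, olen, 16)]


# Constructed sample: two resolvers, the preferred one first.
SAMPLE_RESOLVERS = encode_dns_resolvers(["2001:db8::53", "2001:db8:1::53"])
```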

4. Domain Search List option

   The Domain Search List option specifies the domain search list the
   client is to use when resolving hostnames with DNS.  This option does
   not apply to other name resolution mechanisms.

   The format of the Domain Search List option is:


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      OPTION_DOMAIN_LIST       |         option-len            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         searchstring                          |
      |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   option-code:   OPTION_DOMAIN_LIST (tbd)

   option-len:    Length of the 'searchstring' field in octets

   searchstring:  The specification of the list of domain names in the
      Domain Search List

   The list of domain names in the 'searchstring' MUST be encoded as
   specified in section "Representation and use of domain names" of the
   DHCPv6 specification [2].
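   An added example, not from this draft: encoding and decoding the
   'searchstring'.  It assumes the DHCPv6 representation referenced
   above is the RFC 1035 section 3.1 label format (length octet followed
   by the label, a zero octet ending each name) with no compression
   pointers; the option-code value is a placeholder and the function
   names are my own.

```python
import struct

# The option code is "tbd" in this draft; this value is a placeholder, not an assigned code.
OPTION_DOMAIN_LIST = 0xFFF2


def encode_domain_list(names):
    # searchstring: each name as RFC 1035 section 3.1 labels (length octet + label),
    # terminated by the zero-length root label; no compression pointers (assumed).
    out = b""
    for name in names:
        for label in name.strip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
        out += b"\x00"
    return struct.pack("!HH", OPTION_DOMAIN_LIST, len(out)) + out


def decode_domain_list(option):
    if len(option) < 4:
        raise ValueError("truncated option header")
    code, olen = struct.unpack_from("!HH", option, 0)
    if code != OPTION_DOMAIN_LIST or len(option) != 4 + olen:
        raise ValueError("wrong option code or option-len does not match data")
    body, names, labels, pos = option[4:], [], [], 0
    while pos < len(body):
        n, pos = body[pos], pos + 1
        if n == 0:                            # root label: one complete name
            names.append(".".join(labels))
            labels = []
        elif n > 63 or pos + n > len(body):   # rejects over-long labels and 0xC0 pointers
            raise ValueError("malformed label in searchstring")
        else:
            labels.append(body[pos:pos + n].decode("ascii"))
            pos += n
    if labels:
        raise ValueError("searchstring ends without a root label")
    return names


# Constructed sample search list.
SAMPLE_SEARCHLIST = encode_domain_list(["example.com", "corp.example.net"])
```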

5. Appearance of these options

   The DNS Resolver option MUST NOT appear in other than the following
   messages: Solicit, Advertise, Request, Renew, Rebind,
   Information-Request, Reply.

   The Domain Search List option MUST NOT appear in other than the
   following messages: Solicit, Advertise, Request, Renew, Rebind,
   Information-Request, Reply.

6. Security Considerations

   The DNS Resolver option may be used by an intruder DHCP server to
   cause DHCP clients to send DNS queries to an intruder DNS resolver.
   The results of these misdirected DNS queries may be used to spoof DNS
   names.

   To avoid attacks through the DNS Resolver option, the DHCP client
   SHOULD require DHCP authentication (see section "Authentication of
   DHCP messages" in the DHCPv6 specification) before installing a list
   of DNS resolvers obtained through authenticated DHCP.

   The Domain Search List option may be used by an intruder DHCP server
   to cause DHCP clients to search through invalid domains for
   incompletely specified domain names.  The results of these
   misdirected searches may be used to spoof DNS names.  Note that
   support for DNSSEC [4] will not avert this attack, because the
   resource records in the invalid domains may be legitimately signed.

   The degree to which a host is vulnerable to attack via an invalid
   domain search option is determined in part by DNS resolver behavior.
   RFC1535 [7] contains a discussion of security weaknesses related to
   implicit as well as explicit domain searchlists, and provides
   recommendations relating to resolver searchlist processing.  Section
   6 of RFC1536 [5] also addresses this vulnerability, and recommends
   that resolvers:

   1.  Use searchlists only when explicitly specified; no implicit
       searchlists should be used.

   2.  Resolve a name that contains any dots by first trying it as an
       FQDN and if that fails, with the names in the searchlist
       appended.

   3.  Resolve a name containing no dots by appending with the
       searchlist right away, but once again, no implicit searchlists
       should be used.

   In order to minimize potential vulnerabilities it is recommended
   that:

   1.  Hosts implementing the domain search option SHOULD also implement
       the searchlist recommendations of RFC1536, section 6.

   2.  Where DNS parameters such as the domain searchlist or DNS servers
       have been manually configured, these parameters SHOULD NOT be
       overridden by DHCP.

   3.  A host SHOULD require the use of DHCP authentication (see section
       "Authentication of DHCP messages" in the DHCPv6 specification)
       prior to accepting a domain search option.
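   An added example, not from this draft, of how a client might apply
   recommendations 2 and 3 above together with the RFC1536 section 6
   searchlist rules: DHCP-supplied DNS parameters are installed only
   when the message was authenticated and nothing was set by hand, and
   name lookup never derives an implicit searchlist.  The ResolverConfig
   model and the function names are hypothetical.

```python
from dataclasses import dataclass, field


# Hypothetical client-side configuration model built for this example; the field
# names are assumptions, not identifiers from the DHCPv6 specification.
@dataclass
class ResolverConfig:
    resolvers: list = field(default_factory=list)
    searchlist: list = field(default_factory=list)
    manually_configured: bool = False   # recommendation 2: manual settings win


def apply_dhcp_dns_options(cfg, resolvers, searchlist, authenticated):
    # Recommendations 2 and 3: never let DHCP override manual DNS parameters, and
    # install DHCP-supplied ones only after the message passed DHCP authentication.
    if cfg.manually_configured:
        return cfg, "ignored: DNS parameters are manually configured"
    if not authenticated:
        return cfg, "ignored: DHCP message was not authenticated"
    return ResolverConfig(list(resolvers), list(searchlist)), "installed"


def lookup_candidates(name, searchlist):
    # RFC1536 section 6 rules: a name containing dots is tried as an FQDN first,
    # then with each explicit searchlist entry appended; a dotless name goes
    # straight to the searchlist.  No implicit searchlist is ever derived.
    if name.endswith("."):            # already absolute: nothing to append
        return [name]
    expanded = [f"{name}.{d}." for d in searchlist]
    return ([name + "."] if "." in name else []) + expanded
```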


7. IANA Considerations

   IANA is requested to assign option codes to these options from the
   option-code space defined in section "DHCPv6 Options" of the DHCPv6
   specification [2].

8. Acknowledgments

   This option was originally part of the DHCPv6 specification, written
   by Jim Bound, Mike Carney, Charlie Perkins, Ted Lemon, Bernie Volz
   and Ralph Droms.

   The analysis of the potential attack through the domain search list
   is taken from the specification of the DHCPv4 Domain Search option,
   RFC3397 [8].

   Thanks to Rob Austein, Alain Durand, Peter Koch, Tony Lindstrom and
   Pekka Savola for their contributions to this document.

9. Changes from draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt

   This document includes the following changes in response to comments
   made during the dhc/dnsext WG last call:

   o  Combined RFC2119 reference and reference to DHCPv6 specification
      into one "Terminology" section; added explicit normative reference
      to DHCPv6 specification.

   o  Changed name of "Domain Name Server" option to "DNS Resolver"
      option.

   o  Clarified and corrected field names and descriptions of fields in
      the option format diagrams.

   o  Reworded "Appearance of these options" for clarity; removed
      Confirm from list of messages in which the options can appear.

   o  Clarified the type of attack that can be mounted through the
      Domain Search List option by copying text from RFC3397 [8].

Normative References

   [1]  Mockapetris, P., "Domain names - implementation and
        specification", STD 13, RFC 1035, November 1987.

   [2]  Bound, J., Carney, M., Perkins, C., Lemon, T., Volz, B. and R.
        Droms (ed.), "Dynamic Host Configuration Protocol for IPv6
        (DHCPv6)", RFC XXXX, TBD 2003.

   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [4]  Eastlake, D., "Domain Name System Security Extensions", RFC
        2535, March 1999.

   [5]  Kumar, A., Postel, J., Neuman, C., Danzig, P. and S. Miller,
        "Common DNS Implementation Errors and Suggested Fixes", RFC
        1536, October 1993.

Informative References

   [6]  Mockapetris, P., "Domain names - concepts and facilities", STD
        13, RFC 1034, November 1987.

   [7]  Gavron, E., "A Security Problem and Proposed Correction With
        Widely Deployed DNS Software", RFC 1535, October 1993.

   [8]  Aboba, B. and S. Cheshire, "Dynamic Host Configuration Protocol
        (DHCP) Domain Search Option", RFC 3397, November 2002.


Author's Address

   Ralph Droms (ed.)
   Cisco Systems
   250 Apollo Drive
   Chelmsford, MA  01824
   USA

   Phone: +1 978 497 4733
   EMail: rdroms@cisco.com


Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.