Network Working Group                                    R. Droms (ed.)
Internet-Draft                                            Cisco Systems
Expires: August 29, 2003                              February 28, 2003


                  DNS Configuration options for DHCPv6
                 draft-ietf-dhc-dhcpv6-opt-dnsconfig-03.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 29, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes DHCPv6 options for passing a list of
   available DNS resolvers and a domain search list to a client.

1. Introduction

   This document describes two options for passing configuration
   information related to Domain Name Service (DNS) [1, 6] in DHCPv6
   [2].

2. Terminology

   The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be
   interpreted as described in RFC2119 [3].

Droms (ed.)             Expires August 29, 2003                 [Page 1]

Internet-Draft     DNS Configuration Options for DHCPv6    February 2003

   This document uses terminology specific to IPv6 and DHCPv6 as defined
   in section "Terminology" of the DHCPv6 specification [2].

3. DNS Resolver option

   The DNS Resolver option provides a list of one or more IPv6 addresses
   of DNS recursive resolvers to which a client's DNS resolver MAY send
   DNS queries [1].  The DNS resolvers are listed in the order of
   preference for use by the client resolver.

   The format of the DNS Resolver option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     OPTION_DNS_RESOLVERS      |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                  DNS-resolver (IPv6 address)                  |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                  DNS-resolver (IPv6 address)                  |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  OPTION_DNS_RESOLVERS (tbd)

   option-len:   Length of the list of DNS resolvers in octets; must be
                 a multiple of 16

   DNS-resolver: IPv6 address of a DNS resolver

4. Domain Search List option

   The Domain Search List option specifies the domain search list the
   client is to use when resolving hostnames with DNS.  This option does
   not apply to other name resolution mechanisms.

   The format of the Domain Search List option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      OPTION_DOMAIN_LIST       |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         searchstring                          |
      |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  OPTION_DOMAIN_LIST (tbd)

   option-len:   Length of the 'searchstring' field in octets

   searchstring: The specification of the list of domain names in the
                 Domain Search List

   The list of domain names in the 'searchstring' MUST be encoded as
   specified in section "Representation and use of domain names" of the
   DHCPv6 specification [2].

5. Appearance of these options

   The DNS Resolver option MUST NOT appear in other than the following
   messages: Solicit, Advertise, Request, Renew, Rebind,
   Information-Request, Reply.

   The Domain Search List option MUST NOT appear in other than the
   following messages: Solicit, Advertise, Request, Renew, Rebind,
   Information-Request, Reply.

6. Security Considerations

   The DNS Resolver option may be used by an intruder DHCP server to
   cause DHCP clients to send DNS queries to an intruder DNS resolver.
   The results of these misdirected DNS queries may be used to spoof DNS
   names.

   To avoid attacks through the DNS Resolver option, the DHCP client
   SHOULD require DHCP authentication (see section "Authentication of
   DHCP messages" in the DHCPv6 specification) before installing a list
   of DNS resolvers obtained through DHCP.

   The Domain Search List option may be used by an intruder DHCP server
   to cause DHCP clients to search through invalid domains for
   incompletely specified domain names.  The results of these
   misdirected searches may be used to spoof DNS names.  Note that
   support for DNSSEC [4] will not avert this attack, because the
   resource records in the invalid domains may be legitimately signed.
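   The option encodings of Sections 3 and 4 and the client-side
   safeguards of this section, worked through as an added example that
   is not code from the draft or from any DHCPv6 implementation.  It
   parses both options from a constructed option buffer, enforces the
   length rules (option-len a multiple of 16; wire-format domain names
   with no compression pointers), refuses to install values from an
   unauthenticated exchange, lets manually configured values win over
   DHCP, and orders query candidates the way RFC 1536 section 6
   (quoted later in this section) recommends.  The option codes 23 and
   24, the resolver addresses and the search domains are assumptions
   made for the example; the draft leaves the codes as "tbd".

```python
"""Added example, not part of the draft: parse the DNS Resolver and
Domain Search List options from a constructed DHCPv6 option buffer and
apply the client-side safeguards of Section 6."""
import ipaddress
import struct

OPTION_DNS_RESOLVERS = 23   # assumed for illustration; draft says "tbd"
OPTION_DOMAIN_LIST = 24     # assumed for illustration; draft says "tbd"


def iter_options(buf):
    """Yield (option-code, option-data) pairs.  A truncated header or an
    option-len that overruns the buffer is an error, not skipped."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("option %d overruns buffer" % code)
        yield code, buf[off:off + length]
        off += length


def parse_dns_resolvers(data):
    """Section 3: option-len must be a non-zero multiple of 16; each
    16-octet chunk is one IPv6 address, in order of preference."""
    if not data or len(data) % 16:
        raise ValueError("option-len %d is not a multiple of 16" % len(data))
    return [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]


def parse_domain_list(data):
    """Section 4: searchstring is a run of DNS wire-format names (RFC 1035
    section 3.1), i.e. length-prefixed labels ending in a zero octet.  A
    length with its top two bits set would be a compression pointer, which
    the DHCPv6 domain-name encoding does not use, so it is rejected."""
    names, off = [], 0
    while off < len(data):
        labels = []
        while True:
            if off >= len(data):
                raise ValueError("domain name lacks terminating zero octet")
            ln = data[off]
            off += 1
            if ln == 0:
                break
            if ln & 0xC0 or off + ln > len(data):
                raise ValueError("bad label length %d" % ln)
            labels.append(data[off:off + ln].decode("ascii"))
            off += ln
        if not labels:
            raise ValueError("empty domain name in search list")
        names.append(".".join(labels))
    return names


def encode_domain_list(names):
    """Inverse of parse_domain_list; used only to build the sample."""
    out = bytearray()
    for name in names:
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return bytes(out)


def encode_options(options):
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)


def apply_dhcp_dns_config(buf, authenticated, manual_resolvers=(), manual_search=()):
    """Return the (resolvers, searchlist) the client should install.
    Section 6: values from an unauthenticated exchange are not installed,
    and manually configured values are not overridden by DHCP."""
    resolvers, search = [], []
    for code, data in iter_options(buf):      # malformed input fails here
        if code == OPTION_DNS_RESOLVERS:
            resolvers = parse_dns_resolvers(data)
        elif code == OPTION_DOMAIN_LIST:
            search = parse_domain_list(data)
    if not authenticated:
        return list(manual_resolvers), list(manual_search)
    return (list(manual_resolvers) or resolvers, list(manual_search) or search)


def query_candidates(name, searchlist):
    """RFC 1536 section 6 ordering: a name containing a dot is tried as an
    FQDN first, then with each explicit suffix; a name with no dots goes
    straight to the suffixes.  No implicit searchlist is ever used: with
    an empty list the only candidate is the name itself."""
    if name.endswith("."):
        return [name]
    with_suffix = ["%s.%s." % (name, s) for s in searchlist]
    if "." in name:
        return [name + "."] + with_suffix
    return with_suffix or [name + "."]


# Constructed sample of what an authenticated Reply might carry.
SAMPLE_RESOLVERS = [ipaddress.IPv6Address("2001:db8::53"),
                    ipaddress.IPv6Address("2001:db8:1::53")]
SAMPLE_SEARCH = ["example.com", "corp.example.net"]
SAMPLE_OPTIONS = encode_options([
    (OPTION_DNS_RESOLVERS, b"".join(a.packed for a in SAMPLE_RESOLVERS)),
    (OPTION_DOMAIN_LIST, encode_domain_list(SAMPLE_SEARCH))])
```

   Note that the parsers run before the authentication check, so a
   malformed option is still rejected loudly even when its contents
   would not have been installed; an implementation that skipped
   parsing unauthenticated options would hide the evidence of a
   misbehaving or hostile server.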
   The degree to which a host is vulnerable to attack via an invalid
   domain search option is determined in part by DNS resolver behavior.
   RFC1535 [7] contains a discussion of security weaknesses related to
   implicit as well as explicit domain searchlists, and provides
   recommendations relating to resolver searchlist processing.  Section
   6 of RFC1536 [5] also addresses this vulnerability, and recommends
   that resolvers:

   1. Use searchlists only when explicitly specified; no implicit
      searchlists should be used.

   2. Resolve a name that contains any dots by first trying it as an
      FQDN and if that fails, with the names in the searchlist
      appended.

   3. Resolve a name containing no dots by appending with the
      searchlist right away, but once again, no implicit searchlists
      should be used.

   In order to minimize potential vulnerabilities it is recommended
   that:

   1. Hosts implementing the domain search option SHOULD also implement
      the searchlist recommendations of RFC1536, section 6.

   2. Where DNS parameters such as the domain searchlist or DNS servers
      have been manually configured, these parameters SHOULD NOT be
      overridden by DHCP.

   3. A host SHOULD require the use of DHCP authentication (see section
      "Authentication of DHCP messages" in the DHCPv6 specification)
      prior to accepting a domain search option.

7. IANA Considerations

   IANA is requested to assign option codes to these two options from
   the option-code space defined in section "DHCPv6 Options" of the
   DHCPv6 specification [2].

8. Acknowledgments

   These options were originally part of the DHCPv6 specification,
   written by Jim Bound, Mike Carney, Charlie Perkins, Ted Lemon,
   Bernie Volz and Ralph Droms.
   The analysis of the potential attack through the domain search list
   is taken from the specification of the DHCPv4 Domain Search option,
   RFC3397 [8].

   Thanks to Rob Austein, Alain Durand, Peter Koch, Tony Lindstrom and
   Pekka Savola for their contributions to this document.

9. Changes from draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt

   This document includes the following changes in response to comments
   made during the dhc/dnsext WG last call:

   o  Combined RFC2119 reference and reference to DHCPv6 specification
      into one "Terminology" section; added explicit normative reference
      to DHCPv6 specification.

   o  Changed name of "Domain Name Server" option to "DNS Resolver"
      option.

   o  Clarified and corrected field names and descriptions of fields in
      the option format diagrams.

   o  Reworded "Appearance of these options" for clarity; removed
      Confirm from list of messages in which the options can appear.

   o  Clarified the type of attack that can be mounted through the
      Domain Search List option by copying text from RFC3397 [8].

Normative References

   [1]  Mockapetris, P., "Domain names - implementation and
        specification", STD 13, RFC 1035, November 1987.

   [2]  Bound, J., Carney, M., Perkins, C., Lemon, T., Volz, B. and R.
        Droms (ed.), "Dynamic Host Configuration Protocol for IPv6
        (DHCPv6)", RFC XXXX, TBD 2003.

   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [4]  Eastlake, D., "Domain Name System Security Extensions", RFC
        2535, March 1999.

   [5]  Kumar, A., Postel, J., Neuman, C., Danzig, P. and S. Miller,
        "Common DNS Implementation Errors and Suggested Fixes", RFC
        1536, October 1993.
Informative References

   [6]  Mockapetris, P., "Domain names - concepts and facilities", STD
        13, RFC 1034, November 1987.

   [7]  Gavron, E., "A Security Problem and Proposed Correction With
        Widely Deployed DNS Software", RFC 1535, October 1993.

   [8]  Aboba, B. and S. Cheshire, "Dynamic Host Configuration Protocol
        (DHCP) Domain Search Option", RFC 3397, November 2002.


Author's Address

   Ralph Droms (ed.)
   Cisco Systems
   250 Apollo Drive
   Chelmsford, MA 01824
   USA

   Phone: +1 978 497 4733
   EMail: rdroms@cisco.com

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.
   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.