[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt

To: Ralph Droms <rdroms@cisco.com>
Subject: Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
From: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Date: Mon, 10 Feb 2003 20:27:39 +0100
Cc: dhcwg@ietf.org, ipng@sunroof.eng.sun.com, namedroppers@ops.ietf.org
In-reply-to: Your message of "Wed, 05 Feb 2003 16:17:49 EST." <4.3.2.7.2.20030205160932.051c5948@funnel.cisco.com>

> draft-ietf-dhc-dhcpv6 opt-dnsconfig-02.txt describes two options for 
> DHCPv6: the Domain Name Server option and the Domain Search List 

>    This document uses terminology specific to IPv6 and DHCPv6 as defined
>    in section "Terminology" of the DHCP specification.

Might want to add an explicit normative reference here?

> 4. Domain Name Server option
> 
>    The Domain Name Server option provides a list of one or more IP
>    addresses of DNS servers to which a client's DNS resolver MAY send

From a purist's point of view I'm tempted to say that you're not really looking
for a DNS server here but instead for a (list of) recursive resolvers.

>    DNS-server:    IP address of DNS server

I did not follow the DHCPv6 effort too close, so I must admit not knowing
the usual "culture", but wouldn't it be better to say IPv6 address here?

>    A server sends a Domain Search List option to the DHCP client to
>    specify the domain search list the client is to use when resolving
>    hostnames with DNS.  This option does not apply to other name
>    resolution mechanisms.

The draft does not say for which kind of domain names the client is expected
to process the list, i.e. one-label names only, n-label names (how to
communicate the 'n', aka 'ndots', then?) or whether this is left to the
application(s).

>    Because the Domain Search List option may be used to spoof DNS name
>    resolution in a way that cannot be detected by DNS security
>    mechanisms like DNSSEC [5], DHCP clients and servers MUST use

Apart from the sad fact that DNSSEC isn't yet deployed I don't see why it
wouldn't be able to detect spoofing. If, however, you want to say that
using domain names in the search list you don't control is a dangerous
thing, that could be emphazised by a reference to RFC 1535.

>    authenticated DHCP when a Domain Search List option is included in a
>    DHCP message.

Why is this a MUST while there's a SHOULD only for the server option?

-Peter

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
  - From: Ralph Droms <rdroms@cisco.com>

References:
- WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
  - From: Ralph Droms <rdroms@cisco.com>

Prev by Date: Re: draft-ietf-dnsext-unknown-rrs-04.txt
Next by Date: Questions on the new DNSSEC spec
Previous by thread: Re: [dhcwg] Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
Next by thread: Re: WG last call on draft-ietf-dhc-dhcpv6-opt-dnsconfig-02.txt
Index(es):
- Date
- Thread