DNS DHCID Records Explained
DNS DHCID (DHCP Identifier) records are used to associate DHCP clients with their DNS records. They prevent conflicts when multiple DHCP clients attempt to update the same DNS name, ensuring that only the legitimate client can modify its own records.
What is a DHCID record?
A DHCID record contains an identifier type code, a digest type, and a digest value. The digest is computed from the DHCP client's unique identifier (such as a MAC address or client DUID) combined with the DNS name, creating a binding between the client and its DNS entry.
Defined in RFC 4701, DHCID records solve the problem of multiple DHCP clients claiming the same hostname. When a DHCP server performs a DNS update on behalf of a client, it creates a DHCID record alongside the A or AAAA record. Subsequent update attempts are checked against the existing DHCID to verify the requesting client's identity.
How do DHCID records work?
When a DHCP server assigns an IP address and updates DNS on behalf of a client, it computes a DHCID digest from the client's identifier and the fully qualified domain name. This digest is stored as a DHCID record in DNS alongside the client's address record.
Before performing any subsequent DNS update for the same name, the DHCP server computes a new DHCID digest and compares it with the existing one. If they match, the update proceeds. If they don't match, the update is rejected because it indicates a different client is trying to claim the same name.
This mechanism is essential in environments with dynamic DNS updates, where multiple DHCP clients might request the same hostname. Without DHCID records, a rogue or misconfigured client could overwrite another client's DNS entries, causing network disruptions.
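The check described above, as an added example that is not part of the original article: the script computes DHCID RDATA the way RFC 4701 specifies it (a 2-byte identifier type code, a 1-byte digest type, and a SHA-256 digest over the client identifier concatenated with the FQDN in canonical RFC 4034 wire form), renders it in the base64 zone-file presentation, and then plays the DHCP server's role of comparing a freshly computed digest against the stored one. The MAC addresses, DUID and host name are constructed sample values; helper names such as dhcid_from_chaddr and update_allowed are this example's own, not an API of any DHCP server.

```python
import base64
import hashlib
import hmac

# Identifier type codes and the digest type defined in RFC 4701.
ID_TYPE_CHADDR = 0x0000     # 1-octet htype followed by the DHCPv4 chaddr
ID_TYPE_CLIENT_ID = 0x0001  # data of the DHCPv4 Client Identifier option (61)
ID_TYPE_DUID = 0x0002       # DHCPv6 DUID
DIGEST_SHA256 = 1           # the only digest type RFC 4701 defines


def fqdn_wire(name: str) -> bytes:
    """Canonical wire form of the FQDN (RFC 4034 section 6.2): lowercase labels,
    each prefixed with its length, terminated by the zero-length root label."""
    labels = name.rstrip(".").lower().split(".")
    out = bytearray()
    for label in labels:
        encoded = label.encode("ascii")
        if not 1 <= len(encoded) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(encoded))
        out += encoded
    out.append(0)
    return bytes(out)


def dhcid_rdata(id_type: int, identifier: bytes, fqdn: str) -> bytes:
    """DHCID RDATA: identifier type (2 bytes) | digest type (1 byte) |
    SHA-256(identifier || canonical FQDN)."""
    digest = hashlib.sha256(identifier + fqdn_wire(fqdn)).digest()
    return id_type.to_bytes(2, "big") + bytes([DIGEST_SHA256]) + digest


def dhcid_from_chaddr(htype: int, chaddr: bytes, fqdn: str) -> bytes:
    """DHCPv4 client that sent no Client Identifier option: htype + chaddr."""
    return dhcid_rdata(ID_TYPE_CHADDR, bytes([htype]) + chaddr, fqdn)


def dhcid_from_duid(duid: bytes, fqdn: str) -> bytes:
    """DHCPv6 client identified by its DUID."""
    return dhcid_rdata(ID_TYPE_DUID, duid, fqdn)


def presentation(rdata: bytes) -> str:
    """Zone-file presentation format: the entire RDATA as base64."""
    return base64.b64encode(rdata).decode("ascii")


def update_allowed(existing: bytes, candidate: bytes) -> bool:
    """The server-side check before modifying an existing name: the DHCID
    recomputed for the requesting client must equal the one stored in DNS."""
    return hmac.compare_digest(existing, candidate)


def demo() -> dict:
    # Constructed sample values, not real hardware addresses.
    name = "printer.example.com"
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    stored = dhcid_from_chaddr(1, mac_a, name)    # first lease: record written
    renewal = dhcid_from_chaddr(1, mac_a, name)   # same client renewing
    other = dhcid_from_chaddr(1, mac_b, name)     # different client, same name
    return {
        "record": f"{name}. DHCID ( {presentation(stored)} )",
        "renew_allowed": update_allowed(stored, renewal),
        "other_client_allowed": update_allowed(stored, other),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

RFC 4701 section 3.6 publishes test vectors for all three identifier types; running them through dhcid_from_chaddr and dhcid_from_duid is the quickest way to confirm an implementation. Note what the check does and does not cover: it stops two clients (or two cooperating DHCP servers) from silently stealing each other's name, but it is enforced by the updating server, so it is no substitute for restricting who may send dynamic updates to the zone (TSIG or equivalent) and for logging rejected updates, which are the signal that something on the network is claiming a name it should not.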
Example
Here's what a DHCID record looks like for the domain example.com: