idnits 2.17.1 

draft-cheshire-dnsext-multicastdns-09.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 11 instances of lines with multicast IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use the 233.252.0.x range defined in RFC 5771


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (8 March 2010) is 5163 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC 2132' is defined on line 2484, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 3845 (Obsoleted by RFC 4033, RFC 4034,
     RFC 4035)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'UAX15'

  == Outdated reference: A later version (-11) exists of
     draft-cheshire-dnsext-dns-sd-06

  == Outdated reference: A later version (-10) exists of
     draft-cheshire-dnsext-nbp-08

  -- Obsolete informational reference (is this intentional?): RFC 2461
     (Obsoleted by RFC 4861)

  -- Obsolete informational reference (is this intentional?): RFC 2462
     (Obsoleted by RFC 4862)

  -- Obsolete informational reference (is this intentional?): RFC 2535
     (Obsoleted by RFC 4033, RFC 4034, RFC 4035)

  -- Obsolete informational reference (is this intentional?): RFC 2671
     (Obsoleted by RFC 6891)

  -- Obsolete informational reference (is this intentional?): RFC 2845
     (Obsoleted by RFC 8945)


     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	Document: draft-cheshire-dnsext-multicastdns-09.txt      Stuart Cheshire
2	Internet-Draft                                             Marc Krochmal
3	Category: Standards Track                                     Apple Inc.
4	Expires: 8 September 2010                                   8 March 2010

6	                             Multicast DNS

8	               <draft-cheshire-dnsext-multicastdns-09.txt>

10	Status of this Memo

12	   This Internet-Draft is submitted to IETF in full conformance with the
13	   provisions of BCP 78 and BCP 79.

15	   Internet-Drafts are working documents of the Internet Engineering
16	   Task Force (IETF), its areas, and its working groups.  Note that
17	   other groups may also distribute working documents as Internet-
18	   Drafts.

20	   Internet-Drafts are draft documents valid for a maximum of six months
21	   and may be updated, replaced, or obsoleted by other documents at any
22	   time.  It is inappropriate to use Internet-Drafts as reference
23	   material or to cite them other than as "work in progress."

25	   The list of current Internet-Drafts can be accessed at
26	   http://www.ietf.org/ietf/1id-abstracts.txt.

28	   The list of Internet-Draft Shadow Directories can be accessed at
29	   http://www.ietf.org/shadow.html.

31	   This Internet-Draft will expire on 8th September 2010.

33	Abstract

35	   As networked devices become smaller, more portable, and
36	   more ubiquitous, the ability to operate with less configured
37	   infrastructure is increasingly important. In particular,
38	   the ability to look up DNS resource record data types
39	   (including, but not limited to, host names) in the absence
40	   of a conventional managed DNS server is becoming essential.

42	   Multicast DNS (mDNS) provides the ability to do DNS-like operations
43	   on the local link in the absence of any conventional unicast DNS
44	   server. In addition, mDNS designates a portion of the DNS namespace
45	   to be free for local use, without the need to pay any annual fee, and
46	   without the need to set up delegations or otherwise configure a
47	   conventional DNS server to answer for those names.

49	   The primary benefits of mDNS names are that (i) they require little
50	   or no administration or configuration to set them up, (ii) they work
51	   when no infrastructure is present, and (iii) they work during
52	   infrastructure failures.

54	Table of Contents

56	Table of Contents

58	   1.  Introduction....................................................3
59	   2.  Conventions and Terminology Used in this Document...............3
60	   3.  Multicast DNS Names.............................................5
61	   4.  Source Address Check............................................7
62	   5.  Reverse Address Mapping.........................................8
63	   6.  Querying........................................................9
64	   7.  Duplicate Suppression..........................................14
65	   8.  Responding.....................................................16
66	   9.  Probing and Announcing on Startup..............................23
67	   10. Conflict Resolution............................................29
68	   11. Resource Record TTL Values and Cache Coherency.................30
69	   12. Special Characteristics of Multicast DNS Domains...............36
70	   13. Multicast DNS for Service Discovery............................37
71	   14. Enabling and Disabling Multicast DNS...........................37
72	   15. Considerations for Multiple Interfaces.........................38
73	   16. Considerations for Multiple Responders on the Same Machine.....39
74	   17. Multicast DNS Character Set....................................41
75	   18. Multicast DNS Message Size.....................................42
76	   19. Multicast DNS Message Format...................................43
77	   20. Summary of Differences Between Multicast DNS and Unicast DNS...47
78	   21. IPv6 Considerations............................................48
79	   22. Security Considerations........................................48
80	   23. IANA Considerations............................................49
81	   24. Acknowledgments................................................51
82	   25. Copyright Notice...............................................51
83	   26. Normative References...........................................52
84	   27. Informative References.........................................52
85	   28. Authors' Addresses.............................................54

87	   Appendix A. Design Rationale for Choice of UDP Port Number.........55
88	   Appendix B. Design Rationale for Not Using Hashed Mcast Addresses..56
89	   Appendix C. Design Rationale for Max Multicast DNS Name Length.....57
90	   Appendix D. Benefits of Multicast Responses........................59
91	   Appendix E. Design Rationale for Encoding Negative Responses.......60
92	   Appendix F. Use of UTF-8...........................................61
93	   Appendix G. Governing Standards Body...............................61
94	   Appendix H. Private DNS Namespaces.................................62
95	   Appendix I. Deployment History.....................................63

97	1. Introduction

99	   Multicast DNS and its companion technology DNS Service Discovery
100	   [DNS-SD] were created to provide IP networking with the ease-of-use
101	   and autoconfiguration for which AppleTalk was well known [ATalk].
102	   When reading this document, familiarity with the concepts of Zero
103	   Configuration Networking [Zeroconf] and automatic link-local
104	   addressing [RFC 2462] [RFC 3927] is helpful.

106	   This document specifies no change to the structure of DNS messages,
107	   no new operation codes or response codes, and new resource record
108	   types. This document describes how clients send DNS-like queries via
109	   IP multicast, and how a collection of hosts cooperate to collectively
110	   answer those queries in a useful manner.

112	2. Conventions and Terminology Used in this Document

114	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
115	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
116	   document are to be interpreted as described in "Key words for use in
117	   RFCs to Indicate Requirement Levels" [RFC 2119].

119	   When this document uses the term "Multicast DNS", it should be taken
120	   to mean: "Clients performing DNS-like queries for DNS-like resource
121	   records by sending DNS-like UDP query and response packets over IP
122	   Multicast to UDP port 5353." The design rationale for selecting
123	   UDP port 5353 is discussed in Appendix A.

125	   This document uses the term "host name" in the strict sense to mean a
126	   fully qualified domain name that has an IPv4 or IPv6 address record.
127	   It does not use the term "host name" in the commonly used but
128	   incorrect sense to mean just the first DNS label of a host's fully
129	   qualified domain name.

131	   A DNS (or mDNS) packet contains an IP TTL in the IP header, which
132	   is effectively a hop-count limit for the packet, to guard against
133	   routing loops. Each Resource Record also contains a TTL, which is
134	   the number of seconds for which the Resource Record may be cached.
135	   In any place where there may be potential confusion between these two
136	   types of TTL, the term "IP TTL" is used to refer to the IP header TTL
137	   (hop limit), and the term "RR TTL" is used to refer to the Resource
138	   Record TTL (cache lifetime).

140	   DNS-format messages contain a header, a Question Section, then
141	   Answer, Authority, and Additional Record Sections. The Answer,
142	   Authority, and Additional Record Sections all hold resource records
143	   in the same format. Where this document describes issues that apply
144	   equally to all three sections, it uses the term "Resource Record
145	   Sections" to refer collectively to these three sections.

147	   This document uses the terms "shared" and "unique" when referring to
148	   resource record sets:

150	   A "shared" resource record set is one where several Multicast DNS
151	   Responders may have records with that name, rrtype, and rrclass, and
152	   several Responders may respond to a particular query.

154	   A "unique" resource record set is one where all the records with
155	   that name, rrtype, and rrclass are conceptually under the control
156	   or ownership of a single Responder, and it is expected that at most
157	   one Responder should respond to a query for that name, rrtype, and
158	   rrclass. Before claiming ownership of a unique resource record set,
159	   a Responder MUST probe to verify that no other Responder already
160	   claims ownership of that set, as described in Section 9.1 "Probing".
161	   (For fault-tolerance and other reasons it is permitted sometimes to
162	   have more than one Responder answering for a particular "unique"
163	   resource record set, but such cooperating Responders MUST give
164	   answers containing identical rdata for these records. If they do
165	   not give answers containing identical rdata then the probing step
166	   will reject the data as being inconsistent with what is already
167	   being advertised on the network for those names.)

169	   Strictly speaking the terms "shared" and "unique" apply to resource
170	   record sets, not to individual resource records, but it is sometimes
171	   convenient to talk of "shared resource records" and "unique resource
172	   records". When used this way, the terms should be understood to mean
173	   a record that is a member of a "shared" or "unique" resource record
174	   set, respectively.

176	3. Multicast DNS Names

178	   This document specifies that the DNS top-level domain ".local."
179	   is a special domain with special semantics, namely that any fully-
180	   qualified name ending in ".local." is link-local, and names within
181	   this domain are meaningful only on the link where they originate.
182	   This is analogous to IPv4 addresses in the 169.254/16 prefix, which
183	   are link-local and meaningful only on the link where they originate.

185	   Any DNS query for a name ending with ".local." MUST be sent
186	   to the mDNS multicast address (224.0.0.251 or its IPv6 equivalent
187	   FF02::FB). The design rationale for using a fixed multicast address
188	   instead of selecting from a range of multicast addresses using a
189	   hash function is discussed in Appendix B.

191	   It is unimportant whether a name ending with ".local." occurred
192	   because the user explicitly typed in a fully qualified domain name
193	   ending in ".local.", or because the user entered an unqualified
194	   domain name and the host software appended the suffix ".local."
195	   because that suffix appears in the user's search list. The ".local."
196	   suffix could appear in the search list because the user manually
197	   configured it, or because it was received in a DHCP option [RFC
198	   2132], or via any other valid mechanism for configuring the DNS
199	   search list. In this respect the ".local." suffix is treated no
200	   differently to any other search domain that might appear in the DNS
201	   search list.

203	   DNS queries for names that do not end with ".local." MAY be sent to
204	   the mDNS multicast address, if no other conventional DNS server is
205	   available. This can allow hosts on the same link to continue
206	   communicating using each other's globally unique DNS names during
207	   network outages which disrupt communication with the greater
208	   Internet. When resolving global names via local multicast, it is even
209	   more important to use DNSSEC or other security mechanisms to ensure
210	   that the response is trustworthy. Resolving global names via local
211	   multicast is a contentious issue, and this document does not discuss
212	   it in detail, instead concentrating on the issue of resolving local
213	   names using DNS packets sent to a multicast address.

215	   A host that belongs to an organization or individual who has control
216	   over some portion of the DNS namespace can be assigned a globally
217	   unique name within that portion of the DNS namespace, such as,
218	   "cheshire.example.com." For those of us who have this luxury, this
219	   works very well. However, the majority of home computer users do not
220	   have easy access to any portion of the global DNS namespace within
221	   which they have the authority to create names as they wish. This
222	   leaves the majority of home computers effectively anonymous for
223	   practical purposes.

225	   To remedy this problem, this document allows any computer user to
226	   elect to give their computers link-local Multicast DNS host names of
227	   the form: "single-dns-label.local." For example, a laptop computer
228	   may answer to the name "cheshire.local." Any computer user is granted
229	   the authority to name their computer this way, provided that the
230	   chosen host name is not already in use on that link. Having named
231	   their computer this way, the user has the authority to continue using
232	   that name until such time as a name conflict occurs on the link which
233	   is not resolved in the user's favor. If this happens, the computer
234	   (or its human user) SHOULD cease using the name, and may choose to
235	   attempt to allocate a new unique name for use on that link. These
236	   conflicts are expected to be relatively rare for people who choose
237	   reasonably imaginative names, but it is still important to have a
238	   mechanism in place to handle them when they happen.

240	   This document recommends a single flat namespace for dot-local host
241	   names, (i.e. the names of DNS "A" and "AAAA" records, which map names
242	   to IPv4 and IPv6 addresses), but other DNS record types (such as
243	   those used by DNS Service Discovery [DNS-SD]) may contain as many
244	   labels as appropriate for the desired usage, up to a maximum of
245	   255 bytes, not including the terminating zero byte at the end.
246	   Name length issues are discussed further in Appendix C.

248	   Enforcing uniqueness of host names is probably desirable in the
249	   common case, but this document does not mandate that. It is
250	   permissible for a collection of coordinated hosts to agree to
251	   maintain multiple DNS address records with the same name, possibly
252	   for load balancing or fault-tolerance reasons. This document does not
253	   take a position on whether that is sensible. It is important that
254	   both modes of operation are supported. The Multicast DNS protocol
255	   allows hosts to verify and maintain unique names for resource records
256	   where that behavior is desired, and it also allows hosts to maintain
257	   multiple resource records with a single shared name where that
258	   behavior is desired. This consideration applies to all resource
259	   records, not just address records (host names). In summary: It is
260	   required that the protocol have the ability to detect and handle name
261	   conflicts, but it is not required that this ability be used for every
262	   record.

264	4. Source Address Check

266	   All Multicast DNS responses (including responses sent via unicast)
267	   SHOULD be sent with IP TTL set to 255. This is recommended to provide
268	   backwards-compatibility with older Multicast DNS clients that check
269	   the IP TTL on reception to determine whether the packet originated
270	   on the local link. These older clients discard all packets with TTLs
271	   other than 255.

273	   A host sending Multicast DNS queries to a link-local destination
274	   address (including the 224.0.0.251 and FF02::FB link-local multicast
275	   addresses) MUST only accept responses to that query that originate
276	   from the local link, and silently discard any other response packets.
277	   Without this check, it could be possible for remote rogue hosts to
278	   send spoof answer packets (perhaps unicast to the victim host) which
279	   the receiving machine could misinterpret as having originated on the
280	   local link.

282	   The test for whether a response originated on the local link
283	   is done in two ways:

285	   * All responses sent to link-local multicast address 224.0.0.251 or
286	     FF02::FB are necessarily deemed to have originated on the local
287	     link, regardless of source IP address. This is essential to allow
288	     devices to work correctly and reliably in unusual configurations,
289	     such as multiple logical IP subnets overlayed on a single link, or
290	     in cases of severe misconfiguration, where devices are physically
291	     connected to the same link, but are currently misconfigured with
292	     completely unrelated IP addresses and subnet masks.

294	   * For responses sent to a unicast destination address, the source IP
295	     address in the packet is checked to see if it is an address on a
296	     local subnet. An address is determined to be on a local subnet if,
297	     for (one of) the address(es) configured on the interface receiving
298	     the packet, (I & M) == (P & M), where I and M are the interface
299	     address and subnet mask respectively, P is the source IP address
300	     from the packet, '&' represents the bitwise logical 'and'
301	     operation, and '==' represents a bitwise equality test.

303	   Since queriers will ignore responses apparently originating outside
304	   the local subnet, a Responder SHOULD avoid generating responses that
305	   it can reasonably predict will be ignored. This applies particularly
306	   in the case of overlayed subnets. If a Responder receives a query
307	   addressed to the link-local multicast address 224.0.0.251, from a
308	   source address not apparently on the same subnet as the Responder,
309	   then even if the query indicates that a unicast response is preferred
310	   (see Section 6.5, "Questions Requesting Unicast Responses"), the
311	   Responder SHOULD elect to respond by multicast anyway, since it can
312	   reasonably predict that a unicast response with an apparently
313	   non-local source address will probably be ignored.

315	5. Reverse Address Mapping

317	   Like ".local.", the IPv4 and IPv6 reverse mapping domains are also
318	   defined to be link-local:

320	     Any DNS query for a name ending with "254.169.in-addr.arpa." MUST
321	     be sent to the mDNS multicast address 224.0.0.251. Since names
322	     under this domain correspond to IPv4 link-local addresses, it is
323	     logical that the local link is the best place to find information
324	     pertaining to those names.

326	     Likewise, any DNS query for a name within the reverse mapping
327	     domains for IPv6 Link-Local addresses ("8.e.f.ip6.arpa.",
328	     "9.e.f.ip6.arpa.", "a.e.f.ip6.arpa.", and "b.e.f.ip6.arpa.") MUST
329	     be sent to the IPv6 mDNS link-local multicast address FF02::FB.

331	6. Querying

333	   There are three kinds of Multicast DNS Queries, one-shot queries of
334	   the kind made by today's conventional DNS clients, one-shot queries
335	   accumulating multiple responses made by multicast-aware DNS clients,
336	   and continuous ongoing Multicast DNS Queries used by IP network
337	   browser software.

339	   A Multicast DNS Responder that is offering records that are intended
340	   to be unique on the local link MUST also implement a Multicast DNS
341	   Querier so that it can first verify the uniqueness of those records
342	   before it begins answering queries for them.

344	6.1 One-Shot Multicast DNS Queries

346	   The most basic kind of Multicast DNS client may simply send its DNS
347	   queries blindly to 224.0.0.251:5353, without necessarily even being
348	   aware of what a multicast address is. This change can typically be
349	   implemented with just a few lines of code in an existing DNS resolver
350	   library. Any time the name being queried for falls within one of the
351	   reserved mDNS domains (see Section 12 "Special Characteristics of
352	   Multicast DNS Domains") rather than using the configured unicast DNS
353	   server address, the query is instead sent to 224.0.0.251:5353 (or its
354	   IPv6 equivalent [FF02::FB]:5353). Typically the timeout would also be
355	   shortened to two or three seconds. It's possible to make a minimal
356	   mDNS client with only these simple changes. These queries are
357	   typically done using a high-numbered ephemeral UDP source port,
358	   but regardless of whether they are sent from a dynamic port or from
359	   a fixed port, these queries SHOULD NOT be sent using UDP source port
360	   5353, since using UDP source port 5353 signals the presence of a
361	   fully-compliant Multicast DNS client, as described below.

363	   A simple DNS client like this will typically just take the first
364	   response it receives. It will not listen for additional UDP
365	   responses, but in many instances this may not be a serious problem.
366	   If a user types "http://cheshire.local." into their Web browser and
367	   gets to see the page they were hoping for, then the protocol has met
368	   the user's needs in this case.

370	   While a basic DNS client like this may be adequate for simple
371	   host name lookup, it may not get ideal behavior in other cases.
372	   Additional refinements that may be adopted by more sophisticated
373	   clients are described below.

375	6.2 One-Shot Queries, Accumulating Multiple Responses

377	   A compliant Multicast DNS client, which implements the rules
378	   specified in this document, MUST send its Multicast DNS Queries from
379	   UDP source port 5353 (the well-known port assigned to mDNS), and MUST
380	   listen for Multicast DNS Replies sent to UDP destination port 5353 at
381	   the mDNS multicast address (224.0.0.251 and/or its IPv6 equivalent
382	   FF02::FB).

384	   As described above, there are some cases, such as looking up the
385	   address associated with a unique host name, where a single response
386	   is sufficient, and moreover may be all that is expected. However,
387	   there are other DNS queries where more than one response is
388	   possible, and for these queries a more advanced Multicast DNS client
389	   should include the ability to wait for an appropriate period of time
390	   to collect multiple responses.

392	   A naive DNS client retransmits its query only so long as it has
393	   received no response. A more advanced Multicast DNS client is aware
394	   that having received one response is not necessarily an indication
395	   that it might not receive others, and has the ability to retransmit
396	   its query until it is satisfied with the collection of responses it
397	   has gathered. When retransmitting, the interval between the first two
398	   queries SHOULD be at least one second, and the intervals between
399	   successive queries SHOULD increase by at least a factor of two.

401	   A Multicast DNS client that is retransmitting a query for which it
402	   has already received some responses MUST implement Known Answer
403	   Suppression, as described below in Section 7.1 "Known Answer
404	   Suppression". This indicates to Responders who have already replied
405	   that their responses have been received, and they don't need to send
406	   them again in response to this repeated query.

408	6.3 Continuous Multicast DNS Querying

410	   In One-Shot Queries, with either single or multiple responses,
411	   the underlying assumption is that the transaction begins when the
412	   application issues a query, and ends when the desired responses
413	   have been received. There is another type of operation which is more
414	   akin to continuous monitoring.

416	   Apple's music management software iTunes includes the ability to
417	   discover and play music shared by other iTunes users on the local
418	   network. The list of shared music sources in the sidebar of the
419	   iTunes window is updated live as music sources come and go. There is
420	   no "refresh" button for the user to click because, the user has the
421	   expectation that the list should always be accurate, always
422	   reflecting the currently available music sources, without the user
423	   having to take any manual action to keep it that way. When a new
424	   music source becomes available it promptly appears in the list, and
425	   when a music source becomes unavailable it promptly disappears. It is
426	   important that this responsive user interface be achievable without
427	   naive polling that would place an unreasonable burden on the network.

429	   Therefore, when retransmitting mDNS queries to implement this kind of
430	   continuous monitoring, the interval between the first two queries
431	   SHOULD be at least one second, the intervals between successive
432	   queries SHOULD increase by at least a factor of two, and the querier
433	   MUST implement Known Answer Suppression, as described below in
434	   Section 7.1. When the interval between queries reaches or exceeds 60
435	   minutes, a querier MAY cap the interval to a maximum of 60 minutes,
436	   and perform subsequent queries at a steady-state rate of one query
437	   per hour. To avoid accidental synchronization when for some reason
438	   multiple clients begin querying at exactly the same moment (e.g.
439	   because of some common external trigger event), a Multicast DNS
440	   Querier SHOULD also delay the first query of the series by a
441	   randomly-chosen amount in the range 20-120ms.

443	   When a Multicast DNS Querier receives an answer, the answer contains
444	   a TTL value that indicates for how many seconds this answer is valid.
445	   After this interval has passed, the answer will no longer be valid
446	   and SHOULD be deleted from the cache. Before this time is reached,
447	   a Multicast DNS Querier which has clients with an active interest in
448	   the state of that record (e.g. a network browsing window displaying
449	   a list of discovered services to the user) SHOULD re-issue its query
450	   to determine whether the record is still valid.

452	   To perform this cache maintenance, a Multicast DNS Querier should
453	   plan to re-query for records after at least 50% of the record
454	   lifetime has elapsed. This document recommends the following
455	   specific strategy:

457	   The Querier should plan to issue a query at 80% of the record
458	   lifetime, and then if no answer is received, at 85%, 90% and 95%.
459	   If an answer is received, then the remaining TTL is reset to the
460	   value given in the answer, and this process repeats for as long as
461	   the Multicast DNS Querier has an ongoing interest in the record.
462	   If after four queries no answer is received, the record is deleted
463	   when it reaches 100% of its lifetime. A Multicast DNS Querier MUST
464	   NOT perform this cache maintenance for records for which it has no
465	   clients with an active interest. If the expiry of a particular record
466	   from the cache would result in no net effect to any client software
467	   running on the Querier device, and no visible effect to the human
468	   user, then there is no reason for the Multicast DNS Querier to
469	   waste network bandwidth checking whether the record remains valid.

471	   To avoid the case where multiple Multicast DNS Queriers on a network
472	   all issue their queries simultaneously, a random variation of 2% of
473	   the record TTL should be added, so that queries are scheduled to be
474	   performed at 80-82%, 85-87%, 90-92% and then 95-97% of the TTL.

476	   An additional efficiency optimization SHOULD be performed when
477	   a Multicast DNS response is received containing a unique answer
478	   (as indicated by the cache flush bit being set (see Section 11.3,
479	   "Announcements to Flush Outdated Cache Entries"). In this case, there
480	   is no need for the querier to continue issuing a stream of queries
481	   with exponentially-increasing intervals, since the receipt of a
482	   unique answer is a good indication that no other answers will be
483	   forthcoming. In this case, the Multicast DNS Querier SHOULD plan to
484	   issue its next query for this record at 80-82% of the record's TTL,
485	   as described above.

487	6.4 Multiple Questions per Query

489	   Multicast DNS allows a querier to place multiple questions in the
490	   Question Section of a single Multicast DNS query packet.

492	   The semantics of a Multicast DNS query packet containing multiple
493	   questions is identical to a series of individual DNS query packets
494	   containing one question each. Combining multiple questions into a
495	   single packet is purely an efficiency optimization, and has no other
496	   semantic significance.

498	6.5 Questions Requesting Unicast Responses

500	   Sending Multicast DNS responses via multicast has the benefit that
501	   all the other hosts on the network get to see those responses, and
502	   can keep their caches up to date, and can detect conflicting
503	   responses.

505	   However, there are situations where all the other hosts on the
506	   network don't need to see every response. Some examples are a laptop
507	   computer waking from sleep, or the Ethernet cable being connected to
508	   a running machine, or a previously inactive interface being activated
509	   through a configuration change. At the instant of wake-up or link
510	   activation, the machine is a brand new participant on a new network.
511	   Its Multicast DNS cache for that interface is empty, and it has no
512	   knowledge of its peers on that link. It may have a significant number
513	   of questions that it wants answered right away to discover
514	   information about its new surroundings and present that information
515	   to the user. As a new participant on the network, it has no idea
516	   whether the exact same questions may have been asked and answered
517	   just seconds ago. In this case, triggering a large sudden flood of
518	   multicast responses may impose an unreasonable burden on the network.

520	   To avoid large floods of potentially unnecessary responses in these
521	   cases, Multicast DNS defines the top bit in the class field of a DNS
522	   question as the "unicast response" bit. When this bit is set in a
523	   question, it indicates that the Querier is willing to accept unicast
524	   responses instead of the usual multicast responses. These questions
525	   requesting unicast responses are referred to as "QU" questions, to
526	   distinguish them from the more usual questions requesting multicast
527	   responses ("QM" questions). A Multicast DNS Querier sending its
528	   initial batch of questions immediately on wake from sleep or
529	   interface activation SHOULD set the "QU" bit in those questions.

531	   When a question is retransmitted (as described in Section 6.3
532	   "Continuous Multicast DNS Querying") the "QU" bit SHOULD NOT be set
533	   in subsequent retransmissions of that question. Subsequent
534	   retransmissions SHOULD be usual "QM" questions. After the first
535	   question has received its responses, the querier should have a large
536	   known-answer list (see "Known Answer Suppression" below) so that
537	   subsequent queries should elicit few, if any, further responses.
538	   Reverting to multicast responses as soon as possible is important
539	   because of the benefits that multicast responses provide (see
540	   Appendix D). In addition, the "QU" bit SHOULD be set only for
541	   questions that are active and ready to be sent the moment of wake
542	   from sleep or interface activation. New questions issued by clients
543	   afterwards should be treated as normal "QM" questions and SHOULD NOT
544	   have the "QU" bit set on the first question of the series.

546	   When receiving a question with the "unicast response" bit set, a
547	   Responder SHOULD usually respond with a unicast packet directed back
548	   to the querier. If the Responder has not multicast that record
549	   recently (within one quarter of its TTL), then the Responder SHOULD
550	   instead multicast the response so as to keep all the peer caches up
551	   to date, and to permit passive conflict detection. In the case of
552	   answering a probe question with the "unicast response" bit set, the
553	   Responder should always generate the requested unicast response, but
554	   may also send a multicast announcement too if the time since the last
555	   multicast announcement of that record is more than a quarter of its
556	   TTL.

558	   Except when defending a unique name against a probe from another
559	   host, unicast replies are subject to all the same packet generation
560	   rules as multicast replies, including the cache flush bit (see
561	   Section 11.3, "Announcements to Flush Outdated Cache Entries") and
562	   randomized delays to reduce network collisions (see Section 8,
563	   "Responding").

565	6.6 Direct Unicast Queries to port 5353

567	   In specialized applications there may be rare situations where it
568	   makes sense for a Multicast DNS Querier to send its query via unicast
569	   to a specific machine. When a Multicast DNS Responder receives a
570	   query via direct unicast, it SHOULD respond as it would for a
571	   "QU" query, as described above in Section 6.5 "Questions Requesting
572	   Unicast Responses". Since it is possible for a unicast query to be
573	   received from a machine outside the local link, Responders SHOULD
574	   check that the source address in the query packet matches the local
575	   subnet for that link, and silently ignore the packet if not.

577	   There may be specialized situations, outside the scope of this
578	   document, where it is intended and desirable to create a Responder
579	   that does answer queries originating outside the local link. Such
580	   a Responder would need to ensure that these non-local queries are
581	   always answered via unicast back to the Querier, since an answer sent
582	   via link-local multicast would not reach a Querier outside the local
583	   link.

585	7. Duplicate Suppression

587	   A variety of techniques are used to reduce the amount of redundant
588	   traffic on the network.

590	7.1 Known Answer Suppression

592	   When a Multicast DNS Querier sends a query to which it already knows
593	   some answers, it populates the Answer Section of the DNS query
594	   message with those answers.

596	   A Multicast DNS Responder MUST NOT answer a Multicast DNS Query if
597	   the answer it would give is already included in the Answer Section
598	   with an RR TTL at least half the correct value. If the RR TTL of the
599	   answer as given in the Answer Section is less than half of the true
600	   RR TTL as known by the Multicast DNS Responder, the Responder MUST
601	   send an answer so as to update the Querier's cache before the record
602	   becomes in danger of expiration.

604	   Because a Multicast DNS Responder will respond if the remaining TTL
605	   given in the known answer list is less than half the true TTL, it is
606	   superfluous for the Querier to include such records in the known
607	   answer list. Therefore a Multicast DNS Querier SHOULD NOT include
608	   records in the known answer list whose remaining TTL is less than
609	   half their original TTL. Doing so would simply consume space in the
610	   packet without achieving the goal of suppressing responses, and would
611	   therefore be a pointless waste of network bandwidth.

613	   A Multicast DNS Querier MUST NOT cache resource records observed in
614	   the Known Answer Section of other Multicast DNS Queries. The Answer
615	   Section of Multicast DNS Queries is not authoritative. By placing
616	   information in the Answer Section of a Multicast DNS Query the
617	   querier is stating that it *believes* the information to be true.
618	   It is not asserting that the information *is* true. Some of those
619	   records may have come from other hosts that are no longer on the
620	   network. Propagating that stale information to other Multicast DNS
621	   Queriers on the network would not be helpful.

623	7.2 Multi-Packet Known Answer Suppression

625	   Sometimes a Multicast DNS Querier will already have too many answers
626	   to fit in the Known Answer Section of its query packets. In this
627	   case, it should issue a Multicast DNS Query containing a question and
628	   as many Known Answer records as will fit. It MUST then set the TC
629	   (Truncated) bit in the header before sending the Query. It MUST then
630	   immediately follow the packet with another query packet containing no
631	   questions, and as many more Known Answer records as will fit. If
632	   there are still too many records remaining to fit in the packet, it
633	   again sets the TC bit and continues until all the Known Answer
634	   records have been sent.

636	   A Multicast DNS Responder seeing a Multicast DNS Query with the TC
637	   bit set defers its response for a time period randomly selected in
638	   the interval 400-500ms. This gives the Multicast DNS Querier time to
639	   send additional Known Answer packets before the Responder responds.
640	   If the Responder sees any of its answers listed in the Known Answer
641	   lists of subsequent packets from the querying host, it SHOULD delete
642	   that answer from the list of answers it is planning to give, provided
643	   that no other host on the network is also waiting to receive the same
644	   answer record.

646	   If the Responder receives additional Known Answer packets with the TC
647	   bit set, it SHOULD extend the delay as necessary to ensure a pause of
648	   400-500ms after the last such packet before it sends its answer. This
649	   opens the potential risk that a continuous stream of Known Answer
650	   packets could, theoretically, prevent a Responder from answering
651	   indefinitely. In practice answers are never actually delayed
652	   significantly, and should a situation arise where significant delays
653	   did happen, that would be a scenario where the network is so
654	   overloaded that it would be desirable to err on the side of caution.
655	   The consequence of delaying an answer may be that it takes a user
656	   longer than usual to discover all the services on the local network;
657	   in contrast the consequence of incorrectly answering before all the
658	   Known Answer packets have been received would be wasting bandwidth
659	   sending unnecessary answers on an already overloaded network. In this
660	   (rare) situation, sacrificing speed to preserve reliable network
661	   operation is the right trade-off.

663	7.3 Duplicate Question Suppression

665	   If a host is planning to send a query, and it sees another host on
666	   the network send a QM query containing the same question, and the
667	   Known Answer Section of that query does not contain any records which
668	   this host would not also put in its own Known Answer Section, then
669	   this host should treat its own query as having been sent. When
670	   multiple clients on the network are querying for the same resource
671	   records, there is no need for them to all be repeatedly asking the
672	   same question.

674	7.4 Duplicate Answer Suppression

676	   If a host is planning to send an answer, and it sees another host on
677	   the network send a response packet containing the same answer record,
678	   and the TTL in that record is not less than the TTL this host would
679	   have given, then this host SHOULD treat its own answer as having been
680	   sent, and not also send an identical answer itself. When multiple
681	   Responders on the network have the same data, there is no need for
682	   all of them to respond.

684	   This feature is particularly useful when Multicast DNS Proxy Servers
685	   are in use, where there could be more than one proxy on the network
686	   giving Multicast DNS answers on behalf of some other host (e.g.
687	   because that other host is currently asleep and is not itself
688	   responding to queries).

690	8. Responding

692	   When a Multicast DNS Responder constructs and sends a Multicast DNS
693	   response packet, the Resource Record Sections of that packet must
694	   contain only records for which that Responder is explicitly
695	   authoritative. These answers may be generated because the record
696	   answers a question received in a Multicast DNS query packet, or at
697	   certain other times that the Responder determines than an unsolicited
698	   announcement is warranted. A Multicast DNS Responder MUST NOT place
699	   records from its cache, which have been learned from other Responders
700	   on the network, in the Resource Record Sections of outgoing response
701	   packets. Only an authoritative source for a given record is allowed
702	   to issue responses containing that record.

704	   The determination of whether a given record answers a given question
705	   is done using the standard DNS rules: The record name must match the
706	   question name, the record rrtype must match the question qtype,
707	   unless the qtype is "ANY" (255), and the record rrclass must match
708	   the question qclass, unless the qclass is "ANY" (255).

710	   A Multicast DNS Responder MUST only respond when it has a positive
711	   non-null response to send, or it authoritatively knows that a
712	   particular record does not exist. For unique records, where the host
713	   has already established sole ownership of the name, it MUST return
714	   negative answers to queries for records that it knows not to exist.
715	   For example, a host with no IPv6 address, that has claimed sole
716	   ownership of the name "host.local." for all rrtypes, MUST respond to
717	   AAAA queries for "host.local." by sending a negative answer
718	   indicating that no AAAA records exist for that name. See Section 8.1
719	   "Negative Responses". For shared records, which are owned by no
720	   single host, the nonexistence of a given record is ascertained by the
721	   failure of any machine to respond to the Multicast DNS query, not by
722	   any explicit negative response. NXDOMAIN and other error responses
723	   MUST NOT be sent.

725	   Multicast DNS Responses MUST NOT contain any questions in the
726	   Question Section. Any questions in the Question Section of a received
727	   Multicast DNS Response MUST be silently ignored. Multicast DNS
728	   Queriers receiving Multicast DNS Responses do not care what question
729	   elicited the response; they care only that the information in the
730	   response is true and accurate.

732	   A Multicast DNS Responder on Ethernet [IEEE 802] and similar shared
733	   multiple access networks SHOULD have the capability of delaying its
734	   responses by up to 500ms, as determined by the rules described below.

736	   If a large number of Multicast DNS Responders were all to respond
737	   immediately to a particular query, a collision would be virtually
738	   guaranteed. By imposing a small random delay, the number of
739	   collisions is dramatically reduced. On a full-sized Ethernet using
740	   the maximum cable lengths allowed and the maximum number of repeaters
741	   allowed, an Ethernet frame is vulnerable to collisions during the
742	   transmission of its first 256 bits. On 10Mb/s Ethernet, this equates
743	   to a vulnerable time window of 25.6us. On higher-speed variants of
744	   Ethernet, the vulnerable time window is shorter.

746	   In the case where a Multicast DNS Responder has good reason to
747	   believe that it will be the only Responder on the link that will send
748	   a response (i.e. because it is able to answer every question in the
749	   query packet, and for all of those answer records it has previously
750	   verified that the name, rrtype and rrclass are unique on the link)
751	   it SHOULD NOT impose any random delay before responding, and SHOULD
752	   normally generate its response within at most 10ms. In particular,
753	   this applies to responding to probe queries with the "unicast
754	   response" bit set. Since receiving a probe query gives a clear
755	   indication that some other Responder is planning to start using this
756	   name in the very near future, answering such probe queries to defend
757	   a unique record is a high priority and needs to be done without
758	   delay. A probe query can be distinguished from a normal query by the
759	   fact that a probe query contains a proposed record in the Authority
760	   Section which answers the question in the Question Section (for more
761	   details, see Section 9.1, "Probing").

763	   Responding without delay is appropriate for records like the address
764	   record for a particular host name, when the host name has been
765	   previously verified unique. Responding without delay is *not*
766	   appropriate for things like looking up PTR records used for DNS
767	   Service Discovery [DNS-SD], where a large number of responses may be
768	   anticipated.

770	   In any case where there may be multiple responses, such as queries
771	   where the answer is a member of a shared resource record set, each
772	   Responder SHOULD delay its response by a random amount of time
773	   selected with uniform random distribution in the range 20-120ms.
774	   The reason for requiring that the delay be at least 20ms is to
775	   accommodate the situation where two or more query packets are sent
776	   back-to-back, because in that case we want a Responder with answers
777	   to more than one of those queries to have the opportunity to
778	   aggregate all of its answers into a single response packet.

780	   In the case where the query has the TC (truncated) bit set,
781	   indicating that subsequent known answer packets will follow,
782	   Responders SHOULD delay their responses by a random amount of time
783	   selected with uniform random distribution in the range 400-500ms,
784	   to allow enough time for all the known answer packets to arrive,
785	   as described in Section 7.2 "Multi-Packet Known Answer Suppression".

787	   The source UDP port in all Multicast DNS Responses MUST be 5353 (the
788	   well-known port assigned to mDNS). Multicast DNS implementations MUST
789	   silently ignore any Multicast DNS Responses they receive where the
790	   source UDP port is not 5353.

792	   The destination UDP port in all Multicast DNS Responses MUST be 5353
793	   and the destination address must be the multicast address 224.0.0.251
794	   or its IPv6 equivalent FF02::FB, except when a unicast response has
795	   been explicitly requested:

797	    * via the "unicast response" bit,
798	    * by virtue of being a Legacy Query (Section 8.5), or
799	    * by virtue of being a direct unicast query.

801	   The benefits of sending Responses via multicast are discussed in
802	   Appendix D.

804	   To protect the network against excessive packet flooding due to
805	   software bugs or malicious attack, a Multicast DNS Responder MUST NOT
806	   (except in the one special case of answering probe queries) multicast
807	   a record on a given interface until at least one second has elapsed
808	   since the last time that record was multicast on that particular
809	   interface. A legitimate client on the network should have seen the
810	   previous transmission and cached it. A client that did not receive
811	   and cache the previous transmission will retry its request and
812	   receive a subsequent response. In the special case of answering probe
813	   queries, because of the limited time before the probing host will
814	   make its decision about whether or not to use the name, a Multicast
815	   DNS Responder MUST respond quickly. In this special case only, when
816	   responding via multicast to a probe, a Multicast DNS Responder is
817	   only required to delay its transmission as necessary to ensure an
818	   interval of at least 250ms since the last time the record was
819	   multicast on that interface.

821	8.1 Negative Responses

823	   In the early design of Multicast DNS it was assumed that explicit
824	   negative responses would never be needed. Hosts can assert the
825	   existence of the set of records which that host claims to exist, and
826	   the union of all such sets on a link is the set of Multicast DNS
827	   records that exist on that link. Asserting the non-existence of every
828	   record in the complement of that set -- i.e. all possible Multicast
829	   DNS records that could exist on this link but do not at this moment
830	   -- was felt to be impractical and unnecessary. The non-existence of
831	   a record would be ascertained by a client querying for it and failing
832	   to receive a response from any of the hosts currently attached to the
833	   link.

835	   However, operational experience showed that explicit negative
836	   responses can sometimes be valuable. One such case is when a client
837	   is querying for a AAAA record, and the host name in question has no
838	   associated IPv6 addresses. In this case the responding host knows it
839	   currently has exclusive ownership of that name, and it knows that it
840	   currently does not have any IPv6 addresses, so an explicit negative
841	   response is preferable to the client having to retransmit its query
842	   multiple times and eventually give up with a timeout before it can
843	   conclude that a given AAAA record does not exist.

845	   A Multicast DNS Responder indicates the nonexistence of a record by
846	   using a DNS NSEC record [RFC 3845]. In the case of Multicast DNS
847	   the NSEC record is not being used for its usual DNSSEC security
848	   properties, but simply as a way of expressing which records do or
849	   do not exist with a given name.

851	   Implementers working with devices with sufficient memory and CPU
852	   resources may choose to implement code to handle the full generality
853	   of DNS NSEC record [RFC 3845], including bitmaps up to 65,536 bits
854	   long. To facilitate use by clients with limited memory and CPU
855	   resources, Multicast DNS clients are only required to be able to
856	   parse a restricted form of the DNS NSEC record. All compliant
857	   Multicast DNS clients MUST at least correctly handle the restricted
858	   DNS NSEC record format described below:

860	    o The 'Next Domain Name' field contains the record's own name.
861	      When used with name compression, this means that the 'Next
862	      Domain Name' field always takes exactly two bytes in the packet.

864	    o The Type Bit Map block number is 0.

866	    o The Type Bit Map block length byte is a value in the range 1-32.

868	    o The Type Bit Map data is 1-32 bytes, as indicated by length byte.

870	   Because this restricted form of the DNS NSEC record is limited to
871	   Type Bit Map block number zero, it cannot express the existence of
872	   rrtypes above 255. Because of this, if a Multicast DNS Responder were
873	   to have records with rrtypes above 255, it MUST NOT generate these
874	   restricted-form NSEC records for those names, since to do so would
875	   imply that the name has no records with rrtypes above 255, which
876	   would be false. In such cases a Multicast DNS Responder MUST either
877	   (a) emit no NSEC record for that name, or (b) emit a full NSEC record
878	   containing the appropriate Type Bit Map block(s) with the correct
879	   bits set for all the record types that exist. In practice this is not
880	   a significant limitation, since rrtypes above 255 are not currently
881	   in widespread use.

883	   If a Multicast DNS implementation receives an NSEC record where the
884	   'Next Domain Name' field is not the record's own name, then the
885	   implementation SHOULD ignore the 'Next Domain Name' field and process
886	   the remainder of the NSEC record as usual. In Multicast DNS the 'Next
887	   Domain Name' field is not currently used, but it could be used in a
888	   future version of this protocol, which is why a Multicast DNS
889	   implementation MUST NOT reject or ignore an NSEC record it receives
890	   just because it finds an unexpected value in the 'Next Domain Name'
891	   field.

893	   If a Multicast DNS implementation receives an NSEC record containing
894	   more than one Type Bit Map, or where the Type Bit Map block number is
895	   not zero, or where the block length is not in the range 1-32, then
896	   the Multicast DNS implementation MAY silently ignore the entire NSEC
897	   record. A Multicast DNS implementation MUST NOT ignore an entire
898	   packet just because that packet contains one or more NSEC record(s)
899	   that the Multicast DNS implementation cannot parse. This provision
900	   is to allow future enhancements to the protocol to be introduced in
901	   a backwards-compatible way that does not break compatibility with
902	   older Multicast DNS implementations.

904	   To help differentiate these synthesized NSEC records (generated
905	   programmatically on-the-fly) from conventional Unicast DNS NSEC
906	   records (which actually exist in a signed DNS zone) the synthesized
907	   Multicast DNS NSEC records MUST NOT have the 'NSEC' bit set in the
908	   Type Bit Map, whereas conventional Unicast DNS NSEC records do have
909	   the 'NSEC' bit set.

911	   The TTL of the NSEC record indicates the intended lifetime of the
912	   negative cache entry. In general, the TTL given for an NSEC record
913	   SHOULD be the same as the TTL that the record would have had, had it
914	   existed. For example, the TTL for address records in Multicast DNS is
915	   typically 120 seconds, so the negative cache lifetime for an address
916	   record that does not exist should also be 120 seconds.

918	   A Responder should only generate negative responses to queries for
919	   which it has legitimate ownership of the name/rrtype/rrclass in
920	   question, and can legitimately assert that no record with that
921	   name/rrtype/rrclass exists. A Responder can assert that a specified
922	   rrtype does not exist for one of its names only if it previously
923	   claimed unique ownership of that name using probe queries for rrtype
924	   "ANY". (If it were to use probe queries for a specific rrtype, then
925	   it would only own the name for that rrtype, and could not assert that
926	   other rrtypes do not exist.) On receipt of a question for a
927	   particular name/rrtype/rrclass which a Responder knows not to exist
928	   by virtue of previous successful probing, the Responder MUST send a
929	   response packet containing the appropriate NSEC record, if it can do
930	   so using the restricted form of the NSEC record described above. If a
931	   legitimate restricted-form NSEC record cannot be created (because
932	   rrtypes above 255 exist for that name) the Responder MAY emit a full
933	   NSEC record, or it MAY emit no NSEC record, at the implementer's
934	   discretion.

936	   The design rationale for this mechanism for encoding Negative
937	   Responses is discussed further in Appendix E.

939	8.2 Responding to Address Queries

941	   In Multicast DNS, whenever a Responder places an IPv4 or IPv6 address
942	   record (rrtype "A" or "AAAA") into a response packet, it SHOULD also
943	   place the corresponding other address type into the additional
944	   section, if there is space in the packet.

946	   This is to provide fate sharing, so that all a device's addresses are
947	   delivered atomically in a single packet, to reduce the risk that
948	   packet loss could cause a querier to receive only the IPv4 addresses
949	   and not the IPv6 addresses, or vice versa.

951	   In the event that a device has only IPv4 addresses but no IPv6
952	   addresses, or vice versa, then the appropriate NSEC record SHOULD
953	   be placed into the additional section, so that queriers can know
954	   with certainty that the device has no addresses of that kind.

956	   Some Multicast DNS Responders treat a physical interface with both
957	   IPv4 and IPv6 address as a single interface with two addresses. Other
958	   Multicast DNS Responders treat this case as logically two interfaces,
959	   each with one address, but Responders that operate this way MUST NOT
960	   put the corresponding automatic NSEC records in replies they send
961	   (i.e. a negative IPv4 assertion in their IPv6 responses, and a
962	   negative IPv6 assertion in their IPv4 responses) because this would
963	   cause incorrect operation in Responders on the network that work the
964	   former way.

966	8.3 Responding to Multi-Question Queries

968	   Multicast DNS Responders MUST correctly handle DNS query packets
969	   containing more than one question, by answering any or all of the
970	   questions to which they have answers. Any (non-defensive) answers
971	   generated in response to query packets containing more than one
972	   question SHOULD be randomly delayed in the range 20-120ms, or
973	   400-500ms if the TC (truncated) bit is set, as described above.
974	   (Answers defending a name, in response to a probe for that name,
975	   are not subject to this delay rule and are still sent immediately.)

977	8.4 Response Aggregation

979	   When possible, a Responder SHOULD, for the sake of network
980	   efficiency, aggregate as many responses as possible into a single
981	   Multicast DNS response packet. For example, when a Responder has
982	   several responses it plans to send, each delayed by a different
983	   interval, then earlier responses SHOULD be delayed by up to an
984	   additional 500ms if that will permit them to be aggregated with
985	   other responses scheduled to go out a little later.

987	8.5 Wildcard Queries (qtype "ANY" and qclass "ANY")

989	   When responding to queries using qtype "ANY" (255) and/or qclass
990	   "ANY" (255), a Multicast DNS Responder MUST respond with *ALL* of its
991	   records that match the query. This is subtly different to how qtype
992	   "ANY" and qclass "ANY" work in Unicast DNS.

994	   A common misconception is that a Unicast DNS query for qtype "ANY"
995	   will elicit a response containing all matching records. This is
996	   incorrect. If there are any records that match the query, the
997	   response is required only to contain at least one of them, not
998	   necessarily all of them.

1000	   This somewhat surprising behavior is commonly seen with caching
1001	   (recursive) name servers. If a caching server receives a qtype "ANY"
1002	   query for which it has at least one valid answer, it is allowed to
1003	   return only those matching answers it happens to have already in its
1004	   cache, and is not required to reconsult the authoritative name server
1005	   to check if there are any more records that also match the qtype
1006	   "ANY" query.

1008	   For example, one might imagine that a query for qtype "ANY" for name
1009	   "host.example.com" would return both the IPv4 (A) and the IPv6 (AAAA)
1010	   address records for that host. In reality what happens is that it
1011	   depends on the history of what queries have been previously received
1012	   by intervening caching servers. If a caching server has no records
1013	   for "host.example.com" then it will consult another server (usually
1014	   the authoritative name server for the name in question) and in that
1015	   case it will typically return all IPv4 and IPv6 address records. If
1016	   however some other host has recently done a query for qtype "A" for
1017	   name "host.example.com", so that the caching server already has IPv4
1018	   address records for "host.example.com" in its cache, but no IPv6
1019	   address records, then it will return only the IPv4 address records
1020	   it already has cached, and no IPv6 address records.

1022	   Multicast DNS does not share this property that qtype "ANY" and
1023	   qclass "ANY" queries return some undefined subset of the matching
1024	   records. When responding to queries using qtype "ANY" (255) and/or
1025	   qclass "ANY" (255), a Multicast DNS Responder MUST respond with *ALL*
1026	   of its records that match the query.

1028	8.6 Legacy Unicast Responses

1030	   If the source UDP port in a received Multicast DNS Query is not port
1031	   5353, this indicates that the client originating the query is a
1032	   simple client that does not fully implement all of Multicast DNS.
1033	   In this case, the Multicast DNS Responder MUST send a UDP response
1034	   directly back to the client, via unicast, to the query packet's
1035	   source IP address and port. This unicast response MUST be a
1036	   conventional unicast response as would be generated by a conventional
1037	   unicast DNS server; for example, it MUST repeat the query ID and the
1038	   question given in the query packet. In addition, the "cache flush"
1039	   bit described in Section 11.3 "Announcements to Flush Outdated Cache
1040	   Entries" is specific to Multicast DNS, and MUST NOT be set in legacy
1041	   unicast responses.

1043	   The resource record TTL given in a legacy unicast response SHOULD NOT
1044	   be greater than ten seconds, even if the true TTL of the Multicast
1045	   DNS resource record is higher. This is because Multicast DNS
1046	   Responders that fully participate in the protocol use the cache
1047	   coherency mechanisms described in Section 11 "Resource Record TTL
1048	   Values and Cache Coherency" to update and invalidate stale data. Were
1049	   unicast responses sent to legacy clients to use the same high TTLs,
1050	   these legacy clients, which do not implement these cache coherency
1051	   mechanisms, could retain stale cached resource record data long after
1052	   it is no longer valid.

1054	   Having sent this unicast response, if the Responder has not sent this
1055	   record in any multicast response recently, it SHOULD schedule the
1056	   record to be sent via multicast as well, to facilitate passive
1057	   conflict detection. "Recently" in this context means "if the time
1058	   since the record was last sent via multicast is less than one quarter
1059	   of the record's TTL".

1061	9. Probing and Announcing on Startup

1063	   Typically a Multicast DNS Responder should have, at the very least,
1064	   address records for all of its active interfaces. Creating and
1065	   advertising an HINFO record on each interface as well can be useful
1066	   to network administrators.

1068	   Whenever a Multicast DNS Responder starts up, wakes up from sleep,
1069	   receives an indication of an Ethernet "Link Change" event, or has any
1070	   other reason to believe that its network connectivity may have
1071	   changed in some relevant way, it MUST perform the two startup steps
1072	   below: Probing (Section 9.1) and Announcing (Section 9.3).

1074	9.1 Probing

1076	   The first startup step is that for all those resource records that a
1077	   Multicast DNS Responder desires to be unique on the local link, it
1078	   MUST send a Multicast DNS Query asking for those resource records, to
1079	   see if any of them are already in use. The primary example of this is
1080	   its address records which map its unique host name to its unique IPv4
1081	   and/or IPv6 addresses. All Probe Queries SHOULD be done using the
1082	   desired resource record name and query type "ANY" (255), to elicit
1083	   answers for all types of records with that name. This allows a single
1084	   question to be used in place of several questions, which is more
1085	   efficient on the network. It also allows a host to verify exclusive
1086	   ownership of a name for all rrtypes, which is desirable in most
1087	   cases. It would be confusing, for example, if one host owned the "A"
1088	   record for "myhost.local.", but a different host owned the HINFO
1089	   record for that name.

1091	   The ability to place more than one question in a Multicast DNS Query
1092	   is useful here, because it can allow a host to use a single packet
1093	   for all of its resource records instead of needing a separate packet
1094	   for each. For example, a host can simultaneously probe for uniqueness
1095	   of its "A" record and all its SRV records [DNS-SD] in the same query
1096	   packet.

1098	   When ready to send its mDNS probe packet(s) the host should first
1099	   wait for a short random delay time, uniformly distributed in the
1100	   range 0-250ms. This random delay is to guard against the case where a
1101	   group of devices are powered on simultaneously, or a group of devices
1102	   are connected to an Ethernet hub which is then powered on, or some
1103	   other external event happens that might cause a group of hosts to all
1104	   send synchronized probes.

1106	   250ms after the first query the host should send a second, then
1107	   250ms after that a third. If, by 250ms after the third probe, no
1108	   conflicting Multicast DNS responses have been received, the host may
1109	   move to the next step, announcing. (Note that this is the one
1110	   exception from the normal rule that there should be at least one
1111	   second between repetitions of the same question, and the interval
1112	   between subsequent repetitions should at least double.)

1114	   When sending probe queries, a host MUST NOT consult its cache for
1115	   potential answers. Only conflicting Multicast DNS responses received
1116	   "live" from the network are considered valid for the purposes of
1117	   determining whether probing has succeeded or failed.

1119	   In order to allow services to announce their presence without
1120	   unreasonable delay, the time window for probing is intentionally set
1121	   quite short. As a result of this, from the time the first probe
1122	   packet is sent, another device on the network using that name has
1123	   just 750ms to respond to defend its name. On networks that are slow,
1124	   or busy, or both, it is possible for round-trip latency to account
1125	   for a few hundred milliseconds, and software delays in slow devices
1126	   can add additional delay. For this reason, it is important that when
1127	   a device receives a probe query for a name that it is currently using
1128	   for unique records, it SHOULD generate its response to defend that
1129	   name immediately and send it as quickly as possible. The usual rules
1130	   about random delays before responding, to avoid sudden bursts of
1131	   simultaneous answers from different hosts, do not apply here since
1132	   at most one host should ever respond to a given probe question. Even
1133	   when a single DNS query packet contains multiple probe questions,
1134	   it would be unusual for that packet to elicit a defensive response
1135	   from more than one other host. Because of the mDNS multicast rate
1136	   limiting rules, the first two probes SHOULD be sent as "QU" questions
1137	   with the "unicast response" bit set, to allow a defending host to
1138	   respond immediately via unicast, instead of potentially having to
1139	   wait before replying via multicast. At the present time, this
1140	   document recommends that the third probe SHOULD be sent as a standard
1141	   "QM" question, for backwards compatibility with the small number of
1142	   old devices still in use that don't implement unicast responses.

1144	   If, at any time during probing, from the beginning of the initial
1145	   random 0-250ms delay onward, any conflicting Multicast DNS responses
1146	   are received, then the probing host MUST defer to the existing host,
1147	   and MUST choose new names for some or all of its resource records as
1148	   appropriate. In the case of a host probing using query type "ANY" as
1149	   recommended above, any answer containing a record with that name, of
1150	   any type, MUST be considered a conflicting response and handled
1151	   accordingly.

1153	   If fifteen failures occur within any ten-second period, then the host
1154	   MUST wait at least five seconds before each successive additional
1155	   probe attempt. This is to help ensure that in the event of software
1156	   bugs or other unanticipated problems, errant hosts do not flood the
1157	   network with a continuous stream of multicast traffic. For very
1158	   simple devices, a valid way to comply with this requirement is
1159	   to always wait five seconds after any failed probe attempt before
1160	   trying again.

1162	   If a Responder knows by other means, with absolute certainty, that
1163	   its unique resource record set name, rrtype and rrclass cannot
1164	   already be in use by any other Responder on the network, then it
1165	   MAY skip the probing step for that resource record set. For example,
1166	   when creating the reverse address mapping PTR records, the host can
1167	   reasonably assume that no other host will be trying to create those
1168	   same PTR records, since that would imply that the two hosts were
1169	   trying to use the same IP address, and if that were the case, the
1170	   two hosts would be suffering communication problems beyond the scope
1171	   of what Multicast DNS is designed to solve.

1173	9.2 Simultaneous Probe Tie-Breaking

1175	   The astute reader will observe that there is a race condition
1176	   inherent in the previous description. If two hosts are probing for
1177	   the same name simultaneously, neither will receive any response to
1178	   the probe, and the hosts could incorrectly conclude that they may
1179	   both proceed to use the name. To break this symmetry, each host
1180	   populates the Query packets's Authority Section with the record or
1181	   records with the rdata that it would be proposing to use, should its
1182	   probing be successful. The Authority Section is being used here in a
1183	   way analogous to the way it is used as the "Update Section" in a DNS
1184	   Update packet [RFC 2136].

1186	   When a host is probing for a group of related records with the same
1187	   name (e.g. the SRV and TXT record describing a DNS-SD service), only
1188	   a single question need be placed in the Question Section, since query
1189	   type "ANY" (255) is used, which will elicit answers for all records
1190	   with that name. However, for tie-breaking to work correctly in all
1191	   cases, the Authority Section must contain *all* the records and
1192	   proposed rdata being probed for uniqueness.

1194	   When a host that is probing for a record sees another host issue a
1195	   query for the same record, it consults the Authority Section of that
1196	   query. If it finds any resource record(s) there which answers the
1197	   query, then it compares the data of that (those) resource record(s)
1198	   with its own tentative data. We consider first the simple case of a
1199	   host probing for a single record, receiving a simultaneous probe from
1200	   another host also probing for a single record. The two records are
1201	   compared and the lexicographically later data wins. This means that
1202	   if the host finds that its own data is lexicographically later, it
1203	   simply ignores the other host's probe. If the host finds that its own
1204	   data is lexicographically earlier, then it treats this exactly as if
1205	   it had received a positive answer to its query, and concludes that it
1206	   may not use the desired name.

1208	   The determination of "lexicographically later" is performed by first
1209	   comparing the record class (excluding the cache flush bit described
1210	   in Section 11.3), then the record type, then raw comparison of the
1211	   binary content of the rdata without regard for meaning or structure.
1212	   If the record classes differ, then the numerically greater class is
1213	   considered "lexicographically later". Otherwise, if the record types
1214	   differ, then the numerically greater type is considered
1215	   "lexicographically later". If the rrtype and rrclass both match then
1216	   the rdata is compared.

1218	   In the case of resource records containing rdata that is subject to
1219	   name compression [RFC 1035], the names MUST be uncompressed before
1220	   comparison. (The details of how a particular name is compressed is an
1221	   artifact of how and where the record is written into the DNS message;
1222	   it is not an intrinsic property of the resource record itself.)
1223	   The bytes of the raw uncompressed rdata are compared in turn,
1224	   interpreting the bytes as eight-bit UNSIGNED values, until a byte
1225	   is found whose value is greater than that of its counterpart (in
1226	   which case the rdata whose byte has the greater value is deemed
1227	   lexicographically later) or one of the resource records runs out
1228	   of rdata (in which case the resource record which still has
1229	   remaining data first is deemed lexicographically later).

1231	   The following is an example of a conflict:

1233	   cheshire.local. A 169.254.99.200
1234	   cheshire.local. A 169.254.200.50

1236	   In this case 169.254.200.50 is lexicographically later (the third
1237	   byte, with value 200, is greater than its counterpart with value 99),
1238	   so it is deemed the winner.

1240	   Note that it is vital that the bytes are interpreted as UNSIGNED
1241	   values in the range 0-255, or the wrong outcome may result. In
1242	   the example above, if the byte with value 200 had been incorrectly
1243	   interpreted as a signed eight-bit value then it would be interpreted
1244	   as value -56, and the wrong address record would be deemed the
1245	   winner.

1247	9.2.1 Simultaneous Probe Tie-Breaking for Multiple Records

1249	   When a host is probing for a set of records with the same name, or a
1250	   packet is received containing multiple tie-breaker records answering
1251	   a given probe question in the Question Section, the host's records
1252	   and the tie-breaker records from the packet are each sorted into
1253	   order, and then compared pairwise, using the same comparison
1254	   technique described above, until a difference is found.

1256	   The records are sorted using the same lexicographical order as
1257	   described above, that is: if the record classes differ, the record
1258	   with the lower class number comes first. If the classes are the same
1259	   but the rrtypes differ, the record with the lower rrtype number comes
1260	   first. If the class and rrtype match, then the rdata is compared
1261	   bytewise until a difference is found. For example, in the common case
1262	   of advertising DNS-SD services with a TXT record and an SRV record,
1263	   the TXT record comes first (the rrtype for TXT is 16) and the SRV
1264	   record comes second (the rrtype for SRV is 33).

1266	   When comparing the records, if the first records match perfectly,
1267	   then the second records are compared, and so on. If either list of
1268	   records runs out of records before any difference is found, then the
1269	   list with records remaining is deemed to have won the tie-break. If
1270	   both lists run out of records at the same time without any difference
1271	   being found, then this indicates that two devices are advertising
1272	   identical sets of records, as is sometimes done for fault tolerance,
1273	   and there is in fact no conflict.

1275	9.3 Announcing

1277	   The second startup step is that the Multicast DNS Responder MUST send
1278	   a gratuitous Multicast DNS Response containing, in the Answer
1279	   Section, all of its resource records (both shared records, and unique
1280	   records that have completed the probing step). If there are too many
1281	   resource records to fit in a single packet, multiple packets should
1282	   be used.

1284	   In the case of shared records (e.g. the PTR records used by DNS
1285	   Service Discovery [DNS-SD]), the records are simply placed as-is
1286	   into the Answer Section of the DNS Response.

1288	   In the case of records that have been verified to be unique in the
1289	   previous step, they are placed into the Answer Section of the DNS
1290	   Response with the most significant bit of the rrclass set to one.
1291	   The most significant bit of the rrclass for a record in the Answer
1292	   Section of a response packet is the mDNS "cache flush" bit and is
1293	   discussed in more detail below in Section 11.3 "Announcements to
1294	   Flush Outdated Cache Entries".

1296	   The Multicast DNS Responder MUST send at least two gratuitous
1297	   responses, one second apart. A Responder MAY send up to eight
1298	   gratuitous Responses, provided that the interval between gratuitous
1299	   responses doubles with every response sent.

1301	   A Multicast DNS Responder MUST NOT send announcements in the absence
1302	   of information that its network connectivity may have changed in
1303	   some relevant way. In particular, a Multicast DNS Responder MUST NOT
1304	   send regular periodic announcements as a matter of course.

1306	   Whenever a Multicast DNS Responder receives any Multicast DNS
1307	   response (gratuitous or otherwise) containing a conflicting resource
1308	   record, the conflict MUST be resolved as described below in "Conflict
1309	   Resolution".

1311	9.4 Updating

1313	   At any time, if the rdata of any of a host's Multicast DNS records
1314	   changes, the host MUST repeat the Announcing step described above to
1315	   update neighboring caches. For example, if any of a host's IP
1316	   addresses change, it MUST re-announce those address records.

1318	   In the case of shared records, a host MUST send a "goodbye"
1319	   announcement with TTL zero (see Section 11.2 "Goodbye Packets")
1320	   for the old rdata, to cause it to be deleted from peer caches,
1321	   before announcing the new rdata. In the case of unique records,
1322	   a host SHOULD omit the "goodbye" announcement, since the cache
1323	   flush bit on the newly announced records will cause old rdata
1324	   to be flushed from peer caches anyway.

1326	   A host may update the contents of any of its records at any time,
1327	   though a host SHOULD NOT update records more frequently than ten
1328	   times per minute. Frequent rapid updates impose a burden on the
1329	   network. If a host has information to disseminate which changes more
1330	   frequently than ten times per minute, then it may be more appropriate
1331	   to design a protocol for that specific purpose.

1333	10. Conflict Resolution

1335	   A conflict occurs when a Multicast DNS Responder has a unique record
1336	   for which it is authoritative, and it receives a Multicast DNS
1337	   response packet containing a record with the same name, rrtype and
1338	   rrclass, but inconsistent rdata. What may be considered inconsistent
1339	   is context sensitive, except that resource records with identical
1340	   rdata are never considered inconsistent, even if they originate from
1341	   different hosts. This is to permit use of proxies and other
1342	   fault-tolerance mechanisms that may cause more than one Responder
1343	   to be capable of issuing identical answers on the network.

1345	   A common example of a resource record type that is intended to be
1346	   unique, not shared between hosts, is the address record that maps a
1347	   host's name to its IP address. Should a host witness another host
1348	   announce an address record with the same name but a different IP
1349	   address, then that is considered inconsistent, and that address
1350	   record is considered to be in conflict.

1352	   Whenever a Multicast DNS Responder receives any Multicast DNS
1353	   response (gratuitous or otherwise) containing a conflicting resource
1354	   record in any of the Resource Record Sections, the Multicast DNS
1355	   Responder MUST immediately reset its conflicted unique record to
1356	   probing state, and go through the startup steps described above in
1357	   Section 9, "Probing and Announcing on Startup". The protocol used in
1358	   the Probing phase will determine a winner and a loser, and the loser
1359	   MUST cease using the name, and reconfigure.

1361	   It is very important that any host receiving a resource record that
1362	   conflicts with one of its own MUST take action as described above.
1363	   In the case of two hosts using the same host name, where one has been
1364	   configured to require a unique host name and the other has not, the
1365	   one that has not been configured to require a unique host name will
1366	   not perceive any conflict, and will not take any action. By reverting
1367	   to Probing state, the host that desires a unique host name will go
1368	   through the necessary steps to ensure that a unique host name is
1369	   obtained.

1371	   The recommended course of action after probing and failing is as
1372	   follows:

1374	   o Programmatically change the resource record name in an attempt to
1375	     find a new name that is unique. This could be done by adding some
1376	     further identifying information (e.g. the model name of the
1377	     hardware) if it is not already present in the name, appending the
1378	     digit "2" to the name, or incrementing a number at the end of the
1379	     name if one is already present.

1381	   o Probe again, and repeat until a unique name is found.

1383	   o Record this newly chosen name in persistent storage so that the
1384	     device will use the same name the next time it is power-cycled.

1386	   o Display a message to the user or operator informing them of the
1387	     name change. For example:

1389	        The name "Bob's Music" is in use by another iTunes music
1390	        server on the network. Your music has been renamed to
1391	        "Bob's Music (MacBook)". If you want to change this name,
1392	        use [describe appropriate menu item or preference dialog].

1394	   o If after one minute of probing the Multicast DNS Responder has been
1395	     unable to find any unused name, it should display a message to the
1396	     user or operator informing them of this fact. This situation should
1397	     never occur in normal operation. The only situations that would
1398	     cause this to happen would be either a deliberate denial-of-service
1399	     attack, or some kind of very obscure hardware or software bug that
1400	     acts like a deliberate denial-of-service attack.

1402	   How the user or operator is informed depends on context. A desktop
1403	   computer with a screen might put up a dialog box. A headless server
1404	   in the closet may write a message to a log file, or use whatever
1405	   mechanism (email, SNMP trap, etc.) it uses to inform the
1406	   administrator of error conditions. On the other hand a headless
1407	   server in the closet may not inform the user at all -- if the user
1408	   cares, they will notice the name has changed, and connect to the
1409	   server in the usual way (e.g. via Web Browser) to configure a new
1410	   name.

1412	   These considerations apply to address records (i.e. host names) and
1413	   to all resource records where uniqueness (or maintenance of some
1414	   other defined constraint) is desired.

1416	11. Resource Record TTL Values and Cache Coherency

1418	   As a general rule, the recommended TTL value for Multicast DNS
1419	   resource records with a host name as the resource record's name
1420	   (e.g. A, AAAA, HINFO, etc.) or contained within the resource record's
1421	   rdata (e.g. SRV, reverse mapping PTR record, etc.) is 120 seconds.

1423	   The recommended TTL value for other Multicast DNS resource records
1424	   is 75 minutes.

1426	   A client with an active outstanding query will issue a query packet
1427	   when one or more of the resource record(s) in its cache is (are) 80%
1428	   of the way to expiry. If the TTL on those records is 75 minutes,
1429	   this ongoing cache maintenance process yields a steady-state query
1430	   rate of one query every 60 minutes.

1432	   Any distributed cache needs a cache coherency protocol. If Multicast
1433	   DNS resource records follow the recommendation and have a TTL of 75
1434	   minutes, that means that stale data could persist in the system for
1435	   a little over an hour. Making the default TTL significantly lower
1436	   would reduce the lifetime of stale data, but would produce too much
1437	   extra traffic on the network. Various techniques are available to
1438	   minimize the impact of such stale data.

1440	11.1 Cooperating Multicast DNS Responders

1442	   If a Multicast DNS Responder ("A") observes some other Multicast DNS
1443	   Responder ("B") send a Multicast DNS Response packet containing a
1444	   resource record with the same name, rrtype and rrclass as one of A's
1445	   resource records, but different rdata, then:

1447	   o If A's resource record is intended to be a shared resource record,
1448	     then this is no conflict, and no action is required.

1450	   o If A's resource record is intended to be a member of a unique
1451	     resource record set owned solely by that Responder, then this
1452	     is a conflict and MUST be handled as described in Section 10
1453	     "Conflict Resolution".

1455	   If a Multicast DNS Responder ("A") observes some other Multicast DNS
1456	   Responder ("B") send a Multicast DNS Response packet containing a
1457	   resource record with the same name, rrtype and rrclass as one of A's
1458	   resource records, and identical rdata, then:

1460	   o If the TTL of B's resource record given in the packet is at least
1461	     half the true TTL from A's point of view, then no action is
1462	     required.

1464	   o If the TTL of B's resource record given in the packet is less than
1465	     half the true TTL from A's point of view, then A MUST mark its
1466	     record to be announced via multicast. Clients receiving the record
1467	     from B would use the TTL given by B, and hence may delete the
1468	     record sooner than A expects. By sending its own multicast response
1469	     correcting the TTL, A ensures that the record will be retained for
1470	     the desired time.

1472	   These rules allow multiple Multicast DNS Responders to offer the same
1473	   data on the network (perhaps for fault tolerance reasons) without
1474	   conflicting with each other.

1476	11.2 Goodbye Packets

1478	   In the case where a host knows that certain resource record data is
1479	   about to become invalid (for example when the host is undergoing a
1480	   clean shutdown) the host SHOULD send a gratuitous announcement mDNS
1481	   response packet, giving the same resource record name, rrtype,
1482	   rrclass and rdata, but an RR TTL of zero. This has the effect of
1483	   updating the TTL stored in neighboring hosts' cache entries to zero,
1484	   causing that cache entry to be promptly deleted.

1486	   Clients receiving a Multicast DNS Response with a TTL of zero SHOULD
1487	   NOT immediately delete the record from the cache, but instead record
1488	   a TTL of 1 and then delete the record one second later. In the case
1489	   of multiple Multicast DNS Responders on the network described in
1490	   Section 11.1 above, if one of the Responders shuts down and
1491	   incorrectly sends goodbye packets for its records, it gives the other
1492	   cooperating Responders one second to send out their own response to
1493	   "rescue" the records before they expire and are deleted.

1495	11.3 Announcements to Flush Outdated Cache Entries

1497	   Whenever a host has a resource record with new data, or with what
1498	   might potentially be new data (e.g. after rebooting, waking from
1499	   sleep, connecting to a new network link, changing IP address, etc.),
1500	   the host needs to inform peers of that new data. In cases where the
1501	   host has not been continuously connected and participating on the
1502	   network link, it MUST first Probe to re-verify uniqueness of its
1503	   unique records, as described above in Section 9.1 "Probing".

1505	   Having completed the Probing step if necessary, the host MUST then
1506	   send a series of gratuitous announcements to update cache entries in
1507	   its neighbor hosts. In these gratuitous announcements, if the record
1508	   is one that has been verified unique, the host sets the most
1509	   significant bit of the rrclass field of the resource record. This
1510	   bit, the "cache flush" bit, tells neighboring hosts that this is not
1511	   a shared record type. Instead of merging this new record additively
1512	   into the cache in addition to any previous records with the same
1513	   name, rrtype and rrclass, all old records with that name, type and
1514	   class that were received more than one second ago are declared
1515	   invalid, and marked to expire from the cache in one second.

1517	   The semantics of the cache flush bit are as follows: Normally when
1518	   a resource record appears in a Resource Record Section of the DNS
1519	   Response, it means, "This is an assertion that this information is
1520	   true." When a resource record appears in a Resource Record Section of
1521	   the DNS Response with the "cache flush" bit set, it means, "This is
1522	   an assertion that this information is the truth and the whole truth,
1523	   and anything you may have heard more than a second ago regarding
1524	   records of this name/rrtype/rrclass is no longer valid".

1526	   To accommodate the case where the set of records from one host
1527	   constituting a single unique RRSet is too large to fit in a single
1528	   packet, only cache records that are more than one second old are
1529	   flushed. This allows the announcing host to generate a quick burst of
1530	   packets back-to-back on the wire containing all the members
1531	   of the RRSet. When receiving records with the "cache flush" bit set,
1532	   all records older than one second are marked to be deleted one second
1533	   in the future. One second after the end of the little packet burst,
1534	   any records not represented within that packet burst will then be
1535	   expired from all peer caches.

1537	   Any time a host sends a response packet containing some members of a
1538	   unique RRSet, it SHOULD send the entire RRSet, preferably in a single
1539	   packet, or if the entire RRSet will not fit in a single packet, in a
1540	   quick burst of packets sent as close together as possible. The host
1541	   SHOULD set the cache flush bit on all members of the unique RRSet.
1542	   In the event that for some reason the host chooses not to send the
1543	   entire unique RRSet in a single packet or a rapid packet burst,
1544	   it MUST NOT set the cache flush bit on any of those records.

1546	   The reason for waiting one second before deleting stale records from
1547	   the cache is to accommodate bridged networks. For example, a host's
1548	   address record announcement on a wireless interface may be bridged
1549	   onto a wired Ethernet, and cause that same host's Ethernet address
1550	   records to be flushed from peer caches. The one-second delay gives
1551	   the host the chance to see its own announcement arrive on the wired
1552	   Ethernet, and immediately re-announce its Ethernet interface's
1553	   address records so that both sets remain valid and live in peer
1554	   caches.

1556	   These rules, about when to set the cache flush bit and sending the
1557	   entire rrset, apply regardless of *why* the response packet is being
1558	   generated. They apply to startup announcements as described in
1559	   Section 9.3 "Announcing", and to responses generated as a result
1560	   of receiving query packets.

1562	   The "cache flush" bit is only set in records in the Resource Record
1563	   Sections of Multicast DNS responses sent to UDP port 5353. The "cache
1564	   flush" bit MUST NOT be set in any resource records in a response
1565	   packet sent in legacy unicast responses to UDP ports other than 5353.

1567	   The "cache flush" bit MUST NOT be set in any resource records in the
1568	   known-answer list of any query packet.

1570	   The "cache flush" bit MUST NOT ever be set in any shared resource
1571	   record. To do so would cause all the other shared versions of this
1572	   resource record with different rdata from different Responders to be
1573	   immediately deleted from all the caches on the network.

1575	   The "cache flush" bit does *not* apply to questions listed in the
1576	   Question Section of a Multicast DNS packet. The top bit of the
1577	   rrclass field in questions is used for an entirely different purpose
1578	   (see Section 6.5, "Questions Requesting Unicast Responses").

1580	   Note that the "cache flush" bit is NOT part of the resource record
1581	   class. The "cache flush" bit is the most significant bit of the
1582	   second 16-bit word of a resource record in a Resource Record Section
1583	   of an mDNS packet (the field conventionally referred to as the
1584	   rrclass field), and the actual resource record class is the
1585	   least-significant fifteen bits of this field. There is no mDNS
1586	   resource record class 0x8001. The value 0x8001 in the rrclass field
1587	   of a resource record in an mDNS response packet indicates a resource
1588	   record with class 1, with the "cache flush" bit set. When receiving
1589	   a resource record with the "cache flush" bit set, implementations
1590	   should take care to mask off that bit before storing the resource
1591	   record in memory.

1593	   The re-use of the top bit of the rrclass field only applies to
1594	   conventional Resource Record types that are subject to caching, not
1595	   to pseudo-RRs like OPT [RFC 2671], TSIG [RFC 2845], TKEY [RFC 2930],
1596	   SIG0 [RFC 2931], etc., that pertain only to a particular transport
1597	   level message and not to any actual DNS data. Since pseudo-RRs should
1598	   never go into the mDNS cache, the concept of a "cache flush" bit for
1599	   these types is not applicable. In particular the rrclass field of
1600	   an OPT records encodes the sender's UDP payload size, and should
1601	   be interpreted as a 16-bit length value in the range 0-65535, not
1602	   a one-bit flag and a 15-bit length.

1604	11.4 Cache Flush on Topology change

1606	   If the hardware on a given host is able to indicate physical changes
1607	   of connectivity, then when the hardware indicates such a change, the
1608	   host should take this information into account in its mDNS cache
1609	   management strategy. For example, a host may choose to immediately
1610	   flush all cache records received on a particular interface when that
1611	   cable is disconnected. Alternatively, a host may choose to adjust the
1612	   remaining TTL on all those records to a few seconds so that if the
1613	   cable is not reconnected quickly, those records will expire from the
1614	   cache.

1616	   Likewise, when a host reboots, or wakes from sleep, or undergoes some
1617	   other similar discontinuous state change, the cache management
1618	   strategy should take that information into account.

1620	11.5 Cache Flush on Failure Indication

1622	   Sometimes a cache record can be determined to be stale when a client
1623	   attempts to use the rdata it contains, and finds that rdata to be
1624	   incorrect.

1626	   For example, the rdata in an address record can be determined to be
1627	   incorrect if attempts to contact that host fail, either because
1628	   ARP/ND requests for that address go unanswered (for an address on a
1629	   local subnet) or because a router returns an ICMP "Host Unreachable"
1630	   error (for an address on a remote subnet).

1632	   The rdata in an SRV record can be determined to be incorrect if
1633	   attempts to communicate with the indicated service at the host and
1634	   port number indicated are not successful.

1636	   The rdata in a DNS-SD PTR record can be determined to be incorrect if
1637	   attempts to look up the SRV record it references are not successful.

1639	   In any such case, the software implementing the mDNS resource record
1640	   cache should provide a mechanism so that clients detecting stale
1641	   rdata can inform the cache.

1643	   When the cache receives this hint that it should reconfirm some
1644	   record, it MUST issue two or more queries for the resource record in
1645	   question. If no response is received in a reasonable amount of time,
1646	   then, even though its TTL may indicate that it is not yet due to
1647	   expire, that record SHOULD be promptly flushed from the cache.

1649	   The end result of this is that if a printer suffers a sudden power
1650	   failure or other abrupt disconnection from the network, its name
1651	   may continue to appear in DNS-SD browser lists displayed on users'
1652	   screens. Eventually that entry will expire from the cache naturally,
1653	   but if a user tries to access the printer before that happens, the
1654	   failure to successfully contact the printer will trigger the more
1655	   hasty demise of its cache entries. This is a sensible trade-off
1656	   between good user-experience and good network efficiency. If we were
1657	   to insist that printers should disappear from the printer list within
1658	   30 seconds of becoming unavailable, for all failure modes, the only
1659	   way to achieve this would be for the client to poll the printer at
1660	   least every 30 seconds, or for the printer to announce its presence
1661	   at least every 30 seconds, both of which would be an unreasonable
1662	   burden on most networks.

1664	11.6 Passive Observation of Failures

1666	   A host observes the multicast queries issued by the other hosts on
1667	   the network. One of the major benefits of also sending responses
1668	   using multicast is that it allows all hosts to see the responses (or
1669	   lack thereof) to those queries.

1671	   If a host sees queries, for which a record in its cache would be
1672	   expected to be given as an answer in a multicast response, but no
1673	   such answer is seen, then the host may take this as an indication
1674	   that the record may no longer be valid.

1676	   After seeing two or more of these queries, and seeing no multicast
1677	   response containing the expected answer within a reasonable amount of
1678	   time, then even though its TTL may indicate that it is not yet due to
1679	   expire, that record MAY be flushed from the cache. The host SHOULD
1680	   NOT perform its own queries to re-confirm that the record is truly
1681	   gone. If every host on a large network were to do this, it would
1682	   cause a lot of unnecessary multicast traffic. If host A sends
1683	   multicast queries that remain unanswered, then there is no reason
1684	   to suppose that host B or any other host is likely to be any more
1685	   successful.

1687	   The previous section, "Cache Flush on Failure Indication", describes
1688	   a situation where a user trying to print discovers that the printer
1689	   is no longer available. By implementing the passive observation
1690	   described here, when one user fails to contact the printer, all
1691	   hosts on the network observe that failure and update their caches
1692	   accordingly.

1694	12. Special Characteristics of Multicast DNS Domains

1696	   Unlike conventional DNS names, names that end in ".local." or
1697	   "254.169.in-addr.arpa." have only local significance. The same is
1698	   true of names within the IPv6 Link-Local reverse mapping domains.

1700	   Conventional Unicast DNS seeks to provide a single unified namespace,
1701	   where a given DNS query yields the same answer no matter where on the
1702	   planet it is performed or to which recursive DNS server the query is
1703	   sent. In contrast, each IP link has its own private ".local.",
1704	   "254.169.in-addr.arpa." and IPv6 Link-Local reverse mapping
1705	   namespaces, and the answer to any query for a name within those
1706	   domains depends on where that query is asked. (This characteristic is
1707	   not unique to Multicast DNS. Although the original concept of DNS was
1708	   a single global namespace, in recent years split views, firewalls,
1709	   intranets, and the like have increasingly meant that the answer to a
1710	   given DNS query has become dependent on the location of the querier.)

1712	   The IPv4 name server for a Multicast DNS Domain is 224.0.0.251. The
1713	   IPv6 name server for a Multicast DNS Domain is FF02::FB. These are
1714	   multicast addresses; therefore they identify not a single host but a
1715	   collection of hosts, working in cooperation to maintain some
1716	   reasonable facsimile of a competently managed DNS zone. Conceptually
1717	   a Multicast DNS Domain is a single DNS zone, however its server is
1718	   implemented as a distributed process running on a cluster of loosely
1719	   cooperating CPUs rather than as a single process running on a single
1720	   CPU.

1722	   Multicast DNS Domains are not delegated from their parent domain via
1723	   use of NS records, and there is also no concept of delegation of
1724	   subdomains within a Multicast DNS Domain. Just because a particular
1725	   host on the network may answer queries for a particular record type
1726	   with the name "example.local." does not imply anything about whether
1727	   that host will answer for the name "child.example.local.", or indeed
1728	   for other record types with the name "example.local."

1730	   There are no NS records anywhere in Multicast DNS Domains. Instead,
1731	   the Multicast DNS Domains are reserved by IANA and there is
1732	   effectively an implicit delegation of all Multicast DNS Domains to
1733	   the IP addresses 224.0.0.251 and FF02::FB, by virtue of client
1734	   software implementing the protocol rules specified in this document.

1736	   Multicast DNS Zones have no SOA record. A conventional DNS zone's
1737	   SOA record contains information such as the email address of the zone
1738	   administrator and the monotonically increasing serial number of the
1739	   last zone modification. There is no single human administrator for
1740	   any given Multicast DNS Zone, so there is no email address. Because
1741	   the hosts managing any given Multicast DNS Zone are only loosely
1742	   coordinated, there is no readily available monotonically increasing
1743	   serial number to determine whether or not the zone contents have
1744	   changed. A host holding part of the shared zone could crash or be
1745	   disconnected from the network at any time without informing the other
1746	   hosts. There is no reliable way to provide a zone serial number that
1747	   would, whenever such a crash or disconnection occurred, immediately
1748	   change to indicate that the contents of the shared zone had changed.

1750	   Zone transfers are not possible for any Multicast DNS Zone.

1752	13. Multicast DNS for Service Discovery

1754	   This document does not describe using Multicast DNS for network
1755	   browsing or service discovery. However, the mechanisms this document
1756	   describes are compatible with and enable the browsing and service
1757	   discovery mechanisms specified in "DNS-Based Service Discovery"
1758	   [DNS-SD].

1760	14. Enabling and Disabling Multicast DNS

1762	   The option to fail-over to Multicast DNS for names not ending
1763	   in ".local." SHOULD be a user-configured option, and SHOULD
1764	   be disabled by default because of the possible security issues
1765	   related to unintended local resolution of apparently global names.

1767	   The option to lookup unqualified (relative) names by appending
1768	   ".local." (or not) is controlled by whether ".local." appears
1769	   (or not) in the client's DNS search list.

1771	   No special control is needed for enabling and disabling Multicast DNS
1772	   for names explicitly ending with ".local." as entered by the user.
1773	   The user doesn't need a way to disable Multicast DNS for names ending
1774	   with ".local.", because if the user doesn't want to use Multicast
1775	   DNS, they can achieve this by simply not using those names. If a user
1776	   *does* enter a name ending in ".local.", then we can safely assume
1777	   the user's intention was probably that it should work. Having user
1778	   configuration options that can be (intentionally or unintentionally)
1779	   set so that local names don't work is just one more way of
1780	   frustrating the user's ability to perform the tasks they want,
1781	   perpetuating the view that, "IP networking is too complicated to
1782	   configure and too hard to use."

1784	15. Considerations for Multiple Interfaces

1786	   A host SHOULD defend its dot-local host name on all active interfaces
1787	   on which it is answering Multicast DNS queries.

1789	   In the event of a name conflict on *any* interface, a host should
1790	   configure a new host name, if it wishes to maintain uniqueness of its
1791	   host name.

1793	   A host may choose to use the same name for all of its address records
1794	   on all interfaces, or it may choose to manage its Multicast DNS host
1795	   name(s) independently on each interface, potentially answering to
1796	   different names on different interfaces.

1798	   When answering a Multicast DNS query, a multi-homed host with a
1799	   link-local address (or addresses) SHOULD take care to ensure that
1800	   any address going out in a Multicast DNS response is valid for use
1801	   on the interface on which the response is going out.

1803	   Just as the same link-local IP address may validly be in use
1804	   simultaneously on different links by different hosts, the same
1805	   link-local host name may validly be in use simultaneously on
1806	   different links, and this is not an error. A multi-homed host with
1807	   connections to two different links may be able to communicate with
1808	   two different hosts that are validly using the same name. While this
1809	   kind of name duplication should be rare, it means that a host that
1810	   wants to fully support this case needs network programming APIs that
1811	   allow applications to specify on what interface to perform a
1812	   link-local Multicast DNS query, and to discover on what interface a
1813	   Multicast DNS response was received.

1815	   There is one other special precaution that multi-homed hosts need to
1816	   take. It's common with today's laptop computers to have an Ethernet
1817	   connection and an 802.11 [IEEE W] wireless connection active at the
1818	   same time. What the software on the laptop computer can't easily tell
1819	   is whether the wireless connection is in fact bridged onto the same
1820	   network segment as its Ethernet connection. If the two networks are
1821	   bridged together, then packets the host sends on one interface will
1822	   arrive on the other interface a few milliseconds later, and care must
1823	   be taken to ensure that this bridging does not cause problems:

1825	   When the host announces its host name (i.e. its address records) on
1826	   its wireless interface, those announcement records are sent with the
1827	   cache-flush bit set, so when they arrive on the Ethernet segment,
1828	   they will cause all the peers on the Ethernet to flush the host's
1829	   Ethernet address records from their caches. The mDNS protocol has a
1830	   safeguard to protect against this situation: when records are
1831	   received with the cache-flush bit set, other records are not deleted
1832	   from peer caches immediately, but are marked for deletion in one
1833	   second. When the host sees its own wireless address records arrive on
1834	   its Ethernet interface, with the cache-flush bit set, this one-second
1835	   grace period gives the host time to respond and re-announce its
1836	   Ethernet address records, to reinstate those records in peer caches
1837	   before they are deleted.

1839	   As described, this solves one problem, but creates another, because
1840	   when those Ethernet announcement records arrive back on the wireless
1841	   interface, the host would again respond defensively to reinstate its
1842	   wireless records, and this process would continue forever,
1843	   continuously flooding the network with traffic. The mDNS protocol has
1844	   a second safeguard, to solve this problem: the cache-flush bit does
1845	   not apply to records received very recently, within the last second.
1846	   This means that when the host sees its own Ethernet address records
1847	   arrive on its wireless interface, with the cache-flush bit set, it
1848	   knows there's no need to re-announce its wireless address records
1849	   again because it already sent them less than a second ago, and this
1850	   makes them immune from deletion from peer caches.

1852	16. Considerations for Multiple Responders on the Same Machine

1854	   It is possible to have more than one Multicast DNS Responder and/or
1855	   Querier implementation coexist on the same machine, but there are
1856	   some known issues.

1858	16.1 Receiving Unicast Responses

1860	   In most operating systems, incoming multicast packets can be
1861	   delivered to *all* open sockets bound to the right port number,
1862	   provided that the clients take the appropriate steps to allow this.
1863	   For this reason, all Multicast DNS implementations SHOULD use the
1864	   SO_REUSEPORT and/or SO_REUSEADDR options (or equivalent as
1865	   appropriate for the operating system in question) so they will all be
1866	   able to bind to UDP port 5353 and receive incoming multicast packets
1867	   addressed to that port. However, incoming unicast UDP packets are
1868	   typically delivered only to the first socket to bind to that port.
1869	   This means that "QU" responses and other packets sent via unicast
1870	   will be received only by the first Multicast DNS Responder and/or
1871	   Querier on a system. This limitation can be partially mitigated if
1872	   Multicast DNS implementations detect when they are not the first
1873	   to bind to port 5353, and in that case they do not request "QU"
1874	   responses. One way to detect if there is another Multicast DNS
1875	   implementation already running is to attempt binding to port 5353
1876	   without using SO_REUSEPORT and/or SO_REUSEADDR, and if that fails
1877	   it indicates that some other socket is already bound to this port.

1879	16.2 Multi-Packet Known-Answer lists

1881	   When a Multicast DNS Querier issues a query with too many known
1882	   answers to fit into a single packet, it divides the known answer list
1883	   into two or more packets. Multicast DNS Responders associate the
1884	   initial truncated query with its continuation packets by examining
1885	   the source IP address in each packet. Since two independent Multicast
1886	   DNS Queriers running on the same machine will be sending packets with
1887	   the same source IP address, from an outside perspective they appear
1888	   to be a single entity. If both Queriers happened to send the same
1889	   multi-packet query at the same time, with different known answer
1890	   lists, then they could each end up suppressing answers that the other
1891	   needs.

1893	16.3 Efficiency

1895	   If different clients on a machine were to each have their own
1896	   separate independent Multicast DNS implementation, they would lose
1897	   certain efficiency benefits. Apart from the unnecessary code
1898	   duplication, memory usage, and CPU load, the clients wouldn't get the
1899	   benefit of a shared system-wide cache, and they would not be able to
1900	   aggregate separate queries into single packets to reduce network
1901	   traffic.

1903	16.4 Recommendation

1905	   Because of these issues, this document encourages implementers to
1906	   design systems with a single Multicast DNS implementation that
1907	   provides Multicast DNS services shared by all clients on that
1908	   machine, much as most operating systems today have a single TCP
1909	   implementation, which is shared between all clients on that machine.
1910	   Due to engineering constraints, there may be situations where
1911	   embedding a Multicast DNS implementation in the client is the most
1912	   expedient solution, and while this will usually work in practice,
1913	   implementers should be aware of the issues outlined in this section.

1915	17. Multicast DNS Character Set

1917	   Historically, unicast DNS has been plagued by the lack of any support
1918	   for non-US characters. Indeed, conventional DNS is usually limited to
1919	   just letters, digits and hyphens, not even allowing spaces or other
1920	   punctuation. Attempts to remedy this for unicast DNS have been badly
1921	   constrained by the perceived need to accommodate old buggy legacy DNS
1922	   implementations. In reality, the DNS specification actually imposes
1923	   no limits on what characters may be used in names, and good DNS
1924	   implementations handle any arbitrary eight-bit data without trouble.
1925	   "Clarifications to the DNS Specification" [RFC 2181] directly
1926	   discusses the subject of allowable character set in Section 11 ("Name
1927	   syntax"), and explicitly states that DNS names may contain arbitrary
1928	   eight-bit data. However, the old rules for ARPANET host names back in
1929	   the 1980s required host names to be just letters, digits, and hyphens
1930	   [RFC 1034], and since the predominant use of DNS is to store host
1931	   address records, many have assumed that the DNS protocol itself
1932	   suffers from the same limitation. It might be accurate to say that
1933	   there could be hypothetical bad implementations that do not handle
1934	   eight-bit data correctly, but it would not be accurate to say that
1935	   the protocol doesn't allow names containing eight-bit data.

1937	   Multicast DNS is a new protocol and doesn't (yet) have old buggy
1938	   legacy implementations to constrain the design choices. Accordingly,
1939	   it adopts the simple obvious elegant solution: all names in Multicast
1940	   DNS are encoded using precomposed UTF-8 [RFC 3629]. The characters
1941	   SHOULD conform to Unicode Normalization Form C (NFC) [UAX15]: Use
1942	   precomposed characters instead of combining sequences where possible,
1943	   e.g. use U+00C4 ("Latin capital letter A with diaeresis") instead of
1944	   U+0041 U+0308 ("Latin capital letter A", "combining diaeresis").

1946	   Some users of 16-bit Unicode have taken to stuffing a "zero-width
1947	   non-breaking space" character (U+FEFF) at the start of each UTF-16
1948	   file, as a hint to identify whether the data is big-endian or
1949	   little-endian, and calling it a "Byte Order Mark" (BOM). Since there
1950	   is only one possible byte order for UTF-8 data, a BOM is neither
1951	   necessary nor permitted. Multicast DNS names MUST NOT contain a "Byte
1952	   Order Mark". Any occurrence of the Unicode character U+FEFF at the
1953	   start or anywhere else in a Multicast DNS name MUST be interpreted as
1954	   being an actual intended part of the name, representing (just as for
1955	   any other legal unicode value) an actual literal instance of that
1956	   character (in this case a zero-width non-breaking space character).

1958	   For names that are restricted to letters, digits and hyphens, the
1959	   UTF-8 encoding is identical to the US-ASCII encoding, so this is
1960	   entirely compatible with existing host names. For characters outside
1961	   the US-ASCII range, UTF-8 encoding is used.

1963	   Multicast DNS implementations MUST NOT use any other encodings apart
1964	   from precomposed UTF-8 (US-ASCII being considered a compatible subset
1965	   of UTF-8). The reasons for selecting UTF-8 instead of Punycode
1966	   [RFC 3492] are discussed in Appendix F.

1968	   The simple rules for case-insensitivity in Unicast DNS also apply in
1969	   Multicast DNS; that is to say, in name comparisons, the lower-case
1970	   letters "a" to "z" (0x61 to 0x7A) match their upper-case equivalents
1971	   "A" to "Z" (0x41 to 0x5A). Hence, if a client issues a query for an
1972	   address record with the name "cheshire.local.", then a Responder
1973	   having an address record with the name "Cheshire.local." should
1974	   issue a response. No other automatic equivalences should be assumed.
1975	   In particular all UTF-8 multi-byte characters (codes 0x80 and higher)
1976	   are compared by simple binary comparison of the raw byte values.
1977	   Accented characters are *not* defined to be automatically equivalent
1978	   to their unaccented counterparts. Where automatic equivalences are
1979	   desired, this may be achieved through the use of programmatically-
1980	   generated CNAME records. For example, if a Responder has an address
1981	   record for an accented name Y, and a client issues a query for a name
1982	   X, where X is the same as Y with all the accents removed, then the
1983	   Responder may issue a response containing two resource records:
1984	   A CNAME record "X CNAME Y", asserting that the requested name X
1985	   (unaccented) is an alias for the true (accented) name Y, followed
1986	   by the address record for Y.

1988	18. Multicast DNS Message Size

1990	   RFC 1035 restricts DNS Messages carried by UDP to no more than 512
1991	   bytes (not counting the IP or UDP headers) [RFC 1035]. For UDP
1992	   packets carried over the wide-area Internet in 1987, this was
1993	   appropriate. For link-local multicast packets on today's networks,
1994	   there is no reason to retain this restriction. Given that the packets
1995	   are by definition link-local, there are no Path MTU issues to
1996	   consider.

1998	   Multicast DNS Messages carried by UDP may be up to the IP MTU of the
1999	   physical interface, less the space required for the IP header (20
2000	   bytes for IPv4; 40 bytes for IPv6) and the UDP header (8 bytes).

2002	   In the case of a single mDNS Resource Record which is too large to
2003	   fit in a single MTU-sized multicast response packet, a Multicast DNS
2004	   Responder SHOULD send the Resource Record alone, in a single IP
2005	   datagram, sent using multiple IP fragments. Resource Records this
2006	   large SHOULD be avoided, except in the very rare cases where they
2007	   really are the appropriate solution to the problem at hand.
2008	   Implementers should be aware that many simple devices do not
2009	   re-assemble fragmented IP datagrams, so large Resource Records
2010	   SHOULD NOT be used except in specialized cases where the implementer
2011	   knows that all receivers implement reassembly.

2013	   A Multicast DNS packet larger than the interface MTU, which is sent
2014	   using fragments, MUST NOT contain more than one Resource Record.

2016	   Even when fragmentation is used, a Multicast DNS packet, including IP
2017	   and UDP headers, MUST NOT exceed 9000 bytes. 9000 bytes is the
2018	   maximum payload size of an Ethernet "Jumbo" packet, which makes it a
2019	   convenient upper limit to specify for the maximum Multicast DNS
2020	   packet size. (In practice Ethernet "Jumbo" packets are not widely
2021	   used, so it is advantageous to keep packets under 1500 bytes whenever
2022	   possible.)

2024	19. Multicast DNS Message Format

2026	   This section describes specific rules pertaining to the allowable
2027	   values for the header fields of a Multicast DNS message, and other
2028	   message format considerations.

2030	19.1 ID (Query Identifier)

2032	   Multicast DNS clients SHOULD listen for gratuitous responses
2033	   issued by hosts booting up (or waking up from sleep or otherwise
2034	   joining the network). Since these gratuitous responses may contain a
2035	   useful answer to a question for which the client is currently
2036	   awaiting an answer, Multicast DNS clients SHOULD examine all received
2037	   Multicast DNS response messages for useful answers, without regard to
2038	   the contents of the ID field or the Question Section. In Multicast
2039	   DNS, knowing which particular query message (if any) is responsible
2040	   for eliciting a particular response message is less interesting than
2041	   knowing whether the response message contains useful information.

2043	   Multicast DNS clients MAY cache any or all Multicast DNS response
2044	   messages they receive, for possible future use, provided of course
2045	   that normal TTL aging is performed on these cached resource records.

2047	   In multicast query messages, the Query ID SHOULD be set to zero on
2048	   transmission.

2050	   In multicast responses, including gratuitous multicast responses, the
2051	   Query ID MUST be set to zero on transmission, and MUST be ignored on
2052	   reception.

2054	   In unicast response messages generated specifically in response to a
2055	   particular (unicast or multicast) query, the Query ID MUST match the
2056	   ID from the query message.

2058	19.2 QR (Query/Response) Bit

2060	   In query messages, MUST be zero.
2061	   In response messages, MUST be one.

2063	19.3 OPCODE

2065	   In both multicast query and multicast response messages, MUST be zero
2066	   (only standard queries are currently supported over multicast).

2068	19.4 AA (Authoritative Answer) Bit

2070	   In query messages, the Authoritative Answer bit MUST be zero on
2071	   transmission, and MUST be ignored on reception.

2073	   In response messages for Multicast Domains, the Authoritative Answer
2074	   bit MUST be set to one (not setting this bit would imply there's some
2075	   other place where "better" information may be found) and MUST be
2076	   ignored on reception.

2078	19.5 TC (Truncated) Bit

2080	   In query messages, if the TC bit is set, it means that additional
2081	   Known Answer records may be following shortly. A Responder SHOULD
2082	   record this fact, and wait for those additional Known Answer records,
2083	   before deciding whether to respond. If the TC bit is clear, it means
2084	   that the querying host has no additional Known Answers.

2086	   In multicast response messages, the TC bit MUST be zero on
2087	   transmission, and MUST be ignored on reception.

2089	   In legacy unicast response messages, the TC bit has the same meaning
2090	   as in conventional unicast DNS: it means that the response was too
2091	   large to fit in a single packet, so the client SHOULD re-issue its
2092	   query using TCP in order to receive the larger response.

2094	19.6 RD (Recursion Desired) Bit

2096	   In both multicast query and multicast response messages, the
2097	   Recursion Desired bit SHOULD be zero on transmission, and MUST be
2098	   ignored on reception.

2100	19.7 RA (Recursion Available) Bit

2102	   In both multicast query and multicast response messages, the
2103	   Recursion Available bit MUST be zero on transmission, and MUST be
2104	   ignored on reception.

2106	19.8 Z (Zero) Bit

2108	   In both query and response messages, the Zero bit MUST be zero on
2109	   transmission, and MUST be ignored on reception.

2111	19.9 AD (Authentic Data) Bit [RFC 2535]

2113	   In both multicast query and multicast response messages the Authentic
2114	   Data bit MUST be zero on transmission, and MUST be ignored on
2115	   reception.

2117	19.10 CD (Checking Disabled) Bit [RFC 2535]

2119	   In both multicast query and multicast response messages, the Checking
2120	   Disabled bit MUST be zero on transmission, and MUST be ignored on
2121	   reception.

2123	19.11 RCODE (Response Code)

2125	   In both multicast query and multicast response messages, the Response
2126	   Code MUST be zero on transmission. Multicast DNS messages received
2127	   with non-zero Response Codes MUST be silently ignored.

2129	19.12 Repurposing of top bit of qclass in Question Section

2131	   In the Question Section of a Multicast DNS Query, the top bit of the
2132	   qclass field is used to indicate that unicast responses are preferred
2133	   for this particular question.

2135	19.13 Repurposing of top bit of rrclass in Resource Record Sections

2137	   In the Resource Record Sections of a Multicast DNS Response, the top
2138	   bit of the rrclass field is used to indicate that the record is a
2139	   member of a unique RRSet, and the entire RRSet has been sent together
2140	   (in the same packet, or in consecutive packets if there are too many
2141	   records to fit in a single packet).

2143	19.14 Name Compression

2145	   When generating Multicast DNS packets, implementations SHOULD use
2146	   name compression wherever possible to compress the names of resource
2147	   records, by replacing some or all of the resource record name with a
2148	   compact two-byte reference to an appearance of that data somewhere
2149	   earlier in the packet [RFC 1035].

2151	   This applies not only to Multicast DNS Responses, but also to
2152	   Queries. When a Query contains more than one question, successive
2153	   questions often contain similar names, and consequently name
2154	   compression SHOULD be used, to save bytes. In addition, Queries
2155	   may also contain Known Answers in the Answer Section, or probe
2156	   tie-breaking data in the Authority Section, and these names SHOULD
2157	   similarly be compressed for network efficiency.

2159	   In addition to compressing the *names* of resource records, names
2160	   that appear within the *rdata* of the following rrtypes SHOULD also
2161	   be compressed in all Multicast DNS packets:

2163	     NS, CNAME, PTR, DNAME, SOA, MX, AFSDB, RT, KX, RP, PX, SRV, NSEC

2165	   Until future IETF Standards Action specifying that names in the rdata
2166	   of other types should be compressed, names that appear within the
2167	   rdata of any type not listed above MUST NOT be compressed.

2169	   Implementations receiving Multicast DNS packets MUST correctly decode
2170	   compressed names appearing in the Question Section, and compressed
2171	   names of resource records appearing in other sections.

2173	   In addition, implementations MUST correctly decode compressed names
2174	   appearing within the *rdata* of the rrtypes listed above. Where
2175	   possible, implementations SHOULD also correctly decode compressed
2176	   names appearing within the *rdata* of other rrtypes known to the
2177	   implementers at the time of implementation, because such
2178	   forward-thinking planning helps facilitate the deployment of future
2179	   implementations that may have reason to compress those rrtypes. It is
2180	   possible that no future IETF Standards Action will be created which
2181	   mandates or permits the compression of rdata in new types, but having
2182	   implementations designed such that they are capable of decompressing
2183	   all known types known helps keep future options open.

2185	   One specific difference between Unicast DNS and Multicast DNS is that
2186	   Unicast DNS does not allow name compression for the target host in an
2187	   SRV record, because Unicast DNS implementations before the first SRV
2188	   specification in 1996 [RFC 2052] may not decode these compressed
2189	   records properly. Since all Multicast DNS implementations were
2190	   created after 1996, all Multicast DNS implementations are REQUIRED to
2191	   decode compressed SRV records correctly.

2193	   In legacy unicast responses generated to answer legacy queries, name
2194	   compression MUST NOT be performed on SRV records.

2196	20. Summary of Differences Between Multicast DNS and Unicast DNS

2198	   The value of Multicast DNS is that it shares, as much as possible,
2199	   the familiar APIs, naming syntax, resource record types, etc., of
2200	   Unicast DNS. There are of course necessary differences by virtue of
2201	   it using multicast, and by virtue of it operating in a community of
2202	   cooperating peers, rather than a precisely defined hierarchy
2203	   controlled by a strict chain of formal delegations from the root.
2204	   These differences are summarized below:

2206	   Multicast DNS...
2207	   * uses multicast
2208	   * uses UDP port 5353 instead of port 53
2209	   * operates in well-defined parts of the DNS namespace
2210	   * uses UTF-8, and only UTF-8, to encode resource record names
2211	   * allows names up to 255 bytes plus a terminating zero byte
2212	   * allows name compression in rdata for SRV and other record types
2213	   * allows larger UDP packets
2214	   * allows more than one question in a query packet
2215	   * defines consistent results for qtype "ANY" and qclass "ANY" queries
2216	   * uses the Answer Section of a query to list Known Answers
2217	   * uses the TC bit in a query to indicate additional Known Answers
2218	   * uses the Authority Section of a query for probe tie-breaking
2219	   * ignores the Query ID field (except for generating legacy responses)
2220	   * doesn't require the question to be repeated in the response packet
2221	   * uses gratuitous responses to announce new records to the peer group
2222	   * uses NSEC records to signal non-existence of records
2223	   * defines a "unicast response" bit in the rrclass of query questions
2224	   * defines a "cache flush" bit in the rrclass of response answers
2225	   * uses DNS TTL 0 to indicate that a record has been deleted
2226	   * recommends AAAA records in the additional section when responding
2227	     to rrtype "A" queries, and vice versa
2228	   * monitors queries to perform Duplicate Question Suppression
2229	   * monitors responses to perform Duplicate Answer Suppression...
2230	   * ... and Ongoing Conflict Detection
2231	   * ... and Opportunistic Caching

2233	21. IPv6 Considerations

2235	   An IPv4-only host and an IPv6-only host behave as "ships that pass in
2236	   the night". Even if they are on the same Ethernet, neither is aware
2237	   of the other's traffic. For this reason, each physical link may have
2238	   *two* unrelated ".local." zones, one for IPv4 and one for IPv6.
2239	   Since for practical purposes, a group of IPv4-only hosts and a group
2240	   of IPv6-only hosts on the same Ethernet act as if they were on two
2241	   entirely separate Ethernet segments, it is unsurprising that their
2242	   use of the ".local." zone should occur exactly as it would if
2243	   they really were on two entirely separate Ethernet segments.

2245	   A dual-stack (v4/v6) host can participate in both ".local."
2246	   zones, and should register its name(s) and perform its lookups both
2247	   using IPv4 and IPv6. This enables it to reach, and be reached by,
2248	   both IPv4-only and IPv6-only hosts. In effect this acts like a
2249	   multi-homed host, with one connection to the logical "IPv4 Ethernet
2250	   segment", and a connection to the logical "IPv6 Ethernet segment".

2252	22. Security Considerations

2254	   The algorithm for detecting and resolving name conflicts is, by its
2255	   very nature, an algorithm that assumes cooperating participants. Its
2256	   purpose is to allow a group of hosts to arrive at a mutually disjoint
2257	   set of host names and other DNS resource record names, in the absence
2258	   of any central authority to coordinate this or mediate disputes. In
2259	   the absence of any higher authority to resolve disputes, the only
2260	   alternative is that the participants must work together cooperatively
2261	   to arrive at a resolution.

2263	   In an environment where the participants are mutually antagonistic
2264	   and unwilling to cooperate, other mechanisms are appropriate, like
2265	   manually configured DNS.

2267	   In an environment where there is a group of cooperating participants,
2268	   but there may be other antagonistic participants on the same physical
2269	   link, the cooperating participants need to use IPSEC signatures
2270	   and/or DNSSEC [RFC 2535] signatures so that they can distinguish mDNS
2271	   messages from trusted participants (which they process as usual) from
2272	   mDNS messages from untrusted participants (which they silently
2273	   discard).

2275	   When DNS queries for *global* DNS names are sent to the mDNS
2276	   multicast address (during network outages which disrupt communication
2277	   with the greater Internet) it is *especially* important to use
2278	   DNSSEC, because the user may have the impression that he or she is
2279	   communicating with some authentic host, when in fact he or she is
2280	   really communicating with some local host that is merely masquerading
2281	   as that name. This is less critical for names ending with ".local.",
2282	   because the user should be aware that those names have only local
2283	   significance and no global authority is implied.

2285	   Most computer users neglect to type the trailing dot at the end of a
2286	   fully qualified domain name, making it a relative domain name (e.g.
2287	   "www.example.com"). In the event of network outage, attempts to
2288	   positively resolve the name as entered will fail, resulting in
2289	   application of the search list, including ".local.", if present.
2290	   A malicious host could masquerade as "www.example.com." by answering
2291	   the resulting Multicast DNS query for "www.example.com.local."
2292	   To avoid this, a host MUST NOT append the search suffix
2293	   ".local.", if present, to any relative (partially qualified)
2294	   host name containing two or more labels. Appending ".local." to
2295	   single-label relative host names is acceptable, since the user
2296	   should have no expectation that a single-label host name will
2297	   resolve as-is. However, users who have both "example.com" and "local"
2298	   in their search lists should be aware that if they type "www" into
2299	   their web browser, it may not be immediately clear to them whether
2300	   the page that appears is "www.example.com" or "www.local".

2302	   Multicast DNS uses UDP port 5353. On operating systems where only
2303	   privileged processes are allowed to use ports below 1024, no such
2304	   privilege is required to use port 5353.

2306	23. IANA Considerations

2308	   IANA has allocated the IPv4 link-local multicast address 224.0.0.251
2309	   for the use described in this document.

2311	   IANA has allocated the IPv6 multicast address set FF0X::FB
2312	   for the use described in this document. Only address FF02::FB
2313	   (Link-Local Scope) is currently in use by deployed software,
2314	   but it is possible that in future implementers may experiment
2315	   with Multicast DNS using larger-scoped addresses, such as FF05::FB
2316	   (Site-Local Scope) [RFC 4291].

2318	   When this document is published, IANA should designate a list of
2319	   domains which are deemed to have only link-local significance, as
2320	   described in Section 12 of this document ("Special Characteristics of
2321	   Multicast DNS Domains"). For discussion of why maintaining this list
2322	   of reserved domains is an IANA funtion rather than an ICANN function,
2323	   see Appendix G. For discussion of other "private" DNS Namespaces see
2324	   Appendix H.

2326	   Specifically, the designated link-local domains are:

2328	      local.
2329	      254.169.in-addr.arpa.
2330	      8.e.f.ip6.arpa.
2331	      9.e.f.ip6.arpa.
2332	      a.e.f.ip6.arpa.
2333	      b.e.f.ip6.arpa.

2335	   These domains, and any of their subdomains (e.g. "myprinter.local.",
2336	   "34.12.254.169.in-addr.arpa.", "Ink-Jet._pdl-datastream._tcp.local.")
2337	   are special in the following ways:

2339	    1. Users may use these names as they would other DNS names, entering
2340	       them anywhere that they would otherwise enter a conventional
2341	       DNS name, or a dotted decimal IPv4 address, or a literal IPv6
2342	       address.

2344	       Since there is no central authority responsible for assigning
2345	       dot-local names, and all devices on the local network are equally
2346	       entitled to claim any dot-local name, users SHOULD be aware of
2347	       this and SHOULD exercise appropriate caution. In an untrusted or
2348	       unfamiliar network environment, users SHOULD be aware that using
2349	       a name like "www.local" may not actually connect them to the web
2350	       site they expected, and could easily connect them to a different
2351	       web page, or even a fake or spoof of their intended web site,
2352	       designed to trick them into revealing confidential information.
2353	       As always with networking, end-to-end cryptographic security can
2354	       be a useful tool. For example, when connecting with ssh, the ssh
2355	       host key verification process will inform the user if it detects
2356	       that the identity of the entity they are communicating with has
2357	       changed since the last time they connected to that name.

2359	    2. Application software may use these names as they would other
2360	       similar DNS names, and is not required to recognize the names
2361	       and treat them specially. Due to the relative ease of spoofing
2362	       dot-local names, end-to-end cryptographic security remains
2363	       important when communicating across a local network, as it
2364	       is when communicating across the global Internet.

2366	    3. Name resolutions APIs and libraries SHOULD recognize these names
2367	       as special and SHOULD NOT send queries for these names to their
2368	       configured (unicast) caching DNS server(s).

2370	    4. Caching DNS servers SHOULD recognize these names as special and
2371	       SHOULD NOT attempt to look up NS records for them or otherwise
2372	       query authoritative DNS servers in an attempt to resolve these
2373	       names. Instead, caching DNS servers SHOULD generate immediate
2374	       NXDOMAIN responses for all such queries they may receive (from
2375	       misbehaving name resolver libraries).

2377	    5. Authoritative DNS servers SHOULD NOT by default be configurable
2378	       to answer queries for these names, and, like caching DNS servers,
2379	       SHOULD generate immediate NXDOMAIN responses for all such queries
2380	       they may receive. DNS server software MAY provide a configuration
2381	       option to override this default, for testing purposes or other
2382	       specialized uses.

2384	    6. DNS server operators SHOULD NOT attempt to configure
2385	       authoritative DNS servers to act as authoritative for any of
2386	       these names. Configuring an authoritative DNS server to act as
2387	       authoritative for any of these names may not, in many cases,
2388	       yield the expected result, since name resolver libraries and
2389	       caching DNS servers SHOULD NOT send queries for those names
2390	       (see 3 and 4 above), so such queries SHOULD be suppressed before
2391	       they even reach the authoritative DNS server in question, and
2392	       consequently it will not get the opportunity to answer them.

2394	    7. DNS Registrars MUST NOT allow any of these names to be registered
2395	       in the normal way to any person or entity. These names are
2396	       reserved protocol identifiers with special meaning and fall
2397	       outside the set of names available for allocation by registrars.
2398	       Attempting to allocate one of these names as if it were a normal
2399	       DNS domain name will probably not work as desired, for reasons 3,
2400	       4 and 6 above.

2402	   These names function primarily as protocol identifiers, rather than
2403	   as user-visible identifiers, and even though they may occasionally be
2404	   visible to end users, that is not their primary purpose. As such
2405	   these names should be treated as opaque identifiers. In particular,
2406	   the string "local" should not be translated or localized into
2407	   different languages, much as the name "localhost" is not translated
2408	   or localized into different languages.

2410	   The re-use of the top bit of the rrclass field in the Question and
2411	   Resource Record Sections means that Multicast DNS can only carry DNS
2412	   records with classes in the range 0-32767. Classes in the range 32768
2413	   to 65535 are incompatible with Multicast DNS. However, since to-date
2414	   only three DNS classes have been assigned by IANA (1, 3 and 4), and
2415	   only one (1, "Internet") is actually in widespread use, this
2416	   limitation is likely to remain a purely theoretical one.

2418	   No other IANA services are required by this document.

2420	24. Acknowledgments

2422	   The concepts described in this document have been explored, developed
2423	   and implemented with help from Freek Dijkstra, Erik Guttman, Paul
2424	   Vixie, Bill Woodcock, and others. Special thanks go to Bob Bradley,
2425	   Josh Graessley, Scott Herscher, Rory McGuire, Roger Pantos and Kiren
2426	   Sekar for their significant contributions.

2428	25. Copyright Notice

2430	   Copyright (c) 2010 IETF Trust and the persons identified as the
2431	   document authors.  All rights reserved.

2433	   This document is subject to BCP 78 and the IETF Trust's Legal
2434	   Provisions Relating to IETF Documents
2435	   (http://trustee.ietf.org/license-info) in effect on the date of
2436	   publication of this document.  Please review these documents
2437	   carefully, as they describe your rights and restrictions with respect
2438	   to this document.

2440	26. Normative References

2442	   [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
2443	              Facilities", STD 13, RFC 1034, November 1987.

2445	   [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
2446	              Specification", STD 13, RFC 1035, November 1987.

2448	   [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
2449	              Requirement Levels", RFC 2119, March 1997.

2451	   [RFC 3629] Yergeau, F., "UTF-8, a transformation format of ISO
2452	              10646", RFC 3629, November 2003.

2454	   [RFC 3845] Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
2455	              RDATA Format", RFC 3845, August 2004.

2457	   [UAX15]    "Unicode Normalization Forms"
2458	              <http://www.unicode.org/reports/tr15/>

2460	27. Informative References

2462	   [B4W]      Bonjour for Windows
2463	              <http://en.wikipedia.org/wiki/Bonjour_(software)>

2465	   [DNS-SD]   Cheshire, S., and M. Krochmal, "DNS-Based Service
2466	              Discovery", Internet-Draft (work in progress),
2467	              draft-cheshire-dnsext-dns-sd-06.txt, March 2010.

2469	   [IEEE 802] IEEE Standards for Local and Metropolitan Area Networks:
2470	              Overview and Architecture.
2471	              Institute of Electrical and Electronic Engineers,
2472	              IEEE Standard 802, 1990.

2474	   [IEEE W]   <http://standards.ieee.org/wireless/>

2476	   [ATalk]    Cheshire, S., and M. Krochmal,
2477	              "Requirements for a Protocol to Replace AppleTalk NBP",
2478	              Internet-Draft (work in progress),
2479	              draft-cheshire-dnsext-nbp-08.txt, March 2010.

2481	   [RFC 2052] Gulbrandsen, A., et al., "A DNS RR for specifying the
2482	              location of services (DNS SRV)", RFC 2782, October 1996.

2484	   [RFC 2132] Alexander, S., and Droms, R., "DHCP Options and BOOTP
2485	              Vendor Extensions", RFC 2132, March 1997.

2487	   [RFC 2136] Vixie, P., et al., "Dynamic Updates in the Domain Name
2488	              System (DNS UPDATE)", RFC 2136, April 1997.

2490	   [RFC 2181] Elz, R., and Bush, R., "Clarifications to the DNS
2491	              Specification", RFC 2181, July 1997.

2493	   [RFC 2461] T. Narten, E. Nordmark, and W. Simpson, "Neighbor
2494	              Discovery for IP Version 6", RFC 2461, December 1998.

2496	   [RFC 2462] S. Thomson and T. Narten, "IPv6 Stateless Address
2497	              Autoconfiguration", RFC 2462, December 1998.

2499	   [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
2500	              RFC 2535, March 1999.

2502	   [RFC 2606] Eastlake, D., and A. Panitz, "Reserved Top Level DNS
2503	              Names", RFC 2606, June 1999.

2505	   [RFC 2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
2506	              RFC 2671, August 1999.

2508	   [RFC 2845] Vixie, P., et al., "Secret Key Transaction Authentication
2509	              for DNS (TSIG)", RFC 2845, May 2000.

2511	   [RFC 2860] Carpenter, B., Baker, F. and M. Roberts, "Memorandum
2512	              of Understanding Concerning the Technical Work of the
2513	              Internet Assigned Numbers Authority", RFC 2860, June
2514	              2000.

2516	   [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS
2517	              (TKEY RR)", RFC 2930, September 2000.

2519	   [RFC 2931] Eastlake, D., "DNS Request and Transaction Signatures
2520	              ( SIG(0)s )", RFC 2931, September 2000.

2522	   [RFC 3492] Costello, A., "Punycode: A Bootstring encoding of
2523	              Unicode for use with Internationalized Domain Names
2524	              in Applications (IDNA)", RFC 3492, March 2003.

2526	   [RFC 3927] Cheshire, S., B. Aboba, and E. Guttman,
2527	              "Dynamic Configuration of IPv4 Link-Local Addresses",
2528	              RFC 3927, May 2005.

2530	   [RFC 4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
2531	              Architecture", RFC 4291, February 2006.

2533	   [Zeroconf] Cheshire, S. and D. Steinberg, "Zero Configuration
2534	              Networking: The Definitive Guide", O'Reilly Media, Inc.,
2535	              December 2005.

2537	28. Authors' Addresses

2539	   Stuart Cheshire
2540	   Apple Inc.
2541	   1 Infinite Loop
2542	   Cupertino
2543	   California 95014
2544	   USA

2546	   Phone: +1 408 974 3207
2547	   EMail: cheshire@apple.com

2549	   Marc Krochmal
2550	   Apple Inc.
2551	   1 Infinite Loop
2552	   Cupertino
2553	   California 95014
2554	   USA

2556	   Phone: +1 408 974 4368
2557	   EMail: marc@apple.com

2559	Appendix A. Design Rationale for Choice of UDP Port Number

2561	   Arguments were made for and against using Multicast on UDP port 53.
2562	   The final decision was to use UDP port 5353. Some of the arguments
2563	   for and against are given below.

2565	   Arguments for using UDP port 53:

2567	   * This is "just DNS", so it should be the same port.

2569	   * There is less work to be done updating old clients to do simple
2570	     mDNS queries. Only the destination address need be changed.
2571	     In some cases, this can be achieved without any code changes,
2572	     just by adding the address 224.0.0.251 to a configuration file.

2574	   Arguments for using a different port (UDP port 5353):

2576	   * This is not "just DNS". This is a DNS-like protocol, but different.

2578	   * Changing client code to use a different port number is not hard.

2580	   * Using the same port number makes it hard to run an mDNS Responder
2581	     and a conventional unicast DNS server on the same machine. If a
2582	     conventional unicast DNS server wishes to implement mDNS as well,
2583	     it can still do that, by opening two sockets. Having two different
2584	     port numbers allows this flexibility.

2586	   * Some VPN software hijacks all outgoing traffic to port 53 and
2587	     redirects it to a special DNS server set up to serve those VPN
2588	     clients while they are connected to the corporate network. It is
2589	     questionable whether this is the right thing to do, but it is
2590	     common, and redirecting link-local multicast DNS packets to a
2591	     remote server rarely produces any useful results. It does mean,
2592	     for example, that the user becomes unable to access their local
2593	     network printer sitting on their desk right next to their computer.
2594	     Using a different UDP port helps avoid this particular problem.

2596	   * On many operating systems, unprivileged clients may not send or
2597	     receive packets on low-numbered ports. This means that any client
2598	     sending or receiving mDNS packets on port 53 would have to run
2599	     as "root", which is an undesirable security risk. Using a higher-
2600	     numbered UDP port avoids this restriction.

2602	Appendix B. Design Rationale for Not Using Hashed Multicast Addresses

2604	   Some discovery protocols use a range of multicast addresses, and
2605	   determine the address to be used by a hash function of the name being
2606	   sought. Queries are sent via multicast to the address as indicated by
2607	   the hash function, and responses are returned to the querier via
2608	   unicast. Particularly in IPv6, where multicast addresses are
2609	   extremely plentiful, this approach is frequently advocated.
2610	   For example, IPv6 Neighbor Discovery [RFC 2461] sends Neighbor
2611	   Solicitation messages to the "solicited-node multicast address",
2612	   which is computed as a function of the solicited IPv6 address.

2614	   There are some disadvantages to using hashed multicast addresses
2615	   like this in a service discovery protocol:

2617	   * When a host has a large number of records with different names, the
2618	     host may have to join a large number of multicast groups. This can
2619	     place undue burden on the Ethernet hardware, which typically
2620	     supports a limited number of multicast addresses efficiently. When
2621	     this number is exceeded, the Ethernet hardware may have to resort
2622	     to receiving all multicasts and passing them up to the host
2623	     networking code for filtering in software, thereby defeating much
2624	     of the point of using a multicast address range in the first place.

2626	   * Multiple questions cannot be placed in one packet if they don't all
2627	     hash to the same multicast address.

2629	   * Duplicate Question Suppression doesn't work if queriers are not
2630	     seeing each other's queries.

2632	   * Duplicate Answer Suppression doesn't work if Responders are not
2633	     seeing each other's responses.

2635	   * Opportunistic Caching doesn't work.

2637	   * Ongoing Conflict Detection doesn't work.

2639	Appendix C. Design Rationale for Maximum Multicast DNS Name Length

2641	   Multicast DNS domain names may be up to 255 bytes long, not counting
2642	   the terminating zero byte at the end.

2644	   "Domain Names - Implementation and Specification" [RFC 1035] says:

2646	     Various objects and parameters in the DNS have size limits.
2647	     They are listed below.  Some could be easily changed, others
2648	     are more fundamental.

2650	     labels          63 octets or less

2652	     names           255 octets or less

2654	     ...

2656	     the total length of a domain name (i.e., label octets and
2657	     label length octets) is restricted to 255 octets or less.

2659	   This text does not state whether this 255-byte limit includes the
2660	   terminating zero at the end of every name.

2662	   Several factors lead us to conclude that the 255-byte limit does
2663	   *not* include the terminating zero:

2665	   o It is common in software engineering to have size limits that
2666	     are a power of two, or a multiple of a power of two, for
2667	     efficiency. For example, an integer on a modern processor is
2668	     typically 2, 4, or 8 bytes, not 3 or 5 bytes. The number 255 is not
2669	     a power of two, nor is it to most people a particularly noteworthy
2670	     number. It is noteworthy to computer scientists for only one reason
2671	     -- because it is exactly one *less* than a power of two. When a
2672	     size limit is exactly one less than a power of two, that suggests
2673	     strongly that the one extra byte is being reserved for some
2674	     specific reason -- in this case reserved perhaps to leave room
2675	     for a terminating zero at the end.

2677	   o In the case of DNS label lengths, the stated limit is 63 bytes.
2678	     As with the total name length, this limit is exactly one less than
2679	     a power of two. This label length limit also excludes the label
2680	     length byte at the start of every label. Including that extra byte,
2681	     a 63-byte label takes 64 bytes of space in memory or in a DNS
2682	     packet.

2684	   o It is common in software engineering for the semantic "length"
2685	     of an object to be one less than the number of bytes it takes to
2686	     store that object. For example, in C, strlen("foo") is 3, but
2687	     sizeof("foo") (which includes the terminating zero byte at the end)
2688	     is 4.

2690	   o The text describing the total length of a domain name mentions
2691	     explicitly that label length and data octets are included, but does
2692	     not mention the terminating zero at the end. The zero byte at the
2693	     end of a domain name is not a label length. Indeed, the value zero
2694	     is chosen as the terminating marker precisely because it is not a
2695	     legal length byte value -- DNS prohibits empty labels. For example,
2696	     a name like "bad..name." is not a valid domain name because it
2697	     contains a zero-length label in the middle, which cannot be
2698	     expressed in a DNS packet, because software parsing the packet
2699	     would misinterpret a zero label-length byte as being a zero
2700	     "end of name" marker instead.

2702	   Finally, "Clarifications to the DNS Specification" [RFC 2181] offers
2703	   additional confirmation that in the context of DNS specifications the
2704	   stated "length" of a domain name does not include the terminating
2705	   zero byte at the end. That document refers to the root name, which
2706	   is typically written as "." and is represented in a DNS packet by
2707	   a single lone zero byte (i.e. zero bytes of data plus a terminating
2708	   zero), as the "zero length full name":

2710	     The zero length full name is defined as representing the root
2711	     of the DNS tree, and is typically written and displayed as ".".

2713	   This wording supports the interpretation that, in a DNS context, when
2714	   talking about lengths of names, the terminating zero byte at the end
2715	   is not counted. If the root name (".") is considered to be zero
2716	   length, then to be consistent, the length (for example) of "org" has
2717	   to be 4 and the length of "ietf.org" has to be 9, as shown below:

2719	                                                  ------
2720	                                                 | 0x00 |   length = 0
2721	                                                  ------

2723	                             ------------------   ------
2724	                            | 0x03 | o | r | g | | 0x00 |   length = 4
2725	                             ------------------   ------

2727	      -----------------------------------------   ------
2728	     | 0x04 | i | e | t | f | 0x03 | o | r | g | | 0x00 |   length = 9
2729	      -----------------------------------------   ------

2731	   This means that the maximum length of a domain name, as represented
2732	   in a Multicast DNS packet, up to but not including the final
2733	   terminating zero, must not exceed 255 bytes.

2735	   However, many unicast DNS implementers have read these RFCs
2736	   differently, and argue that the 255-byte limit does include
2737	   the terminating zero, and that the "Clarifications to the DNS
2738	   Specification" [RFC 2181] statement that "." is the "zero length
2739	   full name" was simply a mistake.

2741	   Hence, implementers should be aware that other unicast DNS
2742	   implementations may limit the maximum domain name to 254 bytes plus
2743	   a terminating zero, depending on how that implementer interpreted
2744	   the DNS specifications.

2746	   Compliant Multicast DNS implementations must support names up to
2747	   255 bytes plus a terminating zero, i.e. 256 bytes total.

2749	Appendix D. Benefits of Multicast Responses

2751	   Some people have argued that sending responses via multicast is
2752	   inefficient on the network. In fact using multicast responses can
2753	   result in a net lowering of overall multicast traffic for a variety
2754	   of reasons, and provides other benefits too:

2756	   * Opportunistic Caching. One multicast response can update the caches
2757	     on all machines on the network. If another machine later wants to
2758	     issue the same query, it already has the answer in its cache, so it
2759	     may not need to even transmit that multicast query on the network
2760	     at all.

2762	   * Duplicate Query Suppression. When more than one machine has the
2763	     same ongoing long-lived query running, every machine does not have
2764	     to transmit its own independent query. When one machine transmits
2765	     a query, all the other hosts see the answers, so they can suppress
2766	     their own queries.

2768	   * Passive Observation of Failures (POOF). When a host sees a
2769	     multicast query, but does not see the corresponding multicast
2770	     response, it can use this information to promptly delete stale data
2771	     from its cache. To achieve the same level of user-interface quality
2772	     and responsiveness without multicast responses would require lower
2773	     cache lifetimes and more frequent network polling, resulting in a
2774	     higher packet rate.

2776	   * Passive Conflict Detection. Just because a name has been previously
2777	     verified unique does not guarantee it will continue to be
2778	     so indefinitely. By allowing all Multicast DNS Responders to
2779	     constantly monitor their peers' responses, conflicts arising out
2780	     of network topology changes can be promptly detected and resolved.
2781	     If responses were not sent via multicast, some other conflict
2782	     detection mechanism would be needed, imposing its own additional
2783	     burden on the network.

2785	   * Use on devices with constrained memory resources: When using
2786	     delayed responses to reduce network collisions, clients need to
2787	     maintain a list recording to whom each answer should be sent. The
2788	     option of multicast responses allows clients with limited storage,
2789	     which cannot store an arbitrarily long list of response addresses,
2790	     to choose to fail-over to a single multicast response in place of
2791	     multiple unicast responses, when appropriate.

2793	   * Overlayed Subnets. In the case of overlayed subnets, multicast
2794	     responses allow a receiver to know with certainty that a response
2795	     originated on the local link, even when its source address may
2796	     apparently suggest otherwise.

2798	   * Robustness in the face of misconfiguration: Link-local multicast
2799	     transcends virtually every conceivable network misconfiguration.
2800	     Even if you have a collection of devices where every device's IP
2801	     address, subnet mask, default gateway, and DNS server address are
2802	     all wrong, packets sent by any of those devices addressed to a
2803	     link-local multicast destination address will still be delivered to
2804	     all peers on the local link. This can be extremely helpful when
2805	     diagnosing and rectifying network problems, since it facilitates a
2806	     direct communication channel between client and server that works
2807	     without reliance on ARP, IP routing tables, etc. Being able to
2808	     discover what IP address a device has (or thinks it has) is
2809	     frequently a very valuable first step in diagnosing why it is
2810	     unable to communicate on the local network.

2812	Appendix E. Design Rationale for Encoding Negative Responses

2814	   Alternative methods of asserting nonexistence were considered, such
2815	   as using an NXDOMAIN response, or emitting a resource record with
2816	   zero-length rdata.

2818	   Using an NXDOMAIN response does not work well with Multicast DNS.
2819	   A Unicast DNS NXDOMAIN response applies to the entire packet, but
2820	   for efficiency Multicast DNS allows (and encourages) multiple
2821	   responses in a single packet. If the error code in the header were
2822	   NXDOMAIN, it would not be clear to which name(s) that error code
2823	   applied.

2825	   Asserting nonexistence by emitting a resource record with zero-length
2826	   rdata would mean that there would be no way to differentiate between
2827	   a record that doesn't exist, and a record that does exist, with
2828	   zero-length rdata. By analogy, most file systems today allow empty
2829	   files, so a file that exists with zero bytes of data is not
2830	   considered equivalent to a filename that does not exist.

2832	   A benefit of asserting nonexistence through NSEC records instead of
2833	   through NXDOMAIN responses is that NSEC records can be added to the
2834	   Additional Section of a DNS Response to offer additional information
2835	   beyond what the client explicitly requested. For example, in a
2836	   response to an SRV query, a Responder should include 'A' record(s)
2837	   giving its IPv4 addresses in the Additional Section, and if it has no
2838	   IPv6 addresses then it should include an NSEC record indicating this
2839	   fact in the Additional Section too. In effect, the Responder is
2840	   saying, "Here's my SRV record, and here are my IPv4 addresses, and
2841	   no, I don't have any IPv6 addresses, so don't waste your time
2842	   asking." Without this information in the Additional Section it would
2843	   take the client an additional round-trip to perform an additional
2844	   Query to ascertain that the target host has no AAAA records.
2845	   (Arguably Unicast DNS could also benefit from this ability to express
2846	   nonexistence in the Additional Section, but that is outside the scope
2847	   of this document.)

2849	Appendix F. Use of UTF-8

2851	   After many years of debate, as a result of the perceived need to
2852	   accommodate certain DNS implementations that apparently couldn't
2853	   handle any character that's not a letter, digit or hyphen (and
2854	   apparently never would be updated to remedy this limitation) the
2855	   unicast DNS community settled on an extremely baroque encoding called
2856	   "Punycode" [RFC 3492]. Punycode is a remarkably ingenious encoding
2857	   solution, but it is complicated, hard to understand, and hard to
2858	   implement, using sophisticated techniques including insertion unsort
2859	   coding, generalized variable-length integers, and bias adaptation.
2860	   The resulting encoding is remarkably compact given the constraints,
2861	   but it's still not as good as simple straightforward UTF-8, and it's
2862	   hard even to predict whether a given input string will encode to a
2863	   Punycode string that fits within DNS's 63-byte limit, except by
2864	   simply trying the encoding and seeing whether it fits. Indeed, the
2865	   encoded size depends not only on the input characters, but on the
2866	   order they appear, so the same set of characters may or may not
2867	   encode to a legal Punycode string that fits within DNS's 63-byte
2868	   limit, depending on the order the characters appear. This is
2869	   extremely hard to present in a user interface that explains to users
2870	   why one name is allowed, but another name containing the exact same
2871	   characters is not. Neither Punycode nor any other of the "Ascii
2872	   Compatible Encodings" proposed for Unicast DNS may be used in
2873	   Multicast DNS packets. Any text being represented internally in some
2874	   other representation must be converted to canonical precomposed UTF-8
2875	   before being placed in any Multicast DNS packet.

2877	Appendix G. Governing Standards Body

2879	   Note that this use of the ".local." suffix falls under IETF/IANA
2880	   jurisdiction, not ICANN jurisdiction. DNS is an IETF network
2881	   protocol, governed by protocol rules defined by the IETF. These IETF
2882	   protocol rules dictate character set, maximum name length, packet
2883	   format, etc. ICANN determines additional rules that apply when the
2884	   IETF's DNS protocol is used on the public Internet. In contrast,
2885	   private uses of the DNS protocol on isolated private networks are not
2886	   governed by ICANN. Since this change is a change to the core DNS
2887	   protocol rules, it affects everyone, not just those machines using
2888	   the public Internet. Hence this change falls into the category of an
2889	   IETF protocol rule, not an ICANN usage rule.

2891	   This allocation of responsibility is formally established in
2892	   "Memorandum of Understanding Concerning the Technical Work of the
2893	   Internet Assigned Numbers Authority" [RFC 2860]. Exception (a) of
2894	   clause 4.3 states that the IETF has the authority to instruct IANA
2895	   to reserve pseudo-TLDs as required for protocol design purposes.
2896	   For example, "Reserved Top Level DNS Names" [RFC 2606] defines
2897	   the following pseudo-TLDs:

2899	      .test
2900	      .example
2901	      .invalid
2902	      .localhost

2904	Appendix H. Private DNS Namespaces

2906	   The special treatment of names ending in ".local." has been
2907	   implemented in Macintosh computers since the days of Mac OS 9, and
2908	   continues today in Mac OS X. There are also implementations for
2909	   Microsoft Windows [B4W], Linux and other platforms. Operators setting
2910	   up private internal networks ("intranets") are advised that their
2911	   lives may be easier if they avoid using the suffix ".local." in names
2912	   in their private internal DNS server. Alternative possibilities
2913	   include:

2915	      .intranet
2916	      .internal
2917	      .private
2918	      .corp
2919	      .home
2920	      .lan

2922	   At sites where the DNS operator has decided to use the suffix
2923	   ".local." for private internal names, clients can be configured to
2924	   send both Multicast and Unicast DNS queries in parallel for these
2925	   names. This allows names to be looked up both ways, but it is NOT
2926	   RECOMMENDED because it results in additional network traffic and
2927	   additional delays in name resolution, as well as potentially creating
2928	   user confusion when it is not clear whether any given result was
2929	   received via link-local multicast from a peer on the same link,
2930	   or from the configured unicast name server.

2932	Appendix I. Deployment History

2934	   Multicast DNS client software first became available to the public
2935	   in Mac OS 9 in 2001. Multicast DNS Responder software first began
2936	   shipping to end users in large volumes with the launch of Mac OS X
2937	   10.2 Jaguar in August 2002, and became available for Microsoft
2938	   Windows users with the launch of Apple's "Rendezvous for Windows"
2939	   (now "Bonjour for Windows") in June 2004 [B4W].

2941	   Apple released the source code for the mDNSResponder daemon as Open
2942	   Source in September 2002, first under Apple's standard Apple Public
2943	   Source License, and then later, in August 2006, under the Apache
2944	   License, Version 2.0.

2946	   In addition to desktop and laptop computers running Mac OS X and
2947	   Microsoft Windows, Multicast DNS is implemented in a wide range of
2948	   hardware devices, such as Apple's "AirPort" wireless base stations,
2949	   iPhone and iPad, and in home gateways from other vendors, network
2950	   printers, network cameras, TiVo DVRs, etc.

2952	   The Open Source community has produced many independent
2953	   implementations of Multicast DNS, some in C like Apple's
2954	   mDNSResponder daemon, and others in a variety of different languages
2955	   including Java, Python, Perl, and C#/Mono.