idnits 2.17.1 draft-gulbrandsen-dns-rr-srvcs-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-26) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? ** The document seems to lack a 1id_guidelines paragraph about the list of current Internet-Drafts. ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. ** Expected the document's filename to be given on the first page, but didn't find any Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) == There are 25 instances of lines with non-RFC2606-compliant FQDNs in the document. == There are 8 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 105: '...ty of this target host. A client MUST...' RFC 2119 keyword, line 107: '...et hosts with the same priority SHOULD...' RFC 2119 keyword, line 113: '... one first SHOULD be proportiona...' RFC 2119 keyword, line 124: '...ame of the target host. There MUST be...' RFC 2119 keyword, line 203: '...cognizant client SHOULD use this proce...' (6 more instances...) == The 'Updates: ' line in the draft header should list only the _numbers_ of the RFCs which will be updated by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == Couldn't figure out when the document was first submitted -- there may comments or warnings related to the use of a disclaimer for pre-RFC5378 work that could not be issued because of this. Please check the Legal Provisions document at https://trustee.ietf.org/license-info to determine if you need the pre-RFC5378 disclaimer. -- The document date (January 1996) is 10329 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- No issues found here. Summary: 9 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Arnt Gulbrandsen 3 INTERNET-DRAFT Troll Technologies 4 Updates: RFC1035, RFC1183 Paul Vixie 5 Category: Experimental Vixie Enterprises 6 January 1996 8 A DNS RR for specifying the location of services 10 Abstract 12 This document describes a DNS RR which specifies the location of the 13 server(s) for a specific protocol and domain (like a more general 14 form of MX). 16 Status of this memo 18 This document is an Internet-Draft. Internet-Drafts are working doc- 19 uments of the Internet Engineering Task Force (IETF), its areas, and 20 its working groups. Note that other groups may also distribute work- 21 ing documents as Internet-Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference mate- 26 rial or to cite them other than as ``work in progress.'' 28 To learn the current status of any Internet-Draft, please check the 29 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 30 Directories on ds.internic.net (US East Coast), nic.nordu.net 31 (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific 32 Rim). 34 This draft has file name "draft-gulbrandsen-dns-rr-srvcs-02.txt" and 35 expires on July 20, 1996. 37 Overview and rationale 39 Currently, one must either know the exact address of a server to con- 40 tact it, or broadcast a question. This has led to e.g. 41 ftp.whatever.com aliases, the SMTP-specific MX RR, and using MAC- 42 level broadcasts to locate servers. 44 The SRV RR allows administrators to use several servers for a single 45 domain, to move services from host to host with little fuss, and to 46 designate some hosts as primary servers for a service and others as 47 backups. 49 Clients ask for a specific service/protocol for a specific domain 50 (the word domain is used here in the strict RFC1034 sense), and get 51 back the names of any available servers. 53 Introductory example 55 When a SRV-cognizant web browser wants to retrieve 57 http://www.asdf.com/ 59 it does a lookup of 61 http.tcp.www.asdf.com 63 and retrieves the document from one of the servers in the reply. The 64 example zone file near the end of the draft contains answering RRs 65 for this query. 67 The format of the SRV RR 69 Here is the format of the SRV RR: 71 service.protocol.name ttl class SRV priority weight port target 73 (There is an example near the end of the RFC.) 75 Service 76 The symbolic name of the desired service, as defined in Assigned 77 Numbers or locally. 79 Some widely used services, notably POP, don't have a single uni- 80 versal name. If Assigned Numbers names the service indicated, 81 that name is the only name which is legal for SRV lookups. Only 82 locally defined services may be named locally. 84 The Service is case insensitive (it has to be, it's part of the 85 DNS look-up key). 87 Protocol 88 The symbolic name of the desired protocol. TCP and UDP are at 89 present the most useful values for this field, though any name 90 defined by Assigned Numbers or locally may be used (as for Ser- 91 vice). Case insensitive. 93 Name 94 The domain this RR refers to. The SRV RR is unique in that the 95 name one searches for is not this name; the example near the end 96 shows this clearly. 98 TTL 99 Standard DNS meaning. 101 Class 102 Standard DNS meaning. 104 Priority 105 As for MX, the priority of this target host. A client MUST 106 attempt to contact the target host with the lowest-numbered pri- 107 ority it can reach; target hosts with the same priority SHOULD 108 be tried in pseudorandom order. The range is 0-65535. 110 Weight 111 Load balancing mechanism. When selecting a target host among 112 the those that have the same priority, the chance of trying this 113 one first SHOULD be proportional to its weight. The range of 114 this number is 1-65535. Domain administrators are urged to use 115 Weight 0 when there isn't any load balancing to do, to make the 116 RR easier to read for humans (less noisy). 118 Port 119 The port on this target host of this service. The range is 120 0-65535. This is often as specified in Assigned Numbers but 121 need not be. 123 Target 124 As for MX, the domain name of the target host. There MUST be 125 one or more A records for this name. Implementors are urged, but 126 not required, to return the A record(s) in the Additional Data 127 section. Name compression is to be used for this field. 129 A Target of "." means that the service is decidedly not avail- 130 able at this domain. 132 Domain administrator advice 134 Asking everyone to update their telnet (for example) clients when the 135 first internet site adds a SRV RR for Telnet/TCP is futile (even if 136 desirable). Therefore SRV will have to coexist with A record lookups 137 for a long time, and DNS administrators should try to provide A 138 records to support old clients: 140 - Where the services for a single domain are spread over several 141 hosts, it seems advisable to have a list of A RRs at the same 142 DNS node as the SRV RR, listing reasonable (if perhaps subopti- 143 mal) fallback hosts for Telnet, NNTP and other protocols likely 144 to be used with this name. Note that some programs only try the 145 first address they get back from e.g. gethostbyname(), and we 146 don't know how widespread this behaviour is. 148 - Where one service is provided by several hosts, one can either 149 provide A records for all the hosts (in which case the round- 150 robin mechanism, where available, will share the load equally) 151 or just for one (presumably the fastest). 153 - If a host is intended to provide a service only when the main 154 server(s) is/are down, it probably shouldn't be listed in A 155 records. 157 - Hosts that are referenced by backup A records must use the port 158 number specified in Assigned Numbers for the service. 160 Currently there's a practical limit of 512 bytes for DNS replies. 161 Until all resolvers can handle larger responses, domain administra- 162 tors are strongly advised to keep their SRV replies below 512 bytes. 164 All round numbers, wrote Dr. Johnson, are false, and these numbers 165 are very round: A reply packet has a 30-byte overhead plus the name 166 of the service ("telnet.tcp.asdf.com" for instance); each SRV RR adds 167 20 bytes plus the name of the target host; each NS RR in the NS sec- 168 tion is 15 bytes plus the name of the name server host; and finally 169 each A RR in the additional data section is 20 bytes or so, and there 170 are A's for each SRV and NS RR mentioned in the answer. This size 171 estimate is extremely crude, but shouldn't underestimate the actual 172 answer size by much. If an answer may be close to the limit, using 173 e.g. "dig" to look at the actual answer is a good idea. 175 The "Weight" field 177 Weight, the load balancing field, is not quite satisfactory, but the 178 actual load on typical servers changes much too quickly to be kept 179 around in DNS caches. It seems to the authors that offering adminis- 180 trators a way to say "this machine is three times as fast as that 181 one" is the best that can practically be done. 183 The only way the authors can see of getting a "better" load figure is 184 asking a separate server when the client selects a server and con- 185 tacts it. For short-lived services like SMTP an extra step in the 186 connection establishment seems too expensive, and for long-lived 187 services like telnet, the load figure may well be thrown off a minute 188 after the connection is established when someone else starts or fin- 189 ishes a heavy job. 191 The Port number 193 Currently, the translation from service name to port number happens 194 at the client, often using a file such as /etc/services. 196 Moving this information to the DNS makes it less necessary to update 197 these files on every single computer of the net every time a new ser- 198 vice is added, and makes it possible to move standard services out of 199 the "root-only" port range on unix. 201 Usage rules 203 A SRV-cognizant client SHOULD use this procedure to locate a list of 204 servers and connect to the preferred one: 206 Do a lookup for QNAME=service.protocol.target, QCLASS=IN, 207 QTYPE=SRV. 209 If the reply is NOERROR, ANCOUNT>0 and there is at least one SRV 210 RR which specifies the requested Service and Protocol in the 211 reply: 213 If there is precisely one SRV RR, and its Target is "." 214 (the root domain), abort. 216 Else, for all such RR's, build a list of (Priority, Weight, 217 Target) tuples 219 Sort the list by priority (lowest number first) 221 Create a new empty list 223 For each distinct priority level 224 While there are still elements left at this priority 225 level 226 Select an element randomly, with probability 227 Weight, and move it to the tail of the new list 229 For each element in the new list 231 query the DNS for A RR's for the Target or use any 232 RR's found in the Additional Data secion of the 233 earlier SRV query. 235 for each A RR found, try to connect to the (protocol, 236 address, service). 238 else if the service desired is SMTP 240 skip to RFC974 (MX). 242 else 244 Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A 246 for each A RR found, try to connect to the (protocol, 247 address, service) 249 Notes: 251 - Port numbers SHOULD NOT be used in place of the symbolic service 252 or protocol names (for the same reason why variant names cannot 253 be allowed: Applications would have to do two or more lookups). 255 - If a truncated response comes back from an SRV query, and the 256 Additional Data section has at least one complete RR in it, the 257 answer MUST be considered complete and the client resolver 258 SHOULD NOT retry the query using TCP, but use normal UDP queries 259 for A RR's missing from the Additional Data section. 261 - A client MAY use means other than Weight to choose among target 262 hosts with equal Priority. 264 - A client MUST parse all of the RR's in the reply. 266 - If the Additional Data section doesn't contain A RR's for all 267 the SRV RR's and the client may want to connect to the target 268 host(s) involved, the client MUST look up the A RR(s). (This 269 happens quite often when the A RR has shorter TTL than the SRV 270 or NS RR's.) 272 - SRV RRs with Protocol TCP and Service SMTP override MX RR's. 273 This allows firewalled organizations with several SMTP relays to 274 control the load distribution using the Weight field. 276 - Designers of new protocols are urged to specify that SRV lookups 277 be mandatory for those protocols. 279 Fictional example 280 This is (part of) the zone file for asdf.com, a still-unused domain: 282 $ORIGIN asdf.com. 283 @ SOA server.asdf.com. root.asdf.com. ( 284 1995032001 3600 3600 604800 86400 ) 285 NS server.asdf.com. 286 NS ns1.ip-provider.net. 287 NS ns2.ip-provider.net. 288 ftp.tcp SRV 0 0 21 server.asdf.com. 289 finger.tcp SRV 0 0 79 server.asdf.com. 290 ; telnet - use old-slow-box or new-fast-box if either is 291 ; available, make three quarters of the logins go to 292 ; new-fast-box. 293 telnet.tcp SRV 0 1 23 old-slow-box.asdf.com. 294 SRV 0 3 23 new-fast-box.asdf.com. 295 ; if neither old-slow-box or new-fast-box is up, switch to 296 ; using the sysdmin's box and the server 297 SRV 1 0 23 sysadmins-box.asdf.com. 298 SRV 1 0 23 server.asdf.com. 299 ; HTTP - server is the main server, new-fast-box is the backup 300 ; (On new-fast-box, the HTTP daemon runs on port 8000) 301 http.tcp SRV 0 0 80 server.asdf.com. 302 SRV 10 0 8000 new-fast-box.asdf.com. 303 ; since we want to support both http://asdf.com/ and 304 ; http://www.asdf.com/ we need the next two RRs as well 305 http.tcp.www SRV 0 0 80 server.asdf.com. 306 SRV 10 0 8000 new-fast-box.asdf.com. 307 ; SMTP - mail goes to the server, and to the IP provider if 308 ; the net is down 309 smtp.tcp SRV 0 0 25 server.asdf.com. 310 SRV 1 0 25 mailhost.ip-provider.net. 311 @ MX 0 server.asdf.com. 312 MX 1 mailhost.ip-provider.net. 313 ; NNTP - use the IP providers's NNTP server 314 nntp.tcp SRV 0 0 119 nntphost.ip-provider.net. 315 ; IDB is an locally defined protocol 316 idb.tcp SRV 0 0 2025 new-fast-box.asdf.com. 317 ; addresses 318 server A 172.30.79.10 319 old-slow-box A 172.30.79.11 320 sysadmins-box A 172.30.79.12 321 new-fast-box A 172.30.79.13 322 ; backup A records - new-fast-box and old-slow-box are 323 ; included, naturally, and server is too, but might go 324 ; if the load got too bad 325 @ A 172.30.79.10 326 A 172.30.79.11 327 A 172.30.79.13 329 ; backup A RR for www.asdf.com 330 www A 172.30.79.10 331 ; NO other services are supported 332 *.tcp SRV 0 0 0 . 333 *.udp SRV 0 0 0 . 335 In this example, a telnet connection to "asdf.com." needs an SRV 336 lookup of "telnet.tcp.asdf.com." and possibly A lookups of "new-fast- 337 box.asdf.com." and/or the other hosts named. The size of the SRV 338 reply is approximately 365 bytes: 340 30 bytes general overhead 341 20 bytes for the query string, "telnet.tcp.asdf.com." 342 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new- 343 fast-box", "old-slow-box", "server" and "sysadmins-box" - 344 "asdf.com" in the query section is quoted here and doesn't need 345 to be counted again. 346 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server", 347 "ns1.ip-provider.net." and "ns2" - again, "ip-provider.net." is 348 quoted and only needs to be counted once. 349 120 bytes for the 6 A RR's mentioned by the SRV and NS RR's. 351 Refererences 353 RFC 1794: T. Brisco, "DNS Support for Load Balancing", 04/20/1995. 355 RFC 1713: A. Romao, "Tools for DNS debugging", 11/03/1994. 357 RFC 1712: C. Farrell, M. Schulze, S. Pleitner, D. Baldoni, "DNS 358 Encoding of Geographical Location", 11/01/1994. 360 RFC 1706: B. Manning, R. Colella, "DNS NSAP Resource Records", 361 10/26/1994. 363 RFC 1700: J. Reynolds, J. Postel, "ASSIGNED NUMBERS", 10/20/1994. 365 RFC 1536: A. Kumar, J. Postel, C. Neuman, P. Danzig, S. Miller, "Com- 366 mon DNS Implementation Errors and Suggested Fixes.", 10/06/1993. 368 RFC 1183: R. Ullmann, P. Mockapetris, L. Mamakos, C. Everhart, "New 369 DNS RR Definitions", 10/08/1990. 371 RFC 1101: P. Mockapetris, "DNS encoding of network names and other 372 types", 04/01/1989. 374 RFC 1035: P. Mockapetris, "Domain names - implementation and specifi- 375 cation", 11/01/1987. 377 RFC 1034: P. Mockapetris, "Domain names - concepts and facilities", 378 11/01/1987. 380 RFC 1033: M. Lottor, "Domain administrators operations guide", 381 11/01/1987. 383 RFC 1032: M. Stahl, "Domain administrators guide", 11/01/1987. 385 RFC 974: C. Partridge, "Mail routing and the domain system", 386 01/01/1986. 388 Security Considerations 390 The authors believes this RR to not cause any new security problems. 391 Some problems become more visible, though. 393 - The ability to specify ports on a fine-grained basis obviously 394 changes how a router can filter packets. It becomes impossible 395 to block internal clients from accessing specific external ser- 396 vices, slightly harder to block internal users from running 397 unautorised services, and more important for the router opera- 398 tions and DNS operations personnel to cooperate. 400 - There is no way a site can keep its hosts from being referenced 401 as servers (as, indeed, some sites become unwilling secondary 402 MXes today). This could lead to denial of service. 404 - With SRV, DNS spoofers can supply false port numbers, as well as 405 host names and addresses. The authors do not see any practical 406 effect of this. 408 We assume that as the DNS-security people invent new features, DNS 409 servers will return the relevant RRs in the Additional Data section 410 when answering an SRV query. 412 Authors' Addresses 414 Arnt Gulbrandsen 415 Troll Tech 416 Postboks 6133 Etterstad 417 N-0602 Oslo 418 Norway 420 Phone: +47 22646966 422 Mail: agulbra@troll.no 423 Paul Vixie 424 Vixie Enterprises 425 Star Route 159A 426 Woodside, CA 94062 428 Phone: (415) 747-0204 430 Mail: paul@vix.com