idnits 2.17.1 draft-ietf-dnsext-rfc2782bis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents -- however, there's a paragraph with a matching beginning. Boilerplate error? == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 1) being 65 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 12 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([RFC1035], [BCP14], [STD2], [RFC2181], [ARM]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. == There are 4 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? RFC 2119 keyword, line 67: '...he SRV record. Such specification MUST...' RFC 2119 keyword, line 69: '...d below. It also MUST include security...' RFC 2119 keyword, line 70: '...vice SRV records SHOULD NOT be used in...' RFC 2119 keyword, line 130: '...target host. A client MUST attempt to...' RFC 2119 keyword, line 132: '...he same priority SHOULD be tried in an...' (9 more instances...) -- The abstract seems to indicate that this document obsoletes RFC2181, but the header doesn't have an 'Obsoletes:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Unrecognized Status in 'Category: INTERNET-DRAFT', assuming Proposed Standard (Expected one of 'Standards Track', 'Full Standard', 'Draft Standard', 'Proposed Standard', 'Best Current Practice', 'Informational', 'Experimental', 'Informational', 'Historic'.) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? 'BCP 14' on line 62 looks like a reference -- Missing reference section? 'ARM' on line 81 looks like a reference -- Missing reference section? 'STD 2' on line 100 looks like a reference -- Missing reference section? 'RFC 1035' on line 126 looks like a reference -- Missing reference section? 'RFC 2181' on line 334 looks like a reference Summary: 6 errors (**), 0 flaws (~~), 6 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Gulbrandsen 3 Category: INTERNET-DRAFT Trolltech AS 4 Obsoletes: 2782 P. Vixie 5 draft-ietf-dnsext-rfc2782bis-01.txt Internet Software Consortium 6 June 6, 2001 L. Esibov 7 Expires: December 6, 2001 Microsoft Corp. 9 A DNS RR for specifying the location of services (DNS SRV) 11 Status of this Memo 12 This document is an Internet-Draft and is in full conformance with all 13 provisions of Section 10 of RFC2026. 15 Internet-Drafts are working documents of the Internet Engineering Task 16 Force (IETF), its areas, and its working groups. Note that other groups 17 may also distribute working documents as Internet- Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six months 20 and may be updated, replaced, or obsoleted by other documents at any 21 time. It is inappropriate to use Internet-Drafts as reference material 22 or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/ietf/1id-abstracts.txt 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html. 30 Copyright Notice 32 Copyright (C) The Internet Society (2001). All Rights Reserved. 34 Abstract 36 This document describes a DNS RR which specifies the location of the 37 server(s) for a specific protocol and domain. 39 Overview and rationale 41 Currently, one must either know the exact address of a server to 42 contact it, or broadcast a question. 44 The SRV RR allows administrators to use several servers for a single 45 domain, to move services from host to host with little fuss, and to 46 designate some hosts as primary servers for a service and others as 47 backups. 49 Clients ask for a specific service/protocol for a specific domain 50 (the word domain is used here in the strict RFC 1034 sense), and get 51 back the names of any available servers. 53 Note that where this document refers to "address records", it means A 54 RR's, AAAA RR's, or their most modern equivalent. 56 Definitions 58 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY" 59 used in this document are to be interpreted as specified in [BCP 14]. 60 Other terms used in this document are defined in the DNS 61 specification, RFC 1034. 63 Applicability Statement 65 In general, it is expected that SRV records will be used by clients 66 for applications where the relevant protocol specification indicates 67 that clients should use the SRV record. Such specification MUST 68 define the symbolic name to be used in the Service field of the SRV 69 record as described below. It also MUST include security 70 considerations. Service SRV records SHOULD NOT be used in the absence 71 of such specification. 73 Introductory example 75 If a SRV-cognizant LDAP client wants to discover a LDAP server that 76 supports TCP protocol and provides LDAP service for the domain 77 example.com., it does a lookup of 79 _ldap._tcp.example.com 81 as described in [ARM]. The example zone file near the end of this 82 memo contains answering RRs for an SRV query. 84 Note: LDAP is chosen as an example for illustrative purposes only, 85 and the LDAP examples used in this document should not be considered 86 a definitive statement on the recommended way for LDAP to use SRV 87 records. As described in the earlier applicability section, consult 88 the appropriate LDAP documents for the recommended procedures. 90 The format of the SRV RR 92 Here is the format of the SRV RR, whose DNS type code is 33: 94 _Service._Proto.Domain TTL Class SRV Priority Weight Port Target 96 (There is an example near the end of this document.) 98 Service 99 The symbolic name of the desired service, as defined in Assigned 100 Numbers [STD 2] or locally. An underscore (_) is prepended to 101 the service identifier to avoid collisions with DNS labels that 102 occur in nature. 104 Some widely used services, notably POP, don't have a single 105 universal name. If Assigned Numbers names the service 106 indicated, that name is the only name which is legal for SRV 107 lookups. The Service is case insensitive. 109 Proto 110 The symbolic name of the desired protocol, with an underscore 111 (_) prepended to prevent collisions with DNS labels that occur 112 in nature. _TCP and _UDP are at present the most useful values 113 for this field, though any name defined by Assigned Numbers or 114 locally may be used (as for Service). The Proto is case 115 insensitive. 117 Domain 118 The domain this RR refers to. The SRV RR is unique in that the 119 name one searches for is not this Domain name; the example near 120 the end shows this clearly. 122 TTL 123 Standard DNS meaning [RFC 1035]. 125 Class 126 Standard DNS meaning [RFC 1035]. SRV records occur in the IN 127 Class. 129 Priority 130 The priority of this target host. A client MUST attempt to 131 contact the target host with the lowest-numbered priority it can 132 reach; target hosts with the same priority SHOULD be tried in an 133 order defined by the weight field. The range is 0-65535. This 134 is a 16 bit unsigned integer in network byte order. 136 Weight 137 A server selection mechanism. The weight field specifies a 138 relative weight for entries with the same priority. Larger 139 weights SHOULD be given a proportionately higher probability of 140 being selected. The range of this number is 0-65535. This is a 141 16 bit unsigned integer in network byte order. Domain 142 administrators SHOULD use Weight 0 when there isn't any server 143 selection to do, to make the RR easier to read for humans (less 144 noisy). In the presence of records containing weights greater 145 than 0, records with weight 0 should have a very small chance of 146 being selected. 148 In the absence of a protocol whose specification calls for the 149 use of other weighting information, a client arranges the SRV 150 RRs of the same Priority in the order in which target hosts, 151 specified by the SRV RRs, will be contacted. The following 152 algorithm SHOULD be used to order the SRV RRs of the same 153 priority: 155 To select a target to be contacted next, arrange all SRV RRs 156 (that have not been ordered yet) in any order, except that all 157 those with weight 0 are placed at the beginning of the list. 159 Compute the sum of the weights of those RRs, and with each RR 160 associate the running sum in the selected order. Then choose a 161 uniform random real number between 0 and the sum computed 162 (inclusive), and select the RR whose running sum value is the 163 first in the selected order which is greater than or equal to 164 the random number selected. The target host specified in the 165 selected SRV RR is the next one to be contacted by the client. 166 Remove this SRV RR from the set of the unordered SRV RRs and 167 apply the described algorithm to the unordered SRV RRs to select 168 the next target host. Continue the ordering process until there 169 are no unordered SRV RRs. This process is repeated for each 170 Priority. 172 Port 173 The port on this target host of this service. The range is 0- 174 65535. This is a 16 bit unsigned integer in network byte order. 175 This is often as specified in Assigned Numbers but need not be. 177 Target 178 The domain name of the target host. There MUST be one or more 179 address records for this name, the name MUST NOT be an alias (in 180 the sense of RFC 1034 or RFC 2181). Implementors are urged, but 181 not required, to return the address record(s) in the Additional 182 Data section. Unless and until permitted by future standards 183 action, name compression is not to be used for this field. 185 A Target of "." means that the service is decidedly not 186 available at this domain. 188 Domain administrator advice 190 Expecting everyone to update their client applications when the first 191 server publishes a SRV RR is futile (even if desirable). Therefore 192 SRV would have to coexist with address record lookups for existing 193 protocols, and DNS administrators should try to provide address 194 records to support old clients: 196 - Where the services for a single domain are spread over several 197 hosts, it seems advisable to have a list of address records at 198 the same DNS node as the SRV RR, listing reasonable (if perhaps 199 suboptimal) fallback hosts for Telnet, NNTP and other protocols 200 likely to be used with this name. Note that some programs only 201 try the first address they get back from e.g. gethostbyname(), 202 and we don't know how widespread this behavior is. 204 - Where one service is provided by several hosts, one can either 205 provide address records for all the hosts (in which case the 206 round-robin mechanism, where available, will share the load 207 equally) or just for one (presumably the fastest). 209 - If a host is intended to provide a service only when the main 210 server(s) is/are down, it probably shouldn't be listed in 211 address records. 213 - Hosts that are referenced by backup address records must use the 214 port number specified in Assigned Numbers for the service. 216 - Designers of future protocols for which "secondary servers" is 217 not useful (or meaningful) may choose to not use SRV's support 218 for secondary servers. Clients for such protocols may use or 219 ignore SRV RRs with Priority higher than the RR with the lowest 220 Priority for a domain. 222 Currently there's a practical limit of 512 bytes for DNS replies. 223 Until all resolvers can handle larger responses, domain 224 administrators are strongly advised to keep their SRV replies below 225 512 bytes. 227 All round numbers, wrote Dr. Johnson, are false, and these numbers 228 are very round: A reply packet has a 30-byte overhead plus the name 229 of the service ("_ldap._tcp.example.com" for instance); each SRV RR 230 adds 20 bytes plus the name of the target host; each NS RR in the NS 231 section is 15 bytes plus the name of the name server host; and 232 finally each A RR in the additional data section is 20 bytes or so, 233 and there are A's for each SRV and NS RR mentioned in the answer. 234 This size estimate is extremely crude, but shouldn't underestimate 235 the actual answer size by much. If an answer may be close to the 236 limit, using a DNS query tool (e.g. "dig") to look at the actual 237 answer is a good idea. 239 The "Weight" field 241 Weight, the server selection field, is not quite satisfactory, but 242 the actual load on typical servers changes much too quickly to be 243 kept around in DNS caches. It seems to the authors that offering 244 administrators a way to say "this machine is three times as fast as 245 that one" is the best that can practically be done. 247 The only way the authors can see of getting a "better" load figure is 248 asking a separate server when the client selects a server and 249 contacts it. For short-lived services an extra step in the 250 connection establishment seems too expensive, and for long-lived 251 services, the load figure may well be thrown off a minute after the 252 connection is established when someone else starts or finishes a 253 heavy job. 255 Note: There are currently various experiments at providing relative 256 network proximity estimation, available bandwidth estimation, and 257 similar services. Use of the SRV record with such facilities, and in 258 particular the interpretation of the Weight field when these 259 facilities are used, is for further study. Weight is only intended 260 for static, not dynamic, server selection. Using SRV weight for 261 dynamic server selection would require assigning unreasonably short 262 TTLs to the SRV RRs, which would limit the usefulness of the DNS 263 caching mechanism, thus increasing overall network load and 264 decreasing overall reliability. Server selection via SRV is only 265 intended to express static information such as "this server has a 266 faster CPU than that one" or "this server has a much better network 267 connection than that one". 269 The Port number 271 Currently, the translation from service name to port number happens 272 at the client, often using a file such as /etc/services. 274 Moving this information to the DNS makes it less necessary to update 275 these files on every single computer of the net every time a new 276 service is added, and makes it possible to move standard services out 277 of the "root-only" port range on unix. 279 Usage rules 281 A SRV-cognizant client SHOULD use this procedure to locate a list of 282 servers and connect to the preferred one: 284 Do a lookup for QNAME=_service._protocol.domain, QCLASS=IN, 285 QTYPE=SRV. 287 If the reply is NOERROR, ANCOUNT>0 and there is at least one 288 SRV RR which specifies the requested Service and Protocol in 289 the reply: 291 If there is precisely one SRV RR, and its Target is "." 292 (the root domain), abort and do not attempt lookup for 293 QNAME=domain, QCLASS=IN, QTYPE=A. 295 Else, for all such RR's, build a list of (Priority, Weight, 296 Target) tuples 298 Sort the list by priority (lowest number first) 300 Create a new empty list 302 For each distinct priority level 303 While there are still elements left at this priority 304 level 306 Select an element as specified above, in the 307 description of Weight in "The format of the SRV 308 RR" Section, and move it to the tail of the new 309 list 311 For each element in the new list 313 query the DNS for address records for the Target or 314 use any such records found in the Additional Data 315 section of the earlier SRV response. 317 for each address record found, try to connect to the 318 (protocol, address, service). 320 else 322 Do a lookup for QNAME=domain, QCLASS=IN, QTYPE=A 324 for each address record found, try to connect to the 325 (protocol, address, service) 327 Notes: 329 - Port numbers SHOULD NOT be used in place of the symbolic service 330 or protocol names (for the same reason why variant names cannot 331 be allowed: Applications would have to do two or more lookups). 333 - If a truncated response comes back from an SRV query, the rules 334 described in [RFC 2181] shall apply. 336 - A client MUST parse all of the RR's in the reply. 338 - If the Additional Data section doesn't contain address records 339 for all the SRV RR's and the client may want to connect to the 340 target host(s) involved, the client MUST look up the address 341 record(s). (This happens quite often when the address record 342 has shorter TTL than the SRV or NS RR's.) 344 - Future protocols could be designed to use SRV RR lookups as the 345 means by which clients locate their servers. 347 Fictional example 349 This example uses fictional service "foobar" as an aid in 350 understanding SRV records. If ever service "foobar" is implemented, 351 it is not intended that it will necessarily use SRV records. This is 352 (part of) the zone file for example.com, a still-unused domain: 354 $ORIGIN example.com. 355 @ SOA server.example.com. root.example.com. ( 356 1995032001 3600 3600 604800 86400 ) 357 NS server.example.com. 358 NS ns1.ip-provider.net. 359 NS ns2.ip-provider.net. 360 ; foobar - use old-slow-box or new-fast-box if either is 361 ; available, make three quarters of the logins go to 362 ; new-fast-box. 363 _foobar._tcp SRV 0 1 9 old-slow-box.example.com. 364 SRV 0 3 9 new-fast-box.example.com. 365 ; if neither old-slow-box or new-fast-box is up, switch to 366 ; using the sysdmin's box and the server 367 SRV 1 0 9 sysadmins-box.example.com. 368 SRV 1 0 9 server.example.com. 369 server A 172.30.79.10 370 old-slow-box A 172.30.79.11 371 sysadmins-box A 172.30.79.12 372 new-fast-box A 172.30.79.13 373 ; NO other services are supported 374 *._tcp SRV 0 0 0 . 375 *._udp SRV 0 0 0 . 377 In this example, a client of the "foobar" service in the 378 "example.com." domain needs an SRV lookup of 379 "_foobar._tcp.example.com." and possibly A lookups of "new-fast- 380 box.example.com." and/or the other hosts named. The size of the SRV 381 reply is approximately 365 bytes: 383 30 bytes general overhead 384 20 bytes for the query string, "_foobar._tcp.example.com." 385 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new- 386 fast-box", "old-slow-box", "server" and "sysadmins-box" - 387 "example.com" in the query section is quoted here and doesn't 388 need to be counted again. 389 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server", 390 "ns1.ip-provider.net." and "ns2" - again, "ip-provider.net." is 391 quoted and only needs to be counted once. 392 120 bytes for the 6 address records (assuming IPv4 only) mentioned 393 by the SRV and NS RR's. 395 IANA Considerations 397 The IANA has assigned RR type value 33 to the SRV RR. No other IANA 398 services are required by this document. 400 Changes from RFC 2782 402 This document obsoletes RFC 2782 403 Only editorial clarifications were made to this document. Namely 405 - it was clarified that "Weight" subsection refers to real "random 406 number" rather than integer number; 408 - it was clarified that the "Name" used in the owner name of the SRV 409 record used in "The format of the SRV RR" section is a "Domain" 410 name; 412 - the "QNAME=_service._protocol.target" was replaced by 413 "QNAME=_service._protocol.domain" in "Usage rules" section to 414 eliminate a possibility of confusion with the Target field of the 415 SRV record. 417 - client's behavior when response to a query contains a single SRV 418 RR and its Target is "." is clarified in "Usage rules" section. 420 Security Considerations 422 The authors believe this RR to not cause any new security problems. 423 Some problems become more visible, though. 425 - The ability to specify ports on a fine-grained basis obviously 426 changes how a router can filter packets. It becomes impossible 427 to block internal clients from accessing specific external 428 services, slightly harder to block internal users from running 429 unauthorized services, and more important for the router 430 operations and DNS operations personnel to cooperate. 432 - There is no way a site can keep its hosts from being referenced 433 as servers. This could lead to denial of service. 435 - With SRV, DNS spoofers can supply false port numbers, as well as 436 host names and addresses. Because this vulnerability exists 437 already, with names and addresses, this is not a new 438 vulnerability, merely a slightly extended one, with little 439 practical effect. 441 References 443 STD 2: Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC 444 1700, October 1994. 446 RFC 1034: Mockapetris, P., "Domain names - concepts and facilities", 447 STD 13, RFC 1034, November 1987. 449 RFC 1035: Mockapetris, P., "Domain names - Implementation and 450 Specification", STD 13, RFC 1035, November 1987. 452 RFC 974: Partridge, C., "Mail routing and the domain system", STD 453 14, RFC 974, January 1986. 455 BCP 14: Bradner, S., "Key words for use in RFCs to Indicate 456 Requirement Levels", BCP 14, RFC 2119, March 1997. 458 RFC 2181: Elz, R. and R. Bush, "Clarifications to the DNS 459 Specification", RFC 2181, July 1997. 461 RFC 2219: Hamilton, M. and R. Wright, "Use of DNS Aliases for Network 462 Services", BCP 17, RFC 2219, October 1997. 464 BCP 14: Bradner, S., "Key words for use in RFCs to Indicate 465 Requirement Levels", BCP 14, RFC 2119, March 1997. 467 ARM: Armijo, M., Esibov, L. and P. Leach, "Discovering LDAP 468 Services with DNS", Work in Progress. 470 KDC-DNS: Hornstein, K. and J. Altman, "Distributing Kerberos KDC and 471 Realm Information with DNS", Work in Progress. 473 Acknowledgements 475 The algorithm used to select from the weighted SRV RRs of equal 476 priority is adapted from one supplied by Dan Bernstein. 478 Authors' Addresses 480 Arnt Gulbrandsen 481 Trolltech AS 482 Waldemar Thranes gate 98 483 N-0175 Oslo, Norway 485 Fax: +47 21604800 486 Phone: +47 21604801 487 EMail: arnt@trolltech.com 489 Paul Vixie 490 Internet Software Consortium 491 950 Charter Street 492 Redwood City, CA 94063 494 Phone: +1 650 779 7001 496 Levon Esibov 497 Microsoft Corporation 498 One Microsoft Way 499 Redmond, WA 98052 501 EMail: levone@microsoft.com 503 Full Copyright Statement 505 Copyright (C) The Internet Society (2001). All Rights Reserved. 507 This document and translations of it may be copied and furnished to 508 others, and derivative works that comment on or otherwise explain it 509 or assist in its implementation may be prepared, copied, published 510 and distributed, in whole or in part, without restriction of any 511 kind, provided that the above copyright notice and this paragraph are 512 included on all such copies and derivative works. However, this 513 document itself may not be modified in any way, such as by removing 514 the copyright notice or references to the Internet Society or other 515 Internet organizations, except as needed for the purpose of 516 developing Internet standards in which case the procedures for 517 copyrights defined in the Internet Standards process must be 518 followed, or as required to translate it into languages other than 519 English. 521 The limited permissions granted above are perpetual and will not be 522 revoked by the Internet Society or its successors or assigns. 524 This document and the information contained herein is provided on an 525 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 526 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 527 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 528 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 529 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 531 Acknowledgement 533 Funding for the RFC Editor function is currently provided by the 534 Internet Society.