idnits 2.17.1 draft-ietf-dnssd-hybrid-01.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 3 instances of lines with non-RFC2606-compliant FQDNs in the document.
== There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.
== There are 2 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
-- The document date (October 19, 2015) is 3111 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Outdated reference: A later version (-06) exists of draft-sekar-dns-llq-01
** Downref: Normative reference to an Informational draft: draft-sekar-dns-llq (ref. 'I-D.sekar-dns-llq')
== Outdated reference: A later version (-25) exists of draft-ietf-dnssd-push-02

Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                               S. Cheshire
Internet-Draft                                                 Apple Inc.
Intended status: Standards Track                         October 19, 2015
Expires: April 21, 2016

             Hybrid Unicast/Multicast DNS-Based Service Discovery
                          draft-ietf-dnssd-hybrid-01

Abstract

Performing DNS-Based Service Discovery using purely link-local Multicast DNS enables discovery of services that are on the local link, but not (without some kind of proxy or similar special support) discovery of services that are outside the local link. Using a very large local link with thousands of hosts facilitates service discovery, but at the cost of large amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require excessively large multicast domains, but requires that the relevant data be available in the Unicast DNS namespace. This can be achieved by manual DNS configuration (as has been done for many years at IETF meetings to advertise the IETF Terminal Room printer) but this is labor intensive, error prone, and requires a reasonable degree of DNS expertise. The Unicast DNS namespace can be populated with the required data automatically by the devices themselves, but that requires configuration of DNS Update keys on the devices offering the services, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence a compromise is needed, that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).
Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 21, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Conventions and Terminology Used in this Document
3. Hybrid Proxy Operation
   3.1. Delegated Subdomain for Service Discovery Records
   3.2. Domain Enumeration
      3.2.1. Domain Enumeration via Unicast Queries
      3.2.2. Domain Enumeration via Multicast Queries
   3.3. Delegated Subdomain for LDH Host Names
   3.4. Delegated Subdomain for Reverse Mapping
   3.5. Data Translation
      3.5.1. DNS TTL limiting
      3.5.2. Suppressing Unusable Records
      3.5.3. Application-Specific Data Translation
   3.6. Answer Aggregation
      3.6.1. Discovery of LLQ or PUSH Notification Service
4. Implementation Status
   4.1. Already Implemented and Deployed
   4.2. Partially Implemented
   4.3. Not Yet Implemented
5. IPv6 Considerations
6. Security Considerations
   6.1. Authenticity
   6.2. Privacy
   6.3. Denial of Service
7. Intellectual Property Rights
8. IANA Considerations
9. Acknowledgments
10. References
   10.1. Normative References
   10.2. Informative References
Author's Address

1. Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC].
For a small network consisting of just a single link (or several physical links bridged together to appear as a single logical link to IP) Multicast DNS [RFC6762] is sufficient for client devices to look up the dot-local host names of peers on the same home network, and perform DNS-Based Service Discovery (DNS-SD) [RFC6763] of services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, do not cross between links. (This was a deliberate design choice for Multicast DNS, since even on a single link multicast traffic is expensive -- especially on Wi-Fi links -- and multiplying the amount of multicast traffic by flooding it across multiple links would make that problem even worse.) In this environment, Unicast DNS would be preferable to Multicast DNS. (Unicast DNS can be used either with a traditionally assigned globally unique domain name, or with a private local unicast domain name such as ".home" [HOME].)

To use Unicast DNS, the names of hosts and services need to be made available in the Unicast DNS namespace. Section 10 of the DNS-SD specification [RFC6763] ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

This document specifies a type of proxy called a Hybrid Proxy that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

2. Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

The Hybrid Proxy builds on Multicast DNS, which works between hosts on the same link. A set of hosts is considered to be "on the same link" if:

o when any host A from that set sends a packet to any other host B in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

o a broadcast sent over that link by any host from that set of hosts can be received by every other host in that set

The link-layer *header* may be modified, such as in Token Ring Source Routing [802.5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

3. Hybrid Proxy Operation

In a typical configuration, a Hybrid Proxy is configured to be authoritative for four DNS subdomains, and authority for these subdomains is delegated to it via NS records:

A DNS subdomain for service discovery records.
  This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

A DNS subdomain for host name records.
  This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

A DNS subdomain for IPv6 Reverse Mapping records.
  This subdomain name will be a name that ends in "ip6.arpa."

A DNS subdomain for IPv4 Reverse Mapping records.
  This subdomain name will be a name that ends in "in-addr.arpa."

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below.

3.1. Delegated Subdomain for Service Discovery Records

In its simplest form, each physical link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "4th Floor.Building 1.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.

Each named link in an organization has a Hybrid Proxy which serves it. This Hybrid Proxy function could be performed by a router on that link, or, with appropriate VLAN configuration, a single Hybrid Proxy could have a logical presence on, and serve as the Hybrid Proxy for, many links. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the Hybrid Proxy that serves the named link. In other words, the Hybrid Proxy is the authoritative name server for that subdomain.
When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Hybrid Proxy on the link in question. Like a conventional Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Hybrid Proxy generates answers using Multicast DNS. A Hybrid Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Unicast DNS response.

Naturally, the existing Multicast DNS caching mechanism is used to avoid issuing unnecessary Multicast DNS queries on the wire. The Hybrid Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

3.2. Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries. It issues unicast Domain Enumeration queries using its "home" domain (typically learned via DHCP) and using its IPv6 prefix and IPv4 subnet address. These are described below in Section 3.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 3.2.2. The results of all Domain Enumeration queries are combined for Service Discovery purposes.

3.2.1. Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains, e.g.:

b._dns-sd._udp.example.com.   PTR Building 1.example.com.
                              PTR Building 2.example.com.
                              PTR Building 3.example.com.
                              PTR Building 4.example.com.

db._dns-sd._udp.example.com.  PTR Building 1.example.com.

lb._dns-sd._udp.example.com.  PTR Building 1.example.com.

The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from and the "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, today). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65275 for the Answer Section.

An Answer Section Resource Record consists of:
o Owner name, encoded as a two-byte compression pointer
o Two-byte rrtype (type PTR)
o Two-byte rrclass (class IN)
o Four-byte ttl
o Two-byte rdlength
o rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.
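The sizing argument above can be checked on the wire. The following Python is an added example, not part of this draft and not code from any Hybrid Proxy implementation: it encodes a Domain Enumeration response in RFC 1035 wire format, reusing earlier occurrences of a name suffix as two-byte compression pointers, and reports how many PTR answers fit under the 65535-byte limit for a given list of domains. The question name `b._dns-sd._udp.example.com.` and the `Building N.example.com.` domains are the ones used in the text; the 3600-second TTL and the header flags are this example's assumptions.

```python
"""Size a Domain Enumeration PTR response on the wire (RFC 1035 format)."""
import struct

MAX_DNS_MESSAGE = 65535   # largest DNS message (16-bit length prefix over TCP)
HEADER_LEN = 12


def _encode_name(name, offsets, position):
    """Encode one domain name, replacing the first suffix already seen in
    the message with a two-byte compression pointer.  `offsets` maps
    lowercase suffixes to their wire offset; `position` is where this name
    starts in the message (needed to record new offsets)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return bytes(out)
        raw = label.encode("utf-8")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        if position + len(out) < 0x4000:      # pointers can address only 14 bits
            offsets[suffix] = position + len(out)
        out.append(len(raw))
        out += raw
    out.append(0)                             # root label terminates the name
    return bytes(out)


def build_enumeration_response(qname, domains, ttl=3600, msg_id=0):
    """Build a response to `qname PTR ?` whose Answer Section lists each of
    `domains` as a PTR record: the shape of a Domain Enumeration answer."""
    # id, flags (QR|AA, assumed), qdcount, ancount, nscount, arcount
    msg = bytearray(struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(domains), 0, 0))
    offsets = {}
    msg += _encode_name(qname, offsets, len(msg))
    msg += struct.pack("!HH", 12, 1)                    # QTYPE=PTR, QCLASS=IN
    for domain in domains:
        msg += _encode_name(qname, offsets, len(msg))   # owner: a 2-byte pointer
        msg += struct.pack("!HHI", 12, 1, ttl)          # rrtype, rrclass, ttl
        rdata = _encode_name(domain, offsets, len(msg) + 2)
        msg += struct.pack("!H", len(rdata))            # rdlength
        msg += rdata
    return bytes(msg)


def max_domains_in_response(qname, domains):
    """How many of `domains` (taken in order) fit in one response.  Tracks
    the same compression state as build_enumeration_response, so shared
    suffixes shrink later records exactly as they would on the wire."""
    offsets = {}
    size = HEADER_LEN + len(_encode_name(qname, offsets, HEADER_LEN)) + 4
    fitting = 0
    for domain in domains:
        owner = _encode_name(qname, offsets, size)
        rdata = _encode_name(domain, offsets, size + len(owner) + 10)
        size += len(owner) + 10 + len(rdata)      # owner + type/class/ttl/rdlength + rdata
        if size > MAX_DNS_MESSAGE:
            break
        fitting += 1
    return fitting


if __name__ == "__main__":
    browse = "b._dns-sd._udp.example.com."
    four = ["Building %d.example.com." % i for i in range(1, 5)]
    print(len(build_enumeration_response(browse, four)), "bytes for", len(four), "domains")
    # A constructed campus: 40 floors in each of 150 buildings.
    many = ["Floor %d.Building %d.example.com." % (i % 40, i // 40) for i in range(6000)]
    print(max_domains_in_response(browse, many), "of", len(many), "domains fit")
```

With the four domains from the text the whole response is 144 bytes: every owner name collapses to the pointer `C0 0C` (offset 12, the question name) and every rdata to an 11-byte `Building N` label plus a pointer to `example.com` in the question. The worst case the text computes assumes no such sharing; `max_domains_in_response` shows how much a realistic naming scheme gains from it.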
In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.

3.2.2. Domain Enumeration via Multicast Queries

Since a Hybrid Proxy exists on many, if not all, of the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients.

A Hybrid Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

b._dns-sd._udp.local.   PTR ?
db._dns-sd._udp.local.  PTR ?
lb._dns-sd._udp.local.  PTR ?

This provides the ability for Hybrid Proxies to provide configuration data on a per-link granularity to DNS-SD clients. In some enterprises it may be preferable to provide this per-link configuration data in the form of Hybrid Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

3.3. Delegated Subdomain for LDH Host Names

The traditional rules for host names are more restrictive than those for DNS-SD service instance names and domains.

Users typically interact with DNS-SD by viewing a list of discovered service instance names on the display and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking. To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and click on the thing they want.

In contrast, host names are often remembered and typed.
Also, host names are often used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens, with no spaces or other punctuation.

While we still want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing software, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is not advisable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Hybrid Proxy MUST support having separate subdomains delegated to it, one to be used for host names (names of 'A' and 'AAAA' address records), which is restricted to the traditional letter-digit-hyphen rules, and another to be used for other records (including the PTR, SRV and TXT records used by DNS-SD), which is allowed to be arbitrary Net-Unicode text [RFC5198].

For example, a Hybrid Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Hybrid Proxy would then translate these two Multicast DNS records:

My Printer._ipp._tcp.local.  SRV 0 0 631 prnt.local.
prnt.local.                  A   10.0.1.2

into Unicast DNS records as follows:

My Printer._ipp._tcp.Building 1.example.com.
                             SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com.      A   10.0.1.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

3.4. Delegated Subdomain for Reverse Mapping

A Hybrid Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.

To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Hybrid Proxy. In other words, the Hybrid Proxy becomes the authoritative name server for the reverse mapping domain.

For example, if a given link is using the IPv6 prefix 2001:0DB8/32, then the domain "8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid Proxy for that link.

If a given link is using the IPv4 subnet 10.1/16, then the domain "1.10.in-addr.arpa" is delegated to the Hybrid Proxy for that link.

When a reverse mapping query arrives at the Hybrid Proxy, it issues the identical query on its local link as a Multicast DNS query. (In the Apple "/usr/include/dns_sd.h" APIs, using ForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS.) When the host owning that IPv6 or IPv4 address responds with a name of the form "something.local", the Hybrid Proxy rewrites that to use its configured LDH host name domain instead of "local" and returns the response to the caller.

For example, a Hybrid Proxy with the two subdomains "1.10.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

3.2.1.10.in-addr.arpa.  PTR prnt.local.

into this Unicast DNS response:

3.2.1.10.in-addr.arpa.  PTR prnt.bldg1.example.com.
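The translations of Sections 3.3 and 3.4 above, as an added worked example in Python (written for this page; not code from the draft or from any shipping Hybrid Proxy). It assumes a small configuration object holding the two delegated subdomains, maps either of them onto "local" for the outgoing Multicast DNS query, and, when synthesizing Unicast DNS records, applies the rich-text domain to service names and the LDH domain to host names, including SRV targets and the targets of reverse-mapping PTR records. `ProxyConfig`, `to_multicast_name` and `to_unicast_record` are this example's own names; the record values are the ones in the text.

```python
"""Translate names between the Multicast DNS "local" domain and the two
subdomains delegated to a Hybrid Proxy (Sections 3.3 and 3.4)."""
from dataclasses import dataclass

ADDRESS_TYPES = {"A", "AAAA"}


@dataclass(frozen=True)
class ProxyConfig:
    rich_domain: str   # rich-text subdomain for PTR/SRV/TXT, e.g. "Building 1.example.com."
    ldh_domain: str    # letter-digit-hyphen subdomain for A/AAAA, e.g. "bldg1.example.com."


def _labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def _has_suffix(name, suffix):
    """Case-insensitive, label-aligned suffix test (so "xbldg1" != "bldg1")."""
    n, s = _labels(name), _labels(suffix)
    return len(n) >= len(s) and [x.lower() for x in n[-len(s):]] == [x.lower() for x in s]


def _replace_suffix(name, old_suffix, new_suffix):
    if not _has_suffix(name, old_suffix):
        raise ValueError("%r is not under %r" % (name, old_suffix))
    kept = _labels(name)[: len(_labels(name)) - len(_labels(old_suffix))]
    return ".".join(kept + _labels(new_suffix)) + "."


def to_multicast_name(name, cfg):
    """Unicast query name -> the Multicast DNS name to look up on the link.
    Both delegated subdomains map onto "local"."""
    for domain in (cfg.rich_domain, cfg.ldh_domain):
        if _has_suffix(name, domain):
            return _replace_suffix(name, domain, "local.")
    raise ValueError("%r is not in a subdomain delegated to this proxy" % name)


def _host_to_unicast(name, cfg):
    return _replace_suffix(name, "local.", cfg.ldh_domain)


def _service_to_unicast(name, cfg):
    return _replace_suffix(name, "local.", cfg.rich_domain)


def to_unicast_record(owner, rtype, rdata, cfg):
    """Multicast DNS record -> synthesized Unicast DNS record, as
    (owner, rtype, rdata).  Host names (owners of A/AAAA, SRV targets and
    reverse-mapping PTR targets) go to the LDH subdomain; service names
    (owners of SRV/TXT and browsing PTR targets) go to the rich-text one."""
    if rtype in ADDRESS_TYPES:
        return _host_to_unicast(owner, cfg), rtype, rdata
    if rtype == "SRV":
        priority, weight, port, target = rdata.split()
        return (_service_to_unicast(owner, cfg), rtype,
                " ".join((priority, weight, port, _host_to_unicast(target, cfg))))
    if rtype == "PTR" and _has_suffix(owner, "arpa."):
        # Reverse mapping: the owner is already a Unicast name; the target is a host.
        return owner, rtype, _host_to_unicast(rdata, cfg)
    if rtype == "PTR":
        return _service_to_unicast(owner, cfg), rtype, _service_to_unicast(rdata, cfg)
    return _service_to_unicast(owner, cfg), rtype, rdata   # TXT and other service data


if __name__ == "__main__":
    cfg = ProxyConfig("Building 1.example.com.", "bldg1.example.com.")
    print(to_multicast_name("_printer._tcp.Building 1.example.com.", cfg))
    print(to_unicast_record("My Printer._ipp._tcp.local.", "SRV", "0 0 631 prnt.local.", cfg))
    print(to_unicast_record("3.2.1.10.in-addr.arpa.", "PTR", "prnt.local.", cfg))
```

The branch for PTR records is where the two domains meet: a browsing PTR (`_ipp._tcp.local. PTR My Printer._ipp._tcp.local.`) names a service instance and takes the rich-text domain, while a reverse-mapping PTR names a host and takes the LDH domain, which is why the owner name is inspected before the rdata is rewritten.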
Subsequent queries for the prnt.bldg1.example.com address record, falling as it does within the bldg1.example.com domain, which is delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.

3.5. Data Translation

Generating the appropriate Multicast DNS queries involves, at the very least, translating from the configured DNS domain (e.g., "Building 1.example.com") on the Unicast DNS side to "local" on the Multicast DNS side.

Generating the appropriate Unicast DNS responses involves translating back from "local" to the configured DNS Unicast domain.

Other beneficial translation and filtering operations are described below.

3.5.1. DNS TTL limiting

For efficiency, Multicast DNS typically uses moderately high DNS TTL values. For example, the typical TTL on DNS-SD PTR records is 75 minutes. What makes these moderately high TTLs acceptable is the cache coherency mechanisms built into the Multicast DNS protocol which protect against stale data persisting for too long. When a service shuts down gracefully, it sends goodbye packets to remove its PTR records immediately from neighbouring caches. If a service shuts down abruptly without sending goodbye packets, the Passive Observation Of Failures (POOF) mechanism described in Section 10.5 of the Multicast DNS specification [RFC6762] comes into play to purge the cache of stale data.

A traditional Unicast DNS client on a remote link does not get to participate in these Multicast DNS cache coherency mechanisms on the local link.
For traditional Unicast DNS requests (those received without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in the resulting Unicast DNS response SHOULD be capped to be no more than ten seconds. For received Unicast DNS requests that contain an LLQ or DNS Push Notification option, the Multicast DNS record's TTL SHOULD be returned unmodified, because the Push Notification channel exists to inform the remote client as records come and go. For further details about Long-Lived Queries, and its newer replacement, DNS Push Notifications, see Section 3.6.

3.5.2. Suppressing Unusable Records

A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that are not useful outside the local link. For example, DNS A and AAAA records for IPv6 link-local addresses [RFC4862] and IPv4 link-local addresses [RFC3927] should be suppressed. Similarly, for sites that have multiple private address realms [RFC1918], private addresses from one private address realm should not be communicated to clients in a different private address realm.

By the same logic, DNS SRV records that reference target host names that have no addresses usable by the requester should be suppressed, and likewise, DNS PTR records that point to unusable SRV records should similarly be suppressed.

3.5.3. Application-Specific Data Translation

There may be cases where Application-Specific Data Translation is appropriate.

For example, AirPrint printers tend to advertise fairly verbose information about their capabilities in their DNS-SD TXT record. This information is a legacy from LPR printing, because LPR does not have in-band capability negotiation, so all of this information is conveyed using the DNS-SD TXT record instead.
IPP printing does have in-band capability negotiation, but for convenience printers tend to include the same capability information in their IPP DNS-SD TXT records as well. For local mDNS use this extra TXT record information is inefficient, but not fatal. However, when a Hybrid Proxy aggregates data from multiple printers on a link, and sends it via unicast (via UDP or TCP) this amount of unnecessary TXT record information can result in large responses. Therefore, a Hybrid Proxy that is aware of the specifics of an application-layer protocol such as AirPrint (which uses IPP) can elide unnecessary key/value pairs from the DNS-SD TXT record for better network efficiency.

Note that this kind of Application-Specific Data Translation is expected to be very rare. It is the exception, rather than the rule. This is an example of a common theme in computing. It is frequently the case that it is wise to start with a clean, layered design, with clear boundaries. Then, in certain special cases, those layer boundaries may be violated, where the performance and efficiency benefits outweigh the inelegance of the layer violation.

As in other similar situations, these layer violations are optional. They are done only for efficiency reasons, and are not required for correct operation. A Hybrid Proxy can operate solely at the mDNS layer, without any knowledge of semantics at the DNS-SD layer or above.

3.6. Answer Aggregation

In a simple analysis, simply gathering multicast answers and forwarding them in a unicast response seems adequate, but it raises the question of how long the Hybrid Proxy should wait to be sure that it has received all the Multicast DNS answers it needs to form a complete Unicast DNS response. If it waits too little time, then it risks its Unicast DNS response being incomplete.
If it waits too long, then it creates a poor user experience at the client end. In fact, there may be no time which is both short enough to produce a good user experience and at the same time long enough to reliably produce complete results.

Similarly, the Hybrid Proxy -- the authoritative name server for the subdomain in question -- needs to decide what DNS TTL to report for these records. If the TTL is too long then the recursive (caching) name servers issuing queries on behalf of their clients risk caching stale data for too long. If the TTL is too short then the amount of network traffic will be more than necessary. In fact, there may be no TTL which is both short enough to avoid undesirable stale data and at the same time long enough to be efficient on the network.

Both these dilemmas are solved by use of DNS Long-Lived Queries (DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push Notifications [I-D.ietf-dnssd-push]. When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push Notification option, it responds immediately using the Multicast DNS records it already has in its cache (if any). This provides a good client user experience by providing a near-instantaneous response. Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the local link to discover if there are any additional Multicast DNS records it did not already know about. Should additional Multicast DNS responses be received, these are then delivered to the client using DNS LLQ or DNS Push Notification update messages. The timeliness of such update messages is limited only by the timeliness of the device responding to the Multicast DNS query. If the Multicast DNS device responds quickly, then the update message is delivered quickly. If the Multicast DNS device responds slowly, then the update message is delivered slowly.
The benefit of using update messages is that the Hybrid Proxy can respond promptly because it doesn't have to delay its unicast response to allow for the expected worst-case delay for receiving all the Multicast DNS responses. Even if a proxy were to try to provide reliability by assuming an excessively pessimistic worst-case time (thereby giving a very poor user experience) there would still be the risk of a slow Multicast DNS device taking even longer than that (e.g., a device that is not even powered on until ten seconds after the initial query is received) resulting in incomplete responses. Using update messages solves this dilemma: even very late responses are not lost; they are delivered in subsequent update messages.

There are two factors that determine specifically how responses are generated:

The first factor is whether the query from the client included an LLQ or DNS Push Notification option (typical with long-lived service browsing PTR queries) or not (typical with one-shot operations like SRV or address record queries). Note that queries containing the LLQ/PUSH option are received directly from the client (see Section 3.6.1). Queries containing no LLQ/PUSH option are generally received via the client's configured recursive (caching) name server.

The second factor is whether the Hybrid Proxy already has at least one record in its cache that positively answers the question.

o No LLQ/PUSH option; no answer in cache:
  Do local mDNS query up to three times, return answers if received, otherwise return negative response if no answer after three tries.
  DNS TTLs in responses are capped to at most ten seconds.

o No LLQ/PUSH option; at least one answer in cache:
  Send response right away to minimise delay.
  DNS TTLs in responses are capped to at most ten seconds.
  No local mDNS queries are performed.
      (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
      Multicast DNS answer in its cache, it can reasonably assume that
      it has all of them.)

   o  Query contains LLQ/PUSH option; no answer in cache:
      As above, do local mDNS query up to three times, and return
      answers if received.
      If no answer after three tries, return negative response.
      (Reasoning: We don't need to rush to send an empty answer.)
      In both cases the query remains active for as long as the client
      maintains the LLQ/PUSH state, and if mDNS answers are received
      later, LLQ/PUSH update messages are sent.
      DNS TTLs in responses are returned unmodified.

   o  Query contains LLQ/PUSH option; at least one answer in cache:
      As above, send response right away to minimise delay.
      The query remains active for as long as the client maintains the
      LLQ/PUSH state, and if additional mDNS answers are received later,
      LLQ/PUSH update messages are sent.
      (Reasoning: We want UI that is displayed very rapidly, yet
      continues to remain accurate even as the network environment
      changes.)
      DNS TTLs in responses are returned unmodified.

   Note that the "negative responses" referred to above are "no error no
   answer" negative responses, not NXDOMAIN.  This is because the Hybrid
   Proxy cannot know all the Multicast DNS domain names that may exist
   on a link at any given time, so any name with no answers may have
   child names that do exist, making it an "empty nonterminal" name.

3.6.1.  Discovery of LLQ or PUSH Notification Service

   To issue LLQ/PUSH queries, clients need to communicate directly with
   the authoritative Hybrid Proxy.  The procedure by which the client
   locates the authoritative Hybrid Proxy is described in the LLQ
   specification [I-D.sekar-dns-llq] and the DNS Push Notifications
   specification [I-D.ietf-dnssd-push].
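   The four response cases of Section 3.6 above, as an added example
   that is not code from this draft or from any Hybrid Proxy
   implementation: the Record and Plan types, the mdns_query callback
   and the cache contents are constructed for illustration, and the
   proxy's choice is driven only by the LLQ/PUSH flag and the cache.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MDNS_TRIES = 3         # a local mDNS query is attempted up to three times
ONE_SHOT_TTL_CAP = 10  # TTL cap (seconds) when the query had no LLQ/PUSH option

@dataclass(frozen=True)
class Record:          # constructed, minimal resource record for the example
    name: str
    rrtype: str
    ttl: int
    rdata: str

@dataclass
class Plan:
    answers: List[Record]   # sent in the immediate response (may be empty)
    mdns_tries: int         # 0 = answer from cache only, no multicast traffic
    stay_active: bool       # later mDNS answers go out as LLQ/PUSH updates
    ttl_cap: Optional[int]  # None = TTLs returned unmodified

def cap_ttl(records: List[Record], cap: int) -> List[Record]:
    return [Record(r.name, r.rrtype, min(r.ttl, cap), r.rdata) for r in records]

def plan_response(question: Tuple[str, str], cache, has_llq_push: bool) -> Plan:
    """Pick one of the four cases from the LLQ/PUSH flag and the cache state."""
    name, rrtype = question
    hits = [r for r in cache if r.name == name and r.rrtype == rrtype]
    cap = None if has_llq_push else ONE_SHOT_TTL_CAP
    if hits:
        # RRSet TTL harmonisation: one cached answer implies the whole set,
        # so respond at once and put no query on the link.
        return Plan(hits if cap is None else cap_ttl(hits, cap), 0, has_llq_push, cap)
    return Plan([], MDNS_TRIES, has_llq_push, cap)

def run_query(question, cache, has_llq_push: bool, mdns_query: Callable):
    """Drive a Plan to the immediate response.  mdns_query(question, attempt)
    stands in for a link-local query and returns the Records heard.  Returns
    (answers, negative, stay_active); 'negative' is NOERROR with no answer."""
    plan = plan_response(question, cache, has_llq_push)
    answers = list(plan.answers)
    for attempt in range(1, plan.mdns_tries + 1):
        answers = mdns_query(question, attempt)
        if answers:
            break
    if plan.ttl_cap is not None:
        answers = cap_ttl(answers, plan.ttl_cap)
    return answers, not answers, plan.stay_active
```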
   Briefly, the procedure is as follows:

   To discover the LLQ service for a given domain name, a client first
   performs DNS zone apex discovery, and then, having discovered the
   zone apex <zone>, the client issues a DNS query for the SRV record
   with the name _dns-llq._udp.<zone> to find the target host and port
   for the LLQ service for that zone.  By default LLQ service runs on
   UDP port 5352, but since SRV records are used, the LLQ service can be
   offered on any port.

   To discover the DNS Push Notification service for a given domain
   name, a client first performs DNS zone apex discovery, and then,
   having discovered the zone apex <zone>, the client issues a DNS query
   for the SRV record with the name _dns-push-tls._tcp.<zone> to find
   the target host and port for the DNS Push Notification service for
   that zone.  By default DNS Push Notification service runs on TCP port
   5352, but since SRV records are used, the DNS Push Notification
   service can be offered on any port.

   A client performs DNS zone apex discovery using the procedure below:

   1.  The client issues a DNS query for the SOA record with the given
       domain name.

   2.  A conformant recursive (caching) name server will either send a
       positive response, or a negative response containing the SOA
       record of the zone apex in the Authority Section.

   3.  If the name server sends a negative response that does not
       contain the SOA record of the zone apex, the client trims the
       first label off the given domain name and returns to step 1 to
       try again.

   By this method, the client iterates until it learns the name of the
   zone apex, or (in pathological failure cases) reaches the root and
   gives up.

   Normal DNS caching is used to avoid repetitive queries on the wire.

4.  Implementation Status

   Some aspects of the mechanism specified in this document already
   exist in deployed software.  Some aspects are new.
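   The zone apex walk and the SRV owner names of Section 3.6.1, as an
   added example that is not part of this draft: make_resolver is a
   constructed stand-in for a recursive name server, its zone set is
   invented, and it can also behave as a non-conformant server (no SOA
   in the Authority Section) so that the label trimming of step 3 is
   exercised as well as the one-query conformant case.

```python
from typing import Callable, Dict, Optional, Set, Tuple

LLQ_SRV = "_dns-llq._udp"        # LLQ service, UDP 5352 by default
PUSH_SRV = "_dns-push-tls._tcp"  # DNS Push Notification service, TCP 5352 by default

SoaLookup = Callable[[str], Tuple[bool, Optional[str]]]

def parent(name: str) -> Optional[str]:
    """Trim the first label: 'a.b.c.' -> 'b.c.', 'c.' -> '.', '.' -> None."""
    if name == ".":
        return None
    return name.split(".", 1)[1] or "."

def find_zone_apex(name: str, soa_query: SoaLookup) -> Optional[str]:
    """soa_query(name) is step 1 and returns (positive, soa_owner): soa_owner
    is the SOA name from the Authority Section of a negative answer, or None.
    Step 2: a positive answer means 'name' is the apex, an authority SOA names
    it directly.  Step 3: otherwise trim a label and retry; None past the root."""
    while name is not None:
        positive, soa_owner = soa_query(name)
        if positive:
            return name
        if soa_owner is not None:
            return soa_owner
        name = parent(name)
    return None

def service_srv_names(name: str, soa_query: SoaLookup) -> Optional[Dict[str, str]]:
    """SRV owner names to query once the zone apex is known."""
    zone = find_zone_apex(name, soa_query)
    if zone is None:
        return None
    return {"llq": f"{LLQ_SRV}.{zone}", "push": f"{PUSH_SRV}.{zone}"}

def make_resolver(zones: Set[str], conformant: bool) -> SoaLookup:
    """Constructed recursive resolver serving the apex names in 'zones'.
    A conformant one puts the enclosing zone's SOA in every negative answer;
    a non-conformant one omits it, which forces the label-trimming loop."""
    def lookup(name: str) -> Tuple[bool, Optional[str]]:
        if name in zones:
            return True, None
        if conformant:
            for zone in sorted(zones, key=len, reverse=True):
                if name.endswith("." + zone):
                    return False, zone
        return False, None
    return lookup
```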
   This section outlines which aspects already exist and which are new.

4.1.  Already Implemented and Deployed

   Domain enumeration by the client (the "b._dns-sd._udp" queries) is
   already implemented and deployed.

   Unicast queries to the indicated discovery domain are already
   implemented and deployed.

   These are implemented and deployed in Mac OS X 10.4 and later
   (including all versions of Apple iOS, on all iPhones and iPads), in
   Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
   and later.

   Domain enumeration and unicast querying have been used for several
   years at IETF meetings to make Terminal Room printers discoverable
   from outside the Terminal Room.  When you press Cmd-P on your Mac, or
   select AirPrint on your iPad or iPhone, and the Terminal Room
   printers appear, that is because your client is doing unicast DNS
   queries to the IETF DNS servers.

4.2.  Partially Implemented

   The current APIs make multiple domains visible to client software,
   but most client UI today lumps all discovered services into a single
   flat list.  This is largely a chicken-and-egg problem.  Application
   writers were naturally reluctant to spend time writing domain-aware
   UI code when few customers today would benefit from it.  If Hybrid
   Proxy deployment becomes common, then application writers will have a
   reason to provide better UI.  Existing applications will work with
   the Hybrid Proxy, but will show all services in a single flat list.
   Applications with improved UI will group services by domain.

   The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
   this specification exists and is deployed, but has not been
   standardized by the IETF.  The IETF is considering standardizing a
   superior Long-Lived Query mechanism called DNS Push Notifications
   [I-D.ietf-dnssd-push].
   The pragmatic short-term deployment approach is for vendors to
   produce Hybrid Proxies that implement both the deployed Long-Lived
   Query mechanism [I-D.sekar-dns-llq] (for today's clients) and the new
   DNS Push Notifications mechanism [I-D.ietf-dnssd-push] as the
   preferred long-term direction.

   The translating/filtering Hybrid Proxy specified in this document:
   implementations are under development, and operational experience
   with these implementations has guided updates to this document.

4.3.  Not Yet Implemented

   Client implementations of the new DNS Push Notifications mechanism
   [I-D.ietf-dnssd-push] are currently underway.

   A mechanism to 'stitch' together multiple ".local." zones so that
   they appear as one.  Such a mechanism will be specified in a future
   companion document.

5.  IPv6 Considerations

   An IPv6-only host and an IPv4-only host behave as "ships that pass in
   the night".  Even if they are on the same Ethernet, neither is aware
   of the other's traffic.  For this reason, each physical link may have
   *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
   Since for practical purposes, a group of IPv6-only hosts and a group
   of IPv4-only hosts on the same Ethernet act as if they were on two
   entirely separate Ethernet segments, it is unsurprising that their
   use of the ".local." zone should occur exactly as it would if they
   really were on two entirely separate Ethernet segments.

   It will be desirable to have a mechanism to 'stitch' together these
   two unrelated ".local." zones so that they appear as one.  Such a
   mechanism will need to be able to differentiate between a dual-stack
   (v4/v6) host participating in both ".local." zones, and two different
   hosts, one IPv6-only and the other IPv4-only, which are both trying
   to use the same name(s).  Such a mechanism will be specified in a
   future companion document.

6.  Security Considerations

6.1.  Authenticity

   A service proves its presence on a link by its ability to answer
   link-local multicast queries on that link.  If greater security is
   desired, then the Hybrid Proxy mechanism should not be used, and
   something with stronger security should be used instead, such as
   authenticated secure DNS Update [RFC2136] [RFC3007].

6.2.  Privacy

   The Domain Name System is, generally speaking, a global public
   database.  Records that exist in the Domain Name System name
   hierarchy can be queried by name from, in principle, anywhere in the
   world.  If services on a mobile device (like a laptop computer) are
   made visible via the Hybrid Proxy mechanism, then when those services
   become visible in a domain such as "My House.example.com" that might
   indicate to (potentially hostile) observers that the mobile device is
   in my house.  When those services disappear from
   "My House.example.com" that change could be used by observers to
   infer when the mobile device (and possibly its owner) may have left
   the house.  The privacy of this information may be protected using
   techniques like firewalls and split-view DNS, as are customarily used
   today to protect the privacy of corporate DNS information.

6.3.  Denial of Service

   A remote attacker could use a rapid series of unique Unicast DNS
   queries to induce a Hybrid Proxy to generate a rapid series of
   corresponding Multicast DNS queries on one or more of its local
   links.  Multicast traffic is expensive -- especially on Wi-Fi links
   -- which makes this attack particularly serious.  To limit the damage
   that can be caused by such attacks, a Hybrid Proxy (or the underlying
   Multicast DNS subsystem which it utilizes) MUST implement Multicast
   DNS query rate limiting appropriate to the link technology in
   question.  For Wi-Fi links the Multicast DNS subsystem SHOULD NOT
   issue more than 20 Multicast DNS query packets per second.
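   The per-link rate limiting required above, as an added example that
   is not code from this draft or from any implementation:
   MdnsQueryLimiter and simulate_flood are assumed names, the
   gigabit-ethernet ceiling is an assumed operator value (only the Wi-Fi
   figure comes from the draft), and the flood of unique unicast
   questions is replayed against a constructed clock so the number of
   query packets that would reach the link can be checked offline.

```python
import time
from collections import deque
from typing import Callable, Deque, Tuple

# Ceilings on Multicast DNS query packets per second, per link technology.
# "wifi" is the draft's SHOULD NOT figure; "gigabit-ethernet" is an assumed
# operator choice for illustration, not a number from the draft.
LINK_QUERY_LIMITS = {"wifi": 20, "gigabit-ethernet": 200}
WINDOW_MS = 1000

class MdnsQueryLimiter:
    """Sliding one-second window over the link-local queries actually sent.
    The proxy calls allow() before each mDNS query a unicast question would
    trigger; refused queries are counted and never reach the link."""

    def __init__(self, link_type: str,
                 clock_ms: Callable[[], int] = lambda: time.monotonic_ns() // 1_000_000):
        self.limit = LINK_QUERY_LIMITS[link_type]
        self.clock_ms = clock_ms
        self.sent: Deque[int] = deque()   # send times (ms) still in the window
        self.refused = 0

    def allow(self) -> bool:
        now = self.clock_ms()
        while self.sent and now - self.sent[0] >= WINDOW_MS:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            self.refused += 1
            return False
        self.sent.append(now)
        return True

def simulate_flood(link_type: str, arrivals_per_s: int, seconds: int) -> Tuple[int, int]:
    """Unique unicast questions arrive evenly at arrivals_per_s for 'seconds';
    unlimited, each would become one mDNS query.  Returns (emitted, refused)
    counts of mDNS query packets.  Uses a constructed millisecond clock."""
    now = [0]
    limiter = MdnsQueryLimiter(link_type, lambda: now[0])
    spacing_ms = WINDOW_MS // arrivals_per_s
    emitted = 0
    for _ in range(arrivals_per_s * seconds):
        if limiter.allow():
            emitted += 1
        now[0] += spacing_ms
    return emitted, limiter.refused
```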
   On other link technologies like Gigabit Ethernet higher limits may be
   appropriate.

7.  Intellectual Property Rights

   Apple has submitted an IPR disclosure concerning the technique
   proposed in this document.  Details are available on the IETF IPR
   disclosure page [IPR2119].

8.  IANA Considerations

   This document has no IANA Considerations.

9.  Acknowledgments

   Thanks to Markus Stenberg for helping develop the policy regarding
   the four styles of unicast response according to what data is
   immediately available in the cache.  Thanks to Andrew Yourtchenko for
   comments about privacy issues.  [Partial list; more names to be
   added.]

10.  References

10.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot,
              G., and E. Lear, "Address Allocation for Private
              Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
              February 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
              Configuration of IPv4 Link-Local Addresses", RFC 3927,
              DOI 10.17487/RFC3927, May 2005.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC5198]  Klensin, J. and M. Padlipsky, "Unicode Format for Network
              Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              December 2012.

   [RFC6763]  Cheshire, S. and M.
              Krochmal, "DNS-Based Service Discovery", RFC 6763,
              December 2012.

   [I-D.sekar-dns-llq]
              Sekar, K., "DNS Long-Lived Queries",
              draft-sekar-dns-llq-01 (work in progress), August 2006.

   [I-D.ietf-dnssd-push]
              Pusateri, T. and S. Cheshire, "DNS Push Notifications",
              draft-ietf-dnssd-push-02 (work in progress), October 2015.

10.2.  Informative References

   [HOME]     Cheshire, S., "Special Use Top Level Domain 'home'",
              draft-cheshire-homenet-dot-home (work in progress),
              November 2014.

   [IPR2119]  "Apple Inc.'s Statement about IPR related to Hybrid
              Unicast/Multicast DNS-Based Service Discovery".

   [RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, DOI 10.17487/RFC2136, April 1997.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

   [RFC6760]  Cheshire, S. and M. Krochmal, "Requirements for a Protocol
              to Replace the AppleTalk Name Binding Protocol (NBP)",
              RFC 6760, December 2012.

   [ZC]       Cheshire, S. and D. Steinberg, "Zero Configuration
              Networking: The Definitive Guide", O'Reilly Media, Inc.,
              ISBN 0-596-10100-7, December 2005.

Author's Address

   Stuart Cheshire
   Apple Inc.
   1 Infinite Loop
   Cupertino, California 95014
   USA

   Phone: +1 408 974 3207
   Email: cheshire@apple.com