Internet Engineering Task Force                               S. Cheshire
Internet-Draft                                                 Apple Inc.
Intended status: Standards Track                        February 4, 2016
Expires: August 7, 2016

          Hybrid Unicast/Multicast DNS-Based Service Discovery
                        draft-ietf-dnssd-hybrid-03

Abstract

Performing DNS-Based Service Discovery using purely link-local Multicast DNS enables discovery of services that are on the local link, but not (without some kind of proxy or similar special support) discovery of services that are outside the local link. Using a very large local link with thousands of hosts facilitates service discovery, but at the cost of large amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require excessively large multicast domains, but requires that the relevant data be available in the Unicast DNS namespace. This can be achieved by manual DNS configuration (as has been done for many years at IETF meetings to advertise the IETF Terminal Room printer), but this is labor intensive, error prone, and requires a reasonable degree of DNS expertise. The Unicast DNS namespace can be populated with the required data automatically by the devices themselves, but that requires configuration of DNS Update keys on the devices offering the services, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence, to facilitate efficient and reliable DNS-Based Service Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).
Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 7, 2016.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1.  Introduction
2.  Conventions and Terminology Used in this Document
3.  Compatibility Considerations
4.  Hybrid Proxy Operation
    4.1.  Delegated Subdomain for Service Discovery Records
    4.2.  Domain Enumeration
        4.2.1.  Domain Enumeration via Unicast Queries
        4.2.2.  Domain Enumeration via Multicast Queries
    4.3.  Delegated Subdomain for LDH Host Names
    4.4.  Delegated Subdomain for Reverse Mapping
    4.5.  Data Translation
        4.5.1.  DNS TTL limiting
        4.5.2.  Suppressing Unusable Records
        4.5.3.  Application-Specific Data Translation
    4.6.  Answer Aggregation
        4.6.1.  Discovery of LLQ and/or PUSH Notification Service
5.  DNS SOA (Start of Authority) Record
6.  Implementation Status
    6.1.  Already Implemented and Deployed
    6.2.  Already Implemented
    6.3.  Partially Implemented
    6.4.  Not Yet Implemented
7.  IPv6 Considerations
8.  Security Considerations
    8.1.  Authenticity
    8.2.  Privacy
    8.3.  Denial of Service
9.  Intellectual Property Rights
10. IANA Considerations
11. Acknowledgments
12. References
    12.1.  Normative References
    12.2.  Informative References
Author's Address

1.  Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC].
For a small network consisting of just a single link (or several physical links bridged together to appear as a single logical link to IP), Multicast DNS [RFC6762] is sufficient for client devices to look up the dot-local host names of peers on the same home network, and to perform DNS-Based Service Discovery (DNS-SD) [RFC6763] of services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, do not cross between links. (This was a deliberate design choice for Multicast DNS, since even on a single link multicast traffic is expensive -- especially on Wi-Fi links -- and multiplying the amount of multicast traffic by flooding it across multiple links would make that problem even worse.) In this environment, Unicast DNS would be preferable to Multicast DNS. (Unicast DNS can be used either with a traditionally assigned globally unique domain name, or with a private local unicast domain name such as ".home" [HOME].)

To use Unicast DNS, the names of hosts and services need to be made available in the Unicast DNS namespace. In the DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

This document specifies a type of proxy called a Hybrid Proxy that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

2.  Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

The Hybrid Proxy builds on Multicast DNS, which works between hosts on the same link. A set of hosts is considered to be "on the same link" if:

o  when any host A from that set sends a packet to any other host B in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

o  a broadcast sent over that link by any host from that set of hosts can be received by every other host in that set

The link-layer *header* may be modified, such as in Token Ring Source Routing [802.5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

3.  Compatibility Considerations

No changes to existing devices are required to work with a Hybrid Proxy.

Existing devices that advertise services using Multicast DNS work with Hybrid Proxy.

Existing clients that support DNS-Based Service Discovery over Unicast DNS (Mac OS X 10.4 and later, including iPhone, iPad, and Bonjour for Windows) work with Hybrid Proxy.

4.  Hybrid Proxy Operation

In a typical configuration, a Hybrid Proxy is configured to be authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authority for these subdomains is delegated to it via NS records:

A DNS subdomain for service discovery records.
   This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

A DNS subdomain for host name records.
   This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

A DNS subdomain for IPv6 Reverse Mapping records.
   This subdomain name will be a name that ends in "ip6.arpa."

A DNS subdomain for IPv4 Reverse Mapping records.
   This subdomain name will be a name that ends in "in-addr.arpa."

In an enterprise network the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a home network, naming and delegation would typically be performed using some automatic configuration mechanism such as HNCP [I-D.ietf-homenet-hncp].

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below.

4.1.  Delegated Subdomain for Service Discovery Records

In its simplest form, each physical link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name.
In a graphical user interface these names are not displayed as strings with dots as shown above, but as something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.

   +---------------+--------------+-------------+-------------------+
   | *example.com* | Building 1   | 1st Floor   | Alice's printer   |
   |               | Building 2   | *2nd Floor* | Bob's printer     |
   |               | *Building 3* | 3rd Floor   | Charlie's printer |
   |               | Building 4   | 4th Floor   |                   |
   |               | Building 5   |             |                   |
   |               | Building 6   |             |                   |
   +---------------+--------------+-------------+-------------------+

                       Figure 1: Illustrative GUI

Each named link in an organization has a Hybrid Proxy which serves it. This Hybrid Proxy function could be performed by a router on that link, or, with appropriate VLAN configuration, a single Hybrid Proxy could have a logical presence on, and serve as the Hybrid Proxy for, many links. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the Hybrid Proxy that serves the named link. In other words, the Hybrid Proxy is the authoritative name server for that subdomain.

When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?"), the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Hybrid Proxy on the link in question. Like a conventional Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Hybrid Proxy generates answers using Multicast DNS. A Hybrid Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Unicast DNS response.

Naturally, the existing Multicast DNS caching mechanism is used to avoid issuing unnecessary Multicast DNS queries on the wire. The Hybrid Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

4.2.  Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries. It issues unicast Domain Enumeration queries using its "home" domain (typically learned via DHCP) and using its IPv6 prefix and IPv4 subnet address. These are described below in Section 4.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 4.2.2. The results of all Domain Enumeration queries are combined for Service Discovery purposes.

4.2.1.  Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains, e.g.:

   b._dns-sd._udp.example.com.  PTR Building 1.example.com.
                                PTR Building 2.example.com.
                                PTR Building 3.example.com.
                                PTR Building 4.example.com.

   db._dns-sd._udp.example.com. PTR Building 1.example.com.

   lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from, and the "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, as of 2015). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65275 for the Answer Section.

An Answer Section Resource Record consists of:

o  Owner name, encoded as a two-byte compression pointer
o  Two-byte rrtype (type PTR)
o  Two-byte rrclass (class IN)
o  Four-byte ttl
o  Two-byte rdlength
o  rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.

In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.

4.2.2.  Domain Enumeration via Multicast Queries

Since a Hybrid Proxy exists on many, if not all, of the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients.

A Hybrid Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

   b._dns-sd._udp.local.  PTR ?
   db._dns-sd._udp.local. PTR ?
   lb._dns-sd._udp.local. PTR ?

This provides the ability for Hybrid Proxies to provide configuration data at a per-link granularity to DNS-SD clients. In some enterprises it may be preferable to provide this per-link configuration data in the form of Hybrid Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

4.3.  Delegated Subdomain for LDH Host Names

The traditional rules for host names are more restrictive than those for DNS-SD service instance names and domains.

Users typically interact with DNS-SD by viewing a list of discovered service instance names on the display and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking. To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and click on the thing they want.

In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens, with no spaces or other punctuation.
While we still want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is less desirable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Hybrid Proxy SHOULD support having separate subdomains delegated to it, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records).

For example, a Hybrid Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Hybrid Proxy would then translate these two Multicast DNS records:

   My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
   prnt.local. A 10.0.1.2

into Unicast DNS records as follows:

   My Printer._ipp._tcp.Building 1.example.com.
                            SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com.  A 10.0.1.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

A Hybrid Proxy MAY support only a single rich text Net-Unicode domain, and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments.
Whether this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.

A Hybrid Proxy MUST NOT be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.

4.4.  Delegated Subdomain for Reverse Mapping

A Hybrid Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.

To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Hybrid Proxy. In other words, the Hybrid Proxy becomes the authoritative name server for the reverse mapping domain.

For example, if a given link is using the IPv6 prefix 2001:0DB8/32, then the domain "8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid Proxy for that link.

If a given link is using the IPv4 subnet 10.1/16, then the domain "1.10.in-addr.arpa" is delegated to the Hybrid Proxy for that link.

When a reverse mapping query arrives at the Hybrid Proxy, it issues the identical query on its local link as a Multicast DNS query. (In the Apple "/usr/include/dns_sd.h" APIs, using ForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS.) When the host owning that IPv6 or IPv4 address responds with a name of the form "something.local", the Hybrid Proxy rewrites that to use its configured LDH host name domain instead of "local" and returns the response to the caller.

For example, a Hybrid Proxy with the two subdomains "1.10.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

   3.2.1.10.in-addr.arpa. PTR prnt.local.

into this Unicast DNS response:

   3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com.
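The name translations of Sections 4.1, 4.3 and 4.4 gathered in one place, as an added example that is not code from the draft or from any Hybrid Proxy implementation. The delegated subdomains and the records are the draft's own examples; the Record class, HybridProxy class and method names are assumptions made for this example.

```python
# Added example, not code from the draft or any Hybrid Proxy implementation:
# the name translations a Hybrid Proxy applies between Multicast DNS
# (".local") and the Unicast DNS subdomains delegated to it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """A resource record in presentation form; every name ends in '.'."""
    name: str
    rtype: str
    rdata: str   # for SRV: "priority weight port target"


def _in_domain(name: str, domain: str) -> bool:
    """Case-insensitive test that 'name' is 'domain' or lies below it."""
    n, d = name.lower(), domain.lower()
    return n == d or n.endswith("." + d)


def _replace_suffix(name: str, old: str, new: str) -> str:
    """Swap the domain suffix of a name, keeping the labels in front of it."""
    if not _in_domain(name, old):
        raise ValueError(f"{name!r} is not in {old!r}")
    return name[: len(name) - len(old)] + new


class HybridProxy:
    """The subdomains delegated to one proxy (the names are assumed values)."""

    def __init__(self, rich_domain: str, ldh_domain: str, reverse_domains):
        self.rich = rich_domain                # e.g. "Building 1.example.com."
        self.ldh = ldh_domain                  # e.g. "bldg1.example.com."
        self.reverse = tuple(reverse_domains)  # e.g. ("1.10.in-addr.arpa.",)

    def _is_reverse(self, name: str) -> bool:
        return any(_in_domain(name, r) for r in self.reverse)

    def _host(self, local_name: str) -> str:
        """prnt.local. -> prnt.bldg1.example.com. (LDH subdomain, Section 4.3)"""
        return _replace_suffix(local_name, "local.", self.ldh)

    def _service(self, local_name: str) -> str:
        """My Printer._ipp._tcp.local. -> ...Building 1.example.com. (rich text)"""
        return _replace_suffix(local_name, "local.", self.rich)

    def query_to_multicast(self, qname: str) -> str:
        """Unicast query name -> the Multicast DNS name to look up (Section 4.5).

        Reverse-mapping names are issued unchanged (Section 4.4); names in
        either delegated forward subdomain are rewritten to ".local".
        """
        if self._is_reverse(qname):
            return qname
        for delegated in (self.rich, self.ldh):
            if _in_domain(qname, delegated):
                return _replace_suffix(qname, delegated, "local.")
        raise ValueError(f"{qname!r} is not in a delegated subdomain")

    def record_to_unicast(self, rec: Record) -> Record:
        """Multicast DNS record -> Unicast DNS record (Sections 4.3 and 4.4)."""
        if rec.rtype in ("A", "AAAA"):
            # Address records are named in the LDH subdomain.
            return Record(self._host(rec.name), rec.rtype, rec.rdata)
        if rec.rtype == "SRV":
            # Owner is a service instance (rich text); the target is a host name.
            prio, weight, port, target = rec.rdata.split()
            return Record(self._service(rec.name), "SRV",
                          f"{prio} {weight} {port} {self._host(target)}")
        if rec.rtype == "PTR" and self._is_reverse(rec.name):
            # Reverse mapping: owner stays as queried, the rdata is a host name.
            return Record(rec.name, "PTR", self._host(rec.rdata))
        if rec.rtype == "PTR":
            # Service-type PTR: owner and target are both DNS-SD names.
            return Record(self._service(rec.name), "PTR", self._service(rec.rdata))
        # TXT and any other record owned by a service instance name.
        return Record(self._service(rec.name), rec.rtype, rec.rdata)


if __name__ == "__main__":
    proxy = HybridProxy("Building 1.example.com.", "bldg1.example.com.",
                        ["1.10.in-addr.arpa."])
    # The two Multicast DNS records from Section 4.3 and the PTR from Section 4.4.
    for rec in (Record("My Printer._ipp._tcp.local.", "SRV", "0 0 631 prnt.local."),
                Record("prnt.local.", "A", "10.0.1.2"),
                Record("3.2.1.10.in-addr.arpa.", "PTR", "prnt.local.")):
        print(proxy.record_to_unicast(rec))
    print(proxy.query_to_multicast("_printer._tcp.Building 1.example.com."))
```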
Subsequent queries for the prnt.bldg1.example.com address record, falling as it does within the bldg1.example.com domain, which is delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.

4.5.  Data Translation

Generating the appropriate Multicast DNS queries involves, at the very least, translating from the configured DNS domain (e.g., "Building 1.example.com") on the Unicast DNS side to "local" on the Multicast DNS side.

Generating the appropriate Unicast DNS responses involves translating back from "local" to the configured DNS Unicast domain.

Other beneficial translation and filtering operations are described below.

4.5.1.  DNS TTL limiting

For efficiency, Multicast DNS typically uses moderately high DNS TTL values. For example, the typical TTL on DNS-SD PTR records is 75 minutes. What makes these moderately high TTLs acceptable is the cache coherency mechanisms built into the Multicast DNS protocol which protect against stale data persisting for too long. When a service shuts down gracefully, it sends goodbye packets to remove its PTR records immediately from neighbouring caches. If a service shuts down abruptly without sending goodbye packets, the Passive Observation Of Failures (POOF) mechanism described in Section 10.5 of the Multicast DNS specification [RFC6762] comes into play to purge the cache of stale data.

A traditional Unicast DNS client on a remote link does not get to participate in these Multicast DNS cache coherency mechanisms on the local link.
For traditional Unicast DNS queries (those received without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in the resulting Unicast DNS response SHOULD be capped to be no more than ten seconds.

Similarly, for negative responses, the negative caching TTL indicated in the SOA record [RFC2308] should also be ten seconds (Section 5).

This value of ten seconds is chosen based on user experience considerations.

For negative caching, suppose a user is attempting to access a remote device (e.g., a printer), and they are unsuccessful because that device is powered off. Suppose they then place a telephone call and ask for the device to be powered on. We want the device to become available to the user within a reasonable time period. It is reasonable to expect it to take on the order of ten seconds for a simple device with a simple embedded operating system to power on.

Once the device is powered on and has announced its presence on the network via Multicast DNS, we would like it to take no more than a further ten seconds for stale negative cache entries to expire from Unicast DNS caches, making the device available to the user desiring to access it.

Similar reasoning applies to capping positive TTLs at ten seconds. In the event of a device moving location, getting a new DHCP address, or other renumbering events, we would like the updated information to be available to remote clients in a relatively timely fashion.

However, network administrators should be aware that many recursive (caching) DNS servers by default are configured to impose a minimum TTL of 30 seconds. If stale data appears to be persisting in the network to the extent that it adversely impacts user experience, network administrators are advised to check the configuration of their recursive DNS servers.
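The ten-second cap of this subsection, applied together with the suppression of off-link-unusable records described in Section 4.5.2 below, as an added example that is not code from the draft or any Hybrid Proxy implementation. The Record class, the function names, the requester-realm parameter and the sample answer set are constructed for this example (the "Camera" instance and its addresses are made up; the rest follows the draft's examples), and it goes slightly beyond the text by also dropping the TXT record of a service instance whose SRV was suppressed.

```python
# Added example, not code from the draft or any Hybrid Proxy implementation:
# post-processing of a synthesized Unicast DNS answer set, applying the
# ten-second TTL cap of Section 4.5.1 and the suppression rules of 4.5.2.
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

TTL_CAP_SECONDS = 10   # Section 4.5.1; also the SOA negative-caching TTL

# RFC 1918 ranges; a "realm" below is the part of them that one site uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Record:
    """Resource record in presentation form; SRV rdata is 'prio weight port target'."""
    name: str
    rtype: str
    ttl: int
    rdata: str


def address_usable(addr_text: str, requester_realm: Optional[str] = None) -> bool:
    """True if a client off the local link could reach this address.

    Link-local addresses (RFC 3927, RFC 4862) are never usable. An RFC 1918
    address is usable only if the requester's realm, when known, contains it.
    """
    addr = ipaddress.ip_address(addr_text)
    if addr.is_link_local:
        return False
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return requester_realm is None or addr in ipaddress.ip_network(requester_realm)
    return True


def suppress_unusable(records: Iterable[Record],
                      requester_realm: Optional[str] = None) -> List[Record]:
    """Section 4.5.2 as a cascade: drop A/AAAA records with unusable addresses,
    then SRV records whose target has no usable address left, then the PTR
    records pointing at those instances (and, beyond the text, their TXT).

    Assumes the input holds every address record the proxy knows for each
    SRV target, as it would when the additional section has been filled in.
    """
    records = list(records)
    usable_hosts = {r.name.lower() for r in records
                    if r.rtype in ("A", "AAAA")
                    and address_usable(r.rdata, requester_realm)}
    instances = {r.name.lower() for r in records if r.rtype == "SRV"}
    live = {r.name.lower() for r in records
            if r.rtype == "SRV" and r.rdata.split()[-1].lower() in usable_hosts}
    dead = instances - live

    kept = []
    for r in records:
        if r.rtype in ("A", "AAAA"):
            keep = address_usable(r.rdata, requester_realm)
        elif r.rtype == "PTR" and not r.name.lower().endswith(".arpa."):
            keep = r.rdata.lower() not in dead      # service-type PTR
        else:
            keep = r.name.lower() not in dead       # SRV, TXT, ...
        if keep:
            kept.append(r)
    return kept


def cap_ttls(records: Iterable[Record], long_lived: bool) -> List[Record]:
    """Section 4.5.1: cap TTLs at ten seconds for ordinary queries. When the
    query carried an LLQ or DNS Push Notification option, leave the Multicast
    DNS TTLs unmodified, since that channel reports changes as they happen."""
    if long_lived:
        return list(records)
    return [replace(r, ttl=min(r.ttl, TTL_CAP_SECONDS)) for r in records]


def synthesize_response(records: Iterable[Record], long_lived: bool = False,
                        requester_realm: Optional[str] = None) -> List[Record]:
    """Suppress first, so only records that will actually be sent are capped."""
    return cap_ttls(suppress_unusable(records, requester_realm), long_lived)


# Constructed sample answer set: one printer with a usable address (plus a
# link-local AAAA) and one instance reachable only via a link-local address.
SAMPLE = [
    Record("_ipp._tcp.Building 1.example.com.", "PTR", 4500,
           "My Printer._ipp._tcp.Building 1.example.com."),
    Record("My Printer._ipp._tcp.Building 1.example.com.", "SRV", 120,
           "0 0 631 prnt.bldg1.example.com."),
    Record("My Printer._ipp._tcp.Building 1.example.com.", "TXT", 4500, "txtvers=1"),
    Record("prnt.bldg1.example.com.", "A", 120, "10.0.1.2"),
    Record("prnt.bldg1.example.com.", "AAAA", 120, "fe80::1"),         # link-local
    Record("_ipp._tcp.Building 1.example.com.", "PTR", 4500,
           "Camera._ipp._tcp.Building 1.example.com."),
    Record("Camera._ipp._tcp.Building 1.example.com.", "SRV", 120,
           "0 0 631 cam.bldg1.example.com."),
    Record("cam.bldg1.example.com.", "A", 120, "169.254.7.7"),        # link-local only
]

if __name__ == "__main__":
    for r in synthesize_response(SAMPLE):
        print(r.ttl, r.name, r.rtype, r.rdata)
```

Passing a requester realm that does not contain 10.0.1.2 (for example "192.168.0.0/16") makes the cascade remove every record in the sample, which is the multi-realm behaviour Section 4.5.2 asks for.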
For received Unicast DNS queries that contain an LLQ or DNS Push Notification option, the Multicast DNS record's TTL SHOULD be returned unmodified, because the Push Notification channel exists to inform the remote client as records come and go. For further details about Long-Lived Queries, and their newer replacement, DNS Push Notifications, see Section 4.6.

4.5.2.  Suppressing Unusable Records

A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that are not useful outside the local link. For example, DNS A and AAAA records for IPv6 link-local addresses [RFC4862] and IPv4 link-local addresses [RFC3927] should be suppressed. Similarly, for sites that have multiple private address realms [RFC1918], private addresses from one private address realm should not be communicated to clients in a different private address realm.

By the same logic, DNS SRV records that reference target host names that have no addresses usable by the requester should be suppressed, and likewise, DNS PTR records that point to unusable SRV records should similarly be suppressed.

4.5.3.  Application-Specific Data Translation

There may be cases where Application-Specific Data Translation is appropriate.

For example, AirPrint printers tend to advertise fairly verbose information about their capabilities in their DNS-SD TXT record. TXT record sizes in the range 500-1000 bytes are not uncommon. This information is a legacy from LPR printing, because LPR does not have in-band capability negotiation, so all of this information is conveyed using the DNS-SD TXT record instead. IPP printing does have in-band capability negotiation, but for convenience printers tend to include the same capability information in their IPP DNS-SD TXT records as well. For local mDNS use this extra TXT record information is inefficient, but not fatal.
However, when a Hybrid Proxy aggregates data from multiple printers on a link, and sends it via unicast (via UDP or TCP), this amount of unnecessary TXT record information can result in large responses. A DNS reply over TCP carrying information about 70 printers with an average of 700 bytes per printer adds up to about 50 kilobytes of data. Therefore, a Hybrid Proxy that is aware of the specifics of an application-layer protocol such as AirPrint (which uses IPP) can elide unnecessary key/value pairs from the DNS-SD TXT record for better network efficiency.

Also, the DNS-SD TXT record for many printers contains an "adminurl" key something like "adminurl=http://printername.local/status.html". For this URL to be useful outside the local link, the embedded dot-local hostname needs to be translated to an appropriate name with larger scope. Dot-local names are easily translated when they appear in well-defined places, either as a record's name, or in the rdata of record types like PTR and SRV. In the printing case, some application-specific knowledge about the semantics of the "adminurl" key is needed for the Hybrid Proxy to know that it contains a name that needs to be translated. This is somewhat analogous to the need for NAT gateways to contain ALGs (Application-Specific Gateways) to facilitate the correct translation of protocols that embed addresses in unexpected places.

As is the case with NAT ALGs, protocol designers are advised to avoid communicating names and addresses in nonstandard locations, because those "hidden" names and addresses are at risk of not being translated when necessary, resulting in operational failures.
In the 600 printing case, the operational failure of failing to translate the 601 "adminurl" key correctly is that, when accessed from a different 602 link, printing will still work, but clicking the "Admin" UI button 603 will fail to open the printer's administration page. Rather than 604 duplicating the host name from the service's SRV record in its 605 "adminurl" key, thereby having the same host name appear in two 606 places, a better design might have been to omit the host name from 607 the "adminurl" key, and instead have the client implicitly substitute 608 the target host name from the service's SRV record in place of a 609 missing host name in the "adminurl" key. That way the desired host 610 name only appears once, and it is in a well-defined place where 611 software like the Hybrid Proxy is expecting to find it. 613 Note that this kind of Application-Specific Data Translation is 614 expected to be very rare. It is the exception, rather than the rule. 615 This is an example of a common theme in computing. It is frequently 616 the case that it is wise to start with a clean, layered design, with 617 clear boundaries. Then, in certain special cases, those layer 618 boundaries may be violated, where the performance and efficiency 619 benefits outweigh the inelegance of the layer violation. 621 These layer violations are optional. They are done primarily for 622 efficiency reasons, and generally should not be required for correct 623 operation. A Hybrid Proxy MAY operate solely at the mDNS layer, 624 without any knowledge of semantics at the DNS-SD layer or above. 626 4.6. Answer Aggregation 628 In a simple analysis, simply gathering multicast answers and 629 forwarding them in a unicast response seems adequate, but it raises 630 the question of how long the Hybrid Proxy should wait to be sure that 631 it has received all the Multicast DNS answers it needs to form a 632 complete Unicast DNS response. 
If it waits too little time, then it 633 risks its Unicast DNS response being incomplete. If it waits too 634 long, then it creates a poor user experience at the client end. In 635 fact, there may be no time which is both short enough to produce a 636 good user experience and at the same time long enough to reliably 637 produce complete results. 639 Similarly, the Hybrid Proxy -- the authoritative name server for the 640 subdomain in question -- needs to decide what DNS TTL to report for 641 these records. If the TTL is too long then the recursive (caching) 642 name servers issuing queries on behalf of their clients risk caching 643 stale data for too long. If the TTL is too short then the amount of 644 network traffic will be more than necessary. In fact, there may be 645 no TTL which is both short enough to avoid undesirable stale data and 646 at the same time long enough to be efficient on the network. 648 Both these dilemmas are solved by use of DNS Long-Lived Queries 649 (DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push 650 Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can 651 support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy 652 that supports both the client may use either protocol, as it chooses, 653 though it is expected that only DNS Push will continue to be 654 supported in the long run.) 656 When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push 657 Notification option, it responds immediately using the Multicast DNS 658 records it already has in its cache (if any). This provides a good 659 client user experience by providing a near-instantaneous response. 660 Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the 661 local link to discover if there are any additional Multicast DNS 662 records it did not already know about. 
Should additional Multicast 663 DNS responses be received, these are then delivered to the client 664 using DNS LLQ or DNS Push Notification update messages. The 665 timeliness of such update messages is limited only by the timeliness 666 of the device responding to the Multicast DNS query. If the 667 Multicast DNS device responds quickly, then the update message is 668 delivered quickly. If the Multicast DNS device responds slowly, then 669 the update message is delivered slowly. The benefit of using update 670 messages is that the Hybrid Proxy can respond promptly because it 671 doesn't have to delay its unicast response to allow for the expected 672 worst-case delay for receiving all the Multicast DNS responses. Even 673 if a proxy were to try to provide reliability by assuming an 674 excessively pessimistic worst-case time (thereby giving a very poor 675 user experience) there would still be the risk of a slow Multicast 676 DNS device taking even longer than that (e.g, a device that is not 677 even powered on until ten seconds after the initial query is 678 received) resulting in incomplete responses. Using update message 679 solves this dilemma: even very late responses are not lost; they are 680 delivered in subsequent update messages. 682 There are two factors that determine specifically how responses are 683 generated: 685 The first factor is whether the query from the client included an LLQ 686 or DNS Push Notification option (typical with long-lived service 687 browsing PTR queries) or not (typical with one-shot operations like 688 SRV or address record queries). Note that queries containing the LLQ 689 or PUSH option are received directly from the client (see 690 Section 4.6.1). Queries containing no LLQ or PUSH option are 691 generally received via the client's configured recursive (caching) 692 name server. 694 The second factor is whether the Hybrid Proxy already has at least 695 one record in its cache that positively answers the question. 
   o  No LLQ or PUSH option; no answer in cache:
      Issue an mDNS query, exactly as a local client would issue an mDNS query on the local link for the desired record name, type and class, including retransmissions, as appropriate, according to the established mDNS retransmission schedule [RFC6762]. As soon as any Multicast DNS response packet is received that contains one or more positive answers to that question (with or without the Cache Flush bit [RFC6762] set), or a negative answer (signified via an NSEC record [RFC6762]), the Hybrid Proxy generates a Unicast DNS response packet containing the corresponding (filtered and translated) answers and sends it to the remote client. If after six seconds no Multicast DNS answers have been received, return a negative response to the remote client.
      DNS TTLs in responses are capped to at most ten seconds.

   o  No LLQ or PUSH option; at least one answer in cache:
      Send response right away to minimise delay.
      DNS TTLs in responses are capped to at most ten seconds.
      No local mDNS queries are performed.
      (Reasoning: Given RRSet TTL harmonisation, if the proxy has one Multicast DNS answer in its cache, it can reasonably assume that it has all of them.)

   o  Query contains LLQ or PUSH option; no answer in cache:
      As in the case above with no answer in the cache, perform mDNS querying for six seconds, and send a response to the remote client as soon as any relevant mDNS response is received.
      If after six seconds no relevant mDNS response has been received, return a negative response to the remote client. (Reasoning: We don't need to rush to send an empty answer.)
      Whether or not a relevant mDNS response is received within six seconds, the query remains active for as long as the client maintains the LLQ or PUSH state, and if mDNS answers are received later, LLQ or PUSH update messages are sent.
      DNS TTLs in responses are returned unmodified.

   o  Query contains LLQ or PUSH option; at least one answer in cache:
      As in the case above with at least one answer in cache, send response right away to minimise delay.
      The query remains active for as long as the client maintains the LLQ or PUSH state, and if additional mDNS answers are received later, LLQ or PUSH update messages are sent.
      (Reasoning: We want UI that is displayed very rapidly, yet continues to remain accurate even as the network environment changes.)
      DNS TTLs in responses are returned unmodified.

Note that the "negative responses" referred to above are "no error no answer" negative responses, not NXDOMAIN. This is because the Hybrid Proxy cannot know all the Multicast DNS domain names that may exist on a link at any given time, so any name with no answers may have child names that do exist, making it an "empty nonterminal" name.

4.6.1. Discovery of LLQ and/or PUSH Notification Service

To issue LLQ or PUSH queries, clients need to communicate directly with the authoritative Hybrid Proxy. The procedure by which the client locates the authoritative Hybrid Proxy is described in the LLQ specification [I-D.sekar-dns-llq] and the DNS Push Notifications specification [I-D.ietf-dnssd-push].

Briefly, the procedure is as follows:

To discover the LLQ service for a given domain name, a client first performs DNS zone apex discovery, and then, having discovered , the client then issues a DNS query for the SRV record with the name _dns-llq._udp. to find the target host and port for the LLQ service for that zone. By default LLQ service runs on UDP port 5352, but since SRV records are used, the LLQ service can be offered on any port.
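The four response styles of Section 4.6 above, with the Section 4.5.2 suppression of unusable records applied to the cache view and the per-link multicast query rate limit that Section 8.3 requires, as an added example that is not the draft's or any implementation's code (the `RR` and `Plan` record shapes, the `MdnsQueryLimiter` token bucket, the example.com names and the sample cache are constructed assumptions):

```python
import ipaddress
from dataclasses import dataclass

TTL_CAP = 10       # seconds; cap for responses to queries without an LLQ/PUSH option
MDNS_WAIT = 6.0    # seconds of mDNS querying before a "no error, no answer" response


@dataclass(frozen=True)
class RR:
    name: str    # owner name, already translated out of .local (constructed shape)
    rtype: str   # "A", "AAAA", "SRV" or "PTR"
    rdata: str   # address, SRV target host, or PTR target name
    ttl: int


def address_usable(addr: str) -> bool:
    """Section 4.5.2: link-local addresses are never useful off-link.
    (Private-realm checks are omitted: this toy proxy serves a single realm.)"""
    return not ipaddress.ip_address(addr).is_link_local


def suppress_unusable(cache):
    """Section 4.5.2 cascade: drop link-local A/AAAA, then SRV records whose
    target has no usable address left, then PTR records naming such SRVs."""
    kept = [r for r in cache if r.rtype not in ("A", "AAAA") or address_usable(r.rdata)]
    usable_hosts = {r.name for r in kept if r.rtype in ("A", "AAAA")}
    kept = [r for r in kept if r.rtype != "SRV" or r.rdata in usable_hosts]
    usable_srvs = {r.name for r in kept if r.rtype == "SRV"}
    return [r for r in kept if r.rtype != "PTR" or r.rdata in usable_srvs]


@dataclass
class Plan:
    answers: list          # records for the immediate unicast response
    issue_mdns: bool       # send an mDNS query on the local link now
    negative_after: float  # seconds before a negative answer; 0.0 = answer now
    keep_active: bool      # LLQ/PUSH state stays open for later update messages


def plan_response(cache, qname, qtype, has_llq_or_push):
    """Section 4.6: choose one of the four response styles, keyed on whether the
    query carried an LLQ/PUSH option and whether the usable cache answers it."""
    hits = [r for r in suppress_unusable(cache)
            if r.name.lower() == qname.lower() and r.rtype == qtype]
    if not has_llq_or_push:  # mDNS TTLs are capped for ordinary (non-LLQ/PUSH) queries
        hits = [RR(r.name, r.rtype, r.rdata, min(r.ttl, TTL_CAP)) for r in hits]
    if hits:
        # Answer at once; with LLQ/PUSH also re-query the link for late responders.
        return Plan(hits, issue_mdns=has_llq_or_push, negative_after=0.0,
                    keep_active=has_llq_or_push)
    # Nothing usable cached: query the link, answer on the first relevant mDNS
    # response, and fall back to "no error, no answer" (not NXDOMAIN) after MDNS_WAIT.
    return Plan([], issue_mdns=True, negative_after=MDNS_WAIT, keep_active=has_llq_or_push)


class MdnsQueryLimiter:
    """Section 8.3: per-link token bucket so a flood of unique unicast queries
    cannot become an unbounded stream of multicast queries (20/s on Wi-Fi)."""

    def __init__(self, per_second=20, now=0.0):
        self.rate = float(per_second)
        self.tokens = float(per_second)  # permits a burst of at most one second's worth
        self.last = now

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False                 # defer or drop this mDNS query
        self.tokens -= 1.0
        return True


# Constructed sample cache: a printer with a routable IPv4 and a link-local IPv6
# address, and a second printer reachable only via a link-local IPv6 address.
CACHE = [
    RR("_ipp._tcp.example.com.", "PTR", "Printer._ipp._tcp.example.com.", 4500),
    RR("Printer._ipp._tcp.example.com.", "SRV", "printer.example.com.", 120),
    RR("printer.example.com.", "A", "203.0.113.7", 120),
    RR("printer.example.com.", "AAAA", "fe80::1", 120),
    RR("_ipp._tcp.example.com.", "PTR", "Lobby._ipp._tcp.example.com.", 4500),
    RR("Lobby._ipp._tcp.example.com.", "SRV", "lobby.example.com.", 120),
    RR("lobby.example.com.", "AAAA", "fe80::2", 120),
]
```

A cached record that is suppressed for this requester is treated as no answer, so the proxy still queries the link rather than returning nothing from a stale cache view.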
To discover the DNS Push Notification service for a given domain name, a client first performs DNS zone apex discovery, and then, having discovered , the client then issues a DNS query for the SRV record with the name _dns-push-tls._tcp. to find the target host and port for the DNS Push Notification service for that zone. By default DNS Push Notification service runs on TCP port 5352, but since SRV records are used, the DNS Push Notification service can be offered on any port.

A client performs DNS zone apex discovery using the procedure below:

   1. The client issues a DNS query for the SOA record with the given domain name.

   2. A conformant recursive (caching) name server will either send a positive response, or a negative response containing the SOA record of the zone apex in the Authority Section.

   3. If the name server sends a negative response that does not contain the SOA record of the zone apex, the client trims the first label off the given domain name and returns to step 1 to try again.

By this method, the client iterates until it learns the name of the zone apex, or (in pathological failure cases) reaches the root and gives up.

Normal DNS caching is used to avoid repetitive queries on the wire.

5. DNS SOA (Start of Authority) Record

The MNAME field SHOULD contain the host name of the Hybrid Proxy device (i.e., the same domain name as the rdata of the NS record delegating the relevant zone(s) to this Hybrid Proxy device).

The RNAME field SHOULD contain the mailbox of the person responsible for administering this Hybrid Proxy device.

The SERIAL field SHOULD contain a sequence number that increments each time the Hybrid Proxy returns an SOA record to any client. [Author's note: Or maybe it could just be zero?]
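The zone apex discovery procedure of Section 4.6.1 above, followed by the SRV lookup that locates the DNS Push Notification service, as an added example that is not part of the draft (the `FakeResolver` stand-in for a recursive name server, its `conformant` switch, and the example.com zone and SRV data are constructed assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, absolute name ending in '.'."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


class FakeResolver:
    """Constructed stand-in for the client's recursive name server. It serves a
    fixed set of zones and SRV records held in memory; 'conformant' controls
    whether a negative SOA answer carries the enclosing zone's SOA (step 2)."""

    def __init__(self, zones, srv_records, conformant=True):
        self.zones = {_fqdn(z) for z in zones}
        self.srv = {_fqdn(k): v for k, v in srv_records.items()}
        self.conformant = conformant
        self.soa_queries = []   # names asked for, to show how many round trips occur

    def _enclosing_zone(self, name):
        labels = name.split(".")
        for i in range(1, len(labels)):          # longest matching suffix first
            parent = ".".join(labels[i:])
            if parent in self.zones:
                return parent
        return None

    def query_soa(self, name):
        """Returns (owner of a positive SOA answer, owner of an Authority-section
        SOA); either or both may be None."""
        name = _fqdn(name)
        self.soa_queries.append(name)
        if name in self.zones:
            return name, None
        return None, (self._enclosing_zone(name) if self.conformant else None)

    def query_srv(self, name):
        return self.srv.get(_fqdn(name))


def discover_zone_apex(resolver, name):
    """Section 4.6.1 zone apex discovery: ask for the SOA, accept either a positive
    answer or an Authority-section SOA, otherwise trim one label and retry."""
    name = _fqdn(name)
    while name != ".":
        positive, authority = resolver.query_soa(name)
        if positive is not None:
            return positive
        if authority is not None:
            return authority
        name = name.split(".", 1)[1] or "."      # step 3: drop the first label
    return None                                  # reached the root: give up


def find_push_service(resolver, name):
    """Locate the DNS Push Notification server for the zone containing 'name'
    via the _dns-push-tls._tcp SRV record at the discovered apex."""
    zone = discover_zone_apex(resolver, name)
    if zone is None:
        return None
    return resolver.query_srv("_dns-push-tls._tcp." + zone)


# Constructed sample data: the Hybrid Proxy is authoritative for
# bldg1.example.com and offers DNS Push on the default TCP port 5352.
ZONES = ["example.com.", "bldg1.example.com."]
SRV_RECORDS = {"_dns-push-tls._tcp.bldg1.example.com.":
               SRV(0, 0, 5352, "proxy.bldg1.example.com.")}
```

Against a conformant server the apex is learned in one round trip; against one that omits the Authority-section SOA the client falls back to label trimming and needs one query per trimmed label.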
Since zone transfers are undefined for Hybrid Proxy zones, the REFRESH, RETRY and EXPIRE fields have no useful meaning for Hybrid Proxy zones. These fields SHOULD contain reasonable default values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE 86400.

The MINIMUM field (used to control the lifetime of negative cache entries) SHOULD contain the value 10. The value of ten seconds is chosen based on user experience considerations (see Section 4.5.1).

[Author's note: Discussion of these recommendations is requested.]

6. Implementation Status

Some aspects of the mechanism specified in this document already exist in deployed software. Some aspects are new. This section outlines which aspects already exist and which are new.

6.1. Already Implemented and Deployed

Domain enumeration by the client (the "b._dns-sd._udp" queries) is already implemented and deployed.

Unicast queries to the indicated discovery domain are already implemented and deployed.

These are implemented and deployed in Mac OS X 10.4 and later (including all versions of Apple iOS, on all iPhones and iPads), in Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) and later.

Domain enumeration and unicast querying have been used for several years at IETF meetings to make Terminal Room printers discoverable from outside the Terminal room. When you press Cmd-P on your Mac, or select AirPrint on your iPad or iPhone, and the Terminal room printers appear, that is because your client is sending unicast DNS queries to the IETF DNS servers.

6.2. Already Implemented

A minimal portable Hybrid Proxy implementation has been produced by Markus Stenberg and Steven Barth, which runs on OS X and several Linux variants including OpenWrt [ohp]. It was demonstrated at the Berlin IETF in July 2013.

Tom Pusateri also has an implementation that runs on any Unix/Linux. It has a RESTful interface for management and an experimental demo CLI and web interface.

6.3. Partially Implemented

The current APIs make multiple domains visible to client software, but most client UI today lumps all discovered services into a single flat list. This is largely a chicken-and-egg problem. Application writers were naturally reluctant to spend time writing domain-aware UI code when few customers today would benefit from it. If Hybrid Proxy deployment becomes common, then application writers will have a reason to provide better UI. Existing applications will work with the Hybrid Proxy, but will show all services in a single flat list. Applications with improved UI will group services by domain.

The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in this specification exists and is deployed, but has not been standardized by the IETF. The IETF is considering standardizing a superior Long-Lived Query mechanism called DNS Push Notifications [I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach is for vendors to produce Hybrid Proxies that implement both the deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's clients) and the new DNS Push Notifications mechanism [I-D.ietf-dnssd-push] as the preferred long-term direction.

The translating/filtering Hybrid Proxy specified in this document is itself only partially implemented: implementations are under development, and operational experience with these implementations has guided updates to this document.

6.4. Not Yet Implemented

Client implementations of the new DNS Push Notifications mechanism [I-D.ietf-dnssd-push] are currently underway.

A mechanism to 'stitch' together multiple ".local." zones so that they appear as one is not yet implemented. Such a mechanism will be specified in a future companion document.

7. IPv6 Considerations

An IPv6-only host and an IPv4-only host behave as "ships that pass in the night". Even if they are on the same Ethernet, neither is aware of the other's traffic. For this reason, each physical link may have *two* unrelated ".local." zones, one for IPv6 and one for IPv4. Since for practical purposes, a group of IPv6-only hosts and a group of IPv4-only hosts on the same Ethernet act as if they were on two entirely separate Ethernet segments, it is unsurprising that their use of the ".local." zone should occur exactly as it would if they really were on two entirely separate Ethernet segments.

It will be desirable to have a mechanism to 'stitch' together these two unrelated ".local." zones so that they appear as one. Such a mechanism will need to be able to differentiate between a dual-stack (v4/v6) host participating in both ".local." zones, and two different hosts, one IPv6-only and the other IPv4-only, which are both trying to use the same name(s). Such a mechanism will be specified in a future companion document.

8. Security Considerations

8.1. Authenticity

A service proves its presence on a link by its ability to answer link-local multicast queries on that link. If greater security is desired, then the Hybrid Proxy mechanism should not be used, and something with stronger security should be used instead, such as authenticated secure DNS Update [RFC2136] [RFC3007].

8.2. Privacy

The Domain Name System is, generally speaking, a global public database. Records that exist in the Domain Name System name hierarchy can be queried by name from, in principle, anywhere in the world. If services on a mobile device (like a laptop computer) are made visible via the Hybrid Proxy mechanism, then when those services become visible in a domain such as "My House.example.com" that might indicate to (potentially hostile) observers that the mobile device is in my house. When those services disappear from "My House.example.com" that change could be used by observers to infer when the mobile device (and possibly its owner) may have left the house. The privacy of this information may be protected using techniques like firewalls and split-view DNS, as are customarily used today to protect the privacy of corporate DNS information.

8.3. Denial of Service

A remote attacker could use a rapid series of unique Unicast DNS queries to induce a Hybrid Proxy to generate a rapid series of corresponding Multicast DNS queries on one or more of its local links. Multicast traffic is expensive -- especially on Wi-Fi links -- which makes this attack particularly serious. To limit the damage that can be caused by such attacks, a Hybrid Proxy (or the underlying Multicast DNS subsystem which it utilizes) MUST implement Multicast DNS query rate limiting appropriate to the link technology in question. For Wi-Fi links the Multicast DNS subsystem SHOULD NOT issue more than 20 Multicast DNS query packets per second. On other link technologies like Gigabit Ethernet higher limits may be appropriate.

9. Intellectual Property Rights

Apple has submitted an IPR disclosure concerning the technique proposed in this document. Details are available on the IETF IPR disclosure page [IPR2119].

10. IANA Considerations

This document has no IANA Considerations.

11. Acknowledgments

Thanks to Markus Stenberg for helping develop the policy regarding the four styles of unicast response according to what data is immediately available in the cache.
Thanks to Anders Brandt and Andrew Yourtchenko for their comments. [Partial list; more names to be added.]

12. References

12.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987.

[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998.

[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration of IPv4 Link-Local Addresses", RFC 3927, DOI 10.17487/RFC3927, May 2005.

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862, September 2007.

[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, December 2012.

[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, December 2012.

[I-D.ietf-dnssd-push] Pusateri, T. and S. Cheshire, "DNS Push Notifications", draft-ietf-dnssd-push-03 (work in progress), November 2015.

12.2. Informative References

[HOME] Cheshire, S., "Special Use Top Level Domain 'home'", draft-cheshire-homenet-dot-home (work in progress), November 2015.

[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid Unicast/Multicast DNS-Based Service Discovery".

[ohp] "Hybrid Proxy implementation for OpenWrt".

[I-D.sekar-dns-llq] Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-llq-01 (work in progress), August 2006.

[I-D.ietf-homenet-hncp] Stenberg, M., Barth, S., and P. Pfister, "Home Networking Control Protocol", draft-ietf-homenet-hncp-09 (work in progress), August 2015.

[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)", RFC 6760, December 2012.

[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration Networking: The Definitive Guide", O'Reilly Media, Inc., ISBN 0-596-10100-7, December 2005.

Author's Address

Stuart Cheshire
Apple Inc.
1 Infinite Loop
Cupertino, California 95014
USA

Phone: +1 408 974 3207
Email: cheshire@apple.com