Internet Engineering Task Force                               S. Cheshire
Internet-Draft                                                 Apple Inc.
Intended status: Standards Track                         October 31, 2016
Expires: May 4, 2017

Hybrid Unicast/Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-04

Abstract

Performing DNS-Based Service Discovery using purely link-local Multicast DNS enables discovery of services that are on the local link, but not (without some kind of proxy or similar special support) discovery of services that are outside the local link. Using a very large local link with thousands of hosts facilitates service discovery, but at the cost of large amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require excessively large multicast domains, but requires that the relevant data be available in the Unicast DNS namespace. This can be achieved by manual DNS configuration (as has been done for many years at IETF meetings to advertise the IETF Terminal Room printer) but this is labor intensive, error prone, and requires a reasonable degree of DNS expertise. The Unicast DNS namespace can be populated with the required data automatically by the devices themselves, but that requires configuration of DNS Update keys on the devices offering the services, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence, to facilitate efficient and reliable DNS-Based Service Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 4, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Conventions and Terminology Used in this Document
3. Compatibility Considerations
4. Hybrid Proxy Operation
   4.1. Delegated Subdomain for Service Discovery Records
   4.2. Domain Enumeration
      4.2.1. Domain Enumeration via Unicast Queries
      4.2.2. Domain Enumeration via Multicast Queries
   4.3. Delegated Subdomain for LDH Host Names
   4.4. Delegated Subdomain for Reverse Mapping
   4.5. Data Translation
      4.5.1. DNS TTL limiting
      4.5.2. Suppressing Unusable Records
      4.5.3. Text Encoding Translation
      4.5.4. Application-Specific Data Translation
   4.6. Answer Aggregation
5. DNS SOA (Start of Authority) Record
6. DNSSEC Issues
   6.1. On-line signing only
   6.2. NSEC and NSEC3 Records
7. Implementation Status
   7.1. Already Implemented and Deployed
   7.2. Already Implemented
   7.3. Partially Implemented
   7.4. Not Yet Implemented
8. IPv6 Considerations
9. Security Considerations
   9.1. Authenticity
   9.2. Privacy
   9.3. Denial of Service
10. Intellectual Property Rights
11. IANA Considerations
12. Acknowledgments
13. References
   13.1. Normative References
   13.2. Informative References
Author's Address

1. Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC].

For a small network consisting of just a single link (or several physical links bridged together to appear as a single logical link to IP) Multicast DNS [RFC6762] is sufficient for client devices to look up the dot-local host names of peers on the same home network, and perform DNS-Based Service Discovery (DNS-SD) [RFC6763] of services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, do not cross between links. (This was a deliberate design choice for Multicast DNS, since even on a single link multicast traffic is expensive, especially on Wi-Fi links, and multiplying the amount of multicast traffic by flooding it across multiple links would make that problem even worse.) In this environment, Unicast DNS would be preferable to Multicast DNS. (Unicast DNS can be used either with a traditionally assigned globally unique domain name, or with a private local unicast domain name such as ".home" [HOME].)

To use Unicast DNS, the names of hosts and services need to be made available in the Unicast DNS namespace. In the DNS-SD specification [RFC6763] Section 10 ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

This document specifies a type of proxy called a Hybrid Proxy that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

In simple terms, a descriptive DNS name is chosen for each physical link in an organization. Using a DNS NS record, responsibility for that DNS name is delegated to a Hybrid Proxy physically attached to that link. Now, when a remote client issues a unicast query for a name falling within the delegated subdomain, the normal DNS delegation mechanism results in the unicast query arriving at the Hybrid Proxy, since it has been declared authoritative for those names. Now, instead of consulting a textual zone file on disk to discover the answer to the query, as a traditional DNS server would, a Hybrid Proxy consults its local link, using Multicast DNS, to find the answer to the question.

Note that the Hybrid Proxy uses a "pull" model. The local link is not queried using Multicast DNS until a remote client has requested that data. In the idle state, in the absence of client requests, the Hybrid Proxy sends no packets and imposes no burden on the network. It operates purely "on demand".

An alternative proposal has been a proxy that performs DNS updates to a remote DNS server on behalf of the Multicast DNS devices on the local network. The difficulty of this is that the proxy would have to be issuing all possible Multicast DNS queries all the time, to discover all the answers it needed to push up to the remote DNS server using DNS Update. It would thus generate very high load on the network continuously, even when there were no clients with any interest in that data.

Hence, having a model where the query comes to the Hybrid Proxy is much more efficient than a model where the Hybrid Proxy pushes the answers out to some other remote DNS server.

A client can send queries to the Hybrid Proxy in the form of traditional DNS queries, or by making a DNS Push Notification subscription [I-D.ietf-dnssd-push].

2. Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

The Hybrid Proxy builds on Multicast DNS, which works between hosts on the same link. A set of hosts is considered to be "on the same link" if:

o when any host A from that set sends a packet to any other host B in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

o a broadcast sent over that link by any host from that set of hosts can be received by every other host in that set

The link-layer *header* may be modified, such as in Token Ring Source Routing [802.5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

3. Compatibility Considerations

No changes to existing devices are required to work with a Hybrid Proxy.

Existing devices that advertise services using Multicast DNS work with Hybrid Proxy.
Existing clients that support DNS-Based Service Discovery over Unicast DNS (Mac OS X 10.4 and later, including iPhone, iPad, and Bonjour for Windows) work with Hybrid Proxy.

4. Hybrid Proxy Operation

In a typical configuration, a Hybrid Proxy is configured to be authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authority for these subdomains is delegated to it via NS records:

A DNS subdomain for service discovery records.
   This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

A DNS subdomain for host name records.
   This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

A DNS subdomain for IPv6 Reverse Mapping records.
   This subdomain name will be a name that ends in "ip6.arpa."

A DNS subdomain for IPv4 Reverse Mapping records.
   This subdomain name will be a name that ends in "in-addr.arpa."

In an enterprise network the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a home network naming and delegation would typically be performed using some automatic configuration mechanism such as HNCP [I-D.ietf-homenet-hncp].

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below.

4.1. Delegated Subdomain for Service Discovery Records

In its simplest form, each physical link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.

   +---------------+--------------+-------------+-------------------+
   | *example.com* | Building 1   | 1st Floor   | Alice's printer   |
   |               | Building 2   | *2nd Floor* | Bob's printer     |
   |               | *Building 3* | 3rd Floor   | Charlie's printer |
   |               | Building 4   | 4th Floor   |                   |
   |               | Building 5   |             |                   |
   |               | Building 6   |             |                   |
   +---------------+--------------+-------------+-------------------+

                      Figure 1: Illustrative GUI

Each named link in an organization has a Hybrid Proxy which serves it. This Hybrid Proxy function could be performed by a router on that link, or, with appropriate VLAN configuration, a single Hybrid Proxy could have a logical presence on, and serve as the Hybrid Proxy for, many links. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the Hybrid Proxy that serves the named link. In other words, the Hybrid Proxy is the authoritative name server for that subdomain.

When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Hybrid Proxy on the link in question. Like a conventional Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Hybrid Proxy generates answers using Multicast DNS. A Hybrid Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Unicast DNS response.

Naturally, the existing Multicast DNS caching mechanism is used to avoid issuing unnecessary Multicast DNS queries on the wire. The Hybrid Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

4.2. Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries. It issues unicast Domain Enumeration queries using its "home" domain (typically learned via DHCP) and using its IPv6 prefix and IPv4 subnet address. These are described below in Section 4.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 4.2.2. The results of all Domain Enumeration queries are combined for Service Discovery purposes.

4.2.1. Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains, e.g.:

   b._dns-sd._udp.example.com.  PTR Building 1.example.com.
                                PTR Building 2.example.com.
                                PTR Building 3.example.com.
                                PTR Building 4.example.com.

   db._dns-sd._udp.example.com. PTR Building 1.example.com.

   lb._dns-sd._udp.example.com. PTR Building 1.example.com.

The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from and the "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, as of 2015). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65263 bytes for the Answer Section.

An Answer Section Resource Record consists of:
o Owner name, encoded as a two-byte compression pointer
o Two-byte rrtype (type PTR)
o Two-byte rrclass (class IN)
o Four-byte ttl
o Two-byte rdlength
o rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.

In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.
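The sizing argument above can be checked by assembling the actual response. The following Python is an added example, not code from this draft or from any Hybrid Proxy implementation: it computes the worst-case record count for a given question-name and rdata-name length, and builds a wire-format Domain Enumeration response in which every PTR owner is a two-byte compression pointer back to the question name, refusing to exceed 65535 bytes. The question name, domain names and the message ID are constructed for the example. Note that RFC 1035 caps a wire-format name at 255 bytes, so the legal worst case is 244 records; the 256-byte figure used above is a slightly generous upper bound.

```python
import struct

MAX_MSG = 65535          # largest DNS message (two-byte length prefix over TCP)
HEADER = 12              # fixed DNS header
FIXED_RR = 2 + 2 + 2 + 4 + 2   # compression pointer + type + class + ttl + rdlength


def max_ptr_records(qname_len, rdata_len):
    """Worst-case number of PTR records that fit in one response when each
    owner name is a compression pointer and each rdata name is rdata_len bytes."""
    answer_room = MAX_MSG - HEADER - qname_len - 2 - 2   # minus qtype and qclass
    return answer_room // (FIXED_RR + rdata_len)


def wire_name(labels):
    """Uncompressed wire form of a name given as a tuple of labels.
    RFC 1035 limits a label to 63 bytes and a whole name to 255 bytes."""
    parts = [label.encode("utf-8") for label in labels]
    if any(not 1 <= len(p) <= 63 for p in parts):
        raise ValueError("labels must be 1..63 bytes")
    out = b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"
    if len(out) > 255:
        raise ValueError("name exceeds 255 bytes")
    return out


def build_enumeration_response(qname_labels, domains, ttl=10):
    """Response to "<qname> PTR IN": QR and AA set, one question, and one PTR
    record per domain whose owner is a pointer (0xC00C) to the question name,
    which always starts at offset 12, right after the header."""
    qname = wire_name(qname_labels)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(domains), 0, 0)  # ID (constructed), flags, counts
    msg += qname + struct.pack("!HH", 12, 1)                              # QTYPE=PTR, QCLASS=IN
    for domain in domains:
        rdata = wire_name(domain)
        msg += struct.pack("!HHHIH", 0xC00C, 12, 1, ttl, len(rdata)) + rdata
    if len(msg) > MAX_MSG:
        raise ValueError("response of %d bytes exceeds %d" % (len(msg), MAX_MSG))
    return msg


# A 255-byte name: three 63-byte labels plus one 61-byte label (constructed).
LARGEST_NAME = ("a" * 63, "b" * 63, "c" * 63, "d" * 61)
```

A browse-domain response with 245 maximum-length names and a 28-byte question name ("b._dns-sd._udp.example.com.") still fits; a 246th pushes the message past 65535 bytes and `build_enumeration_response` refuses to build it.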
4.2.2. Domain Enumeration via Multicast Queries

Since a Hybrid Proxy exists on many, if not all, the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients.

A Hybrid Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

   b._dns-sd._udp.local.  PTR ?
   db._dns-sd._udp.local. PTR ?
   lb._dns-sd._udp.local. PTR ?

This provides the ability for Hybrid Proxies to provide configuration data on a per-link granularity to DNS-SD clients. In some enterprises it may be preferable to provide this per-link configuration data in the form of Hybrid Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

4.3. Delegated Subdomain for LDH Host Names

The traditional rules for host names are more restrictive than those for DNS-SD service instance names and domains.

Users typically interact with DNS-SD by viewing a list of discovered service instance names on the display and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking. To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and click on the thing they want.

In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens, with no spaces or other punctuation.

While we still want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is less desirable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Hybrid Proxy SHOULD support having separate subdomains delegated to it, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records).

For example, a Hybrid Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Hybrid Proxy would then translate these two Multicast DNS records:

   My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
   prnt.local. A 10.0.1.2

into Unicast DNS records as follows:

   My Printer._ipp._tcp.Building 1.example.com.
       SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com. A 10.0.1.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

A Hybrid Proxy MAY support only a single rich text Net-Unicode domain, and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments. Whether this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.

A Hybrid Proxy MUST NOT be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.

4.4. Delegated Subdomain for Reverse Mapping

A Hybrid Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.

To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Hybrid Proxy. In other words, the Hybrid Proxy becomes the authoritative name server for the reverse mapping domain.

For example, if a given link is using the IPv6 prefix 2001:db8::/32, then the domain "8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid Proxy for that link.

If a given link is using the IPv4 subnet 10.1/16, then the domain "1.10.in-addr.arpa" is delegated to the Hybrid Proxy for that link.

When a reverse mapping query arrives at the Hybrid Proxy, it issues the identical query on its local link as a Multicast DNS query. (In the Apple "/usr/include/dns_sd.h" APIs, passing the kDNSServiceFlagsForceMulticast flag indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS.) When the host owning that IPv6 or IPv4 address responds with a name of the form "something.local", the Hybrid Proxy rewrites that to use its configured LDH host name domain instead of "local" and returns the response to the caller.

For example, a Hybrid Proxy with the two subdomains "1.10.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

   3.2.1.10.in-addr.arpa. PTR prnt.local.

into this Unicast DNS response:

   3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com.
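The translations in Sections 4.1, 4.3 and 4.4 above all amount to swapping the trailing labels of a name, with the replacement chosen by whether the name denotes a host or a service. The following Python module is an added example that is not code from this draft or from any Hybrid Proxy implementation. Names are handled as tuples of labels so that a rich-text label such as "Building 1" is never confused with a dot-separated name; the `Delegation` class, the `(owner, rrtype, rdata)` record shape and the explicit list of reverse-mapping zones are assumptions made for the example.

```python
from dataclasses import dataclass

LOCAL = ("local",)


@dataclass(frozen=True)
class Delegation:
    """The subdomains delegated to one Hybrid Proxy (assumed configuration
    shape); every name is a tuple of labels."""
    rich: tuple          # service discovery records, e.g. ("Building 1", "example", "com")
    ldh: tuple           # host names, e.g. ("bldg1", "example", "com")
    reverse: tuple = ()  # reverse-mapping zones, e.g. (("1", "10", "in-addr", "arpa"),)


def parse(text):
    """Labels of a presentation-format name. None of the names in this
    document contain a dot inside a label, so a plain split suffices."""
    return tuple(label for label in text.split(".") if label)


def present(name):
    return ".".join(name) + "."


def ends_with(name, suffix):
    return 0 < len(suffix) <= len(name) and name[-len(suffix):] == suffix


def unicast_to_mdns(qname, d):
    """Section 4.1 / 4.3: a query inside the rich or LDH subdomain is asked on
    the link with that subdomain replaced by "local". Section 4.4: a
    reverse-mapping query is issued on the link unchanged."""
    for suffix in (d.rich, d.ldh):
        if ends_with(qname, suffix):
            return qname[:-len(suffix)] + LOCAL
    if any(ends_with(qname, zone) for zone in d.reverse):
        return qname
    raise ValueError("%s is not within a delegated subdomain" % present(qname))


def _rename(name, suffix):
    """Replace a trailing "local" with the given unicast subdomain."""
    return name[:-1] + suffix if ends_with(name, LOCAL) else name


def mdns_to_unicast(rr, d):
    """Translate one (owner, rrtype, rdata) record learnt via Multicast DNS.
    Host names (A/AAAA owners, SRV targets, reverse-mapping PTR targets) move
    into the LDH subdomain; service types, instance names and the PTR targets
    of service types move into the rich-text subdomain."""
    owner, rtype, rdata = rr
    if rtype in ("A", "AAAA"):
        return (_rename(owner, d.ldh), rtype, rdata)
    if rtype == "SRV":
        priority, weight, port, target = rdata
        return (_rename(owner, d.rich), rtype, (priority, weight, port, _rename(target, d.ldh)))
    if rtype == "PTR" and any(ends_with(owner, zone) for zone in d.reverse):
        return (owner, rtype, _rename(rdata, d.ldh))          # reverse mapping names a host
    if rtype == "PTR":
        return (_rename(owner, d.rich), rtype, _rename(rdata, d.rich))  # service type -> instance
    return (_rename(owner, d.rich), rtype, rdata)             # TXT and other service records
```

A proxy that uses a single rich-text domain for everything (the MAY in Section 4.3) is simply the configuration with `rich == ldh`. A query that falls outside every delegated subdomain raises, which is the right behaviour for an authoritative server that should never be asked such a name.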
500 Subsequent queries for the prnt.bldg1.example.com address record, 501 falling as it does within the bldg1.example.com domain, which is 502 delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where 503 they are answered by issuing Multicast DNS queries and using the 504 received Multicast DNS answers to synthesize Unicast DNS responses, 505 as described above. 507 4.5. Data Translation 509 Generating the appropriate Multicast DNS queries involves, at the 510 very least, translating from the configured DNS domain 511 (e.g., "Building 1.example.com") on the Unicast DNS side to "local" 512 on the Multicast DNS side. 514 Generating the appropriate Unicast DNS responses involves translating 515 back from "local" to the configured DNS Unicast domain. 517 Other beneficial translation and filtering operations are described 518 below. 520 4.5.1. DNS TTL limiting 522 For efficiency, Multicast DNS typically uses moderately high DNS TTL 523 values. For example, the typical TTL on DNS-SD PTR records is 75 524 minutes. What makes these moderately high TTLs acceptable is the 525 cache coherency mechanisms built in to the Multicast DNS protocol 526 which protect against stale data persisting for too long. When a 527 service shuts down gracefully, it sends goodbye packets to remove its 528 PTR records immediately from neighbouring caches. If a service shuts 529 down abruptly without sending goodbye packets, the Passive 530 Observation Of Failures (POOF) mechanism described in Section 10.5 of 531 the Multicast DNS specification [RFC6762] comes into play to purge 532 the cache of stale data. 534 A traditional Unicast DNS client on a remote link does not get to 535 participate in these Multicast DNS cache coherency mechanisms on the 536 local link. 
For traditional Unicast DNS queries (those received 537 without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push 538 Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in 539 the resulting Unicast DNS response SHOULD be capped to be no more 540 than ten seconds. 542 Similarly, for negative responses, the negative caching TTL indicated 543 in the SOA record [RFC2308] should also be ten seconds (Section 5). 545 This value of ten seconds is chosen based on user experience 546 considerations. 548 For negative caching, suppose a user is attempting to access a remote 549 device (e.g., a printer), and they are unsuccessful because that 550 device is powered off. Suppose they then place a telephone call and 551 ask for the device to be powered on. We want the device to become 552 available to the user within a reasonable time period. It is 553 reasonble to expect it to take on the order of ten seconds for a 554 simple device with a simple embedded operating system to power on. 556 Once the device is powered on and has announced its presence on the 557 network via Multicast DNS, we would like it to take no more than a 558 further ten seconds for stale negative cache entries to expire from 559 Unicast DNS caches, making the device available to the user desiring 560 to access it. 562 Similar reasoning applies to capping positive TTLs at ten seconds. 563 In the event of a device moving location, getting a new DHCP address, 564 or other renumbering events, we would like the updated information to 565 be available to remote clients in a relatively timely fashion. 567 However, network administrators should be aware that many recursive 568 (caching) DNS servers by default are configured to impose a minimum 569 TTL of 30 seconds. If stale data appears to be persisting in the 570 network to the extent that it adversely impacts user experience, 571 network administrators are advised to check the configuration of 572 their recursive DNS servers. 
574 For received Unicast DNS queries that contain an LLQ or DNS Push 575 Notification option, the Multicast DNS record's TTL SHOULD be 576 returned unmodified, because the Push Notification channel exists to 577 inform the remote client as records come and go. For further details 578 about Long-Lived Queries, and its newer replacement, DNS Push 579 Notifications, see Section 4.6. 581 4.5.2. Suppressing Unusable Records 583 A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that 584 are not useful outside the local link. For example, DNS A and AAAA 585 records for IPv6 link-local addresses [RFC4862] and IPv4 link-local 586 addresses [RFC3927] should be suppressed. Similarly, for sites that 587 have multiple private address realms [RFC1918], private addresses 588 from one private address realm SHOULD NOT be communicated to clients 589 in a different private address realm. 591 By the same logic, DNS SRV records that reference target host names 592 that have no addresses usable by the requester should be suppressed, 593 and likewise, DNS PTR records that point to unusable SRV records 594 should be similarly be suppressed. 596 4.5.3. Text Encoding Translation 598 A Hybrid Proxy does no translation between text encodings. 599 Specifically, a Hybrid Proxy does no translation between Punycode and 600 UTF-8, either in the owner name of DNS records, or anywhere in the 601 RDATA of DNS records (such as the RDATA of PTR records, SRV records, 602 NS records, or other record types like TXT, where it is ambiguous 603 whether the RDATA may contain DNS names). All bytes are treated 604 as-is, with no attempt at text encoding translation. A client 605 implementing DNS-based Service Discovery [RFC6763] will use UTF-8 606 encoding for its service discovery queries, which the Hybrid Proxy 607 passes through without any text encoding translation to the Multicast 608 DNS subsystem. 
Responses from the Multicast DNS subsystem are similarly returned,
without any text encoding translation, back to the requesting client.

4.5.4. Application-Specific Data Translation

There may be cases where Application-Specific Data Translation is
appropriate.

For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. TXT
record sizes in the range 500-1000 bytes are not uncommon. This
information is a legacy from LPR printing, because LPR does not have
in-band capability negotiation, so all of this information is conveyed
using the DNS-SD TXT record instead. IPP printing does have in-band
capability negotiation, but for convenience printers tend to include
the same capability information in their IPP DNS-SD TXT records as
well. For local mDNS use this extra TXT record information is
inefficient, but not fatal. However, when a Hybrid Proxy aggregates
data from multiple printers on a link, and sends it via unicast (via
UDP or TCP) this amount of unnecessary TXT record information can
result in large responses. A DNS reply over TCP carrying information
about 70 printers with an average of 700 bytes per printer adds up to
about 50 kilobytes of data. Therefore, a Hybrid Proxy that is aware of
the specifics of an application-layer protocol such as AirPrint (which
uses IPP) can elide unnecessary key/value pairs from the DNS-SD TXT
record for better network efficiency.

Also, the DNS-SD TXT record for many printers contains an "adminurl"
key something like "adminurl=http://printername.local/status.html".
For this URL to be useful outside the local link, the embedded
dot-local hostname needs to be translated to an appropriate name with
larger scope.
Dot-local names are easily translated when they appear in well-defined
places, either as a record's name, or in the rdata of record types like
PTR and SRV. In the printing case, some application-specific knowledge
about the semantics of the "adminurl" key is needed for the Hybrid
Proxy to know that it contains a name that needs to be translated. This
is somewhat analogous to the need for NAT gateways to contain ALGs
(Application-Specific Gateways) to facilitate the correct translation
of protocols that embed addresses in unexpected places.

As is the case with NAT ALGs, protocol designers are advised to avoid
communicating names and addresses in nonstandard locations, because
those "hidden" names and addresses are at risk of not being translated
when necessary, resulting in operational failures. In the printing
case, the operational failure of failing to translate the "adminurl"
key correctly is that, when accessed from a different link, printing
will still work, but clicking the "Admin" UI button will fail to open
the printer's administration page. Rather than duplicating the host
name from the service's SRV record in its "adminurl" key, thereby
having the same host name appear in two places, a better design might
have been to omit the host name from the "adminurl" key, and instead
have the client implicitly substitute the target host name from the
service's SRV record in place of a missing host name in the "adminurl"
key. That way the desired host name only appears once, and it is in a
well-defined place where software like the Hybrid Proxy is expecting to
find it.

Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing. It is frequently the
case that it is wise to start with a clean, layered design, with clear
boundaries.
Then, in certain special cases, those layer boundaries may be violated,
where the performance and efficiency benefits outweigh the inelegance
of the layer violation.

These layer violations are optional. They are done primarily for
efficiency reasons, and generally should not be required for correct
operation. A Hybrid Proxy MAY operate solely at the mDNS layer, without
any knowledge of semantics at the DNS-SD layer or above.

4.6. Answer Aggregation

In a simple analysis, gathering multicast answers and forwarding them
in a unicast response seems adequate, but it raises the question of how
long the Hybrid Proxy should wait to be sure that it has received all
the Multicast DNS answers it needs to form a complete Unicast DNS
response. If it waits too little time, then it risks its Unicast DNS
response being incomplete. If it waits too long, then it creates a poor
user experience at the client end. In fact, there may be no time which
is both short enough to produce a good user experience and at the same
time long enough to reliably produce complete results.

Similarly, the Hybrid Proxy -- the authoritative name server for the
subdomain in question -- needs to decide what DNS TTL to report for
these records. If the TTL is too long then the recursive (caching) name
servers issuing queries on behalf of their clients risk caching stale
data for too long. If the TTL is too short then the amount of network
traffic will be more than necessary. In fact, there may be no TTL which
is both short enough to avoid undesirable stale data and at the same
time long enough to be efficient on the network.

Both these dilemmas are solved by use of DNS Long-Lived Queries (DNS
LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push
Notifications [I-D.ietf-dnssd-push].
(Clients and Hybrid Proxies can support both DNS LLQ and DNS Push, and
when talking to a Hybrid Proxy that supports both the client may use
either protocol, as it chooses, though it is expected that only DNS
Push will continue to be supported in the long run.)

When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push
Notification option, it responds immediately using the Multicast DNS
records it already has in its cache (if any). This provides a good
client user experience by providing a near-instantaneous response.
Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the
local link to discover if there are any additional Multicast DNS
records it did not already know about. Should additional Multicast DNS
responses be received, these are then delivered to the client using DNS
LLQ or DNS Push Notification update messages. The timeliness of such
update messages is limited only by the timeliness of the device
responding to the Multicast DNS query. If the Multicast DNS device
responds quickly, then the update message is delivered quickly. If the
Multicast DNS device responds slowly, then the update message is
delivered slowly. The benefit of using update messages is that the
Hybrid Proxy can respond promptly because it doesn't have to delay its
unicast response to allow for the expected worst-case delay for
receiving all the Multicast DNS responses. Even if a proxy were to try
to provide reliability by assuming an excessively pessimistic
worst-case time (thereby giving a very poor user experience) there
would still be the risk of a slow Multicast DNS device taking even
longer than that (e.g., a device that is not even powered on until ten
seconds after the initial query is received) resulting in incomplete
responses.
Using update messages solves this dilemma: even very late responses are
not lost; they are delivered in subsequent update messages.

There are two factors that determine specifically how responses are
generated:

The first factor is whether the query from the client included an LLQ
or DNS Push Notification option (typical with long-lived service
browsing PTR queries) or not (typical with one-shot operations like SRV
or address record queries). Note that queries containing the LLQ or
PUSH option are received directly from the client. Queries containing
no LLQ or PUSH option are generally received via the client's
configured recursive (caching) name server.

The second factor is whether the Hybrid Proxy already has at least one
record in its cache that positively answers the question.

o  No LLQ or PUSH option; no answer in cache:
   Issue an mDNS query, exactly as a local client would issue an mDNS
   query on the local link for the desired record name, type and
   class, including retransmissions, as appropriate, according to the
   established mDNS retransmission schedule [RFC6762]. As soon as any
   Multicast DNS response packet is received that contains one or more
   positive answers to that question (with or without the Cache Flush
   bit [RFC6762] set), or a negative answer (signified via an NSEC
   record [RFC6762]), the Hybrid Proxy generates a Unicast DNS response
   packet containing the corresponding (filtered and translated)
   answers and sends it to the remote client. If after six seconds no
   Multicast DNS answers have been received, return a negative response
   to the remote client.
   DNS TTLs in responses are capped to at most ten seconds.

o  No LLQ or PUSH option; at least one answer in cache:
   Send response right away to minimise delay.
   DNS TTLs in responses are capped to at most ten seconds.
   No local mDNS queries are performed.
   (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
   Multicast DNS answer in its cache, it can reasonably assume that it
   has all of them.)

o  Query contains LLQ or PUSH option; no answer in cache:
   As in the case above with no answer in the cache, perform mDNS
   querying for six seconds, and send a response to the remote client
   as soon as any relevant mDNS response is received.
   If after six seconds no relevant mDNS response has been received,
   return a negative response to the remote client. (Reasoning: We
   don't need to rush to send an empty answer.)
   Whether or not a relevant mDNS response is received within six
   seconds, the query remains active for as long as the client
   maintains the LLQ or PUSH state, and if mDNS answers are received
   later, LLQ or PUSH update messages are sent.
   DNS TTLs in responses are returned unmodified.

o  Query contains LLQ or PUSH option; at least one answer in cache:
   As in the case above with at least one answer in cache, send
   response right away to minimise delay.
   The query remains active for as long as the client maintains the
   LLQ or PUSH state, and if additional mDNS answers are received
   later, LLQ or PUSH update messages are sent.
   (Reasoning: We want UI that is displayed very rapidly, yet continues
   to remain accurate even as the network environment changes.)
   DNS TTLs in responses are returned unmodified.

Note that the "negative responses" referred to above are "no error no
answer" negative responses, not NXDOMAIN. This is because the Hybrid
Proxy cannot know all the Multicast DNS domain names that may exist on
a link at any given time, so any name with no answers may have child
names that do exist, making it an "empty nonterminal" name.

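The four response cases above, together with the TTL rule of Section 4.5.1, the record suppression of Section 4.5.2 and the SOA MINIMUM of Section 5, worked through as an added Python example (not code from the draft or from any implementation it cites). The RR model, the cache, the private-realm list and the mdns_query hook are constructed for this example; only the policy rules come from the text.

```python
"""Hybrid Proxy response policy, after Sections 4.5.1, 4.5.2, 4.6 and 5.

Added example, not code from the draft or any implementation it cites.  The
RR model, the cache, the private-realm list and the mdns_query hook are
constructed here; the policy rules themselves come from the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TTL_CAP = 10       # Section 4.5.1: positive TTL cap for queries without LLQ/Push
SOA_MINIMUM = 10   # Section 5: negative-cache lifetime in the SOA MINIMUM field
MDNS_WAIT = 6      # Section 4.6: seconds to listen for mDNS answers on a cache miss
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class RR:
    name: str    # owner name, already translated into the unicast zone
    rtype: str   # "A", "AAAA", "SRV", "PTR", "TXT", ...
    rdata: str   # presentation form; for SRV the target host is the last token
    ttl: int     # TTL as heard on the link via Multicast DNS


def address_usable(rdata: str, client_ip: str, realms) -> bool:
    """Section 4.5.2: link-local addresses are never usable off-link, and an
    RFC 1918 address is usable only by a client in the same private realm.
    `realms` is a list of CIDR strings modelling the site's private realms."""
    addr, client = ipaddress.ip_address(rdata), ipaddress.ip_address(client_ip)
    if addr.is_link_local:                        # RFC 3927 (IPv4) / RFC 4862 (IPv6)
        return False
    if any(addr in net for net in RFC1918):
        nets = [ipaddress.ip_network(r) for r in realms]
        realm = next((n for n in nets if addr in n), None)
        return realm is not None and client in realm
    return True


def filter_records(records, client_ip: str, realms) -> list:
    """Section 4.5.2: drop unusable A/AAAA records, then SRV records whose
    target has no usable address left, then PTR records pointing at a dropped
    SRV.  Order is preserved; the targets' address records are assumed to be
    part of `records`."""
    kept = [r for r in records
            if r.rtype not in ("A", "AAAA") or address_usable(r.rdata, client_ip, realms)]
    reachable = {r.name for r in kept if r.rtype in ("A", "AAAA")}
    dead_srv = {r.name for r in kept
                if r.rtype == "SRV" and r.rdata.split()[-1] not in reachable}
    return [r for r in kept
            if not (r.rtype == "SRV" and r.name in dead_srv)
            and not (r.rtype == "PTR" and r.rdata in dead_srv)]


@dataclass(frozen=True)
class Response:
    answers: tuple               # filtered, TTL-adjusted answer RRs
    negative: bool               # "no error, no answer", never NXDOMAIN (Section 4.6)
    soa_minimum: Optional[int]   # SOA MINIMUM carried with a negative response
    subscription: bool           # LLQ/Push state kept: late mDNS answers go out as updates


def respond(question, push: bool, cache: dict, mdns_query, client_ip: str, realms) -> Response:
    """The four cases of Section 4.6.  `cache` maps (name, rtype) to the RRs
    the proxy already holds; `mdns_query(name, rtype, wait)` is an assumed
    hook returning the positive RRs heard on the link within `wait` seconds
    (an NSEC negative answer, or silence, is modelled as an empty list)."""
    heard = list(cache.get(question, []))
    # Cases 2 and 4: a cache hit is answered right away with no mDNS query;
    # with RRSet TTL harmonisation one cached answer implies the proxy has them all.
    if not heard:
        # Cases 1 and 3: query the link as a local client would, for up to six
        # seconds; if nothing relevant arrives the response is negative.
        heard = list(mdns_query(question[0], question[1], MDNS_WAIT))
    answers = filter_records(heard, client_ip, realms)
    if not push:
        # Cases 1 and 2 (no LLQ/Push option): cap TTLs at ten seconds.
        answers = [RR(r.name, r.rtype, r.rdata, min(r.ttl, TTL_CAP)) for r in answers]
    # Cases 3 and 4 (LLQ/Push option): TTLs unmodified, query stays active.
    negative = not answers
    return Response(tuple(answers), negative, SOA_MINIMUM if negative else None, push)
```

A cache hit whose only addresses are unusable for the requesting client still yields a negative response, since filtering happens after the cache lookup.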
5. DNS SOA (Start of Authority) Record

The MNAME field SHOULD contain the host name of the Hybrid Proxy device
(i.e., the same domain name as the rdata of the NS record delegating
the relevant zone(s) to this Hybrid Proxy device).

The RNAME field SHOULD contain the mailbox of the person responsible
for administering this Hybrid Proxy device.

The SERIAL field MUST be zero.

Since zone transfers are undefined for Hybrid Proxy zones, the REFRESH,
RETRY and EXPIRE fields have no useful meaning for Hybrid Proxy zones.
These fields SHOULD contain reasonable default values. The RECOMMENDED
values are: REFRESH 7200, RETRY 3600, EXPIRE 86400.

The MINIMUM field (used to control the lifetime of negative cache
entries) SHOULD contain the value 10. The value of ten seconds is
chosen based on user experience considerations (see Section 4.5.1).

6. DNSSEC Issues

6.1. On-line signing only

The authoritative server must possess the signing key in order to
generate signed data from mDNS responses. Therefore off-line signing is
not applicable to a Hybrid Proxy.

6.2. NSEC and NSEC3 Records

In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
of certain names, also described as "authenticated denial of
existence".

Since a Hybrid Proxy only knows what names exist on the local link by
issuing queries for them, and since it would be impractical to issue
queries for every possible name just to find out which names exist and
which do not, a Hybrid Proxy cannot programmatically synthesize the
traditional NSEC and NSEC3 records which assert the nonexistence of a
large range of names. Instead, when generating a negative response, a
Hybrid Proxy programmatically synthesizes a single NSEC record
asserting the nonexistence of just the specific name queried, and no
others. Since the Hybrid Proxy has the zone signing key, it can do this
on demand.
Since the NSEC record asserts the nonexistence of only a single name,
zone walking is not a concern, so NSEC3 is not necessary. Note that
this applies only to traditional immediate DNS queries, which may
return immediate negative answers when no immediate positive answer is
available. When used with a DNS Push Notification subscription
[I-D.ietf-dnssd-push] there are no negative answers, merely the absence
of answers so far, which may change in the future if answers become
available.

7. Implementation Status

Some aspects of the mechanism specified in this document already exist
in deployed software. Some aspects are new. This section outlines which
aspects already exist and which are new.

7.1. Already Implemented and Deployed

Domain enumeration by the client (the "b._dns-sd._udp" queries) is
already implemented and deployed.

Unicast queries to the indicated discovery domain are already
implemented and deployed.

These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhones and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) and
later.

Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable from
outside the Terminal Room. When you press Cmd-P on your Mac, or select
AirPrint on your iPad or iPhone, and the Terminal Room printers appear,
that is because your client is sending unicast DNS queries to the IETF
DNS servers.

7.2. Already Implemented

A minimal portable Hybrid Proxy implementation has been produced by
Markus Stenberg and Steven Barth, which runs on OS X and several Linux
variants including OpenWrt [ohp]. It was demonstrated at the Berlin
IETF in July 2013.

Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo CLI
and web interface.

7.3. Partially Implemented

The current APIs make multiple domains visible to client software, but
most client UI today lumps all discovered services into a single flat
list. This is largely a chicken-and-egg problem. Application writers
were naturally reluctant to spend time writing domain-aware UI code
when few customers today would benefit from it. If Hybrid Proxy
deployment becomes common, then application writers will have a reason
to provide better UI. Existing applications will work with the Hybrid
Proxy, but will show all services in a single flat list. Applications
with improved UI will group services by domain.

The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in this
specification exists and is deployed, but has not been standardized by
the IETF. The IETF is considering standardizing a superior Long-Lived
Query mechanism called DNS Push Notifications [I-D.ietf-dnssd-push].
The pragmatic short-term deployment approach is for vendors to produce
Hybrid Proxies that implement both the deployed Long-Lived Query
mechanism [I-D.sekar-dns-llq] (for today's clients) and the new DNS
Push Notifications mechanism [I-D.ietf-dnssd-push] as the preferred
long-term direction.

Implementations of the translating/filtering Hybrid Proxy specified in
this document are under development, and operational experience with
these implementations has guided updates to this document.

7.4. Not Yet Implemented

Client implementations of the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] are currently underway.

A mechanism to 'stitch' together multiple ".local." zones so that they
appear as one is not yet implemented. Such a stitching mechanism will
be specified in a future companion document.
This stitching mechanism addresses the issue that if a printer is
physically moved from one link to another, then conceptually the old
service has disappeared from the DNS namespace, and a new service with
a similar name has appeared. This stitching mechanism will allow a
service to change its point of attachment without changing the name by
which it can be found.

8. IPv6 Considerations

An IPv6-only host and an IPv4-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet, neither is aware of
the other's traffic. For this reason, each physical link may have *two*
unrelated ".local." zones, one for IPv6 and one for IPv4. Since for
practical purposes, a group of IPv6-only hosts and a group of IPv4-only
hosts on the same Ethernet act as if they were on two entirely separate
Ethernet segments, it is unsurprising that their use of the ".local."
zone should occur exactly as it would if they really were on two
entirely separate Ethernet segments.

It will be desirable to have a mechanism to 'stitch' together these two
unrelated ".local." zones so that they appear as one. Such a mechanism
will need to be able to differentiate between a dual-stack (v4/v6) host
participating in both ".local." zones, and two different hosts, one
IPv6-only and the other IPv4-only, which are both trying to use the
same name(s). Such a mechanism will be specified in a future companion
document.

9. Security Considerations

9.1. Authenticity

A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is
desired, then the Hybrid Proxy mechanism should not be used, and
something with stronger security should be used instead, such as
authenticated secure DNS Update [RFC2136] [RFC3007].

9.2. Privacy

The Domain Name System is, generally speaking, a global public
database.
Records that exist in the Domain Name System name hierarchy can be
queried by name from, in principle, anywhere in the world. If services
on a mobile device (like a laptop computer) are made visible via the
Hybrid Proxy mechanism, then when those services become visible in a
domain such as "My House.example.com" that might indicate to
(potentially hostile) observers that the mobile device is in my house.
When those services disappear from "My House.example.com" that change
could be used by observers to infer when the mobile device (and
possibly its owner) may have left the house. The privacy of this
information may be protected using techniques like firewalls and
split-view DNS, as are customarily used today to protect the privacy of
corporate DNS information.

9.3. Denial of Service

A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local links.
Multicast traffic is expensive -- especially on Wi-Fi links -- which
makes this attack particularly serious. To limit the damage that can be
caused by such attacks, a Hybrid Proxy (or the underlying Multicast DNS
subsystem which it utilizes) MUST implement Multicast DNS query rate
limiting appropriate to the link technology in question. For Wi-Fi
links the Multicast DNS subsystem SHOULD NOT issue more than 20
Multicast DNS query packets per second. On other link technologies like
Gigabit Ethernet higher limits may be appropriate.

10. Intellectual Property Rights

Apple has submitted an IPR disclosure concerning the technique proposed
in this document. Details are available on the IETF IPR disclosure page
[IPR2119].

11. IANA Considerations

This document has no IANA Considerations.

12. Acknowledgments

Thanks to Markus Stenberg for helping develop the policy regarding the
four styles of unicast response according to what data is immediately
available in the cache. Thanks to Anders Brandt, Tim Chown, Ralph
Droms, Ray Hunter, Ted Lemon, Tom Pusateri, Markus Stenberg, Dave
Thaler, and Andrew Yourtchenko for their comments. [Partial list; more
names to be added.]

13. References

13.1. Normative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
          STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

[RFC1035] Mockapetris, P., "Domain names - implementation and
          specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
          November 1987.

[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot,
          G., and E. Lear, "Address Allocation for Private
          Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
          February 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997.

[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
          NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998.

[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
          Configuration of IPv4 Link-Local Addresses", RFC 3927,
          DOI 10.17487/RFC3927, May 2005.

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
          Address Autoconfiguration", RFC 4862,
          DOI 10.17487/RFC4862, September 2007.

[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
          Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
          December 2012.

[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
          Discovery", RFC 6763, December 2012.

[I-D.ietf-dnssd-push]
          Pusateri, T. and S. Cheshire, "DNS Push Notifications",
          draft-ietf-dnssd-push-03 (work in progress), November 2015.

13.2. Informative References

[HOME]    Cheshire, S., "Special Use Top Level Domain 'home'",
          draft-cheshire-homenet-dot-home (work in progress),
          November 2015.

[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
          Unicast/Multicast DNS-Based Service Discovery".

[ohp]     "Hybrid Proxy implementation for OpenWrt".

[I-D.sekar-dns-llq]
          Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-llq-01
          (work in progress), August 2006.

[I-D.ietf-homenet-hncp]
          Stenberg, M., Barth, S., and P. Pfister, "Home Networking
          Control Protocol", draft-ietf-homenet-hncp-09 (work in
          progress), August 2015.

[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
          "Dynamic Updates in the Domain Name System (DNS UPDATE)",
          RFC 2136, DOI 10.17487/RFC2136, April 1997.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
          Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
          to Replace the AppleTalk Name Binding Protocol (NBP)",
          RFC 6760, December 2012.

[ZC]      Cheshire, S. and D. Steinberg, "Zero Configuration
          Networking: The Definitive Guide", O'Reilly Media, Inc.,
          ISBN 0-596-10100-7, December 2005.

Author's Address

Stuart Cheshire
Apple Inc.
1 Infinite Loop
Cupertino, California 95014
USA

Phone: +1 408 974 3207
Email: cheshire@apple.com