Internet Engineering Task Force                              S. Cheshire
Internet-Draft                                                Apple Inc.
Intended status: Standards Track                       November 16, 2016
Expires: May 20, 2017

Hybrid Unicast/Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-05

Abstract

This document specifies a mechanism that uses Multicast DNS to automatically populate the wide-area unicast Domain Name System namespace with records describing devices and services found on the local link.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 20, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Operational Analogy
3. Conventions and Terminology Used in this Document
4. Compatibility Considerations
5. Hybrid Proxy Operation
   5.1. Delegated Subdomain for Service Discovery Records
   5.2. Domain Enumeration
      5.2.1. Domain Enumeration via Unicast Queries
      5.2.2. Domain Enumeration via Multicast Queries
   5.3. Delegated Subdomain for LDH Host Names
   5.4. Delegated Subdomain for Reverse Mapping
   5.5. Data Translation
      5.5.1. DNS TTL limiting
      5.5.2. Suppressing Unusable Records
      5.5.3. NSEC and NSEC3 queries
      5.5.4. Text Encoding Translation
      5.5.5. Application-Specific Data Translation
   5.6. Answer Aggregation
6. Administrative DNS Records
   6.1. DNS SOA (Start of Authority) Record
   6.2. DNS NS Records
   6.3. DNS SRV Records
7. DNSSEC Issues
   7.1. On-line signing only
   7.2. NSEC and NSEC3 Records
8. IPv6 Considerations
9. Security Considerations
   9.1. Authenticity
   9.2. Privacy
   9.3. Denial of Service
10. Intellectual Property Rights
11. IANA Considerations
12. Acknowledgments
13. References
   13.1. Normative References
   13.2. Informative References
Appendix A. Implementation Status
   A.1. Already Implemented and Deployed
   A.2. Already Implemented
   A.3. Partially Implemented
   A.4. Not Yet Implemented
Author's Address

1. Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC].

For a small home network consisting of just a single link (or a few physical links bridged together to appear as a single logical link to IP) Multicast DNS [RFC6762] is sufficient for client devices to look up the ".local" host names of peers on the same home network, and to use DNS-Based Service Discovery (DNS-SD) [RFC6763] to discover services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, are not propagated onto other links.

Using link-local multicast packets for Multicast DNS was a conscious design choice [RFC6762].
Even when limited to a single link, multicast traffic is still generally considered to be more expensive than unicast, because multicast traffic impacts many devices, instead of just a single recipient. In addition, with some technologies like Wi-Fi [802.11], multicast traffic is inherently less efficient and less reliable than unicast, because Wi-Fi multicast traffic is sent using the lower data rates, and is not acknowledged. Multiplying the amount of expensive multicast traffic by flooding it across multiple links would make the traffic load even worse.

Partitioning the network into many small links curtails the spread of expensive multicast traffic, but limits the discoverability of services. Using a very large local link with thousands of hosts enables better service discovery, but at the cost of larger amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require excessively large multicast domains, but requires that the relevant data be available in the Unicast DNS namespace. The Unicast DNS namespace in question could fall within a traditionally assigned globally unique domain name, or could use a private local unicast domain name such as ".home" [HOME].

In the DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

Making the relevant data available in the Unicast DNS namespace by manual DNS configuration (as has been done for many years at IETF meetings to advertise the IETF Terminal Room printer) is labor intensive, error prone, and requires a reasonable degree of DNS expertise.
Populating the Unicast DNS namespace via DNS Update by the devices offering the services themselves requires configuration of DNS Update keys on those devices, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence, to facilitate efficient and reliable DNS-Based Service Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.

This document specifies a type of proxy called a Hybrid Proxy that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

In principle, similar mechanisms could be defined using other local service discovery protocols, to discover local information and then make corresponding DNS records visible in the Unicast DNS namespace. Such mechanisms for other local service discovery protocols could be addressed in future documents.

The design of the Hybrid Proxy is guided by the previously published Requirements for Scalable DNS-Based Service Discovery [RFC7558].

In simple terms, a descriptive DNS name is chosen for each link in an organization. Using a DNS NS record, responsibility for that DNS name is delegated to a Hybrid Proxy physically attached to that link. Now, when a remote client issues a unicast query for a name falling within the delegated subdomain, the normal DNS delegation mechanism results in the unicast query arriving at the Hybrid Proxy, since it has been declared authoritative for those names. Then, instead of consulting a textual zone file on disk to discover the answer to the query, as a traditional DNS server would, a Hybrid Proxy consults its local link, using Multicast DNS, to find the answer to the question.

For fault tolerance reasons there may be more than one Hybrid Proxy serving a given link.
Note that the Hybrid Proxy uses a "pull" model. The local link is not queried using Multicast DNS until a remote client has requested that data. In the idle state, in the absence of client requests, the Hybrid Proxy sends no packets and imposes no burden on the network. It operates purely "on demand".

An alternative proposal has been a proxy that performs DNS updates to a remote DNS server on behalf of the Multicast DNS devices on the local network. The difficulty of this is that the proxy would have to be issuing all possible Multicast DNS queries all the time, to discover all the answers it needed to push up to the remote DNS server using DNS Update. It would thus generate very high load on the network continuously, even when there were no clients with any interest in that data.

Hence, having a model where the query comes to the Hybrid Proxy is much more efficient than a model where the Hybrid Proxy pushes the answers out to some other remote DNS server.

A client can send queries to the Hybrid Proxy in the form of traditional DNS queries, or by making a DNS Push Notification subscription [I-D.ietf-dnssd-push].

2. Operational Analogy

A Hybrid Proxy does not operate as a multicast relay, or multicast forwarder. There is no danger of multicast forwarding loops that result in traffic storms, because no multicast packets are forwarded. A Hybrid Proxy operates as a *proxy* for a remote client, performing queries on its behalf and reporting the results back.

A reasonable analogy would be making a telephone call to a colleague at your workplace and saying, "I'm out of the office right now. Would you mind bringing up a printer browser window and telling me the names of the printers you see?" That entails no risk of a forwarding loop causing a traffic storm, because no multicast packets are sent over the telephone call.
A similar analogy, instead of enlisting another human being to initiate the service discovery operation on your behalf, would be to log into your own desktop work computer using screen sharing, and then run the printer browser yourself to see the list of printers. Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the list of discovered printer names. In neither case is there any risk of a forwarding loop causing a traffic storm, because no multicast packets are being sent over the screen sharing or ssh connection.

The Hybrid Proxy provides another way of performing remote queries, just using a different protocol instead of screen sharing or ssh.

When the Hybrid Proxy software performs Multicast DNS operations, the exact same Multicast DNS caching mechanisms are applied as when any other client software on that Hybrid Proxy device performs Multicast DNS operations, whether that be running a printer browser client locally, or a remote user running the printer browser client via a screen sharing connection, or a remote user logged in via ssh running a command-line tool like "dns-sd".

3. Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

The Hybrid Proxy builds on Multicast DNS, which works between hosts on the same link.
A set of hosts is considered to be "on the same link" if:

o  when any host A from that set sends a packet to any other host B in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

o  a broadcast sent over that link by any host from that set of hosts can be received by every other host in that set

The link-layer *header* may be modified, such as in Token Ring Source Routing [802.5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

4. Compatibility Considerations

No changes to existing devices are required to work with a Hybrid Proxy.

Existing devices that advertise services using Multicast DNS work with Hybrid Proxy.

Existing clients that support DNS-Based Service Discovery over Unicast DNS work with Hybrid Proxy. Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 in April 2005, and is included in Apple products introduced since then, including iPhone and iPad, as well as products from other vendors, such as Microsoft Windows 10.

5. Hybrid Proxy Operation

In a typical configuration, a Hybrid Proxy is configured to be authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authority for these subdomains is delegated to it via NS records:

A DNS subdomain for service discovery records.
   This subdomain name may contain rich text, including spaces and other punctuation.
   This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

A DNS subdomain for host name records.
   This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

A DNS subdomain for IPv6 Reverse Mapping records.
   This subdomain name will be a name that ends in "ip6.arpa."

A DNS subdomain for IPv4 Reverse Mapping records.
   This subdomain name will be a name that ends in "in-addr.arpa."

In an enterprise network the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a home network naming and delegation would typically be performed using some automatic configuration mechanism such as HNCP [RFC7788].

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below in Sections 5.1, 5.3 and 5.4.

How a client discovers where to issue its service discovery queries is described below in Section 5.2.

5.1. Delegated Subdomain for Service Discovery Records

In its simplest form, each link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.
   +---------------+--------------+-------------+-------------------+
   | *example.com* | Building 1   | 1st Floor   | Alice's printer   |
   |               | Building 2   | *2nd Floor* | Bob's printer     |
   |               | *Building 3* | 3rd Floor   | Charlie's printer |
   |               | Building 4   | 4th Floor   |                   |
   |               | Building 5   |             |                   |
   |               | Building 6   |             |                   |
   +---------------+--------------+-------------+-------------------+

                       Figure 1: Illustrative GUI

Each named link in an organization has one or more Hybrid Proxies which serve it. This Hybrid Proxy function for each link could be performed by a device like a router or switch that is physically attached to that link. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the one or more Hybrid Proxies that serve the named link. In other words, the Hybrid Proxies are the authoritative name servers for that subdomain.

With appropriate VLAN configuration [802.1Q] a single Hybrid Proxy device could have a logical presence on many links, and serve as the Hybrid Proxy for all those links. In such a configuration the Hybrid Proxy device would have a single physical Ethernet [802.3] port, configured as a VLAN trunk port, which would appear to software on that device as multiple virtual Ethernet interfaces, one connected to each of the VLAN links.

When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Hybrid Proxy on the link in question. Like a conventional Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Hybrid Proxy generates answers using Multicast DNS. A Hybrid Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Unicast DNS response. How long the Hybrid Proxy should wait to accumulate Multicast DNS responses is described below in Section 5.6.

Naturally, the existing Multicast DNS caching mechanism is used to minimize unnecessary Multicast DNS queries on the wire. The Hybrid Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

5.2. Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries, using both unicast and multicast. If it receives a Domain Name configuration via DHCP option 15 [RFC2132], then it issues unicast queries using this domain. It also issues unicast queries using names derived from its IPv6 prefix(es) and IPv4 subnet address(es). These are described below in Section 5.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 5.2.2. The results of all the Domain Enumeration queries are combined for Service Discovery purposes.

5.2.1. Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains, e.g.:

   b._dns-sd._udp.example.com.  PTR  Building 1.example.com.
                                PTR  Building 2.example.com.
                                PTR  Building 3.example.com.
                                PTR  Building 4.example.com.
   db._dns-sd._udp.example.com. PTR  Building 1.example.com.

   lb._dns-sd._udp.example.com. PTR  Building 1.example.com.

The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from, and the "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, as of 2015). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65275 for the Answer Section.

An Answer Section Resource Record consists of:

o  Owner name, encoded as a two-byte compression pointer
o  Two-byte rrtype (type PTR)
o  Two-byte rrclass (class IN)
o  Four-byte ttl
o  Two-byte rdlength
o  rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.

In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.
It is anticipated that this should be sufficient for even a large corporate network or university campus.

5.2.2. Domain Enumeration via Multicast Queries

Since a Hybrid Proxy exists on many, if not all, the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients.

A Hybrid Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

   b._dns-sd._udp.local.  PTR ?
   db._dns-sd._udp.local. PTR ?
   lb._dns-sd._udp.local. PTR ?

This provides the ability for Hybrid Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link granularity. In some enterprises it may be preferable to provide this per-link configuration data in the form of Hybrid Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

Regardless of how the network operator chooses to provide this configuration data, clients will perform Domain Enumeration via both unicast and multicast queries, and then combine the results of these queries.

5.3. Delegated Subdomain for LDH Host Names

DNS-SD service instance names and domains are allowed to contain arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8 [RFC3629].

Users typically interact with service discovery software by viewing a list of discovered service instance names on a display, and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and touch or click on the thing they want.

In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens (LDH), with no spaces or other punctuation.

While we still want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is less desirable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Hybrid Proxy SHOULD support having two separate subdomains delegated to it for each link it serves, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records).

For example, a Hybrid Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Hybrid Proxy would then translate these two Multicast DNS records:

   My Printer._ipp._tcp.local.  SRV 0 0 631 prnt.local.
   prnt.local.                  A   203.0.113.2

into Unicast DNS records as follows:

   My Printer._ipp._tcp.Building 1.example.com.
                                SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com.      A   203.0.113.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

A Hybrid Proxy MAY support only a single rich text Net-Unicode domain, and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments. Whether this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.

A Hybrid Proxy MUST NOT be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.

5.4. Delegated Subdomain for Reverse Mapping

A Hybrid Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.

To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Hybrid Proxy. In other words, the Hybrid Proxy becomes the authoritative name server for the reverse mapping domain. For fault tolerance reasons there may be more than one Hybrid Proxy serving a given link.

For example, if a given link is using the IPv6 prefix 2001:0DB8:1234:5678/64, then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid Proxy for that link.

If a given link is using the IPv4 subnet 203.0.113/24, then the domain "113.0.203.in-addr.arpa" is delegated to the Hybrid Proxy for that link.

When a reverse mapping query arrives at the Hybrid Proxy, it issues the identical query on its local link as a Multicast DNS query.
The mechanism to force an apparently unicast name to be resolved using link-local Multicast DNS varies depending on the API set being used. For example, in the "/usr/include/dns_sd.h" APIs (available on macOS, iOS, Microsoft Windows, Linux and Android), using kDNSServiceFlagsForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS. Other API sets have different ways of forcing multicast queries. When the host owning that IPv6 or IPv4 address responds with a name of the form "something.local", the Hybrid Proxy rewrites that to use its configured LDH host name domain instead of "local", and returns the response to the caller.

For example, a Hybrid Proxy with the two subdomains "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

   2.113.0.203.in-addr.arpa.  PTR  prnt.local.

into this Unicast DNS response:

   2.113.0.203.in-addr.arpa.  PTR  prnt.bldg1.example.com.

Subsequent queries for the prnt.bldg1.example.com address record, falling as it does within the bldg1.example.com domain, which is delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.

5.5. Data Translation

Generating the appropriate Multicast DNS queries involves, at the very least, translating from the configured DNS domain (e.g., "Building 1.example.com") on the Unicast DNS side to "local" on the Multicast DNS side.

Generating the appropriate Unicast DNS responses involves translating back from "local" to the configured DNS Unicast domain.

Other beneficial translation and filtering operations are described below.

5.5.1. DNS TTL limiting

For efficiency, Multicast DNS typically uses moderately high DNS TTL values. For example, the typical TTL on DNS-SD PTR records is 75 minutes. What makes these moderately high TTLs acceptable is the cache coherency mechanisms built into the Multicast DNS protocol which protect against stale data persisting for too long. When a service shuts down gracefully, it sends goodbye packets to remove its PTR records immediately from neighbouring caches. If a service shuts down abruptly without sending goodbye packets, the Passive Observation Of Failures (POOF) mechanism described in Section 10.5 of the Multicast DNS specification [RFC6762] comes into play to purge the cache of stale data.

A traditional Unicast DNS client on a remote link does not get to participate in these Multicast DNS cache coherency mechanisms on the local link. For traditional Unicast DNS queries (those received without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in the resulting Unicast DNS response SHOULD be capped to be no more than ten seconds.

Similarly, for negative responses, the negative caching TTL indicated in the SOA record [RFC2308] should also be ten seconds (Section 6.1).

This value of ten seconds is chosen based on user experience considerations.

For negative caching, suppose a user is attempting to access a remote device (e.g., a printer), and they are unsuccessful because that device is powered off. Suppose they then place a telephone call and ask for the device to be powered on. We want the device to become available to the user within a reasonable time period. It is reasonable to expect it to take on the order of ten seconds for a simple device with a simple embedded operating system to power on.
   Once the device is powered on and has announced its presence on the
   network via Multicast DNS, we would like it to take no more than a
   further ten seconds for stale negative cache entries to expire from
   Unicast DNS caches, making the device available to the user desiring
   to access it.

   Similar reasoning applies to capping positive TTLs at ten seconds.
   In the event of a device moving location, getting a new DHCP address,
   or other renumbering events, we would like the updated information to
   be available to remote clients in a relatively timely fashion.

   However, network administrators should be aware that many recursive
   (caching) DNS servers by default are configured to impose a minimum
   TTL of 30 seconds. If stale data appears to be persisting in the
   network to the extent that it adversely impacts user experience,
   network administrators are advised to check the configuration of
   their recursive DNS servers.

   For received Unicast DNS queries that contain an LLQ or DNS Push
   Notification option, the Multicast DNS record's TTL SHOULD be
   returned unmodified, because the Push Notification channel exists to
   inform the remote client as records come and go. For further details
   about Long-Lived Queries, and its newer replacement, DNS Push
   Notifications, see Section 5.6.

5.5.2. Suppressing Unusable Records

   A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that
   are not useful outside the local link. For example, DNS A and AAAA
   records for IPv6 link-local addresses [RFC4862] and IPv4 link-local
   addresses [RFC3927] SHOULD be suppressed. Similarly, for sites that
   have multiple private address realms [RFC1918], in cases where the
   Hybrid Proxy can determine that the querying client is in a different
   address realm, private addresses MUST NOT be communicated to that
   client.
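   The suppression rules of this section (link-local addresses, private
   addresses across realms, and the Unique Local Address and SRV/PTR
   rules that follow) amount to one filter pass over a translated answer
   set. The following is an added example, not code from the draft or
   from any implementation it cites. The realm table, the simplified
   record representation (SRV rdata reduced to its target name) and the
   sample answers are all constructed for the illustration; a real proxy
   learns realm membership from its configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed realm table: which private [RFC1918] and ULA [RFC4193] blocks belong
# to which address realm. A real proxy gets this from its configuration.
REALM_TABLE = {
    ipaddress.ip_network("10.1.0.0/16"): "realm-A",
    ipaddress.ip_network("fd00:1::/48"): "realm-A",
    ipaddress.ip_network("10.2.0.0/16"): "realm-B",
}

# Address space that is meaningful only inside one realm.
REALM_SCOPED = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class RR:
    name: str
    rrtype: str
    rdata: str   # simplified: address text for A/AAAA, target name for SRV/PTR


def realm_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for net, realm in REALM_TABLE.items():
        if ip.version == net.version and ip in net:
            return realm
    return None


def address_usable_by(addr: str, client_addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:          # 169.254/16 [RFC3927] and fe80::/10 [RFC4862]
        return False
    scoped = any(ip.version == n.version and ip in n for n in REALM_SCOPED)
    if not scoped:
        return True               # globally routable: usable from anywhere
    realm = realm_of(addr)
    return realm is not None and realm == realm_of(client_addr)


def filter_answers(answers: List[RR], client_addr: str) -> List[RR]:
    """Suppress records that are useless (or must not be disclosed) to this client."""
    usable_hosts = {rr.name for rr in answers
                    if rr.rrtype in ("A", "AAAA") and address_usable_by(rr.rdata, client_addr)}
    known_hosts = {rr.name for rr in answers if rr.rrtype in ("A", "AAAA")}
    # An SRV whose target's addresses are all unusable is dropped; a target with no
    # address records in this set is unknown and passed through.
    dropped_srv = {rr.name for rr in answers
                   if rr.rrtype == "SRV" and rr.rdata in known_hosts and rr.rdata not in usable_hosts}
    kept = []
    for rr in answers:
        if rr.rrtype in ("A", "AAAA") and not address_usable_by(rr.rdata, client_addr):
            continue
        if rr.rrtype == "SRV" and rr.name in dropped_srv:
            continue
        if rr.rrtype == "PTR" and rr.rdata in dropped_srv:
            continue
        kept.append(rr)
    return kept


# Constructed answer set: one printer with a public address plus a link-local one,
# and one scanner reachable only inside realm-B.
SAMPLE_ANSWERS = [
    RR("_ipp._tcp.Building 1.example.com.", "PTR", "Printer._ipp._tcp.Building 1.example.com."),
    RR("Printer._ipp._tcp.Building 1.example.com.", "SRV", "prnt.bldg1.example.com."),
    RR("prnt.bldg1.example.com.", "A", "203.0.113.2"),
    RR("prnt.bldg1.example.com.", "AAAA", "fe80::1"),
    RR("_ipp._tcp.Building 1.example.com.", "PTR", "Scanner._ipp._tcp.Building 1.example.com."),
    RR("Scanner._ipp._tcp.Building 1.example.com.", "SRV", "scan.bldg1.example.com."),
    RR("scan.bldg1.example.com.", "A", "10.2.7.7"),
]
```

   The address test deliberately avoids the ipaddress module's
   is_private property, which also flags documentation ranges such as
   203.0.113.0/24; only the RFC 1918 blocks and fc00::/7 are treated as
   realm-scoped here. A client in realm-A sees only the printer's PTR,
   SRV and public A record; a client in realm-B additionally sees the
   scanner, and nobody sees the link-local AAAA.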
   IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed in cases
   where the Hybrid Proxy can determine that the querying client is in a
   different IPv6 address realm.

   By the same logic, DNS SRV records that reference target host names
   that have no addresses usable by the requester should be suppressed,
   and likewise, DNS PTR records that point to unusable SRV records
   should similarly be suppressed.

5.5.3. NSEC and NSEC3 Queries

   Since a Hybrid Proxy only knows what names exist on the local link by
   issuing queries for them, and since it would be impractical to issue
   queries for every possible name just to find out which names exist
   and which do not, a Hybrid Proxy cannot programmatically generate the
   traditional NSEC and NSEC3 records which assert the nonexistence of a
   large range of names.

   When queried for an NSEC or NSEC3 record type, the Hybrid Proxy
   issues a qtype "ANY" query using Multicast DNS on the local link, and
   then generates an NSEC or NSEC3 response signifying which record
   types do and do not exist for just the specific name queried, and no
   others.

   Multicast DNS NSEC records received on the local link MUST NOT be
   forwarded unmodified to a unicast querier, because there are slight
   differences in the NSEC record data. In particular, Multicast DNS
   NSEC records do not have the NSEC bit set in the Type Bit Map,
   whereas conventional Unicast DNS NSEC records do have the NSEC bit
   set.

5.5.4. Text Encoding Translation

   A Hybrid Proxy does no translation between text encodings.
   Specifically, a Hybrid Proxy does no translation between Punycode and
   UTF-8, either in the owner name of DNS records, or anywhere in the
   RDATA of DNS records (such as the RDATA of PTR records, SRV records,
   NS records, or other record types like TXT, where it is ambiguous
   whether the RDATA may contain DNS names). All bytes are treated
   as-is, with no attempt at text encoding translation. A client
   implementing DNS-based Service Discovery [RFC6763] will use UTF-8
   encoding for its service discovery queries, which the Hybrid Proxy
   passes through without any text encoding translation to the Multicast
   DNS subsystem. Responses from the Multicast DNS subsystem are
   similarly returned, without any text encoding translation, back to
   the requesting client.

5.5.5. Application-Specific Data Translation

   There may be cases where Application-Specific Data Translation is
   appropriate.

   For example, AirPrint printers tend to advertise fairly verbose
   information about their capabilities in their DNS-SD TXT record. TXT
   record sizes in the range 500-1000 bytes are not uncommon. This
   information is a legacy from LPR printing, because LPR does not have
   in-band capability negotiation, so all of this information is
   conveyed using the DNS-SD TXT record instead. IPP printing does have
   in-band capability negotiation, but for convenience printers tend to
   include the same capability information in their IPP DNS-SD TXT
   records as well. For local mDNS use this extra TXT record
   information is inefficient, but not fatal. However, when a Hybrid
   Proxy aggregates data from multiple printers on a link, and sends it
   via unicast (via UDP or TCP) this amount of unnecessary TXT record
   information can result in large responses. A DNS reply over TCP
   carrying information about 70 printers with an average of 700 bytes
   per printer adds up to about 50 kilobytes of data. Therefore, a
   Hybrid Proxy that is aware of the specifics of an application-layer
   protocol such as AirPrint (which uses IPP) can elide unnecessary key/
   value pairs from the DNS-SD TXT record for better network efficiency.
   Also, the DNS-SD TXT record for many printers contains an "adminurl"
   key something like "adminurl=http://printername.local/status.html".
   For this URL to be useful outside the local link, the embedded
   ".local" hostname needs to be translated to an appropriate name with
   larger scope. It is easy to translate ".local" names when they
   appear in well-defined places, either as a record's name, or in the
   rdata of record types like PTR and SRV. In the printing case, some
   application-specific knowledge about the semantics of the "adminurl"
   key is needed for the Hybrid Proxy to know that it contains a name
   that needs to be translated. This is somewhat analogous to the need
   for NAT gateways to contain ALGs (Application-Specific Gateways) to
   facilitate the correct translation of protocols that embed addresses
   in unexpected places.

   As is the case with NAT ALGs, protocol designers are advised to avoid
   communicating names and addresses in nonstandard locations, because
   those "hidden" names and addresses are at risk of not being
   translated when necessary, resulting in operational failures. In the
   printing case, the operational failure of failing to translate the
   "adminurl" key correctly is that, when accessed from a different
   link, printing will still work, but clicking the "Admin" UI button
   will fail to open the printer's administration page. Rather than
   duplicating the host name from the service's SRV record in its
   "adminurl" key, thereby having the same host name appear in two
   places, a better design might have been to omit the host name from
   the "adminurl" key, and instead have the client implicitly substitute
   the target host name from the service's SRV record in place of a
   missing host name in the "adminurl" key. That way the desired host
   name only appears once, and it is in a well-defined place where
   software like the Hybrid Proxy is expecting to find it.
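   Both operations described in this section, eliding TXT keys a remote
   client does not need and rewriting the ".local" host embedded in
   "adminurl", can be shown on a DNS-SD TXT record. The following is an
   added example, not code from the draft or from any implementation it
   cites. The allowlist of keys to keep, the LDH domain and the sample
   record are constructed; which keys are safe to elide is exactly the
   application-specific knowledge the section says a proxy needs, and
   the draft does not enumerate them.

```python
from urllib.parse import urlsplit, urlunsplit
from typing import List, Optional, Tuple

LDH_DOMAIN = "bldg1.example.com"    # constructed: the proxy's host-name domain

# Constructed allowlist of TXT keys worth forwarding off-link. Which keys can be
# elided is application-specific knowledge; the draft names only the principle.
KEEP_KEYS = {"txtvers", "rp", "adminurl", "ty", "pdl"}
MAX_TXT_STRING = 255                # each TXT string is length-prefixed by one octet


def parse_txt(strings: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Split DNS-SD TXT strings into (key, value) pairs [RFC6763]; a bare key has value None."""
    pairs = []
    for s in strings:
        key, sep, value = s.partition("=")
        pairs.append((key, value if sep else None))
    return pairs


def rewrite_local_url(url: str) -> str:
    """Move a '.local' host embedded in a URL into the proxy's LDH domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.lower().endswith(".local"):
        return url
    new_host = host[: -len(".local")] + "." + LDH_DOMAIN
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def translate_txt(strings: List[str], elide: bool = True) -> List[str]:
    """Apply key elision and adminurl rewriting to one TXT record's strings."""
    out = []
    for key, value in parse_txt(strings):
        if elide and key.lower() not in KEEP_KEYS:
            continue                       # layer violation for efficiency only
        if key.lower() == "adminurl" and value is not None:
            value = rewrite_local_url(value)
        item = key if value is None else f"{key}={value}"
        if len(item.encode("utf-8")) > MAX_TXT_STRING:
            raise ValueError(f"TXT string for {key!r} exceeds {MAX_TXT_STRING} octets")
        out.append(item)
    return out


def txt_rdata_size(strings: List[str]) -> int:
    """Wire size of the TXT RDATA: one length octet plus the bytes of each string."""
    return sum(1 + len(s.encode("utf-8")) for s in strings)


# Constructed sample modelled on the draft's description; keys other than
# adminurl are illustrative, not a real printer's record.
SAMPLE_TXT = [
    "txtvers=1", "rp=ipp/print",
    "adminurl=http://printername.local/status.html",
    "ty=Example Printer", "pdl=application/pdf,image/urf",
    "Color=T", "Duplex=T", "Bind=F", "Staple=F", "note=3rd floor",
]
```

   Running translate_txt over SAMPLE_TXT keeps five strings, rewrites
   the adminurl host to printername.bldg1.example.com and shrinks the
   RDATA; with elide=False the record passes through with only the URL
   rewritten, which is the behaviour a proxy operating purely at the
   mDNS layer plus the adminurl rule would show.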
   Note that this kind of Application-Specific Data Translation is
   expected to be very rare. It is the exception, rather than the rule.
   This is an example of a common theme in computing. It is frequently
   the case that it is wise to start with a clean, layered design, with
   clear boundaries. Then, in certain special cases, those layer
   boundaries may be violated, where the performance and efficiency
   benefits outweigh the inelegance of the layer violation.

   These layer violations are optional. They are done primarily for
   efficiency reasons, and generally should not be required for correct
   operation. A Hybrid Proxy MAY operate solely at the mDNS layer,
   without any knowledge of semantics at the DNS-SD layer or above.

5.6. Answer Aggregation

   In a simple analysis, simply gathering multicast answers and
   forwarding them in a unicast response seems adequate, but it raises
   the question of how long the Hybrid Proxy should wait to be sure that
   it has received all the Multicast DNS answers it needs to form a
   complete Unicast DNS response. If it waits too little time, then it
   risks its Unicast DNS response being incomplete. If it waits too
   long, then it creates a poor user experience at the client end. In
   fact, there may be no time which is both short enough to produce a
   good user experience and at the same time long enough to reliably
   produce complete results.

   Similarly, the Hybrid Proxy -- the authoritative name server for the
   subdomain in question -- needs to decide what DNS TTL to report for
   these records. If the TTL is too long then the recursive (caching)
   name servers issuing queries on behalf of their clients risk caching
   stale data for too long. If the TTL is too short then the amount of
   network traffic will be more than necessary. In fact, there may be
   no TTL which is both short enough to avoid undesirable stale data and
   at the same time long enough to be efficient on the network.

   Both these dilemmas are solved by use of DNS Long-Lived Queries
   (DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push
   Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can
   support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy
   that supports both the client may use either protocol, as it chooses,
   though it is expected that only DNS Push will continue to be
   supported in the long run.) Clients supporting unicast DNS Service
   Discovery SHOULD implement DNS Push Notifications
   [I-D.ietf-dnssd-push] for improved user experience.

   When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push
   Notification option, it responds immediately using the Multicast DNS
   records it already has in its cache (if any). This provides a good
   client user experience by providing a near-instantaneous response.
   Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the
   local link to discover if there are any additional Multicast DNS
   records it did not already know about. Should additional Multicast
   DNS responses be received, these are then delivered to the client
   using DNS LLQ or DNS Push Notification update messages. The
   timeliness of such update messages is limited only by the timeliness
   of the device responding to the Multicast DNS query. If the
   Multicast DNS device responds quickly, then the update message is
   delivered quickly. If the Multicast DNS device responds slowly, then
   the update message is delivered slowly. The benefit of using update
   messages is that the Hybrid Proxy can respond promptly because it
   doesn't have to delay its unicast response to allow for the expected
   worst-case delay for receiving all the Multicast DNS responses.
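   The response behaviour this section describes, combined with the TTL
   policy of Section 5.5.1, reduces to a small decision table keyed on
   two facts: whether the query carried an LLQ or Push option, and
   whether the cache already holds an answer. The following added
   example (not code from the draft or from any implementation it cites)
   models all four combinations that this section goes on to enumerate,
   using the draft's six-second collection window and ten-second cap;
   the packet timings fed to the simulation are constructed, and only
   positive answers are modelled (a Multicast DNS NSEC negative answer
   would end the wait in the same way).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values from the draft: 5.5.1 caps TTLs for traditional queries at ten seconds;
# 5.6 gives the proxy six seconds to collect Multicast DNS answers.
TTL_CAP_SECONDS = 10
MDNS_WAIT_SECONDS = 6.0


@dataclass
class Answer:
    name: str
    rrtype: str
    rdata: str
    ttl: int


@dataclass
class Plan:
    """What the proxy does for one incoming unicast query (the four cases of 5.6)."""
    immediate: List[Answer]   # answers sent straight away (empty: wait for mDNS, else negative)
    query_mdns: bool          # issue an mDNS query on the local link?
    keep_active: bool         # LLQ/Push: deliver later answers as update messages
    cap_ttl: bool             # cap TTLs at TTL_CAP_SECONDS (traditional queries only)


def plan_response(long_lived: bool, cached: List[Answer]) -> Plan:
    has_cache = bool(cached)
    if not long_lived and not has_cache:
        return Plan([], True, False, True)
    if not long_lived and has_cache:
        # RRSet TTL harmonisation: one cached answer implies the proxy has all of
        # them, so no local mDNS query is performed.
        return Plan(list(cached), False, False, True)
    if long_lived and not has_cache:
        return Plan([], True, True, False)
    # Long-lived query with a cache hit: answer now, keep looking for more.
    return Plan(list(cached), True, True, False)


def apply_ttl_policy(answers: List[Answer], cap: bool) -> List[Answer]:
    if not cap:
        return list(answers)
    return [Answer(a.name, a.rrtype, a.rdata, min(a.ttl, TTL_CAP_SECONDS)) for a in answers]


def run_query(long_lived: bool, cached: List[Answer],
              mdns_arrivals: List[Tuple[float, Answer]]) -> Tuple[List[Answer], List[Answer]]:
    """Simulate one query. mdns_arrivals is a constructed list of
    (seconds_after_query, Answer) packets heard on the local link.
    Returns (initial_response, update_messages); an empty initial list is the
    "no error, no answer" negative response."""
    plan = plan_response(long_lived, cached)
    initial = list(plan.immediate)
    remaining = sorted(mdns_arrivals, key=lambda p: p[0]) if plan.query_mdns else []
    if not initial:
        # Nothing cached: answer with the first relevant packet inside the window.
        for i, (t, ans) in enumerate(remaining):
            if t <= MDNS_WAIT_SECONDS:
                initial, remaining = [ans], remaining[i + 1:]
                break
    seen = {(a.name, a.rrtype, a.rdata) for a in initial}
    updates = []
    if plan.keep_active:                      # later answers become LLQ/Push updates
        for _, ans in remaining:
            key = (ans.name, ans.rrtype, ans.rdata)
            if key not in seen:
                seen.add(key)
                updates.append(ans)
    return apply_ttl_policy(initial, plan.cap_ttl), apply_ttl_policy(updates, plan.cap_ttl)


def sample_ptr(instance: str, ttl: int = 4500) -> Answer:
    """Constructed DNS-SD browse answer; 4500 s is the usual mDNS PTR TTL (75 minutes)."""
    return Answer("_ipp._tcp.Building 1.example.com.", "PTR", instance, ttl)
```

   A traditional query with an empty cache gets the first packet's
   answers with TTL capped at ten seconds and never sees a device that
   answers twelve seconds later; the same situation with an LLQ or Push
   option returns the first answer with its 4500-second TTL intact and
   delivers the late device as an update message.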
   Even if a proxy were to try to provide reliability by assuming an
   excessively pessimistic worst-case time (thereby giving a very poor
   user experience) there would still be the risk of a slow Multicast
   DNS device taking even longer than that (e.g., a device that is not
   even powered on until ten seconds after the initial query is
   received) resulting in incomplete responses. Using update messages
   solves this dilemma: even very late responses are not lost; they are
   delivered in subsequent update messages.

   There are two factors that determine specifically how responses are
   generated:

   The first factor is whether the query from the client included an LLQ
   or DNS Push Notification option (typical with long-lived service
   browsing PTR queries) or not (typical with one-shot operations like
   SRV or address record queries). Note that queries containing the LLQ
   or PUSH option are received directly from the client. Queries
   containing no LLQ or PUSH option are generally received via the
   client's configured recursive (caching) name server.

   The second factor is whether the Hybrid Proxy already has at least
   one record in its cache that positively answers the question.

   o  No LLQ or PUSH option; no answer in cache:
      Issue an mDNS query, exactly as a local client would issue an mDNS
      query on the local link for the desired record name, type and
      class, including retransmissions, as appropriate, according to the
      established mDNS retransmission schedule [RFC6762]. As soon as
      any Multicast DNS response packet is received that contains one or
      more positive answers to that question (with or without the Cache
      Flush bit [RFC6762] set), or a negative answer (signified via a
      Multicast DNS NSEC record [RFC6762]), the Hybrid Proxy generates a
      Unicast DNS response packet containing the corresponding (filtered
      and translated) answers and sends it to the remote client. If
      after six seconds no Multicast DNS answers have been received,
      return a negative response to the remote client. Six seconds is
      enough time to transmit three mDNS queries, and allow some time
      for responses to arrive.
      DNS TTLs in responses are capped to at most ten seconds.

   o  No LLQ or PUSH option; at least one answer in cache:
      Send response right away to minimise delay.
      DNS TTLs in responses are capped to at most ten seconds.
      No local mDNS queries are performed.
      (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
      Multicast DNS answer in its cache, it can reasonably assume that
      it has all of them.)

   o  Query contains LLQ or PUSH option; no answer in cache:
      As in the case above with no answer in the cache, perform mDNS
      querying for six seconds, and send a response to the remote client
      as soon as any relevant mDNS response is received.
      If after six seconds no relevant mDNS response has been received,
      return a negative response to the remote client (for LLQ; not
      applicable for PUSH). (Reasoning: We don't need to rush to send
      an empty answer.)
      Whether or not a relevant mDNS response is received within six
      seconds, the query remains active for as long as the client
      maintains the LLQ or PUSH state, and if mDNS answers are received
      later, LLQ or PUSH update messages are sent.
      DNS TTLs in responses are returned unmodified.

   o  Query contains LLQ or PUSH option; at least one answer in cache:
      As in the case above with at least one answer in cache, send
      response right away to minimise delay.
      The query remains active for as long as the client maintains the
      LLQ or PUSH state, and if additional mDNS answers are received
      later, LLQ or PUSH update messages are sent.
      (Reasoning: We want UI that is displayed very rapidly, yet
      continues to remain accurate even as the network environment
      changes.)
      DNS TTLs in responses are returned unmodified.

   Note that the "negative responses" referred to above are "no error no
   answer" negative responses, not NXDOMAIN. This is because the Hybrid
   Proxy cannot know all the Multicast DNS domain names that may exist
   on a link at any given time, so any name with no answers may have
   child names that do exist, making it an "empty nonterminal" name.

6. Administrative DNS Records

6.1. DNS SOA (Start of Authority) Record

   The MNAME field SHOULD contain the host name of the Hybrid Proxy
   device (i.e., the same domain name as the rdata of the NS record
   delegating the relevant zone(s) to this Hybrid Proxy device).

   The RNAME field SHOULD contain the mailbox of the person responsible
   for administering this Hybrid Proxy device.

   The SERIAL field MUST be zero.

   Zone transfers are undefined for Hybrid Proxy zones, and consequently
   the REFRESH, RETRY and EXPIRE fields have no useful meaning for
   Hybrid Proxy zones. These fields SHOULD contain reasonable default
   values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE
   86400.

   The MINIMUM field (used to control the lifetime of negative cache
   entries) SHOULD contain the value 10. The value of ten seconds is
   chosen based on user experience considerations (see Section 5.5.1).

   In the event that there are multiple Hybrid Proxy devices on a link
   for fault tolerance reasons, this will result in clients receiving
   inconsistent SOA records (different MNAME, and possibly RNAME)
   depending on which Hybrid Proxy answers their SOA query. However,
   since clients generally have no reason to use the MNAME or RNAME
   data, this is unlikely to cause any problems.

6.2. DNS NS Records

   In the event that there are multiple Hybrid Proxy devices on a link
   for fault tolerance reasons, the parent zone MUST be configured with
   glue records giving the names and addresses of all the Hybrid Proxy
   devices on the link.

   Each Hybrid Proxy device MUST be configured with its own NS record,
   and with the NS records of its fellow Hybrid Proxy devices on the
   same link, so that it can return the correct answers for NS queries.

6.3. DNS SRV Records

   In the event that a Hybrid Proxy implements LLQ [I-D.sekar-dns-llq]
   and/or DNS Push Notifications [I-D.ietf-dnssd-push] (as most SHOULD)
   they MUST generate answers for the appropriate corresponding
   _dns-llq._udp. and/or _dns-push-tls._tcp. SRV record queries.
   These records are conceptually inserted into the namespace of the
   corresponding zones. They do not exist in the ".local" namespace of
   the local link.

7. DNSSEC Issues

7.1. On-line Signing Only

   The authoritative server must possess the key in order to generate
   signed data from mDNS responses as they arrive. Therefore off-line
   signing is not applicable to a Hybrid Proxy.

7.2. NSEC and NSEC3 Records

   In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
   of certain names, also described as "authenticated denial of
   existence".

   Since a Hybrid Proxy only knows what names exist on the local link by
   issuing queries for them, and since it would be impractical to issue
   queries for every possible name just to find out which names exist
   and which do not, a Hybrid Proxy cannot programmatically synthesize
   the traditional NSEC and NSEC3 records which assert the nonexistence
   of a large range of names. Instead, when generating a negative
   response, a Hybrid Proxy programmatically synthesizes a single NSEC
   record asserting the nonexistence of just the specific name queried,
   and no others. Since the Hybrid Proxy has the zone signing key, it
   can do this on demand.
   Since the NSEC record asserts the nonexistence of only a single name,
   zone walking is not a concern, so NSEC3 is not necessary.

   Note that this applies only to traditional immediate DNS queries,
   which may return immediate negative answers when no immediate
   positive answer is available. When used with a DNS Push Notification
   subscription [I-D.ietf-dnssd-push] there are no negative answers,
   merely the absence of answers so far, which may change in the future
   if answers become available.

8. IPv6 Considerations

   An IPv6-only host and an IPv4-only host behave as "ships that pass in
   the night". Even if they are on the same Ethernet [802.3], neither
   is aware of the other's traffic. For this reason, each link may have
   *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
   Since for practical purposes, a group of IPv6-only hosts and a group
   of IPv4-only hosts on the same Ethernet act as if they were on two
   entirely separate Ethernet segments, it is unsurprising that their
   use of the ".local." zone should occur exactly as it would if they
   really were on two entirely separate Ethernet segments.

   It will be desirable to have a mechanism to 'stitch' together these
   two unrelated ".local." zones so that they appear as one. Such a
   mechanism will need to be able to differentiate between a dual-stack
   (v4/v6) host participating in both ".local." zones, and two different
   hosts, one IPv6-only and the other IPv4-only, which are both trying
   to use the same name(s). Such a mechanism will be specified in a
   future companion document.

   At present, it is RECOMMENDED that a Hybrid Proxy be configured with
   a single domain name for both the IPv4 and IPv6 ".local." zones on
   the local link, and when a unicast query is received, it should issue
   Multicast DNS queries using both IPv4 and IPv6 on the local link, and
   then combine the results.

9. Security Considerations

9.1. Authenticity

   A service proves its presence on a link by its ability to answer
   link-local multicast queries on that link. If greater security is
   desired, then the Hybrid Proxy mechanism should not be used, and
   something with stronger security should be used instead, such as
   authenticated secure DNS Update [RFC2136] [RFC3007].

9.2. Privacy

   The Domain Name System is, generally speaking, a global public
   database. Records that exist in the Domain Name System name
   hierarchy can be queried by name from, in principle, anywhere in the
   world. If services on a mobile device (like a laptop computer) are
   made visible via the Hybrid Proxy mechanism, then when those services
   become visible in a domain such as "My House.example.com" that might
   indicate to (potentially hostile) observers that the mobile device is
   in my house. When those services disappear from
   "My House.example.com" that change could be used by observers to
   infer when the mobile device (and possibly its owner) may have left
   the house. The privacy of this information may be protected using
   techniques like firewalls and split-view DNS, as are customarily used
   today to protect the privacy of corporate DNS information.

   The Hybrid Proxy could also provide sensitive records only to
   authenticated users. This is a general DNS problem, not specific to
   the Hybrid Proxy. Work is underway in the IETF to tackle this
   problem [RFC7626].

9.3. Denial of Service

   A remote attacker could use a rapid series of unique Unicast DNS
   queries to induce a Hybrid Proxy to generate a rapid series of
   corresponding Multicast DNS queries on one or more of its local
   links. Multicast traffic is generally more expensive than unicast
   traffic -- especially on Wi-Fi links -- which makes this attack
   particularly serious.
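   The mitigation this section goes on to require is a per-link limit
   on the Multicast DNS query packets the proxy emits on behalf of
   remote queriers. The following added example (not code from the
   draft or from any implementation it cites) shows one way to enforce
   it with a token bucket per link and to count what was dropped, so
   that an operator can alert on a remote source driving the proxy into
   its limit. The 20 packets/second figure for Wi-Fi is the draft's
   RECOMMENDED value; the Gigabit Ethernet figure, the interface names
   and the one-second burst allowance are constructed assumptions.

```python
import time
from typing import Callable, Dict


class TokenBucket:
    """Limits outbound Multicast DNS query packets on one link.

    The bucket refills at `rate` tokens per second and never holds more than
    `burst` tokens, so a sustained flood is clamped to `rate` packets/second.
    """

    def __init__(self, rate: float, burst: float,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity = float(rate), float(burst)
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()
        self.dropped = 0                     # counter for monitoring and alerting

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        self.dropped += 1
        return False


# Per-link limits in query packets per second. 20 for Wi-Fi is the draft's
# RECOMMENDED value; the Ethernet figure and interface names are constructed.
LINK_QUERY_LIMITS: Dict[str, float] = {"wlan0": 20.0, "eth0": 200.0}


class MdnsQueryGate:
    """Front door through which every remote-triggered mDNS query must pass."""

    def __init__(self, limits: Dict[str, float] = LINK_QUERY_LIMITS,
                 clock: Callable[[], float] = time.monotonic):
        # Burst allowance equals one second's worth of packets (an assumption).
        self.buckets = {link: TokenBucket(rate, rate, clock) for link, rate in limits.items()}

    def may_send(self, link: str) -> bool:
        bucket = self.buckets.get(link)
        if bucket is None:
            raise KeyError(f"no rate limit configured for link {link!r}")
        return bucket.allow()

    def drops(self, link: str) -> int:
        return self.buckets[link].dropped
```

   With an injected clock the behaviour is easy to check: twenty queries
   at t=0 pass on wlan0, the twenty-first is dropped, half a second
   later ten more tokens have accrued, and however long the link stays
   idle the next burst can never exceed twenty. A dropped-query counter
   that climbs steadily is the signal that remote clients are being
   rate limited in preference to the local link being flooded, which is
   the trade-off the following paragraph makes explicit.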
   To limit the damage that can be caused by such attacks, a Hybrid
   Proxy (or the underlying Multicast DNS subsystem which it utilizes)
   MUST implement Multicast DNS query rate limiting appropriate to the
   link technology in question. For today's 802.11b/g/n/ac Wi-Fi links
   (for which approximately 200 multicast packets per second is
   sufficient to consume approximately 100% of the wireless spectrum) a
   limit of 20 Multicast DNS query packets per second is RECOMMENDED.
   On other link technologies like Gigabit Ethernet higher limits may be
   appropriate. A consequence of this rate limiting is that a rogue
   remote client could issue an excessive number of queries, resulting
   in denial of service to other remote clients attempting to use that
   Hybrid Proxy. However, this is preferable to a rogue remote client
   being able to inflict even greater harm on the local network, which
   could impact the correct operation of all local clients on that
   network.

10. Intellectual Property Rights

   Apple has submitted an IPR disclosure concerning the technique
   proposed in this document. Details are available on the IETF IPR
   disclosure page [IPR2119].

11. IANA Considerations

   This document has no IANA Considerations.

12. Acknowledgments

   Thanks to Markus Stenberg for helping develop the policy regarding
   the four styles of unicast response according to what data is
   immediately available in the cache. Thanks to Anders Brandt, Tim
   Chown, Ralph Droms, Ray Hunter, Ted Lemon, Tom Pusateri, Markus
   Stenberg, Dave Thaler, and Andrew Yourtchenko for their comments.

13. References

13.1. Normative References

   [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
             STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.
   [RFC1035] Mockapetris, P., "Domain names - implementation and
             specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
             November 1987.

   [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
             and E. Lear, "Address Allocation for Private Internets",
             BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
             March 1997.

   [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
             NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998.

   [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
             10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
             November 2003.

   [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
             Configuration of IPv4 Link-Local Addresses", RFC 3927,
             DOI 10.17487/RFC3927, May 2005.

   [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
             Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862,
             September 2007.

   [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
             Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

   [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
             December 2012.

   [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
             Discovery", RFC 6763, December 2012.

   [I-D.ietf-dnssd-push]
             Pusateri, T. and S. Cheshire, "DNS Push Notifications",
             draft-ietf-dnssd-push-09 (work in progress), October 2016.

13.2. Informative References

   [HOME]    Cheshire, S., "Special Use Top Level Domain 'home'",
             draft-cheshire-homenet-dot-home (work in progress),
             November 2015.

   [IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
             Unicast/Multicast DNS-Based Service Discovery".

   [ohp]     "Hybrid Proxy implementation for OpenWrt".

   [I-D.sekar-dns-llq]
             Sekar, K., "DNS Long-Lived Queries",
             draft-sekar-dns-llq-01 (work in progress), August 2006.

   [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
             Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

   [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
             "Dynamic Updates in the Domain Name System (DNS UPDATE)",
             RFC 2136, DOI 10.17487/RFC2136, April 1997.

   [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
             Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

   [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
             Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

   [RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
             "Requirements for Scalable DNS-Based Service Discovery
             (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
             DOI 10.17487/RFC7558, July 2015.

   [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
             DOI 10.17487/RFC7626, August 2015.

   [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
             Control Protocol", RFC 7788, DOI 10.17487/RFC7788,
             April 2016.

   [RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
             to Replace the AppleTalk Name Binding Protocol (NBP)",
             RFC 6760, December 2012.

   [ZC]      Cheshire, S. and D. Steinberg, "Zero Configuration
             Networking: The Definitive Guide", O'Reilly Media, Inc.,
             ISBN 0-596-10100-7, December 2005.

   [802.1Q]  "IEEE Standard for Local and metropolitan area networks --
             Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
             November 2014.
1229 [802.3] "Information technology - Telecommunications and 1230 information exchange between systems - Local and 1231 metropolitan area networks - Specific requirements - Part 1232 3: Carrier Sense Multiple Access with Collision Detection 1233 (CMSA/CD) Access Method and Physical Layer 1234 Specifications", IEEE Std 802.3-2008, December 2008, 1235 . 1237 [802.5] "ISO/IEC 8802-5 Information technology - 1238 Telecommunications and information exchange between 1239 systems - Local and metropolitan area networks - Common 1240 specifications - Part 5: Token ring access method and 1241 physical layer specifications, (also ANSI/IEEE Std 802.5- 1242 1998), 1998.", IEEE Std 802.5-1998, October 1998, 1243 . 1245 [802.11] "Information technology - Telecommunications and 1246 information exchange between systems - Local and 1247 metropolitan area networks - Specific requirements - Part 1248 11: Wireless LAN Medium Access Control (MAC) and Physical 1249 Layer (PHY) Specifications", IEEE Std 802.11-2007, 1250 June 2007, 1251 . 1253 Appendix A. Implementation Status 1255 Some aspects of the mechanism specified in this document already 1256 exist in deployed software. Some aspects are new. This section 1257 outlines which aspects already exist and which are new. 1259 A.1. Already Implemented and Deployed 1261 Domain enumeration by the client (the "b._dns-sd._udp" queries) is 1262 already implemented and deployed. 1264 Unicast queries to the indicated discovery domain is already 1265 implemented and deployed. 1267 These are implemented and deployed in Mac OS X 10.4 and later 1268 (including all versions of Apple iOS, on all iPhone and iPads), in 1269 Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) 1270 and later. 1272 Domain enumeration and unicast querying have been used for several 1273 years at IETF meetings to make Terminal Room printers discoverable 1274 from outside the Terminal room. 
   When an IETF attendee presses Cmd-P
   on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal
   Room printers appear, that is because the client is sending unicast
   DNS queries to the IETF DNS servers.

A.2.  Already Implemented

   A minimal portable Hybrid Proxy implementation has been produced by
   Markus Stenberg and Steven Barth, which runs on OS X and several
   Linux variants including OpenWrt [ohp].  It was demonstrated at the
   Berlin IETF in July 2013.

   Tom Pusateri also has an implementation that runs on any Unix/Linux.
   It has a RESTful interface for management and an experimental demo
   CLI and web interface.

A.3.  Partially Implemented

   The current APIs make multiple domains visible to client software,
   but most client UI today lumps all discovered services into a single
   flat list.  This is largely a chicken-and-egg problem.  Application
   writers have naturally been reluctant to spend time writing
   domain-aware UI code when few customers today would benefit from it.
   If Hybrid Proxy deployment becomes common, then application writers
   will have a reason to provide better UI.  Existing applications will
   work with the Hybrid Proxy, but will show all services in a single
   flat list.  Applications with improved UI will group services by
   domain.

   The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
   this specification exists and is deployed, but has not been
   standardized by the IETF.  The IETF is considering standardizing a
   superior Long-Lived Query mechanism called DNS Push Notifications
   [I-D.ietf-dnssd-push].  The pragmatic short-term deployment approach
   is for vendors to produce Hybrid Proxies that implement both the
   deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's
   clients) and the new DNS Push Notifications mechanism
   [I-D.ietf-dnssd-push] as the preferred long-term direction.
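   What the "b._dns-sd._udp" domain-enumeration queries mentioned in
   Appendix A.1 look like on the wire, as an added example that is not
   part of this draft or of any of the implementations it describes.
   It follows the browsing-domain enumeration of RFC 6763 section 11 as
   the editor understands it: the client queries PTR records under
   b._dns-sd._udp at the reverse-mapped name of its own network and at
   its configured search domain, and each PTR target is a discovery
   domain it can then browse with unicast DNS-SD.  The client address,
   the search domain, and the server reply are all constructed here
   (example.com and iot.example.com are placeholders), so the script
   runs offline without sending any query.

```python
"""Added example: DNS-SD browsing-domain enumeration (RFC 6763 s11) on the wire.
Not code from draft-ietf-dnssd-hybrid.  All network data below is constructed."""

import ipaddress
import struct

QTYPE_PTR = 12
QCLASS_IN = 1
MAX_POINTER_HOPS = 16   # cap so a looping compression pointer in a hostile reply cannot hang us


def reverse_network_domain(address: str, prefix_len: int) -> str:
    """Reverse-mapped name of the IPv4 network the client sits on, host bits zeroed.
    RFC 6763 s11 example: 192.168.1.35/24 -> "0.1.168.192.in-addr.arpa." """
    net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
    return net.network_address.reverse_pointer + "."


def domain_enumeration_names(address: str, prefix_len: int, search_domain: str,
                             kind: str = "b") -> list[str]:
    """Names the client queries for PTR.  kind is one of the RFC 6763 s11 labels:
    b (browse), db (default browse), lb (legacy browse), r (register), dr (default register)."""
    bases = [reverse_network_domain(address, prefix_len), search_domain.rstrip(".") + "."]
    return [f"{kind}._dns-sd._udp.{base}" for base in bases]


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_ptr_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard unicast query: RD=1, one question, QTYPE=PTR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                        # stream resumes after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_ptr_answers(msg: bytes) -> list[str]:
    """Return the PTR targets (discovery domains) from a reply's answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:                             # RCODE != NOERROR: no domains
        return []
    offset = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    domains = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR and rclass == QCLASS_IN:
            target, _ = decode_name(msg, offset)
            domains.append(target)
        offset += rdlen
    return domains


def build_sample_response(query: bytes, targets: list[str], ttl: int = 3600) -> bytes:
    """Constructed reply to `query`: one PTR per target, owner name compressed to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(targets), 0, 0)   # QR=1, RD, RA
    answers = b""
    for target in targets:
        rdata = encode_name(target)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    names = domain_enumeration_names("192.168.1.35", 24, "example.com")   # constructed client
    query = build_ptr_query(names[0])
    reply = build_sample_response(query, ["example.com.", "iot.example.com."])
    print("query names:", names)
    print("discovery domains:", parse_ptr_answers(reply))
```

   The two defensive details worth noticing are the hop cap in
   decode_name (a reply whose compression pointer points at itself would
   otherwise loop forever) and the RCODE check in parse_ptr_answers.
   The discovery domains a client learns this way come from whatever
   resolver it is configured to use, so a Hybrid Proxy deployment
   inherits exactly the trust the client already places in that
   resolver.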
   The translating/filtering Hybrid Proxy specified in this document is
   itself only partially implemented: implementations are under
   development, and operational experience with these implementations
   has guided updates to this document.

A.4.  Not Yet Implemented

   Client implementations of the new DNS Push Notifications mechanism
   [I-D.ietf-dnssd-push] are currently underway.

   A mechanism to 'stitch' together multiple ".local." zones so that
   they appear as one is not yet implemented.  Such a stitching
   mechanism will be specified in a future companion document.  This
   stitching mechanism addresses the issue that if a printer is
   physically moved from one link to another, then conceptually the old
   service has disappeared from the DNS namespace, and a new service
   with a similar name has appeared.  This stitching mechanism will
   allow a service to change its point of attachment without changing
   the name by which it can be found.

Author's Address

   Stuart Cheshire
   Apple Inc.
   1 Infinite Loop
   Cupertino, California 95014
   USA

   Phone: +1 408 974 3207
   Email: cheshire@apple.com
