Internet Engineering Task Force                              S. Cheshire
Internet-Draft                                                Apple Inc.
Intended status: Standards Track                     September 13, 2017
Expires: March 17, 2018

        Discovery Proxy for Multicast DNS-Based Service Discovery
                       draft-ietf-dnssd-hybrid-07

Abstract

This document specifies a mechanism that uses Multicast DNS to automatically populate the wide-area unicast Domain Name System namespace with records describing devices and services found on the local link.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 17, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Operational Analogy
3. Conventions and Terminology Used in this Document
4. Compatibility Considerations
5. Discovery Proxy Operation
   5.1. Delegated Subdomain for Service Discovery Records
   5.2. Domain Enumeration
        5.2.1. Domain Enumeration via Unicast Queries
        5.2.2. Domain Enumeration via Multicast Queries
   5.3. Delegated Subdomain for LDH Host Names
   5.4. Delegated Subdomain for Reverse Mapping
   5.5. Data Translation
        5.5.1. DNS TTL limiting
        5.5.2. Suppressing Unusable Records
        5.5.3. NSEC and NSEC3 queries
        5.5.4. No Text Encoding Translation
        5.5.5. Application-Specific Data Translation
   5.6. Answer Aggregation
6. Administrative DNS Records
   6.1. DNS SOA (Start of Authority) Record
   6.2. DNS NS Records
   6.3. DNS SRV Records
7. DNSSEC Considerations
   7.1. On-line signing only
   7.2. NSEC and NSEC3 Records
8. IPv6 Considerations
9. Security Considerations
   9.1. Authenticity
   9.2. Privacy
   9.3. Denial of Service
10. Intellectual Property Rights
11. IANA Considerations
12. Acknowledgments
13. References
   13.1. Normative References
   13.2. Informative References
Appendix A. Implementation Status
   A.1. Already Implemented and Deployed
   A.2. Already Implemented
   A.3. Partially Implemented
   A.4. Not Yet Implemented
Author's Address

1. Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC].

For a small home network consisting of just a single link (or a few physical links bridged together to appear as a single logical link from the point of view of IP) Multicast DNS [RFC6762] is sufficient for client devices to look up the ".local" host names of peers on the same home network, and to use Multicast DNS-Based Service Discovery (DNS-SD) [RFC6763] to discover services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, are not propagated onto other links.

Using link-local multicast packets for Multicast DNS was a conscious design choice [RFC6762].
Even when limited to a single link, multicast traffic is still generally considered to be more expensive than unicast, because multicast traffic impacts many devices, instead of just a single recipient. In addition, with some technologies like Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and less reliable than unicast, because Wi-Fi multicast traffic is sent using the lower data rates, and is not acknowledged. Multiplying the amount of expensive multicast traffic by flooding it across multiple links would make the traffic load even worse.

Partitioning the network into many small links curtails the spread of expensive multicast traffic, but limits the discoverability of services. Using a very large local link with thousands of hosts enables better service discovery, but at the cost of larger amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require excessively large multicast domains, but requires that the relevant data be available in the Unicast DNS namespace. The Unicast DNS namespace in question could fall within a traditionally assigned globally unique domain name, or could use a private local unicast domain name such as ".home.arpa" [HOME].

In the DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

Making the relevant data available in the Unicast DNS namespace by manual DNS configuration (as has been done for many years at IETF meetings to advertise the IETF Terminal Room printer) is labor intensive, error prone, and requires a reasonable degree of DNS expertise.

Populating the Unicast DNS namespace via DNS Update by the devices offering the services themselves requires configuration of DNS Update keys on those devices, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence, to facilitate efficient and reliable DNS-Based Service Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.

This document specifies a type of proxy called a "Multicast Discovery Proxy" (or just "Discovery Proxy") that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

In principle, similar mechanisms could be defined using other local service discovery protocols, to discover local information and then make corresponding DNS records visible in the Unicast DNS namespace. Such mechanisms for other local service discovery protocols could be addressed in future documents.

The design of the Discovery Proxy is guided by the previously published Requirements for Scalable DNS-Based Service Discovery [RFC7558].

In simple terms, a descriptive DNS name is chosen for each link in an organization. Using a DNS NS record, responsibility for that DNS name is delegated to a Discovery Proxy physically attached to that link. Now, when a remote client issues a unicast query for a name falling within the delegated subdomain, the normal DNS delegation mechanism results in the unicast query arriving at the Discovery Proxy, since it has been declared authoritative for those names. Then, instead of consulting a textual zone file on disk to discover the answer to the query, as a traditional DNS server would, a Discovery Proxy consults its local link, using Multicast DNS, to find the answer to the question.
For fault tolerance reasons there may be more than one Discovery Proxy serving a given link.

Note that the Discovery Proxy uses a "pull" model. The local link is not queried using Multicast DNS until some remote client has requested that data. In the idle state, in the absence of client requests, the Discovery Proxy sends no packets and imposes no burden on the network. It operates purely "on demand".

An alternative proposal that has been suggested is a proxy that performs DNS updates to a remote DNS server on behalf of the Multicast DNS devices on the local network. The difficulty of this is that the proxy would have to be issuing all possible Multicast DNS queries all the time, to discover all the answers it needed to push up to the remote DNS server using DNS Update. It would thus generate very high load on the network continuously, even when there were no clients with any interest in that data.

Hence, having a model where the query comes to the Discovery Proxy is much more efficient than a model where the Discovery Proxy pushes the answers out to some other remote DNS server.

A client seeking to discover services and other information achieves this by sending traditional DNS queries to the Discovery Proxy, or by sending DNS Push Notification subscription requests [PUSH].

2. Operational Analogy

A Discovery Proxy does not operate as a multicast relay, or multicast forwarder. There is no danger of multicast forwarding loops that result in traffic storms, because no multicast packets are forwarded. A Discovery Proxy operates as a *proxy* for a remote client, performing queries on its behalf and reporting the results back.

A reasonable analogy would be making a telephone call to a colleague at your workplace and saying, "I'm out of the office right now. Would you mind bringing up a printer browser window and telling me the names of the printers you see?" That entails no risk of a forwarding loop causing a traffic storm, because no multicast packets are sent over the telephone call.

A similar analogy, instead of enlisting another human being to initiate the service discovery operation on your behalf, would be to log into your own desktop work computer using screen sharing, and then run the printer browser yourself to see the list of printers. Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the list of discovered printer names. In neither case is there any risk of a forwarding loop causing a traffic storm, because no multicast packets are being sent over the screen sharing or ssh connection.

The Discovery Proxy provides another way of performing remote queries, just using a different protocol instead of screen sharing or ssh.

When the Discovery Proxy software performs Multicast DNS operations, the exact same Multicast DNS caching mechanisms are applied as when any other client software on that Discovery Proxy device performs Multicast DNS operations, whether that be running a printer browser client locally, or a remote user running the printer browser client via a screen sharing connection, or a remote user logged in via ssh running a command-line tool like "dns-sd".

3. Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].

The Discovery Proxy builds on Multicast DNS, which works between hosts on the same link.
A set of hosts is considered to be "on the same link" if:

o when any host A from that set sends a packet to any other host B in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

o a broadcast sent over that link by any host from that set of hosts can be received by every other host in that set

The link-layer *header* may be modified, such as in Token Ring Source Routing [IEEE-5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

4. Compatibility Considerations

No changes to existing devices are required to work with a Discovery Proxy.

Existing devices that advertise services using Multicast DNS work with Discovery Proxy.

Existing clients that support DNS-Based Service Discovery over Unicast DNS work with Discovery Proxy. Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 in April 2005, and is included in Apple products introduced since then, including iPhone and iPad, as well as products from other vendors, such as Microsoft Windows 10.

5. Discovery Proxy Operation

In a typical configuration, a Discovery Proxy is configured to be authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authority for these subdomains is delegated to it via NS records:

A DNS subdomain for service discovery records.
This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

A DNS subdomain for IPv6 Reverse Mapping records.
This subdomain name will be a name that ends in "ip6.arpa."

A DNS subdomain for IPv4 Reverse Mapping records.
This subdomain name will be a name that ends in "in-addr.arpa."

In an enterprise network the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a home network naming and delegation would typically be performed using some automatic configuration mechanism such as HNCP [RFC7788].

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below in Sections 5.1, 5.3 and 5.4.

How a client discovers where to issue its service discovery queries is described below in Section 5.2.

5.1. Delegated Subdomain for Service Discovery Records

In its simplest form, each link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.
   +---------------+--------------+-------------+-------------------+
   | *example.com* | Building 1   | 1st Floor   | Alice's printer   |
   |               | Building 2   | *2nd Floor* | Bob's printer     |
   |               | *Building 3* | 3rd Floor   | Charlie's printer |
   |               | Building 4   | 4th Floor   |                   |
   |               | Building 5   |             |                   |
   |               | Building 6   |             |                   |
   +---------------+--------------+-------------+-------------------+

                      Figure 1: Illustrative GUI

Each named link in an organization has one or more Discovery Proxies which serve it. This Discovery Proxy function for each link could be performed by a device like a router or switch that is physically attached to that link. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the one or more Discovery Proxies that serve the named link. In other words, the Discovery Proxies are the authoritative name servers for that subdomain.

With appropriate VLAN configuration [IEEE-1Q] a single Discovery Proxy device could have a logical presence on many links, and serve as the Discovery Proxy for all those links. In such a configuration the Discovery Proxy device would have a single physical Ethernet [IEEE-3] port, configured as a VLAN trunk port, which would appear to software on that device as multiple virtual Ethernet interfaces, one connected to each of the VLAN links.

When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Discovery Proxy on the link in question. Like a conventional Unicast DNS server, a Discovery Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Discovery Proxy generates answers using Multicast DNS. A Discovery Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Discovery Proxy synthesizes the appropriate Unicast DNS response. How long the Discovery Proxy should wait to accumulate Multicast DNS responses is described below in Section 5.6.

Naturally, the existing Multicast DNS caching mechanism is used to minimize unnecessary Multicast DNS queries on the wire. The Discovery Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

5.2. Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries, using both unicast and multicast. If it receives a Domain Name configuration via DHCP option 15 [RFC2132], then it issues unicast queries using this domain. It issues unicast queries using names derived from its IPv6 prefix(es) and IPv4 subnet address(es). These are described below in Section 5.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 5.2.2. The results of all the Domain Enumeration queries are combined for Service Discovery purposes.

5.2.1. Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains, e.g.:

   b._dns-sd._udp.example.com.  PTR Building 1.example.com.
                                PTR Building 2.example.com.
                                PTR Building 3.example.com.
                                PTR Building 4.example.com.

   db._dns-sd._udp.example.com. PTR Building 1.example.com.

   lb._dns-sd._udp.example.com. PTR Building 1.example.com.

The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from and the "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, as of 2017). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65275 for the Answer Section.

An Answer Section Resource Record consists of:

o Owner name, encoded as a two-byte compression pointer
o Two-byte rrtype (type PTR)
o Two-byte rrclass (class IN)
o Four-byte ttl
o Two-byte rdlength
o rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.

In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.
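The sizing argument above is easier to check against real wire format than on paper. The following is an added example, not code from the draft or from any Discovery Proxy implementation: it builds a complete Domain Enumeration response (header, question, and one PTR record per browsing domain) with RFC 1035 name compression, so the two-byte owner pointer and the shared "example.com" suffix the draft relies on are visible in the byte count, and it applies the draft's own constants (65275-byte Answer Section budget, 268-byte worst-case record) to reproduce the 243 and 466 figures. The qname, TTL and sample domain names are constructed for the example.

```python
import struct

# Constants taken from the draft's sizing argument (Section 5.2.1).
ANSWER_BUDGET = 65275                    # bytes left for the Answer Section
WORST_CASE_RR = 2 + 2 + 2 + 4 + 2 + 256  # pointer, type, class, ttl, rdlength, max rdata
PTR, IN = 12, 1


def compress_name(name, table, offset):
    """Encode `name` in DNS wire format, assuming it will sit at message `offset`.

    `table` maps every name suffix already present in the message to its
    offset. The first suffix found there is emitted as a two-byte compression
    pointer (RFC 1035, Section 4.1.4); new suffixes are recorded for later use."""
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        if offset + len(out) <= 0x3FFF:          # pointers carry only 14 offset bits
            table[suffix] = offset + len(out)
        raw = label.encode("utf-8")              # DNS-SD names are UTF-8 [RFC6763]
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                                # root label terminates the name
    return bytes(out)


def build_enumeration_response(qname, domains, ttl=3600):
    """Complete response: header (QR=1, AA=1), the question, then one PTR RR per
    browsing domain whose owner is a pointer back to the qname."""
    table = {}
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 1, len(domains), 0, 0))
    msg += compress_name(qname, table, len(msg)) + struct.pack("!HH", PTR, IN)
    for domain in domains:
        msg += compress_name(qname, table, len(msg))        # owner -> 2-byte pointer
        msg += struct.pack("!HHI", PTR, IN, ttl)
        rdata = compress_name(domain, table, len(msg) + 2)  # +2: rdlength precedes rdata
        msg += struct.pack("!H", len(rdata)) + rdata
    return bytes(msg)


def max_domains(bytes_per_rr, budget=ANSWER_BUDGET):
    """Number of Answer Section records of a given size that fit in the budget."""
    return budget // bytes_per_rr


if __name__ == "__main__":
    # Constructed sample: the four browsing domains from the draft's example.
    domains = [f"Building {n}.example.com." for n in (1, 2, 3, 4)]
    msg = build_enumeration_response("b._dns-sd._udp.example.com.", domains)
    print(len(msg), "bytes on the wire for", len(domains), "domains")
    print(max_domains(WORST_CASE_RR), "domains worst case,", max_domains(140), "at 140 bytes/RR")
```

With the sample domains each PTR record occupies only 25 bytes (2-byte owner pointer, 10 bytes of fixed fields, 11 bytes for the "Building N" label and a 2-byte pointer to "example.com" in the question), which is why the draft's 140-byte average is a comfortable figure for realistic names.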
It is anticipated that this should be sufficient for even a large corporate network or university campus.

5.2.2. Domain Enumeration via Multicast Queries

Since a Discovery Proxy exists on many, if not all, the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients.

A Discovery Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

   b._dns-sd._udp.local.  PTR ?
   db._dns-sd._udp.local. PTR ?
   lb._dns-sd._udp.local. PTR ?

This provides the ability for Discovery Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link granularity. In some enterprises it may be preferable to provide this per-link configuration data in the form of Discovery Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

Regardless of how the network operator chooses to provide this configuration data, clients will perform Domain Enumeration via both unicast and multicast queries, and then combine the results of these queries.

5.3. Delegated Subdomain for LDH Host Names

DNS-SD service instance names and domains are allowed to contain arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8 [RFC3629].

Users typically interact with service discovery software by viewing a list of discovered service instance names on a display, and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking. To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and touch or click on the thing they want.

In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens (LDH), with no spaces or other punctuation.

While we still want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is less desirable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Discovery Proxy SHOULD support having two separate subdomains delegated to it for each link it serves, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records).

For example, a Discovery Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Discovery Proxy would then translate these two Multicast DNS records:

   My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
   prnt.local.                 A   203.0.113.2

into Unicast DNS records as follows:

   My Printer._ipp._tcp.Building 1.example.com.
                               SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com.     A   203.0.113.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

A Discovery Proxy MAY support only a single rich text Net-Unicode domain, and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments. Whether this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.

A Discovery Proxy MUST NOT be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.

5.4. Delegated Subdomain for Reverse Mapping

A Discovery Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.

To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Discovery Proxy. In other words, the Discovery Proxy becomes the authoritative name server for the reverse mapping domain. For fault tolerance reasons there may be more than one Discovery Proxy serving a given link.

For example, if a given link is using the IPv6 prefix 2001:0DB8:1234:5678/64, then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Discovery Proxy for that link.

If a given link is using the IPv4 subnet 203.0.113/24, then the domain "113.0.203.in-addr.arpa" is delegated to the Discovery Proxy for that link.
When a reverse mapping query arrives at the Discovery Proxy, it issues the identical query on its local link as a Multicast DNS query. The mechanism to force an apparently unicast name to be resolved using link-local Multicast DNS varies depending on the API set being used. For example, in the "/usr/include/dns_sd.h" APIs (available on macOS, iOS, Bonjour for Windows, Linux and Android), using kDNSServiceFlagsForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS. Other API sets have different ways of forcing multicast queries. When the host owning that IPv6 or IPv4 address responds with a name of the form "something.local", the Discovery Proxy rewrites that to use its configured LDH host name domain instead of "local", and returns the response to the caller.

For example, a Discovery Proxy with the two subdomains "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

   2.113.0.203.in-addr.arpa. PTR prnt.local.

into this Unicast DNS response:

   2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.

Subsequent queries for the prnt.bldg1.example.com address record, falling as it does within the bldg1.example.com domain, which is delegated to the Discovery Proxy, will arrive at the Discovery Proxy, where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.

5.5. Data Translation

Generating the appropriate Multicast DNS queries involves, at the very least, translating from the configured DNS domain (e.g., "Building 1.example.com") on the Unicast DNS side to "local" on the Multicast DNS side.

Generating the appropriate Unicast DNS responses involves translating back from "local" to the appropriate configured DNS Unicast domain.
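The name translation described in Sections 5.3, 5.4 and 5.5 is where a Discovery Proxy most easily gets a record subtly wrong (a host name landing in the rich-text subdomain, or an SRV target left pointing at ".local"). The following is an added example, not code from the draft or any implementation, that performs both directions for one link: the query name a unicast client sends is mapped onto the name to query with Multicast DNS, and each received Multicast DNS record is rewritten so that address records and SRV targets use the LDH host subdomain, service PTR and SRV owners use the rich-text subdomain, and reverse-mapping names pass through unchanged. The Record and LinkConfig types, and the hypothetical function names, are this example's own; the sample records are the draft's.

```python
from dataclasses import dataclass

LOCAL = "local."   # the Multicast DNS domain [RFC6762]


@dataclass(frozen=True)
class Record:
    name: str    # owner name in presentation format, with trailing dot
    rtype: str   # "A", "AAAA", "SRV", "PTR" or "TXT"
    rdata: str   # rdata in presentation format


@dataclass(frozen=True)
class LinkConfig:
    """Subdomains delegated to one Discovery Proxy for one link (Section 5)."""
    service_domain: str      # rich-text subdomain, e.g. "Building 1.example.com."
    host_domain: str         # LDH subdomain, e.g. "bldg1.example.com."
    reverse_domains: tuple   # e.g. ("113.0.203.in-addr.arpa.",)


def _under(name, domain):
    """True if `name` is `domain` itself or lies beneath it (case-insensitive)."""
    n, d = name.lower(), domain.lower()
    return n == d or n.endswith("." + d)


def _swap(name, old, new):
    """Replace the `old` domain suffix of `name` with `new`; unchanged if not under `old`."""
    return name[: len(name) - len(old)] + new if _under(name, old) else name


def _is_reverse(name, cfg):
    return any(_under(name, r) for r in cfg.reverse_domains)


def to_multicast(qname, cfg):
    """Unicast DNS query name -> name to query on the local link via Multicast DNS."""
    if _is_reverse(qname, cfg):
        return qname            # reverse-mapping queries are issued identically (Section 5.4)
    for domain in (cfg.service_domain, cfg.host_domain):
        if _under(qname, domain):
            return _swap(qname, domain, LOCAL)
    raise ValueError(f"not authoritative for {qname!r}")


def to_unicast(rec, cfg):
    """Multicast DNS record -> Unicast DNS record, owner and rdata names rewritten."""
    if _is_reverse(rec.name, cfg):
        owner = rec.name
    elif _under(rec.name, LOCAL):
        # Address records go under the LDH host subdomain, all other record
        # types under the rich-text service subdomain (Section 5.3).
        target = cfg.host_domain if rec.rtype in ("A", "AAAA") else cfg.service_domain
        owner = _swap(rec.name, LOCAL, target)
    else:
        raise ValueError(f"not a local-link record: {rec.name!r}")

    if rec.rtype == "SRV":
        prio, weight, port, host = rec.rdata.split()
        rdata = " ".join((prio, weight, port, _swap(host, LOCAL, cfg.host_domain)))
    elif rec.rtype == "PTR":
        # A reverse-mapping PTR names a host; a service PTR names a service instance.
        new_domain = cfg.host_domain if _is_reverse(rec.name, cfg) else cfg.service_domain
        rdata = _swap(rec.rdata, LOCAL, new_domain)
    else:
        rdata = rec.rdata       # A, AAAA and TXT rdata carry no names to translate
    return Record(owner, rec.rtype, rdata)


if __name__ == "__main__":
    cfg = LinkConfig("Building 1.example.com.", "bldg1.example.com.", ("113.0.203.in-addr.arpa.",))
    print(to_multicast("_printer._tcp.Building 1.example.com.", cfg))
    for rec in (Record("My Printer._ipp._tcp.local.", "SRV", "0 0 631 prnt.local."),
                Record("prnt.local.", "A", "203.0.113.2"),
                Record("2.113.0.203.in-addr.arpa.", "PTR", "prnt.local.")):
        print(to_unicast(rec, cfg))
```

Rejecting names the proxy is not authoritative for, rather than passing them through, matters on the query side: a forwarded query for a name outside the delegated subdomains would otherwise be turned into a Multicast DNS query on the link.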
   Other beneficial translation and filtering operations are described
   below.

5.5.1.  DNS TTL limiting

   For efficiency, Multicast DNS typically uses moderately high DNS TTL
   values.  For example, the typical TTL on DNS-SD PTR records is 75
   minutes.  What makes these moderately high TTLs acceptable is the
   cache coherency mechanisms built into the Multicast DNS protocol
   which protect against stale data persisting for too long.  When a
   service shuts down gracefully, it sends goodbye packets to remove its
   PTR records immediately from neighbouring caches.  If a service shuts
   down abruptly without sending goodbye packets, the Passive
   Observation Of Failures (POOF) mechanism described in Section 10.5 of
   the Multicast DNS specification [RFC6762] comes into play to purge
   the cache of stale data.

   A traditional Unicast DNS client on a remote link does not get to
   participate in these Multicast DNS cache coherency mechanisms on the
   local link.  For traditional Unicast DNS queries (those received
   without using Long-Lived Query [LLQ] or DNS Push Notification [PUSH])
   the DNS TTLs reported in the resulting Unicast DNS response SHOULD be
   capped to be no more than ten seconds.

   Similarly, for negative responses, the negative caching TTL indicated
   in the SOA record [RFC2308] should also be ten seconds (Section 6.1).

   This value of ten seconds is chosen based on user-experience
   considerations.

   For negative caching, suppose a user is attempting to access a remote
   device (e.g., a printer), and they are unsuccessful because that
   device is powered off.  Suppose they then place a telephone call and
   ask for the device to be powered on.  We want the device to become
   available to the user within a reasonable time period.  It is
   reasonable to expect it to take on the order of ten seconds for a
   simple device with a simple embedded operating system to power on.
   Once the device is powered on and has announced its presence on the
   network via Multicast DNS, we would like it to take no more than a
   further ten seconds for stale negative cache entries to expire from
   Unicast DNS caches, making the device available to the user desiring
   to access it.

   Similar reasoning applies to capping positive TTLs at ten seconds.
   In the event of a device moving location, getting a new DHCP address,
   or other renumbering events, we would like the updated information to
   be available to remote clients in a relatively timely fashion.

   However, network administrators should be aware that many recursive
   (caching) DNS servers by default are configured to impose a minimum
   TTL of 30 seconds.  If stale data appears to be persisting in the
   network to the extent that it adversely impacts user experience,
   network administrators are advised to check the configuration of
   their recursive DNS servers.

   For received Unicast DNS queries that use LLQ or DNS Push
   Notification, the Multicast DNS record's TTL SHOULD be returned
   unmodified, because the Push Notification channel exists to inform
   the remote client as records come and go.  For further details about
   Long-Lived Queries, and their newer replacement, DNS Push
   Notifications, see Section 5.6.

5.5.2.  Suppressing Unusable Records

   A Discovery Proxy SHOULD suppress Unicast DNS answers for records
   that are not useful outside the local link.  For example, DNS AAAA
   and A records for IPv6 link-local addresses [RFC4862] and IPv4
   link-local addresses [RFC3927] SHOULD be suppressed.  Similarly, for
   sites that have multiple private address realms [RFC1918], in cases
   where the Discovery Proxy can determine that the querying client is
   in a different address realm, private addresses MUST NOT be
   communicated to that client.
   IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed in cases
   where the Discovery Proxy can determine that the querying client is
   in a different IPv6 address realm.

   By the same logic, DNS SRV records that reference target host names
   that have no addresses usable by the requester should be suppressed,
   and likewise, DNS PTR records that point to unusable SRV records
   should similarly be suppressed.

5.5.3.  NSEC and NSEC3 queries

   Since a Discovery Proxy only knows what names exist on the local link
   by issuing queries for them, and since it would be impractical to
   issue queries for every possible name just to find out which names
   exist and which do not, a Discovery Proxy cannot programmatically
   generate the traditional NSEC and NSEC3 records which assert the
   nonexistence of a large range of names.

   When queried for an NSEC or NSEC3 record type, the Discovery Proxy
   issues a qtype "ANY" query using Multicast DNS on the local link, and
   then generates an NSEC or NSEC3 response signifying which record
   types do and do not exist for just the specific name queried, and no
   others.

   Multicast DNS NSEC records received on the local link MUST NOT be
   forwarded unmodified to a unicast querier, because there are slight
   differences in the NSEC record data.  In particular, Multicast DNS
   NSEC records do not have the NSEC bit set in the Type Bit Map,
   whereas conventional Unicast DNS NSEC records do have the NSEC bit
   set.

5.5.4.  No Text Encoding Translation

   A Discovery Proxy does no translation between text encodings.
   Specifically, a Discovery Proxy does no translation between Punycode
   and UTF-8, either in the owner name of DNS records, or anywhere in
   the RDATA of DNS records (such as the RDATA of PTR records, SRV
   records, NS records, or other record types like TXT, where it is
   ambiguous whether the RDATA may contain DNS names).
   All bytes are treated as-is, with no attempt at text encoding
   translation.  A client implementing DNS-based Service Discovery
   [RFC6763] will use UTF-8 encoding for its service discovery queries,
   which the Discovery Proxy passes through without any text encoding
   translation to the Multicast DNS subsystem.  Responses from the
   Multicast DNS subsystem are similarly returned, without any text
   encoding translation, back to the requesting client.

5.5.5.  Application-Specific Data Translation

   There may be cases where Application-Specific Data Translation is
   appropriate.

   For example, AirPrint printers tend to advertise fairly verbose
   information about their capabilities in their DNS-SD TXT record.  TXT
   record sizes in the range 500-1000 bytes are not uncommon.  This
   information is a legacy from LPR printing, because LPR does not have
   in-band capability negotiation, so all of this information is
   conveyed using the DNS-SD TXT record instead.  IPP printing does have
   in-band capability negotiation, but for convenience printers tend to
   include the same capability information in their IPP DNS-SD TXT
   records as well.  For local mDNS use this extra TXT record
   information is inefficient, but not fatal.  However, when a Discovery
   Proxy aggregates data from multiple printers on a link, and sends it
   via unicast (via UDP or TCP) this amount of unnecessary TXT record
   information can result in large responses.  A DNS reply over TCP
   carrying information about 70 printers with an average of 700 bytes
   per printer adds up to about 50 kilobytes of data.  Therefore, a
   Discovery Proxy that is aware of the specifics of an
   application-layer protocol such as AirPrint (which uses IPP) can
   elide unnecessary key/value pairs from the DNS-SD TXT record for
   better network efficiency.
   Also, the DNS-SD TXT record for many printers contains an "adminurl"
   key something like "adminurl=http://printername.local/status.html".
   For this URL to be useful outside the local link, the embedded
   ".local" hostname needs to be translated to an appropriate name with
   larger scope.  It is easy to translate ".local" names when they
   appear in well-defined places, either as a record's name, or in the
   rdata of record types like PTR and SRV.  In the printing case, some
   application-specific knowledge about the semantics of the "adminurl"
   key is needed for the Discovery Proxy to know that it contains a name
   that needs to be translated.  This is somewhat analogous to the need
   for NAT gateways to contain ALGs (Application-Specific Gateways) to
   facilitate the correct translation of protocols that embed addresses
   in unexpected places.

   As is the case with NAT ALGs, protocol designers are advised to avoid
   communicating names and addresses in nonstandard locations, because
   those "hidden" names and addresses are at risk of not being
   translated when necessary, resulting in operational failures.  In the
   printing case, the operational failure of failing to translate the
   "adminurl" key correctly is that, when accessed from a different
   link, printing will still work, but clicking the "Admin" UI button
   will fail to open the printer's administration page.  Rather than
   duplicating the host name from the service's SRV record in its
   "adminurl" key, thereby having the same host name appear in two
   places, a better design might have been to omit the host name from
   the "adminurl" key, and instead have the client implicitly substitute
   the target host name from the service's SRV record in place of a
   missing host name in the "adminurl" key.  That way the desired host
   name only appears once, and it is in a well-defined place where
   software like the Discovery Proxy is expecting to find it.
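   The two application-specific translations discussed above, as an
   added example that is not the draft's own code: the Python below
   parses a DNS-SD TXT record into its length-prefixed strings, elides
   an operator-chosen set of keys, and rewrites a ".local" host inside
   the "adminurl" value to the proxy's LDH domain, keeping every other
   byte as-is (Section 5.5.4) and enforcing the 255-byte limit on each
   string when the record is rebuilt.  The sample record is constructed
   for illustration, and the choice of which keys are redundant for IPP
   clients is an assumption of the demo: the draft does not name them.

```python
"""Application-specific DNS-SD TXT translation for a Discovery Proxy.
Added example, not the draft's own code.  The sample record and the set
of keys to elide are constructed for illustration."""
from urllib.parse import urlsplit, urlunsplit


def parse_txt(rdata: bytes):
    """Split TXT rdata (RFC 6763: a sequence of length-prefixed strings)
    into (key, value) pairs.  Bytes are kept as-is, with no text-encoding
    translation (Section 5.5.4); a string without '=' yields value None."""
    pairs, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        s = rdata[i + 1 : i + 1 + n]
        if len(s) != n:
            raise ValueError("truncated TXT string")
        i += 1 + n
        key, sep, value = s.partition(b"=")
        pairs.append((key, value if sep else None))
    return pairs


def build_txt(pairs) -> bytes:
    """Inverse of parse_txt; rejects strings over the 255-byte wire limit."""
    out = bytearray()
    for key, value in pairs:
        s = key if value is None else key + b"=" + value
        if len(s) > 255:
            raise ValueError("TXT string exceeds 255 bytes")
        out.append(len(s))
        out += s
    return bytes(out)


def rewrite_local_url(url: bytes, ldh_domain: str) -> bytes:
    """Replace a ".local" host in a URL with the proxy's LDH domain, keeping
    scheme, port, path and query.  Anything that is not an ASCII URL with a
    ".local" host is returned unchanged (user info, if any, is dropped)."""
    try:
        parts = urlsplit(url.decode("ascii"))
        host, port = parts.hostname, parts.port
    except (UnicodeDecodeError, ValueError):
        return url
    if not host or not host.rstrip(".").endswith(".local"):
        return url
    new_host = host.rstrip(".")[: -len(".local")] + "." + ldh_domain.strip(".")
    netloc = new_host if port is None else f"{new_host}:{port}"
    return urlunsplit(parts._replace(netloc=netloc)).encode("ascii")


def translate_txt(rdata: bytes, ldh_domain: str, elide=frozenset()) -> bytes:
    """Drop keys listed in `elide` (lower-case bytes) and translate the
    host embedded in "adminurl"; all other strings pass through untouched."""
    kept = []
    for key, value in parse_txt(rdata):
        k = key.lower()
        if k in elide:
            continue
        if k == b"adminurl" and value is not None:
            value = rewrite_local_url(value, ldh_domain)
        kept.append((key, value))
    return build_txt(kept)


# Constructed sample record, loosely modelled on an IPP printer's TXT record.
SAMPLE_TXT = build_txt([
    (b"txtvers", b"1"),
    (b"rp", b"ipp/print"),
    (b"adminurl", b"http://prnt.local/status.html"),
    (b"pdl", b"application/pdf,image/urf,image/jpeg"),
    (b"note", b"Building 1, floor 2"),
])

# Which capability keys are redundant for IPP clients is a deployment
# decision; this set is an assumption for the demo, not taken from the draft.
ELIDE_FOR_DEMO = frozenset({b"pdl"})

if __name__ == "__main__":
    out = translate_txt(SAMPLE_TXT, "bldg1.example.com.", ELIDE_FOR_DEMO)
    print(len(SAMPLE_TXT), "->", len(out), "bytes")
    for k, v in parse_txt(out):
        print(k, v)
```

   Keeping keys and values as bytes is deliberate: the proxy is not
   supposed to normalise or re-encode text, so only the one value whose
   semantics it understands ("adminurl") is ever decoded, and only as
   ASCII.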
   Note that this kind of Application-Specific Data Translation is
   expected to be very rare.  It is the exception, rather than the rule.
   This is an example of a common theme in computing.  It is frequently
   the case that it is wise to start with a clean, layered design, with
   clear boundaries.  Then, in certain special cases, those layer
   boundaries may be violated, where the performance and efficiency
   benefits outweigh the inelegance of the layer violation.

   These layer violations are optional.  They are done primarily for
   efficiency reasons, and generally should not be required for correct
   operation.  A Discovery Proxy MAY operate solely at the mDNS layer,
   without any knowledge of semantics at the DNS-SD layer or above.

5.6.  Answer Aggregation

   At first glance, simply gathering multicast answers and forwarding
   them in a unicast response seems adequate, but it raises the question
   of how long the Discovery Proxy should wait to be sure that it has
   received all the Multicast DNS answers it needs to form a complete
   Unicast DNS response.  If it waits too little time, then it risks its
   Unicast DNS response being incomplete.  If it waits too long, then it
   creates a poor user experience at the client end.  In fact, there may
   be no time which is both short enough to produce a good user
   experience and at the same time long enough to reliably produce
   complete results.

   Similarly, the Discovery Proxy -- the authoritative name server for
   the subdomain in question -- needs to decide what DNS TTL to report
   for these records.  If the TTL is too long then the recursive
   (caching) name servers issuing queries on behalf of their clients
   risk caching stale data for too long.  If the TTL is too short then
   the amount of network traffic will be more than necessary.
   In fact, there may be no TTL which is both short enough to avoid
   undesirable stale data and at the same time long enough to be
   efficient on the network.

   Both these dilemmas are solved by use of DNS Long-Lived Queries
   (DNS LLQ) [LLQ] or its newer replacement, DNS Push Notifications
   [PUSH].

   Clients supporting unicast DNS Service Discovery SHOULD implement DNS
   Push Notifications [PUSH] for improved user experience.

   Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push,
   and when talking to a Discovery Proxy that supports both, the client
   may use either protocol, as it chooses, though it is expected that
   only DNS Push will continue to be supported in the long run.

   When a Discovery Proxy receives a query using DNS LLQ or DNS Push
   Notification, it responds immediately using the Multicast DNS records
   it already has in its cache (if any).  This provides a good client
   user experience by providing a near-instantaneous response.
   Simultaneously, the Discovery Proxy issues a Multicast DNS query on
   the local link to discover if there are any additional Multicast DNS
   records it did not already know about.  Should additional Multicast
   DNS responses be received, these are then delivered to the client
   using additional DNS LLQ or DNS Push Notification update messages.
   The timeliness of such update messages is limited only by the
   timeliness of the device responding to the Multicast DNS query.  If
   the Multicast DNS device responds quickly, then the update message is
   delivered quickly.  If the Multicast DNS device responds slowly, then
   the update message is delivered slowly.  The benefit of using update
   messages is that the Discovery Proxy can respond promptly because it
   doesn't have to delay its unicast response to allow for the expected
   worst-case delay for receiving all the Multicast DNS responses.
   Even if a proxy were to try to provide reliability by assuming an
   excessively pessimistic worst-case time (thereby giving a very poor
   user experience) there would still be the risk of a slow Multicast
   DNS device taking even longer than that (e.g., a device that is not
   even powered on until ten seconds after the initial query is
   received) resulting in incomplete responses.  Using update messages
   solves this dilemma: even very late responses are not lost; they are
   delivered in subsequent update messages.

   There are two factors that determine specifically how responses are
   generated:

   The first factor is whether the query from the client used LLQ or DNS
   Push Notification (typical with long-lived service browsing PTR
   queries) or not (typical with one-shot operations like SRV or address
   record queries).  Note that queries using LLQ or DNS Push
   Notification are received directly from the client.  Queries not
   using LLQ or DNS Push Notification are generally received via the
   client's configured recursive (caching) name server.

   The second factor is whether the Discovery Proxy already has at least
   one record in its cache that positively answers the question.

   o  Not using LLQ or Push Notification; no answer in cache:
      Issue an mDNS query, exactly as a local client would issue an mDNS
      query on the local link for the desired record name, type and
      class, including retransmissions, as appropriate, according to the
      established mDNS retransmission schedule [RFC6762].  As soon as
      any Multicast DNS response packet is received that contains one or
      more positive answers to that question (with or without the Cache
      Flush bit [RFC6762] set), or a negative answer (signified via a
      Multicast DNS NSEC record [RFC6762]), the Discovery Proxy
      generates a Unicast DNS response packet containing the
      corresponding (filtered and translated) answers and sends it to
      the remote client.
      If after six seconds no Multicast DNS answers have been received,
      return a negative response to the remote client.  Six seconds is
      enough time to transmit three mDNS queries, and allow some time
      for responses to arrive.
      DNS TTLs in responses are capped to at most ten seconds.

   o  Not using LLQ or Push Notification; at least one answer in cache:
      Send response right away to minimise delay.
      DNS TTLs in responses are capped to at most ten seconds.
      No local mDNS queries are performed.
      (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
      Multicast DNS answer in its cache, it can reasonably assume that
      it has all of them.)

   o  Using LLQ or Push Notification; no answer in cache:
      As in the case above with no answer in the cache, perform mDNS
      querying for six seconds, and send a response to the remote client
      as soon as any relevant mDNS response is received.
      If after six seconds no relevant mDNS response has been received,
      return a negative response to the remote client (for LLQ; not
      applicable for PUSH).
      (Reasoning: We don't need to rush to send an empty answer.)
      Whether or not a relevant mDNS response is received within six
      seconds, the query remains active for as long as the client
      maintains the LLQ or PUSH state, and if mDNS answers are received
      later, LLQ or PUSH update messages are sent.
      DNS TTLs in responses are returned unmodified.

   o  Using LLQ or Push Notification; at least one answer in cache:
      As in the case above with at least one answer in cache, send
      response right away to minimise delay.
      The query remains active for as long as the client maintains the
      LLQ or PUSH state, and if additional mDNS answers are received
      later, LLQ or PUSH update messages are sent.
      (Reasoning: We want UI that is displayed very rapidly, yet
      continues to remain accurate even as the network environment
      changes.)
      DNS TTLs in responses are returned unmodified.

   Note that the "negative responses" referred to above are "no error no
   answer" negative responses, not NXDOMAIN.  This is because the
   Discovery Proxy cannot know all the Multicast DNS domain names that
   may exist on a link at any given time, so any name with no answers
   may have child names that do exist, making it an "empty nonterminal"
   name.

6.  Administrative DNS Records

6.1.  DNS SOA (Start of Authority) Record

   The MNAME field SHOULD contain the host name of the Discovery Proxy
   device (i.e., the same domain name as the rdata of the NS record
   delegating the relevant zone(s) to this Discovery Proxy device).

   The RNAME field SHOULD contain the mailbox of the person responsible
   for administering this Discovery Proxy device.

   The SERIAL field MUST be zero.

   Zone transfers are undefined for Discovery Proxy zones, and
   consequently the REFRESH, RETRY and EXPIRE fields have no useful
   meaning for Discovery Proxy zones.  These fields SHOULD contain
   reasonable default values.  The RECOMMENDED values are: REFRESH 7200,
   RETRY 3600, EXPIRE 86400.

   The MINIMUM field (used to control the lifetime of negative cache
   entries) SHOULD contain the value 10.  The value of ten seconds is
   chosen based on user-experience considerations (see Section 5.5.1).

   In the event that there are multiple Discovery Proxy devices on a
   link for fault tolerance reasons, this will result in clients
   receiving inconsistent SOA records (different MNAME, and possibly
   RNAME) depending on which Discovery Proxy answers their SOA query.
   However, since clients generally have no reason to use the MNAME or
   RNAME data, this is unlikely to cause any problems.

6.2.  DNS NS Records

   In the event that there are multiple Discovery Proxy devices on a
   link for fault tolerance reasons, the parent zone MUST be configured
   with glue records giving the names and addresses of all the Discovery
   Proxy devices on the link.

   Each Discovery Proxy device MUST be configured with its own NS
   record, and with the NS records of its fellow Discovery Proxy devices
   on the same link, so that it can return the correct answers for NS
   queries.

6.3.  DNS SRV Records

   In the event that a Discovery Proxy implements Long-Lived Queries
   [LLQ] and/or DNS Push Notifications [PUSH] (as most SHOULD) they MUST
   generate answers for the appropriate corresponding
   _dns-llq._udp. and/or _dns-push-tls._tcp. SRV record
   queries.  These records are conceptually inserted into the namespace
   of the corresponding zones.  They do not exist in the ".local"
   namespace of the local link.

7.  DNSSEC Considerations

7.1.  On-line signing only

   The Discovery Proxy acts as the authoritative name server for
   designated subdomains, and if DNSSEC is to be used, the Discovery
   Proxy needs to possess a copy of the signing keys, in order to
   generate authoritative signed data from the local Multicast DNS
   responses it receives.  Off-line signing is not applicable to a
   Discovery Proxy.

7.2.  NSEC and NSEC3 Records

   In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
   of certain names, also described as "authenticated denial of
   existence".

   Since a Discovery Proxy only knows what names exist on the local link
   by issuing queries for them, and since it would be impractical to
   issue queries for every possible name just to find out which names
   exist and which do not, a Discovery Proxy cannot programmatically
   synthesize the traditional NSEC and NSEC3 records which assert the
   nonexistence of a large range of names.
   Instead, when generating a negative response, a Discovery Proxy
   programmatically synthesizes a single NSEC record asserting the
   nonexistence of just the specific name queried, and no others.  Since
   the Discovery Proxy has the zone signing key, it can do this on
   demand.  Since the NSEC record asserts the nonexistence of only a
   single name, zone walking is not a concern, so NSEC3 is not
   necessary.

   Note that this applies only to traditional immediate DNS queries,
   which may return immediate negative answers when no immediate
   positive answer is available.  When used with a DNS Push Notification
   subscription [PUSH] there are no negative answers, merely the absence
   of answers so far, which may change in the future if answers become
   available.

8.  IPv6 Considerations

   An IPv6-only host and an IPv4-only host behave as "ships that pass in
   the night".  Even if they are on the same Ethernet [IEEE-3], neither
   is aware of the other's traffic.  For this reason, each link may have
   *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
   Since for practical purposes, a group of IPv6-only hosts and a group
   of IPv4-only hosts on the same Ethernet act as if they were on two
   entirely separate Ethernet segments, it is unsurprising that their
   use of the ".local." zone should occur exactly as it would if they
   really were on two entirely separate Ethernet segments.

   It will be desirable to have a mechanism to 'stitch' together these
   two unrelated ".local." zones so that they appear as one.  Such a
   mechanism will need to be able to differentiate between a dual-stack
   (v4/v6) host participating in both ".local." zones, and two different
   hosts, one IPv6-only and the other IPv4-only, which are both trying
   to use the same name(s).  Such a mechanism will be specified in a
   future companion document.
   At present, it is RECOMMENDED that a Discovery Proxy be configured
   with a single domain name for both the IPv4 and IPv6 ".local." zones
   on the local link, and when a unicast query is received, it should
   issue Multicast DNS queries using both IPv4 and IPv6 on the local
   link, and then combine the results.

9.  Security Considerations

9.1.  Authenticity

   A service proves its presence on a link by its ability to answer
   link-local multicast queries on that link.  If greater security is
   desired, then the Discovery Proxy mechanism should not be used, and
   something with stronger security should be used instead, such as
   authenticated secure DNS Update [RFC2136] [RFC3007].

9.2.  Privacy

   The Domain Name System is, generally speaking, a global public
   database.  Records that exist in the Domain Name System name
   hierarchy can be queried by name from, in principle, anywhere in the
   world.  If services on a mobile device (like a laptop computer) are
   made visible via the Discovery Proxy mechanism, then when those
   services become visible in a domain such as "My House.example.com"
   that might indicate to (potentially hostile) observers that the
   mobile device is in my house.  When those services disappear from
   "My House.example.com" that change could be used by observers to
   infer when the mobile device (and possibly its owner) may have left
   the house.  The privacy of this information may be protected using
   techniques like firewalls, split-view DNS, and Virtual Private
   Networks (VPNs), as are customarily used today to protect the privacy
   of corporate DNS information.

   The Discovery Proxy could also provide sensitive records only to
   authenticated users.  This is a general DNS problem, not specific to
   the Discovery Proxy.  Work is underway in the IETF to tackle this
   problem [RFC7626].

9.3.  Denial of Service

   A remote attacker could use a rapid series of unique Unicast DNS
   queries to induce a Discovery Proxy to generate a rapid series of
   corresponding Multicast DNS queries on one or more of its local
   links.  Multicast traffic is generally more expensive than unicast
   traffic -- especially on Wi-Fi links -- which makes this attack
   particularly serious.  To limit the damage that can be caused by such
   attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem
   which it utilizes) MUST implement Multicast DNS query rate limiting
   appropriate to the link technology in question.  For today's
   802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
   packets per second is sufficient to consume approximately 100% of the
   wireless spectrum) a limit of 20 Multicast DNS query packets per
   second is RECOMMENDED.  On other link technologies like Gigabit
   Ethernet higher limits may be appropriate.  A consequence of this
   rate limiting is that a rogue remote client could issue an excessive
   number of queries, resulting in denial of service to other remote
   clients attempting to use that Discovery Proxy.  However, this is
   preferable to a rogue remote client being able to inflict even
   greater harm on the local network, which could impact the correct
   operation of all local clients on that network.

10.  Intellectual Property Rights

   Apple has submitted an IPR disclosure concerning the technique
   proposed in this document.  Details are available on the IETF IPR
   disclosure page [IPR2119].

11.  IANA Considerations

   This document has no IANA Considerations.

12.  Acknowledgments

   Thanks to Markus Stenberg for helping develop the policy regarding
   the four styles of unicast response according to what data is
   immediately available in the cache.
   Thanks to Anders Brandt, Tim Chown, Ralph Droms, Ray Hunter, Ted
   Lemon, Tom Pusateri, Markus Stenberg, Dave Thaler, and Andrew
   Yourtchenko for their comments.

13.  References

13.1.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
              and E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003.

   [RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
              Configuration of IPv4 Link-Local Addresses", RFC 3927,
              DOI 10.17487/RFC3927, May 2005.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007.

   [RFC5198]  Klensin, J. and M. Padlipsky, "Unicode Format for Network
              Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              December 2012.

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, December 2012.

   [PUSH]     Pusateri, T. and S. Cheshire, "DNS Push Notifications",
              draft-ietf-dnssd-push-12 (work in progress), July 2017.

13.2.  Informative References

   [HOME]     Pfister, P. and T. Lemon, "Special Use Domain
              '.home.arpa'", draft-ietf-homenet-dot-07 (work in
              progress), June 2017.

   [IPR2119]  "Apple Inc.'s Statement about IPR related to Hybrid
              Unicast/Multicast DNS-Based Service Discovery".

   [ohp]      "Discovery Proxy (Hybrid Proxy) implementation for
              OpenWrt".

   [LLQ]      Sekar, K., "DNS Long-Lived Queries",
              draft-sekar-dns-llq-01 (work in progress), August 2006.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

   [RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, DOI 10.17487/RFC2136, April 1997.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

   [RFC7558]  Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
              "Requirements for Scalable DNS-Based Service Discovery
              (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
              DOI 10.17487/RFC7558, July 2015.

   [RFC7626]  Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
              DOI 10.17487/RFC7626, August 2015.

   [RFC7788]  Stenberg, M., Barth, S., and P. Pfister, "Home Networking
              Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
              2016.

   [RFC6760]  Cheshire, S. and M. Krochmal, "Requirements for a Protocol
              to Replace the AppleTalk Name Binding Protocol (NBP)",
              RFC 6760, December 2012.

   [ZC]       Cheshire, S. and D. Steinberg, "Zero Configuration
              Networking: The Definitive Guide", O'Reilly Media, Inc.,
              ISBN 0-596-10100-7, December 2005.
   [IEEE-1Q]  "IEEE Standard for Local and metropolitan area networks --
              Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
              November 2014.

   [IEEE-3]   "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              3: Carrier Sense Multiple Access with Collision Detection
              (CSMA/CD) Access Method and Physical Layer
              Specifications", IEEE Std 802.3-2008, December 2008.

   [IEEE-5]   Institute of Electrical and Electronics Engineers,
              "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              5: Token ring access method and physical layer
              specification", IEEE Std 802.5-1998, 1995.

   [IEEE-11]  "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              11: Wireless LAN Medium Access Control (MAC) and Physical
              Layer (PHY) Specifications", IEEE Std 802.11-2007, June
              2007.

Appendix A.  Implementation Status

   Some aspects of the mechanism specified in this document already
   exist in deployed software.  Some aspects are new.  This section
   outlines which aspects already exist and which are new.

A.1.  Already Implemented and Deployed

   Domain enumeration by the client (the "b._dns-sd._udp" queries) is
   already implemented and deployed.

   Unicast queries to the indicated discovery domain are already
   implemented and deployed.

   These are implemented and deployed in Mac OS X 10.4 and later
   (including all versions of Apple iOS, on all iPhones and iPads), in
   Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
   and later.
   Domain enumeration and unicast querying have been used for several
   years at IETF meetings to make Terminal Room printers discoverable
   from outside the Terminal Room.  When an IETF attendee presses Cmd-P
   on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal
   Room printers appear, that is because the client is sending unicast
   DNS queries to the IETF DNS servers.

A.2.  Already Implemented

   A minimal portable Discovery Proxy implementation has been produced
   by Markus Stenberg and Steven Barth, which runs on OS X and several
   Linux variants including OpenWrt [ohp].  It was demonstrated at the
   Berlin IETF in July 2013.

   Tom Pusateri also has an implementation that runs on any Unix/Linux.
   It has a RESTful interface for management and an experimental demo
   CLI and web interface.

A.3.  Partially Implemented

   The current APIs make multiple domains visible to client software,
   but most client UI today lumps all discovered services into a single
   flat list.  This is largely a chicken-and-egg problem.  Application
   writers were naturally reluctant to spend time writing domain-aware
   UI code when few customers today would benefit from it.  If Discovery
   Proxy deployment becomes common, then application writers will have a
   reason to provide better UI.  Existing applications will work with
   the Discovery Proxy, but will show all services in a single flat
   list.  Applications with improved UI will group services by domain.

   The Long-Lived Query mechanism [LLQ] referred to in this
   specification exists and is deployed, but has not been standardized
   by the IETF.  The IETF is considering standardizing a superior Long-
   Lived Query mechanism called DNS Push Notifications [PUSH].  The
   pragmatic short-term deployment approach is for vendors to produce
   Discovery Proxies that implement both the deployed Long-Lived Query
   mechanism [LLQ] (for today's clients) and the new DNS Push
   Notifications mechanism [PUSH] as the preferred long-term direction.

   The translating/filtering Discovery Proxy specified in this document
   is partially implemented.  Implementations are under development, and
   operational experience with these implementations has guided updates
   to this document.

A.4.  Not Yet Implemented

   Client implementations of the new DNS Push Notifications mechanism
   [PUSH] are currently underway.

   A mechanism to 'stitch' together multiple ".local." zones so that
   they appear as one has not yet been implemented.  Such a stitching
   mechanism will be specified in a future companion document.  This
   stitching mechanism addresses the issue that if a printer is
   physically moved from one link to another, then conceptually the old
   service has disappeared from the DNS namespace, and a new service
   with a similar name has appeared.  This stitching mechanism will
   allow a service to change its point of attachment without changing
   the name by which it can be found.

Author's Address

   Stuart Cheshire
   Apple Inc.
   1 Infinite Loop
   Cupertino, California 95014
   USA

   Phone: +1 408 974 3207
   Email: cheshire@apple.com
