Internet Engineering Task Force                              S. Cheshire
Internet-Draft                                                Apple Inc.
Intended status: Standards Track                          March 11, 2019
Expires: September 12, 2019

          Discovery Proxy for Multicast DNS-Based Service Discovery
                         draft-ietf-dnssd-hybrid-09

Abstract

This document specifies a network proxy that uses Multicast DNS to automatically populate the wide-area unicast Domain Name System namespace with records describing devices and services found on the local link.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2019.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1.  Introduction
2.  Operational Analogy
3.  Conventions and Terminology Used in this Document
4.  Compatibility Considerations
5.  Discovery Proxy Operation
    5.1.  Delegated Subdomain for Service Discovery Records
    5.2.  Domain Enumeration
        5.2.1.  Domain Enumeration via Unicast Queries
        5.2.2.  Domain Enumeration via Multicast Queries
    5.3.  Delegated Subdomain for LDH Host Names
    5.4.  Delegated Subdomain for Reverse Mapping
    5.5.  Data Translation
        5.5.1.  DNS TTL limiting
        5.5.2.  Suppressing Unusable Records
        5.5.3.  NSEC and NSEC3 queries
        5.5.4.  No Text Encoding Translation
        5.5.5.  Application-Specific Data Translation
    5.6.  Answer Aggregation
6.  Administrative DNS Records
    6.1.  DNS SOA (Start of Authority) Record
    6.2.  DNS NS Records
    6.3.  DNS SRV Records
7.  DNSSEC Considerations
    7.1.  On-line signing only
    7.2.  NSEC and NSEC3 Records
8.  IPv6 Considerations
9.  Security Considerations
    9.1.  Authenticity
    9.2.  Privacy
    9.3.  Denial of Service
10. IANA Considerations
11. Acknowledgments
12. References
    12.1.  Normative References
    12.2.  Informative References
Appendix A.  Implementation Status
    A.1.  Already Implemented and Deployed
    A.2.  Already Implemented
    A.3.  Partially Implemented
    A.4.  Not Yet Implemented
Author's Address

1.  Introduction

Multicast DNS [RFC6762] and its companion technology DNS-based Service Discovery [RFC6763] were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known [RFC6760] [ZC] [Roadmap].

For a small home network consisting of just a single link (or a few physical links bridged together to appear as a single logical link from the point of view of IP) Multicast DNS [RFC6762] is sufficient for client devices to look up the ".local" host names of peers on the same home network, and to use Multicast DNS-Based Service Discovery (DNS-SD) [RFC6763] to discover services offered on that home network.

For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, are not propagated onto other links.

Using link-local multicast packets for Multicast DNS was a conscious design choice [RFC6762]. Even when limited to a single link, multicast traffic is still generally considered to be more expensive than unicast, because multicast traffic impacts many devices, instead of just a single recipient. In addition, with some technologies like Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and less reliable than unicast, because Wi-Fi multicast traffic is sent at lower data rates, and is not acknowledged. Increasing the amount of expensive multicast traffic by flooding it across multiple links would make the traffic load even worse.

Partitioning the network into many small links curtails the spread of expensive multicast traffic, but limits the discoverability of services.
At the opposite end of the spectrum, using a very large local link with thousands of hosts enables better service discovery, but at the cost of larger amounts of multicast traffic.

Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require large multicast domains, but does require that the relevant data be available in the Unicast DNS namespace. The Unicast DNS namespace in question could fall within a traditionally assigned globally unique domain name, or could use a private local unicast domain name such as ".home.arpa" [I-D.ietf-homenet-dot].

In the DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV, TXT and address records can make their way into the Unicast DNS namespace, including manual zone file configuration [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of various kinds.

Making the relevant data available in the Unicast DNS namespace by manual DNS configuration is one option. This option has been used for many years at IETF meetings to advertise the IETF Terminal Room printer. Details of this example are given in Appendix A of the Roadmap document [Roadmap]. However, this manual DNS configuration is labor intensive, error prone, and requires a reasonable degree of DNS expertise.

Populating the Unicast DNS namespace via DNS Update by the devices offering the services themselves is another option [RegProt] [DNS-UL]. However, this requires configuration of DNS Update keys on those devices, which has proven onerous and impractical for simple devices like printers and network cameras.

Hence, to facilitate efficient and reliable DNS-Based Service Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS.
This document specifies a type of proxy called a "Discovery Proxy" that uses Multicast DNS [RFC6762] to discover Multicast DNS records on its local link, and makes corresponding DNS records visible in the Unicast DNS namespace.

In principle, similar mechanisms could be defined using other local service discovery protocols, to discover local information and then make corresponding DNS records visible in the Unicast DNS namespace. Such mechanisms for other local service discovery protocols could be addressed in future documents.

The design of the Discovery Proxy is guided by the previously published requirements document [RFC7558].

In simple terms, a descriptive DNS name is chosen for each link in an organization. Using a DNS NS record, responsibility for that DNS name is delegated to a Discovery Proxy physically attached to that link. Now, when a remote client issues a unicast query for a name falling within the delegated subdomain, the normal DNS delegation mechanism results in the unicast query arriving at the Discovery Proxy, since it has been declared authoritative for those names. Now, instead of consulting a textual zone file on disk to discover the answer to the query, as a traditional DNS server would, a Discovery Proxy consults its local link, using Multicast DNS, to find the answer to the question.

For fault tolerance reasons there may be more than one Discovery Proxy serving a given link.

Note that the Discovery Proxy uses a "pull" model. The local link is not queried using Multicast DNS until some remote client has requested that data. In the idle state, in the absence of client requests, the Discovery Proxy sends no packets and imposes no burden on the network. It operates purely "on demand".
An alternative proposal that has been discussed is a proxy that performs DNS updates to a remote DNS server on behalf of the Multicast DNS devices on the local network. The difficulty with this is that Multicast DNS devices do not routinely announce their records on the network. Generally they remain silent until queried. This means that the complete set of Multicast DNS records in use on a link can only be discovered by active querying, not by passive listening. Because of this, a proxy can only know what names exist on a link by issuing queries for them, and since it would be impractical to issue queries for every possible name just to find out which names exist and which do not, there is no reasonable way for a proxy to programmatically learn all the answers it would need to push up to the remote DNS server using DNS Update. Even if such a mechanism were possible, it would risk generating high load on the network continuously, even when there are no clients with any interest in that data.

Hence, having a model where the query comes to the Discovery Proxy is much more efficient than a model where the Discovery Proxy pushes the answers out to some other remote DNS server.

A client seeking to discover services and other information achieves this by sending traditional DNS queries to the Discovery Proxy, or by sending DNS Push Notification subscription requests [Push].

How a client discovers what domain name(s) to use for its service discovery queries (and consequently what Discovery Proxy or Proxies to use) is described in Section 5.2.

The diagram below illustrates a network topology using a Discovery Proxy to provide discovery service to a remote client.

   +--------+    Unicast    +-----------+   +---------+   +---------+
   | Remote | Communication | Discovery |   | Network |   | Network |
   | Client |---- . . . ----|   Proxy   |   | Printer |   | Camera  |
   +--------+               +-----------+   +---------+   +---------+
                                 |               |             |
                             --------------------------------------------
                          Multicast-capable LAN segment (e.g., Ethernet)

2.  Operational Analogy

A Discovery Proxy does not operate as a multicast relay, or multicast forwarder. There is no danger of multicast forwarding loops that result in traffic storms, because no multicast packets are forwarded. A Discovery Proxy operates as a *proxy* for a remote client, performing queries on its behalf and reporting the results back.

A reasonable analogy is making a telephone call to a colleague at your workplace and saying, "I'm out of the office right now. Would you mind bringing up a printer browser window and telling me the names of the printers you see?" That entails no risk of a forwarding loop causing a traffic storm, because no multicast packets are sent over the telephone call.

A similar analogy, instead of enlisting another human being to initiate the service discovery operation on your behalf, is to log into your own desktop work computer using screen sharing, and then run the printer browser yourself to see the list of printers. Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the list of discovered printer names. In neither case is there any risk of a forwarding loop causing a traffic storm, because no multicast packets are being sent over the screen sharing or ssh connection.

The Discovery Proxy provides another way of performing remote queries, just using a different protocol instead of screen sharing or ssh.
When the Discovery Proxy software performs Multicast DNS operations, the exact same Multicast DNS caching mechanisms are applied as when any other client software on that Discovery Proxy device performs Multicast DNS operations, whether that be running a printer browser client locally, or a remote user running the printer browser client via a screen sharing connection, or a remote user logged in via ssh running a command-line tool like "dns-sd".

3.  Conventions and Terminology Used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels", when, and only when, they appear in all capitals, as shown here [RFC2119] [RFC8174].

The Discovery Proxy builds on Multicast DNS, which works between hosts on the same link. For the purposes of this document a set of hosts is considered to be "on the same link" if:

   o  when any host from that set sends a packet to any other host in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified, and

   o  a broadcast sent over that link, by any host from that set of hosts, can be received by every other host in that set.

The link-layer *header* may be modified, such as in Token Ring Source Routing [IEEE-5], but not the link-layer *payload*. In particular, if any device forwarding a packet modifies any part of the IP header or IP payload then the packet is no longer considered to be on the same link.
This means that the packet may pass through devices such as repeaters, bridges, hubs or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.

4.  Compatibility Considerations

No changes to existing devices are required to work with a Discovery Proxy.

Existing devices that advertise services using Multicast DNS work with Discovery Proxy.

Existing clients that support DNS-Based Service Discovery over Unicast DNS work with Discovery Proxy. Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 in April 2005, and is included in Apple products introduced since then, including iPhone and iPad, as well as products from other vendors, such as Microsoft Windows 10.

An overview of the larger collection of related Service Discovery technologies, and how Discovery Proxy relates to those, is given in the Service Discovery Road Map document [Roadmap].

5.  Discovery Proxy Operation

In a typical configuration, a Discovery Proxy is configured to be authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, and authority for these subdomains is delegated to it via NS records:

   A DNS subdomain for service discovery records.
      This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text is appropriate.

   A DNS subdomain for host name records.
      This subdomain name SHOULD be limited to letters, digits and hyphens, to facilitate convenient use of host names in command-line interfaces.

   One or more DNS subdomains for IPv4 Reverse Mapping records.
      These subdomains will have names that end in "in-addr.arpa."

   One or more DNS subdomains for IPv6 Reverse Mapping records.
      These subdomains will have names that end in "ip6.arpa."

In an enterprise network the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a home network naming and delegation would typically be performed using some automatic configuration mechanism such as HNCP [RFC7788].

These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below in Section 5.1, Section 5.3 and Section 5.4.

How a client discovers where to issue its service discovery queries is described below in Section 5.2.

5.1.  Delegated Subdomain for Service Discovery Records

In its simplest form, each link in an organization is assigned a unique Unicast DNS domain name, such as "Building 1.example.com" or "2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders, subfolders and files in a file system.

   +---------------+--------------+-------------+-------------------+
   | *example.com* | Building 1   | 1st Floor   | Alice's printer   |
   |               | Building 2   | *2nd Floor* | Bob's printer     |
   |               | *Building 3* | 3rd Floor   | Charlie's printer |
   |               | Building 4   | 4th Floor   |                   |
   |               | Building 5   |             |                   |
   |               | Building 6   |             |                   |
   +---------------+--------------+-------------+-------------------+

                       Figure 1: Illustrative GUI

Each named link in an organization has one or more Discovery Proxies which serve it.
This Discovery Proxy function for each link could be performed by a device like a router or switch that is physically attached to that link. In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com") to the one or more Discovery Proxies that serve the named link. In other words, the Discovery Proxies are the authoritative name servers for that subdomain. As in the rest of DNS-Based Service Discovery, all names are represented as-is using plain UTF-8 encoding, and, as described in Section 5.5.4, no text encoding translations are performed.

With appropriate VLAN configuration [IEEE-1Q] a single Discovery Proxy device could have a logical presence on many links, and serve as the Discovery Proxy for all those links. In such a configuration the Discovery Proxy device would have a single physical Ethernet [IEEE-3] port, configured as a VLAN trunk port, which would appear to software on that device as multiple virtual Ethernet interfaces, one connected to each of the VLAN links.

As an alternative to using VLAN technology, using a Multicast DNS Discovery Relay [Relay] is another way that a Discovery Proxy can have a 'virtual' presence on a remote link.

When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain, namely the Discovery Proxy on the link in question. Like a conventional Unicast DNS server, a Discovery Proxy implements the usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
However, unlike a conventional Unicast DNS server that generates answers from the data in its manually-configured zone file, a Discovery Proxy generates answers using Multicast DNS. A Discovery Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries, as appropriate, according to the usual protocol rules of Multicast DNS [RFC6762], for the corresponding Multicast DNS name, type and class (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Discovery Proxy synthesizes the appropriate Unicast DNS response. How long the Discovery Proxy should wait to accumulate Multicast DNS responses is described below in Section 5.6.

The existing Multicast DNS caching mechanism is used to minimize unnecessary Multicast DNS queries on the wire. The Discovery Proxy is acting as a client of the underlying Multicast DNS subsystem, and benefits from the same caching and efficiency measures as any other client using that subsystem.

5.2.  Domain Enumeration

A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR queries, using both unicast and multicast. If it receives a Domain Name configuration via DHCP option 15 [RFC2132], then it issues unicast queries using this domain. It issues unicast queries using names derived from its IPv4 subnet address(es) and IPv6 prefix(es). These are described below in Section 5.2.1. It also issues multicast Domain Enumeration queries in the "local" domain [RFC6762]. These are described below in Section 5.2.2. The results of all the Domain Enumeration queries are combined for Service Discovery purposes.

5.2.1.  Domain Enumeration via Unicast Queries

The administrator creates Domain Enumeration PTR records [RFC6763] to inform clients of available service discovery domains.
Two varieties of such Domain Enumeration PTR records exist: those with names derived from the domain name communicated to the clients via DHCP, and those with names derived from IPv4 subnet address(es) and IPv6 prefix(es) in use by the clients. Below is an example showing the name-based variety:

   b._dns-sd._udp.example.com.   PTR Building 1.example.com.
                                 PTR Building 2.example.com.
                                 PTR Building 3.example.com.
                                 PTR Building 4.example.com.

   db._dns-sd._udp.example.com.  PTR Building 1.example.com.

   lb._dns-sd._udp.example.com.  PTR Building 1.example.com.

The meaning of these records is defined in the DNS Service Discovery specification [RFC6763] but for convenience is repeated here. The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from. The "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "db" domain MUST be one of the domains in the "b" list; if not then no domain is selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implement UI for multi-domain browsing (which is most of them, at the time of writing). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.

Note that in the example above, for clarity, space characters in names are shown as actual spaces. If this data is manually entered into a textual zone file for authoritative server software such as BIND, care must be taken because the space character is used as a field separator, and other characters like dot ('.'), semicolon (';'), dollar ('$'), backslash ('\'), etc., also have special meaning.
These characters have to be escaped when entered into a textual zone file, following the rules in Section 5.1 of the DNS specification [RFC1035]. For example, a literal space in a name is represented in the textual zone file using '\032', so "Building 1.example.com." is entered as "Building\0321.example.com."

DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumeration query, as follows:

A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype (2 bytes) and qclass (2 bytes), leaving 65275 for the Answer Section.

An Answer Section Resource Record consists of:

   o  Owner name, encoded as a two-byte compression pointer
   o  Two-byte rrtype (type PTR)
   o  Two-byte rrclass (class IN)
   o  Four-byte ttl
   o  Two-byte rdlength
   o  rdata (domain name, up to 256 bytes)

This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.

In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.

It is anticipated that this should be sufficient for even a large corporate network or university campus.
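The zone-file escaping described in Section 5.2.1 above (and used again for the "My Printer" service name in Section 5.3) can be made mechanical. The following is an added example written for this page, not code from the draft or from any Discovery Proxy implementation: it converts between a name held as a list of labels (the wire-format view, where a dot inside a label is data rather than a separator) and the RFC 1035 Section 5.1 presentation form, emitting '\032' for spaces exactly as the draft shows, backslash-quoting the other master-file special characters, and using the \DDD form for control and non-ASCII bytes.

```python
r"""RFC 1035 Section 5.1 presentation-format escaping for DNS-SD names.

Added example, not the draft's code. Names are handled as lists of labels
so that a '.' inside a label is escaped while label separators are not.
Spaces and other non-printable or non-ASCII bytes use the \DDD decimal
form; printable master-file specials get a backslash prefix.
"""

# Bytes that carry special meaning in a master file and need a backslash.
SPECIAL = set(b'.;$\\"()@')


def escape_label(label):
    """Escape one label (a str, stored as UTF-8 bytes on the wire)."""
    out = []
    for byte in label.encode("utf-8"):
        if byte in SPECIAL:
            out.append("\\" + chr(byte))
        elif 0x21 <= byte <= 0x7E:          # printable ASCII, not space
            out.append(chr(byte))
        else:                               # space, control, non-ASCII
            out.append("\\%03d" % byte)     # space -> \032, as in the draft
    return "".join(out)


def to_presentation(labels):
    """Join escaped labels into a fully qualified presentation-format name."""
    return ".".join(escape_label(label) for label in labels) + "."


def from_presentation(text):
    r"""Inverse of to_presentation: decode \DDD and \X escapes into labels."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                cur.append(int(digits))       # \DDD: one byte, decimal
                i += 4
            else:
                cur.append(ord(text[i + 1]))  # \X: the literal character
                i += 2
        elif c == ".":
            labels.append(cur.decode("utf-8"))
            cur = bytearray()
            i += 1
        else:
            cur.extend(c.encode("utf-8"))
            i += 1
    if cur:                                   # relative name without trailing dot
        labels.append(cur.decode("utf-8"))
    return labels


if __name__ == "__main__":
    # Constructed inputs taken from the draft's own examples.
    for labels in (["Building 1", "example", "com"],
                   ["My Printer", "_ipp", "_tcp", "Building 1", "example", "com"]):
        text = to_presentation(labels)
        print(text, "->", from_presentation(text))
```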
5.2.2.  Domain Enumeration via Multicast Queries

In the case where Discovery Proxy functionality is widely deployed within an enterprise (either by having a Discovery Proxy on each link, or by having a Discovery Proxy with a remote 'virtual' presence on each link using VLANs or Multicast DNS Discovery Relays [Relay]) this offers an additional way to provide Domain Enumeration data for clients.

A Discovery Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:

   b._dns-sd._udp.local.  PTR ?
   db._dns-sd._udp.local. PTR ?
   lb._dns-sd._udp.local. PTR ?

This provides the ability for Discovery Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link granularity. In some enterprises it may be preferable to provide this per-link configuration data in the form of Discovery Proxy configuration, rather than populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).

Regardless of how the network operator chooses to provide this configuration data, clients will perform Domain Enumeration via both unicast and multicast queries, and then combine the results of these queries.

5.3.  Delegated Subdomain for LDH Host Names

DNS-SD service instance names and domains are allowed to contain arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8 [RFC3629].

Users typically interact with service discovery software by viewing a list of discovered service instance names on a display, and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and touch or click on the thing they want.

In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters, digits and hyphens (LDH), with no spaces or other punctuation.

While we do want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that while a service name "My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called "My Printer" in the domain "Building 1" at "example.com"), a host name "My-Printer.Building 1.example.com" is less desirable (because of the space in "Building 1").

To accommodate this difference in allowable characters, a Discovery Proxy SHOULD support having two separate subdomains delegated to it for each link it serves, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records). The restricted names may be any valid name consisting of only letters, digits, and hyphens, including Punycode-encoded names [RFC3492].

For example, a Discovery Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it. The Discovery Proxy would then translate these two Multicast DNS records:

   My Printer._ipp._tcp.local.  SRV 0 0 631 prnt.local.
   prnt.local.                  A   203.0.113.2

into Unicast DNS records as follows:

   My Printer._ipp._tcp.Building 1.example.com.
                                SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com.      A   203.0.113.2

Note that the SRV record name is translated using the rich-text domain name ("Building 1.example.com") and the address record name is translated using the LDH domain ("bldg1.example.com").

A Discovery Proxy MAY support only a single rich text Net-Unicode domain, and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments. Whether this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.

A Discovery Proxy MUST NOT be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.

As described above in Section 5.2.1, for clarity, space characters in names are shown as actual spaces. If this data were to be manually entered into a textual zone file (which it isn't) then spaces would need to be represented using '\032', so "My Printer._ipp._tcp.Building 1.example.com." would become "My\032Printer._ipp._tcp.Building\0321.example.com." Note that the '\032' representation does not appear in the network packets sent over the air. In the wire format of DNS messages, spaces are sent as spaces, not as '\032', and likewise, in a graphical user interface at the client device, spaces are shown as spaces, not as '\032'.

5.4. Delegated Subdomain for Reverse Mapping

A Discovery Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Discovery Proxy. In other words, the Discovery Proxy becomes the authoritative name server for the reverse mapping domain. For fault tolerance reasons there may be more than one Discovery Proxy serving a given link.

For example, if a given link is using the IPv4 subnet 203.0.113.0/24, then the domain "113.0.203.in-addr.arpa" is delegated to the Discovery Proxy for that link.

Similarly, if a given link is using the IPv6 prefix 2001:0DB8:1234:5678::/64, then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Discovery Proxy for that link.

When a reverse mapping query arrives at the Discovery Proxy, it issues the identical query on its local link as a Multicast DNS query. The mechanism to force an apparently unicast name to be resolved using link-local Multicast DNS varies depending on the API set being used. For example, in the "dns_sd.h" APIs (available on macOS, iOS, Bonjour for Windows, Linux and Android), using kDNSServiceFlagsForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS. Other API sets have different ways of forcing multicast queries. When the host owning that IPv4 or IPv6 address responds with a name of the form "something.local", the Discovery Proxy rewrites that to use its configured LDH host name domain instead of "local", and returns the response to the caller.

For example, a Discovery Proxy with the two subdomains "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it would translate this Multicast DNS record:

   2.113.0.203.in-addr.arpa.  PTR prnt.local.

into this Unicast DNS response:

   2.113.0.203.in-addr.arpa.  PTR prnt.bldg1.example.com.
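The name translation of Sections 5.3 and 5.4 above, written out as an added Python example (this is illustrative code, not code from the draft or from any Discovery Proxy implementation). It assumes the two delegated subdomains and the reverse zone from the examples above; names are handled as lists of labels so that a label containing a space ("Building 1") survives intact, the (owner, type, rdata) record representation and the LinkConfig structure are this example's own, and the zone-file escaping at the end reproduces the '\032' presentation form described in Section 5.3.

```python
"""Name translation between the link-local ".local" namespace and the
subdomains delegated to a Discovery Proxy (Sections 5.3 and 5.4).
Added example, not code from the draft.  Names are lists of labels; the
record representation (owner, type, rdata) is this example's own."""
from dataclasses import dataclass, field


@dataclass
class LinkConfig:
    rich_domain: list          # Net-Unicode subdomain, e.g. "Building 1.example.com"
    ldh_domain: list           # letter-digit-hyphen subdomain used for host names
    reverse_zones: list = field(default_factory=list)  # delegated in-addr.arpa/ip6.arpa zones


def split(name):
    """Presentation name -> labels.  Labels are split on '.', never on spaces."""
    return [label for label in name.rstrip(".").split(".") if label]


def join(labels):
    return ".".join(labels) + "."


def _ends_with(labels, suffix):
    n = len(suffix)
    return len(labels) >= n and [l.lower() for l in labels[-n:]] == [l.lower() for l in suffix]


def to_unicast(labels, cfg, is_hostname):
    """Rewrite a ".local" name into the delegated subdomain.  Host names (owners
    of A/AAAA records, SRV targets, reverse-mapping PTR targets) go into the LDH
    subdomain; service instance and service type names into the rich-text one.
    Names that are not under ".local" (e.g. reverse-mapping owner names) are
    returned unchanged."""
    if not _ends_with(labels, ["local"]):
        return list(labels)
    return labels[:-1] + (cfg.ldh_domain if is_hostname else cfg.rich_domain)


def to_multicast(labels, cfg):
    """Rewrite a received unicast query name into the ".local" query the proxy
    issues on the link.  Returns None for names the proxy is not authoritative for."""
    for domain in (cfg.rich_domain, cfg.ldh_domain):
        if len(labels) > len(domain) and _ends_with(labels, domain):
            return labels[:-len(domain)] + ["local"]
    for zone in cfg.reverse_zones:
        if _ends_with(labels, zone):
            return list(labels)    # reverse-mapping names are queried as-is via multicast
    return None


def translate_record(owner, rrtype, rdata, cfg):
    """Translate one Multicast DNS record into its Unicast DNS form."""
    in_reverse_zone = any(_ends_with(owner, z) for z in cfg.reverse_zones)
    if rrtype == "SRV":
        prio, weight, port, target = rdata
        return (to_unicast(owner, cfg, False), "SRV",
                (prio, weight, port, to_unicast(target, cfg, True)))
    if rrtype == "PTR":
        # a reverse-mapping PTR names a host; a browsing PTR names a service instance
        return (to_unicast(owner, cfg, False), "PTR", to_unicast(rdata, cfg, in_reverse_zone))
    if rrtype in ("A", "AAAA"):
        return (to_unicast(owner, cfg, True), rrtype, rdata)
    # TXT and other rdata is passed through untouched (see Section 5.5.4)
    return (to_unicast(owner, cfg, False), rrtype, rdata)


def zone_file_name(labels):
    """Textual zone-file form of a name using RFC 1035 presentation escaping, so
    a space becomes \\032.  This form never appears in wire-format messages."""
    out = []
    for label in labels:
        text = ""
        for b in label.encode("utf-8"):
            if b in (0x2E, 0x5C):          # '.' and '\' get a backslash
                text += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:        # printable ASCII other than space
                text += chr(b)
            else:                          # space, controls, non-ASCII bytes: \DDD
                text += "\\%03d" % b
        out.append(text)
    return ".".join(out) + "."


if __name__ == "__main__":
    cfg = LinkConfig(split("Building 1.example.com"), split("bldg1.example.com"),
                     [split("113.0.203.in-addr.arpa")])
    for owner, t, rdata in [(split("My Printer._ipp._tcp.local"), "SRV", (0, 0, 631, split("prnt.local"))),
                            (split("prnt.local"), "A", "203.0.113.2"),
                            (split("2.113.0.203.in-addr.arpa"), "PTR", split("prnt.local"))]:
        o, t, r = translate_record(owner, t, rdata, cfg)
        print(zone_file_name(o), t, r)
```

The is_hostname flag is the whole of the two-subdomain rule: only names that identify hosts land in the LDH subdomain, and a reverse-mapping PTR is the one PTR whose target is a host name rather than a service instance.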
Subsequent queries for the prnt.bldg1.example.com address record, falling as it does within the bldg1.example.com domain, which is delegated to the Discovery Proxy, will arrive at the Discovery Proxy, where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.

Note that this design assumes that all addresses on a given IPv4 subnet or IPv6 prefix are mapped to host names using the Discovery Proxy mechanism. It would be possible to implement a Discovery Proxy that can be configured so that some address-to-name mappings are performed using Multicast DNS on the local link, while other address-to-name mappings within the same IPv4 subnet or IPv6 prefix are configured manually.

5.5. Data Translation

Generating the appropriate Multicast DNS queries involves, at the very least, translating from the configured DNS domain (e.g., "Building 1.example.com") on the Unicast DNS side to "local" on the Multicast DNS side.

Generating the appropriate Unicast DNS responses involves translating back from "local" to the appropriate configured DNS Unicast domain.

Other beneficial translation and filtering operations are described below.

5.5.1. DNS TTL limiting

For efficiency, Multicast DNS typically uses moderately high DNS TTL values. For example, the typical TTL on DNS-SD PTR records is 75 minutes. What makes these moderately high TTLs acceptable is the cache coherency mechanisms built into the Multicast DNS protocol which protect against stale data persisting for too long. When a service shuts down gracefully, it sends goodbye packets to remove its PTR records immediately from neighboring caches.
If a service shuts down abruptly without sending goodbye packets, the Passive Observation Of Failures (POOF) mechanism described in Section 10.5 of the Multicast DNS specification [RFC6762] comes into play to purge the cache of stale data.

A traditional Unicast DNS client on a distant remote link does not get to participate in these Multicast DNS cache coherency mechanisms on the local link. For traditional Unicast DNS queries (those received without using Long-Lived Query [DNS-LLQ] or DNS Push Notification subscriptions [Push]) the DNS TTLs reported in the resulting Unicast DNS response MUST be capped to be no more than ten seconds.

Similarly, for negative responses, the negative caching TTL indicated in the SOA record [RFC2308] should also be ten seconds (Section 6.1).

This value of ten seconds is chosen based on user-experience considerations.

For negative caching, suppose a user is attempting to access a remote device (e.g., a printer), and they are unsuccessful because that device is powered off. Suppose they then place a telephone call and ask for the device to be powered on. We want the device to become available to the user within a reasonable time period. It is reasonable to expect it to take on the order of ten seconds for a simple device with a simple embedded operating system to power on.

Once the device is powered on and has announced its presence on the network via Multicast DNS, we would like it to take no more than a further ten seconds for stale negative cache entries to expire from Unicast DNS caches, making the device available to the user desiring to access it.

Similar reasoning applies to capping positive TTLs at ten seconds.
In the event of a device moving location, getting a new DHCP address, or other renumbering events, we would like the updated information to be available to remote clients in a relatively timely fashion.

However, network administrators should be aware that many recursive (caching) DNS servers by default are configured to impose a minimum TTL of 30 seconds. If stale data appears to be persisting in the network to the extent that it adversely impacts user experience, network administrators are advised to check the configuration of their recursive DNS servers.

For received Unicast DNS queries that use LLQ [DNS-LLQ] or DNS Push Notifications [Push], the Multicast DNS record's TTL SHOULD be returned unmodified, because the Push Notification channel exists to inform the remote client as records come and go. For further details about Long-Lived Queries, and its newer replacement, DNS Push Notifications, see Section 5.6.

5.5.2. Suppressing Unusable Records

A Discovery Proxy SHOULD suppress Unicast DNS answers for records that are not useful outside the local link. For example, DNS A and AAAA records for IPv4 link-local addresses [RFC3927] and IPv6 link-local addresses [RFC4862] SHOULD be suppressed. Similarly, for sites that have multiple private address realms [RFC1918], in cases where the Discovery Proxy can determine that the querying client is in a different address realm, private addresses SHOULD NOT be communicated to that client. IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed in cases where the Discovery Proxy can determine that the querying client is in a different IPv6 address realm.

By the same logic, DNS SRV records that reference target host names that have no addresses usable by the requester should be suppressed, and likewise, DNS PTR records that point to unusable SRV records should be suppressed.

5.5.3. NSEC and NSEC3 queries

Multicast DNS devices do not routinely announce their records on the network. Generally they remain silent until queried. This means that the complete set of Multicast DNS records in use on a link can only be discovered by active querying, not by passive listening. Because of this, a Discovery Proxy can only know what names exist on a link by issuing queries for them, and since it would be impractical to issue queries for every possible name just to find out which names exist and which do not, a Discovery Proxy cannot programmatically generate the traditional NSEC [RFC4034] and NSEC3 [RFC5155] records which assert the nonexistence of a large range of names.

When queried for an NSEC or NSEC3 record type, the Discovery Proxy issues a qtype "ANY" query using Multicast DNS on the local link, and then generates an NSEC or NSEC3 response with a Type Bit Map signifying which record types do and do not exist for just the specific name queried, and no other names.

Multicast DNS NSEC records received on the local link MUST NOT be forwarded unmodified to a unicast querier, because there are slight differences in the NSEC record data. In particular, Multicast DNS NSEC records do not have the NSEC bit set in the Type Bit Map, whereas conventional Unicast DNS NSEC records do have the NSEC bit set.

5.5.4. No Text Encoding Translation

A Discovery Proxy does no translation between text encodings. Specifically, a Discovery Proxy does no translation between Punycode encoding [RFC3492] and UTF-8 encoding [RFC3629], either in the owner name of DNS records, or anywhere in the RDATA of DNS records (such as the RDATA of PTR records, SRV records, NS records, or other record types like TXT, where it is ambiguous whether the RDATA may contain DNS names). All bytes are treated as-is, with no attempt at text encoding translation.
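The filtering steps of Sections 5.5.1 through 5.5.3 above (TTL capping, suppression of unusable records, and single-name NSEC synthesis), as an added Python example that is not code from the draft. It assumes records are (owner, type, ttl, rdata) tuples with names as strings and SRV rdata reduced to the target host name; the sample mDNS answers are constructed for the demonstration, and whether a querier is in a different address realm is a judgement the caller supplies, since the draft leaves how the proxy determines that open.

```python
"""Filtering a Discovery Proxy applies to Multicast DNS answers before they
become Unicast DNS responses: TTL capping (5.5.1), suppression of unusable
records (5.5.2), NSEC synthesis for a single name (5.5.3).  Added example,
not code from the draft.  Records are (owner, type, ttl, rdata) tuples."""
import ipaddress

TTL_CAP = 10   # seconds, for answers to queries that use neither LLQ nor DNS Push

# RFC 4034 type numbers needed to build an NSEC Type Bit Map
TYPE_NUM = {"A": 1, "NS": 2, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28,
            "SRV": 33, "RRSIG": 46, "NSEC": 47}

LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]
PRIVATE_REALMS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def cap_ttl(records, long_lived):
    """Section 5.5.1: one-shot answers carry TTL <= 10 s because the remote
    resolver never sees mDNS goodbye packets or POOF; LLQ/Push subscriptions
    keep the mDNS TTL because the channel itself reports changes."""
    if long_lived:
        return list(records)
    return [(o, t, min(ttl, TTL_CAP), r) for (o, t, ttl, r) in records]


def address_usable(addr, client_in_other_realm):
    """Link-local addresses are never usable off-link.  RFC 1918 and ULA
    addresses are dropped only when the proxy has determined that the querier
    is in a different address realm (supplied by the caller here)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LINK_LOCAL):
        return False
    if any(ip in net for net in PRIVATE_REALMS):
        return not client_in_other_realm
    return True


def suppress_unusable(records, client_in_other_realm=False):
    """Section 5.5.2: drop unusable address records, then SRV records whose
    target host has no remaining address record, then browsing PTR records
    whose target instance has only a suppressed SRV.  A real proxy would
    consult its whole cache; here the record list stands in for the cache."""
    kept = [r for r in records
            if r[1] not in ("A", "AAAA") or address_usable(r[3], client_in_other_realm)]
    hosts_with_addr = {o for (o, t, _, _) in kept if t in ("A", "AAAA")}
    srv_target = {o: r for (o, t, _, r) in records if t == "SRV"}   # rdata = target host
    kept = [r for r in kept if r[1] != "SRV" or srv_target[r[0]] in hosts_with_addr]
    live_instances = {o for (o, t, _, _) in kept if t == "SRV"}
    return [r for r in kept
            if r[1] != "PTR" or r[3] not in srv_target or r[3] in live_instances]


def nsec_type_bitmap(types):
    """RFC 4034 section 4.1.2 wire form for types below 256: window 0, length, bits."""
    bits = bytearray(32)
    for t in types:
        n = TYPE_NUM[t]
        bits[n // 8] |= 0x80 >> (n % 8)
    length = max(i for i in range(32) if bits[i]) + 1
    return bytes([0, length]) + bytes(bits[:length])


def synthesize_nsec(name, any_answers, ttl=TTL_CAP):
    """Section 5.5.3: answer an NSEC query from the mDNS qtype-ANY answers for
    this one name.  The next-owner field is the name itself, so nothing is
    asserted about any other name; the NSEC bit is set, as unicast NSEC
    records require (mDNS NSEC records leave it clear, so they are never
    forwarded unmodified)."""
    present = {t for (o, t, _, _) in any_answers if o == name and t != "NSEC"}
    present.add("NSEC")
    return (name, "NSEC", ttl, (name, nsec_type_bitmap(present)))


SAMPLE = [  # constructed mDNS answers for the demonstration
    ("prnt.local.", "A", 4500, "203.0.113.2"),
    ("prnt.local.", "AAAA", 4500, "fe80::1"),                 # link-local: dropped
    ("My Printer._ipp._tcp.local.", "SRV", 120, "prnt.local."),
    ("_ipp._tcp.local.", "PTR", 4500, "My Printer._ipp._tcp.local."),
    ("old.local.", "A", 120, "169.254.1.9"),                  # link-local: dropped
    ("Gone._ipp._tcp.local.", "SRV", 120, "old.local."),      # target keeps no address
    ("_ipp._tcp.local.", "PTR", 4500, "Gone._ipp._tcp.local."),
]

if __name__ == "__main__":
    for rec in cap_ttl(suppress_unusable(SAMPLE), long_lived=False):
        print(rec)
    print(synthesize_nsec("prnt.local.", SAMPLE))
```

The order of the three suppression passes matters: address filtering must run first, because the SRV and PTR decisions depend on which addresses survived it.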
A client implementing DNS-based Service Discovery [RFC6763] will use UTF-8 encoding for its service discovery queries, which the Discovery Proxy passes through without any text encoding translation to the Multicast DNS subsystem. Responses from the Multicast DNS subsystem are similarly returned, without any text encoding translation, back to the requesting client.

5.5.5. Application-Specific Data Translation

There may be cases where Application-Specific Data Translation is appropriate.

For example, AirPrint printers tend to advertise fairly verbose information about their capabilities in their DNS-SD TXT record. TXT record sizes in the range 500-1000 bytes are not uncommon. This information is a legacy from LPR printing, because LPR does not have in-band capability negotiation, so all of this information is conveyed using the DNS-SD TXT record instead. IPP printing does have in-band capability negotiation, but for convenience printers tend to include the same capability information in their IPP DNS-SD TXT records as well. For local mDNS use this extra TXT record information is inefficient, but not fatal. However, when a Discovery Proxy aggregates data from multiple printers on a link, and sends it via unicast (via UDP or TCP) this amount of unnecessary TXT record information can result in large responses. A DNS reply over TCP carrying information about 70 printers with an average of 700 bytes per printer adds up to about 50 kilobytes of data. Therefore, a Discovery Proxy that is aware of the specifics of an application-layer protocol such as AirPrint (which uses IPP) can elide unnecessary key/value pairs from the DNS-SD TXT record for better network efficiency.

Also, the DNS-SD TXT record for many printers contains an "adminurl" key something like "adminurl=http://printername.local/status.html".
For this URL to be useful outside the local link, the embedded ".local" hostname needs to be translated to an appropriate name with larger scope. It is easy to translate ".local" names when they appear in well-defined places, either as a record's name, or in the rdata of record types like PTR and SRV. In the printing case, some application-specific knowledge about the semantics of the "adminurl" key is needed for the Discovery Proxy to know that it contains a name that needs to be translated. This is somewhat analogous to the need for NAT gateways to contain ALGs (Application Layer Gateways) to facilitate the correct translation of protocols that embed addresses in unexpected places.

To avoid the need for application-specific knowledge about the semantics of particular TXT record keys, protocol designers are advised to avoid placing link-local names or link-local IP addresses in TXT record keys, if translation of those names or addresses would be required for off-link operation. In the printing case, the operational consequence of failing to translate the "adminurl" key correctly is that, when accessed from a different link, printing will still work, but clicking the "Admin" UI button will fail to open the printer's administration page. Rather than duplicating the host name from the service's SRV record in its "adminurl" key, thereby having the same host name appear in two places, a better design might have been to omit the host name from the "adminurl" key, and instead have the client implicitly substitute the target host name from the service's SRV record in place of a missing host name in the "adminurl" key. That way the desired host name only appears once, and it is in a well-defined place where software like the Discovery Proxy is expecting to find it.

Note that this kind of Application-Specific Data Translation is expected to be very rare.
It is the exception, rather than the rule. This is an example of a common theme in computing. It is frequently the case that it is wise to start with a clean, layered design, with clear boundaries. Then, in certain special cases, those layer boundaries may be violated, where the performance and efficiency benefits outweigh the inelegance of the layer violation.

These layer violations are optional. They are done primarily for efficiency reasons, and generally should not be required for correct operation. A Discovery Proxy MAY operate solely at the mDNS layer, without any knowledge of semantics at the DNS-SD layer or above.

5.6. Answer Aggregation

In a simple analysis, gathering multicast answers and forwarding them in a unicast response seems adequate, but it raises the question of how long the Discovery Proxy should wait to be sure that it has received all the Multicast DNS answers it needs to form a complete Unicast DNS response. If it waits too little time, then it risks its Unicast DNS response being incomplete. If it waits too long, then it creates a poor user experience at the client end. In fact, there may be no time which is both short enough to produce a good user experience and at the same time long enough to reliably produce complete results.

Similarly, the Discovery Proxy -- the authoritative name server for the subdomain in question -- needs to decide what DNS TTL to report for these records. If the TTL is too long then the recursive (caching) name servers issuing queries on behalf of their clients risk caching stale data for too long. If the TTL is too short then the amount of network traffic will be more than necessary. In fact, there may be no TTL which is both short enough to avoid undesirable stale data and at the same time long enough to be efficient on the network.
Both these dilemmas are solved by use of DNS Long-Lived Queries (DNS LLQ) [DNS-LLQ] or its newer replacement, DNS Push Notifications [Push].

Clients supporting unicast DNS Service Discovery SHOULD implement DNS Push Notifications [Push] for improved user experience.

Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push, and when talking to a Discovery Proxy that supports both, the client may use either protocol, as it chooses, though it is expected that only DNS Push will continue to be supported in the long run.

When a Discovery Proxy receives a query using DNS LLQ or DNS Push Notifications, it responds immediately using the Multicast DNS records it already has in its cache (if any). This provides a good client user experience by providing a near-instantaneous response. Simultaneously, the Discovery Proxy issues a Multicast DNS query on the local link to discover if there are any additional Multicast DNS records it did not already know about. Should additional Multicast DNS responses be received, these are then delivered to the client using additional DNS LLQ or DNS Push Notification update messages. The timeliness of such update messages is limited only by the timeliness of the device responding to the Multicast DNS query. If the Multicast DNS device responds quickly, then the update message is delivered quickly. If the Multicast DNS device responds slowly, then the update message is delivered slowly. The benefit of using update messages is that the Discovery Proxy can respond promptly because it doesn't have to delay its unicast response to allow for the expected worst-case delay for receiving all the Multicast DNS responses.
Even if a proxy were to try to provide reliability by assuming an excessively pessimistic worst-case time (thereby giving a very poor user experience) there would still be the risk of a slow Multicast DNS device taking even longer than that (e.g., a device that is not even powered on until ten seconds after the initial query is received) resulting in incomplete responses. Using update messages solves this dilemma: even very late responses are not lost; they are delivered in subsequent update messages.

There are two factors that determine specifically how responses are generated:

The first factor is whether the query from the client used LLQ or DNS Push Notifications (used for long-lived service browsing PTR queries) or not (used for one-shot operations like SRV or address record queries). Note that queries using LLQ or DNS Push Notifications are received directly from the client. Queries not using LLQ or DNS Push Notifications are generally received via the client's configured recursive (caching) name server.

The second factor is whether the Discovery Proxy already has at least one record in its cache that positively answers the question.

o  Not using LLQ or Push Notifications; no answer in cache:
   Issue an mDNS query, exactly as a local client would issue an mDNS query on the local link for the desired record name, type and class, including retransmissions, as appropriate, according to the established mDNS retransmission schedule [RFC6762]. As soon as any Multicast DNS response packet is received that contains one or more positive answers to that question (with or without the Cache Flush bit [RFC6762] set), or a negative answer (signified via a Multicast DNS NSEC record [RFC6762]), the Discovery Proxy generates a Unicast DNS response packet containing the corresponding (filtered and translated) answers and sends it to the remote client.
   If after six seconds no Multicast DNS answers have been received, return a negative response to the remote client. Six seconds is enough time to transmit three mDNS queries, and allow some time for responses to arrive. DNS TTLs in responses MUST be capped to at most ten seconds. (Reasoning: Queries not using LLQ or Push Notifications are generally queries that expect an answer from only one device, so the first response is also the only response.)

o  Not using LLQ or Push Notifications; at least one answer in cache:
   Send response right away to minimise delay. DNS TTLs in responses MUST be capped to at most ten seconds. No local mDNS queries are performed. (Reasoning: Queries not using LLQ or Push Notifications are generally queries that expect an answer from only one device. Given RRSet TTL harmonisation, if the proxy has one Multicast DNS answer in its cache, it can reasonably assume that it has all of them.)

o  Using LLQ or Push Notifications; no answer in cache:
   As in the case above with no answer in the cache, perform mDNS querying for six seconds, and send a response to the remote client as soon as any relevant mDNS response is received. If after six seconds no relevant mDNS response has been received, return a negative response to the remote client (for LLQ; not applicable for Push Notifications). (Reasoning: We don't need to rush to send an empty answer.) Whether or not a relevant mDNS response is received within six seconds, the query remains active for as long as the client maintains the LLQ or Push Notification state, and if mDNS answers are received later, LLQ or Push Notification messages are sent. DNS TTLs in responses are returned unmodified.
o  Using LLQ or Push Notifications; at least one answer in cache:
   As in the case above with at least one answer in cache, send response right away to minimise delay. The query remains active for as long as the client maintains the LLQ or Push Notification state, and results in transmission of mDNS queries, with appropriate Known Answer lists, to determine if further answers are available. If additional mDNS answers are received later, LLQ or Push Notification messages are sent. (Reasoning: We want UI that is displayed very rapidly, yet continues to remain accurate even as the network environment changes.) DNS TTLs in responses are returned unmodified.

Note that the "negative responses" referred to above are "no error no answer" negative responses, not NXDOMAIN. This is because the Discovery Proxy cannot know all the Multicast DNS domain names that may exist on a link at any given time, so any name with no answers may have child names that do exist, making it an "empty nonterminal" name.

6. Administrative DNS Records

6.1. DNS SOA (Start of Authority) Record

The MNAME field SHOULD contain the host name of the Discovery Proxy device (i.e., the same domain name as the rdata of the NS record delegating the relevant zone(s) to this Discovery Proxy device).

The RNAME field SHOULD contain the mailbox of the person responsible for administering this Discovery Proxy device.

The SERIAL field MUST be zero.

Zone transfers are undefined for Discovery Proxy zones, and consequently the REFRESH, RETRY and EXPIRE fields have no useful meaning for Discovery Proxy zones. These fields SHOULD contain reasonable default values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE 86400.

The MINIMUM field (used to control the lifetime of negative cache entries) SHOULD contain the value 10.
The value of ten seconds is chosen based on user-experience considerations (see Section 5.5.1).

In the event that there are multiple Discovery Proxy devices on a link for fault tolerance reasons, this will result in clients receiving inconsistent SOA records (different MNAME, and possibly RNAME) depending on which Discovery Proxy answers their SOA query. However, since clients generally have no reason to use the MNAME or RNAME data, this is unlikely to cause any problems.

6.2. DNS NS Records

In the event that there are multiple Discovery Proxy devices on a link for fault tolerance reasons, the parent zone MUST be configured with glue records giving the names and addresses of all the Discovery Proxy devices on the link.

Each Discovery Proxy device MUST be configured with its own NS record, and with the NS records of its fellow Discovery Proxy devices on the same link, so that it can return the correct answers for NS queries.

6.3. DNS SRV Records

There are certain special DNS records that logically fall within the delegated unicast DNS subdomain, but rather than mapping to their corresponding ".local" namesakes, they actually contain metadata pertaining to the operation of the delegated unicast DNS subdomain itself. They do not exist in the corresponding ".local" namespace of the local link. For these queries a Discovery Proxy MUST generate immediate answers, whether positive or negative, to avoid delays while clients wait for their query to be answered. For example, if a Discovery Proxy does not implement Long-Lived Queries [DNS-LLQ] then it MUST return an immediate negative answer to tell the client this without delay, instead of passing the query through to the local network as a query for "_dns-llq._udp.local.", and then waiting unsuccessfully for answers that will not be forthcoming.
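The response policy of Section 5.6 (the four cases by query mode and cache state, the six-second wait, TTL handling, and NOERROR/no-answer rather than NXDOMAIN), together with the locally synthesized SOA of Section 6.1 and the immediately answered zone-metadata SRV names of Section 6.3, as an added Python example that is not code from the draft. It assumes a single delegated domain per link (so the rich-text and LDH subdomains are the same), that DNS Push is advertised on TCP port 853, and an RNAME of "hostmaster" under the zone; the link is modelled by a callback plus a caller-supplied wait function so the example runs offline, and the records it serves are constructed.

```python
"""Query handling of a Discovery Proxy for one received unicast query: zone
metadata answered immediately (6.3), the SOA synthesized locally (6.1), and
otherwise the four cases of Section 5.6.  Added example, not code from the
draft.  Names are strings with a trailing dot; records are (owner, type,
ttl, rdata); the Push port 853 and the RNAME are assumptions."""

MDNS_WAIT = 6.0     # seconds: three mDNS retransmissions plus time for replies
TTL_CAP = 10
SOA_DEFAULTS = dict(serial=0, refresh=7200, retry=3600, expire=86400, minimum=10)
META_SRV = ("_dns-llq._udp", "_dns-llq._tcp", "_dns-llq-tls._tcp", "_dns-push-tls._tcp",
            "_dns-update._udp", "_dns-update._tcp", "_dns-update-tls._tcp")


class Response:
    def __init__(self, answers, negative=False, keep_open=False):
        self.answers = answers      # translated records
        self.negative = negative    # NOERROR with no answers, never NXDOMAIN
        self.keep_open = keep_open  # later mDNS answers flow as LLQ/Push updates


class DiscoveryProxy:
    def __init__(self, zone, hostname, link, supports_push=True, supports_llq=False):
        self.zone, self.hostname, self.link = zone, hostname, link
        self.supports_push, self.supports_llq = supports_push, supports_llq
        self.cache = {}             # (local name, type) -> mDNS records
        self.link_queries = 0       # how often the link was actually queried

    def handle(self, name, qtype, mode="oneshot", wait=lambda seconds: None):
        """mode is "oneshot" (via a recursive resolver), "llq" or "push"."""
        if qtype == "SOA" and name == self.zone:
            soa = (self.hostname, "hostmaster." + self.zone, dict(SOA_DEFAULTS))
            return Response([(self.zone, "SOA", TTL_CAP, soa)])
        meta = self.metadata_answer(name, qtype)
        if meta is not None:
            return meta
        local = self.to_local(name)
        if local is None:
            return Response([], negative=True)      # not under the delegated zone
        long_lived = mode in ("llq", "push")
        cached = self.cache.get((local, qtype))
        if cached:
            # cases 2 and 4: answer from cache at once; a long-lived query stays
            # open and keeps querying the link (with Known Answers) for more
            return Response(self.finish(cached, long_lived), keep_open=long_lived)
        # cases 1 and 3: query the link, respond as soon as anything arrives
        self.link_queries += 1
        answers = self.link(local, qtype, wait, MDNS_WAIT)
        if answers:
            self.cache[(local, qtype)] = answers
            return Response(self.finish(answers, long_lived), keep_open=long_lived)
        # nothing within six seconds: negative for one-shot and LLQ; a Push
        # subscription simply has no answers yet
        return Response([], negative=(mode != "push"), keep_open=long_lived)

    def finish(self, records, long_lived):
        """Translate .local names back into the zone; cap TTLs for one-shot answers."""
        out = []
        for (owner, rrtype, ttl, rdata) in records:
            rdata = self.from_local(rdata) if isinstance(rdata, str) else rdata
            out.append((self.from_local(owner), rrtype,
                        ttl if long_lived else min(ttl, TTL_CAP), rdata))
        return out

    def metadata_answer(self, name, qtype):
        """Section 6.3: names describing the zone itself never reach the link."""
        suffix = "." + self.zone
        if not name.endswith(suffix) or qtype != "SRV":
            return None
        label = name[:-len(suffix)]
        if label not in META_SRV:
            return None
        if (label.startswith("_dns-push") and self.supports_push) or \
           (label.startswith("_dns-llq") and self.supports_llq):
            return Response([(name, "SRV", TTL_CAP, (0, 0, 853, self.hostname))])
        return Response([], negative=True)   # includes DNS Update: never supported

    def to_local(self, name):
        suffix = "." + self.zone
        return name[:-len(self.zone)] + "local." if name.endswith(suffix) else None

    def from_local(self, name):
        return name[:-len("local.")] + self.zone if name.endswith(".local.") else name


def make_link(records, delay=0.0):
    """Constructed link: matching records appear `delay` seconds after the
    query (a real proxy uses an mDNS API with a force-multicast flag)."""
    def link(name, qtype, wait, timeout):
        if delay > timeout:
            wait(timeout)
            return []
        wait(delay)
        return [r for r in records if r[0] == name and r[1] == qtype]
    return link
```

Passing `wait` in makes the six-second policy testable without sleeping; in a real proxy the same path would be driven by the mDNS API's callbacks rather than a blocking call.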
If a Discovery Proxy implements Long-Lived Queries [DNS-LLQ] then it MUST positively respond to "_dns-llq._udp.<zone> SRV" queries, "_dns-llq._tcp.<zone> SRV" queries, and "_dns-llq-tls._tcp.<zone> SRV" queries as appropriate, else it MUST return an immediate negative answer for those queries.

If a Discovery Proxy implements DNS Push Notifications [Push] then it MUST positively respond to "_dns-push-tls._tcp.<zone> SRV" queries, else it MUST return an immediate negative answer for those queries.

A Discovery Proxy MUST return an immediate negative answer for "_dns-update._udp.<zone> SRV" queries, "_dns-update._tcp.<zone> SRV" queries, and "_dns-update-tls._tcp.<zone> SRV" queries, since using DNS Update [RFC2136] to change zones generated dynamically from local Multicast DNS data is not possible.

7. DNSSEC Considerations

7.1. On-line signing only

The Discovery Proxy acts as the authoritative name server for designated subdomains, and if DNSSEC is to be used, the Discovery Proxy needs to possess a copy of the signing keys, in order to generate authoritative signed data from the local Multicast DNS responses it receives. Off-line signing is not applicable to Discovery Proxy. Because every Discovery Proxy device therefore holds private signing key material, the delegated subdomains should be signed with their own keys (introduced by DS records in the parent zone) rather than with the parent zone's keys, so that compromise of a Discovery Proxy device does not expose keys for anything beyond the subdomains it serves.

7.2. NSEC and NSEC3 Records

In DNSSEC, NSEC [RFC4034] and NSEC3 [RFC5155] records are used to assert the nonexistence of certain names, also described as "authenticated denial of existence".

Since a Discovery Proxy only knows what names exist on the local link by issuing queries for them, and since it would be impractical to issue queries for every possible name just to find out which names exist and which do not, a Discovery Proxy cannot programmatically synthesize the traditional NSEC and NSEC3 records which assert the nonexistence of a large range of names.
Instead, when generating a negative response, a Discovery Proxy programmatically synthesizes a single NSEC record asserting the nonexistence of just the specific name queried, and no others. Since the Discovery Proxy has the zone signing key, it can do this on demand. Since the NSEC record asserts the nonexistence of only a single name, zone walking is not a concern, so NSEC3 is not necessary.

Note that this applies only to traditional immediate DNS queries, which may return immediate negative answers when no immediate positive answer is available. When used with a DNS Push Notification subscription [Push] there are no negative answers, merely the absence of answers so far, which may change in the future if answers become available.

8. IPv6 Considerations

An IPv4-only host and an IPv6-only host behave as "ships that pass in the night". Even if they are on the same Ethernet [IEEE-3], neither is aware of the other's traffic. For this reason, each link may have *two* unrelated ".local." zones, one for IPv4 and one for IPv6. Since for practical purposes, a group of IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act as if they were on two entirely separate Ethernet segments, it is unsurprising that their use of the ".local." zone should occur exactly as it would if they really were on two entirely separate Ethernet segments.

It will be desirable to have a mechanism to 'stitch' together these two unrelated ".local." zones so that they appear as one. Such a mechanism will need to be able to differentiate between a dual-stack (v4/v6) host participating in both ".local." zones, and two different hosts, one IPv4-only and the other IPv6-only, which are both trying to use the same name(s). Such a mechanism will be specified in a future companion document.
At present, it is RECOMMENDED that a Discovery Proxy be configured with a single domain name for both the IPv4 and IPv6 ".local." zones on the local link, and when a unicast query is received, it should issue Multicast DNS queries using both IPv4 and IPv6 on the local link, and then combine the results.

9. Security Considerations

9.1. Authenticity

A service proves its presence on a link by its ability to answer link-local multicast queries on that link. In other words, any host able to send multicast on the link can cause records of its choosing to appear in the delegated unicast subdomain; the Discovery Proxy authenticates nothing beyond presence on the link. If greater security is desired, then the Discovery Proxy mechanism should not be used, and something with stronger security should be used instead, such as authenticated secure DNS Update [RFC2136] [RFC3007].

9.2. Privacy

The Domain Name System is, generally speaking, a global public database. Records that exist in the Domain Name System name hierarchy can be queried by name from, in principle, anywhere in the world. If services on a mobile device (like a laptop computer) are made visible via the Discovery Proxy mechanism, then when those services become visible in a domain such as "My House.example.com" that might indicate to (potentially hostile) observers that the mobile device is in my house. When those services disappear from "My House.example.com" that change could be used by observers to infer when the mobile device (and possibly its owner) may have left the house. The privacy of this information may be protected using techniques like firewalls, split-view DNS, and Virtual Private Networks (VPNs), as are customarily used today to protect the privacy of corporate DNS information.

The privacy issue is particularly serious for the IPv4 and IPv6 reverse zones. If the public delegation of the reverse zones points to the Discovery Proxy, and the Discovery Proxy is reachable globally, then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might not be easy to identify, and learn their hostnames. Attackers could also discover the existence of links where hosts frequently come and go.

The Discovery Proxy could also provide sensitive records only to authenticated users. This is a general DNS problem, not specific to the Discovery Proxy. Work is underway in the IETF to tackle this problem [RFC7626].

9.3. Denial of Service

A remote attacker could use a rapid series of unique Unicast DNS queries to induce a Discovery Proxy to generate a rapid series of corresponding Multicast DNS queries on one or more of its local links. Multicast traffic is generally more expensive than unicast traffic -- especially on Wi-Fi links -- which makes this attack particularly serious. To limit the damage that can be caused by such attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem which it utilizes) MUST implement Multicast DNS query rate limiting appropriate to the link technology in question. For today's 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast packets per second is sufficient to consume approximately 100% of the wireless spectrum) a limit of 20 Multicast DNS query packets per second is RECOMMENDED. On other link technologies like Gigabit Ethernet, higher limits may be appropriate. A consequence of this rate limiting is that a rogue remote client could issue an excessive number of queries, resulting in denial of service to other legitimate remote clients attempting to use that Discovery Proxy. However, this is preferable to a rogue remote client being able to inflict even greater harm on the local network, which could impact the correct operation of all local clients on that network.

10. IANA Considerations

This document has no IANA Considerations.
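As an added illustration of the Multicast DNS query rate limiting that Section 9.3 requires (example code, not from the draft or from any Discovery Proxy implementation), a per-link token bucket that caps the multicast query packets the proxy will emit, so a burst of unique unicast queries is refused rather than flooding the link; the Gigabit Ethernet limit, the class names and the simulate_flood scenario are assumptions made for the example.

```python
# Multicast DNS query packets per second, per link technology.  The Wi-Fi
# value is the draft's RECOMMENDED 20/s; the Gigabit Ethernet value is an
# assumed placeholder, since the draft only says higher limits may apply.
LINK_QUERY_LIMITS = {"wifi": 20.0, "gigabit-ethernet": 200.0}


class MulticastQueryRateLimiter:
    """Token bucket: refills at `rate` tokens/s, holds at most one second's worth."""

    def __init__(self, rate: float) -> None:
        self.rate = rate
        self.tokens = rate  # start with a full bucket
        self.last = 0.0

    def try_acquire(self, now: float) -> bool:
        """Spend one token and return True if a query packet may be sent at `now`."""
        # max(0, ...) guards against a clock that steps backwards
        self.tokens = min(self.rate, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DiscoveryProxyLink:
    """One local link: decides whether a unicast query becomes an mDNS query."""

    def __init__(self, link_type: str) -> None:
        self.limiter = MulticastQueryRateLimiter(LINK_QUERY_LIMITS[link_type])
        self.forwarded = 0
        self.refused = 0

    def handle_unicast_query(self, qname: str, now: float) -> str:
        """Return "MULTICAST" if an mDNS query for qname goes out, "REFUSED" if limited."""
        if self.limiter.try_acquire(now):
            self.forwarded += 1
            return "MULTICAST"
        self.refused += 1  # remote clients, rogue or legitimate, get no answer now
        return "REFUSED"


def simulate_flood(link_type: str, count: int, at: float = 0.0) -> tuple:
    """Constructed scenario: `count` unique unicast queries arriving at one instant."""
    link = DiscoveryProxyLink(link_type)
    for i in range(count):
        link.handle_unicast_query(f"host{i}._ipp._tcp.example.com", at)
    return link.forwarded, link.refused
```

With the Wi-Fi limit, a burst of 100 unique queries at one instant yields 20 multicast queries and 80 refusals, which is the trade-off the section describes: remote clients lose service before the local link does.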
11. Acknowledgments

Thanks to Markus Stenberg for helping develop the policy regarding the four styles of unicast response according to what data is immediately available in the cache. Thanks to Anders Brandt, Ben Campbell, Tim Chown, Alissa Cooper, Spencer Dawkins, Ralph Droms, Joel Halpern, Ray Hunter, Joel Jaeggli, Warren Kumari, Ted Lemon, Alexey Melnikov, Kathleen Moriarty, Tom Pusateri, Eric Rescorla, Adam Roach, David Schinazi, Markus Stenberg, Dave Thaler, and Andrew Yourtchenko for their comments.

12. References

12.1. Normative References

[RFC1034]  Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

[RFC1035]  Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987.

[RFC1918]  Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998.

[RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003.

[RFC3927]  Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration of IPv4 Link-Local Addresses", RFC 3927, DOI 10.17487/RFC3927, May 2005.

[RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005.

[RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862, September 2007.

[RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008.

[RFC5198]  Klensin, J. and M. Padlipsky, "Unicode Format for Network Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008.

[RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013.

[RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[Push]     Pusateri, T. and S. Cheshire, "DNS Push Notifications", draft-ietf-dnssd-push-14 (work in progress), March 2018.

[DSO]      Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., Lemon, T., and T. Pusateri, "DNS Stateful Operations", draft-ietf-dnsop-session-signal-07 (work in progress), March 2018.

12.2. Informative References

[I-D.ietf-homenet-dot]  Pfister, P. and T. Lemon, "Special Use Domain 'home.arpa.'", draft-ietf-homenet-dot-14 (work in progress), September 2017.

[Roadmap]  Cheshire, S., "Service Discovery Road Map", draft-cheshire-dnssd-roadmap-03 (work in progress), October 2018.

[DNS-UL]   Sekar, K., "Dynamic DNS Update Leases", draft-sekar-dns-ul-01 (work in progress), August 2006.

[DNS-LLQ]  Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-llq-01 (work in progress), August 2006.

[RegProt]  Cheshire, S. and T. Lemon, "Service Registration Protocol for DNS-Based Service Discovery", draft-sctl-service-registration-00 (work in progress), July 2017.

[Relay]    Cheshire, S. and T. Lemon, "Multicast DNS Discovery Relay", draft-sctl-dnssd-mdns-relay-04 (work in progress), March 2018.

[RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

[RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997.

[RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

[RFC3492]  Costello, A., "Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003.

[RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

[RFC6760]  Cheshire, S. and M. Krochmal, "Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)", RFC 6760, DOI 10.17487/RFC6760, February 2013.

[RFC7558]  Lynn, K., Cheshire, S., Blanchet, M., and D. Migault, "Requirements for Scalable DNS-Based Service Discovery (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558, DOI 10.17487/RFC7558, July 2015.

[RFC7626]  Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, DOI 10.17487/RFC7626, August 2015.

[RFC7788]  Stenberg, M., Barth, S., and P. Pfister, "Home Networking Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 2016.

[ohp]      "Discovery Proxy (Hybrid Proxy) implementation for OpenWrt".

[ZC]       Cheshire, S. and D. Steinberg, "Zero Configuration Networking: The Definitive Guide", O'Reilly Media, Inc., ISBN 0-596-10100-7, December 2005.

[IEEE-1Q]  "IEEE Standard for Local and metropolitan area networks -- Bridges and Bridged Networks", IEEE Std 802.1Q-2014, November 2014.
[IEEE-3]   "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications", IEEE Std 802.3-2008, December 2008.

[IEEE-5]   Institute of Electrical and Electronics Engineers, "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 5: Token ring access method and physical layer specification", IEEE Std 802.5-1998, 1995.

[IEEE-11]  "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", IEEE Std 802.11-2007, June 2007.

Appendix A. Implementation Status

Some aspects of the mechanism specified in this document already exist in deployed software. Some aspects are new. This section outlines which aspects already exist and which are new.

A.1. Already Implemented and Deployed

Domain enumeration by the client (the "b._dns-sd._udp" queries) is already implemented and deployed.

Unicast queries to the indicated discovery domain are already implemented and deployed.

These are implemented and deployed in Mac OS X 10.4 and later (including all versions of Apple iOS, on all iPhones and iPads), in Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) and later.

Domain enumeration and unicast querying have been used for several years at IETF meetings to make Terminal Room printers discoverable from outside the Terminal Room. When an IETF attendee presses Cmd-P on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal Room printers appear, that is because the client is sending unicast DNS queries to the IETF DNS servers. A walk-through giving the details of this particular example is given in Appendix A of the Roadmap document [Roadmap].

A.2. Already Implemented

A minimal portable Discovery Proxy implementation has been produced by Markus Stenberg and Steven Barth, which runs on OS X and several Linux variants including OpenWrt [ohp]. It was demonstrated at the Berlin IETF in July 2013.

Tom Pusateri also has an implementation that runs on any Unix/Linux. It has a RESTful interface for management and an experimental demo CLI and web interface.

A.3. Partially Implemented

The current APIs make multiple domains visible to client software, but most client UI today lumps all discovered services into a single flat list. This is largely a chicken-and-egg problem. Application writers were naturally reluctant to spend time writing domain-aware UI code when few customers today would benefit from it. If Discovery Proxy deployment becomes common, then application writers will have a reason to provide better UI. Existing applications will work with the Discovery Proxy, but will show all services in a single flat list. Applications with improved UI will group services by domain.

The Long-Lived Query mechanism [DNS-LLQ] referred to in this specification exists and is deployed, but has not been standardized by the IETF. The IETF is developing a superior Long-Lived Query mechanism called DNS Push Notifications [Push], which is based on DNS Stateful Operations [DSO]. The pragmatic short-term deployment approach is for vendors to produce Discovery Proxies that implement both the deployed Long-Lived Query mechanism [DNS-LLQ] (for today's clients) and the new DNS Push Notifications mechanism [Push] as the preferred long-term direction.

Implementations of the translating/filtering Discovery Proxy specified in this document are under development, and operational experience with these implementations has guided updates to this document.

A.4. Not Yet Implemented

Client implementations of the new DNS Push Notifications mechanism [Push] are currently underway.

Author's Address

Stuart Cheshire
Apple Inc.
One Apple Park Way
Cupertino, California 95014
USA

Phone: +1 (408) 996-1010
Email: cheshire@apple.com