idnits 2.17.1 draft-ietf-dnssd-srp-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords.

   RFC 2119 keyword, line 153: '...rvices using SRP MUST use the domain n...'
   RFC 2119 keyword, line 156: '...e than one domain name, it MUST NOT be...'
   RFC 2119 keyword, line 229: '...ce Instance Name MUST be referenced by...'
   RFC 2119 keyword, line 340: '...s case a service MAY attempt to regist...'
   RFC 2119 keyword, line 347: '...t implements SRP MUST first attempt to...'
   (24 more instances...)

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
-- The document date (October 23, 2018) is 2009 days in the past. Is this intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
== Unused Reference: 'RFC8375' is defined on line 763, but no explicit reference was found in the text
== Unused Reference: 'RFC1034' is defined on line 777, but no explicit reference was found in the text
== Unused Reference: 'RFC3152' is defined on line 806, but no explicit reference was found in the text
== Outdated reference: A later version (-03) exists of draft-sekar-dns-ul-02
-- Obsolete informational reference (is this intentional?): RFC 3152 (Obsoleted by RFC 3596)
== Outdated reference: A later version (-10) exists of draft-ietf-dnssd-hybrid-08
== Outdated reference: A later version (-25) exists of draft-ietf-dnssd-push-15
== Outdated reference: A later version (-03) exists of draft-cheshire-dnssd-roadmap-02

Summary: 1 error (**), 0 flaws (~~), 8 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Internet Engineering Task Force                               S. Cheshire
Internet-Draft                                                  Apple Inc.
Intended status: Informational                                    T. Lemon
Expires: April 26, 2019                                Nibbhaya Consulting
                                                          October 23, 2018

        Service Registration Protocol for DNS-Based Service Discovery
                          draft-ietf-dnssd-srp-00

Abstract

The Service Registration Protocol for DNS-Based Service Discovery uses the standard DNS Update mechanism to enable DNS-Based Service Discovery using only unicast packets. This eliminates the dependency on Multicast DNS as the foundation layer, which greatly improves scalability and improves performance on networks where multicast service is not an optimal choice, particularly 802.11 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration uses public keys and SIG(0) to allow services to defend their registrations against attack.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 26, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Service Registration Protocol
  2.1. What to publish
  2.2. Where to publish it
  2.3. How to publish it
    2.3.1. How DNS-SD Service Registration differs from standard RFC2136 DNS Update
    2.3.2. Testing using standard RFC2136-compliant servers
    2.3.3. How to allow services to update standard RFC2136-compliant servers
  2.4. How to secure it
    2.4.1. First-Come First-Served Naming
    2.4.2. SRP Server Behavior
  2.5. TTL Consistency
  2.6. Maintenance
    2.6.1. Cleaning up stale data
    2.6.2. Sleep Proxy
3. Security Considerations
4. Privacy Considerations
5. Delegation of 'services.arpa.'
6. IANA Considerations
7. Acknowledgments
8. References
  8.1. Normative References
  8.2. Informative References
Authors' Addresses

1. Introduction

DNS-Based Service Discovery [RFC6763] is a component of Zero Configuration Networking [RFC6760] [ZC] [I-D.cheshire-dnssd-roadmap].

This document describes an enhancement to DNS-Based Service Discovery [RFC6763] that allows services to automatically register their services using the DNS protocol rather than using Multicast DNS [RFC6762] (mDNS). There is already a large installed base of DNS-SD clients that can do service discovery using the DNS protocol. This extension makes it much easier to take advantage of this existing functionality.
This document is intended for three audiences: implementors of software that provides services that should be advertised using DNS-SD, implementors of DNS servers that will be used in contexts where DNS-SD registration is needed, and administrators of networks where DNS-SD service is required. The document is intended to provide sufficient information to allow interoperable implementation of the registration protocol.

DNS-Based Service Discovery (DNS-SD) allows services to advertise the fact that they provide service, and to provide the information required to access that service. Clients can then discover the set of services of a particular type that are available. They can then select a service from among those that are available and obtain the information required to use it.

The Service Registration Protocol for DNS-SD (SRP), described in this document, provides a reasonably secure mechanism for publishing this information. Once published, these services can be readily discovered by clients using standard DNS lookups.

The DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information"), briefly discusses ways that services can publish their information in the DNS namespace. In the case of mDNS, it allows services to publish their information on the local link, using names in the ".local" namespace, which makes their services directly discoverable by peers attached to that same local link.

RFC6763 also allows clients to discover services using the DNS protocol [RFC1035]. This can be done by having a system administrator manually configure service information in the DNS, but manually populating DNS authoritative server databases is costly and potentially error-prone, and requires a knowledgeable network administrator. Consequently, although all DNS-SD client implementations of which we are aware support DNS-SD using DNS queries, in practice it is used much less frequently than mDNS.

The Discovery Proxy [I-D.ietf-dnssd-hybrid] provides one way to automatically populate the DNS namespace, but is only appropriate on networks where services are easily advertised using mDNS. This document describes a solution more suitable for networks where multicast is inefficient, or where sleepy devices are common, by supporting both offering of services, and discovery of services, using unicast.

2. Service Registration Protocol

Services that implement SRP use DNS Update [RFC2136] [RFC3007] to publish service information in the DNS. Two variants exist, one for full-featured hosts, and one for devices designed for "Constrained-Node Networks" [RFC7228].

Full-featured hosts are either configured manually with a registration domain, or use the "dr._dns-sd._udp.<domain>" query ([RFC6763] Section 11) to learn the default registration domain from the network. RFC6763 says to discover the registration domain using either ".local" or a network-supplied domain name for <domain>. Services using SRP MUST use the domain name received through the DHCPv4 Domain Name option ([RFC2132] section 3.17), if available, or the Neighbor Discovery DNS Search List option [RFC8106]. If the DNS Search List option contains more than one domain name, it MUST NOT be used. If neither option is available, the Service Registration protocol is not available on the local network.

Manual configuration of the registration domain can be done either by querying the list of available registration zones ("r._dns-sd._udp") and allowing the user to select one from the UI, or by any other means appropriate to the particular use case being addressed. Full-featured devices construct the names of the SRV, TXT, and PTR records describing their service(s) as subdomains of the chosen service registration domain. For these names they then discover the zone apex of the closest enclosing DNS zone using SOA queries [I-D.ietf-dnssd-push]. Having discovered the enclosing DNS zone, they query for the "_dnssd-srp._tcp" SRV record to discover the server to which they should send DNS updates.

For devices designed for Constrained-Node Networks [RFC7228] some simplifications are used. Instead of being configured with (or discovering) the service registration domain, the (proposed) special-use domain name [RFC6761] "services.arpa" is used. Instead of learning the server to which they should send DNS updates, a fixed IPv6 anycast address is used (value TBD). Anycasts are sent using UDP unless TCP is required due to the size of the update. It is the responsibility of a Constrained-Node Network supporting SRP to provide appropriate anycast routing to deliver the DNS updates to the appropriate server. It is the responsibility of the SRP server supporting a Constrained-Node Network to handle the updates appropriately. In some network environments, updates may be accepted directly into a local "services.arpa" zone, which has only local visibility. In other network environments, updates for names ending in "services.arpa" may be rewritten internally to names with broader visibility.

The reason for these different assumptions is that Constrained-Node Networks generally require special egress support, and Anycast packets captured at the Constrained-Node Network egress can be assumed to have originated locally. Low-power devices that typically use Constrained-Node Networks may have very limited battery power. The additional DNS lookups required to discover an SRP server and then communicate with it will increase the power required to advertise a service; for low-power devices, the additional flexibility this provides does not justify the additional use of power.

General networks have the potential to have more complicated topologies at the Internet layer, which makes anycast routing more difficult. Such networks may or may not have the infrastructure required to route anycast to a server that can process it. However, they can be assumed to be able to provide registration domain discovery and routing. By requiring the use of TCP, the possibility of off-network spoofing is eliminated.

We will discuss several parts to this process: how to know what to publish, how to know where to publish it (under what name), how to publish it, how to secure its publication, and how to maintain the information once published.

2.1. What to publish

We refer to the DNS Update message sent by services using SRP as an SRP update. Three types of updates appear in an SRP update: Service Discovery records, Service Description records, and Host Description records.

o Service Discovery records are one or more PTR RRs, mapping from the generic service type (or subtype) to the specific Service Instance Name.

o Service Description records are exactly one SRV RR, exactly one KEY RR, and one or more TXT RRs, all with the same name, the Service Instance Name ([RFC6763] section 4.1). In principle Service Description records can include other record types, with the same Service Instance Name, though in practice they rarely do. The Service Instance Name MUST be referenced by one or more Service Discovery PTR records, unless it is a placeholder service registration for an intentionally non-discoverable service name.

o The Host Description records for a service are a KEY RR, used to claim exclusive ownership of the service registration, and one or more RRs of type A or AAAA, giving the IPv4 or IPv6 address(es) of the host where the service resides.

RFC 6763 describes the details of what each of these types of updates contains and is the definitive source for information about what to publish; the reason for summarizing this here is to provide the reader with enough information about what will be published that the service registration process can be understood at a high level without first learning the full details of DNS-SD. Also, the "Service Instance Name" is an important aspect of first-come, first-serve naming, which we describe later on in this document.

2.2. Where to publish it

Multicast DNS uses a single namespace, ".local", which is valid on the local link. This convenience is not available for DNS-SD using the DNS protocol: services must exist in some specific unicast namespace.

As described above, full-featured devices are responsible for knowing in what domain they should register their services. Devices made for Constrained-Node Networks register in the (proposed) special use domain name [RFC6761] "services.arpa", and let the SRP server handle rewriting that to a different domain if necessary.

2.3. How to publish it

It is possible to issue a DNS Update that does several things at once; this means that it's possible to do all the work of adding a PTR resource record to the PTR RRset on the Service Name if it already exists, or creating one if it doesn't, and creating or updating the Service Instance Name and Host Description in a single transaction.

An SRP update is therefore implemented as a single DNS Update message that contains a service's Service Discovery records, Service Description records, and Host Description records.
Updates done according to this specification are somewhat different from regular DNS Updates as defined in RFC2136. RFC2136 uses a fairly heavyweight process for updating: you might first attempt to add a name if it doesn't exist; if that fails, then in a second message you might update the name if it does exist but matches certain preconditions. Because the registration protocol uses a single transaction, some of this adaptability is lost.

In order to allow updates to happen in a single transaction, SRP updates do not include update constraints. The constraints specified in Section 2.4.2 are implicit in the processing of SRP updates, and so there is no need for the service sending the SRP update to put in any explicit constraints.

2.3.1. How DNS-SD Service Registration differs from standard RFC2136 DNS Update

DNS-SD Service Registration is based on standard RFC2136 DNS Update, with some differences:

o It implements first-come first-served name allocation, protected using SIG(0) [RFC2931].

o It enforces policy about what updates are allowed.

o It optionally performs rewriting of "services.arpa" to some other domain.

o It optionally performs automatic population of the address-to-name reverse mapping domains.

o An SRP server is not required to implement general DNS Update prerequisite processing.

o Simplified clients are allowed to send updates to an anycast address, for names ending in "services.arpa".

2.3.2. Testing using standard RFC2136-compliant servers

It may be useful to set up a DNS server for testing that does not implement SRP. This can be done by configuring the server to listen on the anycast address, or advertising it in the _dnssd-srp._tcp SRV record. It must be configured to be authoritative for "services.arpa", and to accept updates from hosts on local networks for names under "services.arpa" without authentication, since such servers will not have support for FCFS authentication (Section 2.4.1).

A server configured in this way will be able to successfully accept and process SRP updates from services that send SRP updates. However, no constraints will be applied, and this means that the test server will accept internally inconsistent SRP updates, and will not stop two SRP updates, sent by different services, that claim the same name(s), from overwriting each other.

2.3.3. How to allow services to update standard RFC2136-compliant servers

Ordinarily SRP updates will fail when sent to an RFC 2136-compliant server that does not implement SRP because the zone being updated is "services.arpa", and no DNS server that is not an SRP server should normally be configured to be authoritative for "services.arpa". Therefore, a service that sends an SRP update can tell that the receiving server does not support SRP, but does support RFC2136, because the RCODE will either be NOTZONE, NOTAUTH or REFUSED, or because there is no response to the update request (when using the anycast address).

In this case a service MAY attempt to register itself using regular RFC2136 DNS updates. To do so, it must discover the default registration zone and the DNS server designated to receive updates for that zone, as described earlier using the _dns-update._udp SRV record. It can then make the update using the port and host pointed to by the SRV record, and should use appropriate constraints to avoid overwriting competing records. Such updates are out of scope for SRP, and a service that implements SRP MUST first attempt to use SRP to register itself, and should only attempt to use RFC2136 backwards compatibility if that fails. Although the owner name for the SRV record specifies the UDP protocol for updates, it is also possible to use TCP, when the update is too large.

2.4. How to secure it

Traditional DNS update is secured using the TSIG protocol, which uses a secret key shared between the client (which issues the update) and the server (which authenticates it). This model does not work for automatic service registration.

The goal of securing the DNS-SD Registration Protocol is to provide the best possible security given the constraint that service registration has to be automatic. It is possible to layer more operational security on top of what we describe here, but what we describe here improves upon the security of mDNS. The goal is not to provide the level of security of a network managed by a skilled operator.

2.4.1. First-Come First-Served Naming

First-Come First-Serve naming provides a limited degree of security: a service that registers its service using DNS-SD Registration protocol is given ownership of a name for an extended period of time based on the key used to authenticate the DNS Update. As long as the registration service remembers the name and the key used to register that name, no other service can add or update the information associated with that name. FCFS naming is used to protect both the Service Description and the Host Description.

2.4.1.1. Service Behavior

The service generates a public/private key pair. This key pair MUST be stored in stable storage; if there is no writable stable storage on the client, the client MUST be pre-configured with a public/private key pair in read-only storage that can be used. This key pair MUST be unique to the device.

When sending DNS updates, the service includes a KEY record containing the public portion of the key in each Host Description update and each Service Description update. Each KEY record MUST contain the same public key. The update is signed using SIG(0), using the private key that corresponds to the public key in the KEY record. The lifetimes of the records in the update are set using the EDNS(0) Update Lease option [I-D.sekar-dns-ul].

The lifetime of the DNS-SD PTR, SRV, A, AAAA and TXT records [RFC6763] uses the LEASE field of the Update Lease option, and is typically set to two hours. This means that if a device is disconnected from the network, it does not appear in the user interfaces of devices looking for services of that type for too long.

The lifetime of the KEY records is set using the KEY-LEASE field of the Update Lease Option, and should be set to a much longer time, typically 14 days. The result of this is that even though a device may be temporarily unplugged, disappearing from the network for a few days, it makes a claim on its name that lasts much longer.

This means that even if a device is unplugged from the network for a few days, and its services are not available for that time, no other rogue device can come along and immediately claim its name the moment it disappears from the network. In the event that a device is unplugged from the network and permanently discarded, then its name is eventually cleaned up and made available for re-use.

2.4.2. SRP Server Behavior

The SRP server first validates that the SRP update is a syntactically and semantically valid DNS Update according to the rules specified in RFC2136.

The SRP server checks each update in the SRP update to see that it contains a Service Discovery update, a Service Description update, and a Host Description update. Order matters in DNS updates. Specifically, deletes must precede adds for records that the deletes would affect; otherwise the add will have no effect. This is the only ordering constraint; aside from this constraint, updates may appear in whatever order is convenient when constructing the update.

An update is a Service Discovery update if it contains

o exactly one RRset update,
o which is for a PTR RR,
o which points to a Service Instance Name
o for which an update is present in the SRP update.
o Service Discovery updates do not contain any deletes, and do not contain any other updates.

An update is a Service Description update if, for the appropriate Service Instance Name, it contains

o exactly one "Delete all RRsets from a name" update,
o exactly one SRV RRset update,
o exactly one KEY RR update that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message,
o one or more TXT RRset updates,
o and the target of the SRV record update references a hostname for which there is a Host Description update in the SRP update.
o Service Descriptions do not update any other records.

An update is a Host Description update if, for the appropriate hostname, it contains

o exactly one "Delete all RRsets from a name" update,
o one or more A or AAAA RR update(s),
o exactly one KEY RR update that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message,
o there is a Service Instance Name update in the SRP update that updates an SRV RR so that it points to the hostname being updated by this update.
o Host Description updates do not update any other records.

An SRP update MUST include at least one Service Discovery update, at least one Service Description update, and exactly one Host Description update. An update message that does not is not an SRP update. An update message that contains any other updates, or any update constraints, is not an SRP update. Such messages should either be processed as regular RFC2136 updates, including access control checks and constraint checks, if supported, or else rejected with RCODE=REFUSED.

Note that if the definitions of each of these update types are followed carefully, this means that many things that look very much like SRP updates nevertheless are not. For example, a DNS update that contains an update to a Service Name and an update to a Service Instance Name, where the Service Name does not reference the Service Instance Name, is not a valid SRP update message, but may be a valid RFC2136 update.

Assuming that an update message has been validated with these conditions and is a valid SRP update, the server checks that the name in the Host Description update exists. If so, then the server checks to see if the KEY record on the name is the same as the KEY record in the update. The server performs the same check for the KEY records in any Service Description update. If any existing KEY record corresponding to a KEY record in the SRP update does not match the KEY record in the SRP update, then the server MUST reject the SRP update with the YXDOMAIN RCODE.

Otherwise, the server validates the SRP update using SIG(0) on the public key in the KEY record of the Host Description update. If the validation fails, the server MUST reject the SRP Update with the REFUSED RCODE. Otherwise, the SRP update is considered valid and authentic, and is processed according to the method described in RFC2136. The status that is returned depends on the result of processing the update.

The server MAY add a Reverse Mapping that corresponds to the Host Description. This is not required because the Reverse Mapping serves no protocol function, but it may be useful for debugging, e.g. in annotating network packet traces or logs.
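The validation sequence of Section 2.4.2 (structural classification of the three update types, the first-come first-served KEY comparison answered with YXDOMAIN, then SIG(0) answered with REFUSED) as an added example, not code from the draft or from any SRP implementation. The RR/Update model, the in-memory zone of existing KEY records and the sig0_verifies hook are assumptions that stand in for wire-format parsing and real signature checking; the block also applies the same-TTL rule of Section 2.5.

```python
"""Validation of an SRP update as an SRP server does it (draft section 2.4.2).
Added example, not code from the draft or any SRP implementation; the record
model, in-memory zone and SIG(0) hook are assumptions that replace wire parsing.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # PTR, SRV, TXT, KEY, A or AAAA
    rdata: str   # simplified: target name, public key blob, text or address
    ttl: int = 0

@dataclass(frozen=True)
class Update:
    op: str      # "ADD", or "DELETE_NAME" ("Delete all RRsets from a name", RFC 2136)
    rr: RR

def _adds(group: List[Update], rtype: str) -> List[RR]:
    return [u.rr for u in group if u.op == "ADD" and u.rr.rtype == rtype]

def _is_host_description(group: List[Update]) -> bool:
    """One delete-all, one or more A/AAAA adds, exactly one KEY add, nothing else."""
    addrs, keys = _adds(group, "A") + _adds(group, "AAAA"), _adds(group, "KEY")
    return (sum(u.op == "DELETE_NAME" for u in group) == 1 and bool(addrs)
            and len(keys) == 1 and len(group) == 2 + len(addrs))

def _is_service_description(group: List[Update]) -> bool:
    """One delete-all, exactly one SRV, exactly one KEY, one or more TXT, nothing else."""
    srv, keys, txt = _adds(group, "SRV"), _adds(group, "KEY"), _adds(group, "TXT")
    return (sum(u.op == "DELETE_NAME" for u in group) == 1 and len(srv) == 1
            and len(keys) == 1 and bool(txt) and len(group) == 3 + len(txt))

def _is_service_discovery(group: List[Update]) -> bool:
    """Exactly one RRset update, which is a PTR add; no deletes."""
    return len(group) == 1 and group[0].op == "ADD" and group[0].rr.rtype == "PTR"

def validate_srp_update(updates: List[Update], has_prerequisites: bool, zone_keys: Dict[str, str],
                        sig0_verifies: Callable[[str], bool]) -> Tuple[str, str]:
    """Return (status, reason); status is OK, NOT_SRP (handle as plain RFC 2136 or
    REFUSE), YXDOMAIN or REFUSED."""
    if has_prerequisites:
        return "NOT_SRP", "SRP updates carry no update constraints"
    groups: Dict[str, List[Update]] = defaultdict(list)
    for u in updates:
        groups[u.rr.name].append(u)
    # Classify each owner name; descriptions and PTRs must reference names in this message.
    hosts = {n for n, g in groups.items() if _is_host_description(g)}
    services = {n for n, g in groups.items()
                if _is_service_description(g) and _adds(g, "SRV")[0].rdata in hosts}
    discovery = {n for n, g in groups.items()
                 if _is_service_discovery(g) and g[0].rr.rdata in services}
    if len(hosts) != 1 or not services or not discovery:
        return "NOT_SRP", "need >=1 Service Discovery, >=1 Service Description, exactly 1 Host Description"
    if set(groups) != hosts | services | discovery:
        return "NOT_SRP", "message contains updates outside the three SRP update types"
    # Section 2.5: every RR in an SRP update carries the same TTL.
    if len({u.rr.ttl for u in updates if u.op == "ADD"}) != 1:
        return "REFUSED", "inconsistent TTLs within the SRP update"
    # Section 2.4.1.1: every KEY RR in the update holds the same public key.
    keys = {k.rdata for g in groups.values() for k in _adds(g, "KEY")}
    if len(keys) != 1:
        return "NOT_SRP", "KEY records in the update disagree"
    (update_key,) = keys
    # First-come first-served: a name already held under another KEY is not overwritten.
    for name in sorted(hosts | services):
        if zone_keys.get(name, update_key) != update_key:
            return "YXDOMAIN", f"{name} is owned by a different key"
    # Authenticity: SIG(0) over the message, verified with the Host Description's KEY.
    if not sig0_verifies(update_key):
        return "REFUSED", "SIG(0) verification failed"
    return "OK", "valid and authentic SRP update; process it per RFC 2136"

# Constructed sample: a printer on a constrained-node network registering an
# "_ipp._tcp" instance under the proposed "services.arpa" domain.
SERVICE = "_ipp._tcp.services.arpa"
INSTANCE = "Hall Printer._ipp._tcp.services.arpa"
HOST = "printer-1.services.arpa"
PRINTER_KEY = "KEY-PRINTER-1"   # placeholder for the device's public key
SAMPLE_UPDATE = [
    Update("ADD", RR(SERVICE, "PTR", INSTANCE, 7200)),
    Update("DELETE_NAME", RR(INSTANCE, "ANY", "")),   # deletes precede the adds they affect
    Update("ADD", RR(INSTANCE, "SRV", HOST, 7200)),
    Update("ADD", RR(INSTANCE, "TXT", "txtvers=1", 7200)),
    Update("ADD", RR(INSTANCE, "KEY", PRINTER_KEY, 7200)),
    Update("DELETE_NAME", RR(HOST, "ANY", "")),
    Update("ADD", RR(HOST, "AAAA", "2001:db8::10", 7200)),
    Update("ADD", RR(HOST, "KEY", PRINTER_KEY, 7200)),
]

def check(zone_keys: Dict[str, str], signature_valid: bool = True,
          has_prerequisites: bool = False) -> Tuple[str, str]:
    """Run the sample against a zone's existing KEY records. The lambda stands in for
    SIG(0) verification, which a real server performs over the message bytes."""
    return validate_srp_update(SAMPLE_UPDATE, has_prerequisites, zone_keys,
                               lambda key: signature_valid and key == PRINTER_KEY)
```

check({}) accepts the registration into an empty zone, while check({INSTANCE: "KEY-OTHER-DEVICE"}) returns YXDOMAIN because the Service Instance Name is already held under a different key.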
503 The server MAY apply additional criteria when accepting updates. In 504 some networks, it may be possible to do out-of-band registration of 505 keys, and only accept updates from pre-registered keys. In this 506 case, an update for a key that has not been registered should be 507 rejected with the REFUSED RCODE. 509 There are at least two benefits to doing this rather than simply 510 using normal SIG(0) DNS updates. First, the same registration 511 protocol can be used in both cases, so both use cases can be 512 addressed by the same service implementation. Second, the 513 registration protocol includes maintenance functionality not present 514 with normal DNS updates. 516 Note that the semantics of using SRP in this way are different than 517 for typical RFC2136 implementations: the KEY used to sign the SRP 518 update only allows the client to update records that refer to its 519 Host Description. RFC2136 implementations do not normally provide a 520 way to enforce a constraint of this type. 522 The server may also have a dictionary of names or name patterns that 523 are not permitted. If such a list is used, updates for Service 524 Instance Names that match entries in the dictionary are rejected with 525 YXDOMAIN. 527 2.5. TTL Consistency 529 All RRs within an RRset are required to have the same TTL 530 (Clarifications to the DNS Specification [RFC2181], Section 5.2). In 531 order to avoid inconsistencies, SRP places restrictions on TTLs sent 532 by services and requires that SRP Servers enforce consistency. 534 Services sending SRP updates MUST use consistent TTLs in all RRs 535 within the SRP update. 537 SRP update servers MUST check that the TTLs for all RRs within the 538 SRP update are the same. If they are not, the SRP update MUST be 539 rejected with a REFUSED RCODE. 541 Additionally, when adding RRs to an RRset, for example when 542 processing Service Discovery records, the server MUST use the same 543 TTL on all RRs in the RRset. 
How this consistency is enforced is up 544 to the implementation. 546 TTLs sent in SRP updates are advisory: they indicate the client's 547 guess as to what a good TTL would be. SRP servers may override these 548 TTLs. SRP servers SHOULD ensure that TTLs are reasonable: neither 549 too long nor too short. The TTL should never be longer than the 550 lease time Section 2.6.1. Shorter TTLs will result in more frequent 551 data refreshes; this increases latency on the client side, and 552 increases load on any caching resolvers and on the authoritative 553 server. Longer TTLs will increase the likelihood that data in caches 554 will be stale. TTL minimums and maximums SHOULD be configurable by 555 the operator of the SRP server. 557 2.6. Maintenance 559 2.6.1. Cleaning up stale data 561 Because the DNS-SD registration protocol is automatic, and not 562 managed by humans, some additional bookkeeping is required. When an 563 update is constructed by the client, it MUST include include an 564 EDNS(0) Update Lease Option [I-D.sekar-dns-ul]. The Update Lease 565 Option contains two lease times: the Lease Time and the Key Lease 566 Time. 568 These leases are promises, similar to DHCP leases [RFC2131], from the 569 client that it will send a new update for the service registration 570 before the lease time expires. The Lease time is chosen to represent 571 the time after the update during which the registered records other 572 than the KEY record should be assumed to be valid. The Key Lease 573 time represents the time after the update during which the KEY record 574 should be assumed to be valid. 576 The reasoning behind the different lease times is discussed in the 577 section on first-come, first-served naming Section 2.4.1. SRP 578 servers may be configured with limits for these values. A default 579 limit of two hours for the Lease and 14 days for the SIG(0) KEY are 580 currently thought to be good choices. 
Clients that are going to continue to use names on which they hold leases should update well before the lease ends, in case the registration service is unavailable or under heavy load.

The SRP server MUST include an EDNS(0) Update Lease option in the response if the lease time proposed by the service has been shortened or lengthened. The service MUST check for the EDNS(0) Update Lease option in the response and MUST use the lease times from that option in place of the values that it sent to the server when deciding when to update its registration. The times may be shorter or longer than those specified in the SRP update; the client must honor them in either case.

Clients should assume that each lease ends N seconds after the update was first transmitted, where N is the lease duration. Servers should assume that each lease ends N seconds after the update that was successfully processed was received. Because the server always receives the update after the client sent it, the server's expiry time is never earlier than the client's; a client that renews before its own deadline therefore always renews before the server discards its records.

SRP servers MUST reject updates that do not include an EDNS(0) Update Lease option. Dual-use servers MAY accept updates that don't include leases, but SHOULD differentiate between SRP updates and other updates, and MUST reject updates that would otherwise be SRP updates if they do not include leases.

Lease times have a completely different function from TTLs. On an authoritative DNS server, the TTL on a resource record is a constant: whenever that RR is served in a DNS response, the TTL value sent in the answer is the same. The lease time is never sent as a TTL; its sole purpose is to determine when the authoritative DNS server will delete stale records. It is not an error to send a DNS response with a TTL of 'n' when the remaining time on the lease is less than 'n'.

2.6.2.
Sleep Proxy

Another use of SRP is for devices that sleep to reduce power consumption.

In this case, in addition to the DNS Update Lease option [I-D.sekar-dns-ul] described above, the device includes an EDNS(0) OWNER Option [I-D.cheshire-edns0-owner-option].

The EDNS(0) Update Lease option constitutes a promise by the device that it will wake up before this time elapses, to renew its registration and thereby demonstrate that it is still attached to the network. If it fails to renew the registration by this time, that indicates that it is no longer attached to the network, and its registration (except for the KEY in the Host Description) should be deleted.

The EDNS(0) OWNER Option indicates that the device will be asleep, and will not be receptive to normal network traffic. When a DNS server receives a DNS Update with an EDNS(0) OWNER Option, that signifies that the SRP server should set up a proxy for any IPv4 or IPv6 address records in the DNS Update message. This proxy should send ARP or ND messages claiming ownership of the IPv4 and/or IPv6 addresses in the records in question. In addition, the proxy should answer future ARP or ND requests for those IPv4 and/or IPv6 addresses, claiming ownership of them. When the proxy receives a TCP SYN or UDP packet addressed to one of the IPv4 or IPv6 addresses for which it is proxying, it should then wake up the sleeping device using the information in the EDNS(0) OWNER Option. At present, version 0 of the OWNER Option specifies the "Wake-on-LAN Magic Packet" that needs to be sent; future versions could be extended to specify other wakeup mechanisms.

Note that although the authoritative DNS server that implements the SRP function need not be on the same link as the sleeping host, the Sleep Proxy must be on the same link.
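The bookkeeping a Sleep Proxy needs for the behaviour just described, as an added example that is not code from this draft, from the OWNER option draft, or from any SRP server: parse the OWNER option, claim the A/AAAA addresses carried in the update, decide which incoming packets warrant a wake, release the addresses when the lease lapses, and build the version-0 Wake-on-LAN magic packet. The option body layout assumed here (version, sequence, 6-octet primary MAC, optional 6-octet wakeup MAC, optional 4- or 6-octet password) is the editor's reading of draft-cheshire-edns0-owner-option-01 and should be checked against that draft; RR is a stand-in for a parsed record. Actually answering ARP/ND on the link and transmitting the magic packet need link-layer access and are left out.

```python
"""Sleep-proxy bookkeeping for an SRP server honouring the EDNS(0) OWNER
option (Section 2.6.2).

Added example; not code from the draft, from any SRP server, or from the
OWNER option draft.  The OWNER option body layout decoded below is an
assumption (the editor's reading of draft-cheshire-edns0-owner-option-01).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

OWNER_BODY_LENGTHS = (8, 14, 18, 20)   # assumed valid option body lengths


@dataclass
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class OwnerOption:
    version: int
    sequence: int
    primary_mac: bytes
    wakeup_mac: Optional[bytes] = None
    password: Optional[bytes] = None


def parse_owner_option(body: bytes) -> OwnerOption:
    """Decode the OWNER option body (layout assumed, see module docstring)."""
    if len(body) not in OWNER_BODY_LENGTHS:
        raise ValueError("unexpected OWNER option length %d" % len(body))
    wakeup = body[8:14] if len(body) >= 14 else None
    password = body[14:] if len(body) > 14 else None
    return OwnerOption(body[0], body[1], body[2:8], wakeup, password)


def magic_packet(mac: bytes, password: Optional[bytes] = None) -> bytes:
    """Wake-on-LAN magic packet: six 0xFF octets, the MAC repeated 16 times,
    optionally followed by a 4- or 6-octet SecureOn password."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    if password is not None and len(password) not in (4, 6):
        raise ValueError("password must be 4 or 6 octets")
    return b"\xff" * 6 + mac * 16 + (password or b"")


class SleepProxy:
    """Tracks the addresses claimed on the link on behalf of sleeping hosts."""

    def __init__(self):
        self.claimed = {}   # ipaddress object -> OwnerOption of the sleeper

    def register(self, rrs: List[RR], owner: OwnerOption) -> List[str]:
        """Claim every A/AAAA address in the update; return what was claimed."""
        claimed = []
        for rr in rrs:
            if rr.rtype in ("A", "AAAA"):
                addr = ipaddress.ip_address(rr.rdata)
                self.claimed[addr] = owner
                claimed.append(str(addr))
        return claimed

    def release(self, primary_mac: bytes) -> int:
        """Lease lapsed without renewal: stop claiming that host's addresses."""
        gone = [a for a, o in self.claimed.items() if o.primary_mac == primary_mac]
        for a in gone:
            del self.claimed[a]
        return len(gone)

    def answers_for(self, ip: str) -> bool:
        """Would the proxy answer an ARP/ND request for this address?"""
        return ipaddress.ip_address(ip) in self.claimed

    def wake_packet_for(self, dst_ip: str, kind: str) -> Optional[bytes]:
        """On a TCP SYN or UDP packet to a claimed address, return the magic
        packet to put on the link; anything else is dropped (None)."""
        owner = self.claimed.get(ipaddress.ip_address(dst_ip))
        if owner is None or kind not in ("tcp-syn", "udp"):
            return None
        if owner.version != 0:
            return None   # only version 0 (Wake-on-LAN) is defined so far
        return magic_packet(owner.wakeup_mac or owner.primary_mac, owner.password)
```

The wakeup MAC, when present, is the interface that should receive the magic packet; otherwise the primary MAC is used. A packet kind other than a TCP SYN or UDP (an ICMP echo, say) does not wake the host, matching the text above.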
It is not required that sleepy nodes on a Constrained-Node Network support sleep proxy. Such devices may have different mechanisms for dealing with sleep and wakeup. An SRP registration for such a device will be useful regardless of the mechanism whereby messages are delivered to the sleepy end device. For example, the message might be held in a buffer for an extended period of time by an intermediate device on a mesh network, and then delivered to the device when it wakes up. The exact details of such behaviors are out of scope for this document.

3.  Security Considerations

SRP updates have no authorization semantics other than first-come, first-served. This means that if an attacker from outside of the administrative domain of the server knows the server's IP address, it can in principle send updates to the server that will be processed successfully. Servers should therefore be configured to reject updates from source addresses outside of the administrative domain of the server.

For Anycast updates, this validation must be enforced by every router that connects the Constrained-Device Network to the unconstrained portion of the network. For TCP updates, the initial SYN-SYN+ACK handshake prevents updates being forged by an off-network attacker. In order to ensure that this handshake happens, SRP servers MUST NOT accept TCP Fast Open payloads. For UDP, a source-address check is only as strong as the ingress filtering at the network boundary, since an off-network attacker can otherwise spoof an in-domain source address.

Note that these rules only apply to the validation of SRP updates. A server that accepts updates from DNS-SD registration protocol clients may also accept other DNS updates, and those DNS updates may be validated using different rules. However, in the case of a DNS service that accepts SRP updates, the intersection of the SRP update rules and whatever other update rules are present must be considered very carefully.
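The acceptance rules of this section together with those of Section 2.4 (pre-registered keys rejected with REFUSED, forbidden names with YXDOMAIN) and the first-come, first-served ownership rule that the KEY signing an update only covers records the same KEY registered, as an added example in Python that is not code from this draft or from any SRP server. Update, RR, Policy and the key identifiers are simplifications: SIG(0) verification is assumed to have already succeeded, and key_id names the KEY that verified. The handling of a non-SRP (RFC2136) update on a dual-use server follows the recommendation in the next paragraph: a name registered through SRP is refused to any update carrying a different key. TCP Fast Open is a listening-socket setting (TCP_FASTOPEN must simply not be enabled on the SRP listener) and is not modelled here.

```python
"""Acceptance checks an SRP server applies before it processes an update.

Added example; not code from draft-ietf-dnssd-srp-00 or from any SRP
server.  Update, RR and Policy are simplified stand-ins; key_id stands
for the SIG(0) KEY that already verified the update's signature.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NOERROR, REFUSED, YXDOMAIN = "NOERROR", "REFUSED", "YXDOMAIN"


@dataclass
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class Update:
    source_ip: str
    key_id: str              # identifies the SIG(0) KEY that verified
    rrs: List[RR]
    via_srp: bool = True     # False: plain RFC2136 update on a dual-use server


@dataclass
class Policy:
    admin_prefixes: List[str]                    # Section 3 source filter
    registered_keys: Optional[Set[str]] = None   # None: no out-of-band key list
    forbidden_patterns: List[str] = field(default_factory=list)


class SrpServer:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.admin_nets = [ipaddress.ip_network(p) for p in policy.admin_prefixes]
        self.owner: Dict[str, str] = {}        # name -> key_id that registered it
        self.zone: Dict[str, List[RR]] = {}    # name -> records currently served

    def source_allowed(self, ip: str) -> bool:
        """Section 3: only sources inside the administrative domain."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.admin_nets)

    def name_forbidden(self, name: str) -> bool:
        """Section 2.4: operator dictionary of disallowed names or patterns."""
        return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
                   for pat in self.policy.forbidden_patterns)

    def accept(self, upd: Update) -> str:
        """Return the RCODE the server would send; apply the update on NOERROR."""
        if not self.source_allowed(upd.source_ip):
            return REFUSED
        keys = self.policy.registered_keys
        if keys is not None and upd.key_id not in keys:
            return REFUSED                    # key not pre-registered
        if any(self.name_forbidden(rr.name) for rr in upd.rrs):
            return YXDOMAIN
        # First-come, first-served: a name already bound to another KEY cannot
        # be touched, whether the update arrived via SRP or via plain RFC2136.
        for rr in upd.rrs:
            bound_to = self.owner.get(rr.name)
            if bound_to is not None and bound_to != upd.key_id:
                return REFUSED
        # Apply: replace each (name, type) RRset wholesale, as an update does.
        new: Dict[tuple, List[RR]] = {}
        for rr in upd.rrs:
            new.setdefault((rr.name, rr.rtype), []).append(rr)
        for (name, rtype), rrset in new.items():
            if upd.via_srp:
                self.owner[name] = upd.key_id   # only SRP binds a name to a KEY
            kept = [r for r in self.zone.get(name, []) if r.rtype != rtype]
            self.zone[name] = kept + rrset
        return NOERROR


if __name__ == "__main__":
    # Constructed scenario: a printer registers, then a second client with a
    # different key tries to take the name over from inside the domain.
    srv = SrpServer(Policy(["192.0.2.0/24", "2001:db8::/32"],
                           forbidden_patterns=["admin*"]))
    name = "Lobby Printer._ipp._tcp.services.arpa."
    rrs = [RR(name, "SRV", 300, "0 0 631 printer.services.arpa.")]
    print(srv.accept(Update("192.0.2.10", "k1", rrs)))     # NOERROR
    print(srv.accept(Update("192.0.2.11", "k2", rrs)))     # REFUSED
```

The order matters: the cheap source-address check runs first so an off-domain sender never reaches the signature or name logic, and the ownership check runs for every name in the update so a single update cannot mix a renewal of its own records with a grab of someone else's.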
For example, a normal, authenticated RFC2136 update to any RR that was added using SRP, but that is authenticated using a different key, could be used to override a promise made by the registration protocol, by replacing all or part of the service registration information with information provided by a different client. An implementation that allows both kinds of updates should not allow updates to records added by SRP updates using different authentication and authorization credentials.

4.  Privacy Considerations

5.  Delegation of 'services.arpa.'

In order to be fully functional, there must be a delegation of 'services.arpa.' in the '.arpa.' zone [RFC3172]. This delegation should be set up as was done for 'home.arpa', as a result of the specification in [RFC8375], Section 7.

6.  IANA Considerations

IANA is requested to record the domain name 'services.arpa.' in the Special-Use Domain Names registry [SUDN]. IANA is requested, with the approval of the IAB, to implement the delegation requested in Section 5.

IANA is further requested to add a new entry to the "Transport-Independent Locally-Served Zones" subregistry of the "Locally-Served DNS Zones" registry [LSDZ]. The entry will be for 'services.arpa.' with the description "DNS-SD Registration Protocol Special-Use Domain", listing this document as the reference.

IANA is also requested to add a new entry to the Service Names and Port Numbers registry for dnssd-srp with a transport type of tcp. No port number is to be assigned. The reference should be to this document, and the Assignee and Contact information should reference the authors of this document. The Description should be as follows:

Availability of DNS Service Discovery Service Registration Protocol Service for a given domain is advertised using the "_dnssd-srp._tcp.<domain>"
SRV record, which gives the target host and port where DNSSD Service Registration Service is provided for the named domain.

7.  Acknowledgments

Thanks to Toke Hoeiland-Joergensen for a thorough technical review, to Tamara Kemper for doing a nice developmental edit, Tim Wattenberg for doing a service implementation at the Montreal Hackathon at IETF 102, Tom Pusateri for reviewing during the hackathon and afterwards, and [...] more reviewers to come, hopefully.

8.  References

8.1.  Normative References

[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.

[I-D.sekar-dns-ul] Cheshire, S. and T. Lemon, "Dynamic DNS Update Leases", draft-sekar-dns-ul-02 (work in progress), August 2018.

[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

[RFC3172] Huston, G., Ed., "Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, September 2001.

[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 Router Advertisement Options for DNS Configuration", RFC 8106, DOI 10.17487/RFC8106, March 2017.

[RFC8375] Pfister, P. and T. Lemon, "Special-Use Domain 'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018.

[SUDN] "Special-Use Domain Names Registry", July 2012.

[LSDZ] "Locally-Served DNS Zones Registry", July 2011.

8.2.  Informative References

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March 1997.

[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997.

[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 2000.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

[RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152, DOI 10.17487/RFC3152, August 2001.

[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)", RFC 6760, DOI 10.17487/RFC6760, February 2013.

[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013.

[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013.

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014.

[I-D.ietf-dnssd-hybrid] Cheshire, S., "Discovery Proxy for Multicast DNS-Based Service Discovery", draft-ietf-dnssd-hybrid-08 (work in progress), March 2018.

[I-D.ietf-dnssd-push] Pusateri, T. and S. Cheshire, "DNS Push Notifications", draft-ietf-dnssd-push-15 (work in progress), September 2018.

[I-D.cheshire-dnssd-roadmap] Cheshire, S., "Service Discovery Road Map", draft-cheshire-dnssd-roadmap-02 (work in progress), October 2018.

[I-D.cheshire-edns0-owner-option] Cheshire, S. and M.
Krochmal, "EDNS0 OWNER Option", draft-cheshire-edns0-owner-option-01 (work in progress), July 2017.

[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration Networking: The Definitive Guide", O'Reilly Media, Inc., ISBN 0-596-10100-7, December 2005.

Authors' Addresses

Stuart Cheshire
Apple Inc.
One Apple Park Way
Cupertino, California 95014
USA

Phone: +1 408 974 3207
Email: cheshire@apple.com

Ted Lemon
Nibbhaya Consulting
P.O. Box 958
Brattleboro, Vermont 05302
United States of America

Email: mellon@fugue.com