idnits 2.17.1

draft-ietf-dnssd-srp-01.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------

No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------

** There are 4 instances of too long lines in the document, the longest one being 22 characters in excess of 72.

== There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed.

** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords.

RFC 2119 keyword, line 162: '...rvices using SRP MUST use the domain n...'
RFC 2119 keyword, line 165: '...e than one domain name, it MUST NOT be...'
RFC 2119 keyword, line 239: '...ce Instance Name MUST be referenced by...'
RFC 2119 keyword, line 358: '...s case a service MAY attempt to regist...'
RFC 2119 keyword, line 365: '...t implements SRP MUST first attempt to...'
(31 more instances...)

Miscellaneous warnings:
----------------------------------------------------------------------------

== The copyright year in the IETF Trust and authors Copyright Line does not match the current year

-- The document date (March 11, 2019) is 1867 days in the past. Is this intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------

== Unused Reference: 'RFC8375' is defined on line 834, but no explicit reference was found in the text
== Unused Reference: 'RFC1034' is defined on line 854, but no explicit reference was found in the text
== Unused Reference: 'RFC3152' is defined on line 883, but no explicit reference was found in the text
== Outdated reference: A later version (-03) exists of draft-sekar-dns-ul-02
== Outdated reference: A later version (-10) exists of draft-ietf-dnsop-algorithm-update-06
-- Obsolete informational reference (is this intentional?): RFC 3152 (Obsoleted by RFC 3596)
== Outdated reference: A later version (-10) exists of draft-ietf-dnssd-hybrid-08
== Outdated reference: A later version (-25) exists of draft-ietf-dnssd-push-17

Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Internet Engineering Task Force                               S. Cheshire
Internet-Draft                                                 Apple Inc.
Intended status: Informational                                   T. Lemon
Expires: September 12, 2019                           Nibbhaya Consulting
                                                           March 11, 2019

Service Registration Protocol for DNS-Based Service Discovery
draft-ietf-dnssd-srp-01

Abstract

The Service Registration Protocol for DNS-Based Service Discovery uses the standard DNS Update mechanism to enable DNS-Based Service Discovery using only unicast packets. This makes it possible to deploy DNS Service Discovery without multicast, which greatly improves scalability and improves performance on networks where multicast service is not an optimal choice, particularly 802.11 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration uses public keys and SIG(0) to allow services to defend their registrations against attack.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2019.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Service Registration Protocol
  2.1. What to publish
  2.2. Where to publish it
  2.3. How to publish it
    2.3.1. How DNS-SD Service Registration differs from standard RFC2136 DNS Update
    2.3.2. Testing using standard RFC2136-compliant servers
    2.3.3. How to allow services to update standard RFC2136-compliant servers
  2.4. How to secure it
    2.4.1. First-Come First-Served Naming
    2.4.2. SRP Server Behavior
  2.5. TTL Consistency
  2.6. Maintenance
    2.6.1. Cleaning up stale data
    2.6.2. Sleep Proxy
3. Security Considerations
  3.1. Source Validation
  3.2. SIG(0) signature validation
  3.3. Required Signature Algorithm
4. Privacy Considerations
5. Delegation of 'services.arpa.'
6. IANA Considerations
  6.1. Registration and Delegation of 'services.arpa' as a Special-Use Domain Name
  6.2. 'dnssd-srp' Service Name
  6.3. Anycast Address
7. Acknowledgments
8. References
  8.1. Normative References
  8.2. Informative References
Appendix A. Sample BIND9 configuration for default.services.arpa.
Authors' Addresses

1. Introduction

DNS-Based Service Discovery [RFC6763] is a component of Zero Configuration Networking [RFC6760] [ZC] [I-D.cheshire-dnssd-roadmap].
This document describes an enhancement to DNS-Based Service Discovery [RFC6763] that allows services to automatically register their services using the DNS protocol rather than using Multicast DNS [RFC6762] (mDNS). There is already a large installed base of DNS-SD clients that can discover services using the DNS protocol. This extension makes it much easier to take advantage of this existing functionality.

This document is intended for three audiences: implementors of software that provides services that should be advertised using DNS-SD, implementors of DNS servers that will be used in contexts where DNS-SD registration is needed, and administrators of networks where DNS-SD service is required. The document is intended to provide sufficient information to allow interoperable implementation of the registration protocol.

DNS-Based Service Discovery (DNS-SD) allows services to advertise the fact that they provide service, and to provide the information required to access that service. Clients can then discover the set of services of a particular type that are available. They can then select a service from among those that are available and obtain the information required to use it.

The Service Registration Protocol for DNS-SD (SRP), described in this document, provides a reasonably secure mechanism for publishing this information. Once published, these services can be readily discovered by clients using standard DNS lookups.

The DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information"), briefly discusses ways that services can publish their information in the DNS namespace. In the case of mDNS, it allows services to publish their information on the local link, using names in the ".local" namespace, which makes their services directly discoverable by peers attached to that same local link.

RFC6763 also allows clients to discover services using the DNS protocol [RFC1035]. This can be done by having a system administrator manually configure service information in the DNS, but manually populating DNS authoritative server databases is costly and potentially error-prone, and requires a knowledgeable network administrator. Consequently, although all DNS-SD client implementations of which we are aware support DNS-SD using DNS queries, in practice it is used much less frequently than mDNS.

The Discovery Proxy [I-D.ietf-dnssd-hybrid] provides one way to automatically populate the DNS namespace, but is only appropriate on networks where services are easily advertised using mDNS. This document describes a solution more suitable for networks where multicast is inefficient, or where sleepy devices are common, by supporting both offering of services, and discovery of services, using unicast.

2. Service Registration Protocol

Services that implement SRP use DNS Update [RFC2136] [RFC3007] to publish service information in the DNS. Two variants exist, one for full-featured hosts, and one for devices designed for "Constrained-Node Networks" [RFC7228].

Full-featured hosts are either configured manually with a registration domain, or use the "dr._dns-sd._udp." query ([RFC6763] Section 11) to learn the default registration domain from the network. RFC6763 says to discover the registration domain using either ".local" or a network-supplied domain name for . Services using SRP MUST use the domain name received through the DHCPv4 Domain Name option ([RFC2132] section 3.17), if available, or the Neighbor Discovery DNS Search List option [RFC8106]. If the DNS Search List option contains more than one domain name, it MUST NOT be used. If neither option is available, the Service Registration protocol is not available on the local network.
Manual configuration of the registration domain can be done either by querying the list of available registration zones ("r._dns-sd._udp") and allowing the user to select one from the UI, or by any other means appropriate to the particular use case being addressed. Full-featured devices construct the names of the SRV, TXT, and PTR records describing their service(s) as subdomains of the chosen service registration domain. For these names they then discover the zone apex of the closest enclosing DNS zone using SOA queries [I-D.ietf-dnssd-push]. Having discovered the enclosing DNS zone, they query for the "_dnssd-srp._tcp" SRV record to discover the server to which they should send DNS updates.

For devices designed for Constrained-Node Networks [RFC7228] some simplifications are available. Instead of being configured with (or discovering) the service registration domain, the (proposed) special-use domain name [RFC6761] "default.services.arpa" is used. Instead of learning the server to which they should send DNS updates, a fixed IPv6 anycast address is used (value TBD). Anycasts are sent using UDP unless TCP is required due to the size of the update. It is the responsibility of a Constrained-Node Network supporting SRP to provide appropriate anycast routing to deliver the DNS updates to the appropriate server. It is the responsibility of the SRP server supporting a Constrained-Node Network to handle the updates appropriately. In some network environments, updates may be accepted directly into a local "default.services.arpa" zone, which has only local visibility. In other network environments, updates for names ending in "default.services.arpa" may be rewritten internally to names with broader visibility.
The reason for these different assumptions is that Constrained-Node Networks generally require special egress support, and Anycast packets captured at the Constrained-Node Network egress can be assumed to have originated locally. Low-power devices that typically use Constrained-Node Networks may have very limited battery power. The additional DNS lookups required to discover an SRP server and then communicate with it will increase the power required to advertise a service; for low-power devices, the additional flexibility this provides does not justify the additional use of power.

General networks have the potential to have more complicated topologies at the Internet layer, which makes anycast routing more difficult. Such networks may or may not have the infrastructure required to route anycast to a server that can process it. However, they can be assumed to be able to provide registration domain discovery and routing. By requiring the use of TCP, the possibility of off-network spoofing is eliminated.

We will discuss several parts to this process: how to know what to publish, how to know where to publish it (under what name), how to publish it, how to secure its publication, and how to maintain the information once published.

2.1. What to publish

We refer to the DNS Update message sent by services using SRP as an SRP update. Three types of updates appear in an SRP update: Service Discovery records, Service Description records, and Host Description records.

o Service Discovery records are one or more PTR RRs, mapping from the generic service type (or subtype) to the specific Service Instance Name.

o Service Description records are exactly one SRV RR, exactly one KEY RR, and one or more TXT RRs, all with the same name, the Service Instance Name ([RFC6763] section 4.1). In principle Service Description records can include other record types, with the same Service Instance Name, though in practice they rarely do.

  The Service Instance Name MUST be referenced by one or more Service Discovery PTR records, unless it is a placeholder service registration for an intentionally non-discoverable service name.

o The Host Description records for a service are a KEY RR, used to claim exclusive ownership of the service registration, and one or more RRs of type A or AAAA, giving the IPv4 or IPv6 address(es) of the host where the service resides.

RFC 6763 describes the details of what each of these types of updates contains and is the definitive source for information about what to publish; the reason for summarizing this here is to provide the reader with enough information about what will be published that the service registration process can be understood at a high level without first learning the full details of DNS-SD. Also, the "Service Instance Name" is an important aspect of first-come, first-serve naming, which we describe later on in this document.

2.2. Where to publish it

Multicast DNS uses a single namespace, ".local", which is valid on the local link. This convenience is not available for DNS-SD using the DNS protocol: services must exist in some specific unicast namespace.

As described above, full-featured devices are responsible for knowing in what domain they should register their services. Devices made for Constrained-Node Networks register in the (proposed) special use domain name [RFC6761] "default.services.arpa", and let the SRP server handle rewriting that to a different domain if necessary.

2.3. How to publish it

It is possible to issue a DNS Update that does several things at once; this means that it's possible to do all the work of adding a PTR resource record to the PTR RRset on the Service Name if it already exists, or creating one if it doesn't, and creating or updating the Service Instance Name and Host Description in a single transaction.

An SRP update is therefore implemented as a single DNS Update message that contains a service's Service Discovery records, Service Description records, and Host Description records.

Updates done according to this specification are somewhat different than regular DNS Updates as defined in RFC2136. RFC2136 uses a fairly heavyweight process for updating: you might first attempt to add a name if it doesn't exist; if that fails, then in a second message you might update the name if it does exist but matches certain preconditions. Because the registration protocol uses a single transaction, some of this adaptability is lost.

In order to allow updates to happen in a single transaction, SRP updates do not include update constraints. The constraints specified in Section 2.4.2 are implicit in the processing of SRP updates, and so there is no need for the service sending the SRP update to put in any explicit constraints.

2.3.1. How DNS-SD Service Registration differs from standard RFC2136 DNS Update

DNS-SD Service Registration is based on standard RFC2136 DNS Update, with some differences:

o It implements first-come first-served name allocation, protected using SIG(0) [RFC2931].

o It enforces policy about what updates are allowed.

o It optionally performs rewriting of "default.services.arpa" to some other domain.

o It optionally performs automatic population of the address-to-name reverse mapping domains.

o An SRP server is not required to implement general DNS Update prerequisite processing.
o Simplified clients are allowed to send updates to an anycast address, for names ending in "default.services.arpa".

2.3.2. Testing using standard RFC2136-compliant servers

It may be useful to set up a DNS server for testing that does not implement SRP. This can be done by configuring the server to listen on the anycast address, or advertising it in the _dnssd-srp._tcp. SRV record. It must be configured to be authoritative for "default.services.arpa", and to accept updates from hosts on local networks for names under "default.services.arpa" without authentication, since such servers will not have support for FCFS authentication (Section 2.4.1).

A server configured in this way will be able to successfully accept and process SRP updates from services that send SRP updates. However, no constraints will be applied, and this means that the test server will accept internally inconsistent SRP updates, and will not stop two SRP updates, sent by different services, that claim the same name(s), from overwriting each other.

Since SRP updates are signed with keys, validation of the SIG(0) algorithm used by the client can be done by manually installing the client public key on the DNS server that will be receiving the updates. The key can then be used to authenticate the client, and can be used as a requirement for the update. An example configuration for testing SRP using BIND 9 is given in Appendix A.

2.3.3. How to allow services to update standard RFC2136-compliant servers

Ordinarily SRP updates will fail when sent to an RFC 2136-compliant server that does not implement SRP because the zone being updated is "default.services.arpa", and no DNS server that is not an SRP server should normally be configured to be authoritative for "default.services.arpa".
Therefore, a service that sends an SRP update can tell that the receiving server does not support SRP, but does support RFC2136, because the RCODE will either be NOTZONE, NOTAUTH or REFUSED, or because there is no response to the update request (when using the anycast address).

In this case a service MAY attempt to register itself using regular RFC2136 DNS updates. To do so, it must discover the default registration zone and the DNS server designated to receive updates for that zone, as described earlier using the _dns-update._udp SRV record. It can then make the update using the port and host pointed to by the SRV record, and should use appropriate constraints to avoid overwriting competing records. Such updates are out of scope for SRP, and a service that implements SRP MUST first attempt to use SRP to register itself, and should only attempt to use RFC2136 backwards compatibility if that fails. Although the owner name for the SRV record specifies the UDP protocol for updates, it is also possible to use TCP, when the update is too large.

2.4. How to secure it

Traditional DNS update is secured using the TSIG protocol, which uses a secret key shared between the client (which issues the update) and the server (which authenticates it). This model does not work for automatic service registration.

The goal of securing the DNS-SD Registration Protocol is to provide the best possible security given the constraint that service registration has to be automatic. It is possible to layer more operational security on top of what we describe here, but what we describe here improves upon the security of mDNS. The goal is not to provide the level of security of a network managed by a skilled operator.

2.4.1. First-Come First-Served Naming

First-Come First-Serve naming provides a limited degree of security: a service that registers its service using DNS-SD Registration protocol is given ownership of a name for an extended period of time based on the key used to authenticate the DNS Update. As long as the registration service remembers the name and the key used to register that name, no other service can add or update the information associated with that name. FCFS naming is used to protect both the Service Description and the Host Description.

2.4.1.1. Service Behavior

The service generates a public/private key pair. This key pair MUST be stored in stable storage; if there is no writable stable storage on the client, the client MUST be pre-configured with a public/private key pair in read-only storage that can be used. This key pair MUST be unique to the device.

When sending DNS updates, the service includes a KEY record containing the public portion of the key in each Host Description update and each Service Description update. Each KEY record MUST contain the same public key. The update is signed using SIG(0), using the private key that corresponds to the public key in the KEY record. The lifetimes of the records in the update are set using the EDNS(0) Update Lease option [I-D.sekar-dns-ul].

The KEY record in service description updates MAY be omitted for brevity; if it is omitted, the SRP server MUST behave as if the same KEY record that is given for the Host Description is also given for each Service Description for which no KEY record is provided. Omitted KEY records are not used when computing the SIG(0) signature.

The lifetime of the DNS-SD PTR, SRV, A, AAAA and TXT records [RFC6763] uses the LEASE field of the Update Lease option, and is typically set to two hours.
This means that if a device is disconnected from the network, it does not appear in the user interfaces of devices looking for services of that type for too long.

The lifetime of the KEY records is set using the KEY-LEASE field of the Update Lease Option, and should be set to a much longer time, typically 14 days. The result of this is that even though a device may be temporarily unplugged, disappearing from the network for a few days, it makes a claim on its name that lasts much longer.

This means that even if a device is unplugged from the network for a few days, and its services are not available for that time, no other rogue device can come along and immediately claim its name the moment it disappears from the network. In the event that a device is unplugged from the network and permanently discarded, then its name is eventually cleaned up and made available for re-use.

2.4.2. SRP Server Behavior

The SRP server first validates that the SRP update is a syntactically and semantically valid DNS Update according to the rules specified in RFC2136.

The SRP server checks each update in the SRP update to see that it contains a Service Discovery update, a Service Description update, and a Host Description update. Order matters in DNS updates. Specifically, deletes must precede adds for records that the deletes would affect; otherwise the add will have no effect. This is the only ordering constraint; aside from this constraint, updates may appear in whatever order is convenient when constructing the update.

An update is a Service Discovery update if it contains

o exactly one RRset update,
o which is for a PTR RR,
o which points to a Service Instance Name
o for which an update is present in the SRP update.
o Service Discovery updates do not contain any deletes, and do not contain any other updates.
An update is a Service Description update if, for the appropriate Service Instance Name, it contains

o exactly one "Delete all RRsets from a name" update,
o exactly one SRV RRset update,
o zero or one KEY RR update that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message (if present, the KEY MUST match the KEY RR given in the Host Description),
o one or more TXT RRset updates,
o and the target of the SRV record update references a hostname for which there is a Host Description update in the SRP update.
o Service Descriptions do not update any other records.

An update is a Host Description update if, for the appropriate hostname, it contains

o exactly one "Delete all RRsets from a name" update,
o one or more A or AAAA RR update(s)
o exactly one KEY RR update that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message,
o there is a Service Instance Name update in the SRP update that updates an SRV RR so that it points to the hostname being updated by this update.
o Host Description updates do not update any other records.

An SRP update MUST include at least one Service Discovery update, at least one Service Description update, and exactly one Host Description update. An update message that does not is not an SRP update. An update message that contains any other updates, or any update constraints, is not an SRP update. Such messages should either be processed as regular RFC2136 updates, including access control checks and constraint checks, if supported, or else rejected with RCODE=REFUSED.

Note that if the definitions of each of these update types are followed carefully, this means that many things that look very much like SRP updates nevertheless are not.
For example, a DNS update that contains an update to a Service Name and an update to a Service Instance Name, where the Service Name does not reference the Service Instance Name, is not a valid SRP update message, but may be a valid RFC2136 update.

Assuming that an update message has been validated with these conditions and is a valid SRP update, the server checks that the name in the Host Description update exists. If so, then the server checks to see if the KEY record on the name is the same as the KEY record in the update. The server performs the same check for the KEY records in any Service Description update. For KEY records that were omitted, the KEY from the Host Description update is used. If any existing KEY record corresponding to a KEY record in the SRP update does not match the KEY record in the SRP update, then the server MUST reject the SRP update with the YXDOMAIN RCODE.

Otherwise, the server validates the SRP update using SIG(0) on the public key in the KEY record of the Host Description update. If the validation fails, the server MUST reject the SRP Update with the REFUSED RCODE. Otherwise, the SRP update is considered valid and authentic, and is processed according to the method described in RFC2136.

KEY record updates omitted from Service Description updates are processed as if they had been explicitly present: every Service Description that is updated MUST, after the update, have a KEY RR, and it must be the same KEY RR that is present in the Host Description to which the Service Description refers.

The status that is returned depends on the result of processing the update, and can be either SUCCESS or SERVFAIL: all other possible outcomes should already have been accounted for when applying the constraints.

The server MAY add a Reverse Mapping that corresponds to the Host Description.
This is not required because the Reverse Mapping serves no protocol function, but it may be useful for debugging, e.g. in annotating network packet traces or logs.

The server MAY apply additional criteria when accepting updates. In some networks, it may be possible to do out-of-band registration of keys, and only accept updates from pre-registered keys. In this case, an update for a key that has not been registered should be rejected with the REFUSED RCODE.

There are at least two benefits to doing this rather than simply using normal SIG(0) DNS updates. First, the same registration protocol can be used in both cases, so both use cases can be addressed by the same service implementation. Second, the registration protocol includes maintenance functionality not present with normal DNS updates.

Note that the semantics of using SRP in this way are different than for typical RFC2136 implementations: the KEY used to sign the SRP update only allows the client to update records that refer to its Host Description. RFC2136 implementations do not normally provide a way to enforce a constraint of this type.

The server may also have a dictionary of names or name patterns that are not permitted. If such a list is used, updates for Service Instance Names that match entries in the dictionary are rejected with YXDOMAIN.

2.5. TTL Consistency

All RRs within an RRset are required to have the same TTL (Clarifications to the DNS Specification [RFC2181], Section 5.2). In order to avoid inconsistencies, SRP places restrictions on TTLs sent by services and requires that SRP Servers enforce consistency.

Services sending SRP updates MUST use consistent TTLs in all RRs within the SRP update.

SRP update servers MUST check that the TTLs for all RRs within the SRP update are the same. If they are not, the SRP update MUST be rejected with a REFUSED RCODE.
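The server-side checks of Section 2.4.2 (shape of the three update types, cross references between them, omitted-KEY handling, first-come first-served KEY comparison, SIG(0)) together with the TTL rule of Section 2.5, as an added example that is not code from this draft or from any SRP implementation. It assumes a small in-memory model of the RFC 2136 update section (the Op and RR classes), a dictionary standing in for the zone's existing KEY records, and a caller-supplied callable standing in for real SIG(0) verification; the sample update, names and key strings are constructed.

```python
"""SRP update validation (draft-ietf-dnssd-srp-01, sections 2.4.2 and 2.5); added example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RR:
    rtype: str          # PTR, SRV, TXT, KEY, A or AAAA
    rdata: str          # PTR/SRV: target name; KEY: public key; TXT/A/AAAA: opaque
    ttl: int = 7200


@dataclass(frozen=True)
class Op:
    kind: str           # "add" (add RR to an RRset) or "delete_all" (delete all RRsets from a name)
    name: str
    rr: Optional[RR] = None


def classify(ops):
    """Group ops by owner name and sort each group into one of the three SRP update shapes
    by its local structure alone (cross references are checked by the caller).
    Returns (discovery, service, host) dicts of name -> added RRs, or None if some
    group fits none of the shapes, which makes the whole message not an SRP update."""
    groups = defaultdict(list)
    for op in ops:
        groups[op.name.lower()].append(op)
    disc, svc, host = {}, {}, {}
    for name, grp in groups.items():
        deletes = sum(o.kind == "delete_all" for o in grp)
        adds = [o.rr for o in grp if o.kind == "add"]
        types = {rr.rtype for rr in adds}
        count = lambda t: sum(rr.rtype == t for rr in adds)
        if deletes == 0 and types == {"PTR"}:
            disc[name] = adds          # Service Discovery: PTR adds only, no deletes
        elif (deletes == 1 and {"SRV", "TXT"} <= types <= {"SRV", "TXT", "KEY"}
              and count("SRV") == 1 and count("KEY") <= 1):
            svc[name] = adds           # Service Description: delete-all, one SRV, TXT(s), 0..1 KEY
        elif (deletes == 1 and types & {"A", "AAAA"} and types <= {"A", "AAAA", "KEY"}
              and count("KEY") == 1):
            host[name] = adds          # Host Description: delete-all, A/AAAA(s), exactly one KEY
        else:
            return None
    return disc, svc, host


def validate_srp_update(ops, zone_keys, sig0_ok):
    """Return (rcode, reason). zone_keys: existing KEY rdata per name (stand-in for zone
    state). sig0_ok(pubkey) -> bool stands in for SIG(0) validation of the message.
    "NOT_SRP" means: process as a plain RFC 2136 update if supported, else REFUSED."""
    groups = classify(ops)
    if groups is None:
        return "NOT_SRP", "a name's updates match none of the three SRP update shapes"
    disc, svc, host = groups
    if not disc or not svc or len(host) != 1:
        return "NOT_SRP", "need >=1 Service Discovery, >=1 Service Description, exactly 1 Host Description"
    (hostname, host_adds), = host.items()
    for adds in disc.values():              # every PTR must point at a Service Description in this update
        if any(rr.rdata.lower() not in svc for rr in adds):
            return "NOT_SRP", "Service Discovery PTR target has no Service Description in this update"
    for name, adds in svc.items():          # every SRV must point at the Host Description in this update
        srv = next(rr for rr in adds if rr.rtype == "SRV")
        if srv.rdata.lower() != hostname:
            return "NOT_SRP", f"SRV target of {name} is not the Host Description in this update"
    host_key = next(rr.rdata for rr in host_adds if rr.rtype == "KEY")
    for name, adds in svc.items():          # an omitted KEY is treated as the Host Description KEY
        if next((rr.rdata for rr in adds if rr.rtype == "KEY"), host_key) != host_key:
            return "NOT_SRP", f"KEY on {name} differs from the Host Description KEY"
    if len({op.rr.ttl for op in ops if op.rr is not None}) != 1:    # Section 2.5
        return "REFUSED", "TTLs within the SRP update are not all the same"
    zone_keys = {k.lower(): v for k, v in zone_keys.items()}
    for name in [hostname, *svc]:           # first-come first-served: existing KEY must match
        if name in zone_keys and zone_keys[name] != host_key:
            return "YXDOMAIN", f"{name} is already claimed by a different key"
    if not sig0_ok(host_key):
        return "REFUSED", "SIG(0) validation failed"
    return "NOERROR", "valid SRP update; apply per RFC 2136, adding the omitted KEY RRs"


# Constructed sample (not a real zone or key): one service on one host, KEY omitted on the
# Service Description so the server has to imply it from the Host Description.
HOST = "printer-host.default.services.arpa"
INSTANCE = "Lobby Printer._ipp._tcp.default.services.arpa"
SERVICE = "_ipp._tcp.default.services.arpa"


def sample_update(key="CONSTRUCTED-PUBKEY-A", ttl=7200, txt_ttl=None, with_ptr=True):
    t = ttl if txt_ttl is None else txt_ttl
    ops = [
        Op("delete_all", HOST),
        Op("add", HOST, RR("AAAA", "2001:db8::1", ttl)),
        Op("add", HOST, RR("KEY", key, ttl)),
        Op("delete_all", INSTANCE),
        Op("add", INSTANCE, RR("SRV", HOST, ttl)),
        Op("add", INSTANCE, RR("TXT", "txtvers=1", t)),
    ]
    if with_ptr:
        ops.append(Op("add", SERVICE, RR("PTR", INSTANCE, ttl)))
    return ops
```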
   Additionally, when adding RRs to an RRset, for example when
   processing Service Discovery records, the server MUST use the same
   TTL on all RRs in the RRset.  How this consistency is enforced is up
   to the implementation.

   TTLs sent in SRP updates are advisory: they indicate the client's
   guess as to what a good TTL would be.  SRP servers may override these
   TTLs.  SRP servers SHOULD ensure that TTLs are reasonable: neither
   too long nor too short.  The TTL should never be longer than the
   lease time (Section 2.6.1).  Shorter TTLs will result in more
   frequent data refreshes; this increases latency on the client side,
   and increases load on any caching resolvers and on the authoritative
   server.  Longer TTLs will increase the likelihood that data in caches
   will be stale.  TTL minimums and maximums SHOULD be configurable by
   the operator of the SRP server.

2.6.  Maintenance

2.6.1.  Cleaning up stale data

   Because the DNS-SD registration protocol is automatic, and not
   managed by humans, some additional bookkeeping is required.  When an
   update is constructed by the client, it MUST include an EDNS(0)
   Update Lease Option [I-D.sekar-dns-ul].  The Update Lease Option
   contains two lease times: the Lease Time and the Key Lease Time.

   These leases are promises, similar to DHCP leases [RFC2131], from the
   client that it will send a new update for the service registration
   before the lease time expires.  The Lease time is chosen to represent
   the time after the update during which the registered records other
   than the KEY record should be assumed to be valid.  The Key Lease
   time represents the time after the update during which the KEY record
   should be assumed to be valid.

   The reasoning behind the different lease times is discussed in the
   section on first-come, first-served naming (Section 2.4.1).  SRP
   servers may be configured with limits for these values.  A default
   limit of two hours for the Lease and 14 days for the SIG(0) KEY are
   currently thought to be good choices.  Clients that are going to
   continue to use names on which they hold leases should update well
   before the lease ends, in case the registration service is
   unavailable or under heavy load.

   The SRP server MUST include an EDNS(0) Update Lease option in the
   response if the lease time proposed by the service has been shortened
   or lengthened.  The service MUST check for the EDNS(0) Update Lease
   option in the response and MUST use the lease times from that option
   in place of the ones that it sent to the server when deciding when
   to update its registration.  The times may be shorter or longer than
   those specified in the SRP update; the client must honor them in
   either case.

   Clients should assume that each lease ends N seconds after the update
   was first transmitted, where N is the lease duration.  Servers should
   assume that each lease ends N seconds after the update that was
   successfully processed was received.  Because the server will always
   receive the update after the client sent it, this avoids the
   possibility of misunderstandings.

   SRP servers MUST reject updates that do not include an EDNS(0) Update
   Lease option.  Dual-use servers MAY accept updates that don't include
   leases, but SHOULD differentiate between SRP updates and other
   updates, and MUST reject updates that would otherwise be SRP updates
   if they do not include leases.

   Lease times have a completely different function than TTLs.  On an
   authoritative DNS server, the TTL on a resource record is a constant:
   whenever that RR is served in a DNS response, the TTL value sent in
   the answer is the same.  The lease time is never sent as a TTL; its
   sole purpose is to determine when the authoritative DNS server will
   delete stale records.  It is not an error to send a DNS response with
   a TTL of 'n' when the remaining time on the lease is less than 'n'.

2.6.2.  Sleep Proxy

   Another use of SRP is for devices that sleep to reduce power
   consumption.

   In this case, in addition to the DNS Update Lease option
   [I-D.sekar-dns-ul] described above, the device includes an EDNS(0)
   OWNER Option [I-D.cheshire-edns0-owner-option].

   The EDNS(0) Update Lease option constitutes a promise by the device
   that it will wake up before this time elapses, to renew its
   registration and thereby demonstrate that it is still attached to the
   network.  If it fails to renew the registration by this time, that
   indicates that it is no longer attached to the network, and its
   registration (except for the KEY in the Host Description) should be
   deleted.

   The EDNS(0) OWNER Option indicates that the device will be asleep,
   and will not be receptive to normal network traffic.  When a DNS
   server receives a DNS Update with an EDNS(0) OWNER Option, that
   signifies that the SRP server should set up a proxy for any IPv4 or
   IPv6 address records in the DNS Update message.  This proxy should
   send ARP or ND messages claiming ownership of the IPv4 and/or IPv6
   addresses in the records in question.  In addition, the proxy should
   answer future ARP or ND requests for those IPv4 and/or IPv6
   addresses, claiming ownership of them.  When the DNS server receives
   a TCP SYN or UDP packet addressed to one of the IPv4 or IPv6
   addresses for which it is proxying, it should then wake up the
   sleeping device using the information in the EDNS(0) OWNER Option.
   At present version 0 of the OWNER Option specifies the "Wake-on-LAN
   Magic Packet" that needs to be sent; future versions could be
   extended to specify other wakeup mechanisms.
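   TTL and lease handling from Sections 2.5 and 2.6.1, as an added Go
   example written for this page (it is not taken from the draft or
   from any SRP implementation).  The two-hour and 14-day lease limits
   are the draft's suggested defaults; the TTL bounds in DefaultPolicy
   and the choice to renew at the half-way point of the lease are this
   example's own assumptions.

```go
package main

import (
	"errors"
	"time"
)

// Lease carries the two times from the EDNS(0) Update Lease option, in seconds.
type Lease struct{ Lease, KeyLease uint32 }

// Policy holds the operator-configurable limits the draft calls for. The
// lease limits are the draft's suggested defaults; the TTL bounds are this
// example's assumption.
type Policy struct{ MinTTL, MaxTTL, MaxLease, MaxKeyLease uint32 }

var DefaultPolicy = Policy{MinTTL: 120, MaxTTL: 3600, MaxLease: 2 * 3600, MaxKeyLease: 14 * 24 * 3600}

var (
	ErrNoLease         = errors.New("REFUSED: update has no EDNS(0) Update Lease option")
	ErrInconsistentTTL = errors.New("REFUSED: RRs in the update carry differing TTLs")
)

// Decision is the server's outcome for an accepted update.
type Decision struct {
	TTL       uint32 // TTL stored on the registered RRs
	Granted   Lease  // lease times the server will actually honour
	EchoLease bool   // the response must carry an Update Lease option
}

// Accept applies Sections 2.5 and 2.6.1 to the TTLs of the RRs in an update
// and to the client's proposed lease (nil when the option is absent).
func (p Policy) Accept(ttls []uint32, proposed *Lease) (Decision, error) {
	if proposed == nil {
		return Decision{}, ErrNoLease
	}
	if len(ttls) == 0 {
		return Decision{}, errors.New("update carries no RRs")
	}
	ttl := ttls[0]
	for _, t := range ttls[1:] {
		if t != ttl {
			return Decision{}, ErrInconsistentTTL
		}
	}
	g := *proposed
	if g.Lease > p.MaxLease {
		g.Lease = p.MaxLease
	}
	if g.KeyLease > p.MaxKeyLease {
		g.KeyLease = p.MaxKeyLease
	}
	// The client's TTL is advisory: clamp it to the operator's range, and
	// never let it exceed the granted lease.
	if ttl < p.MinTTL {
		ttl = p.MinTTL
	}
	if ttl > p.MaxTTL {
		ttl = p.MaxTTL
	}
	if ttl > g.Lease {
		ttl = g.Lease
	}
	return Decision{TTL: ttl, Granted: g, EchoLease: g != *proposed}, nil
}

// Adopt is the client side of the rule: lease times echoed in the response
// replace the ones the client sent, whether they are shorter or longer.
func Adopt(sent Lease, echoed *Lease) Lease {
	if echoed != nil {
		return *echoed
	}
	return sent
}

func secs(n uint32) time.Duration { return time.Duration(n) * time.Second }

// ClientExpiry counts the lease from the moment the update was first
// transmitted; renewAt is "well before" that, chosen here as the half-way point.
func ClientExpiry(firstSent time.Time, g Lease) (records, key, renewAt time.Time) {
	return firstSent.Add(secs(g.Lease)), firstSent.Add(secs(g.KeyLease)),
		firstSent.Add(secs(g.Lease) / 2)
}

// ServerExpiry counts from the moment the accepted update was received, which
// is never earlier than the client's send time, so the server never expires a
// lease the client still believes to be running.
func ServerExpiry(received time.Time, g Lease) (records, key time.Time) {
	return received.Add(secs(g.Lease)), received.Add(secs(g.KeyLease))
}
```

   Accept refuses an update with no lease option or with differing TTLs
   before anything else, then caps the lease and clamps the TTL, with
   the lease bound applied last so that a configured minimum TTL can
   never push the TTL past the lease.  EchoLease tells the responder
   whether the Update Lease option has to go back to the client, and
   Adopt shows the client honouring whatever came back.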
   Note that although the authoritative DNS server that implements the
   SRP function need not be on the same link as the sleeping host, the
   Sleep Proxy must be on the same link.

   It is not required that sleepy nodes on a Constrained-Node Network
   support sleep proxy.  Such devices may have different mechanisms for
   dealing with sleep and wakeup.  An SRP registration for such a device
   will be useful regardless of the mechanism whereby messages are
   delivered to the sleepy end device.  For example, the message might
   be held in a buffer for an extended period of time by an intermediate
   device on a mesh network, and then delivered to the device when it
   wakes up.  The exact details of such behaviors are out of scope for
   this document.

3.  Security Considerations

3.1.  Source Validation

   SRP updates have no authorization semantics other than first-come,
   first-served.  This means that if an attacker from outside of the
   administrative domain of the server knows the server's IP address, it
   can in principle send updates to the server that will be processed
   successfully.  Servers should therefore be configured to reject
   updates from source addresses outside of the administrative domain of
   the server.

   For Anycast updates, this validation must be enforced by every router
   that connects the Constrained-Device Network to the unconstrained
   portion of the network.  For TCP updates, the initial SYN-SYN+ACK
   handshake prevents updates being forged by an off-network attacker.
   In order to ensure that this handshake happens, Service Discovery
   Protocol servers MUST NOT accept TCP Fast Open payloads.

   Note that these rules only apply to the validation of SRP updates.  A
   server that accepts updates from DNS-SD registration protocol clients
   may also accept other DNS updates, and those DNS updates may be
   validated using different rules.  However, in the case of a DNS
   service that accepts SRP updates, the intersection of the SRP update
   rules and whatever other update rules are present must be considered
   very carefully.

   For example, a normal, authenticated RFC2136 update to any RR that
   was added using SRP, but that is authenticated using a different key,
   could be used to override a promise made by the registration
   protocol, by replacing all or part of the service registration
   information with information provided by a different client.  An
   implementation that allows both kinds of updates should not allow
   updates to records added by SRP updates using different
   authentication and authorization credentials.

3.2.  SIG(0) signature validation

   This specification does not provide a mechanism for validating
   responses from DNS servers to SRP clients.  In the case of
   Constrained Network/Constrained Node clients, such validation isn't
   practical because there's no way to establish trust.  In principle, a
   KEY RR could be used by a non-constrained SRP client to validate
   responses from the server, but this is not required, nor do we
   specify a mechanism for determining which key to use.

3.3.  Required Signature Algorithm

   For validation, SRP Servers MUST implement the ECDSAP256SHA256
   signature algorithm.  SRP servers SHOULD implement the algorithms
   specified in [I-D.ietf-dnsop-algorithm-update] section 3.1, in the
   validation column of the table, starting with algorithm number 13.
   SRP clients MUST NOT assume that any algorithm numbered lower than 13
   is available for use in validating SIG(0) signatures.

4.  Privacy Considerations

5.  Delegation of 'services.arpa.'

   In order to be fully functional, there must be a delegation of
   'services.arpa.' in the '.arpa.' zone [RFC3172].  This delegation
   should be set up as was done for 'home.arpa', as a result of the
   specification in [RFC8375], Section 7.
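   The source-address check from Section 3.1, as an added example in Go
   that is not part of the draft or of any SRP server.  It assumes an
   operator-supplied list of prefixes describing the administrative
   domain and uses documentation address ranges throughout; the handling
   of IPv4-mapped and zone-bearing sources is the part of such a check
   that is most often got wrong.

```go
package main

import "net/netip"

// AdminDomain is the set of source prefixes from which an SRP server accepts
// updates. The prefixes used in the example are documentation ranges.
type AdminDomain []netip.Prefix

// NewAdminDomain parses CIDR strings; a bad prefix is reported rather than
// silently widening or narrowing the policy.
func NewAdminDomain(cidrs ...string) (AdminDomain, error) {
	var d AdminDomain
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		d = append(d, p.Masked())
	}
	return d, nil
}

// Allows reports whether an update's source address lies inside the
// administrative domain. Two normalisations matter: an IPv4 peer on a
// dual-stack IPv6 socket is seen as ::ffff:a.b.c.d, and Unmap turns it back
// into IPv4 so IPv4 prefixes match it; and a link-local IPv6 source carries
// a zone (fe80::1%eth0), which netip prefixes never contain, so the zone is
// dropped before matching.
func (d AdminDomain) Allows(src netip.Addr) bool {
	src = src.Unmap().WithZone("")
	for _, p := range d {
		if p.Contains(src) {
			return true
		}
	}
	return false
}

// AllowsString is Allows on a textual address; unparsable input is refused.
func (d AdminDomain) AllowsString(src string) bool {
	a, err := netip.ParseAddr(src)
	return err == nil && d.Allows(a)
}

// Filter applies the policy to a batch of update sources and returns the
// accepted ones. This is the check a server runs before parsing the update
// body at all; for TCP it complements, rather than replaces, the handshake.
func (d AdminDomain) Filter(sources []string) []string {
	var ok []string
	for _, s := range sources {
		if d.AllowsString(s) {
			ok = append(ok, s)
		}
	}
	return ok
}
```

   The policy is deliberately a deny-by-default list: an address that
   fails to parse, or that belongs to no listed prefix, is refused, and
   a prefix that fails to parse stops construction instead of leaving a
   hole.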
6.  IANA Considerations

6.1.  Registration and Delegation of 'services.arpa' as a Special-Use
      Domain Name

   IANA is requested to record the domain name 'services.arpa.' in the
   Special-Use Domain Names registry [SUDN].  IANA is requested, with
   the approval of IAB, to implement the delegation requested in
   Section 5.

   IANA is further requested to add a new entry to the "Transport-
   Independent Locally-Served Zones" subregistry of the "Locally-Served
   DNS Zones" registry [LSDZ].  The entry will be for the domain
   'services.arpa.' with the description "DNS-SD Registration Protocol
   Special-Use Domain", listing this document as the reference.

6.2.  'dnssd-srp' Service Name

   IANA is also requested to add a new entry to the Service Names and
   Port Numbers registry for dnssd-srp with a transport type of tcp.  No
   port number is to be assigned.  The reference should be to this
   document, and the Assignee and Contact information should reference
   the authors of this document.  The Description should be as follows:

      Availability of DNS Service Discovery Service Registration
      Protocol Service for a given domain is advertised using the
      "_dnssd-srp._tcp.." SRV record gives the target host and port
      where DNSSD Service Registration Service is provided for the named
      domain.

6.3.  Anycast Address

   IANA is requested to allocate an IPv6 Anycast address from the IPv6
   Special-Purpose Address Registry, similar to the Port Control
   Protocol anycast address, 2001:1::1.  This address is referred to
   within the document as TBD1, and the document should be updated to
   reflect the address that was allocated.

7.  Acknowledgments

   Thanks to Toke Hoeiland-Joergensen for a thorough technical review,
   to Tamara Kemper for doing a nice developmental edit, Tim Wattenberg
   for doing a service implementation at the Montreal Hackathon at IETF
   102, Tom Pusateri for reviewing during the hackathon and afterwards,
   and [...] more reviewers to come, hopefully.

8.  References

8.1.  Normative References

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.

   [I-D.sekar-dns-ul]
              Cheshire, S. and T. Lemon, "Dynamic DNS Update Leases",
              draft-sekar-dns-ul-02 (work in progress), August 2018.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

   [RFC3172]  Huston, G., Ed., "Management Guidelines & Operational
              Requirements for the Address and Routing Parameter Area
              Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172,
              September 2001.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017.

   [RFC8375]  Pfister, P. and T. Lemon, "Special-Use Domain
              'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018.

   [I-D.ietf-dnsop-algorithm-update]
              Wouters, P. and O. Sury, "Algorithm Implementation
              Requirements and Usage Guidance for DNSSEC", draft-ietf-
              dnsop-algorithm-update-06 (work in progress), February
              2019.

   [SUDN]     "Special-Use Domain Names Registry", July 2012.

   [LSDZ]     "Locally-Served DNS Zones Registry", July 2011.

8.2.  Informative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.
   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC2136]  Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
              RFC 2136, DOI 10.17487/RFC2136, April 1997.

   [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
              Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997.

   [RFC2931]  Eastlake 3rd, D., "DNS Request and Transaction Signatures
              ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September
              2000.

   [RFC3007]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
              Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

   [RFC3152]  Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
              DOI 10.17487/RFC3152, August 2001.

   [RFC6760]  Cheshire, S. and M. Krochmal, "Requirements for a Protocol
              to Replace the AppleTalk Name Binding Protocol (NBP)",
              RFC 6760, DOI 10.17487/RFC6760, February 2013.

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              DOI 10.17487/RFC6762, February 2013.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228,
              DOI 10.17487/RFC7228, May 2014.

   [I-D.ietf-dnssd-hybrid]
              Cheshire, S., "Discovery Proxy for Multicast DNS-Based
              Service Discovery", draft-ietf-dnssd-hybrid-08 (work in
              progress), March 2018.

   [I-D.ietf-dnssd-push]
              Pusateri, T. and S. Cheshire, "DNS Push Notifications",
              draft-ietf-dnssd-push-17 (work in progress), March 2019.
   [I-D.cheshire-dnssd-roadmap]
              Cheshire, S., "Service Discovery Road Map", draft-
              cheshire-dnssd-roadmap-03 (work in progress), October
              2018.

   [I-D.cheshire-edns0-owner-option]
              Cheshire, S. and M. Krochmal, "EDNS0 OWNER Option", draft-
              cheshire-edns0-owner-option-01 (work in progress), July
              2017.

   [ZC]       Cheshire, S. and D. Steinberg, "Zero Configuration
              Networking: The Definitive Guide", O'Reilly Media, Inc.,
              ISBN 0-596-10100-7, December 2005.

Appendix A.  Sample BIND9 configuration for default.services.arpa.

   zone "default.services.arpa." {
           type master;
           file "/etc/bind/master/service.db";
           allow-update { key demo.default.services.arpa.; };
   };

                    Zone Configuration in named.conf

   $ORIGIN .
   $TTL 57600      ; 16 hours
   default.services.arpa IN SOA ns3.default.services.arpa. postmaster.default.services.arpa. (
                                   2951053287 ; serial
                                   3600       ; refresh (1 hour)
                                   1800       ; retry (30 minutes)
                                   604800     ; expire (1 week)
                                   3600       ; minimum (1 hour)
                                   )
                           NS      ns3.default.services.arpa.
                           SRV     0 0 53 ns3.default.services.arpa.
   $ORIGIN default.services.arpa.
   $TTL 3600       ; 1 hour
   _ipps._tcp              PTR     demo._ipps._tcp
   $ORIGIN _ipps._tcp.default.services.arpa.
   demo                    TXT     "0"
                           SRV     0 0 9992 demo.default.services.arpa.
   $ORIGIN _udp.default.services.arpa.
   $TTL 3600       ; 1 hour
   _dns-update             PTR     ns3.default.services.arpa.
   $ORIGIN _tcp.default.services.arpa.
   _dnssd-srp              PTR     ns3.default.services.arpa.
   $ORIGIN default.services.arpa.
   $TTL 300        ; 5 minutes
   ns3                     AAAA    2001:db8:0:1::1
   $TTL 3600       ; 1 hour
   demo                    AAAA    2001:db8:0:2::1
                           KEY     513 3 13 (
                                   qweEmaaq0FAWok5//ftuQtZgiZoiFSUsm0srWREdywQU
                                   9dpvtOhrdKWUuPT3uEFF5TZU6B4q1z1I662GdaUwqg==
                                   ); alg = ECDSAP256SHA256 ; key id = 15008
                           AAAA    ::1

                               Example Zone file

Authors' Addresses

   Stuart Cheshire
   Apple Inc.
   One Apple Park Way
   Cupertino, California 95014
   USA

   Phone: +1 408 974 3207
   Email: cheshire@apple.com

   Ted Lemon
   Nibbhaya Consulting
   P.O. Box 958
   Brattleboro, Vermont 05302
   United States of America

   Email: mellon@fugue.com