Internet Engineering Task Force                                 T. Lemon
Internet-Draft                                               S. Cheshire
Intended status: Informational                                Apple Inc.
Expires: January 14, 2021                                  July 13, 2020

       Service Registration Protocol for DNS-Based Service Discovery
                         draft-ietf-dnssd-srp-04

Abstract

   The Service Registration Protocol for DNS-Based Service Discovery uses the standard DNS Update mechanism to enable DNS-Based Service Discovery using only unicast packets. This makes it possible to deploy DNS Service Discovery without multicast, which greatly improves scalability and improves performance on networks where multicast service is not an optimal choice, particularly 802.11 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration uses public keys and SIG(0) to allow services to defend their registrations against attack.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Service Registration Protocol
     2.1.  What to publish
     2.2.  Where to publish it
     2.3.  How to publish it
       2.3.1.  How DNS-SD Service Registration differs from standard RFC2136 DNS Update
     2.4.  How to secure it
       2.4.1.  First-Come First-Served Naming
       2.4.2.  Removing published services
       2.4.3.  SRP Server Behavior
     2.5.  TTL Consistency
     2.6.  Maintenance
       2.6.1.  Cleaning up stale data
       2.6.2.  Sleep Proxy
   3.  Security Considerations
     3.1.  Source Validation
     3.2.  SIG(0) signature validation
     3.3.  Required Signature Algorithm
   4.  Privacy Considerations
   5.  Delegation of 'service.arpa.'
   6.  IANA Considerations
     6.1.  Registration and Delegation of 'service.arpa' as a Special-Use Domain Name
     6.2.  'dnssd-srp' Service Name
     6.3.  'dnssd-srp-tls' Service Name
     6.4.  Anycast Address
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Testing using standard RFC2136-compliant servers
   Appendix B.  How to allow services to update standard RFC2136-compliant servers
   Appendix C.  Sample BIND9 configuration for default.service.arpa.
   Authors' Addresses

1.  Introduction

   DNS-Based Service Discovery [RFC6763] is a component of Zero Configuration Networking [RFC6760] [ZC] [I-D.cheshire-dnssd-roadmap].

   This document describes an enhancement to DNS-Based Service Discovery [RFC6763] that allows services to automatically register their services using the DNS protocol rather than using Multicast DNS [RFC6762] (mDNS). There is already a large installed base of DNS-SD clients that can discover services using the DNS protocol. This extension makes it much easier to take advantage of this existing functionality.

   This document is intended for three audiences: implementors of software that provides services that should be advertised using DNS-SD, implementors of DNS servers that will be used in contexts where DNS-SD registration is needed, and administrators of networks where DNS-SD service is required.
   The document is intended to provide sufficient information to allow interoperable implementation of the registration protocol.

   DNS-Based Service Discovery (DNS-SD) allows services to advertise the fact that they provide service, and to provide the information required to access that service. Clients can then discover the set of services of a particular type that are available. They can then select a service from among those that are available and obtain the information required to use it.

   The Service Registration Protocol for DNS-SD (SRP), described in this document, provides a reasonably secure mechanism for publishing this information. Once published, these services can be readily discovered by clients using standard DNS lookups.

   The DNS-SD specification [RFC6763], Section 10 ("Populating the DNS with Information"), briefly discusses ways that services can publish their information in the DNS namespace. In the case of mDNS, it allows services to publish their information on the local link, using names in the ".local" namespace, which makes their services directly discoverable by peers attached to that same local link.

   RFC6763 also allows clients to discover services using the DNS protocol [RFC1035]. This can be done by having a system administrator manually configure service information in the DNS, but manually populating DNS authoritative server databases is costly and potentially error-prone, and requires a knowledgeable network administrator. Consequently, although all DNS-SD client implementations of which we are aware support DNS-SD using DNS queries, in practice it is used much less frequently than mDNS.

   The Discovery Proxy [I-D.ietf-dnssd-hybrid] provides one way to automatically populate the DNS namespace, but is only appropriate on networks where services are easily advertised using mDNS.
   This document describes a solution more suitable for networks where multicast is inefficient, or where sleepy devices are common, by supporting both offering of services, and discovery of services, using unicast.

2.  Service Registration Protocol

   Services that implement SRP use DNS Update [RFC2136] [RFC3007] to publish service information in the DNS. Two variants exist, one for full-featured hosts, and one for devices designed for "Constrained-Node Networks" [RFC7228].

   Full-featured hosts are either configured manually with a registration domain, or use the "dr._dns-sd._udp.<domain>" query ([RFC6763] Section 11) to learn the default registration domain from the network. RFC6763 says to discover the registration domain using either ".local" or a network-supplied domain name for <domain>. Services using SRP MUST use the domain name received through the DHCPv4 Domain Name option ([RFC2132] section 3.17), if available, or the Neighbor Discovery DNS Search List option [RFC8106]. If the DNS Search List option contains more than one domain name, it MUST NOT be used. If neither option is available, the Service Registration protocol is not available on the local network.

   Manual configuration of the registration domain can be done either by querying the list of available registration zones ("r._dns-sd._udp") and allowing the user to select one from the UI, or by any other means appropriate to the particular use case being addressed. Full-featured devices construct the names of the SRV, TXT, and PTR records describing their service(s) as subdomains of the chosen service registration domain. For these names they then discover the zone apex of the closest enclosing DNS zone using SOA queries [I-D.ietf-dnssd-push]. Having discovered the enclosing DNS zone, they query for the "_dnssd-srp._tcp" SRV record to discover the server to which they should send DNS updates.
   Hosts that support SRP updates using TLS use the "_dnssd-srp-tls._tcp" SRV record instead.

   For devices designed for Constrained-Node Networks [RFC7228] some simplifications are available. Instead of being configured with (or discovering) the service registration domain, the (proposed) special-use domain name (see [RFC6761]) "default.service.arpa" is used. The details of how SRP server(s) are discovered will be specific to the constrained network, and therefore we do not suggest a specific mechanism here.

   SRP clients on constrained networks are expected to receive from the network a list of SRP servers with which to register. It is the responsibility of a Constrained-Node Network supporting SRP to provide one or more SRP server addresses. It is the responsibility of the SRP server supporting a Constrained-Node Network to handle the updates appropriately. In some network environments, updates may be accepted directly into a local "default.service.arpa" zone, which has only local visibility. In other network environments, updates for names ending in "default.service.arpa" may be rewritten internally to names with broader visibility.

   The reason for these different assumptions is that low-power devices that typically use Constrained-Node Networks may have very limited battery power. The series of DNS lookups required to discover an SRP server and then communicate with it will increase the power required to advertise a service; for low-power devices, the additional flexibility this provides does not justify the additional use of power. It is also fairly typical of such networks that some network service information is obtained as part of the process of joining the network, and so this can be relied upon to provide nodes with the information they need.

   Networks that are not constrained networks can have more complicated topologies at the Internet layer.
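   The SRP server discovery steps for full-featured hosts given earlier in this section (derive the names under the registration domain, walk up to the closest enclosing zone with SOA queries, then look up the "_dnssd-srp._tcp" or "_dnssd-srp-tls._tcp" SRV record at that apex), as an added Python example that is not part of this draft or of any SRP implementation. The resolver is a constructed in-memory stub standing in for real SOA and SRV queries, the zone "home.example.com." and its records are invented, and the choice among several SRV records follows the RFC 2782 priority/weight rule, which the draft itself does not spell out.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stub zone data standing in for the DNS: (name, rrtype) -> RDATA list.
STUB_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("home.example.com.", "SOA"):
        ["ns1.home.example.com. hostmaster.home.example.com. 1 3600 600 86400 60"],
    ("_dnssd-srp._tcp.home.example.com.", "SRV"):
        ["0 5 53 srp1.home.example.com.", "0 5 53 srp2.home.example.com.",
         "10 0 53 backup.home.example.com."],
    ("_dnssd-srp-tls._tcp.home.example.com.", "SRV"):
        ["0 0 853 srp1.home.example.com."],
}


def stub_query(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query; a real client would use its stub resolver here."""
    return STUB_ZONE.get((name.lower(), rrtype), [])


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def zone_apex(name: str, query=stub_query) -> Optional[str]:
    """Walk up the label tree; the first name that has an SOA is the closest enclosing zone."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if query(candidate, "SOA"):
            return candidate
    return None


def select_srv(records: List[Srv], rng: Callable[[], float] = random.random) -> Srv:
    """RFC 2782 selection: lowest priority wins; among equals, choose weighted-randomly."""
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]
    threshold = rng() * total
    running = 0
    for r in pool:
        running += r.weight
        if threshold < running:
            return r
    return pool[-1]


def find_srp_server(registration_domain: str, tls: bool = False,
                    query=stub_query, rng=random.random) -> Optional[Tuple[str, int]]:
    """The service's names live under registration_domain; find the zone they fall in
    and the SRP server advertised for that zone. Returns (target host, port) or None."""
    apex = zone_apex(registration_domain, query)
    if apex is None:
        return None
    srv_name = ("_dnssd-srp-tls._tcp." if tls else "_dnssd-srp._tcp.") + apex
    records = [Srv(int(p), int(w), int(port), t) for p, w, port, t in
               (r.split() for r in query(srv_name, "SRV"))]
    if not records:
        return None            # no SRP server published for this zone
    chosen = select_srv(records, rng)
    return chosen.target, chosen.port


if __name__ == "__main__":
    print(find_srp_server("home.example.com."))            # one of srp1/srp2, port 53
    print(find_srp_server("home.example.com.", tls=True))  # srp1.home.example.com., 853
```

   The SOA walk is what lets a device registered under a delegated sub-domain (say, a per-floor zone) still find the server for the zone that actually holds its names; passing the SRV lookup the registration domain itself would miss that case.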
   Nodes connected to such networks can be assumed to be able to do DNS-SD service registration domain discovery. Such networks are generally able to provide registration domain discovery and routing. By requiring the use of TCP, blind off-network spoofing of updates is prevented: an off-path attacker cannot complete the TCP handshake, so it cannot inject an update that appears to come from an on-network host.

   We will discuss several parts to this process: how to know what to publish, how to know where to publish it (under what name), how to publish it, how to secure its publication, and how to maintain the information once published.

2.1.  What to publish

   We refer to the DNS Update message sent by services using SRP as an SRP update. Three types of updates appear in an SRP update: Service Discovery records, Service Description records, and Host Description records.

   o  Service Discovery records are one or more PTR RRs, mapping from the generic service type (or subtype) to the specific Service Instance Name.

   o  Service Description records are exactly one SRV RR, exactly one KEY RR, and one or more TXT RRs, all with the same name, the Service Instance Name ([RFC6763] section 4.1). In principle Service Description records can include other record types, with the same Service Instance Name, though in practice they rarely do. The Service Instance Name MUST be referenced by one or more Service Discovery PTR records, unless it is a placeholder service registration for an intentionally non-discoverable service name.

   o  The Host Description records for a service are a KEY RR, used to claim exclusive ownership of the service registration, and one or more RRs of type A or AAAA, giving the IPv4 or IPv6 address(es) of the host where the service resides.
   RFC 6763 describes the details of what each of these types of updates contains and is the definitive source for information about what to publish; the reason for summarizing this here is to provide the reader with enough information about what will be published that the service registration process can be understood at a high level without first learning the full details of DNS-SD. Also, the "Service Instance Name" is an important aspect of first-come, first-served naming, which we describe later on in this document.

2.2.  Where to publish it

   Multicast DNS uses a single namespace, ".local", which is valid on the local link. This convenience is not available for DNS-SD using the DNS protocol: services must exist in some specific unicast namespace.

   As described above, full-featured devices are responsible for knowing in what domain they should register their services. Devices made for Constrained-Node Networks register in the (proposed) special use domain name [RFC6761] "default.service.arpa", and let the SRP server handle rewriting that to a different domain if necessary.

2.3.  How to publish it

   It is possible to issue a DNS Update that does several things at once; this means that it's possible to do all the work of adding a PTR resource record to the PTR RRset on the Service Name, and creating or updating the Service Instance Name and Host Description, in a single transaction.

   An SRP update takes advantage of this: it is implemented as a single DNS Update message that contains a service's Service Discovery records, Service Description records, and Host Description records.

   Updates done according to this specification are somewhat different than regular DNS Updates as defined in RFC2136.
   The RFC2136 update process can involve many update attempts: you might first attempt to add a name if it doesn't exist; if that fails, then in a second message you might update the name if it does exist but matches certain preconditions. Because the registration protocol uses a single transaction, some of this adaptability is lost.

   In order to allow updates to happen in a single transaction, SRP updates do not include update prerequisites. The requirements specified in Section 2.4.3 are implicit in the processing of SRP updates, and so there is no need for the service sending the SRP update to put in any explicit prerequisites.

2.3.1.  How DNS-SD Service Registration differs from standard RFC2136 DNS Update

   DNS-SD Service Registration is based on standard RFC2136 DNS Update, with some differences:

   o  It implements first-come first-served name allocation, protected using SIG(0) [RFC2931].

   o  It enforces policy about what updates are allowed.

   o  It optionally performs rewriting of "default.service.arpa" to some other domain.

   o  It optionally performs automatic population of the address-to-name reverse mapping domains.

   o  An SRP server is not required to implement general DNS Update prerequisite processing.

   o  Clients are allowed to send updates to the generic domain "default.service.arpa".

2.4.  How to secure it

   Traditional DNS update is secured using the TSIG protocol, which uses a secret key shared between the client (which issues the update) and the server (which authenticates it). This model does not work for automatic service registration.

   The goal of securing the DNS-SD Registration Protocol is to provide the best possible security given the constraint that service registration has to be automatic.
   It is possible to layer more operational security on top of what we describe here, but what we describe here is an improvement over the security of mDNS. The goal is not to provide the level of security of a network managed by a skilled operator.

2.4.1.  First-Come First-Served Naming

   First-Come First-Served naming provides a limited degree of security: a service that registers its service using the DNS-SD Registration protocol is given ownership of a name for an extended period of time based on the key used to authenticate the DNS Update. As long as the registration service remembers the name and the key used to register that name, no other service can add or update the information associated with that name. FCFS naming is used to protect both the Service Description and the Host Description.

2.4.1.1.  Service Behavior

   The service generates a public/private key pair. This key pair MUST be stored in stable storage; if there is no writable stable storage on the client, the client MUST be pre-configured with a public/private key pair in read-only storage that can be used. This key pair MUST be unique to the device.

   When sending DNS updates, the service includes a KEY record containing the public portion of the key in each Host Description update and each Service Description update. Each KEY record MUST contain the same public key. The update is signed using SIG(0), using the private key that corresponds to the public key in the KEY record. The lifetimes of the records in the update are set using the EDNS(0) Update Lease option [I-D.sekar-dns-ul].

   The KEY record in Service Description updates MAY be omitted for brevity; if it is omitted, the SRP server MUST behave as if the same KEY record that is given for the Host Description is also given for each Service Description for which no KEY record is provided.
   Omitted KEY records are not used when computing the SIG(0) signature.

   The lifetime of the DNS-SD PTR, SRV, A, AAAA and TXT records [RFC6763] uses the LEASE field of the Update Lease option, and is typically set to two hours. This means that if a device is disconnected from the network, it does not appear in the user interfaces of devices looking for services of that type for too long.

   The lifetime of the KEY records is set using the KEY-LEASE field of the Update Lease Option, and should be set to a much longer time, typically 14 days. The result of this is that even though a device may be temporarily unplugged, disappearing from the network for a few days, it makes a claim on its name that lasts much longer.

   This means that even if a device is unplugged from the network for a few days, and its services are not available for that time, no other device can come along and claim its name the moment it disappears from the network. In the event that a device is unplugged from the network and permanently discarded, then its name is eventually cleaned up and made available for re-use.

2.4.2.  Removing published services

   To remove a service registration, the client retransmits its most recent update with an Update Lease option that has a LEASE value of zero. If the registration is to be permanently removed, KEY-LEASE should also be zero. Otherwise, it should have the same value it had previously; this holds the name in reserve for when the client is once again able to provide the service.

   SRP clients are normally expected to remove all service instances when removing a host. However, in some cases a client may not have retained sufficient state to know that some service instance is pointing to a host that it is removing. Nevertheless, removing the host can be assumed to mean that all service instances pointing to it are no longer valid.
   Therefore, SRP servers MAY remove all service instances pointing to a host when a host is removed, even if the client doesn't remove them explicitly.

2.4.3.  SRP Server Behavior

2.4.3.1.  Validation of Adds

   The SRP server first validates that the DNS Update is a syntactically and semantically valid DNS Update according to the rules specified in RFC2136.

   SRP Updates consist of a set of Instructions that together add one or more services. Each instruction consists either of a single add, or a delete followed by an add. When an instruction contains a delete and an add, the delete MUST precede the add.

   The SRP server checks each Instruction in the SRP update to see that it is either a Service Discovery update, a Service Description update, or a Host Description update. Order matters in DNS updates. Specifically, deletes must precede adds for records that the deletes would affect; otherwise the add will have no effect. This is the only ordering constraint; aside from this constraint, updates may appear in whatever order is convenient when constructing the update.

   Because the SRP update is a DNS update, it MUST contain a single question that indicates the zone to be updated. Every delete and update in an SRP update MUST be within the zone that is specified for the SRP Update.

   An Instruction is a Service Discovery Instruction if it contains

   o  exactly one "Add to an RRSet" ([RFC2136] Section 2.5.1) RR,
   o  which is a PTR RR,
   o  which points to a Service Instance Name
   o  for which a Service Description Instruction is present in the SRP Update.
   o  Service Discovery Instructions do not contain any deletes, and do not contain any other adds.
   An Instruction is a Service Description Instruction if, for the appropriate Service Instance Name, it contains

   o  exactly one "Delete all RRsets from a name" update for the service instance name ([RFC2136] Section 2.5.3),
   o  exactly one "Add to an RRset" SRV RR,
   o  zero or one "Add to an RRset" KEY RR that contains the public key corresponding to the private key that was used to sign the message (if present, the KEY MUST match the KEY RR given in the Host Description),
   o  one or more "Add to an RRset" TXT RRs,
   o  and the target of the SRV RR Add points to a hostname for which there is a Host Description Instruction in the SRP Update.
   o  Service Description Instructions do not modify any other RRs.

   An Instruction is a Host Description Instruction if, for the appropriate hostname, it contains

   o  exactly one "Delete all RRsets from a name" RR,
   o  one or more "Add to an RRset" RRs of type A and/or AAAA,
   o  exactly one "Add to an RRset" RR that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message,
   o  there is a Service Description Instruction in the SRP update for which the SRV RR that is added points to the hostname being updated by this update.
   o  Host Description updates do not modify any other records.

   An SRP Update MUST include at least one Service Discovery Instruction, at least one Service Description Instruction, and exactly one Host Description Instruction. A DNS Update that does not is not an SRP update. A DNS Update that contains any other adds, any other deletes, or any prerequisites, is not an SRP update. Such messages should either be processed as regular RFC2136 updates, including access control checks and constraint checks, if supported, or else rejected with RCODE=REFUSED.
   Note that if the definitions of each of these update types are followed carefully, this means that many things that look very much like SRP updates nevertheless are not. For example, a DNS update that contains an RRset Add to a Service Name and an RRset Add to a Service Instance Name, where the Service Name does not reference the Service Instance Name, is not a valid SRP update message, but may be a valid RFC2136 update.

   Assuming that a DNS Update message has been validated with these conditions and is a valid SRP Update, the server checks that the name in the Host Description Instruction exists. If so, then the server checks to see if the KEY record on that name is the same as the KEY record in the Host Description Instruction. The server performs the same check for the KEY records in any Service Description Instructions. For KEY records that were omitted from Service Description Instructions, the KEY from the Host Description Instruction is used. If any existing KEY record corresponding to a KEY record in the SRP Update does not match the corresponding KEY record in the SRP Update (whether provided or taken from the Host Description Instruction), then the server MUST reject the SRP Update with the YXDOMAIN RCODE.

   Otherwise, the server validates the SRP Update using SIG(0) on the public key in the KEY record of the Host Description update. If the validation fails, the server MUST reject the SRP Update with the REFUSED RCODE. Otherwise, the SRP update is considered valid and authentic, and is processed according to the method described in RFC2136.

   KEY record updates omitted from Service Description updates are processed as if they had been explicitly present: every Service Description that is updated MUST, after the update, have a KEY RR, and it must be the same KEY RR that is present in the Host Description to which the Service Description refers.
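   A worked example of the classification and checks in Section 2.4.3.1, added here and not code from this draft or from any SRP server. It assumes the DNS Update has already been parsed into UpdateRR records, that owner names are lowercase and absolute, and that SIG(0) verification is supplied by a caller-provided callback, since no DNS crypto library is assumed to be available. The zone, host, Service Instance Name and KEY RDATA in the sample update are constructed; the NOTZONE result for out-of-zone names comes from RFC 2136's own pre-scan rather than from this draft.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class UpdateRR:
    """One RR from the Update section of an RFC 2136 message (owner names lowercase, absolute).
    "Add to an RRset"               -> rrclass "IN",  TTL and RDATA present
    "Delete all RRsets from a name" -> rrclass "ANY", rrtype "ANY", ttl 0, empty RDATA"""
    name: str
    rrtype: str
    rrclass: str
    ttl: int
    rdata: str   # presentation format; an SRV's target is its last token


def _classify(rrs: Sequence[UpdateRR]) -> Optional[Tuple[str, dict]]:
    """Map the RRs sharing one owner name to ("SD"|"SDESC"|"HD", details), or None."""
    deletes = [r for r in rrs if r.rrclass == "ANY"]
    adds = [r for r in rrs if r.rrclass == "IN"]
    if len(deletes) + len(adds) != len(rrs):     # e.g. class NONE "delete an RR": not SRP
        return None
    # Order matters: a delete placed after an add would wipe that add out.
    if deletes and adds and rrs.index(deletes[0]) > rrs.index(adds[0]):
        return None
    by_type: Dict[str, List[UpdateRR]] = {}
    for a in adds:
        by_type.setdefault(a.rrtype, []).append(a)
    if not deletes and len(adds) == 1 and adds[0].rrtype == "PTR":
        return "SD", {"target": adds[0].rdata}
    if not (len(deletes) == 1 and deletes[0].rrtype == "ANY"):
        return None
    if (set(by_type) <= {"SRV", "KEY", "TXT"} and len(by_type.get("SRV", [])) == 1
            and len(by_type.get("KEY", [])) <= 1 and by_type.get("TXT")):
        key = by_type["KEY"][0].rdata if "KEY" in by_type else None
        return "SDESC", {"host": by_type["SRV"][0].rdata.split()[-1], "key": key}
    if (set(by_type) <= {"A", "AAAA", "KEY"} and len(by_type.get("KEY", [])) == 1
            and (by_type.get("A") or by_type.get("AAAA"))):
        return "HD", {"key": by_type["KEY"][0].rdata}
    return None


def validate_srp_update(zone: str, update: Sequence[UpdateRR], prerequisites: Sequence,
                        existing_keys: Dict[str, str], verify_sig0: Callable[[str], bool],
                        denied_patterns: Iterable[str] = ()) -> str:
    """Disposition of one DNS Update: "NOERROR" (valid, authentic SRP update), "NOT_SRP"
    (hand to the regular RFC 2136 path or refuse), "NOTZONE", "YXDOMAIN" or "REFUSED"."""
    if prerequisites:
        return "NOT_SRP"                      # SRP updates carry no prerequisites
    if any(rr.name != zone and not rr.name.endswith("." + zone) for rr in update):
        return "NOTZONE"                      # RFC 2136 pre-scan: outside the update zone
    groups: Dict[str, List[UpdateRR]] = {}
    for rr in update:                         # one Instruction per owner name
        groups.setdefault(rr.name, []).append(rr)
    kinds = {name: _classify(rrs) for name, rrs in groups.items()}
    if None in kinds.values():
        return "NOT_SRP"
    hosts = [n for n, (k, _) in kinds.items() if k == "HD"]
    sdescs = [n for n, (k, _) in kinds.items() if k == "SDESC"]
    sds = [n for n, (k, _) in kinds.items() if k == "SD"]
    if len(hosts) != 1 or not sdescs or not sds:
        return "NOT_SRP"
    host, host_key = hosts[0], kinds[hosts[0]][1]["key"]
    # Cross-references: every PTR names a Service Description in this update, every SRV
    # names the single Host Description, and any explicit KEY equals the host's KEY.
    if any(kinds[n][1]["target"] not in sdescs for n in sds):
        return "NOT_SRP"
    if any(kinds[n][1]["host"] != host for n in sdescs):
        return "NOT_SRP"
    if any(kinds[n][1]["key"] not in (None, host_key) for n in sdescs):
        return "NOT_SRP"
    # First-come first-served: a name already held under a different KEY is not available
    # to this signer; operator-denied Service Instance Names get the same RCODE.
    if any(existing_keys.get(n, host_key) != host_key for n in [host] + sdescs):
        return "YXDOMAIN"
    if any(fnmatch(n, pat) for n in sdescs for pat in denied_patterns):
        return "YXDOMAIN"
    if not verify_sig0(host_key):             # SIG(0) over the message with the host KEY
        return "REFUSED"
    return "NOERROR"


# Constructed sample: one host offering one _http._tcp service in default.service.arpa.
ZONE = "default.service.arpa."
HOST = "thermostat.default.service.arpa."
INSTANCE = "thermostat._http._tcp.default.service.arpa."
KEY_A = "257 3 15 ConstructedEd25519PublicKeyA="    # placeholder KEY RDATA, not a real key


def sample_update(key: str = KEY_A, ttl: int = 7200) -> List[UpdateRR]:
    return [
        UpdateRR(HOST, "ANY", "ANY", 0, ""),                         # delete all RRsets
        UpdateRR(HOST, "AAAA", "IN", ttl, "2001:db8::1"),
        UpdateRR(HOST, "KEY", "IN", ttl, key),
        UpdateRR(INSTANCE, "ANY", "ANY", 0, ""),
        UpdateRR(INSTANCE, "SRV", "IN", ttl, "0 0 80 " + HOST),
        UpdateRR(INSTANCE, "TXT", "IN", ttl, '"path=/"'),           # KEY omitted for brevity
        UpdateRR("_http._tcp." + ZONE, "PTR", "IN", ttl, INSTANCE),
    ]


if __name__ == "__main__":
    print(validate_srp_update(ZONE, sample_update(), [], {}, lambda k: True))          # NOERROR
    print(validate_srp_update(ZONE, sample_update(), [], {HOST: "257 3 15 Other="},
                              lambda k: True))                                          # YXDOMAIN
```

   The point worth checking in a real server is the order of the checks: the shape tests and the existing-KEY comparison run before the SIG(0) verification, so a message that fails to qualify as an SRP update never consumes a signature verification, and a name squatted under another key is rejected with YXDOMAIN whether or not the new signature is valid.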
   The status that is returned depends on the result of processing the update, and can be either SUCCESS or SERVFAIL: all other possible outcomes should already have been accounted for when applying the constraints that qualify the update as an SRP Update.

   The server MAY add a Reverse Mapping that corresponds to the Host Description. This is not required because the Reverse Mapping serves no protocol function, but it may be useful for debugging, e.g. in annotating network packet traces or logs. In order for the server to add a reverse mapping update, it must be authoritative for the zone or have credentials to do the update. The client MAY also do a reverse mapping update if it has credentials to do so.

   The server MAY apply additional criteria when accepting updates. In some networks, it may be possible to do out-of-band registration of keys, and only accept updates from pre-registered keys. In this case, an update for a key that has not been registered should be rejected with the REFUSED RCODE.

   There are at least two benefits to doing this rather than simply using normal SIG(0) DNS updates. First, the same registration protocol can be used in both cases, so both use cases can be addressed by the same service implementation. Second, the registration protocol includes maintenance functionality not present with normal DNS updates.

   Note that the semantics of using SRP in this way are different than for typical RFC2136 implementations: the KEY used to sign the SRP update only allows the client to update records that refer to its Host Description. RFC2136 implementations do not normally provide a way to enforce a constraint of this type.

   The server may also have a dictionary of names or name patterns that are not permitted. If such a list is used, updates for Service Instance Names that match entries in the dictionary are rejected with YXDOMAIN.
2.5.  TTL Consistency

   All RRs within an RRset are required to have the same TTL (Clarifications to the DNS Specification [RFC2181], Section 5.2). In order to avoid inconsistencies, SRP places restrictions on TTLs sent by services and requires that SRP Servers enforce consistency.

   Services sending SRP updates MUST use consistent TTLs in all RRs within the SRP update.

   SRP update servers MUST check that the TTLs for all RRs within the SRP update are the same. If they are not, the SRP update MUST be rejected with a REFUSED RCODE.

   Additionally, when adding RRs to an RRset, for example when processing Service Discovery records, the server MUST use the same TTL on all RRs in the RRset. How this consistency is enforced is up to the implementation.

   TTLs sent in SRP updates are advisory: they indicate the client's guess as to what a good TTL would be. SRP servers may override these TTLs. SRP servers SHOULD ensure that TTLs are reasonable: neither too long nor too short. The TTL should never be longer than the lease time (Section 2.6.1). Shorter TTLs will result in more frequent data refreshes; this increases latency on the client side, and increases load on any caching resolvers and on the authoritative server. Longer TTLs will increase the likelihood that data in caches will be stale. TTL minimums and maximums SHOULD be configurable by the operator of the SRP server.

2.6.  Maintenance

2.6.1.  Cleaning up stale data

   Because the DNS-SD registration protocol is automatic, and not managed by humans, some additional bookkeeping is required. When an update is constructed by the client, it MUST include an EDNS(0) Update Lease Option [I-D.sekar-dns-ul]. The Update Lease Option contains two lease times: the Lease Time and the Key Lease Time.
These leases are promises, similar to DHCP leases [RFC2131], from the client that it will send a new update for the service registration before the lease time expires. The Lease Time is chosen to represent the time after the update during which the registered records other than the KEY record should be assumed to be valid. The Key Lease Time represents the time after the update during which the KEY record should be assumed to be valid.

The reasoning behind the different lease times is discussed in the section on first-come, first-served naming (Section 2.4.1). SRP servers may be configured with limits for these values. A default limit of two hours for the Lease and 14 days for the SIG(0) KEY are currently thought to be good choices. Clients that are going to continue to use names on which they hold leases should update well before the lease ends, in case the registration service is unavailable or under heavy load.

The SRP server MUST include an EDNS(0) Update Lease option in the response if the lease time proposed by the service has been shortened or lengthened. The service MUST check for the EDNS(0) Update Lease option in the response and MUST use the lease times from that option in place of the ones that it sent to the server when deciding when to update its registration. The times may be shorter or longer than those specified in the SRP update; the client must honor them in either case.

Clients should assume that each lease ends N seconds after the update was first transmitted, where N is the lease duration. Servers should assume that each lease ends N seconds after the update that was successfully processed was received. Because the server will always receive the update after the client sent it, this avoids the possibility of misunderstandings.

SRP servers MUST reject updates that do not include an EDNS(0) Update Lease option.
Dual-use servers MAY accept updates that don't include leases, but SHOULD differentiate between SRP updates and other updates, and MUST reject updates that would otherwise be SRP updates if they do not include leases.

Lease times have a completely different function from TTLs. On an authoritative DNS server, the TTL on a resource record is a constant: whenever that RR is served in a DNS response, the TTL value sent in the answer is the same. The lease time is never sent as a TTL; its sole purpose is to determine when the authoritative DNS server will delete stale records. It is not an error to send a DNS response with a TTL of 'n' when the remaining time on the lease is less than 'n'.

2.6.2.  Sleep Proxy

Another use of SRP is for devices that sleep to reduce power consumption.

In this case, in addition to the DNS Update Lease option [I-D.sekar-dns-ul] described above, the device includes an EDNS(0) OWNER Option [I-D.cheshire-edns0-owner-option].

The EDNS(0) Update Lease option constitutes a promise by the device that it will wake up before this time elapses, to renew its registration and thereby demonstrate that it is still attached to the network. If it fails to renew the registration by this time, that indicates that it is no longer attached to the network, and its registration (except for the KEY in the Host Description) should be deleted.

The EDNS(0) OWNER Option indicates that the device will be asleep, and will not be receptive to normal network traffic. When a DNS server receives a DNS Update with an EDNS(0) OWNER Option, that signifies that the SRP server should set up a proxy for any IPv4 or IPv6 address records in the DNS Update message. This proxy should send ARP or ND messages claiming ownership of the IPv4 and/or IPv6 addresses in the records in question.
In addition, the proxy should answer future ARP or ND requests for those IPv4 and/or IPv6 addresses, claiming ownership of them. When the DNS server receives a TCP SYN or UDP packet addressed to one of the IPv4 or IPv6 addresses for which it is proxying, it should then wake up the sleeping device using the information in the EDNS(0) OWNER Option. At present, version 0 of the OWNER Option specifies the "Wake-on-LAN Magic Packet" that needs to be sent; future versions could be extended to specify other wakeup mechanisms.

Note that although the authoritative DNS server that implements the SRP function need not be on the same link as the sleeping host, the Sleep Proxy must be on the same link.

It is not required that sleepy nodes on a Constrained-Node Network support sleep proxy. Such devices may have different mechanisms for dealing with sleep and wakeup. An SRP registration for such a device will be useful regardless of the mechanism whereby messages are delivered to the sleepy end device. For example, the message might be held in a buffer for an extended period of time by an intermediate device on a mesh network, and then delivered to the device when it wakes up. The exact details of such behaviors are out of scope for this document.

3.  Security Considerations

3.1.  Source Validation

SRP updates have no authorization semantics other than first-come, first-served. This means that if an attacker from outside of the administrative domain of the server knows the server's IP address, it can in principle send updates to the server that will be processed successfully. Servers should therefore be configured to reject updates from source addresses outside of the administrative domain of the server.

For Anycast updates, this validation must be enforced by every router that connects the Constrained-Device Network to the unconstrained portion of the network.
For TCP updates, the initial SYN-SYN+ACK handshake prevents updates from being forged by an off-network attacker. In order to ensure that this handshake happens, Service Discovery Protocol servers MUST NOT accept TCP Fast Open payloads.

Note that these rules only apply to the validation of SRP updates. A server that accepts updates from DNS-SD registration protocol clients may also accept other DNS updates, and those DNS updates may be validated using different rules. However, in the case of a DNS service that accepts SRP updates, the intersection of the SRP update rules and whatever other update rules are present must be considered very carefully.

For example, a normal, authenticated RFC2136 update to any RR that was added using SRP, but that is authenticated using a different key, could be used to override a promise made by the registration protocol, by replacing all or part of the service registration information with information provided by a different client. An implementation that allows both kinds of updates should not allow updates to records added by SRP updates using different authentication and authorization credentials.

3.2.  SIG(0) signature validation

This specification does not provide a mechanism for validating responses from DNS servers to SRP clients. In the case of Constrained Network/Constrained Node clients, such validation isn't practical because there's no way to establish trust. In principle, a KEY RR could be used by a non-constrained SRP client to validate responses from the server, but this is not required, nor do we specify a mechanism for determining which key to use.

3.3.  Required Signature Algorithm

For validation, SRP Servers MUST implement the ECDSAP256SHA256 signature algorithm.
SRP servers SHOULD implement the algorithms specified in [I-D.ietf-dnsop-algorithm-update], Section 3.1, in the validation column of the table, starting with algorithm number 13. SRP clients MUST NOT assume that any algorithm numbered lower than 13 is available for use in validating SIG(0) signatures.

4.  Privacy Considerations

Because DNSSD SRP updates can be sent off-link, the privacy implications of SRP are different from those of multicast DNS responses. Host implementations that are using TCP SHOULD also use TLS if available. Server implementations MUST offer TLS support. The use of TLS with DNS is described in [RFC7858] and [RFC8310].

Hosts that implement TLS support SHOULD NOT fall back to TCP; since servers are required to support TLS, it is entirely up to the host implementation whether to use it.

5.  Delegation of 'service.arpa.'

In order to be fully functional, there must be a delegation of 'service.arpa.' in the '.arpa.' zone [RFC3172]. This delegation should be set up as was done for 'home.arpa', as a result of the specification in [RFC8375], Section 7.

6.  IANA Considerations

6.1.  Registration and Delegation of 'service.arpa' as a Special-Use Domain Name

IANA is requested to record the domain name 'service.arpa.' in the Special-Use Domain Names registry [SUDN]. IANA is requested, with the approval of the IAB, to implement the delegation requested in Section 5.

IANA is further requested to add a new entry to the "Transport-Independent Locally-Served Zones" subregistry of the "Locally-Served DNS Zones" registry [LSDZ]. The entry will be for the domain 'service.arpa.' with the description "DNS-SD Registration Protocol Special-Use Domain", listing this document as the reference.

6.2.  'dnssd-srp' Service Name

IANA is also requested to add a new entry to the Service Names and Port Numbers registry for dnssd-srp with a transport type of tcp. No port number is to be assigned. The reference should be to this document, and the Assignee and Contact information should reference the authors of this document. The Description should be as follows:

Availability of DNS Service Discovery Service Registration Protocol Service for a given domain is advertised using the "_dnssd-srp._tcp.<domain>" SRV record, which gives the target host and port where DNSSD Service Registration Service is provided for the named domain.

6.3.  'dnssd-srp-tls' Service Name

IANA is also requested to add a new entry to the Service Names and Port Numbers registry for dnssd-srp-tls with a transport type of tcp. No port number is to be assigned. The reference should be to this document, and the Assignee and Contact information should reference the authors of this document. The Description should be as follows:

Availability of DNS Service Discovery Service Registration Protocol Service for a given domain over TLS is advertised using the "_dnssd-srp-tls._tcp.<domain>" SRV record, which gives the target host and port where DNSSD Service Registration Service is provided for the named domain.

6.4.  Anycast Address

IANA is requested to allocate an IPv6 Anycast address from the IPv6 Special-Purpose Address Registry, similar to the Port Control Protocol anycast address, 2001:1::1. This address is referred to within the document as TBD1, and the document should be updated to reflect the address that was allocated.

7.  Acknowledgments

Thanks to Toke Hoeiland-Joergensen for a thorough technical review, to Tamara Kemper for doing a nice developmental edit, Tim Wattenberg for doing a service implementation at the Montreal Hackathon at IETF 102, Tom Pusateri for reviewing during the hackathon and afterwards, and [...] more reviewers to come, hopefully.

8.  References

8.1.  Normative References

[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, <https://www.rfc-editor.org/info/rfc6763>.

[I-D.sekar-dns-ul] Cheshire, S. and T. Lemon, "Dynamic DNS Update Leases", draft-sekar-dns-ul-02 (work in progress), August 2018.

[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, <https://www.rfc-editor.org/info/rfc2132>.

[RFC3172] Huston, G., Ed., "Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, September 2001, <https://www.rfc-editor.org/info/rfc3172>.

[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 Router Advertisement Options for DNS Configuration", RFC 8106, DOI 10.17487/RFC8106, March 2017, <https://www.rfc-editor.org/info/rfc8106>.

[RFC8375] Pfister, P. and T. Lemon, "Special-Use Domain 'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018, <https://www.rfc-editor.org/info/rfc8375>.

[I-D.ietf-dnsop-algorithm-update] Wouters, P. and O. Sury, "Algorithm Implementation Requirements and Usage Guidance for DNSSEC", draft-ietf-dnsop-algorithm-update-10 (work in progress), April 2019.

[SUDN] "Special-Use Domain Names Registry", July 2012, <https://www.iana.org/assignments/special-use-domain-names>.

[LSDZ] "Locally-Served DNS Zones Registry", July 2011, <https://www.iana.org/assignments/locally-served-dns-zones>.

8.2.  Informative References

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <https://www.rfc-editor.org/info/rfc1035>.

[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March 1997, <https://www.rfc-editor.org/info/rfc2131>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997, <https://www.rfc-editor.org/info/rfc2136>.

[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, <https://www.rfc-editor.org/info/rfc2181>.

[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 2000, <https://www.rfc-editor.org/info/rfc2931>.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, <https://www.rfc-editor.org/info/rfc3007>.

[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)", RFC 6760, DOI 10.17487/RFC6760, February 2013, <https://www.rfc-editor.org/info/rfc6760>.

[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013, <https://www.rfc-editor.org/info/rfc6761>.

[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013, <https://www.rfc-editor.org/info/rfc6762>.

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014, <https://www.rfc-editor.org/info/rfc7228>.

[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016, <https://www.rfc-editor.org/info/rfc7858>.

[RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles for DNS over TLS and DNS over DTLS", RFC 8310, DOI 10.17487/RFC8310, March 2018, <https://www.rfc-editor.org/info/rfc8310>.

[I-D.ietf-dnssd-hybrid] Cheshire, S., "Discovery Proxy for Multicast DNS-Based Service Discovery", draft-ietf-dnssd-hybrid-10 (work in progress), March 2019.

[I-D.ietf-dnssd-push] Pusateri, T. and S. Cheshire, "DNS Push Notifications", draft-ietf-dnssd-push-25 (work in progress), October 2019.
[I-D.cheshire-dnssd-roadmap] Cheshire, S., "Service Discovery Road Map", draft-cheshire-dnssd-roadmap-03 (work in progress), October 2018.

[I-D.cheshire-edns0-owner-option] Cheshire, S. and M. Krochmal, "EDNS0 OWNER Option", draft-cheshire-edns0-owner-option-01 (work in progress), July 2017.

[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration Networking: The Definitive Guide", O'Reilly Media, Inc., ISBN 0-596-10100-7, December 2005.

Appendix A.  Testing using standard RFC2136-compliant servers

It may be useful to set up a DNS server for testing that does not implement SRP. This can be done by configuring the server to listen on the anycast address, or advertising it in the _dnssd-srp._tcp.<domain> SRV and _dnssd-srp-tls._tcp.<domain> records. It must be configured to be authoritative for "default.service.arpa", and to accept updates from hosts on local networks for names under "default.service.arpa" without authentication, since such servers will not have support for FCFS authentication (Section 2.4.1).

A server configured in this way will be able to successfully accept and process SRP updates from services that send SRP updates. However, no prerequisites will be applied, and this means that the test server will accept internally inconsistent SRP updates, and will not stop two SRP updates, sent by different services, that claim the same name(s), from overwriting each other.

Since SRP updates are signed with keys, validation of the SIG(0) algorithm used by the client can be done by manually installing the client public key on the DNS server that will be receiving the updates. The key can then be used to authenticate the client, and can be used as a requirement for the update. An example configuration for testing SRP using BIND 9 is given in Appendix C.

Appendix B.  How to allow services to update standard RFC2136-compliant servers

Ordinarily SRP updates will fail when sent to an RFC 2136-compliant server that does not implement SRP, because the zone being updated is "default.service.arpa", and no DNS server that is not an SRP server should normally be configured to be authoritative for "default.service.arpa". Therefore, a service that sends an SRP update can tell that the receiving server does not support SRP, but does support RFC2136, because the RCODE will be either NOTZONE, NOTAUTH or REFUSED, or because there is no response to the update request (when using the anycast address).

In this case a service MAY attempt to register itself using regular RFC2136 DNS updates. To do so, it must discover the default registration zone and the DNS server designated to receive updates for that zone, as described earlier, using the _dns-update._udp SRV record. It can then make the update using the port and host pointed to by the SRV record, and should use appropriate prerequisites to avoid overwriting competing records. Such updates are out of scope for SRP, and a service that implements SRP MUST first attempt to use SRP to register itself, and should only attempt to use RFC2136 backwards compatibility if that fails. Although the owner name for the SRV record specifies the UDP protocol for updates, it is also possible to use TCP, and TCP should be required to prevent spoofing.

Appendix C.  Sample BIND9 configuration for default.service.arpa.

   zone "default.service.arpa." {
       type master;
       file "/etc/bind/master/service.db";
       allow-update { key demo.default.service.arpa.; };
   };

Zone Configuration in named.conf

   $ORIGIN .
   $TTL 57600      ; 16 hours
   default.service.arpa    IN SOA  ns3.default.service.arpa. postmaster.default.service.arpa. (
                                   2951053287 ; serial
                                   3600       ; refresh (1 hour)
                                   1800       ; retry (30 minutes)
                                   604800     ; expire (1 week)
                                   3600       ; minimum (1 hour)
                                   )
                           NS      ns3.default.service.arpa.
                           SRV     0 0 53 ns3.default.service.arpa.
   $ORIGIN default.service.arpa.
   $TTL 3600       ; 1 hour
   _ipps._tcp              PTR     demo._ipps._tcp
   $ORIGIN _ipps._tcp.default.service.arpa.
   demo                    TXT     "0"
                           SRV     0 0 9992 demo.default.service.arpa.
   $ORIGIN _udp.default.service.arpa.
   $TTL 3600       ; 1 hour
   _dns-update             PTR     ns3.default.service.arpa.
   $ORIGIN _tcp.default.service.arpa.
   _dnssd-srp              PTR     ns3.default.service.arpa.
   $ORIGIN default.service.arpa.
   $TTL 300        ; 5 minutes
   ns3                     AAAA    2001:db8:0:1::1
   $TTL 3600       ; 1 hour
   demo                    AAAA    2001:db8:0:2::1
                           KEY     513 3 13 (
                                   qweEmaaq0FAWok5//ftuQtZgiZoiFSUsm0srWREdywQU
                                   9dpvtOhrdKWUuPT3uEFF5TZU6B4q1z1I662GdaUwqg==
                                   ) ; alg = ECDSAP256SHA256 ; key id = 15008
                           AAAA    ::1

Example Zone file

Authors' Addresses

Ted Lemon
Apple Inc.
One Apple Park Way
Cupertino, California 95014
USA

Email: mellon@fugue.com

Stuart Cheshire
Apple Inc.
One Apple Park Way
Cupertino, California 95014
USA

Phone: +1 408 974 3207
Email: cheshire@apple.com