idnits 2.17.1 draft-ietf-dnssd-srp-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC2606-compliant FQDNs in the document. == There are 2 instances of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 211: '...rvices using SRP MUST use the domain n...' RFC 2119 keyword, line 214: '...e than one domain name, it MUST NOT be...' RFC 2119 keyword, line 294: '...ce Instance Name MUST be referenced by...' RFC 2119 keyword, line 398: '.../private key pair. This key pair MUST...' RFC 2119 keyword, line 400: '..., the SRP client MUST be pre-configure...' (49 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (18 November 2020) is 1254 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-03) exists of draft-sekar-dns-ul-02 -- Possible downref: Non-RFC (?) 
normative reference: ref. 'SUDN' -- Possible downref: Non-RFC (?) normative reference: ref. 'LSDZ' Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force T. Lemon 3 Internet-Draft S. Cheshire 4 Intended status: Standards Track Apple Inc. 5 Expires: 22 May 2021 18 November 2020 7 Service Registration Protocol for DNS-Based Service Discovery 8 draft-ietf-dnssd-srp-06 10 Abstract 12 The Service Registration Protocol for DNS-Based Service Discovery 13 uses the standard DNS Update mechanism to enable DNS-Based Service 14 Discovery using only unicast packets. This makes it possible to 15 deploy DNS Service Discovery without multicast, which greatly 16 improves scalability and improves performance on networks where 17 multicast service is not an optimal choice, particularly 802.11 18 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration 19 uses public keys and SIG(0) to allow services to defend their 20 registrations against attack. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on 22 May 2021. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. 
All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 46 license-info) in effect on the date of publication of this document. 47 Please review these documents carefully, as they describe your rights 48 and restrictions with respect to this document. Code Components 49 extracted from this document must include Simplified BSD License text 50 as described in Section 4.e of the Trust Legal Provisions and are 51 provided without warranty as described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Service Registration Protocol . . . . . . . . . . . . . . . . 5 57 2.1. Protocol Variants . . . . . . . . . . . . . . . . . . . . 5 58 2.1.1. Full-featured Hosts . . . . . . . . . . . . . . . . . 5 59 2.1.2. Constrained Hosts . . . . . . . . . . . . . . . . . . 6 60 2.1.3. Why two variants? . . . . . . . . . . . . . . . . . . 6 61 2.2. Protocol Details . . . . . . . . . . . . . . . . . . . . 6 62 2.2.1. What to publish . . . . . . . . . . . . . . . . . . . 7 63 2.2.2. Where to publish it . . . . . . . . . . . . . . . . . 7 64 2.2.3. How to publish it . . . . . . . . . . . . . . . . . . 8 65 2.2.4. How to secure it . . . . . . . . . . . . . . . . . . 9 66 2.2.5. Service Behavior . . . . . . . . . . . . . . . . . . 9 67 2.3. SRP Server Behavior . . . . . . . . . . . . . . . . . . . 11 68 2.3.1. Validation of Adds . . . . . . . . . . . . . . . . . 11 69 2.3.2. Valid SRP Update Requirements . . . . . . . . . . . . 13 70 2.3.3. FCFS Name And Signature Validation . . . . . . . . . 14 71 2.3.4. SRP Update response . . . . . . . . . . . . . . . . . 14 72 2.3.5. Optional Behavior . . . . . . . . . . . . . . . . . . 14 73 3. TTL Consistency . . . . . . . . . . . . . . . . . . . . . . . 15 74 4. Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . 16 75 4.1. Cleaning up stale data . . . . . . . . . . . 
. . . . . . 16 76 5. Sleep Proxy . . . . . . . . . . . . . . . . . . . . . . . . . 17 77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 78 6.1. Source Validation . . . . . . . . . . . . . . . . . . . . 18 79 6.2. SRP Server Authentication . . . . . . . . . . . . . . . . 19 80 6.3. Required Signature Algorithm . . . . . . . . . . . . . . 19 81 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19 82 8. Delegation of 'service.arpa.' . . . . . . . . . . . . . . . . 20 83 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 84 9.1. Registration and Delegation of 'service.arpa' as a 85 Special-Use Domain Name . . . . . . . . . . . . . . . . . 20 86 9.2. 'dnssd-srp' Service Name . . . . . . . . . . . . . . . . 20 87 9.3. 'dnssd-srp-tls' Service Name . . . . . . . . . . . . . . 20 88 9.4. Anycast Address . . . . . . . . . . . . . . . . . . . . . 21 89 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 90 11. Normative References . . . . . . . . . . . . . . . . . . . . 22 91 12. Informative References . . . . . . . . . . . . . . . . . . . 23 92 Appendix A. Testing using standard RFC2136-compliant servers . . 24 93 Appendix B. How to allow services to update standard 94 RFC2136-compliant servers . . . . . . . . . . . . . . . . 25 95 Appendix C. Sample BIND9 configuration for 96 default.service.arpa. . . . . . . . . . . . . . . . . . . 25 98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 100 1. Introduction 102 DNS-Based Service Discovery [RFC6763] is a component of Zero 103 Configuration Networking [RFC6760] [ZC] [I-D.cheshire-dnssd-roadmap]. 105 This document describes an enhancement to DNS-Based Service Discovery 106 [RFC6763] that allows services to register their services using the 107 DNS protocol rather than using Multicast DNS [RFC6762] (mDNS). There 108 is already a large installed base of DNS-SD clients that can discover 109 services using the DNS protocol. 
111 This document is intended for three audiences: implementors of 112 software that provides services that should be advertised using 113 DNS-SD, implementors of DNS servers that will be used in contexts 114 where DNS-SD registration is needed, and administrators of networks 115 where DNS-SD service is required. The document is intended to 116 provide sufficient information to allow interoperable implementation 117 of the registration protocol. 119 DNS-Based Service Discovery (DNS-SD) allows services to advertise the 120 fact that they provide service, and to provide the information 121 required to access that service. DNS-SD clients can then discover 122 the set of services of a particular type that are available. They 123 can then select a service from among those that are available and 124 obtain the information required to use it. Although DNS-SD using the 125 DNS protocol (as opposed to mDNS) can be more efficient and 126 versatile, it is not common in practice, because of the difficulties 127 associated with updating authoritative DNS services with service 128 information. 130 Existing practice for updating DNS zones is to either manually enter 131 new data, or else use DNS Update [RFC2136]. Unfortunately DNS Update 132 requires either that the authoritative DNS server automatically trust 133 updates, or else that the DNS Update client have some kind of shared 134 secret or public key that is known to the DNS server and can be used 135 to authenticate the update. Furthermore, DNS Update can be a fairly 136 chatty process, requiring multiple round trips with different 137 conditional predicates to complete the update process. 
139 The SRP protocol adds a set of default heuristics for processing DNS 140 updates that eliminates the need for DNS update conditional 141 predicates: instead, the SRP server has a set of default predicates 142 that are applied to the update, and the update either succeeds 143 entirely, or fails in a way that allows the registering service to 144 know what went wrong and construct a new update. 146 SRP also adds a feature called First-Come, First-Served Naming, which 147 allows the registering service to claim a name that is not yet in 148 use, and, using SIG(0) [RFC2931], to authenticate both the initial 149 claim and subsequent updates. This prevents name conflicts, since a 150 second SRP service attempting to claim the same name will not possess 151 the SIG(0) key used by the first service to claim it, and so its 152 claim will be rejected and the second service will have to choose a 153 new name. 155 Finally, SRP adds the concept of a 'lease,' similar to leases in 156 Dynamic Host Configuration Protocol [RFC8415]. The SRP registration 157 itself has a lease which may be on the order of an hour; if the 158 registering service does not renew the lease before it has elapsed, 159 the registration is removed. The claim on the name can have a longer 160 lease, so that another service cannot claim the name, even though the 161 registration has expired. 163 The Service Registration Protocol for DNS-SD (SRP), described in this 164 document, provides a reasonably secure mechanism for publishing this 165 information. Once published, these services can be readily 166 discovered by DNS-SD clients using standard DNS lookups. 168 The DNS-SD specification [RFC6763], Section 10 ("Populating the DNS 169 with Information"), briefly discusses ways that services can publish 170 their information in the DNS namespace. 
In the case of mDNS, it 171 allows services to publish their information on the local link, using 172 names in the ".local" namespace, which makes their services directly 173 discoverable by peers attached to that same local link. 175 RFC6763 also allows clients to discover services using the DNS 176 protocol [RFC1035]. This can be done by having a system 177 administrator manually configure service information in the DNS, but 178 manually populating DNS authoritative server databases is costly and 179 potentially error-prone, and requires a knowledgable network 180 administrator. Consequently, although all DNS-SD client 181 implementations of which we are aware support DNS-SD using DNS 182 queries, in practice it is used much less frequently than mDNS. 184 The Discovery Proxy [RFC8766] provides one way to automatically 185 populate the DNS namespace, but is only appropriate on networks where 186 services are easily advertised using mDNS. This document describes a 187 solution more suitable for networks where multicast is inefficient, 188 or where sleepy devices are common, by supporting both offering of 189 services, and discovery of services, using unicast. 191 2. Service Registration Protocol 193 Services that implement SRP use DNS Update [RFC2136] [RFC3007] to 194 publish service information in the DNS. Two variants exist, one for 195 full-featured hosts, and one for devices designed for "Constrained- 196 Node Networks" [RFC7228]. An SRP server is most likely an 197 authoritative DNS server, or else is updating an authoritative DNS 198 server. There is no requirement that the server that is receiving 199 SRP requests be the same server that is answering queries that return 200 records that have been registered. 202 2.1. Protocol Variants 204 2.1.1. Full-featured Hosts 206 Full-featured hosts are either configured manually with a 207 registration domain, or use the "dr._dns-sd._udp." 
query 208 ([RFC6763], Section 11) to learn the default registration domain from 209 the network. RFC6763 says to discover the registration domain using 210 either ".local" or a network-supplied domain name for . 211 Services using SRP MUST use the domain name received through the 212 DHCPv4 Domain Name option ([RFC2132], Section 3.17), if available, or 213 the Neighbor Discovery DNS Search List option [RFC8106]. If the DNS 214 Search List option contains more than one domain name, it MUST NOT be 215 used. If neither option is available, the Service Registration 216 protocol is not available on the local network. 218 Manual configuration of the registration domain can be done either by 219 querying the list of available registration zones ("r._dns-sd._udp") 220 and allowing the user to select one from the UI, or by any other 221 means appropriate to the particular use case being addressed. Full- 222 featured devices construct the names of the SRV, TXT, and PTR records 223 describing their service(s) as subdomains of the chosen service 224 registration domain. For these names they then discover the zone 225 apex of the closest enclosing DNS zone using SOA queries [RFC8765]. 226 Having discovered the enclosing DNS zone, they query for the 227 "_dnssd-srp._tcp." SRV record to discover the server to which 228 they should send DNS updates. Hosts that support SRP updates using 229 TLS use the "_dnssd-srp-tls._tcp." SRV record instead. 231 2.1.2. Constrained Hosts 233 For devices designed for Constrained-Node Networks [RFC7228] some 234 simplifications are available. Instead of being configured with (or 235 discovering) the service registration domain, the (proposed) special- 236 use domain name (see [RFC6761]) "default.service.arpa" is used. The 237 details of how SRP server(s) are discovered will be specific to the 238 constrained network, and therefore we do not suggest a specific 239 mechanism here. 
241 SRP clients on constrained networks are expected to receive from the 242 network a list of SRP servers with which to register. It is the 243 responsibility of a Constrained-Node Network supporting SRP to 244 provide one or more SRP server addresses. It is the responsibility 245 of the SRP server supporting a Constrained-Node Network to handle the 246 updates appropriately. In some network environments, updates may be 247 accepted directly into a local "default.service.arpa" zone, which has 248 only local visibility. In other network environments, updates for 249 names ending in "default.service.arpa" may be rewritten internally to 250 names with broader visibility. 252 2.1.3. Why two variants? 254 The reason for these different assumptions is that low-power devices 255 that typically use Constrained-Node Networks may have very limited 256 battery power. The series of DNS lookups required to discover an SRP 257 server and then communicate with it will increase the power required 258 to advertise a service; for low-power devices, the additional 259 flexibility this provides does not justify the additional use of 260 power. It is also fairly typical of such networks that some network 261 service information is obtained as part of the process of joining the 262 network, and so this can be relied upon to provide nodes with the 263 information they need. 265 Networks that are not constrained networks can more complicated 266 topologies at the Internet layer. Nodes connected to such networks 267 can be assumed to be able to do DNSSD service registration domain 268 discovery. Such networks are generally able to provide registration 269 domain discovery and routing. By requiring the use of TCP, the 270 possibility of off-network spoofing is eliminated. 272 2.2. 
Protocol Details 274 We will discuss several parts to this process: how to know what to 275 publish, how to know where to publish it (under what name), how to 276 publish it, how to secure its publication, and how to maintain the 277 information once published. 279 2.2.1. What to publish 281 We refer to the DNS Update message sent by services using SRP as an 282 SRP update. Three types of updates appear in an SRP update: Service 283 Discovery records, Service Description records, and Host Description 284 records. 286 * Service Discovery records are one or more PTR RRs, mapping from 287 the generic service type (or subtype) to the specific Service 288 Instance Name. 289 * Service Description records are exactly one SRV RR, exactly one 290 KEY RR, and one or more TXT RRs, all with the same name, the 291 Service Instance Name ([RFC6763], Section 4.1). In principle 292 Service Description records can include other record types, with 293 the same Service Instance Name, though in practice they rarely do. 294 The Service Instance Name MUST be referenced by one or more 295 Service Discovery PTR records, unless it is a placeholder service 296 registration for an intentionally non-discoverable service name. 297 * The Host Description records for a service are a KEY RR, used to 298 claim exclusive ownership of the service registration, and one or 299 more RRs of type A or AAAA, giving the IPv4 or IPv6 address(es) of 300 the host where the service resides. 302 RFC 6763 describes the details of what each of these types of updates 303 contains and is the definitive source for information about what to 304 publish; the reason for summarizing this here is to provide the 305 reader with enough information about what will be published that the 306 service registration process can be understood at a high level 307 without first learning the full details of DNS-SD. 
Also, the 308 "Service Instance Name" is an important aspect of first-come, first- 309 serve naming, which we describe later on in this document. 311 2.2.2. Where to publish it 313 Multicast DNS uses a single namespace, ".local", which is valid on 314 the local link. This convenience is not available for DNS-SD using 315 the DNS protocol: services must exist in some specific unicast 316 namespace. 318 As described above, full-featured devices are responsible for knowing 319 in what domain they should register their services. Devices made for 320 Constrained-Node Networks register in the (proposed) special use 321 domain name [RFC6761] "default.service.arpa", and let the SRP server 322 handle rewriting that to a different domain if necessary. 324 2.2.3. How to publish it 326 It is possible to issue a DNS Update that does several things at 327 once; this means that it's possible to do all the work of adding a 328 PTR resource record to the PTR RRset on the Service Name, and 329 creating or updating the Service Instance Name and Host Description, 330 in a single transaction. 332 An SRP update takes advantage of this: it is implemented as a single 333 DNS Update message that contains a service's Service Discovery 334 records, Service Description records, and Host Description records. 336 Updates done according to this specification are somewhat different 337 than regular DNS Updates as defined in RFC2136. The RFC2136 update 338 process can involve many update attempts: you might first attempt to 339 add a name if it doesn't exist; if that fails, then in a second 340 message you might update the name if it does exist but matches 341 certain preconditions. Because the registration protocol uses a 342 single transaction, some of this adaptability is lost. 344 In order to allow updates to happen in a single transaction, SRP 345 updates do not include update prerequisites. 
The requirements 346 specified in Section 2.3 are implicit in the processing of SRP 347 updates, and so there is no need for the service sending the SRP 348 update to put in any explicit prerequisites. 350 2.2.3.1. How DNS-SD Service Registration differs from standard RFC2136 351 DNS Update 353 DNS-SD Service Registration is based on standard RFC2136 DNS Update, 354 with some differences: 356 * It implements first-come first-served name allocation, protected 357 using SIG(0) [RFC2931]. 358 * It enforces policy about what updates are allowed. 359 * It optionally performs rewriting of "default.service.arpa" to some 360 other domain. 361 * It optionally performs automatic population of the address-to-name 362 reverse mapping domains. 363 * An SRP server is not required to implement general DNS Update 364 prerequisite processing. 365 * SRP clients are allowed to send updates to the generic domain 366 "default.service.arpa" 368 2.2.4. How to secure it 370 Traditional DNS update is secured using the TSIG protocol, which uses 371 a secret key shared between the DNS Update client (which issues the 372 update) and the server (which authenticates it). This model does not 373 work for automatic service registration. 375 The goal of securing the DNS-SD Registration Protocol is to provide 376 the best possible security given the constraint that service 377 registration has to be automatic. It is possible to layer more 378 operational security on top of what we describe here, but what we 379 describe here is an improvement over the security of mDNS. The goal 380 is not to provide the level of security of a network managed by a 381 skilled operator. 383 2.2.4.1. First-Come First-Served Naming 385 First-Come First-Serve naming provides a limited degree of security: 386 a service that registers its service using DNS-SD Registration 387 protocol is given ownership of a name for an extended period of time 388 based on the key used to authenticate the DNS Update. 
As long as the 389 registration service remembers the name and the key used to register 390 that name, no other service can add or update the information 391 associated with that. FCFS naming is used to protect both the 392 Service Description and the Host Description. 394 2.2.5. Service Behavior 396 2.2.5.1. Public/Private key pair generation and storage 398 The service generates a public/private key pair. This key pair MUST 399 be stored in stable storage; if there is no writable stable storage 400 on the SRP client, the SRP client MUST be pre-configured with a 401 public/private key pair in read-only storage that can be used. This 402 key pair MUST be unique to the device. This key pair MUST be unique 403 to the device. A device with rewritable storage should retain this 404 key indefinitely. When the device changes ownership, it may be 405 appropriate to erase the old key and install a new one. Therefore 406 the key MAY be overwritten as a result of a full reset of the device 407 (e.g., a "factory reset"). 409 When sending DNS updates, the service includes a KEY record 410 containing the public portion of the key in each Host Description 411 update and each Service Description update. Each KEY record MUST 412 contain the same public key. The update is signed using SIG(0), 413 using the private key that corresponds to the public key in the KEY 414 record. The lifetimes of the records in the update is set using the 415 EDNS(0) Update Lease option [I-D.sekar-dns-ul]. 417 The KEY record in Service Description updates MAY be omitted for 418 brevity; if it is omitted, the SRP server MUST behave as if the same 419 KEY record that is given for the Host Description is also given for 420 each Service Description for which no KEY record is provided. 421 Omitted KEY records are not used when computing the SIG(0) signature. 423 2.2.5.2. Name Conflict Handling 425 Both Host Description records and Service Description Records can 426 have names that result in name conflicts. 
Service Discovery records 427 cannot have name conflicts. If any Host Description or Service 428 Description record is found by the server to have a conflict with an 429 existing name, the server will respond to the SRP Update with a 430 YXDOMAIN rcode. In this case, the Service MUST either abandon the 431 service registration attempt, or else choose a new name. 433 There is no specific requirement for how this is done; typically, 434 however, the service will append a number to the preferred name. 435 This number could be sequentially increasing, or could be chosen 436 randomly. One existing implementation attempts several sequential 437 numbers before choosing randomly. So for instance, it might try 438 host.service.arpa, then host-1.service.arpa, then host- 439 2.service.arpa, then host-31773.service.arpa. 441 2.2.5.3. Record Lifetimes 443 The lifetime of the DNS-SD PTR, SRV, A, AAAA and TXT records 444 [RFC6763] uses the LEASE field of the Update Lease option, and is 445 typically set to two hours. This means that if a device is 446 disconnected from the network, it does not appear in the user 447 interfaces of devices looking for services of that type for too long. 449 The lifetime of the KEY records is set using the KEY-LEASE field of 450 the Update Lease Option, and should be set to a much longer time, 451 typically 14 days. The result of this is that even though a device 452 may be temporarily unplugged, disappearing from the network for a few 453 days, it makes a claim on its name that lasts much longer. 455 This means that even if a device is unplugged from the network for a 456 few days, and its services are not available for that time, no other 457 device can come along and claim its name the moment it disappears 458 from the network. In the event that a device is unplugged from the 459 network and permanently discarded, then its name is eventually 460 cleaned up and made available for re-use. 462 2.2.5.4. 
Compression in SRV records 464 Although [RFC2782] requires that the target name in the SRV record 465 not be compressed, an SRP client SHOULD compress the target in the 466 SRV record. The motivation for _not_ compressing in RFC2782 is not 467 stated, but is assumed to be because a caching resolver that does not 468 understand the format of the SRV record might store it as binary data 469 and thus return an invalid pointer in response to a query. This does 470 not apply in the case of SRP case: an SRP server needs to understand 471 SRV records in order to validate the SRP update. Compression of the 472 target potentially saves substantial space in the SRP update. 474 2.2.5.5. Removing published services 476 To remove a service registration, the SRP client retransmits its most 477 recent update with an Update Lease option that has a LEASE value of 478 zero. If the registration is to be permanently removed, KEY-LEASE 479 should also be zero. Otherwise, it should have the same value it had 480 previously; this holds the name in reserve for when the SRP client is 481 once again able to provide the service. 483 SRP clients are normally expected to remove all service instances 484 when removing a host. However, in some cases a SRP client may not 485 have retained sufficient state to know that some service instance is 486 pointing to a host that it is removing. An SRP server can assume 487 that all service instances pointing to a host entry that's being 488 removed are no longer valid. Therefore, SRP servers MAY remove all 489 service instances pointing to a host when a host is removed, even if 490 the SRP client doesn't remove them explicitly. 492 2.3. SRP Server Behavior 494 2.3.1. Validation of Adds 496 The SRP server first validates that the DNS Update is a syntactically 497 and semantically valid DNS Update according to the rules specified in 498 RFC2136. 500 SRP Updates consist of a set of _instructions_ that together add one 501 or more services. 
Each instruction consists either of a single add, or a delete followed by an add. When an instruction contains a delete and an add, the delete MUST precede the add.

The SRP server checks each instruction in the SRP update to see that it is either a Service Discovery update, a Service Description update, or a Host Description update. Order matters in DNS updates. Specifically, deletes must precede adds for records that the deletes would affect; otherwise the add will have no effect. This is the only ordering constraint; aside from this constraint, updates may appear in whatever order is convenient when constructing the update.

Because the SRP update is a DNS update, it MUST contain a single question that indicates the zone to be updated. Every delete and update in an SRP update MUST be within the zone that is specified for the SRP Update.

2.3.1.1. Service Discovery Instruction

An Instruction is a Service Discovery Instruction if it contains

* exactly one "Add to an RRSet" ([RFC2136], Section 2.5.1) RR,
* which is a PTR RR,
* which points to a Service Instance Name
* for which a Service Description Instruction is present in the SRP Update.
* Service Discovery Instructions do not contain any deletes, and do not contain any other adds.

2.3.1.2. Service Description Instruction

An Instruction is a Service Description Instruction if, for the appropriate Service Instance Name, it contains

* exactly one "Delete all RRsets from a name" update for the service instance name ([RFC2136], Section 2.5.3),
* exactly one "Add to an RRset" SRV RR,
* zero or one "Add to an RRset" KEY RR that contains the public key corresponding to the private key that was used to sign the message (if present, the KEY MUST match the KEY RR given in the Host Description),
* one or more "Add to an RRset" TXT RRs,
* and the target of the SRV RR Add points to a hostname for which there is a Host Description Instruction in the SRP Update.
* Service Description Instructions do not modify any other RRs.

An SRP server MUST correctly handle compressed names in the SRV target.

2.3.1.3. Host Description Instruction

An Instruction is a Host Description Instruction if, for the appropriate hostname, it contains

* exactly one "Delete all RRsets from a name" RR,
* one or more "Add to an RRset" RRs of type A and/or AAAA,
* A and/or AAAA records must be of sufficient scope to be reachable by all hosts that might query the DNS. If a link-scope address or IPv4 autoconfiguration address is provided by the SRP client, the SRP server MUST treat this as if no address records were received; that is, the Host Description is not valid.
* exactly one "Add to an RRset" RR that adds a KEY RR that contains the public key corresponding to the private key that was used to sign the message,
* there is a Service Instance Name Instruction in the SRP update for which the SRV RR that is added points to the hostname being updated by this update.
* Host Description updates do not modify any other records.

2.3.2. Valid SRP Update Requirements

An SRP Update MUST include zero or more Service Discovery Instructions, the same number of Service Description Instructions, and exactly one Host Description Instruction. A DNS Update that does not meet this requirement is not an SRP update. A DNS Update that contains any other adds, any other deletes, or any prerequisites, is not an SRP update. Such messages should either be processed as regular RFC2136 updates, including access control checks and constraint checks, if supported, or else rejected with RCODE=REFUSED.

In addition, in order for an update to be a valid SRP update, the target of every Service Discovery Instruction MUST be a Service Description Instruction that is present in the SRP Update. There MUST NOT be any Service Description Instruction to which no Service Discovery Instruction points. The target of the SRV record in every Service Description instruction MUST be the single Host Description Instruction.

If the definitions of each of these instructions are followed carefully and the update requirements are validated correctly, many DNS Updates that look very much like SRP updates nevertheless will fail to validate. For example, a DNS update that contains an RRset Add to a Service Name and an RRset Add to a Service Instance Name, where the Service Name does not reference the Service Instance Name, is not a valid SRP update message, but may be a valid RFC2136 update.

2.3.3. FCFS Name And Signature Validation

Assuming that a DNS Update message has been validated with these conditions and is a valid SRP Update, the server checks that the name in the Host Description Instruction exists. If so, then the server checks to see if the KEY record on that name is the same as the KEY record in the Host Description Instruction. The server performs the same check for the KEY records in any Service Description Instructions.
For KEY records that were omitted from Service Description Instructions, the KEY from the Host Description Instruction is used. If any existing KEY record corresponding to a KEY record in the SRP Update does not match that KEY record in the SRP Update (whether provided or taken from the Host Description Instruction), then the server MUST reject the SRP Update with the YXDOMAIN RCODE.

Otherwise, the server validates the SRP Update using SIG(0) on the public key in the KEY record of the Host Description update. If the validation fails, the server MUST reject the SRP Update with the REFUSED RCODE. Otherwise, the SRP update is considered valid and authentic, and is processed according to the method described in RFC2136.

KEY record updates omitted from Service Description updates are processed as if they had been explicitly present: every Service Description that is updated MUST, after the update, have a KEY RR, and it must be the same KEY RR that is present in the Host Description to which the Service Description refers.

2.3.4. SRP Update response

The status that is returned depends on the result of processing the update, and can be either SUCCESS or SERVFAIL: all other possible outcomes should already have been accounted for when applying the constraints that qualify the update as an SRP Update.

2.3.5. Optional Behavior

The server MAY add a Reverse Mapping that corresponds to the Host Description. This is not required because the Reverse Mapping serves no protocol function, but it may be useful for debugging, e.g. in annotating network packet traces or logs. In order for the server to add a reverse mapping update, it must be authoritative for the zone or have credentials to do the update. The SRP client MAY also do a reverse mapping update if it has credentials to do so.

The server MAY apply additional criteria when accepting updates.
In some networks, it may be possible to do out-of-band registration of keys, and only accept updates from pre-registered keys. In this case, an update for a key that has not been registered should be rejected with the REFUSED RCODE.

There are at least two benefits to doing this rather than simply using normal SIG(0) DNS updates. First, the same registration protocol can be used in both cases, so both use cases can be addressed by the same service implementation. Second, the registration protocol includes maintenance functionality not present with normal DNS updates.

Note that the semantics of using SRP in this way are different than for typical RFC2136 implementations: the KEY used to sign the SRP update only allows the SRP client to update records that refer to its Host Description. RFC2136 implementations do not normally provide a way to enforce a constraint of this type.

The server may also have a dictionary of names or name patterns that are not permitted. If such a list is used, updates for Service Instance Names that match entries in the dictionary are rejected with YXDOMAIN.

3. TTL Consistency

All RRs within an RRset are required to have the same TTL (Clarifications to the DNS Specification [RFC2181], Section 5.2). In order to avoid inconsistencies, SRP places restrictions on TTLs sent by services and requires that SRP servers enforce consistency.

Services sending SRP updates MUST use consistent TTLs in all RRs within the SRP update.

SRP update servers MUST check that the TTLs for all RRs within the SRP update are the same. If they are not, the SRP update MUST be rejected with a REFUSED RCODE.

Additionally, when adding RRs to an RRset, for example when processing Service Discovery records, the server MUST use the same TTL on all RRs in the RRset. How this consistency is enforced is up to the implementation.
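The instruction classification of Section 2.3.1, the update requirements of Section 2.3.2, the FCFS KEY comparison of Section 2.3.3 and the TTL rule above, carried through as one server-side checker. This is an added example, not code from the draft or from any SRP implementation; the RR model, the placeholder KEY rdata and the sample update are constructed here, and SIG(0) signature verification is left out.

```python
"""Added example, not code from the draft: classify the instructions of a DNS
Update into SRP instruction kinds (Section 2.3.1) and apply the Section 2.3.2
requirements, the 2.3.3 FCFS KEY check and the Section 3 TTL rule."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class RR:
    # delete_all models RFC 2136 'Delete all RRsets from a name'; other RRs are adds.
    name: str
    rtype: str = "ANY"
    ttl: int = 0
    rdata: str = ""  # PTR target, 'prio weight port target', address text, KEY rdata
    delete_all: bool = False


def classify(rrs: list[RR], zone: str) -> tuple[dict[str, str], str]:
    """Maps owner name -> 'discovery' | 'description' | 'host', or ({}, reason)."""
    by_name: dict[str, list[RR]] = defaultdict(list)
    for rr in rrs:
        if rr.name != zone and not rr.name.endswith("." + zone):
            return {}, f"{rr.name} is outside the zone named in the question"
        by_name[rr.name].append(rr)
    kinds: dict[str, str] = {}
    for name, recs in by_name.items():
        first_add = next((i for i, r in enumerate(recs) if not r.delete_all), len(recs))
        if any(r.delete_all for r in recs[first_add:]):  # delete MUST precede add
            return {}, f"delete after add for {name}"
        deletes = [r for r in recs if r.delete_all]
        adds = [r for r in recs if not r.delete_all]
        counts = Counter(r.rtype for r in adds)
        if not deletes and set(counts) == {"PTR"} and counts["PTR"] == 1:
            kinds[name] = "discovery"
        elif (len(deletes) == 1 and counts["SRV"] == 1 and counts["KEY"] <= 1
              and counts["TXT"] >= 1 and set(counts) <= {"SRV", "KEY", "TXT"}):
            kinds[name] = "description"
        elif (len(deletes) == 1 and counts["KEY"] == 1 and counts["A"] + counts["AAAA"] >= 1
              and set(counts) <= {"A", "AAAA", "KEY"}):
            # A link-scope or IPv4 autoconfiguration address is treated as if no
            # address records were received, so the Host Description is invalid.
            if any(ip_address(r.rdata).is_link_local for r in adds if r.rtype != "KEY"):
                return {}, f"link-scope address in Host Description {name}"
            kinds[name] = "host"
        else:
            return {}, f"instruction for {name} is not an SRP instruction"
    return kinds, ""


def validate(rrs: list[RR], zone: str, existing_keys: dict[str, str]) -> tuple[str, str]:
    """'SRP' for a valid SRP Update owned by its KEY; 'NOT_SRP' when the message
    must be handled as a plain RFC 2136 update or refused; 'REFUSED' for mixed
    TTLs; 'YXDOMAIN' when a name already exists under another KEY."""
    kinds, why = classify(rrs, zone)
    if why:
        return "NOT_SRP", why
    hosts = [n for n, k in kinds.items() if k == "host"]
    descs = {n for n, k in kinds.items() if k == "description"}
    if len(hosts) != 1 or len(descs) != sum(k == "discovery" for k in kinds.values()):
        return "NOT_SRP", "need one Host Description and paired discovery/description"
    host = hosts[0]
    host_key = next(r.rdata for r in rrs if r.name == host and r.rtype == "KEY")
    referenced: set[str] = set()
    for rr in rrs:
        kind = kinds[rr.name]
        if kind == "discovery":
            if kinds.get(rr.rdata) != "description":
                return "NOT_SRP", f"PTR {rr.name} does not point at a Service Description"
            referenced.add(rr.rdata)
        elif kind == "description" and rr.rtype == "SRV" and rr.rdata.split()[-1] != host:
            return "NOT_SRP", f"SRV target of {rr.name} is not the Host Description"
        elif kind == "description" and rr.rtype == "KEY" and rr.rdata != host_key:
            return "NOT_SRP", f"KEY of {rr.name} differs from the Host Description KEY"
    if referenced != descs:
        return "NOT_SRP", "Service Description not pointed to by any Service Discovery"
    ttls = {r.ttl for r in rrs if not r.delete_all}
    if len(ttls) != 1:
        return "REFUSED", f"inconsistent TTLs {sorted(ttls)}"
    # FCFS: an existing name may only be updated under the KEY that registered it;
    # a Service Description whose KEY was omitted uses the host's KEY.
    for name in (host, *sorted(descs)):
        if name in existing_keys and existing_keys[name] != host_key:
            return "YXDOMAIN", f"{name} is already registered under another KEY"
    return "SRP", ""


ZONE, HOST = "default.service.arpa", "demo.default.service.arpa"
SVC = "demo._ipps._tcp.default.service.arpa"
# Constructed KEY rdata (flags 513, protocol 3, algorithm 13 = ECDSAP256SHA256);
# the key material is a placeholder, not a real public key.
DEMO_KEY = "513 3 13 <base64-public-key-placeholder>"


def sample_update(ttl: int = 3600) -> list[RR]:
    """A constructed SRP Update using the names from the draft's Appendix C."""
    return [RR("_ipps._tcp." + ZONE, "PTR", ttl, SVC),
            RR(SVC, delete_all=True), RR(SVC, "SRV", ttl, f"0 0 9992 {HOST}"),
            RR(SVC, "TXT", ttl, "0"),
            RR(HOST, delete_all=True), RR(HOST, "AAAA", ttl, "2001:db8:0:2::1"),
            RR(HOST, "KEY", ttl, DEMO_KEY)]
```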
TTLs sent in SRP updates are advisory: they indicate the SRP client's guess as to what a good TTL would be. SRP servers may override these TTLs. SRP servers SHOULD ensure that TTLs are reasonable: neither too long nor too short. The TTL should never be longer than the lease time (Section 4.1). Shorter TTLs will result in more frequent data refreshes; this increases latency on the DNS-SD client side, increases load on any caching resolvers and on the authoritative server, and also increases network load, which may be an issue for constrained networks. Longer TTLs will increase the likelihood that data in caches will be stale. TTL minimums and maximums SHOULD be configurable by the operator of the SRP server.

4. Maintenance

4.1. Cleaning up stale data

Because the DNS-SD registration protocol is automatic, and not managed by humans, some additional bookkeeping is required. When an update is constructed by the SRP client, it MUST include an EDNS(0) Update Lease Option [I-D.sekar-dns-ul]. The Update Lease Option contains two lease times: the Lease Time and the Key Lease Time.

These leases are promises, similar to DHCP leases [RFC2131], from the SRP client that it will send a new update for the service registration before the lease time expires. The Lease time is chosen to represent the time after the update during which the registered records other than the KEY record should be assumed to be valid. The Key Lease time represents the time after the update during which the KEY record should be assumed to be valid.

The reasoning behind the different lease times is discussed in the section on first-come, first-served naming (Section 2.2.4.1). SRP servers may be configured with limits for these values. A default limit of two hours for the Lease and 14 days for the SIG(0) KEY are currently thought to be good choices.
Constrained devices with limited battery that wake infrequently are likely to negotiate longer leases. SRP clients that are going to continue to use names on which they hold leases should update well before the lease ends, in case the registration service is unavailable or under heavy load.

The SRP server MUST include an EDNS(0) Update Lease option in the response if the lease time proposed by the service has been shortened or lengthened. The service MUST check for the EDNS(0) Update Lease option in the response and MUST use the lease times from that option in place of the options that it sent to the server when deciding when to update its registration. The times may be shorter or longer than those specified in the SRP update; the SRP client must honor them in either case.

SRP clients should assume that each lease ends N seconds after the update was first transmitted, where N is the lease duration. Servers should assume that each lease ends N seconds after the update that was successfully processed was received. Because the server will always receive the update after the SRP client sent it, this avoids the possibility of misunderstandings.

SRP servers MUST reject updates that do not include an EDNS(0) Update Lease option. Dual-use servers MAY accept updates that don't include leases, but SHOULD differentiate between SRP updates and other updates, and MUST reject updates that would otherwise be SRP updates if they do not include leases.

Lease times have a completely different function than TTLs. On an authoritative DNS server, the TTL on a resource record is a constant: whenever that RR is served in a DNS response, the TTL value sent in the answer is the same. The lease time is never sent as a TTL; its sole purpose is to determine when the authoritative DNS server will delete stale records.
It is not an error to send a DNS response with a TTL of 'n' when the remaining time on the lease is less than 'n'.

5. Sleep Proxy

Another use of SRP is for devices that sleep to reduce power consumption.

In this case, in addition to the DNS Update Lease option [I-D.sekar-dns-ul] described above, the device includes an EDNS(0) OWNER Option [I-D.cheshire-edns0-owner-option].

The EDNS(0) Update Lease option constitutes a promise by the device that it will wake up before this time elapses, to renew its registration and thereby demonstrate that it is still attached to the network. If it fails to renew the registration by this time, that indicates that it is no longer attached to the network, and its registration (except for the KEY in the Host Description) should be deleted.

The EDNS(0) OWNER Option indicates that the device will be asleep, and will not be receptive to normal network traffic. When a DNS server receives a DNS Update with an EDNS(0) OWNER Option, that signifies that the SRP server should set up a proxy for any IPv4 or IPv6 address records in the DNS Update message. This proxy should send ARP or ND messages claiming ownership of the IPv4 and/or IPv6 addresses in the records in question. In addition, the proxy should answer future ARP or ND requests for those IPv4 and/or IPv6 addresses, claiming ownership of them. When the DNS server receives a TCP SYN or UDP packet addressed to one of the IPv4 or IPv6 addresses for which it is proxying, it should then wake up the sleeping device using the information in the EDNS(0) OWNER Option. At present version 0 of the OWNER Option specifies the "Wake-on-LAN Magic Packet" that needs to be sent; future versions could be extended to specify other wakeup mechanisms.
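The lease bookkeeping of Section 4.1, as an added example that is not code from the draft: the server clamps the Lease and Key Lease to operator limits (using the draft's suggested defaults), caps the TTL at the lease, reports whether an Update Lease option must be echoed in the response, and on expiry removes the service records first and the KEY only when the Key Lease runs out, which is also the rule the Sleep Proxy section relies on. Host names, the TTL bounds and the clock values are constructed for the example.

```python
"""Added example, not code from the draft: SRP server lease table for
Section 4.1 (Lease vs Key Lease, lease clamping, TTL capping, stale-data
removal) with a client-side helper for the renewal deadline."""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_MAX_LEASE = 2 * 3600            # two hours, the draft's suggested limit
DEFAULT_MAX_KEY_LEASE = 14 * 24 * 3600  # 14 days for the SIG(0) KEY


@dataclass
class Registration:
    ttl: int
    lease_end: int        # server clock: received_at + granted Lease
    key_lease_end: int    # server clock: received_at + granted Key Lease
    records_alive: bool = True
    key_alive: bool = True


class LeaseTable:
    # min_ttl/max_ttl are constructed operator settings; the draft only says
    # that TTL minimums and maximums SHOULD be configurable.
    def __init__(self, max_lease=DEFAULT_MAX_LEASE, max_key_lease=DEFAULT_MAX_KEY_LEASE,
                 min_ttl=60, max_ttl=7200):
        self.max_lease, self.max_key_lease = max_lease, max_key_lease
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.regs: dict[str, Registration] = {}

    def register(self, host: str, ttl: int, lease: int | None, key_lease: int | None,
                 received_at: int) -> tuple[int, int, bool]:
        """Records an accepted SRP Update for `host`. Returns (lease, key_lease,
        echo_option); echo_option is True when a lease was shortened or lengthened,
        in which case the response MUST carry an EDNS(0) Update Lease option."""
        if lease is None or key_lease is None:
            raise ValueError("SRP update without EDNS(0) Update Lease option is rejected")
        g_lease = min(lease, self.max_lease)
        g_key = min(key_lease, self.max_key_lease)
        # TTLs are advisory: keep them inside operator bounds and never above the lease.
        g_ttl = min(max(ttl, self.min_ttl), self.max_ttl, g_lease)
        self.regs[host] = Registration(g_ttl, received_at + g_lease, received_at + g_key)
        return g_lease, g_key, (g_lease, g_key) != (lease, key_lease)

    def expire(self, now: int) -> list[tuple[str, str]]:
        """Deletes stale data at server time `now`; the KEY outlives the other
        records so the name stays owned until the Key Lease ends."""
        events: list[tuple[str, str]] = []
        for host, reg in list(self.regs.items()):
            if reg.records_alive and now >= reg.lease_end:
                reg.records_alive = False
                events.append((host, "records"))
            if reg.key_alive and now >= reg.key_lease_end:
                reg.key_alive = False
                events.append((host, "key"))
            if not (reg.records_alive or reg.key_alive):
                del self.regs[host]
        return events


def client_lease_end(sent_at: int, granted_lease: int) -> int:
    """The client counts the lease from its first transmission and the server
    from receipt, so the client's deadline is never later than the server's."""
    return sent_at + granted_lease
```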
Note that although the authoritative DNS server that implements the SRP function need not be on the same link as the sleeping host, the Sleep Proxy must be on the same link.

It is not required that sleepy nodes on a Constrained-Node Network support sleep proxy. Such devices may have different mechanisms for dealing with sleep and wakeup. An SRP registration for such a device will be useful regardless of the mechanism whereby messages are delivered to the sleepy end device. For example, the message might be held in a buffer for an extended period of time by an intermediate device on a mesh network, and then delivered to the device when it wakes up. The exact details of such behaviors are out of scope for this document.

6. Security Considerations

6.1. Source Validation

SRP updates have no authorization semantics other than first-come, first-served. This means that if an attacker from outside of the administrative domain of the server knows the server's IP address, it can in principle send updates to the server that will be processed successfully. Servers should therefore be configured to reject updates from source addresses outside of the administrative domain of the server.

For updates sent to an anycast IP address of an SRP server, this validation must be enforced by every router on the path from the Constrained-Device Network to the unconstrained portion of the network. For TCP updates, the initial SYN-SYN+ACK handshake prevents updates being forged by an off-network attacker. In order to ensure that this handshake happens, Service Discovery Protocol servers relying on three-way-handshake validation MUST NOT accept TCP Fast Open payloads.
If the network infrastructure allows it, an SRP server MAY accept TCP Fast Open payloads if all such packets are validated along the path, and the network is able to reject this type of spoofing at all ingress points.

Note that these rules only apply to the validation of SRP updates. A server that accepts updates from SRP clients may also accept other DNS updates, and those DNS updates may be validated using different rules. However, in the case of a DNS service that accepts SRP updates, the intersection of the SRP update rules and whatever other update rules are present must be considered very carefully.

For example, a normal, authenticated DNS update to any RR that was added using SRP, but that is authenticated using a different key, could be used to override a promise made by the registration protocol, by replacing all or part of the service registration information with information provided by an SRP client. An implementation that allows both kinds of updates should not allow DNS Update clients to update records added by SRP clients using different authentication and authorization credentials.

6.2. SRP Server Authentication

This specification does not provide a mechanism for validating responses from DNS servers to SRP clients. In the case of Constrained Network/Constrained Node clients, such validation isn't practical because there's no way to establish trust. In principle, a KEY RR could be used by a non-constrained SRP client to validate responses from the server, but this is not required, nor do we specify a mechanism for determining which key to use.

6.3. Required Signature Algorithm

For validation, SRP servers MUST implement the ECDSAP256SHA256 signature algorithm.
SRP servers SHOULD implement the algorithms specified in [RFC8624], Section 3.1, in the validation column of the table, that are numbered 13 or higher and have a "MUST", "RECOMMENDED", or "MAY" designation in the validation column of the table. SRP clients MUST NOT assume that any algorithm numbered lower than 13 is available for use in validating SIG(0) signatures.

7. Privacy Considerations

Because DNSSD SRP updates can be sent off-link, the privacy implications of SRP are different than for multicast DNS responses. Host implementations that are using TCP SHOULD also use TLS if available. Server implementations MUST offer TLS support. The use of TLS with DNS is described in [RFC7858] and [RFC8310].

Hosts that implement TLS support SHOULD NOT fall back to TCP; since servers are required to support TLS, it is entirely up to the host implementation whether to use it.

Public keys can be used as identifiers to track hosts. SRP servers MAY elect not to return KEY records for queries for SRP registrations.

8. Delegation of 'service.arpa.'

In order to be fully functional, the owner of the 'arpa.' zone must add a delegation of 'service.arpa.' in the '.arpa.' zone [RFC3172]. This delegation should be set up as was done for 'home.arpa', as a result of the specification in Section 7 of [RFC8375].

9. IANA Considerations

9.1. Registration and Delegation of 'service.arpa' as a Special-Use Domain Name

IANA is requested to record the domain name 'service.arpa.' in the Special-Use Domain Names registry [SUDN]. IANA is requested, with the approval of IAB, to implement the delegation requested in Section 8.

IANA is further requested to add a new entry to the "Transport-Independent Locally-Served Zones" subregistry of the "Locally-Served DNS Zones" registry [LSDZ]. The entry will be for the domain 'service.arpa.'
with the description "DNS-SD Registration Protocol Special-Use Domain", listing this document as the reference.

9.2. 'dnssd-srp' Service Name

IANA is also requested to add a new entry to the Service Names and Port Numbers registry for dnssd-srp with a transport type of tcp. No port number is to be assigned. The reference should be to this document, and the Assignee and Contact information should reference the authors of this document. The Description should be as follows:

Availability of DNS Service Discovery Service Registration Protocol Service for a given domain is advertised using the "_dnssd-srp._tcp.." SRV record, which gives the target host and port where DNSSD Service Registration Service is provided for the named domain.

9.3. 'dnssd-srp-tls' Service Name

IANA is also requested to add a new entry to the Service Names and Port Numbers registry for dnssd-srp with a transport type of tcp. No port number is to be assigned. The reference should be to this document, and the Assignee and Contact information should reference the authors of this document. The Description should be as follows:

Availability of DNS Service Discovery Service Registration Protocol Service for a given domain over TLS is advertised using the "_dnssd-srp-tls._tcp.." SRV record, which gives the target host and port where DNSSD Service Registration Service is provided for the named domain.

9.4. Anycast Address

IANA is requested to allocate an IPv6 Anycast address from the IPv6 Special-Purpose Address Registry, similar to the Port Control Protocol anycast address, 2001:1::1. The value TBD should be replaced with the actual allocation in the table that follows.
The values for the registry are:

+----------------------+-----------------------------+
| Attribute            | value                       |
+----------------------+-----------------------------+
| Address Block        | 2001:1::TBD/128             |
+----------------------+-----------------------------+
| Name                 | DNS-SD Service Registration |
|                      | Protocol Anycast Address    |
+----------------------+-----------------------------+
| RFC                  | [this document]             |
+----------------------+-----------------------------+
| Allocation Date      | [date of allocation]        |
+----------------------+-----------------------------+
| Termination Date     | N/A                         |
+----------------------+-----------------------------+
| Source               | True                        |
+----------------------+-----------------------------+
| Destination          | True                        |
+----------------------+-----------------------------+
| Forwardable          | True                        |
+----------------------+-----------------------------+
| Global               | True                        |
+----------------------+-----------------------------+
| Reserved-by-protocol | False                       |
+----------------------+-----------------------------+

Table 1

10. Acknowledgments

Thanks to Toke Høiland-Jørgensen, Jonathan Hui and Esko Dijk for their thorough technical reviews, to Tamara Kemper for doing a nice developmental edit, Tim Wattenberg for doing a service implementation at the Montreal Hackathon at IETF 102, and Tom Pusateri for reviewing during the hackathon and afterwards.

11. Normative References

[I-D.sekar-dns-ul] Cheshire, S. and T. Lemon, "Dynamic DNS Update Leases", Work in Progress, Internet-Draft, draft-sekar-dns-ul-02, 2 August 2018.

[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997.

[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J.
Bound, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, DOI 10.17487/RFC2136, April 1997.

[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures ( SIG(0)s )", RFC 2931, DOI 10.17487/RFC2931, September 2000.

[RFC3172] Huston, G., Ed., "Management Guidelines & Operational Requirements for the Address and Routing Parameter Area Domain ("arpa")", BCP 52, RFC 3172, DOI 10.17487/RFC3172, September 2001.

[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013.

[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May 2016.

[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 Router Advertisement Options for DNS Configuration", RFC 8106, DOI 10.17487/RFC8106, March 2017.

[RFC8375] Pfister, P. and T. Lemon, "Special-Use Domain 'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018.

[RFC8624] Wouters, P. and O. Sury, "Algorithm Implementation Requirements and Usage Guidance for DNSSEC", RFC 8624, DOI 10.17487/RFC8624, June 2019.

[RFC8765] Pusateri, T. and S. Cheshire, "DNS Push Notifications", RFC 8765, DOI 10.17487/RFC8765, June 2020.

[SUDN] "Special-Use Domain Names Registry", July 2012.

[LSDZ] "Locally-Served DNS Zones Registry", July 2011.

12. Informative References

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987.

[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March 1997.

[RFC2181] Elz, R. and R.
Bush, "Clarifications to the DNS Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997.

[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, DOI 10.17487/RFC2782, February 2000.

[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, DOI 10.17487/RFC3007, November 2000.

[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)", RFC 6760, DOI 10.17487/RFC6760, February 2013.

[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013.

[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, DOI 10.17487/RFC6762, February 2013.

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014.

[RFC8310] Dickinson, S., Gillmor, D., and T. Reddy, "Usage Profiles for DNS over TLS and DNS over DTLS", RFC 8310, DOI 10.17487/RFC8310, March 2018.

[RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., Richardson, M., Jiang, S., Lemon, T., and T. Winters, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 8415, DOI 10.17487/RFC8415, November 2018.

[RFC8766] Cheshire, S., "Discovery Proxy for Multicast DNS-Based Service Discovery", RFC 8766, DOI 10.17487/RFC8766, June 2020.

[I-D.cheshire-dnssd-roadmap] Cheshire, S., "Service Discovery Road Map", Work in Progress, Internet-Draft, draft-cheshire-dnssd-roadmap-03, 23 October 2018.

[I-D.cheshire-edns0-owner-option] Cheshire, S. and M. Krochmal, "EDNS0 OWNER Option", Work in Progress, Internet-Draft, draft-cheshire-edns0-owner-option-01, 3 July 2017.

[ZC] Cheshire, S.
and D.H. Steinberg, "Zero Configuration Networking: The Definitive Guide", O'Reilly Media, Inc., ISBN 0-596-10100-7, December 2005.

Appendix A. Testing using standard RFC2136-compliant servers

It may be useful to set up a DNS server for testing that does not implement SRP. This can be done by configuring the server to listen on the anycast address, or advertising it in the _dnssd-srp._tcp. SRV and _dnssd-srp-tls._tcp. records. It must be configured to be authoritative for "default.service.arpa", and to accept updates from hosts on local networks for names under "default.service.arpa" without authentication, since such servers will not have support for FCFS authentication (Section 2.2.4.1).

A server configured in this way will be able to successfully accept and process SRP updates from services that send SRP updates. However, no prerequisites will be applied, and this means that the test server will accept internally inconsistent SRP updates, and will not stop two SRP updates, sent by different services, that claim the same name(s), from overwriting each other.

Since SRP updates are signed with keys, validation of the SIG(0) algorithm used by the client can be done by manually installing the client public key on the DNS server that will be receiving the updates. The key can then be used to authenticate the client, and can be used as a requirement for the update. An example configuration for testing SRP using BIND 9 is given in Appendix C.

Appendix B. How to allow services to update standard RFC2136-compliant servers

Ordinarily SRP updates will fail when sent to an RFC 2136-compliant server that does not implement SRP because the zone being updated is "default.service.arpa", and no DNS server that is not an SRP server should normally be configured to be authoritative for "default.service.arpa".
Therefore, a service that sends an SRP update can tell that the receiving server does not support SRP, but does support RFC2136, because the RCODE will either be NOTZONE, NOTAUTH or REFUSED, or because there is no response to the update request (when using the anycast address).

In this case a service MAY attempt to register itself using regular RFC2136 DNS updates. To do so, it must discover the default registration zone and the DNS server designated to receive updates for that zone, as described earlier, using the _dns-update._udp SRV record. It can then make the update using the port and host pointed to by the SRV record, and should use appropriate prerequisites to avoid overwriting competing records. Such updates are out of scope for SRP, and a service that implements SRP MUST first attempt to use SRP to register itself, and should only attempt to use RFC2136 backwards compatibility if that fails. Although the owner name for the SRV record specifies the UDP protocol for updates, it is also possible to use TCP, and TCP should be required to prevent spoofing.

Appendix C. Sample BIND9 configuration for default.service.arpa.

    zone "default.service.arpa." {
        type master;
        file "/etc/bind/master/service.db";
        allow-update { key demo.default.service.arpa.; };
    };

Figure 1: Zone Configuration in named.conf

    $ORIGIN .
    $TTL 57600 ; 16 hours
    default.service.arpa  IN SOA ns3.default.service.arpa. postmaster.default.service.arpa. (
                              2951053287 ; serial
                              3600       ; refresh (1 hour)
                              1800       ; retry (30 minutes)
                              604800     ; expire (1 week)
                              3600       ; minimum (1 hour)
                              )
                          NS   ns3.default.service.arpa.
                          SRV  0 0 53 ns3.default.service.arpa.
    $ORIGIN default.service.arpa.
    $TTL 3600 ; 1 hour
    _ipps._tcp            PTR  demo._ipps._tcp
    $ORIGIN _ipps._tcp.default.service.arpa.
    demo                  TXT  "0"
                          SRV  0 0 9992 demo.default.service.arpa.
    $ORIGIN _udp.default.service.arpa.
    $TTL 3600 ; 1 hour
    _dns-update           PTR  ns3.default.service.arpa.
    $ORIGIN _tcp.default.service.arpa.
    _dnssd-srp            PTR  ns3.default.service.arpa.
    $ORIGIN default.service.arpa.
    $TTL 300 ; 5 minutes
    ns3                   AAAA 2001:db8:0:1::1
    $TTL 3600 ; 1 hour
    demo                  AAAA 2001:db8:0:2::1
                          KEY  513 3 13 (
                               qweEmaaq0FAWok5//ftuQtZgiZoiFSUsm0srWREdywQU
                               9dpvtOhrdKWUuPT3uEFF5TZU6B4q1z1I662GdaUwqg==
                               ) ; alg = ECDSAP256SHA256 ; key id = 15008
                          AAAA ::1

Figure 2: Example Zone file

Authors' Addresses

Ted Lemon
Apple Inc.
One Apple Park Way
Cupertino, California 95014
United States of America

Email: mellon@fugue.com

Stuart Cheshire
Apple Inc.
One Apple Park Way
Cupertino, California 95014
United States of America

Phone: +1 408 974 3207
Email: cheshire@apple.com