draft-ietf-dnssd-hybrid-01.txt   draft-ietf-dnssd-hybrid-02.txt 
Internet Engineering Task Force S. Cheshire Internet Engineering Task Force S. Cheshire
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track October 19, 2015 Intended status: Standards Track November 5, 2015
Expires: April 21, 2016 Expires: May 8, 2016
Hybrid Unicast/Multicast DNS-Based Service Discovery Hybrid Unicast/Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-01 draft-ietf-dnssd-hybrid-02
Abstract Abstract
Performing DNS-Based Service Discovery using purely link-local Performing DNS-Based Service Discovery using purely link-local
Multicast DNS enables discovery of services that are on the local Multicast DNS enables discovery of services that are on the local
link, but not (without some kind of proxy or similar special support) link, but not (without some kind of proxy or similar special support)
discovery of services that are outside the local link. Using a very discovery of services that are outside the local link. Using a very
large local link with thousands of hosts facilitates service large local link with thousands of hosts facilitates service
discovery, but at the cost of large amounts of multicast traffic. discovery, but at the cost of large amounts of multicast traffic.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Unicast DNS namespace. This can be achieved by manual DNS Unicast DNS namespace. This can be achieved by manual DNS
configuration (as has been done for many years at IETF meetings to configuration (as has been done for many years at IETF meetings to
advertise the IETF Terminal Room printer) but this is labor advertise the IETF Terminal Room printer) but this is labor
intensive, error prone, and requires a reasonable degree of DNS intensive, error prone, and requires a reasonable degree of DNS
expertise. The Unicast DNS namespace can be populated with the expertise. The Unicast DNS namespace can be populated with the
required data automatically by the devices themselves, but that required data automatically by the devices themselves, but that
requires configuration of DNS Update keys on the devices offering the requires configuration of DNS Update keys on the devices offering the
services, which has proven onerous and impractical for simple devices services, which has proven onerous and impractical for simple devices
like printers and network cameras. like printers and network cameras.
Hence a compromise is needed, that combines the ease-of-use of Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, a compromise is needed that combines the ease-of-use of
Multicast DNS with the efficiency and scalability of Unicast DNS. Multicast DNS with the efficiency and scalability of Unicast DNS.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2016.
This Internet-Draft will expire on May 8, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions and Terminology Used in this Document . . . . . . 5 2. Conventions and Terminology Used in this Document . . . . . . 5
3. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 6 3. Compatibility Considerations . . . . . . . . . . . . . . . . . 5
3.1. Delegated Subdomain for Service Discovery Records . . . . 7 4. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 6
3.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 8 4.1. Delegated Subdomain for Service Discovery Records . . . . 7
3.2.1. Domain Enumeration via Unicast Queries . . . . . . . . 8 4.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 8
3.2.2. Domain Enumeration via Multicast Queries . . . . . . . 9 4.2.1. Domain Enumeration via Unicast Queries . . . . . . . . 8
3.3. Delegated Subdomain for LDH Host Names . . . . . . . . . . 10 4.2.2. Domain Enumeration via Multicast Queries . . . . . . . 9
3.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 12 4.3. Delegated Subdomain for LDH Host Names . . . . . . . . . . 10
3.5. Data Translation . . . . . . . . . . . . . . . . . . . . . 13 4.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 12
3.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 13 4.5. Data Translation . . . . . . . . . . . . . . . . . . . . . 13
3.5.2. Suppressing Unusable Records . . . . . . . . . . . . . 13 4.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 13
3.5.3. Application-Specific Data Translation . . . . . . . . 14 4.5.2. Suppressing Unusable Records . . . . . . . . . . . . . 14
3.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 15 4.5.3. Application-Specific Data Translation . . . . . . . . 15
3.6.1. Discovery of LLQ or PUSH Notification Service . . . . 17 4.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 16
4. Implementation Status . . . . . . . . . . . . . . . . . . . . 18 4.6.1. Discovery of LLQ and/or PUSH Notification Service . . 19
4.1. Already Implemented and Deployed . . . . . . . . . . . . . 18 5. DNS SOA (Start of Authority) Record . . . . . . . . . . . . . 20
4.2. Partially Implemented . . . . . . . . . . . . . . . . . . 18 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 20
4.3. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 19 6.1. Already Implemented and Deployed . . . . . . . . . . . . . 20
5. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 19 6.2. Already Implemented . . . . . . . . . . . . . . . . . . . 21
6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 6.3. Partially Implemented . . . . . . . . . . . . . . . . . . 21
6.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 20 6.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 21
6.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 20 7. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 22
6.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 20 8. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7. Intelectual Property Rights . . . . . . . . . . . . . . . . . 21 8.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 8.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 22
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 8.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 23
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 9. Intelectual Property Rights . . . . . . . . . . . . . . . . . 23
10.1. Normative References . . . . . . . . . . . . . . . . . . . 21 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
10.2. Informative References . . . . . . . . . . . . . . . . . . 22 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 23 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
12.1. Normative References . . . . . . . . . . . . . . . . . . . 23
12.2. Informative References . . . . . . . . . . . . . . . . . . 24
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was with the ease-of-use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC]. well known [RFC6760] [ZC].
For a small network consisting of just a single link (or several For a small network consisting of just a single link (or several
physical links bridged together to appear as a single logical link to physical links bridged together to appear as a single logical link to
skipping to change at page 6, line 5 skipping to change at page 5, line 33
The link-layer *header* may be modified, such as in Token Ring Source The link-layer *header* may be modified, such as in Token Ring Source
Routing [802.5], but not the link-layer *payload*. In particular, if Routing [802.5], but not the link-layer *payload*. In particular, if
any device forwarding a packet modifies any part of the IP header or any device forwarding a packet modifies any part of the IP header or
IP payload then the packet is no longer considered to be on the same IP payload then the packet is no longer considered to be on the same
link. This means that the packet may pass through devices such as link. This means that the packet may pass through devices such as
repeaters, bridges, hubs or switches and still be considered to be on repeaters, bridges, hubs or switches and still be considered to be on
the same link for the purpose of this document, but not through a the same link for the purpose of this document, but not through a
device such as an IP router that decrements the IP TTL or otherwise device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header. modifies the IP header.
3. Hybrid Proxy Operation 3. Compatibility Considerations
No changes to existing devices are required to work with a Hybrid
Proxy.
Existing devices that advertise services using Multicast DNS work
with Hybrid Proxy.
Existing clients that support DNS-Based Service Discovery over
Unicast DNS (Mac OS X 10.4 and later, including iPhone, iPad, and
Bonjour for Windows) work with Hybrid Proxy.
4. Hybrid Proxy Operation
In a typical configuration, a Hybrid Proxy is configured to be In a typical configuration, a Hybrid Proxy is configured to be
authoritative for four DNS subdomains, and authority for these authoritative [RFC1034] [RFC1035] for four DNS subdomains, and
subdomains is delegated to it via NS records: authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records. A DNS subdomain for service discovery records.
This subdomain name may contain rich text, including spaces and This subdomain name may contain rich text, including spaces and
other punctuation. This is because this subdomain name is used other punctuation. This is because this subdomain name is used
only in graphical user interfaces, where rich text is appropriate. only in graphical user interfaces, where rich text is appropriate.
A DNS subdomain for host name records. A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters, digits and This subdomain name SHOULD be limited to letters, digits and
hyphens, to facilitate convenient use of host names in command- hyphens, to facilitate convenient use of host names in command-
line interfaces. line interfaces.
A DNS subdomain for IPv6 Reverse Mapping records. A DNS subdomain for IPv6 Reverse Mapping records.
This subdomain name will be a name that ends in "ip6.arpa." This subdomain name will be a name that ends in "ip6.arpa."
A DNS subdomain for IPv4 Reverse Mapping records. A DNS subdomain for IPv4 Reverse Mapping records.
This subdomain name will be a name that ends in "in-addr.arpa." This subdomain name will be a name that ends in "in-addr.arpa."
In an enterprise network the naming and delegation of these
subdomains is typically performed by conscious action of the network
administrator. In a home network naming and delegation would
typically be performed using some automatic configuration mechanism
such as HNCP [I-D.ietf-homenet-hncp].
These three varieties of delegated subdomains (service discovery, These three varieties of delegated subdomains (service discovery,
host names, and reverse mapping) are described below. host names, and reverse mapping) are described below.
3.1. Delegated Subdomain for Service Discovery Records 4.1. Delegated Subdomain for Service Discovery Records
In its simplest form, each physical link in an organization is In its simplest form, each physical link in an organization is
assigned a unique Unicast DNS domain name, such as assigned a unique Unicast DNS domain name, such as
"Building 1.example.com" or "4th Floor.Building 1.example.com". "Building 1.example.com" or "2nd Floor.Building 3.example.com".
Grouping multiple links under a single Unicast DNS domain name is to Grouping multiple links under a single Unicast DNS domain name is to
be specified in a future companion document, but for the purposes of be specified in a future companion document, but for the purposes of
this document, assume that each link has its own unique Unicast DNS this document, assume that each link has its own unique Unicast DNS
domain name. In a graphical user interface these names are not domain name. In a graphical user interface these names are not
displayed as strings with dots as shown above, but something more displayed as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface (which is akin to a typical file browser graphical user interface (which is
harder to illustrate in a text-only document) showing folders, harder to illustrate in a text-only document) showing folders,
subfolders and files in a file system. subfolders and files in a file system.
+---------------+--------------+-------------+-------------------+
| *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | |
| | Building 5 | | |
| | Building 6 | | |
+---------------+--------------+-------------+-------------------+
Figure 1: Illustrative GUI
Each named link in an organization has a Hybrid Proxy which serves Each named link in an organization has a Hybrid Proxy which serves
it. This Hybrid Proxy function could be performed by a router on it. This Hybrid Proxy function could be performed by a router on
that link, or, with appropriate VLAN configuration, a single Hybrid that link, or, with appropriate VLAN configuration, a single Hybrid
Proxy could have a logical presence on, and serve as the Hybrid Proxy Proxy could have a logical presence on, and serve as the Hybrid Proxy
for, many links. In the parent domain, NS records are used to for, many links. In the parent domain, NS records are used to
delegate ownership of each defined link name delegate ownership of each defined link name
(e.g., "Building 1.example.com") to the Hybrid Proxy that serves the (e.g., "Building 1.example.com") to the Hybrid Proxy that serves the
named link. In other words, the Hybrid Proxy is the authoritative named link. In other words, the Hybrid Proxy is the authoritative
name server for that subdomain. name server for that subdomain.
skipping to change at page 8, line 5 skipping to change at page 8, line 14
case, "_printer._tcp.local. PTR ?"). Then, from the received case, "_printer._tcp.local. PTR ?"). Then, from the received
Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Multicast DNS data, the Hybrid Proxy synthesizes the appropriate
Unicast DNS response. Unicast DNS response.
Naturally, the existing Multicast DNS caching mechanism is used to Naturally, the existing Multicast DNS caching mechanism is used to
avoid issuing unnecessary Multicast DNS queries on the wire. The avoid issuing unnecessary Multicast DNS queries on the wire. The
Hybrid Proxy is acting as a client of the underlying Multicast DNS Hybrid Proxy is acting as a client of the underlying Multicast DNS
subsystem, and benefits from the same caching and efficiency measures subsystem, and benefits from the same caching and efficiency measures
as any other client using that subsystem. as any other client using that subsystem.
3.2. Domain Enumeration 4.2. Domain Enumeration
An DNS-SD client performs Domain Enumeration [RFC6763] via certain An DNS-SD client performs Domain Enumeration [RFC6763] via certain
PTR queries. It issues unicast Domain Enumeration queries using its PTR queries. It issues unicast Domain Enumeration queries using its
"home" domain (typically learned learned via DHCP) and using its IPv6 "home" domain (typically learned via DHCP) and using its IPv6 prefix
prefix and IPv4 subnet address. These are described below in and IPv4 subnet address. These are described below in Section 4.2.1.
Section 3.2.1. It also issues multicast Domain Enumeration queries It also issues multicast Domain Enumeration queries in the "local"
in the "local" domain [RFC6762]. These are described below in domain [RFC6762]. These are described below in Section 4.2.2. The
Section 3.2.2. The results of all Domain Enumeration queries are results of all Domain Enumeration queries are combined for Service
combined for Service Discovery purposes. Discovery purposes.
3.2.1. Domain Enumeration via Unicast Queries 4.2.1. Domain Enumeration via Unicast Queries
The administrator creates Domain Enumeration PTR records [RFC6763] to The administrator creates Domain Enumeration PTR records [RFC6763] to
inform clients of available service discovery domains, e.g.,: inform clients of available service discovery domains, e.g.,:
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com. lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The "b" ("browse") records tell the client device the list of The "b" ("browse") records tell the client device the list of
browsing domains to display for the user to select from and the "db" browsing domains to display for the user to select from and the "db"
("default browse") record tells the client device which domain in ("default browse") record tells the client device which domain in
that list should be selected by default. The "lb" ("legacy browse") that list should be selected by default. The "lb" ("legacy browse")
record tells the client device which domain to automatically browse record tells the client device which domain to automatically browse
on behalf of applications that don't implement UI for multi-domain on behalf of applications that don't implement UI for multi-domain
browsing (which is most of them, today). The "lb" domain is often browsing (which is most of them, as of 2015). The "lb" domain is
the same as the "db" domain, or sometimes the "db" domain plus one or often the same as the "db" domain, or sometimes the "db" domain plus
more others that should be included in the list of automatic browsing one or more others that should be included in the list of automatic
domains for legacy clients. browsing domains for legacy clients.
DNS responses are limited to a maximum size of 65535 bytes. This DNS responses are limited to a maximum size of 65535 bytes. This
limits the maximum number of domains that can be returned for a limits the maximum number of domains that can be returned for a
Domain Enumeration query, as follows: Domain Enumeration query, as follows:
A DNS response header is 12 bytes. That's typically followed by a A DNS response header is 12 bytes. That's typically followed by a
single qname (up to 256 bytes) plus qtype (2 bytes) and qclass single qname (up to 256 bytes) plus qtype (2 bytes) and qclass
(2 bytes), leaving 65275 for the Answer Section. (2 bytes), leaving 65275 for the Answer Section.
An Answer Section Resource Record consists of: An Answer Section Resource Record consists of:
skipping to change at page 9, line 31 skipping to change at page 9, line 31
This means that each Resource Record in the Answer Section can take This means that each Resource Record in the Answer Section can take
up to 268 bytes total, which means that the Answer Section can up to 268 bytes total, which means that the Answer Section can
contain, in the worst case, no more than 243 domains. contain, in the worst case, no more than 243 domains.
In a more typical scenario, where the domain names are not all In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names so maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer Section that reasonable name compression is possible, each Answer Section
Resource Record may average 140 bytes, which means that the Answer Resource Record may average 140 bytes, which means that the Answer
Section can contain up to 466 domains. Section can contain up to 466 domains.
3.2.2. Domain Enumeration via Multicast Queries 4.2.2. Domain Enumeration via Multicast Queries
Since a Hybrid Proxy exists on many, if not all, the links in an Since a Hybrid Proxy exists on many, if not all, the links in an
enterprise, it offers an additional way to provide Domain Enumeration enterprise, it offers an additional way to provide Domain Enumeration
data for clients. data for clients.
A Hybrid Proxy can be configured to generate Multicast DNS responses A Hybrid Proxy can be configured to generate Multicast DNS responses
for the following Multicast DNS Domain Enumeration queries issues by for the following Multicast DNS Domain Enumeration queries issues by
clients: clients:
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR ?
This provides the ability for Hybrid Proxies to provide configuration This provides the ability for Hybrid Proxies to provide configuration
data on a per-link granularity to DNS-SD clients. In some data on a per-link granularity to DNS-SD clients. In some
enterprises it may be preferable to provide this per-link enterprises it may be preferable to provide this per-link
configuration data in the form of Hybrid Proxy configuration, rather configuration data in the form of Hybrid Proxy configuration, rather
than populating the Unicast DNS servers with the same data (in the than populating the Unicast DNS servers with the same data (in the
"ip6.arpa" or "in-addr.arpa" domains). "ip6.arpa" or "in-addr.arpa" domains).
3.3. Delegated Subdomain for LDH Host Names 4.3. Delegated Subdomain for LDH Host Names
The traditional rules for host names are more restrictive than those The traditional rules for host names are more restrictive than those
for DNS-SD service instance names and domains. for DNS-SD service instance names and domains.
Users typically interact with DNS-SD by viewing a list of discovered Users typically interact with DNS-SD by viewing a list of discovered
service instance names on the display and selecting one of them by service instance names on the display and selecting one of them by
pointing, touching, or clicking. Similarly, in software that pointing, touching, or clicking. Similarly, in software that
provides a multi-domain DNS-SD user interface, users view a list of provides a multi-domain DNS-SD user interface, users view a list of
offered domains on the display and select one of them by pointing, offered domains on the display and select one of them by pointing,
touching, or clicking. To use a service, users don't have to touching, or clicking. To use a service, users don't have to
remember domain or instance names, or type them; users just have to remember domain or instance names, or type them; users just have to
be able to recognize what they see on the display and click on the be able to recognize what they see on the display and click on the
thing they want. thing they want.
In contrast, host names are often remembered and typed. Also, host In contrast, host names are often remembered and typed. Also, host
names are often used in command-line interfaces where spaces can be names have historically been used in command-line interfaces where
inconvenient. For this reason, host names have traditionally been spaces can be inconvenient. For this reason, host names have
restricted to letters, digits and hyphens, with no spaces or other traditionally been restricted to letters, digits and hyphens, with no
punctuation. spaces or other punctuation.
While we still want to allow rich text for DNS-SD service instance While we still want to allow rich text for DNS-SD service instance
names and domains, it is advisable, for maximum compatibility with names and domains, it is advisable, for maximum compatibility with
existing software, to restrict host names to the traditional letter- existing usage, to restrict host names to the traditional letter-
digit-hyphen rules. This means that while a service name digit-hyphen rules. This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and "My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is "example.com"), a host name "My-Printer.Building 1.example.com" is
not advisable (because of the space in "Building 1"). less desirable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Hybrid Proxy To accomodate this difference in allowable characters, a Hybrid Proxy
MUST support having separate subdomains delegated to it, one to be SOULD support having separate subdomains delegated to it, one whose
used for host names (names of 'A' and 'AAAA' address records), which name is allowed to contain arbitrary Net-Unicode text [RFC5198], and
is restricted to the traditional letter-digit-hyphen rules, and a second more constrained subdomain whose name is restricted to
another to be used for other records (including the PTR, SRV and TXT contain only letters, digits, and hyphens, to be used for host name
records used by DNS-SD), which is allowed to be arbitrary Net-Unicode records (names of 'A' and 'AAAA' address records).
text [RFC5198].
For example, a Hybrid Proxy could have the two subdomains For example, a Hybrid Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it. "Building 1.example.com" and "bldg1.example.com" delegated to it.
The Hybrid Proxy would then translate these two Multicast DNS The Hybrid Proxy would then translate these two Multicast DNS
records: records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 10.0.1.2 prnt.local. A 10.0.1.2
into Unicast DNS records as follows: into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 10.0.1.2 prnt.bldg1.example.com. A 10.0.1.2
Note that the SRV record name is translated using the rich-text Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record name is domain name ("Building 1.example.com") and the address record name is
translated using the LDH domain ("bldg1.example.com"). translated using the LDH domain ("bldg1.example.com").
3.4. Delegated Subdomain for Reverse Mapping A Hybrid Proxy MAY support only a single rich text Net-Unicode
domain, and use that domain for all records, including 'A' and 'AAAA'
address records, but implementers choosing this option should be
aware that this choice may produce host names that are awkward to use
in command-line environments. Whether this is an issue depends on
whether users in the target environment are expected to be using
command-line interfaces.
A Hybrid Proxy MUST NOT be restricted to support only a letter-digit-
hyphen subdomain, because that results in an unnecessarily poor user
experience.
4.4. Delegated Subdomain for Reverse Mapping
A Hybrid Proxy can facilitate easier management of reverse mapping A Hybrid Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses. be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the delegate ownership of the appropriate reverse mapping domain to the
Hybrid Proxy. In other words, the Hybrid Proxy becomes the Hybrid Proxy. In other words, the Hybrid Proxy becomes the
authoritative name server for the reverse mapping domain. authoritative name server for the reverse mapping domain.
skipping to change at page 13, line 5 skipping to change at page 13, line 5
3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com. 3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record, Subsequent queries for the prnt.bldg1.example.com address record,
falling as it does within the bldg1.example.com domain, which is falling as it does within the bldg1.example.com domain, which is
delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where
they are answered by issuing Multicast DNS queries and using the they are answered by issuing Multicast DNS queries and using the
received Multicast DNS answers to synthesize Unicast DNS responses, received Multicast DNS answers to synthesize Unicast DNS responses,
as described above. as described above.
3.5. Data Translation 4.5. Data Translation
Generating the appropriate Multicast DNS queries involves, at the Generating the appropriate Multicast DNS queries involves, at the
very least, translating from the configured DNS domain very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side to "local" (e.g., "Building 1.example.com") on the Unicast DNS side to "local"
on the Multicast DNS side. on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating Generating the appropriate Unicast DNS responses involves translating
back from "local" to the configured DNS Unicast domain. back from "local" to the configured DNS Unicast domain.
Other beneficial translation and filtering operations are described Other beneficial translation and filtering operations are described
below. below.
3.5.1. DNS TTL limiting 4.5.1. DNS TTL limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75 values. For example, the typical TTL on DNS-SD PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol cache coherency mechanisms built in to the Multicast DNS protocol
which protect against stale data persisting for too long. When a which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove its service shuts down gracefully, it sends goodbye packets to remove its
PTR records immediately from neighbouring caches. If a service shuts PTR records immediately from neighbouring caches. If a service shuts
down abruptly without sending goodbye packets, the Passive down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in Section 10.5 of Observation Of Failures (POOF) mechanism described in Section 10.5 of
the Multicast DNS specification [RFC6762] comes into play to purge the Multicast DNS specification [RFC6762] comes into play to purge
the cache of stale data. the cache of stale data.
A traditional Unicast DNS client on a remote link does not get to A traditional Unicast DNS client on a remote link does not get to
participate in these Multicast DNS cache coherency mechanisms on the participate in these Multicast DNS cache coherency mechanisms on the
local link. For traditional Unicast DNS requests (those received local link. For traditional Unicast DNS queries (those received
without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push
Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in
the resulting Unicast DNS response SHOULD be capped to be no more the resulting Unicast DNS response SHOULD be capped to be no more
than ten seconds. For received Unicast DNS requests that contain an than ten seconds.
LLQ or DNS Push Notification option, the Multicast DNS record's TTL
SHOULD be returned unmodified, because the Push Notification channel
exists to inform the remote client as records come and go. For
further details about Long-Lived Queries, and its newer replacement,
DNS Push Notifications, see Section 3.6.
3.5.2. Suppressing Unusable Records Similarly, for negative responses, the negative caching TTL indicated
in the SOA record [RFC2308] should also be ten seconds (Section 5).
This value of ten seconds is chosen based on user experience
considerations.
For negative caching, suppose a user is attempting to access a remote
device (e.g., a printer), and they are unsuccessful because that
device is powered off. Suppose they then place a telephone call and
ask for the device to be powered on. We want the device to become
available to the user within a reasonable time period. It is
reasonble to expect it to take on the order of ten seconds for a
simple device with a simple embedded operating system to power on.
Once the device is powered on and has announced its presence on the
network via Multicast DNS, we would like it to take no more than a
further ten seconds for stale negative cache entries to expire from
Unicast DNS caches, making the device available to the user desiring
to access it.
Similar reasoning applies to capping positive TTLs at ten seconds.
In the event of a device moving location, getting a new DHCP address,
or other renumbering events, we would like the updated information to
be available to remote clients in a relatively timely fashion.
However, network administrators should be aware that many recursive
(caching) DNS servers by default are configured to impose a minimum
TTL of 30 seconds. If stale data appears to be persisting in the
network to the extent that it adversely impacts user experience,
network administrators are advised to check the configuration of
their recursive DNS servers.
For received Unicast DNS queries that contain an LLQ or DNS Push
Notification option, the Multicast DNS record's TTL SHOULD be
returned unmodified, because the Push Notification channel exists to
inform the remote client as records come and go. For further details
about Long-Lived Queries, and its newer replacement, DNS Push
Notifications, see Section 4.6.
4.5.2. Suppressing Unusable Records
A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that
are not useful outside the local link. For example, DNS A and AAAA are not useful outside the local link. For example, DNS A and AAAA
records for IPv6 link-local addresses [RFC4862] and IPv4 link-local records for IPv6 link-local addresses [RFC4862] and IPv4 link-local
addresses [RFC3927] should be suppressed. Similarly, for sites that addresses [RFC3927] should be suppressed. Similarly, for sites that
have multiple private address realms [RFC1918], private addresses have multiple private address realms [RFC1918], private addresses
from one private address realm should not be communicated to clients from one private address realm should not be communicated to clients
in a different private address realm. in a different private address realm.
By the same logic, DNS SRV records that reference target host names By the same logic, DNS SRV records that reference target host names
that have no addresses usable by the requester should be suppressed, that have no addresses usable by the requester should be suppressed,
and likewise, DNS PTR records that point to unusable SRV records and likewise, DNS PTR records that point to unusable SRV records
should be similarly be suppressed. should be similarly be suppressed.
3.5.3. Application-Specific Data Translation 4.5.3. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is There may be cases where Application-Specific Data Translation is
appropriate. appropriate.
For example, AirPrint printers tend to advertise fairly verbose For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. information about their capabilities in their DNS-SD TXT record. TXT
This information is a legacy from LPR printing, because LPR does not record sizes in the range 500-1000 bytes are not uncommon. This
have in-band capability negotiation, so all of this information is information is a legacy from LPR printing, because LPR does not have
in-band capability negotiation, so all of this information is
conveyed using the DNS-SD TXT record instead. IPP printing does have conveyed using the DNS-SD TXT record instead. IPP printing does have
in-band capability negotiation, but for convenience printers tend to in-band capability negotiation, but for convenience printers tend to
include the same capability information in their IPP DNS-SD TXT include the same capability information in their IPP DNS-SD TXT
records as well. For local mDNS use this extra TXT record records as well. For local mDNS use this extra TXT record
information is inefficient, but not fatal. However, when a Hybrid information is inefficient, but not fatal. However, when a Hybrid
Proxy aggregates data from multiple printers on a link, and sends it Proxy aggregates data from multiple printers on a link, and sends it
via unicast (via UDP or TCP) this amount of unnecessary TXT record via unicast (via UDP or TCP) this amount of unnecessary TXT record
information can result in large responses. Therefore, a Hybrid Proxy information can result in large responses. A DNS reply over TCP
that is aware of the specifics of an application-layer protocol such carrying information about 70 printers with an average of 700 bytes
as AirPrint (which uses IPP) can elide unnecessary key/value pairs per printer adds up to about 50 kilobytes of data. Therefore, a
from the DNS-SD TXT record for better network efficiency. Hybrid Proxy that is aware of the specifics of an application-layer
protocol such as AirPrint (which uses IPP) can elide unnecessary key/
value pairs from the DNS-SD TXT record for better network efficiency.
Note that this kind of Application-Specific Data Translation is Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing. It is frequently This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design, with the case that it is wise to start with a clean, layered design, with
clear boundaries. Then, in certain special cases, those layer clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency boundaries may be violated, where the performance and efficiency
benefits outweigh the inelegance of the layer violation. benefits outweigh the inelegance of the layer violation.
As in other similar situations, these layer violations are optional. As in other similar situations, these layer violations are optional.
They are done only for efficiency reasons, and are not required for They are done only for efficiency reasons, and are not required for
correct operation. A Hybrid Proxy can operate solely at the mDNS correct operation. A Hybrid Proxy can operate solely at the mDNS
layer, without any knowledge of semantics at the DNS-SD layer or layer, without any knowledge of semantics at the DNS-SD layer or
above. above.
3.6. Answer Aggregation 4.6. Answer Aggregation
In a simple analysis, simply gathering multicast answers and In a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises forwarding them in a unicast response seems adequate, but it raises
the question of how long the Hybrid Proxy should wait to be sure that the question of how long the Hybrid Proxy should wait to be sure that
it has received all the Multicast DNS answers it needs to form a it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In long, then it creates a poor user experience at the client end. In
fact, there may no time which is both short enough to produce a good fact, there may be no time which is both short enough to produce a
user experience and at the same time long enough to reliably produce good user experience and at the same time long enough to reliably
complete results. produce complete results.
Similarly, the Hybrid Proxy -- the authoritative name server for the Similarly, the Hybrid Proxy -- the authoritative name server for the
subdomain in question -- needs to decide what DNS TTL to report for subdomain in question -- needs to decide what DNS TTL to report for
these records. If the TTL is too long then the recursive (caching) these records. If the TTL is too long then the recursive (caching)
name servers issuing queries on behalf of their clients risk caching name servers issuing queries on behalf of their clients risk caching
stale data for too long. If the TTL is too short then the amount of stale data for too long. If the TTL is too short then the amount of
network traffic will be more than necessary. In fact, there may no network traffic will be more than necessary. In fact, there may be
TTL which is both short enough to avoid undesirable stale data and at no TTL which is both short enough to avoid undesirable stale data and
the same time long enough to be efficient on the network. at the same time long enough to be efficient on the network.
Both these dilemmas are solved by use of DNS Long-Lived Queries (DNS Both these dilemmas are solved by use of DNS Long-Lived Queries
LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push (DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push
Notifications [I-D.ietf-dnssd-push]. When a Hybrid Proxy recieves a Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can
query containing a DNS LLQ or DNS Push Notification option, it support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy
responds immediately using the Multicast DNS records it already has that supports both the client may use either protocol, as it chooses,
in its cache (if any). This provides a good client user experience though it is expected that only DNS Push will continue to be
by providing a near-instantaneous response. Simultaneously, the supported in the long run.)
Hybrid Proxy issues a Multicast DNS query on the local link to
discover if there are any additional Multicast DNS records it did not When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push
already know about. Should additional Multicast DNS responses be Notification option, it responds immediately using the Multicast DNS
received, these are then delivered to the client using DNS LLQ or DNS records it already has in its cache (if any). This provides a good
Push Notification update messages. The timeliness of such update client user experience by providing a near-instantaneous response.
messages is limited only by the timeliness of the device responding Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the
to the Multicast DNS query. If the Multicast DNS device responds local link to discover if there are any additional Multicast DNS
quickly, then the update message is delivered quickly. If the records it did not already know about. Should additional Multicast
Multicast DNS device responds slowly, then the update message is DNS responses be received, these are then delivered to the client
delivered slowly. The benefit of using update messages is that the using DNS LLQ or DNS Push Notification update messages. The
Hybrid Proxy can respond promptly because it doesn't have to delay timeliness of such update messages is limited only by the timeliness
its unicast response to allow for the expected worst-case delay for of the device responding to the Multicast DNS query. If the
receiving all the Multicast DNS responses. Even if a proxy were to Multicast DNS device responds quickly, then the update message is
try to provide reliability by assuming an excessively pessimistic delivered quickly. If the Multicast DNS device responds slowly, then
worst-case time (thereby giving a very poor user experience) there the update message is delivered slowly. The benefit of using update
would still be the risk of a slow Multicast DNS device taking even messages is that the Hybrid Proxy can respond promptly because it
longer than that (e.g, a device that is not even powered on until ten doesn't have to delay its unicast response to allow for the expected
seconds after the initial query is received) resulting in incomplete worst-case delay for receiving all the Multicast DNS responses. Even
responses. Using update message solves this dilemma: even very late if a proxy were to try to provide reliability by assuming an
responses are not lost; they are delivered in subsequent update excessively pessimistic worst-case time (thereby giving a very poor
messages. user experience) there would still be the risk of a slow Multicast
DNS device taking even longer than that (e.g, a device that is not
even powered on until ten seconds after the initial query is
received) resulting in incomplete responses. Using update message
solves this dilemma: even very late responses are not lost; they are
delivered in subsequent update messages.
There are two factors that determine specifically how responses are There are two factors that determine specifically how responses are
generated: generated:
The first factor is whether the query from the client included an LLQ The first factor is whether the query from the client included an LLQ
or DNS Push Notification option (typical with long-lived service or DNS Push Notification option (typical with long-lived service
browsing PTR queries) or not (typical with one-shot operations like browsing PTR queries) or not (typical with one-shot operations like
SRV or address record queries). Note that queries containing the SRV or address record queries). Note that queries containing the LLQ
LLQ/PUSH option are received directly from the client (see or PUSH option are received directly from the client (see
Section 3.6.1). Queries containing no LLQ/PUSH option are generally Section 4.6.1). Queries containing no LLQ or PUSH option are
received via the client's configured recursive (caching) name server. generally received via the client's configured recursive (caching)
name server.
The second factor is whether the Hybrid Proxy already has at least The second factor is whether the Hybrid Proxy already has at least
one record in its cache that positively answers the question. one record in its cache that positively answers the question.
o No LLQ/PUSH option; no answer in cache: o No LLQ or PUSH option; no answer in cache:
Do local mDNS query up to three times, return answers if received, Issue an mDNS query, exactly as a local client would issue an mDNS
otherwise return negative response if no answer after three tries. query on the local link for the desired record name, type and
class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule [RFC6762]. As soon as
any Multicast DNS response packet is received that contains one or
more positive answers to that question (with or without the Cache
Flush bit [RFC6762] set), or a negative answer (signified via an
NSEC record [RFC6762]), the Hybrid Proxy generates a Unicast DNS
response packet containing the corresponding (filtered and
translated) answers and sends it to the remote client. If after
six seconds no Multicast DNS answers have been received, return a
negative response to the remote client.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
o No LLQ/PUSH option; at least one answer in cache: o No LLQ or PUSH option; at least one answer in cache:
Send response right away to minimise delay. Send response right away to minimise delay.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
No local mDNS queries are performed. No local mDNS queries are performed.
(Reasoning: Given RRSet TTL harmonisation, if the proxy has one (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
Multicast DNS answer in its cache, it can reasonably assume that Multicast DNS answer in its cache, it can reasonably assume that
it has all of them.) it has all of them.)
o Query contains LLQ/PUSH option; no answer in cache: o Query contains LLQ or PUSH option; no answer in cache:
As above, do local mDNS query up to three times, and return As in the case above with no answer in the cache, perform mDNS
answers if received. querying for six seconds, and send a response to the remote client
If no answer after three tries, return negative response. as soon as any relevant mDNS response is received.
(Reasoning: We don't need to rush to send an empty answer.) If after six seconds no relevant mDNS response has been received,
In both cases the query remains active for as long as the client return negative response to the remote client. (Reasoning: We
maintains the LLQ/PUSH state, and if mDNS answers are received don't need to rush to send an empty answer.)
later, LLQ/PUSH update messages are sent. Whether or not a relevant mDNS response is received within six
seconds, the query remains active for as long as the client
maintains the LLQ or PUSH state, and if mDNS answers are received
later, LLQ or PUSH update messages are sent.
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
o Query contains LLQ/PUSH option; at least one answer in cache: o Query contains LLQ or PUSH option; at least one answer in cache:
As above, send response right away to minimise delay. As in the case above with at least one answer in cache, send
response right away to minimise delay.
The query remains active for as long as the client maintains the The query remains active for as long as the client maintains the
LLQ/PUSH state, and if additional mDNS answers are received later, LLQ or PUSH state, and if additional mDNS answers are received
LLQ/PUSH update messages are sent. later, LLQ or PUSH update messages are sent.
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want UI that is displayed very rapidly, yet
continues to remain accurate even as the network environment continues to remain accurate even as the network environment
changes.) changes.)
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
Note that the "negative responses" referred to above are "no error no Note that the "negative responses" referred to above are "no error no
answer" negative responses, not NXDOMAIN. This is because the Hybrid answer" negative responses, not NXDOMAIN. This is because the Hybrid
Proxy cannot know all the Multicast DNS domain names that may exist Proxy cannot know all the Multicast DNS domain names that may exist
on a link at any given time, so any name with no answers may have on a link at any given time, so any name with no answers may have
child names that do exist, making it an "empty nonterminal" name. child names that do exist, making it an "empty nonterminal" name.
3.6.1. Discovery of LLQ or PUSH Notification Service 4.6.1. Discovery of LLQ and/or PUSH Notification Service
To issue LLQ/PUSH queries, clients need to communicate directly with To issue LLQ or PUSH queries, clients need to communicate directly
the authoritative Hybrid Proxy. The procedure by which the client with the authoritative Hybrid Proxy. The procedure by which the
locates the authoritative Hybrid Proxy is described in the LLQ client locates the authoritative Hybrid Proxy is described in the LLQ
specification [I-D.sekar-dns-llq] and the DNS Push Notifications specification [I-D.sekar-dns-llq] and the DNS Push Notifications
specification [I-D.ietf-dnssd-push]. specification [I-D.ietf-dnssd-push].
Briefly, the procedure is as follows: Briefly, the procedure is as follows:
To discover the LLQ service for a given domain name, a client first To discover the LLQ service for a given domain name, a client first
performs DNS zone apex discovery, and then, having discovered <apex>, performs DNS zone apex discovery, and then, having discovered <apex>,
the client then issues a DNS query for the SRV record with the name the client then issues a DNS query for the SRV record with the name
_dns-llq._udp.<apex> to find the target host and port for the LLQ _dns-llq._udp.<apex> to find the target host and port for the LLQ
service for that zone. By default LLQ service runs on UDP port 5352, service for that zone. By default LLQ service runs on UDP port 5352,
skipping to change at page 18, line 11 skipping to change at page 20, line 5
contain the SOA record of the zone apex, the client trims the contain the SOA record of the zone apex, the client trims the
first label off the given domain name and returns to step 1 to first label off the given domain name and returns to step 1 to
try again. try again.
By this method, the client iterates until it learns the name of the By this method, the client iterates until it learns the name of the
zone apex, or (in pathological failure cases) reaches the root and zone apex, or (in pathological failure cases) reaches the root and
gives up. gives up.
Normal DNS caching is used to avoid repetitive queries on the wire. Normal DNS caching is used to avoid repetitive queries on the wire.
4. Implementation Status 5. DNS SOA (Start of Authority) Record
The MNAME field SHOULD contain the host name of the Hybrid Proxy
device (i.e., the same domain name as the rdata of the NS record
delegating the relevant zone(s) to this Hybrid Proxy device).
The RNAME field SHOULD contain the mailbox of the person responsible
for administering this Hybrid Proxy device.
The SERIAL field SHOULD contain a sequence number that increments
each time the Hybrid Proxy returns an SOA record to any client.
[Author's note: Or maybe it could just be zero?]
Since zone transfers are undefined for Hybrid Proxy zones, the
REFRESH, RETRY and EXPIRE fields have no useful meaning for Hybrid
Proxy zones. These fields SHOULD contain reasonable default values.
The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE 86400.
The MINIMUM field (used to control the lifetime of negative cache
entries) SHOULD contain the value 10. The value of ten seconds is
chosen based on user experience considerations (see Section 4.5.1).
[Author's note: Discussion of these recommendations is requested.]
6. Implementation Status
Some aspects of the mechanism specified in this document already Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new. outlines which aspects already exist and which are new.
4.1. Already Implemented and Deployed 6.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is Domain enumeration by the client (the "b._dns-sd._udp" queries) is
already implemented and deployed. already implemented and deployed.
Unicast queries to the indicated discovery domain is already Unicast queries to the indicated discovery domain is already
implemented and deployed. implemented and deployed.
These are implemented and deployed in Mac OS X 10.4 and later These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), in (including all versions of Apple iOS, on all iPhone and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
and later. and later.
Domain enumeration and unicast querying have been used for several Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When you Press Cmd-P on your Mac, or from outside the Terminal room. When you Press Cmd-P on your Mac, or
select AirPrint on your iPad or iPhone, and the Terminal room select AirPrint on your iPad or iPhone, and the Terminal room
printers appear, that is because your client is doing unicast DNS printers appear, that is because your client is sending unicast DNS
queries to the IETF DNS servers. queries to the IETF DNS servers.
4.2. Partially Implemented 6.2. Already Implemented
A minimal portable Hybrid Proxy implementation has been produced by
Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the
Berlin IETF in July 2013.
Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo
CLI and web interface.
6.3. Partially Implemented
The current APIs make multiple domains visible to client software, The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Hybrid UI code when few customers today would benefit from it. If Hybrid
Proxy deployment becomes common, then application writers will have a Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with reason to provide better UI. Existing applications will work with
the Hybrid Proxy, but will show all services in a single flat list. the Hybrid Proxy, but will show all services in a single flat list.
Applications with improved UI will group services by domain. Applications with improved UI will group services by domain.
skipping to change at page 19, line 15 skipping to change at page 21, line 44
[I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach [I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach
is for vendors to produce Hybrid Proxies that implement both the is for vendors to produce Hybrid Proxies that implement both the
deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's
clients) and the new DNS Push Notifications mechanism clients) and the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] as the preferred long-term direction. [I-D.ietf-dnssd-push] as the preferred long-term direction.
The translating/filtering Hybrid Proxy specified in this document. The translating/filtering Hybrid Proxy specified in this document.
Implementations are under development, and operational experience Implementations are under development, and operational experience
with these implementations has guided updates to this document. with these implementations has guided updates to this document.
4.3. Not Yet Implemented 6.4. Not Yet Implemented
Client implementations of the new DNS Push Notifications mechanism Client implementations of the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] are currently underway. [I-D.ietf-dnssd-push] are currently underway.
A mechanism to 'stitch' together multiple ".local." zones so that A mechanism to 'stitch' together multiple ".local." zones so that
they appear as one. Such a mechanism will be specified in a future they appear as one. Such a mechanism will be specified in a future
companion document. companion document.
5. IPv6 Considerations 7. IPv6 Considerations
An IPv6-only host and an IPv4-only host behave as "ships that pass in An IPv6-only host and an IPv4-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet, neither is aware the night". Even if they are on the same Ethernet, neither is aware
of the other's traffic. For this reason, each physical link may have of the other's traffic. For this reason, each physical link may have
*two* unrelated ".local." zones, one for IPv6 and one for IPv4. *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
Since for practical purposes, a group of IPv6-only hosts and a group Since for practical purposes, a group of IPv6-only hosts and a group
of IPv4-only hosts on the same Ethernet act as if they were on two of IPv4-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments. really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these It will be desirable to have a mechanism to 'stitch' together these
two unrelated ".local." zones so that they appear as one. Such two unrelated ".local." zones so that they appear as one. Such
mechanism will need to be able to differentiate between a dual-stack mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different (v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv6-only and the other IPv4-only, which are both trying hosts, one IPv6-only and the other IPv4-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a to use the same name(s). Such a mechanism will be specified in a
future companion document. future companion document.
6. Security Considerations 8. Security Considerations
6.1. Authenticity 8.1. Authenticity
A service proves its presence on a link by its ability to answer A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is link-local multicast queries on that link. If greater security is
desired, then the Hybrid Proxy mechanism should not be used, and desired, then the Hybrid Proxy mechanism should not be used, and
something with stronger security should be used instead, such as something with stronger security should be used instead, such as
authenticated secure DNS Update [RFC2136] [RFC3007]. authenticated secure DNS Update [RFC2136] [RFC3007].
6.2. Privacy 8.2. Privacy
The Domain Name System is, generally speaking, a global public The Domain Name System is, generally speaking, a global public
database. Records that exist in the Domain Name System name database. Records that exist in the Domain Name System name
hierarchy can be queried by name from, in principle, anywhere in the hierarchy can be queried by name from, in principle, anywhere in the
world. If services on a mobile device (like a laptop computer) are world. If services on a mobile device (like a laptop computer) are
made visible via the Hybrid Proxy mechanism, then when those services made visible via the Hybrid Proxy mechanism, then when those services
become visibile in a domain such as "My House.example.com" that might become visibile in a domain such as "My House.example.com" that might
indicate to (potentially hostile) observers that the mobile device is indicate to (potentially hostile) observers that the mobile device is
in my house. When those services disappear from in my house. When those services disappear from
"My House.example.com" that change could be used by observers to "My House.example.com" that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using the house. The privacy of this information may be protected using
techniques like firewalls and split-view DNS, as are customarily used techniques like firewalls and split-view DNS, as are customarily used
today to protect the privacy of corporate DNS information. today to protect the privacy of corporate DNS information.
6.3. Denial of Service 8.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of queries to induce a Hybrid Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local corresponding Multicast DNS queries on one or more of its local
links. Multicast traffic is expensive -- especially on Wi-Fi links links. Multicast traffic is expensive -- especially on Wi-Fi links
-- which makes this attack particularly serious. To limit the damage -- which makes this attack particularly serious. To limit the damage
that can be caused by such attacks, a Hybrid Proxy (or the underlying that can be caused by such attacks, a Hybrid Proxy (or the underlying
Multicast DNS subsystem which it utilizes) MUST implement Multicast Multicast DNS subsystem which it utilizes) MUST implement Multicast
DNS query rate limiting appropriate to the link technology in DNS query rate limiting appropriate to the link technology in
question. For Wi-Fi links the Multicast DNS subsystem SHOULD NOT question. For Wi-Fi links the Multicast DNS subsystem SHOULD NOT
issue more than 20 Multicast DNS query packets per second. On other issue more than 20 Multicast DNS query packets per second. On other
link technologies like Gigabit Ethernet higher limits may be link technologies like Gigabit Ethernet higher limits may be
appropriate. appropriate.
7. Intelectual Property Rights 9. Intelectual Property Rights
Apple has submitted an IPR disclosure concerning the technique Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on the IETF IPR proposed in this document. Details are available on the IETF IPR
disclosure page [IPR2119]. disclosure page [IPR2119].
8. IANA Considerations 10. IANA Considerations
This document has no IANA Considerations. This document has no IANA Considerations.
9. Acknowledgments 11. Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Andrew Yourtchenko for immediately available in the cache. Thanks to Andrew Yourtchenko for
comments about privacy issues. [Partial list; more names to be comments about privacy issues. [Partial list; more names to be
added.] added.]
10. References 12. References
10.1. Normative References 12.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot, [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot,
G., and E. Lear, "Address Allocation for Private G., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
February 1996, <http://www.rfc-editor.org/info/rfc1918>. February 1996, <http://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<http://www.rfc-editor.org/info/rfc2308>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, DOI 10.17487/RFC3927, May 2005,
<http://www.rfc-editor.org/info/rfc3927>. <http://www.rfc-editor.org/info/rfc3927>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, DOI 10.17487/ Address Autoconfiguration", RFC 4862, DOI 10.17487/
RFC4862, September 2007, RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>. <http://www.rfc-editor.org/info/rfc4862>.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
<http://www.rfc-editor.org/info/rfc5198>. <http://www.rfc-editor.org/info/rfc5198>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
December 2012. December 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, December 2012. Discovery", RFC 6763, December 2012.
[I-D.sekar-dns-llq]
Sekar, K., "DNS Long-Lived Queries",
draft-sekar-dns-llq-01 (work in progress), August 2006.
[I-D.ietf-dnssd-push] [I-D.ietf-dnssd-push]
Pusateri, T. and S. Cheshire, "DNS Push Notifications", Pusateri, T. and S. Cheshire, "DNS Push Notifications",
draft-ietf-dnssd-push-02 (work in progress), October 2015. draft-ietf-dnssd-push-03 (work in progress),
November 2015.
10.2. Informative References 12.2. Informative References
[HOME] Cheshire, S., "Special Use Top Level Domain 'home'", [HOME] Cheshire, S., "Special Use Top Level Domain 'home'",
draft-cheshire-homenet-dot-home (work in progress), draft-cheshire-homenet-dot-home (work in progress),
November 2014. November 2015.
[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid [IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
Unicast/Multicast DNS-Based Service Discovery", Unicast/Multicast DNS-Based Service Discovery",
<https://datatracker.ietf.org/ipr/2119/>. <https://datatracker.ietf.org/ipr/2119/>.
[ohp] "Hybrid Proxy implementation for OpenWrt",
<https://github.com/sbyx/ohybridproxy/>.
[I-D.sekar-dns-llq]
Sekar, K., "DNS Long-Lived Queries",
draft-sekar-dns-llq-01 (work in progress), August 2006.
[I-D.ietf-homenet-hncp]
Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", draft-ietf-homenet-hncp-09 (work in
progress), August 2015.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <http://www.rfc-editor.org/info/rfc2136>.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<http://www.rfc-editor.org/info/rfc3007>. <http://www.rfc-editor.org/info/rfc3007>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol [RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
 End of changes. 63 change blocks. 
165 lines changed or deleted 315 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/