draft-ietf-dnssd-hybrid-04.txt   draft-ietf-dnssd-hybrid-05.txt 
Internet Engineering Task Force S. Cheshire Internet Engineering Task Force S. Cheshire
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track October 31, 2016 Intended status: Standards Track November 16, 2016
Expires: May 4, 2017 Expires: May 20, 2017
Hybrid Unicast/Multicast DNS-Based Service Discovery Hybrid Unicast/Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-04 draft-ietf-dnssd-hybrid-05
Abstract Abstract
Performing DNS-Based Service Discovery using purely link-local This document specifies a mechanism that uses Multicast DNS to
Multicast DNS enables discovery of services that are on the local automatically populate the wide-area unicast Domain Name System
link, but not (without some kind of proxy or similar special support) namespace with records describing devices and services found on the
discovery of services that are outside the local link. Using a very local link.
large local link with thousands of hosts facilitates service
discovery, but at the cost of large amounts of multicast traffic.
Performing DNS-Based Service Discovery using purely Unicast DNS is
more efficient and doesn't require excessively large multicast
domains, but requires that the relevant data be available in the
Unicast DNS namespace. This can be achieved by manual DNS
configuration (as has been done for many years at IETF meetings to
advertise the IETF Terminal Room printer) but this is labor
intensive, error prone, and requires a reasonable degree of DNS
expertise. The Unicast DNS namespace can be populated with the
required data automatically by the devices themselves, but that
requires configuration of DNS Update keys on the devices offering the
services, which has proven onerous and impractical for simple devices
like printers and network cameras.
Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, a compromise is needed that combines the ease-of-use of
Multicast DNS with the efficiency and scalability of Unicast DNS.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017. This Internet-Draft will expire on May 20, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Terminology Used in this Document . . . . . . 5 2. Operational Analogy . . . . . . . . . . . . . . . . . . . . . 6
3. Compatibility Considerations . . . . . . . . . . . . . . . . . 6 3. Conventions and Terminology Used in this Document . . . . . . 7
4. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 6 4. Compatibility Considerations . . . . . . . . . . . . . . . . . 7
4.1. Delegated Subdomain for Service Discovery Records . . . . 7 5. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 8
4.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 8 5.1. Delegated Subdomain for Service Discovery Records . . . . 9
4.2.1. Domain Enumeration via Unicast Queries . . . . . . . . 8 5.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 10
4.2.2. Domain Enumeration via Multicast Queries . . . . . . . 9 5.2.1. Domain Enumeration via Unicast Queries . . . . . . . . 10
4.3. Delegated Subdomain for LDH Host Names . . . . . . . . . . 10 5.2.2. Domain Enumeration via Multicast Queries . . . . . . . 12
4.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 12 5.3. Delegated Subdomain for LDH Host Names . . . . . . . . . . 13
4.5. Data Translation . . . . . . . . . . . . . . . . . . . . . 13 5.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 15
4.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 13 5.5. Data Translation . . . . . . . . . . . . . . . . . . . . . 16
4.5.2. Suppressing Unusable Records . . . . . . . . . . . . . 14 5.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 16
4.5.3. Text Encoding Translation . . . . . . . . . . . . . . 14 5.5.2. Suppressing Unusable Records . . . . . . . . . . . . . 17
4.5.4. Application-Specific Data Translation . . . . . . . . 15 5.5.3. NSEC and NSEC3 queries . . . . . . . . . . . . . . . . 18
4.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 16 5.5.4. Text Encoding Translation . . . . . . . . . . . . . . 18
5. DNS SOA (Start of Authority) Record . . . . . . . . . . . . . 19 5.5.5. Application-Specific Data Translation . . . . . . . . 18
6. DNSSEC Issues . . . . . . . . . . . . . . . . . . . . . . . . 20 5.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 20
6.1. On-line signing only . . . . . . . . . . . . . . . . . . . 20 6. Administrative DNS Records . . . . . . . . . . . . . . . . . . 23
6.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . . 20 6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 23
7. Implementation Status . . . . . . . . . . . . . . . . . . . . 21 6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . . 23
7.1. Already Implemented and Deployed . . . . . . . . . . . . . 21 6.3. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 23
7.2. Already Implemented . . . . . . . . . . . . . . . . . . . 21 7. DNSSEC Issues . . . . . . . . . . . . . . . . . . . . . . . . 24
7.3. Partially Implemented . . . . . . . . . . . . . . . . . . 21 7.1. On-line signing only . . . . . . . . . . . . . . . . . . . 24
7.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 22 7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . . 24
8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 22 8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 25
9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 9. Security Considerations . . . . . . . . . . . . . . . . . . . 25
9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 23 9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 25
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 23 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 25
9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 23 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 26
10. Intelectual Property Rights . . . . . . . . . . . . . . . . . 24 10. Intelectual Property Rights . . . . . . . . . . . . . . . . . 26
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
13.1. Normative References . . . . . . . . . . . . . . . . . . . 24 13.1. Normative References . . . . . . . . . . . . . . . . . . . 27
13.2. Informative References . . . . . . . . . . . . . . . . . . 25 13.2. Informative References . . . . . . . . . . . . . . . . . . 28
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 26 Appendix A. Implementation Status . . . . . . . . . . . . . . . . 30
A.1. Already Implemented and Deployed . . . . . . . . . . . . . 30
A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 30
A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 30
A.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 31
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was with the ease-of-use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC]. well known [RFC6760] [ZC].
For a small network consisting of just a single link (or several For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link to physical links bridged together to appear as a single logical link to
IP) Multicast DNS [RFC6762] is sufficient for client devices to look IP) Multicast DNS [RFC6762] is sufficient for client devices to look
up the dot-local host names of peers on the same home network, and up the ".local" host names of peers on the same home network, and to
perform DNS-Based Service Discovery (DNS-SD) [RFC6763] of services use DNS-Based Service Discovery (DNS-SD) [RFC6763] to discover
offered on that home network. services offered on that home network.
For a larger network consisting of multiple links that are For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, do not cross between links. Multicast DNS packets, by design, are not propagated onto other
(This was a deliberate design choice for Multicast DNS, since even on links.
a single link multicast traffic is expensive -- especially on Wi-Fi
links -- and multiplying the amount of multicast traffic by flooding
it across multiple links would make that problem even worse.)
In this environment, Unicast DNS would be preferable to Multicast
DNS. (Unicast DNS can be used either with a traditionally assigned
globally unique domain name, or with a private local unicast domain
name such as ".home" [HOME].)
To use Unicast DNS, the names of hosts and services need to be made Using link-local multicast packets for Multicast DNS was a conscious
available in the Unicast DNS namespace. In the DNS-SD specification design choice [RFC6762]. Even when limited to a single link,
[RFC6763] Section 10 ("Populating the DNS with Information") multicast traffic is still generally considered to be more expensive
discusses various possible ways that a service's PTR, SRV, TXT and than unicast, because multicast traffic impacts many devices, instead
address records can make their way into the Unicast DNS namespace, of just a single recipient. In addition, with some technologies like
including manual zone file configuration [RFC1034] [RFC1035], Wi-Fi [802.11], multicast traffic is inherently less efficient and
DNS Update [RFC2136] [RFC3007] and proxies of various kinds. less reliable than unicast, because Wi-Fi multicast traffic is sent
using the lower data rates, and is not acknowledged. Multiplying the
amount of expensive multicast traffic by flooding it across multiple
links would make the traffic load even worse.
Partitioning the network into many small links curtails the spread of
expensive multicast traffic, but limits the discoverability of
services. Using a very large local link with thousands of hosts
enables better service discovery, but at the cost of larger amounts
of multicast traffic.
Performing DNS-Based Service Discovery using purely Unicast DNS is
more efficient and doesn't require excessively large multicast
domains, but requires that the relevant data be available in the
Unicast DNS namespace. The Unicast DNS namespace in question could
fall within a traditionally assigned globally unique domain name, or
could use a private local unicast domain name such as ".home"
[HOME].)
In the DNS-SD specification [RFC6763], Section 10 ("Populating the
DNS with Information") discusses various possible ways that a
service's PTR, SRV, TXT and address records can make their way into
the Unicast DNS namespace, including manual zone file configuration
[RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of
various kinds.
Making the relevant data available in the Unicast DNS namespace by
manual DNS configuration (as has been done for many years at IETF
meetings to advertise the IETF Terminal Room printer) is labor
intensive, error prone, and requires a reasonable degree of DNS
expertise.
Populating the Unicast DNS namespace via DNS Update by the devices
offering the services themselves requires configuration of DNS Update
keys on those devices, which has proven onerous and impractical for
simple devices like printers and network cameras.
Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, a compromise is needed that combines the ease-of-use of
Multicast DNS with the efficiency and scalability of Unicast DNS.
This document specifies a type of proxy called a Hybrid Proxy that This document specifies a type of proxy called a Hybrid Proxy that
uses Multicast DNS [RFC6762] to discover Multicast DNS records on its uses Multicast DNS [RFC6762] to discover Multicast DNS records on its
local link, and makes corresponding DNS records visible in the local link, and makes corresponding DNS records visible in the
Unicast DNS namespace. Unicast DNS namespace.
In simple terms, a descriptive DNS name is chosen for each physical In principle, similar mechanisms could be defined using other local
link in an organization. Using a DNS NS record, responsibility for service discovery protocols, to discover local information and then
that DNS name is delegated to a Hybrid Proxy physically attached to make corresponding DNS records visible in the Unicast DNS namespace.
that link. Now, when a remote client issues a unicast query for a Such mechanisms for other local service discovery protocols could be
name falling within the delegated subdomain, the normal DNS addressed in future documents.
delegation mechanism results in the unicast query arriving at the
Hybrid Proxy, since it has been declared authoritative for those The design of the Hybrid Proxy is guided by the previously published
names. Now, instead of consulting a textual zone file on disk to Requirements for Scalable DNS-Based Service [RFC7558].
discover the answer to the query, as a traditional DNS server would,
a Hybrid Proxy consults its local link, using Multicast DNS, to find In simple terms, a descriptive DNS name is chosen for each link in an
the answer to the question. organization. Using a DNS NS record, responsibility for that DNS
name is delegated to a Hybrid Proxy physically attached to that link.
Now, when a remote client issues a unicast query for a name falling
within the delegated subdomain, the normal DNS delegation mechanism
results in the unicast query arriving at the Hybrid Proxy, since it
has been declared authoritative for those names. Now, instead of
consulting a textual zone file on disk to discover the answer to the
query, as a traditional DNS server would, a Hybrid Proxy consults its
local link, using Multicast DNS, to find the answer to the question.
For fault tolerance reasons there may be more than one Hybrid Proxy
serving a given link.
Note that the Hybrid Proxy uses a "pull" model. The local link is Note that the Hybrid Proxy uses a "pull" model. The local link is
not queried using Multicast DNS until a remote client has requested not queried using Multicast DNS until a remote client has requested
that data. In the idle state, in the absence of client requests, the that data. In the idle state, in the absence of client requests, the
Hybrid Proxy sends no packets and imposes no burden on the network. Hybrid Proxy sends no packets and imposes no burden on the network.
It operates purely "on demand". It operates purely "on demand".
An alternative proposal has been a proxy that performs DNS updates to An alternative proposal has been a proxy that performs DNS updates to
a remote DNS server on behalf of the Multicast DNS devices on the a remote DNS server on behalf of the Multicast DNS devices on the
local network. The difficulty of this is that the proxy would have local network. The difficulty of this is that the proxy would have
skipping to change at page 5, line 31 skipping to change at page 6, line 5
interest in that data. interest in that data.
Hence, having a model where the query comes to the Hybrid Proxy is Hence, having a model where the query comes to the Hybrid Proxy is
much more efficient than a model where the Hybrid Proxy pushes the much more efficient than a model where the Hybrid Proxy pushes the
answers out to some other remote DNS server. answers out to some other remote DNS server.
A client can send queries to the Hybrid Proxy in the form of A client can send queries to the Hybrid Proxy in the form of
traditional DNS queries, or by making a DNS Push Notification traditional DNS queries, or by making a DNS Push Notification
subscription [I-D.ietf-dnssd-push]. subscription [I-D.ietf-dnssd-push].
2. Conventions and Terminology Used in this Document 2. Operational Analogy
A Hybrid Proxy does not operate as a multicast relay, or multicast
forwarder. There is no danger of multicast forwarding loops that
result in traffic storms, because no multicast packets are forwarded.
A Hybrid Proxy operates as a *proxy* for a remote client, performing
queries on its behalf and reporting the results back.
A reasonable analogy would be making a telephone call to a colleague
at your workplace and saying, "I'm out of the office right now.
Would you mind bringing up a printer browser window and telling me
the names of the printers you see?" That entails no risk of a
forwarding loop causing a traffic storm, because no multicast packets
are sent over the telephone call.
A similar analogy, instead of enlisting another human being to
initiate the service discovery operation on your behalf, would be to
log into your own desktop work computer using screen sharing, and
then run the printer browser yourself to see the list of printers.
Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the
list of discovered printer names. In neither case is there any risk
of a forwarding loop causing a traffic storm, because no multicast
packets are being sent over the screen sharing or ssh connection.
The Hybrid Proxy provides another way of performing remote queries,
just using a different protocol instead of screen sharing or ssh.
When the Hybrid Proxy software performs Multicast DNS operations, the
exact same Multicast DNS caching mechanisms are applied as when any
other client software on that Hybrid Proxy device performs Multicast
DNS operations, whether that be running a printer browser client
locally, or a remote user running the printer browser client via a
screen sharing connection, or a remote user logged in via ssh running
a command-line tool like "dns-sd".
3. Conventions and Terminology Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119]. "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
The Hybrid Proxy builds on Multicast DNS, which works between hosts The Hybrid Proxy builds on Multicast DNS, which works between hosts
on the same link. A set of hosts is considered to be "on the same on the same link. A set of hosts is considered to be "on the same
link" if: link" if:
skipping to change at page 6, line 12 skipping to change at page 7, line 33
The link-layer *header* may be modified, such as in Token Ring Source The link-layer *header* may be modified, such as in Token Ring Source
Routing [802.5], but not the link-layer *payload*. In particular, if Routing [802.5], but not the link-layer *payload*. In particular, if
any device forwarding a packet modifies any part of the IP header or any device forwarding a packet modifies any part of the IP header or
IP payload then the packet is no longer considered to be on the same IP payload then the packet is no longer considered to be on the same
link. This means that the packet may pass through devices such as link. This means that the packet may pass through devices such as
repeaters, bridges, hubs or switches and still be considered to be on repeaters, bridges, hubs or switches and still be considered to be on
the same link for the purpose of this document, but not through a the same link for the purpose of this document, but not through a
device such as an IP router that decrements the IP TTL or otherwise device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header. modifies the IP header.
3. Compatibility Considerations 4. Compatibility Considerations
No changes to existing devices are required to work with a Hybrid No changes to existing devices are required to work with a Hybrid
Proxy. Proxy.
Existing devices that advertise services using Multicast DNS work Existing devices that advertise services using Multicast DNS work
with Hybrid Proxy. with Hybrid Proxy.
Existing clients that support DNS-Based Service Discovery over Existing clients that support DNS-Based Service Discovery over
Unicast DNS (Mac OS X 10.4 and later, including iPhone, iPad, and Unicast DNS work with Hybrid Proxy. Service Discovery over Unicast
Bonjour for Windows) work with Hybrid Proxy. DNS was introduced in Mac OS X 10.4 in April 2005, as is included in
Apple products introduced since then, including iPhone and iPad, as
well as products from other vendors, such as Microsoft Windows 10.
4. Hybrid Proxy Operation 5. Hybrid Proxy Operation
In a typical configuration, a Hybrid Proxy is configured to be In a typical configuration, a Hybrid Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authoritative [RFC1034] [RFC1035] for four DNS subdomains, and
authority for these subdomains is delegated to it via NS records: authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records. A DNS subdomain for service discovery records.
This subdomain name may contain rich text, including spaces and This subdomain name may contain rich text, including spaces and
other punctuation. This is because this subdomain name is used other punctuation. This is because this subdomain name is used
only in graphical user interfaces, where rich text is appropriate. only in graphical user interfaces, where rich text is appropriate.
skipping to change at page 7, line 4 skipping to change at page 8, line 31
A DNS subdomain for IPv6 Reverse Mapping records. A DNS subdomain for IPv6 Reverse Mapping records.
This subdomain name will be a name that ends in "ip6.arpa." This subdomain name will be a name that ends in "ip6.arpa."
A DNS subdomain for IPv4 Reverse Mapping records. A DNS subdomain for IPv4 Reverse Mapping records.
This subdomain name will be a name that ends in "in-addr.arpa." This subdomain name will be a name that ends in "in-addr.arpa."
In an enterprise network the naming and delegation of these In an enterprise network the naming and delegation of these
subdomains is typically performed by conscious action of the network subdomains is typically performed by conscious action of the network
administrator. In a home network naming and delegation would administrator. In a home network naming and delegation would
typically be performed using some automatic configuration mechanism typically be performed using some automatic configuration mechanism
such as HNCP [I-D.ietf-homenet-hncp]. such as HNCP [RFC7788].
These three varieties of delegated subdomains (service discovery, These three varieties of delegated subdomains (service discovery,
host names, and reverse mapping) are described below. host names, and reverse mapping) are described below in sections
Section 5.1, Section 5.3 and Section 5.4.
4.1. Delegated Subdomain for Service Discovery Records How a client discovers where to issue its service discovery queries
is described below in section Section 5.2.
In its simplest form, each physical link in an organization is 5.1. Delegated Subdomain for Service Discovery Records
assigned a unique Unicast DNS domain name, such as
"Building 1.example.com" or "2nd Floor.Building 3.example.com". In its simplest form, each link in an organization is assigned a
Grouping multiple links under a single Unicast DNS domain name is to unique Unicast DNS domain name, such as "Building 1.example.com" or
be specified in a future companion document, but for the purposes of "2nd Floor.Building 3.example.com". Grouping multiple links under a
this document, assume that each link has its own unique Unicast DNS single Unicast DNS domain name is to be specified in a future
domain name. In a graphical user interface these names are not companion document, but for the purposes of this document, assume
displayed as strings with dots as shown above, but something more that each link has its own unique Unicast DNS domain name. In a
akin to a typical file browser graphical user interface (which is graphical user interface these names are not displayed as strings
harder to illustrate in a text-only document) showing folders, with dots as shown above, but something more akin to a typical file
subfolders and files in a file system. browser graphical user interface (which is harder to illustrate in a
text-only document) showing folders, subfolders and files in a file
system.
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
| *example.com* | Building 1 | 1st Floor | Alice's printer | | *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer | | | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer | | | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | | | | Building 4 | 4th Floor | |
| | Building 5 | | | | | Building 5 | | |
| | Building 6 | | | | | Building 6 | | |
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
Figure 1: Illustrative GUI Figure 1: Illustrative GUI
Each named link in an organization has a Hybrid Proxy which serves Each named link in an organization has one or more Hybrid Proxies
it. This Hybrid Proxy function could be performed by a router on which serves it. This Hybrid Proxy function for each link could be
that link, or, with appropriate VLAN configuration, a single Hybrid performed by a device like a router or switch that is physically
Proxy could have a logical presence on, and serve as the Hybrid Proxy attached to that link. In the parent domain, NS records are used to
for, many links. In the parent domain, NS records are used to
delegate ownership of each defined link name delegate ownership of each defined link name
(e.g., "Building 1.example.com") to the Hybrid Proxy that serves the (e.g., "Building 1.example.com") to the one or more Hybrid Proxies
named link. In other words, the Hybrid Proxy is the authoritative that serve the named link. In other words, the Hybrid Proxies are
name server for that subdomain. the authoritative name servers for that subdomain.
With appropriate VLAN configuration [802.1Q] a single Hybrid Proxy
device could have a logical presence on many links, and serve as the
Hybrid Proxy for all those links. In such a configuration the Hybrid
Proxy device would have a single physical Ethernet [802.3] port,
configured as a VLAN trunk port, which would appear to software on
that device as multiple virtual Ethernet interfaces, one connected to
each of the VLAN links.
When a DNS-SD client issues a Unicast DNS query to discover services When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS
delegation mechanism results in that query being forwarded until it delegation mechanism results in that query being forwarded until it
reaches the delegated authoritative name server for that subdomain, reaches the delegated authoritative name server for that subdomain,
namely the Hybrid Proxy on the link in question. Like a conventional namely the Hybrid Proxy on the link in question. Like a conventional
Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS
protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a
conventional Unicast DNS server that generates answers from the data conventional Unicast DNS server that generates answers from the data
in its manually-configured zone file, a Hybrid Proxy generates in its manually-configured zone file, a Hybrid Proxy generates
answers using Multicast DNS. A Hybrid Proxy does this by consulting answers using Multicast DNS. A Hybrid Proxy does this by consulting
its Multicast DNS cache and/or issuing Multicast DNS queries for the its Multicast DNS cache and/or issuing Multicast DNS queries for the
corresponding Multicast DNS name, type and class, (e.g., in this corresponding Multicast DNS name, type and class, (e.g., in this
case, "_printer._tcp.local. PTR ?"). Then, from the received case, "_printer._tcp.local. PTR ?"). Then, from the received
Multicast DNS data, the Hybrid Proxy synthesizes the appropriate Multicast DNS data, the Hybrid Proxy synthesizes the appropriate
Unicast DNS response. Unicast DNS response. How long the Hybrid Proxy should wait to
accumulate Multicast DNS responses is described below in section
Section 5.6.
Naturally, the existing Multicast DNS caching mechanism is used to Naturally, the existing Multicast DNS caching mechanism is used to
avoid issuing unnecessary Multicast DNS queries on the wire. The minimize unnecessary Multicast DNS queries on the wire. The Hybrid
Hybrid Proxy is acting as a client of the underlying Multicast DNS Proxy is acting as a client of the underlying Multicast DNS
subsystem, and benefits from the same caching and efficiency measures subsystem, and benefits from the same caching and efficiency measures
as any other client using that subsystem. as any other client using that subsystem.
4.2. Domain Enumeration 5.2. Domain Enumeration
An DNS-SD client performs Domain Enumeration [RFC6763] via certain A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR
PTR queries. It issues unicast Domain Enumeration queries using its queries, using both unicast and multicast. If it receives a Domain
"home" domain (typically learned via DHCP) and using its IPv6 prefix Name configuration via DHCP option 15 [RFC2132], then it issues
and IPv4 subnet address. These are described below in Section 4.2.1. unicast queries using this domain. It issues unicast queries using
It also issues multicast Domain Enumeration queries in the "local" names derived from its IPv6 prefix(es) and IPv4 subnet address(es).
domain [RFC6762]. These are described below in Section 4.2.2. The These are described below in Section 5.2.1. It also issues multicast
results of all Domain Enumeration queries are combined for Service Domain Enumeration queries in the "local" domain [RFC6762]. These
Discovery purposes. are described below in Section 5.2.2. The results of all the Domain
Enumeration queries are combined for Service Discovery purposes.
4.2.1. Domain Enumeration via Unicast Queries 5.2.1. Domain Enumeration via Unicast Queries
The administrator creates Domain Enumeration PTR records [RFC6763] to The administrator creates Domain Enumeration PTR records [RFC6763] to
inform clients of available service discovery domains, e.g.,: inform clients of available service discovery domains, e.g.,:
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
skipping to change at page 9, line 33 skipping to change at page 11, line 38
This means that each Resource Record in the Answer Section can take This means that each Resource Record in the Answer Section can take
up to 268 bytes total, which means that the Answer Section can up to 268 bytes total, which means that the Answer Section can
contain, in the worst case, no more than 243 domains. contain, in the worst case, no more than 243 domains.
In a more typical scenario, where the domain names are not all In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names so maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer Section that reasonable name compression is possible, each Answer Section
Resource Record may average 140 bytes, which means that the Answer Resource Record may average 140 bytes, which means that the Answer
Section can contain up to 466 domains. Section can contain up to 466 domains.
4.2.2. Domain Enumeration via Multicast Queries It is anticipated that this should be sufficient for even a large
corporate network or university campus.
5.2.2. Domain Enumeration via Multicast Queries
Since a Hybrid Proxy exists on many, if not all, the links in an Since a Hybrid Proxy exists on many, if not all, the links in an
enterprise, it offers an additional way to provide Domain Enumeration enterprise, it offers an additional way to provide Domain Enumeration
data for clients. data for clients.
A Hybrid Proxy can be configured to generate Multicast DNS responses A Hybrid Proxy can be configured to generate Multicast DNS responses
for the following Multicast DNS Domain Enumeration queries issues by for the following Multicast DNS Domain Enumeration queries issued by
clients: clients:
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR ?
This provides the ability for Hybrid Proxies to provide configuration This provides the ability for Hybrid Proxies to indicate recommended
data on a per-link granularity to DNS-SD clients. In some browsing domains to DNS-SD clients on a per-link granularity. In
enterprises it may be preferable to provide this per-link some enterprises it may be preferable to provide this per-link
configuration data in the form of Hybrid Proxy configuration, rather configuration data in the form of Hybrid Proxy configuration, rather
than populating the Unicast DNS servers with the same data (in the than populating the Unicast DNS servers with the same data (in the
"ip6.arpa" or "in-addr.arpa" domains). "ip6.arpa" or "in-addr.arpa" domains).
4.3. Delegated Subdomain for LDH Host Names Regardless of how the network operator chooses to provide this
configuration data, clients will perform Domain Enumeration via both
unicast and multicast queries, and then combine the results of these
queries.
The traditional rules for host names are more restrictive than those 5.3. Delegated Subdomain for LDH Host Names
for DNS-SD service instance names and domains.
Users typically interact with DNS-SD by viewing a list of discovered DNS-SD service instance names and domains are allowed to contain
service instance names on the display and selecting one of them by arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8
pointing, touching, or clicking. Similarly, in software that [RFC3629].
provides a multi-domain DNS-SD user interface, users view a list of
offered domains on the display and select one of them by pointing, Users typically interact with service discovery software by viewing a
touching, or clicking. To use a service, users don't have to list of discovered service instance names on a display, and selecting
remember domain or instance names, or type them; users just have to one of them by pointing, touching, or clicking. Similarly, in
be able to recognize what they see on the display and click on the software that provides a multi-domain DNS-SD user interface, users
thing they want. view a list of offered domains on the display and select one of them
by pointing, touching, or clicking. To use a service, users don't
have to remember domain or instance names, or type them; users just
have to be able to recognize what they see on the display and touch
or click on the thing they want.
In contrast, host names are often remembered and typed. Also, host In contrast, host names are often remembered and typed. Also, host
names have historically been used in command-line interfaces where names have historically been used in command-line interfaces where
spaces can be inconvenient. For this reason, host names have spaces can be inconvenient. For this reason, host names have
traditionally been restricted to letters, digits and hyphens, with no traditionally been restricted to letters, digits and hyphens (LDH),
spaces or other punctuation. with no spaces or other punctuation.
While we still want to allow rich text for DNS-SD service instance While we still want to allow rich text for DNS-SD service instance
names and domains, it is advisable, for maximum compatibility with names and domains, it is advisable, for maximum compatibility with
existing usage, to restrict host names to the traditional letter- existing usage, to restrict host names to the traditional letter-
digit-hyphen rules. This means that while a service name digit-hyphen rules. This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and "My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is "example.com"), a host name "My-Printer.Building 1.example.com" is
less desirable (because of the space in "Building 1"). less desirable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Hybrid Proxy To accomodate this difference in allowable characters, a Hybrid Proxy
SOULD support having separate subdomains delegated to it, one whose SHOULD support having two separate subdomains delegated to it for
name is allowed to contain arbitrary Net-Unicode text [RFC5198], and each link it serves, one whose name is allowed to contain arbitrary
a second more constrained subdomain whose name is restricted to Net-Unicode text [RFC5198], and a second more constrained subdomain
contain only letters, digits, and hyphens, to be used for host name whose name is restricted to contain only letters, digits, and
records (names of 'A' and 'AAAA' address records). hyphens, to be used for host name records (names of 'A' and 'AAAA'
address records).
For example, a Hybrid Proxy could have the two subdomains For example, a Hybrid Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it. "Building 1.example.com" and "bldg1.example.com" delegated to it.
The Hybrid Proxy would then translate these two Multicast DNS The Hybrid Proxy would then translate these two Multicast DNS
records: records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 10.0.1.2 prnt.local. A 203.0.113.2
into Unicast DNS records as follows: into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 10.0.1.2 prnt.bldg1.example.com. A 203.0.113.2
Note that the SRV record name is translated using the rich-text Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record name is domain name ("Building 1.example.com") and the address record name is
translated using the LDH domain ("bldg1.example.com"). translated using the LDH domain ("bldg1.example.com").
A Hybrid Proxy MAY support only a single rich text Net-Unicode A Hybrid Proxy MAY support only a single rich text Net-Unicode
domain, and use that domain for all records, including 'A' and 'AAAA' domain, and use that domain for all records, including 'A' and 'AAAA'
address records, but implementers choosing this option should be address records, but implementers choosing this option should be
aware that this choice may produce host names that are awkward to use aware that this choice may produce host names that are awkward to use
in command-line environments. Whether this is an issue depends on in command-line environments. Whether this is an issue depends on
whether users in the target environment are expected to be using whether users in the target environment are expected to be using
command-line interfaces. command-line interfaces.
A Hybrid Proxy MUST NOT be restricted to support only a letter-digit- A Hybrid Proxy MUST NOT be restricted to support only a letter-digit-
hyphen subdomain, because that results in an unnecessarily poor user hyphen subdomain, because that results in an unnecessarily poor user
experience. experience.
4.4. Delegated Subdomain for Reverse Mapping 5.4. Delegated Subdomain for Reverse Mapping
A Hybrid Proxy can facilitate easier management of reverse mapping A Hybrid Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses. be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the delegate ownership of the appropriate reverse mapping domain to the
Hybrid Proxy. In other words, the Hybrid Proxy becomes the Hybrid Proxy. In other words, the Hybrid Proxy becomes the
authoritative name server for the reverse mapping domain. authoritative name server for the reverse mapping domain. For fault
tolerance reasons there may be more than one Hybrid Proxy serving a
given link.
For example, if a given link is using the IPv6 prefix 2001:0DB8/32, For example, if a given link is using the IPv6 prefix
then the domain "8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid 2001:0DB8:1234:5678/64, then the domain
"8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid
Proxy for that link. Proxy for that link.
If a given link is using the IPv4 subnet 10.1/16, then the domain If a given link is using the IPv4 subnet 203.0.113/24, then the
"1.10.in-addr.arpa" is delegated to the Hybrid Proxy for that link. domain "113.0.203.in-addr.arpa" is delegated to the Hybrid Proxy for
that link.
When a reverse mapping query arrives at the Hybrid Proxy, it issues When a reverse mapping query arrives at the Hybrid Proxy, it issues
the identical query on its local link as a Multicast DNS query. the identical query on its local link as a Multicast DNS query.
(In the Apple "/usr/include/dns_sd.h" APIs, using ForceMulticast The mechanism to force an apparently unicast name to be resolved
indicates that the DNSServiceQueryRecord() call should perform the using link-local Multicast DNS varies depending on the API set being
query using Multicast DNS.) When the host owning that IPv6 or IPv4 used. For example, in the "/usr/include/dns_sd.h" APIs
address responds with a name of the form "something.local", the (available on macOS, iOS, Microsoft Windows, Linux and Android),
Hybrid Proxy rewrites that to use its configured LDH host name domain using kDNSServiceFlagsForceMulticast indicates that the
instead of "local" and returns the response to the caller. DNSServiceQueryRecord() call should perform the query using Multicast
DNS. Other APIs sets have different ways of forcing multicast
queries. When the host owning that IPv6 or IPv4 address responds
with a name of the form "something.local", the Hybrid Proxy rewrites
that to use its configured LDH host name domain instead of "local",
and returns the response to the caller.
For example, a Hybrid Proxy with the two subdomains For example, a Hybrid Proxy with the two subdomains
"1.10.in-addr.arpa" and "bldg1.example.com" delegated to it would "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it
translate this Multicast DNS record: would translate this Multicast DNS record:
3.2.1.10.in-addr.arpa. PTR prnt.local. 2.113.0.203.in-addr.arpa. PTR prnt.local.
into this Unicast DNS response: into this Unicast DNS response:
3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com. 2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record, Subsequent queries for the prnt.bldg1.example.com address record,
falling as it does within the bldg1.example.com domain, which is falling as it does within the bldg1.example.com domain, which is
delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where
they are answered by issuing Multicast DNS queries and using the they are answered by issuing Multicast DNS queries and using the
received Multicast DNS answers to synthesize Unicast DNS responses, received Multicast DNS answers to synthesize Unicast DNS responses,
as described above. as described above.
4.5. Data Translation 5.5. Data Translation
Generating the appropriate Multicast DNS queries involves, at the Generating the appropriate Multicast DNS queries involves, at the
very least, translating from the configured DNS domain very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side to "local" (e.g., "Building 1.example.com") on the Unicast DNS side to "local"
on the Multicast DNS side. on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating Generating the appropriate Unicast DNS responses involves translating
back from "local" to the configured DNS Unicast domain. back from "local" to the configured DNS Unicast domain.
Other beneficial translation and filtering operations are described Other beneficial translation and filtering operations are described
below. below.
4.5.1. DNS TTL limiting 5.5.1. DNS TTL limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75 values. For example, the typical TTL on DNS-SD PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol cache coherency mechanisms built in to the Multicast DNS protocol
which protect against stale data persisting for too long. When a which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove its service shuts down gracefully, it sends goodbye packets to remove its
PTR records immediately from neighbouring caches. If a service shuts PTR records immediately from neighbouring caches. If a service shuts
down abruptly without sending goodbye packets, the Passive down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in Section 10.5 of Observation Of Failures (POOF) mechanism described in Section 10.5 of
skipping to change at page 13, line 41 skipping to change at page 16, line 45
A traditional Unicast DNS client on a remote link does not get to A traditional Unicast DNS client on a remote link does not get to
participate in these Multicast DNS cache coherency mechanisms on the participate in these Multicast DNS cache coherency mechanisms on the
local link. For traditional Unicast DNS queries (those received local link. For traditional Unicast DNS queries (those received
without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push
Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in
the resulting Unicast DNS response SHOULD be capped to be no more the resulting Unicast DNS response SHOULD be capped to be no more
than ten seconds. than ten seconds.
Similarly, for negative responses, the negative caching TTL indicated Similarly, for negative responses, the negative caching TTL indicated
in the SOA record [RFC2308] should also be ten seconds (Section 5). in the SOA record [RFC2308] should also be ten seconds (Section 6.1).
This value of ten seconds is chosen based on user experience This value of ten seconds is chosen based on user experience
considerations. considerations.
For negative caching, suppose a user is attempting to access a remote For negative caching, suppose a user is attempting to access a remote
device (e.g., a printer), and they are unsuccessful because that device (e.g., a printer), and they are unsuccessful because that
device is powered off. Suppose they then place a telephone call and device is powered off. Suppose they then place a telephone call and
ask for the device to be powered on. We want the device to become ask for the device to be powered on. We want the device to become
available to the user within a reasonable time period. It is available to the user within a reasonable time period. It is
reasonble to expect it to take on the order of ten seconds for a reasonable to expect it to take on the order of ten seconds for a
simple device with a simple embedded operating system to power on. simple device with a simple embedded operating system to power on.
Once the device is powered on and has announced its presence on the Once the device is powered on and has announced its presence on the
network via Multicast DNS, we would like it to take no more than a network via Multicast DNS, we would like it to take no more than a
further ten seconds for stale negative cache entries to expire from further ten seconds for stale negative cache entries to expire from
Unicast DNS caches, making the device available to the user desiring Unicast DNS caches, making the device available to the user desiring
to access it. to access it.
Similar reasoning applies to capping positive TTLs at ten seconds. Similar reasoning applies to capping positive TTLs at ten seconds.
In the event of a device moving location, getting a new DHCP address, In the event of a device moving location, getting a new DHCP address,
or other renumbering events, we would like the updated information to or other renumbering events, we would like the updated information to
be available to remote clients in a relatively timely fashion. be available to remote clients in a relatively timely fashion.
skipping to change at page 14, line 28 skipping to change at page 17, line 32
TTL of 30 seconds. If stale data appears to be persisting in the TTL of 30 seconds. If stale data appears to be persisting in the
network to the extent that it adversely impacts user experience, network to the extent that it adversely impacts user experience,
network administrators are advised to check the configuration of network administrators are advised to check the configuration of
their recursive DNS servers. their recursive DNS servers.
For received Unicast DNS queries that contain an LLQ or DNS Push For received Unicast DNS queries that contain an LLQ or DNS Push
Notification option, the Multicast DNS record's TTL SHOULD be Notification option, the Multicast DNS record's TTL SHOULD be
returned unmodified, because the Push Notification channel exists to returned unmodified, because the Push Notification channel exists to
inform the remote client as records come and go. For further details inform the remote client as records come and go. For further details
about Long-Lived Queries, and its newer replacement, DNS Push about Long-Lived Queries, and its newer replacement, DNS Push
Notifications, see Section 4.6. Notifications, see Section 5.6.
4.5.2. Suppressing Unusable Records 5.5.2. Suppressing Unusable Records
A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that
are not useful outside the local link. For example, DNS A and AAAA are not useful outside the local link. For example, DNS A and AAAA
records for IPv6 link-local addresses [RFC4862] and IPv4 link-local records for IPv6 link-local addresses [RFC4862] and IPv4 link-local
addresses [RFC3927] should be suppressed. Similarly, for sites that addresses [RFC3927] SHOULD be suppressed. Similarly, for sites that
have multiple private address realms [RFC1918], private addresses have multiple private address realms [RFC1918], in cases where the
from one private address realm SHOULD NOT be communicated to clients Hybrid Proxy can determine that the querying client is in a different
in a different private address realm. address realm, private addresses MUST NOT be communicated to that
client. IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed
in cases where the Hybrid Proxy can determine that the querying
client is in a different IPv6 address realm.
By the same logic, DNS SRV records that reference target host names By the same logic, DNS SRV records that reference target host names
that have no addresses usable by the requester should be suppressed, that have no addresses usable by the requester should be suppressed,
and likewise, DNS PTR records that point to unusable SRV records and likewise, DNS PTR records that point to unusable SRV records
should be similarly be suppressed. should be similarly be suppressed.
4.5.3. Text Encoding Translation 5.5.3. NSEC and NSEC3 queries
Since a Hybrid Proxy only knows what names exist on the local link by
issuing queries for them, and since it would be impractical to issue
queries for every possible name just to find out which names exist
and which do not, a Hybrid Proxy cannot programatically generate the
traditional NSEC and NSEC3 records which assert the nonexistence of a
large range names.
When queried for an NSEC or NSEC3 record type, the Hybrid Proxy
issues a qtype "ANY" query using Multicast DNS on the local link, and
then generates an NSEC or NSEC3 response signifying which record
types do and do not exist just the specific name queried, and no
others.
Multicast DNS NSEC records received on the local link MUST NOT be
forwarded unmodified to a unicast querier, because there are slight
differences in the NSEC record data. In particular, Multicast DNS
NSEC records do not have the NSEC bit set in the Type Bit Map,
whereas conventional Unicast DNS NSEC records do have the NSEC bit
set.
5.5.4. Text Encoding Translation
A Hybrid Proxy does no translation between text encodings. A Hybrid Proxy does no translation between text encodings.
Specifically, a Hybrid Proxy does no translation between Punycode and Specifically, a Hybrid Proxy does no translation between Punycode and
UTF-8, either in the owner name of DNS records, or anywhere in the UTF-8, either in the owner name of DNS records, or anywhere in the
RDATA of DNS records (such as the RDATA of PTR records, SRV records, RDATA of DNS records (such as the RDATA of PTR records, SRV records,
NS records, or other record types like TXT, where it is ambiguous NS records, or other record types like TXT, where it is ambiguous
whether the RDATA may contain DNS names). All bytes are treated whether the RDATA may contain DNS names). All bytes are treated
as-is, with no attempt at text encoding translation. A client as-is, with no attempt at text encoding translation. A client
implementing DNS-based Service Discovery [RFC6763] will use UTF-8 implementing DNS-based Service Discovery [RFC6763] will use UTF-8
encoding for its service discovery queries, which the Hybrid Proxy encoding for its service discovery queries, which the Hybrid Proxy
passes through without any text encoding translation to the Multicast passes through without any text encoding translation to the Multicast
DNS subsystem. Responses from the Multicast DNS subsystem are DNS subsystem. Responses from the Multicast DNS subsystem are
similarly returned, without any text encoding translation, back to similarly returned, without any text encoding translation, back to
the requesting client. the requesting client.
4.5.4. Application-Specific Data Translation 5.5.5. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is There may be cases where Application-Specific Data Translation is
appropriate. appropriate.
For example, AirPrint printers tend to advertise fairly verbose For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. TXT information about their capabilities in their DNS-SD TXT record. TXT
record sizes in the range 500-1000 bytes are not uncommon. This record sizes in the range 500-1000 bytes are not uncommon. This
information is a legacy from LPR printing, because LPR does not have information is a legacy from LPR printing, because LPR does not have
in-band capability negotiation, so all of this information is in-band capability negotiation, so all of this information is
conveyed using the DNS-SD TXT record instead. IPP printing does have conveyed using the DNS-SD TXT record instead. IPP printing does have
skipping to change at page 15, line 38 skipping to change at page 19, line 20
via unicast (via UDP or TCP) this amount of unnecessary TXT record via unicast (via UDP or TCP) this amount of unnecessary TXT record
information can result in large responses. A DNS reply over TCP information can result in large responses. A DNS reply over TCP
carrying information about 70 printers with an average of 700 bytes carrying information about 70 printers with an average of 700 bytes
per printer adds up to about 50 kilobytes of data. Therefore, a per printer adds up to about 50 kilobytes of data. Therefore, a
Hybrid Proxy that is aware of the specifics of an application-layer Hybrid Proxy that is aware of the specifics of an application-layer
protocol such as AirPrint (which uses IPP) can elide unnecessary key/ protocol such as AirPrint (which uses IPP) can elide unnecessary key/
value pairs from the DNS-SD TXT record for better network efficiency. value pairs from the DNS-SD TXT record for better network efficiency.
Also, the DNS-SD TXT record for many printers contains an "adminurl" Also, the DNS-SD TXT record for many printers contains an "adminurl"
key something like "adminurl=http://printername.local/status.html". key something like "adminurl=http://printername.local/status.html".
For this URL to be useful outside the local link, the embedded dot- For this URL to be useful outside the local link, the embedded
local hostname needs to be translated to an appropriate name with ".local" hostname needs to be translated to an appropriate name with
larger scope. Dot-local names are easily translated when they appear larger scope. It is easy to translate ".local" names when they
in well-defined places, either as a record's name, or in the rdata of appear in well-defined places, either as a record's name, or in the
record types like PTR and SRV. In the printing case, some rdata of record types like PTR and SRV. In the printing case, some
application-specific knowledge about the semantics of the "adminurl" application-specific knowledge about the semantics of the "adminurl"
key is needed for the Hybrid Proxy to know that it contains a name key is needed for the Hybrid Proxy to know that it contains a name
that needs to be translated. This is somewhat analogous to the need that needs to be translated. This is somewhat analogous to the need
for NAT gateways to contain ALGs (Application-Specific Gateways) to for NAT gateways to contain ALGs (Application-Specific Gateways) to
facilitate the correct translation of protocols that embed addresses facilitate the correct translation of protocols that embed addresses
in unexpected places. in unexpected places.
As is the case with NAT ALGs, protocol designers are advised to avoid As is the case with NAT ALGs, protocol designers are advised to avoid
communicating names and addresses in nonstandard locations, because communicating names and addresses in nonstandard locations, because
those "hidden" names and addresses are at risk of not being those "hidden" names and addresses are at risk of not being
skipping to change at page 16, line 32 skipping to change at page 20, line 14
the case that it is wise to start with a clean, layered design, with the case that it is wise to start with a clean, layered design, with
clear boundaries. Then, in certain special cases, those layer clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency boundaries may be violated, where the performance and efficiency
benefits outweigh the inelegance of the layer violation. benefits outweigh the inelegance of the layer violation.
These layer violations are optional. They are done primarily for These layer violations are optional. They are done primarily for
efficiency reasons, and generally should not be required for correct efficiency reasons, and generally should not be required for correct
operation. A Hybrid Proxy MAY operate solely at the mDNS layer, operation. A Hybrid Proxy MAY operate solely at the mDNS layer,
without any knowledge of semantics at the DNS-SD layer or above. without any knowledge of semantics at the DNS-SD layer or above.
4.6. Answer Aggregation 5.6. Answer Aggregation
In a simple analysis, simply gathering multicast answers and In a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises forwarding them in a unicast response seems adequate, but it raises
the question of how long the Hybrid Proxy should wait to be sure that the question of how long the Hybrid Proxy should wait to be sure that
it has received all the Multicast DNS answers it needs to form a it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In long, then it creates a poor user experience at the client end. In
fact, there may be no time which is both short enough to produce a fact, there may be no time which is both short enough to produce a
good user experience and at the same time long enough to reliably good user experience and at the same time long enough to reliably
skipping to change at page 17, line 12 skipping to change at page 20, line 42
network traffic will be more than necessary. In fact, there may be network traffic will be more than necessary. In fact, there may be
no TTL which is both short enough to avoid undesirable stale data and no TTL which is both short enough to avoid undesirable stale data and
at the same time long enough to be efficient on the network. at the same time long enough to be efficient on the network.
Both these dilemmas are solved by use of DNS Long-Lived Queries Both these dilemmas are solved by use of DNS Long-Lived Queries
(DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push (DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push
Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can
support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy
that supports both the client may use either protocol, as it chooses, that supports both the client may use either protocol, as it chooses,
though it is expected that only DNS Push will continue to be though it is expected that only DNS Push will continue to be
supported in the long run.) supported in the long run.) Clients supporting unicast DNS Service
Discovery SHOULD implement DNS Push Notifications
[I-D.ietf-dnssd-push] for improved user experience.
When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push
Notification option, it responds immediately using the Multicast DNS Notification option, it responds immediately using the Multicast DNS
records it already has in its cache (if any). This provides a good records it already has in its cache (if any). This provides a good
client user experience by providing a near-instantaneous response. client user experience by providing a near-instantaneous response.
Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the
local link to discover if there are any additional Multicast DNS local link to discover if there are any additional Multicast DNS
records it did not already know about. Should additional Multicast records it did not already know about. Should additional Multicast
DNS responses be received, these are then delivered to the client DNS responses be received, these are then delivered to the client
using DNS LLQ or DNS Push Notification update messages. The using DNS LLQ or DNS Push Notification update messages. The
skipping to change at page 18, line 26 skipping to change at page 21, line 45
The second factor is whether the Hybrid Proxy already has at least The second factor is whether the Hybrid Proxy already has at least
one record in its cache that positively answers the question. one record in its cache that positively answers the question.
o No LLQ or PUSH option; no answer in cache: o No LLQ or PUSH option; no answer in cache:
Issue an mDNS query, exactly as a local client would issue an mDNS Issue an mDNS query, exactly as a local client would issue an mDNS
query on the local link for the desired record name, type and query on the local link for the desired record name, type and
class, including retransmissions, as appropriate, according to the class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule [RFC6762]. As soon as established mDNS retransmission schedule [RFC6762]. As soon as
any Multicast DNS response packet is received that contains one or any Multicast DNS response packet is received that contains one or
more positive answers to that question (with or without the Cache more positive answers to that question (with or without the Cache
Flush bit [RFC6762] set), or a negative answer (signified via an Flush bit [RFC6762] set), or a negative answer (signified via a
NSEC record [RFC6762]), the Hybrid Proxy generates a Unicast DNS Multicast DNS NSEC record [RFC6762]), the Hybrid Proxy generates a
response packet containing the corresponding (filtered and Unicast DNS response packet containing the corresponding (filtered
translated) answers and sends it to the remote client. If after and translated) answers and sends it to the remote client. If
six seconds no Multicast DNS answers have been received, return a after six seconds no Multicast DNS answers have been received,
negative response to the remote client. return a negative response to the remote client. Six seconds is
enough time to transmit three mDNS queries, and allow some time
for responses to arrive.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
o No LLQ or PUSH option; at least one answer in cache: o No LLQ or PUSH option; at least one answer in cache:
Send response right away to minimise delay. Send response right away to minimise delay.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
No local mDNS queries are performed. No local mDNS queries are performed.
(Reasoning: Given RRSet TTL harmonisation, if the proxy has one (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
Multicast DNS answer in its cache, it can reasonably assume that Multicast DNS answer in its cache, it can reasonably assume that
it has all of them.) it has all of them.)
o Query contains LLQ or PUSH option; no answer in cache: o Query contains LLQ or PUSH option; no answer in cache:
As in the case above with no answer in the cache, perform mDNS As in the case above with no answer in the cache, perform mDNS
querying for six seconds, and send a response to the remote client querying for six seconds, and send a response to the remote client
as soon as any relevant mDNS response is received. as soon as any relevant mDNS response is received.
If after six seconds no relevant mDNS response has been received, If after six seconds no relevant mDNS response has been received,
return negative response to the remote client. (Reasoning: We return negative response to the remote client (for LLQ; not
don't need to rush to send an empty answer.) applicable for PUSH). (Reasoning: We don't need to rush to send
an empty answer.)
Whether or not a relevant mDNS response is received within six Whether or not a relevant mDNS response is received within six
seconds, the query remains active for as long as the client seconds, the query remains active for as long as the client
maintains the LLQ or PUSH state, and if mDNS answers are received maintains the LLQ or PUSH state, and if mDNS answers are received
later, LLQ or PUSH update messages are sent. later, LLQ or PUSH update messages are sent.
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
o Query contains LLQ or PUSH option; at least one answer in cache: o Query contains LLQ or PUSH option; at least one answer in cache:
As in the case above with at least one answer in cache, send As in the case above with at least one answer in cache, send
response right away to minimise delay. response right away to minimise delay.
The query remains active for as long as the client maintains the The query remains active for as long as the client maintains the
LLQ or PUSH state, and if additional mDNS answers are received LLQ or PUSH state, and if additional mDNS answers are received
later, LLQ or PUSH update messages are sent. later, LLQ or PUSH update messages are sent.
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want UI that is displayed very rapidly, yet
continues to remain accurate even as the network environment continues to remain accurate even as the network environment
skipping to change at page 19, line 24 skipping to change at page 23, line 5
continues to remain accurate even as the network environment continues to remain accurate even as the network environment
changes.) changes.)
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
Note that the "negative responses" referred to above are "no error no Note that the "negative responses" referred to above are "no error no
answer" negative responses, not NXDOMAIN. This is because the Hybrid answer" negative responses, not NXDOMAIN. This is because the Hybrid
Proxy cannot know all the Multicast DNS domain names that may exist Proxy cannot know all the Multicast DNS domain names that may exist
on a link at any given time, so any name with no answers may have on a link at any given time, so any name with no answers may have
child names that do exist, making it an "empty nonterminal" name. child names that do exist, making it an "empty nonterminal" name.
5. DNS SOA (Start of Authority) Record 6. Administrative DNS Records
6.1. DNS SOA (Start of Authority) Record
The MNAME field SHOULD contain the host name of the Hybrid Proxy The MNAME field SHOULD contain the host name of the Hybrid Proxy
device (i.e., the same domain name as the rdata of the NS record device (i.e., the same domain name as the rdata of the NS record
delegating the relevant zone(s) to this Hybrid Proxy device). delegating the relevant zone(s) to this Hybrid Proxy device).
The RNAME field SHOULD contain the mailbox of the person responsible The RNAME field SHOULD contain the mailbox of the person responsible
for administering this Hybrid Proxy device. for administering this Hybrid Proxy device.
The SERIAL field MUST be zero. The SERIAL field MUST be zero.
Since zone transfers are undefined for Hybrid Proxy zones, the Zone transfers are undefined for Hybrid Proxy zones, and consequently
REFRESH, RETRY and EXPIRE fields have no useful meaning for Hybrid the REFRESH, RETRY and EXPIRE fields have no useful meaning for
Proxy zones. These fields SHOULD contain reasonable default values. Hybrid Proxy zones. These fields SHOULD contain reasonable default
The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE 86400. values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE
86400.
The MINIMUM field (used to control the lifetime of negative cache The MINIMUM field (used to control the lifetime of negative cache
entries) SHOULD contain the value 10. The value of ten seconds is entries) SHOULD contain the value 10. The value of ten seconds is
chosen based on user experience considerations (see Section 4.5.1). chosen based on user experience considerations (see Section 5.5.1).
6. DNSSEC Issues In the event that there are multiple Hybrid Proxy devices on a link
for fault tolerance reasons, this will result in clients receiving
inconsistent SOA records (different MNAME, and possibly RNAME)
depending on which Hybrid Proxy answers their SOA query. However,
since clients generally have no reason to use the MNAME or RNAME
data, this is unlikely to cause any problems.
6.1. On-line signing only 6.2. DNS NS Records
In the event that there are multiple Hybrid Proxy devices on a link
for fault tolerance reasons, the parent zone MUST be configured with
glue records giving the names and addresses of all the Hybrid Proxy
devices on the link.
Each Hybrid Proxy device MUST be configured with its own NS record,
and with the NS records of its fellow Hybrid Proxy devices on the
same link, so that it can return the correct answers for NS queries.
6.3. DNS SRV Records
In the event that a Hybrid Proxy implements LLQ [I-D.sekar-dns-llq]
and/or DNS Push Notifications [I-D.ietf-dnssd-push] (as most SHOULD)
they MUST generate answers for the appropriate corresponding _dns-
llq._udp.<zone> and/or _dns-push-tls._tcp.<zone> SRV record queries.
These records are conceptually inserted into the namespace of the
corresponding zones. They do not exist in the ".local" namespace of
the local link.
7. DNSSEC Issues
7.1. On-line signing only
Auth server must possess key, to generate signed data from mDNS Auth server must possess key, to generate signed data from mDNS
responses. Therefore off-line signing not applicable to Hybrid responses. Therefore off-line signing not applicable to Hybrid
Proxy. Proxy.
6.2. NSEC and NSEC3 Records 7.2. NSEC and NSEC3 Records
In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
of certain names, also described as "authenticated denial of of certain names, also described as "authenticated denial of
existence". existence".
Since a Hybrid Proxy only knows what names exist on the local link by Since a Hybrid Proxy only knows what names exist on the local link by
issuing queries for them, and since it would be impractical to issue issuing queries for them, and since it would be impractical to issue
queries for every possible name just to find out which names exist queries for every possible name just to find out which names exist
and which do not, a Hybrid Proxy cannot programatically synthesize and which do not, a Hybrid Proxy cannot programatically synthesize
the traditional NSEC and NSEC3 records which assert the nonexistence the traditional NSEC and NSEC3 records which assert the nonexistence
of a large range names. Instead, when generating a negative of a large range names. Instead, when generating a negative
response, a Hybrid Proxy programatically synthesizes a single NSEC response, a Hybrid Proxy programatically synthesizes a single NSEC
record assert the nonexistence of just the specific name queried, and record assert the nonexistence of just the specific name queried, and
no others. Since the Hybrid Proxy has the zone signing key, it can no others. Since the Hybrid Proxy has the zone signing key, it can
do this on demand. Since the NSEC record asserts the nonexistence of do this on demand. Since the NSEC record asserts the nonexistence of
only a single name, zone walking is not a concern, so NSEC3 is not only a single name, zone walking is not a concern, so NSEC3 is not
necessary. Note that this applies only to traditional immediate DNS necessary.
queries, which may return immediate negative answers when no
immediate positive answer is available. When used with a DNS Push
Notification subscription [I-D.ietf-dnssd-push] there are no negative
answers, merely the absence of answers so far, which may change in
the future if answers become available.
7. Implementation Status
Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new.
7.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is
already implemented and deployed.
Unicast queries to the indicated discovery domain is already
implemented and deployed.
These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
and later.
Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When you Press Cmd-P on your Mac, or
select AirPrint on your iPad or iPhone, and the Terminal room
printers appear, that is because your client is sending unicast DNS
queries to the IETF DNS servers.
7.2. Already Implemented
A minimal portable Hybrid Proxy implementation has been produced by
Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the
Berlin IETF in July 2013.
Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo
CLI and web interface.
7.3. Partially Implemented
The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Hybrid
Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with
the Hybrid Proxy, but will show all services in a single flat list.
Applications with improved UI will group services by domain.
The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
this specification exists and is deployed, but has not been
standardized by the IETF. The IETF is considering standardizing a
superior Long-Lived Query mechanism called DNS Push Notifications
[I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach
is for vendors to produce Hybrid Proxies that implement both the
deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's
clients) and the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] as the preferred long-term direction.
The translating/filtering Hybrid Proxy specified in this document.
Implementations are under development, and operational experience
with these implementations has guided updates to this document.
7.4. Not Yet Implemented
Client implementations of the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] are currently underway.
A mechanism to 'stitch' together multiple ".local." zones so that Note that this applies only to traditional immediate DNS queries,
they appear as one. Such a stitching mechanism will be specified in which may return immediate negative answers when no immediate
a future companion document. This stitching mechanism addresses the positive answer is available. When used with a DNS Push Notification
issue that if a printer is physically moved from one link to another, subscription [I-D.ietf-dnssd-push] there are no negative answers,
then conceptually the old service has disappeared from the DNS merely the absence of answers so far, which may change in the future
namespace, and a new service with a similar name has appeared. This if answers become available.
stitching mechanism will allow a service to change its point of
attachment without changing the name by which it can be found.
8. IPv6 Considerations 8. IPv6 Considerations
An IPv6-only host and an IPv4-only host behave as "ships that pass in An IPv6-only host and an IPv4-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet, neither is aware the night". Even if they are on the same Ethernet [802.3], neither
of the other's traffic. For this reason, each physical link may have is aware of the other's traffic. For this reason, each link may have
*two* unrelated ".local." zones, one for IPv6 and one for IPv4. *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
Since for practical purposes, a group of IPv6-only hosts and a group Since for practical purposes, a group of IPv6-only hosts and a group
of IPv4-only hosts on the same Ethernet act as if they were on two of IPv4-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments. really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these It will be desirable to have a mechanism to 'stitch' together these
two unrelated ".local." zones so that they appear as one. Such two unrelated ".local." zones so that they appear as one. Such
mechanism will need to be able to differentiate between a dual-stack mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different (v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv6-only and the other IPv4-only, which are both trying hosts, one IPv6-only and the other IPv4-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a to use the same name(s). Such a mechanism will be specified in a
future companion document. future companion document.
At present, it is RECOMMENDED that a Hybrid Proxy be configured with
a single domain name for both the IPv4 and IPv6 ".local." zones on
the local link, and when a unicast query is received, it should issue
Multicast DNS queries using both IPv4 and IPv6 on the local link, and
then combine the results.
9. Security Considerations 9. Security Considerations
9.1. Authenticity 9.1. Authenticity
A service proves its presence on a link by its ability to answer A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is link-local multicast queries on that link. If greater security is
desired, then the Hybrid Proxy mechanism should not be used, and desired, then the Hybrid Proxy mechanism should not be used, and
something with stronger security should be used instead, such as something with stronger security should be used instead, such as
authenticated secure DNS Update [RFC2136] [RFC3007]. authenticated secure DNS Update [RFC2136] [RFC3007].
skipping to change at page 23, line 31 skipping to change at page 26, line 9
made visible via the Hybrid Proxy mechanism, then when those services made visible via the Hybrid Proxy mechanism, then when those services
become visible in a domain such as "My House.example.com" that might become visible in a domain such as "My House.example.com" that might
indicate to (potentially hostile) observers that the mobile device is indicate to (potentially hostile) observers that the mobile device is
in my house. When those services disappear from in my house. When those services disappear from
"My House.example.com" that change could be used by observers to "My House.example.com" that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using the house. The privacy of this information may be protected using
techniques like firewalls and split-view DNS, as are customarily used techniques like firewalls and split-view DNS, as are customarily used
today to protect the privacy of corporate DNS information. today to protect the privacy of corporate DNS information.
The Hybrid Proxy could also provide sensitive records only to
authenticated users. This is a general DNS problem, not specific to
the Hybrid Proxy. Work is underway in the IETF to tackle this
problem [RFC7626].
9.3. Denial of Service 9.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of queries to induce a Hybrid Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local corresponding Multicast DNS queries on one or more of its local
links. Multicast traffic is expensive -- especially on Wi-Fi links links. Multicast traffic is generally more expensive than unicast
-- which makes this attack particularly serious. To limit the damage traffic -- especially on Wi-Fi links -- which makes this attack
that can be caused by such attacks, a Hybrid Proxy (or the underlying particularly serious. To limit the damage that can be caused by such
Multicast DNS subsystem which it utilizes) MUST implement Multicast attacks, a Hybrid Proxy (or the underlying Multicast DNS subsystem
DNS query rate limiting appropriate to the link technology in which it utilizes) MUST implement Multicast DNS query rate limiting
question. For Wi-Fi links the Multicast DNS subsystem SHOULD NOT appropriate to the link technology in question. For today's 802.11b/
issue more than 20 Multicast DNS query packets per second. On other g/n/ac Wi-Fi links (for which approximately 200 multicast packets per
link technologies like Gigabit Ethernet higher limits may be second is sufficient to consume approximately 100% of the wireless
appropriate. spectrum) a limit of 20 Multicast DNS query packets per second is
RECOMMENDED. On other link technologies like Gigabit Ethernet higher
limits may be appropriate. A consequence of this rate limiting is
that a rogue remote client could issue an excessive number of
queries, resuling in denial of service to other remote clients
attempting to use that Hybrid Proxy. However, this is preferable to
a rogue remote client being able to inflict even greater harm on the
local network, which could impact the correct operation of all local
clients on that network.
10. Intelectual Property Rights 10. Intelectual Property Rights
Apple has submitted an IPR disclosure concerning the technique Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on the IETF IPR proposed in this document. Details are available on the IETF IPR
disclosure page [IPR2119]. disclosure page [IPR2119].
11. IANA Considerations 11. IANA Considerations
This document has no IANA Considerations. This document has no IANA Considerations.
12. Acknowledgments 12. Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Anders Brandt, Tim immediately available in the cache. Thanks to Anders Brandt, Tim
Chown, Ralph Droms, Ray Hunter, Ted Lemon, Tom Pusateri, Markus Chown, Ralph Droms, Ray Hunter, Ted Lemon, Tom Pusateri, Markus
Stenberg, Dave Thaler, and Andrew Yourtchenko for their comments. Stenberg, Dave Thaler, and Andrew Yourtchenko for their comments.
[Partial list; more names to be added.]
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., J. de Groot, [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
G., and E. Lear, "Address Allocation for Private and E. Lear, "Address Allocation for Private Internets",
Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
February 1996, <http://www.rfc-editor.org/info/rfc1918>. <http://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<http://www.rfc-editor.org/info/rfc2308>. <http://www.rfc-editor.org/info/rfc2308>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
November 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, DOI 10.17487/RFC3927, May 2005,
<http://www.rfc-editor.org/info/rfc3927>. <http://www.rfc-editor.org/info/rfc3927>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, DOI 10.17487/ Address Autoconfiguration", RFC 4862, DOI 10.17487/
RFC4862, September 2007, RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>. <http://www.rfc-editor.org/info/rfc4862>.
skipping to change at page 25, line 27 skipping to change at page 28, line 17
<http://www.rfc-editor.org/info/rfc5198>. <http://www.rfc-editor.org/info/rfc5198>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
December 2012. December 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, December 2012. Discovery", RFC 6763, December 2012.
[I-D.ietf-dnssd-push] [I-D.ietf-dnssd-push]
Pusateri, T. and S. Cheshire, "DNS Push Notifications", Pusateri, T. and S. Cheshire, "DNS Push Notifications",
draft-ietf-dnssd-push-03 (work in progress), draft-ietf-dnssd-push-09 (work in progress), October 2016.
November 2015.
13.2. Informative References 13.2. Informative References
[HOME] Cheshire, S., "Special Use Top Level Domain 'home'", [HOME] Cheshire, S., "Special Use Top Level Domain 'home'",
draft-cheshire-homenet-dot-home (work in progress), draft-cheshire-homenet-dot-home (work in progress),
November 2015. November 2015.
[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid [IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
Unicast/Multicast DNS-Based Service Discovery", Unicast/Multicast DNS-Based Service Discovery",
<https://datatracker.ietf.org/ipr/2119/>. <https://datatracker.ietf.org/ipr/2119/>.
[ohp] "Hybrid Proxy implementation for OpenWrt", [ohp] "Hybrid Proxy implementation for OpenWrt",
<https://github.com/sbyx/ohybridproxy/>. <https://github.com/sbyx/ohybridproxy/>.
[I-D.sekar-dns-llq] [I-D.sekar-dns-llq]
Sekar, K., "DNS Long-Lived Queries", Sekar, K., "DNS Long-Lived Queries",
draft-sekar-dns-llq-01 (work in progress), August 2006. draft-sekar-dns-llq-01 (work in progress), August 2006.
[I-D.ietf-homenet-hncp] [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Stenberg, M., Barth, S., and P. Pfister, "Home Networking Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
Control Protocol", draft-ietf-homenet-hncp-09 (work in <http://www.rfc-editor.org/info/rfc2132>.
progress), August 2015.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <http://www.rfc-editor.org/info/rfc2136>.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<http://www.rfc-editor.org/info/rfc3007>. <http://www.rfc-editor.org/info/rfc3007>.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
<http://www.rfc-editor.org/info/rfc4193>.
[RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
"Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015,
<http://www.rfc-editor.org/info/rfc7558>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015,
<http://www.rfc-editor.org/info/rfc7626>.
[RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", RFC 7788, DOI 10.17487/RFC7788,
April 2016, <http://www.rfc-editor.org/info/rfc7788>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol [RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
to Replace the AppleTalk Name Binding Protocol (NBP)", to Replace the AppleTalk Name Binding Protocol (NBP)",
RFC 6760, December 2012. RFC 6760, December 2012.
[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration [ZC] Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. , Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, December 2005. ISBN 0-596-10100-7, December 2005.
[802.1Q] "IEEE Standard for Local and metropolitan area networks --
Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
November 2014, <http://standards.ieee.org/getieee802/
download/802-1Q-2014.pdf>.
[802.3] "Information technology - Telecommunications and
information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part
3: Carrier Sense Multiple Access with Collision Detection
(CMSA/CD) Access Method and Physical Layer
Specifications", IEEE Std 802.3-2008, December 2008,
<http://standards.ieee.org/getieee802/802.3.html>.
[802.5] "ISO/IEC 8802-5 Information technology -
Telecommunications and information exchange between
systems - Local and metropolitan area networks - Common
specifications - Part 5: Token ring access method and
physical layer specifications, (also ANSI/IEEE Std 802.5-
1998), 1998.", IEEE Std 802.5-1998, October 1998,
<http://www.iso.org/iso/catalogue_detail?csnumber=29923/>.
[802.11] "Information technology - Telecommunications and
information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part
11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2007,
June 2007,
<http://standards.ieee.org/getieee802/802.11.html>.
Appendix A. Implementation Status
Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new.
A.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is
already implemented and deployed.
Unicast queries to the indicated discovery domain is already
implemented and deployed.
These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
and later.
Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When an IETF attendee presses Cmd-P
on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal
room printers appear, that is because the client is sending unicast
DNS queries to the IETF DNS servers.
A.2. Already Implemented
A minimal portable Hybrid Proxy implementation has been produced by
Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the
Berlin IETF in July 2013.
Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo
CLI and web interface.
A.3. Partially Implemented
The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Hybrid
Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with
the Hybrid Proxy, but will show all services in a single flat list.
Applications with improved UI will group services by domain.
The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
this specification exists and is deployed, but has not been
standardized by the IETF. The IETF is considering standardizing a
superior Long-Lived Query mechanism called DNS Push Notifications
[I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach
is for vendors to produce Hybrid Proxies that implement both the
deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's
clients) and the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] as the preferred long-term direction.
The translating/filtering Hybrid Proxy specified in this document.
Implementations are under development, and operational experience
with these implementations has guided updates to this document.
A.4. Not Yet Implemented
Client implementations of the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] are currently underway.
A mechanism to 'stitch' together multiple ".local." zones so that
they appear as one. Such a stitching mechanism will be specified in
a future companion document. This stitching mechanism addresses the
issue that if a printer is physically moved from one link to another,
then conceptually the old service has disappeared from the DNS
namespace, and a new service with a similar name has appeared. This
stitching mechanism will allow a service to change its point of
attachment without changing the name by which it can be found.
Author's Address Author's Address
Stuart Cheshire Stuart Cheshire
Apple Inc. Apple Inc.
1 Infinite Loop 1 Infinite Loop
Cupertino, California 95014 Cupertino, California 95014
USA USA
Phone: +1 408 974 3207 Phone: +1 408 974 3207
Email: cheshire@apple.com Email: cheshire@apple.com
 End of changes. 78 change blocks. 
319 lines changed or deleted 546 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/