draft-ietf-dnssd-hybrid-05.txt   draft-ietf-dnssd-hybrid-06.txt 
Internet Engineering Task Force S. Cheshire Internet Engineering Task Force S. Cheshire
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track November 16, 2016 Intended status: Standards Track March 13, 2017
Expires: May 20, 2017 Expires: September 14, 2017
Hybrid Unicast/Multicast DNS-Based Service Discovery Discovery Proxy for Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-05 draft-ietf-dnssd-hybrid-06
Abstract Abstract
This document specifies a mechanism that uses Multicast DNS to This document specifies a mechanism that uses Multicast DNS to
automatically populate the wide-area unicast Domain Name System automatically populate the wide-area unicast Domain Name System
namespace with records describing devices and services found on the namespace with records describing devices and services found on the
local link. local link.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 20, 2017. This Internet-Draft will expire on September 14, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Operational Analogy . . . . . . . . . . . . . . . . . . . . . 6 2. Operational Analogy . . . . . . . . . . . . . . . . . . . . . 6
3. Conventions and Terminology Used in this Document . . . . . . 7 3. Conventions and Terminology Used in this Document . . . . . . 7
4. Compatibility Considerations . . . . . . . . . . . . . . . . . 7 4. Compatibility Considerations . . . . . . . . . . . . . . . . 7
5. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 8 5. Discovery Proxy Operation . . . . . . . . . . . . . . . . . . 8
5.1. Delegated Subdomain for Service Discovery Records . . . . 9 5.1. Delegated Subdomain for Service Discovery Records . . . . 9
5.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 10 5.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . 11
5.2.1. Domain Enumeration via Unicast Queries . . . . . . . . 10 5.2.1. Domain Enumeration via Unicast Queries . . . . . . . 11
5.2.2. Domain Enumeration via Multicast Queries . . . . . . . 12 5.2.2. Domain Enumeration via Multicast Queries . . . . . . 13
5.3. Delegated Subdomain for LDH Host Names . . . . . . . . . . 13 5.3. Delegated Subdomain for LDH Host Names . . . . . . . . . 14
5.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 15 5.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 16
5.5. Data Translation . . . . . . . . . . . . . . . . . . . . . 16 5.5. Data Translation . . . . . . . . . . . . . . . . . . . . 18
5.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 16 5.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . 18
5.5.2. Suppressing Unusable Records . . . . . . . . . . . . . 17 5.5.2. Suppressing Unusable Records . . . . . . . . . . . . 19
5.5.3. NSEC and NSEC3 queries . . . . . . . . . . . . . . . . 18 5.5.3. NSEC and NSEC3 queries . . . . . . . . . . . . . . . 20
5.5.4. Text Encoding Translation . . . . . . . . . . . . . . 18 5.5.4. No Text Encoding Translation . . . . . . . . . . . . 20
5.5.5. Application-Specific Data Translation . . . . . . . . 18 5.5.5. Application-Specific Data Translation . . . . . . . . 21
5.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 20 5.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . 23
6. Administrative DNS Records . . . . . . . . . . . . . . . . . . 23 6. Administrative DNS Records . . . . . . . . . . . . . . . . . 26
6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 23 6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 26
6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . . 23 6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . 27
6.3. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 23 6.3. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 27
7. DNSSEC Issues . . . . . . . . . . . . . . . . . . . . . . . . 24 7. DNSSEC Considerations . . . . . . . . . . . . . . . . . . . . 28
7.1. On-line signing only . . . . . . . . . . . . . . . . . . . 24 7.1. On-line signing only . . . . . . . . . . . . . . . . . . 28
7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . . 24 7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . 28
8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 25 8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 29
9. Security Considerations . . . . . . . . . . . . . . . . . . . 25 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30
9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 25 9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . 30
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 25 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 26 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 31
10. Intelectual Property Rights . . . . . . . . . . . . . . . . . 26 10. Intelectual Property Rights . . . . . . . . . . . . . . . . . 32
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33
13.1. Normative References . . . . . . . . . . . . . . . . . . . 27 13.1. Normative References . . . . . . . . . . . . . . . . . . 33
13.2. Informative References . . . . . . . . . . . . . . . . . . 28 13.2. Informative References . . . . . . . . . . . . . . . . . 34
Appendix A. Implementation Status . . . . . . . . . . . . . . . . 30 Appendix A. Implementation Status . . . . . . . . . . . . . . . 36
A.1. Already Implemented and Deployed . . . . . . . . . . . . . 30 A.1. Already Implemented and Deployed . . . . . . . . . . . . 36
A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 30 A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 36
A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 30 A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 36
A.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 31 A.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 37
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 31 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was with the ease-of-use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC]. well known [RFC6760] [ZC].
For a small home network consisting of just a single link (or a few For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link to physical links bridged together to appear as a single logical link
IP) Multicast DNS [RFC6762] is sufficient for client devices to look from the point of view of IP) Multicast DNS [RFC6762] is sufficient
up the ".local" host names of peers on the same home network, and to for client devices to look up the ".local" host names of peers on the
use DNS-Based Service Discovery (DNS-SD) [RFC6763] to discover same home network, and to use Multicast DNS-Based Service Discovery
services offered on that home network. (DNS-SD) [RFC6763] to discover services offered on that home network.
For a larger network consisting of multiple links that are For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, are not propagated onto other Multicast DNS packets, by design, are not propagated onto other
links. links.
Using link-local multicast packets for Multicast DNS was a conscious Using link-local multicast packets for Multicast DNS was a conscious
design choice [RFC6762]. Even when limited to a single link, design choice [RFC6762]. Even when limited to a single link,
multicast traffic is still generally considered to be more expensive multicast traffic is still generally considered to be more expensive
than unicast, because multicast traffic impacts many devices, instead than unicast, because multicast traffic impacts many devices, instead
of just a single recipient. In addition, with some technologies like of just a single recipient. In addition, with some technologies like
Wi-Fi [802.11], multicast traffic is inherently less efficient and Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and
less reliable than unicast, because Wi-Fi multicast traffic is sent less reliable than unicast, because Wi-Fi multicast traffic is sent
using the lower data rates, and is not acknowledged. Multiplying the using the lower data rates, and is not acknowledged. Multiplying the
amount of expensive multicast traffic by flooding it across multiple amount of expensive multicast traffic by flooding it across multiple
links would make the traffic load even worse. links would make the traffic load even worse.
Partitioning the network into many small links curtails the spread of Partitioning the network into many small links curtails the spread of
expensive multicast traffic, but limits the discoverability of expensive multicast traffic, but limits the discoverability of
services. Using a very large local link with thousands of hosts services. Using a very large local link with thousands of hosts
enables better service discovery, but at the cost of larger amounts enables better service discovery, but at the cost of larger amounts
of multicast traffic. of multicast traffic.
skipping to change at page 4, line 23 skipping to change at page 4, line 23
Populating the Unicast DNS namespace via DNS Update by the devices Populating the Unicast DNS namespace via DNS Update by the devices
offering the services themselves requires configuration of DNS Update offering the services themselves requires configuration of DNS Update
keys on those devices, which has proven onerous and impractical for keys on those devices, which has proven onerous and impractical for
simple devices like printers and network cameras. simple devices like printers and network cameras.
Hence, to facilitate efficient and reliable DNS-Based Service Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, a compromise is needed that combines the ease-of-use of Discovery, a compromise is needed that combines the ease-of-use of
Multicast DNS with the efficiency and scalability of Unicast DNS. Multicast DNS with the efficiency and scalability of Unicast DNS.
This document specifies a type of proxy called a Hybrid Proxy that This document specifies a type of proxy called a "Multicast Discovery
uses Multicast DNS [RFC6762] to discover Multicast DNS records on its Proxy" (or just "Discovery Proxy") that uses Multicast DNS [RFC6762]
local link, and makes corresponding DNS records visible in the to discover Multicast DNS records on its local link, and makes
Unicast DNS namespace. corresponding DNS records visible in the Unicast DNS namespace.
In principle, similar mechanisms could be defined using other local In principle, similar mechanisms could be defined using other local
service discovery protocols, to discover local information and then service discovery protocols, to discover local information and then
make corresponding DNS records visible in the Unicast DNS namespace. make corresponding DNS records visible in the Unicast DNS namespace.
Such mechanisms for other local service discovery protocols could be Such mechanisms for other local service discovery protocols could be
addressed in future documents. addressed in future documents.
The design of the Hybrid Proxy is guided by the previously published The design of the Discovery Proxy is guided by the previously
Requirements for Scalable DNS-Based Service [RFC7558]. published Requirements for Scalable DNS-Based Service [RFC7558].
In simple terms, a descriptive DNS name is chosen for each link in an In simple terms, a descriptive DNS name is chosen for each link in an
organization. Using a DNS NS record, responsibility for that DNS organization. Using a DNS NS record, responsibility for that DNS
name is delegated to a Hybrid Proxy physically attached to that link. name is delegated to a Discovery Proxy physically attached to that
Now, when a remote client issues a unicast query for a name falling link. Now, when a remote client issues a unicast query for a name
within the delegated subdomain, the normal DNS delegation mechanism falling within the delegated subdomain, the normal DNS delegation
results in the unicast query arriving at the Hybrid Proxy, since it mechanism results in the unicast query arriving at the Discovery
has been declared authoritative for those names. Now, instead of Proxy, since it has been declared authoritative for those names.
consulting a textual zone file on disk to discover the answer to the Now, instead of consulting a textual zone file on disk to discover
query, as a traditional DNS server would, a Hybrid Proxy consults its the answer to the query, as a traditional DNS server would, a
local link, using Multicast DNS, to find the answer to the question. Discovery Proxy consults its local link, using Multicast DNS, to find
the answer to the question.
For fault tolerance reasons there may be more than one Hybrid Proxy For fault tolerance reasons there may be more than one Discovery
serving a given link. Proxy serving a given link.
Note that the Hybrid Proxy uses a "pull" model. The local link is Note that the Discovery Proxy uses a "pull" model. The local link is
not queried using Multicast DNS until a remote client has requested not queried using Multicast DNS until some remote client has
that data. In the idle state, in the absence of client requests, the requested that data. In the idle state, in the absence of client
Hybrid Proxy sends no packets and imposes no burden on the network. requests, the Discovery Proxy sends no packets and imposes no burden
It operates purely "on demand". on the network. It operates purely "on demand".
An alternative proposal has been a proxy that performs DNS updates to An alternative proposal that has been suggested is a proxy that
a remote DNS server on behalf of the Multicast DNS devices on the performs DNS updates to a remote DNS server on behalf of the
local network. The difficulty of this is that the proxy would have Multicast DNS devices on the local network. The difficulty of this
to be issuing all possible Multicast DNS queries all the time, to is that the proxy would have to be issuing all possible Multicast DNS
discover all the answers it needed to push up to the remote DNS queries all the time, to discover all the answers it needed to push
server using DNS Update. It would thus generate very high load on up to the remote DNS server using DNS Update. It would thus generate
the network continuously, even when there were no clients with any very high load on the network continuously, even when there were no
interest in that data. clients with any interest in that data.
Hence, having a model where the query comes to the Hybrid Proxy is Hence, having a model where the query comes to the Discovery Proxy is
much more efficient than a model where the Hybrid Proxy pushes the much more efficient than a model where the Discovery Proxy pushes the
answers out to some other remote DNS server. answers out to some other remote DNS server.
A client can send queries to the Hybrid Proxy in the form of A client seeking to discover services and other information achieves
traditional DNS queries, or by making a DNS Push Notification this by sending traditional DNS queries to the Discovery Proxy, or by
subscription [I-D.ietf-dnssd-push]. sending DNS Push Notification subscription requests [PUSH].
2. Operational Analogy 2. Operational Analogy
A Hybrid Proxy does not operate as a multicast relay, or multicast A Discovery Proxy does not operate as a multicast relay, or multicast
forwarder. There is no danger of multicast forwarding loops that forwarder. There is no danger of multicast forwarding loops that
result in traffic storms, because no multicast packets are forwarded. result in traffic storms, because no multicast packets are forwarded.
A Hybrid Proxy operates as a *proxy* for a remote client, performing A Discovery Proxy operates as a *proxy* for a remote client,
queries on its behalf and reporting the results back. performing queries on its behalf and reporting the results back.
A reasonable analogy would be making a telephone call to a colleague A reasonable analogy would be making a telephone call to a colleague
at your workplace and saying, "I'm out of the office right now. at your workplace and saying, "I'm out of the office right now.
Would you mind bringing up a printer browser window and telling me Would you mind bringing up a printer browser window and telling me
the names of the printers you see?" That entails no risk of a the names of the printers you see?" That entails no risk of a
forwarding loop causing a traffic storm, because no multicast packets forwarding loop causing a traffic storm, because no multicast packets
are sent over the telephone call. are sent over the telephone call.
A similar analogy, instead of enlisting another human being to A similar analogy, instead of enlisting another human being to
initiate the service discovery operation on your behalf, would be to initiate the service discovery operation on your behalf, would be to
log into your own desktop work computer using screen sharing, and log into your own desktop work computer using screen sharing, and
then run the printer browser yourself to see the list of printers. then run the printer browser yourself to see the list of printers.
Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the
list of discovered printer names. In neither case is there any risk list of discovered printer names. In neither case is there any risk
of a forwarding loop causing a traffic storm, because no multicast of a forwarding loop causing a traffic storm, because no multicast
packets are being sent over the screen sharing or ssh connection. packets are being sent over the screen sharing or ssh connection.
The Hybrid Proxy provides another way of performing remote queries, The Discovery Proxy provides another way of performing remote
just using a different protocol instead of screen sharing or ssh. queries, just using a different protocol instead of screen sharing or
ssh.
When the Hybrid Proxy software performs Multicast DNS operations, the When the Discovery Proxy software performs Multicast DNS operations,
exact same Multicast DNS caching mechanisms are applied as when any the exact same Multicast DNS caching mechanisms are applied as when
other client software on that Hybrid Proxy device performs Multicast any other client software on that Discovery Proxy device performs
DNS operations, whether that be running a printer browser client Multicast DNS operations, whether that be running a printer browser
locally, or a remote user running the printer browser client via a client locally, or a remote user running the printer browser client
screen sharing connection, or a remote user logged in via ssh running via a screen sharing connection, or a remote user logged in via ssh
a command-line tool like "dns-sd". running a command-line tool like "dns-sd".
3. Conventions and Terminology Used in this Document 3. Conventions and Terminology Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119]. "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
The Hybrid Proxy builds on Multicast DNS, which works between hosts The Discovery Proxy builds on Multicast DNS, which works between
on the same link. A set of hosts is considered to be "on the same hosts on the same link. A set of hosts is considered to be "on the
link" if: same link" if:
o when any host A from that set sends a packet to any other host B o when any host A from that set sends a packet to any other host B
in that set, using unicast, multicast, or broadcast, the entire in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and link-layer packet payload arrives unmodified, and
o a broadcast sent over that link by any host from that set of hosts o a broadcast sent over that link by any host from that set of hosts
can be received by every other host in that set can be received by every other host in that set
The link-layer *header* may be modified, such as in Token Ring Source The link-layer *header* may be modified, such as in Token Ring Source
Routing [802.5], but not the link-layer *payload*. In particular, if Routing [IEEE-5], but not the link-layer *payload*. In particular,
any device forwarding a packet modifies any part of the IP header or if any device forwarding a packet modifies any part of the IP header
IP payload then the packet is no longer considered to be on the same or IP payload then the packet is no longer considered to be on the
link. This means that the packet may pass through devices such as same link. This means that the packet may pass through devices such
repeaters, bridges, hubs or switches and still be considered to be on as repeaters, bridges, hubs or switches and still be considered to be
the same link for the purpose of this document, but not through a on the same link for the purpose of this document, but not through a
device such as an IP router that decrements the IP TTL or otherwise device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header. modifies the IP header.
4. Compatibility Considerations 4. Compatibility Considerations
No changes to existing devices are required to work with a Hybrid No changes to existing devices are required to work with a Discovery
Proxy. Proxy.
Existing devices that advertise services using Multicast DNS work Existing devices that advertise services using Multicast DNS work
with Hybrid Proxy. with Discovery Proxy.
Existing clients that support DNS-Based Service Discovery over Existing clients that support DNS-Based Service Discovery over
Unicast DNS work with Hybrid Proxy. Service Discovery over Unicast Unicast DNS work with Discovery Proxy. Service Discovery over
DNS was introduced in Mac OS X 10.4 in April 2005, as is included in Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is
Apple products introduced since then, including iPhone and iPad, as included in Apple products introduced since then, including iPhone
well as products from other vendors, such as Microsoft Windows 10. and iPad, as well as products from other vendors, such as Microsoft
Windows 10.
5. Hybrid Proxy Operation 5. Discovery Proxy Operation
In a typical configuration, a Hybrid Proxy is configured to be In a typical configuration, a Discovery Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authoritative [RFC1034] [RFC1035] for four DNS subdomains, and
authority for these subdomains is delegated to it via NS records: authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records. A DNS subdomain for service discovery records.
This subdomain name may contain rich text, including spaces and This subdomain name may contain rich text, including spaces and
other punctuation. This is because this subdomain name is used other punctuation. This is because this subdomain name is used
only in graphical user interfaces, where rich text is appropriate. only in graphical user interfaces, where rich text is appropriate.
A DNS subdomain for host name records. A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters, digits and This subdomain name SHOULD be limited to letters, digits and
skipping to change at page 9, line 30 skipping to change at page 9, line 30
| *example.com* | Building 1 | 1st Floor | Alice's printer | | *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer | | | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer | | | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | | | | Building 4 | 4th Floor | |
| | Building 5 | | | | | Building 5 | | |
| | Building 6 | | | | | Building 6 | | |
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
Figure 1: Illustrative GUI Figure 1: Illustrative GUI
Each named link in an organization has one or more Hybrid Proxies Each named link in an organization has one or more Discovery Proxies
which serves it. This Hybrid Proxy function for each link could be which serve it. This Discovery Proxy function for each link could be
performed by a device like a router or switch that is physically performed by a device like a router or switch that is physically
attached to that link. In the parent domain, NS records are used to attached to that link. In the parent domain, NS records are used to
delegate ownership of each defined link name delegate ownership of each defined link name
(e.g., "Building 1.example.com") to the one or more Hybrid Proxies (e.g., "Building 1.example.com") to the one or more Discovery Proxies
that serve the named link. In other words, the Hybrid Proxies are that serve the named link. In other words, the Discovery Proxies are
the authoritative name servers for that subdomain. the authoritative name servers for that subdomain.
With appropriate VLAN configuration [802.1Q] a single Hybrid Proxy With appropriate VLAN configuration [IEEE-1Q] a single Discovery
device could have a logical presence on many links, and serve as the Proxy device could have a logical presence on many links, and serve
Hybrid Proxy for all those links. In such a configuration the Hybrid as the Discovery Proxy for all those links. In such a configuration
Proxy device would have a single physical Ethernet [802.3] port, the Discovery Proxy device would have a single physical Ethernet
configured as a VLAN trunk port, which would appear to software on [IEEE-3] port, configured as a VLAN trunk port, which would appear to
that device as multiple virtual Ethernet interfaces, one connected to software on that device as multiple virtual Ethernet interfaces, one
each of the VLAN links. connected to each of the VLAN links.
When a DNS-SD client issues a Unicast DNS query to discover services When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS
delegation mechanism results in that query being forwarded until it delegation mechanism results in that query being forwarded until it
reaches the delegated authoritative name server for that subdomain, reaches the delegated authoritative name server for that subdomain,
namely the Hybrid Proxy on the link in question. Like a conventional namely the Discovery Proxy on the link in question. Like a
Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS conventional Unicast DNS server, a Discovery Proxy implements the
protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
conventional Unicast DNS server that generates answers from the data However, unlike a conventional Unicast DNS server that generates
in its manually-configured zone file, a Hybrid Proxy generates answers from the data in its manually-configured zone file, a
answers using Multicast DNS. A Hybrid Proxy does this by consulting Discovery Proxy generates answers using Multicast DNS. A Discovery
its Multicast DNS cache and/or issuing Multicast DNS queries for the Proxy does this by consulting its Multicast DNS cache and/or issuing
corresponding Multicast DNS name, type and class, (e.g., in this Multicast DNS queries for the corresponding Multicast DNS name, type
case, "_printer._tcp.local. PTR ?"). Then, from the received and class, (e.g., in this case, "_printer._tcp.local. PTR ?"). Then,
Multicast DNS data, the Hybrid Proxy synthesizes the appropriate from the received Multicast DNS data, the Discovery Proxy synthesizes
Unicast DNS response. How long the Hybrid Proxy should wait to the appropriate Unicast DNS response. How long the Discovery Proxy
accumulate Multicast DNS responses is described below in section should wait to accumulate Multicast DNS responses is described below
Section 5.6. in section Section 5.6.
Naturally, the existing Multicast DNS caching mechanism is used to Naturally, the existing Multicast DNS caching mechanism is used to
minimize unnecessary Multicast DNS queries on the wire. The Hybrid minimize unnecessary Multicast DNS queries on the wire. The
Proxy is acting as a client of the underlying Multicast DNS Discovery Proxy is acting as a client of the underlying Multicast DNS
subsystem, and benefits from the same caching and efficiency measures subsystem, and benefits from the same caching and efficiency measures
as any other client using that subsystem. as any other client using that subsystem.
5.2. Domain Enumeration 5.2. Domain Enumeration
A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR
queries, using both unicast and multicast. If it receives a Domain queries, using both unicast and multicast. If it receives a Domain
Name configuration via DHCP option 15 [RFC2132], then it issues Name configuration via DHCP option 15 [RFC2132], then it issues
unicast queries using this domain. It issues unicast queries using unicast queries using this domain. It issues unicast queries using
names derived from its IPv6 prefix(es) and IPv4 subnet address(es). names derived from its IPv6 prefix(es) and IPv4 subnet address(es).
skipping to change at page 11, line 7 skipping to change at page 11, line 37
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com. lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The "b" ("browse") records tell the client device the list of The "b" ("browse") records tell the client device the list of
browsing domains to display for the user to select from and the "db" browsing domains to display for the user to select from and the "db"
("default browse") record tells the client device which domain in ("default browse") record tells the client device which domain in
that list should be selected by default. The "lb" ("legacy browse") that list should be selected by default. The "lb" ("legacy browse")
record tells the client device which domain to automatically browse record tells the client device which domain to automatically browse
on behalf of applications that don't implement UI for multi-domain on behalf of applications that don't implement UI for multi-domain
browsing (which is most of them, as of 2015). The "lb" domain is browsing (which is most of them, as of 2017). The "lb" domain is
often the same as the "db" domain, or sometimes the "db" domain plus often the same as the "db" domain, or sometimes the "db" domain plus
one or more others that should be included in the list of automatic one or more others that should be included in the list of automatic
browsing domains for legacy clients. browsing domains for legacy clients.
DNS responses are limited to a maximum size of 65535 bytes. This DNS responses are limited to a maximum size of 65535 bytes. This
limits the maximum number of domains that can be returned for a limits the maximum number of domains that can be returned for a
Domain Enumeration query, as follows: Domain Enumeration query, as follows:
A DNS response header is 12 bytes. That's typically followed by a A DNS response header is 12 bytes. That's typically followed by a
single qname (up to 256 bytes) plus qtype (2 bytes) and qclass single qname (up to 256 bytes) plus qtype (2 bytes) and qclass
skipping to change at page 11, line 34 skipping to change at page 12, line 28
o Four-byte ttl o Four-byte ttl
o Two-byte rdlength o Two-byte rdlength
o rdata (domain name, up to 256 bytes) o rdata (domain name, up to 256 bytes)
This means that each Resource Record in the Answer Section can take This means that each Resource Record in the Answer Section can take
up to 268 bytes total, which means that the Answer Section can up to 268 bytes total, which means that the Answer Section can
contain, in the worst case, no more than 243 domains. contain, in the worst case, no more than 243 domains.
In a more typical scenario, where the domain names are not all In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names so maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer Section that reasonable name compression is possible, each Answer
Resource Record may average 140 bytes, which means that the Answer Section Resource Record may average 140 bytes, which means that the
Section can contain up to 466 domains. Answer Section can contain up to 466 domains.
It is anticipated that this should be sufficient for even a large It is anticipated that this should be sufficient for even a large
corporate network or university campus. corporate network or university campus.
5.2.2. Domain Enumeration via Multicast Queries 5.2.2. Domain Enumeration via Multicast Queries
Since a Hybrid Proxy exists on many, if not all, the links in an Since a Discovery Proxy exists on many, if not all, the links in an
enterprise, it offers an additional way to provide Domain Enumeration enterprise, it offers an additional way to provide Domain Enumeration
data for clients. data for clients.
A Hybrid Proxy can be configured to generate Multicast DNS responses A Discovery Proxy can be configured to generate Multicast DNS
for the following Multicast DNS Domain Enumeration queries issued by responses for the following Multicast DNS Domain Enumeration queries
clients: issued by clients:
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR ?
This provides the ability for Hybrid Proxies to indicate recommended This provides the ability for Discovery Proxies to indicate
browsing domains to DNS-SD clients on a per-link granularity. In recommended browsing domains to DNS-SD clients on a per-link
some enterprises it may be preferable to provide this per-link granularity. In some enterprises it may be preferable to provide
configuration data in the form of Hybrid Proxy configuration, rather this per-link configuration data in the form of Discovery Proxy
than populating the Unicast DNS servers with the same data (in the configuration, rather than populating the Unicast DNS servers with
"ip6.arpa" or "in-addr.arpa" domains). the same data (in the "ip6.arpa" or "in-addr.arpa" domains).
Regardless of how the network operator chooses to provide this Regardless of how the network operator chooses to provide this
configuration data, clients will perform Domain Enumeration via both configuration data, clients will perform Domain Enumeration via both
unicast and multicast queries, and then combine the results of these unicast and multicast queries, and then combine the results of these
queries. queries.
5.3. Delegated Subdomain for LDH Host Names 5.3. Delegated Subdomain for LDH Host Names
DNS-SD service instance names and domains are allowed to contain DNS-SD service instance names and domains are allowed to contain
arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8 arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8
skipping to change at page 13, line 37 skipping to change at page 14, line 37
While we still want to allow rich text for DNS-SD service instance While we still want to allow rich text for DNS-SD service instance
names and domains, it is advisable, for maximum compatibility with names and domains, it is advisable, for maximum compatibility with
existing usage, to restrict host names to the traditional letter- existing usage, to restrict host names to the traditional letter-
digit-hyphen rules. This means that while a service name digit-hyphen rules. This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and "My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is "example.com"), a host name "My-Printer.Building 1.example.com" is
less desirable (because of the space in "Building 1"). less desirable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Hybrid Proxy To accomodate this difference in allowable characters, a Discovery
SHOULD support having two separate subdomains delegated to it for Proxy SHOULD support having two separate subdomains delegated to it
each link it serves, one whose name is allowed to contain arbitrary for each link it serves, one whose name is allowed to contain
Net-Unicode text [RFC5198], and a second more constrained subdomain arbitrary Net-Unicode text [RFC5198], and a second more constrained
whose name is restricted to contain only letters, digits, and subdomain whose name is restricted to contain only letters, digits,
hyphens, to be used for host name records (names of 'A' and 'AAAA' and hyphens, to be used for host name records (names of 'A' and
address records). 'AAAA' address records).
For example, a Hybrid Proxy could have the two subdomains For example, a Discovery Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it. "Building 1.example.com" and "bldg1.example.com" delegated to it.
The Hybrid Proxy would then translate these two Multicast DNS The Discovery Proxy would then translate these two Multicast DNS
records: records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2 prnt.local. A 203.0.113.2
into Unicast DNS records as follows: into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 203.0.113.2 prnt.bldg1.example.com. A 203.0.113.2
Note that the SRV record name is translated using the rich-text Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record name is domain name ("Building 1.example.com") and the address record name is
translated using the LDH domain ("bldg1.example.com"). translated using the LDH domain ("bldg1.example.com").
A Hybrid Proxy MAY support only a single rich text Net-Unicode A Discovery Proxy MAY support only a single rich text Net-Unicode
domain, and use that domain for all records, including 'A' and 'AAAA' domain, and use that domain for all records, including 'A' and 'AAAA'
address records, but implementers choosing this option should be address records, but implementers choosing this option should be
aware that this choice may produce host names that are awkward to use aware that this choice may produce host names that are awkward to use
in command-line environments. Whether this is an issue depends on in command-line environments. Whether this is an issue depends on
whether users in the target environment are expected to be using whether users in the target environment are expected to be using
command-line interfaces. command-line interfaces.
A Hybrid Proxy MUST NOT be restricted to support only a letter-digit- A Discovery Proxy MUST NOT be restricted to support only a letter-
hyphen subdomain, because that results in an unnecessarily poor user digit-hyphen subdomain, because that results in an unnecessarily poor
experience. user experience.
5.4. Delegated Subdomain for Reverse Mapping 5.4. Delegated Subdomain for Reverse Mapping
A Hybrid Proxy can facilitate easier management of reverse mapping A Discovery Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses. be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the delegate ownership of the appropriate reverse mapping domain to the
Hybrid Proxy. In other words, the Hybrid Proxy becomes the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain. For fault authoritative name server for the reverse mapping domain. For fault
tolerance reasons there may be more than one Hybrid Proxy serving a tolerance reasons there may be more than one Discovery Proxy serving
given link. a given link.
For example, if a given link is using the IPv6 prefix For example, if a given link is using the
2001:0DB8:1234:5678/64, then the domain IPv6 prefix 2001:0DB8:1234:5678/64,
"8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
Proxy for that link. is delegated to the Discovery Proxy for that link.
If a given link is using the IPv4 subnet 203.0.113/24, then the If a given link is using the IPv4 subnet 203.0.113/24,
domain "113.0.203.in-addr.arpa" is delegated to the Hybrid Proxy for then the domain "113.0.203.in-addr.arpa"
that link. is delegated to the Discovery Proxy for that link.
When a reverse mapping query arrives at the Hybrid Proxy, it issues When a reverse mapping query arrives at the Discovery Proxy, it
the identical query on its local link as a Multicast DNS query. issues the identical query on its local link as a Multicast DNS
The mechanism to force an apparently unicast name to be resolved query. The mechanism to force an apparently unicast name to be
using link-local Multicast DNS varies depending on the API set being resolved using link-local Multicast DNS varies depending on the API
used. For example, in the "/usr/include/dns_sd.h" APIs set being used. For example, in the "/usr/include/dns_sd.h" APIs
(available on macOS, iOS, Microsoft Windows, Linux and Android), (available on macOS, iOS, Bonjour for Windows, Linux and Android),
using kDNSServiceFlagsForceMulticast indicates that the using kDNSServiceFlagsForceMulticast indicates that the
DNSServiceQueryRecord() call should perform the query using Multicast DNSServiceQueryRecord() call should perform the query using Multicast
DNS. Other APIs sets have different ways of forcing multicast DNS. Other APIs sets have different ways of forcing multicast
queries. When the host owning that IPv6 or IPv4 address responds queries. When the host owning that IPv6 or IPv4 address responds
with a name of the form "something.local", the Hybrid Proxy rewrites with a name of the form "something.local", the Discovery Proxy
that to use its configured LDH host name domain instead of "local", rewrites that to use its configured LDH host name domain instead of
and returns the response to the caller. "local", and returns the response to the caller.
For example, a Hybrid Proxy with the two subdomains For example, a Discovery Proxy with the two subdomains
"113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it
would translate this Multicast DNS record: would translate this Multicast DNS record:
2.113.0.203.in-addr.arpa. PTR prnt.local. 2.113.0.203.in-addr.arpa. PTR prnt.local.
into this Unicast DNS response: into this Unicast DNS response:
2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com. 2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record, Subsequent queries for the prnt.bldg1.example.com address record,
falling as it does within the bldg1.example.com domain, which is falling as it does within the bldg1.example.com domain, which is
delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where delegated to the Discovery Proxy, will arrive at the Discovery Proxy,
they are answered by issuing Multicast DNS queries and using the where they are answered by issuing Multicast DNS queries and using
received Multicast DNS answers to synthesize Unicast DNS responses, the received Multicast DNS answers to synthesize Unicast DNS
as described above. responses, as described above.
5.5. Data Translation 5.5. Data Translation
Generating the appropriate Multicast DNS queries involves, at the Generating the appropriate Multicast DNS queries involves,
very least, translating from the configured DNS domain at the very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side to "local" (e.g., "Building 1.example.com") on the Unicast DNS side to "local"
on the Multicast DNS side. on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating Generating the appropriate Unicast DNS responses involves translating
back from "local" to the configured DNS Unicast domain. back from "local" to the appropriate configured DNS Unicast domain.
Other beneficial translation and filtering operations are described Other beneficial translation and filtering operations are described
below. below.
5.5.1. DNS TTL limiting 5.5.1. DNS TTL limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75 values. For example, the typical TTL on DNS-SD PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol cache coherency mechanisms built in to the Multicast DNS protocol
skipping to change at page 16, line 39 skipping to change at page 18, line 35
service shuts down gracefully, it sends goodbye packets to remove its service shuts down gracefully, it sends goodbye packets to remove its
PTR records immediately from neighbouring caches. If a service shuts PTR records immediately from neighbouring caches. If a service shuts
down abruptly without sending goodbye packets, the Passive down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in Section 10.5 of Observation Of Failures (POOF) mechanism described in Section 10.5 of
the Multicast DNS specification [RFC6762] comes into play to purge the Multicast DNS specification [RFC6762] comes into play to purge
the cache of stale data. the cache of stale data.
A traditional Unicast DNS client on a remote link does not get to A traditional Unicast DNS client on a remote link does not get to
participate in these Multicast DNS cache coherency mechanisms on the participate in these Multicast DNS cache coherency mechanisms on the
local link. For traditional Unicast DNS queries (those received local link. For traditional Unicast DNS queries (those received
without any Long-Lived Query [I-D.sekar-dns-llq] or DNS Push without using Long-Lived Query [LLQ] or DNS Push Notification [PUSH])
Notification [I-D.ietf-dnssd-push] option) the DNS TTLs reported in the DNS TTLs reported in the resulting Unicast DNS response SHOULD be
the resulting Unicast DNS response SHOULD be capped to be no more capped to be no more than ten seconds.
than ten seconds.
Similarly, for negative responses, the negative caching TTL indicated Similarly, for negative responses, the negative caching TTL indicated
in the SOA record [RFC2308] should also be ten seconds (Section 6.1). in the SOA record [RFC2308] should also be ten seconds (Section 6.1).
This value of ten seconds is chosen based on user experience This value of ten seconds is chosen based on user-experience
considerations. considerations.
For negative caching, suppose a user is attempting to access a remote For negative caching, suppose a user is attempting to access a remote
device (e.g., a printer), and they are unsuccessful because that device (e.g., a printer), and they are unsuccessful because that
device is powered off. Suppose they then place a telephone call and device is powered off. Suppose they then place a telephone call and
ask for the device to be powered on. We want the device to become ask for the device to be powered on. We want the device to become
available to the user within a reasonable time period. It is available to the user within a reasonable time period. It is
reasonable to expect it to take on the order of ten seconds for a reasonable to expect it to take on the order of ten seconds for a
simple device with a simple embedded operating system to power on. simple device with a simple embedded operating system to power on.
Once the device is powered on and has announced its presence on the Once the device is powered on and has announced its presence on the
skipping to change at page 17, line 27 skipping to change at page 19, line 21
or other renumbering events, we would like the updated information to or other renumbering events, we would like the updated information to
be available to remote clients in a relatively timely fashion. be available to remote clients in a relatively timely fashion.
However, network administrators should be aware that many recursive However, network administrators should be aware that many recursive
(caching) DNS servers by default are configured to impose a minimum (caching) DNS servers by default are configured to impose a minimum
TTL of 30 seconds. If stale data appears to be persisting in the TTL of 30 seconds. If stale data appears to be persisting in the
network to the extent that it adversely impacts user experience, network to the extent that it adversely impacts user experience,
network administrators are advised to check the configuration of network administrators are advised to check the configuration of
their recursive DNS servers. their recursive DNS servers.
For received Unicast DNS queries that contain an LLQ or DNS Push For received Unicast DNS queries that use LLQ or DNS Push
Notification option, the Multicast DNS record's TTL SHOULD be Notification, the Multicast DNS record's TTL SHOULD be returned
returned unmodified, because the Push Notification channel exists to unmodified, because the Push Notification channel exists to inform
inform the remote client as records come and go. For further details the remote client as records come and go. For further details about
about Long-Lived Queries, and its newer replacement, DNS Push Long-Lived Queries, and its newer replacement, DNS Push
Notifications, see Section 5.6. Notifications, see Section 5.6.
5.5.2. Suppressing Unusable Records 5.5.2. Suppressing Unusable Records
A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that A Discovery Proxy SHOULD suppress Unicast DNS answers for records
are not useful outside the local link. For example, DNS A and AAAA that are not useful outside the local link. For example, DNS AAAA
records for IPv6 link-local addresses [RFC4862] and IPv4 link-local and A records for IPv6 link-local addresses [RFC4862] and IPv4 link-
addresses [RFC3927] SHOULD be suppressed. Similarly, for sites that local addresses [RFC3927] SHOULD be suppressed. Similarly, for sites
have multiple private address realms [RFC1918], in cases where the that have multiple private address realms [RFC1918], in cases where
Hybrid Proxy can determine that the querying client is in a different the Discovery Proxy can determine that the querying client is in a
address realm, private addresses MUST NOT be communicated to that different address realm, private addresses MUST NOT be communicated
client. IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed to that client. IPv6 Unique Local Addresses [RFC4193] SHOULD be
in cases where the Hybrid Proxy can determine that the querying suppressed in cases where the Discovery Proxy can determine that the
client is in a different IPv6 address realm. querying client is in a different IPv6 address realm.
By the same logic, DNS SRV records that reference target host names By the same logic, DNS SRV records that reference target host names
that have no addresses usable by the requester should be suppressed, that have no addresses usable by the requester should be suppressed,
and likewise, DNS PTR records that point to unusable SRV records and likewise, DNS PTR records that point to unusable SRV records
should be similarly be suppressed. should be similarly be suppressed.
5.5.3. NSEC and NSEC3 queries 5.5.3. NSEC and NSEC3 queries
Since a Hybrid Proxy only knows what names exist on the local link by Since a Discovery Proxy only knows what names exist on the local link
issuing queries for them, and since it would be impractical to issue by issuing queries for them, and since it would be impractical to
queries for every possible name just to find out which names exist issue queries for every possible name just to find out which names
and which do not, a Hybrid Proxy cannot programatically generate the exist and which do not, a Discovery Proxy cannot programatically
traditional NSEC and NSEC3 records which assert the nonexistence of a generate the traditional NSEC and NSEC3 records which assert the
large range names. nonexistence of a large range of names.
When queried for an NSEC or NSEC3 record type, the Hybrid Proxy When queried for an NSEC or NSEC3 record type, the Discovery Proxy
issues a qtype "ANY" query using Multicast DNS on the local link, and issues a qtype "ANY" query using Multicast DNS on the local link, and
then generates an NSEC or NSEC3 response signifying which record then generates an NSEC or NSEC3 response signifying which record
types do and do not exist just the specific name queried, and no types do and do not exist just the specific name queried, and no
others. others.
Multicast DNS NSEC records received on the local link MUST NOT be Multicast DNS NSEC records received on the local link MUST NOT be
forwarded unmodified to a unicast querier, because there are slight forwarded unmodified to a unicast querier, because there are slight
differences in the NSEC record data. In particular, Multicast DNS differences in the NSEC record data. In particular, Multicast DNS
NSEC records do not have the NSEC bit set in the Type Bit Map, NSEC records do not have the NSEC bit set in the Type Bit Map,
whereas conventional Unicast DNS NSEC records do have the NSEC bit whereas conventional Unicast DNS NSEC records do have the NSEC bit
set. set.
5.5.4. Text Encoding Translation 5.5.4. No Text Encoding Translation
A Hybrid Proxy does no translation between text encodings. A Discovery Proxy does no translation between text encodings.
Specifically, a Hybrid Proxy does no translation between Punycode and Specifically, a Discovery Proxy does no translation between Punycode
UTF-8, either in the owner name of DNS records, or anywhere in the and UTF-8, either in the owner name of DNS records, or anywhere in
RDATA of DNS records (such as the RDATA of PTR records, SRV records, the RDATA of DNS records (such as the RDATA of PTR records, SRV
NS records, or other record types like TXT, where it is ambiguous records, NS records, or other record types like TXT, where it is
whether the RDATA may contain DNS names). All bytes are treated ambiguous whether the RDATA may contain DNS names). All bytes are
as-is, with no attempt at text encoding translation. A client treated as-is, with no attempt at text encoding translation. A
implementing DNS-based Service Discovery [RFC6763] will use UTF-8 client implementing DNS-based Service Discovery [RFC6763] will use
encoding for its service discovery queries, which the Hybrid Proxy UTF-8 encoding for its service discovery queries, which the Discovery
passes through without any text encoding translation to the Multicast Proxy passes through without any text encoding translation to the
DNS subsystem. Responses from the Multicast DNS subsystem are Multicast DNS subsystem. Responses from the Multicast DNS subsystem
similarly returned, without any text encoding translation, back to are similarly returned, without any text encoding translation, back
the requesting client. to the requesting client.
5.5.5. Application-Specific Data Translation 5.5.5. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is There may be cases where Application-Specific Data Translation is
appropriate. appropriate.
For example, AirPrint printers tend to advertise fairly verbose For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. TXT information about their capabilities in their DNS-SD TXT record. TXT
record sizes in the range 500-1000 bytes are not uncommon. This record sizes in the range 500-1000 bytes are not uncommon. This
information is a legacy from LPR printing, because LPR does not have information is a legacy from LPR printing, because LPR does not have
in-band capability negotiation, so all of this information is in-band capability negotiation, so all of this information is
conveyed using the DNS-SD TXT record instead. IPP printing does have conveyed using the DNS-SD TXT record instead. IPP printing does have
in-band capability negotiation, but for convenience printers tend to in-band capability negotiation, but for convenience printers tend to
include the same capability information in their IPP DNS-SD TXT include the same capability information in their IPP DNS-SD TXT
records as well. For local mDNS use this extra TXT record records as well. For local mDNS use this extra TXT record
information is inefficient, but not fatal. However, when a Hybrid information is inefficient, but not fatal. However, when a Discovery
Proxy aggregates data from multiple printers on a link, and sends it Proxy aggregates data from multiple printers on a link, and sends it
via unicast (via UDP or TCP) this amount of unnecessary TXT record via unicast (via UDP or TCP) this amount of unnecessary TXT record
information can result in large responses. A DNS reply over TCP information can result in large responses. A DNS reply over TCP
carrying information about 70 printers with an average of 700 bytes carrying information about 70 printers with an average of 700 bytes
per printer adds up to about 50 kilobytes of data. Therefore, a per printer adds up to about 50 kilobytes of data. Therefore, a
Hybrid Proxy that is aware of the specifics of an application-layer Discovery Proxy that is aware of the specifics of an application-
protocol such as AirPrint (which uses IPP) can elide unnecessary key/ layer protocol such as AirPrint (which uses IPP) can elide
value pairs from the DNS-SD TXT record for better network efficiency. unnecessary key/value pairs from the DNS-SD TXT record for better
network efficiency.
Also, the DNS-SD TXT record for many printers contains an "adminurl" Also, the DNS-SD TXT record for many printers contains an "adminurl"
key something like "adminurl=http://printername.local/status.html". key something like "adminurl=http://printername.local/status.html".
For this URL to be useful outside the local link, the embedded For this URL to be useful outside the local link, the embedded
".local" hostname needs to be translated to an appropriate name with ".local" hostname needs to be translated to an appropriate name with
larger scope. It is easy to translate ".local" names when they larger scope. It is easy to translate ".local" names when they
appear in well-defined places, either as a record's name, or in the appear in well-defined places, either as a record's name, or in the
rdata of record types like PTR and SRV. In the printing case, some rdata of record types like PTR and SRV. In the printing case, some
application-specific knowledge about the semantics of the "adminurl" application-specific knowledge about the semantics of the "adminurl"
key is needed for the Hybrid Proxy to know that it contains a name key is needed for the Discovery Proxy to know that it contains a name
that needs to be translated. This is somewhat analogous to the need that needs to be translated. This is somewhat analogous to the need
for NAT gateways to contain ALGs (Application-Specific Gateways) to for NAT gateways to contain ALGs (Application-Specific Gateways) to
facilitate the correct translation of protocols that embed addresses facilitate the correct translation of protocols that embed addresses
in unexpected places. in unexpected places.
As is the case with NAT ALGs, protocol designers are advised to avoid As is the case with NAT ALGs, protocol designers are advised to avoid
communicating names and addresses in nonstandard locations, because communicating names and addresses in nonstandard locations, because
those "hidden" names and addresses are at risk of not being those "hidden" names and addresses are at risk of not being
translated when necessary, resulting in operational failures. In the translated when necessary, resulting in operational failures. In the
printing case, the operational failure of failing to translate the printing case, the operational failure of failing to translate the
"adminurl" key correctly is that, when accessed from a different "adminurl" key correctly is that, when accessed from a different
link, printing will still work, but clicking the "Admin" UI button link, printing will still work, but clicking the "Admin" UI button
will fail to open the printer's administration page. Rather than will fail to open the printer's administration page. Rather than
duplicating the host name from the service's SRV record in its duplicating the host name from the service's SRV record in its
"adminurl" key, thereby having the same host name appear in two "adminurl" key, thereby having the same host name appear in two
places, a better design might have been to omit the host name from places, a better design might have been to omit the host name from
the "adminurl" key, and instead have the client implicitly substitute the "adminurl" key, and instead have the client implicitly substitute
the target host name from the service's SRV record in place of a the target host name from the service's SRV record in place of a
missing host name in the "adminurl" key. That way the desired host missing host name in the "adminurl" key. That way the desired host
name only appears once, and it is in a well-defined place where name only appears once, and it is in a well-defined place where
software like the Hybrid Proxy is expecting to find it. software like the Discovery Proxy is expecting to find it.
Note that this kind of Application-Specific Data Translation is Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing. It is frequently This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design, with the case that it is wise to start with a clean, layered design, with
clear boundaries. Then, in certain special cases, those layer clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency boundaries may be violated, where the performance and efficiency
benefits outweigh the inelegance of the layer violation. benefits outweigh the inelegance of the layer violation.
These layer violations are optional. They are done primarily for These layer violations are optional. They are done primarily for
efficiency reasons, and generally should not be required for correct efficiency reasons, and generally should not be required for correct
operation. A Hybrid Proxy MAY operate solely at the mDNS layer, operation. A Discovery Proxy MAY operate solely at the mDNS layer,
without any knowledge of semantics at the DNS-SD layer or above. without any knowledge of semantics at the DNS-SD layer or above.
5.6. Answer Aggregation 5.6. Answer Aggregation
In a simple analysis, simply gathering multicast answers and In a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises forwarding them in a unicast response seems adequate, but it raises
the question of how long the Hybrid Proxy should wait to be sure that the question of how long the Discovery Proxy should wait to be sure
it has received all the Multicast DNS answers it needs to form a that it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In long, then it creates a poor user experience at the client end. In
fact, there may be no time which is both short enough to produce a fact, there may be no time which is both short enough to produce a
good user experience and at the same time long enough to reliably good user experience and at the same time long enough to reliably
produce complete results. produce complete results.
Similarly, the Hybrid Proxy -- the authoritative name server for the Similarly, the Discovery Proxy -- the authoritative name server for
subdomain in question -- needs to decide what DNS TTL to report for the subdomain in question -- needs to decide what DNS TTL to report
these records. If the TTL is too long then the recursive (caching) for these records. If the TTL is too long then the recursive
name servers issuing queries on behalf of their clients risk caching (caching) name servers issuing queries on behalf of their clients
stale data for too long. If the TTL is too short then the amount of risk caching stale data for too long. If the TTL is too short then
network traffic will be more than necessary. In fact, there may be the amount of network traffic will be more than necessary. In fact,
no TTL which is both short enough to avoid undesirable stale data and there may be no TTL which is both short enough to avoid undesirable
at the same time long enough to be efficient on the network. stale data and at the same time long enough to be efficient on the
network.
Both these dilemmas are solved by use of DNS Long-Lived Queries Both these dilemmas are solved by use of DNS Long-Lived Queries
(DNS LLQ) [I-D.sekar-dns-llq] or its newer replacement, DNS Push (DNS LLQ) [LLQ] or its newer replacement, DNS Push Notifications
Notifications [I-D.ietf-dnssd-push]. (Clients and Hybrid Proxies can [PUSH].
support both DNS LLQ and DNS Push, and when talking to a Hybrid Proxy
that supports both the client may use either protocol, as it chooses,
though it is expected that only DNS Push will continue to be
supported in the long run.) Clients supporting unicast DNS Service
Discovery SHOULD implement DNS Push Notifications
[I-D.ietf-dnssd-push] for improved user experience.
When a Hybrid Proxy receives a query containing a DNS LLQ or DNS Push Clients supporting unicast DNS Service Discovery SHOULD implement DNS
Notification option, it responds immediately using the Multicast DNS Push Notifications [PUSH] for improved user experience.
records it already has in its cache (if any). This provides a good
client user experience by providing a near-instantaneous response. Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push,
Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the and when talking to a Discovery Proxy that supports both, the client
local link to discover if there are any additional Multicast DNS may use either protocol, as it chooses, though it is expected that
only DNS Push will continue to be supported in the long run.
When a Discovery Proxy receives a query using DNS LLQ or DNS Push
Notification, it responds immediately using the Multicast DNS records
it already has in its cache (if any). This provides a good client
user experience by providing a near-instantaneous response.
Simultaneously, the Discovery Proxy issues a Multicast DNS query on
the local link to discover if there are any additional Multicast DNS
records it did not already know about. Should additional Multicast records it did not already know about. Should additional Multicast
DNS responses be received, these are then delivered to the client DNS responses be received, these are then delivered to the client
using DNS LLQ or DNS Push Notification update messages. The using additional DNS LLQ or DNS Push Notification update messages.
timeliness of such update messages is limited only by the timeliness The timeliness of such update messages is limited only by the
of the device responding to the Multicast DNS query. If the timeliness of the device responding to the Multicast DNS query. If
Multicast DNS device responds quickly, then the update message is the Multicast DNS device responds quickly, then the update message is
delivered quickly. If the Multicast DNS device responds slowly, then delivered quickly. If the Multicast DNS device responds slowly, then
the update message is delivered slowly. The benefit of using update the update message is delivered slowly. The benefit of using update
messages is that the Hybrid Proxy can respond promptly because it messages is that the Discovery Proxy can respond promptly because it
doesn't have to delay its unicast response to allow for the expected doesn't have to delay its unicast response to allow for the expected
worst-case delay for receiving all the Multicast DNS responses. Even worst-case delay for receiving all the Multicast DNS responses. Even
if a proxy were to try to provide reliability by assuming an if a proxy were to try to provide reliability by assuming an
excessively pessimistic worst-case time (thereby giving a very poor excessively pessimistic worst-case time (thereby giving a very poor
user experience) there would still be the risk of a slow Multicast user experience) there would still be the risk of a slow Multicast
DNS device taking even longer than that (e.g., a device that is not DNS device taking even longer than that (e.g., a device that is not
even powered on until ten seconds after the initial query is even powered on until ten seconds after the initial query is
received) resulting in incomplete responses. Using update message received) resulting in incomplete responses. Using update message
solves this dilemma: even very late responses are not lost; they are solves this dilemma: even very late responses are not lost; they are
delivered in subsequent update messages. delivered in subsequent update messages.
There are two factors that determine specifically how responses are There are two factors that determine specifically how responses are
generated: generated:
The first factor is whether the query from the client included an LLQ The first factor is whether the query from the client used LLQ or DNS
or DNS Push Notification option (typical with long-lived service Push Notification (typical with long-lived service browsing PTR
browsing PTR queries) or not (typical with one-shot operations like queries) or not (typical with one-shot operations like SRV or address
SRV or address record queries). Note that queries containing the LLQ record queries). Note that queries using LLQ or DNS Push
or PUSH option are received directly from the client. Queries Notification are received directly from the client. Queries not
containing no LLQ or PUSH option are generally received via the using LLQ or DNS Push Notification are generally received via the
client's configured recursive (caching) name server. client's configured recursive (caching) name server.
The second factor is whether the Hybrid Proxy already has at least The second factor is whether the Discovery Proxy already has at least
one record in its cache that positively answers the question. one record in its cache that positively answers the question.
o No LLQ or PUSH option; no answer in cache: o Not using LLQ or Push Notification; no answer in cache:
Issue an mDNS query, exactly as a local client would issue an mDNS Issue an mDNS query, exactly as a local client would issue an mDNS
query on the local link for the desired record name, type and query on the local link for the desired record name, type and
class, including retransmissions, as appropriate, according to the class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule [RFC6762]. As soon as established mDNS retransmission schedule [RFC6762]. As soon as
any Multicast DNS response packet is received that contains one or any Multicast DNS response packet is received that contains one or
more positive answers to that question (with or without the Cache more positive answers to that question (with or without the Cache
Flush bit [RFC6762] set), or a negative answer (signified via a Flush bit [RFC6762] set), or a negative answer (signified via a
Multicast DNS NSEC record [RFC6762]), the Hybrid Proxy generates a Multicast DNS NSEC record [RFC6762]), the Discovery Proxy
Unicast DNS response packet containing the corresponding (filtered generates a Unicast DNS response packet containing the
and translated) answers and sends it to the remote client. If corresponding (filtered and translated) answers and sends it to
after six seconds no Multicast DNS answers have been received, the remote client. If after six seconds no Multicast DNS answers
return a negative response to the remote client. Six seconds is have been received, return a negative response to the remote
enough time to transmit three mDNS queries, and allow some time client. Six seconds is enough time to transmit three mDNS
for responses to arrive. queries, and allow some time for responses to arrive.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
o No LLQ or PUSH option; at least one answer in cache: o Not using LLQ or Push Notification; at least one answer in cache:
Send response right away to minimise delay. Send response right away to minimise delay.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses are capped to at most ten seconds.
No local mDNS queries are performed. No local mDNS queries are performed.
(Reasoning: Given RRSet TTL harmonisation, if the proxy has one (Reasoning: Given RRSet TTL harmonisation, if the proxy has one
Multicast DNS answer in its cache, it can reasonably assume that Multicast DNS answer in its cache, it can reasonably assume that
it has all of them.) it has all of them.)
o Query contains LLQ or PUSH option; no answer in cache: o Using LLQ or Push Notification; no answer in cache:
As in the case above with no answer in the cache, perform mDNS As in the case above with no answer in the cache, perform mDNS
querying for six seconds, and send a response to the remote client querying for six seconds, and send a response to the remote client
as soon as any relevant mDNS response is received. as soon as any relevant mDNS response is received.
If after six seconds no relevant mDNS response has been received, If after six seconds no relevant mDNS response has been received,
return negative response to the remote client (for LLQ; not return negative response to the remote client (for LLQ; not
applicable for PUSH). (Reasoning: We don't need to rush to send applicable for PUSH).
an empty answer.) (Reasoning: We don't need to rush to send an empty answer.)
Whether or not a relevant mDNS response is received within six Whether or not a relevant mDNS response is received within six
seconds, the query remains active for as long as the client seconds, the query remains active for as long as the client
maintains the LLQ or PUSH state, and if mDNS answers are received maintains the LLQ or PUSH state, and if mDNS answers are received
later, LLQ or PUSH update messages are sent. later, LLQ or PUSH update messages are sent.
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
o Query contains LLQ or PUSH option; at least one answer in cache: o Using LLQ or Push Notification; at least one answer in cache:
As in the case above with at least one answer in cache, send As in the case above with at least one answer in cache, send
response right away to minimise delay. response right away to minimise delay.
The query remains active for as long as the client maintains the The query remains active for as long as the client maintains the
LLQ or PUSH state, and if additional mDNS answers are received LLQ or PUSH state, and if additional mDNS answers are received
later, LLQ or PUSH update messages are sent. later, LLQ or PUSH update messages are sent.
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want UI that is displayed very rapidly, yet
continues to remain accurate even as the network environment continues to remain accurate even as the network environment
changes.) changes.)
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
Note that the "negative responses" referred to above are "no error no Note that the "negative responses" referred to above are "no error no
answer" negative responses, not NXDOMAIN. This is because the Hybrid answer" negative responses, not NXDOMAIN. This is because the
Proxy cannot know all the Multicast DNS domain names that may exist Discovery Proxy cannot know all the Multicast DNS domain names that
on a link at any given time, so any name with no answers may have may exist on a link at any given time, so any name with no answers
child names that do exist, making it an "empty nonterminal" name. may have child names that do exist, making it an "empty nonterminal"
name.
6. Administrative DNS Records 6. Administrative DNS Records
6.1. DNS SOA (Start of Authority) Record 6.1. DNS SOA (Start of Authority) Record
The MNAME field SHOULD contain the host name of the Hybrid Proxy The MNAME field SHOULD contain the host name of the Discovery Proxy
device (i.e., the same domain name as the rdata of the NS record device (i.e., the same domain name as the rdata of the NS record
delegating the relevant zone(s) to this Hybrid Proxy device). delegating the relevant zone(s) to this Discovery Proxy device).
The RNAME field SHOULD contain the mailbox of the person responsible The RNAME field SHOULD contain the mailbox of the person responsible
for administering this Hybrid Proxy device. for administering this Discovery Proxy device.
The SERIAL field MUST be zero. The SERIAL field MUST be zero.
Zone transfers are undefined for Hybrid Proxy zones, and consequently Zone transfers are undefined for Discovery Proxy zones, and
the REFRESH, RETRY and EXPIRE fields have no useful meaning for consequently the REFRESH, RETRY and EXPIRE fields have no useful
Hybrid Proxy zones. These fields SHOULD contain reasonable default meaning for Discovery Proxy zones. These fields SHOULD contain
values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE reasonable default values. The RECOMMENDED values are: REFRESH 7200,
86400. RETRY 3600, EXPIRE 86400.
The MINIMUM field (used to control the lifetime of negative cache The MINIMUM field (used to control the lifetime of negative cache
entries) SHOULD contain the value 10. The value of ten seconds is entries) SHOULD contain the value 10. The value of ten seconds is
chosen based on user experience considerations (see Section 5.5.1). chosen based on user-experience considerations (see Section 5.5.1).
In the event that there are multiple Hybrid Proxy devices on a link In the event that there are multiple Discovery Proxy devices on a
for fault tolerance reasons, this will result in clients receiving link for fault tolerance reasons, this will result in clients
inconsistent SOA records (different MNAME, and possibly RNAME) receiving inconsistent SOA records (different MNAME, and possibly
depending on which Hybrid Proxy answers their SOA query. However, RNAME) depending on which Discovery Proxy answers their SOA query.
since clients generally have no reason to use the MNAME or RNAME However, since clients generally have no reason to use the MNAME or
data, this is unlikely to cause any problems. RNAME data, this is unlikely to cause any problems.
6.2. DNS NS Records 6.2. DNS NS Records
In the event that there are multiple Hybrid Proxy devices on a link In the event that there are multiple Discovery Proxy devices on a
for fault tolerance reasons, the parent zone MUST be configured with link for fault tolerance reasons, the parent zone MUST be configured
glue records giving the names and addresses of all the Hybrid Proxy with glue records giving the names and addresses of all the Discovery
devices on the link. Proxy devices on the link.
Each Hybrid Proxy device MUST be configured with its own NS record, Each Discovery Proxy device MUST be configured with its own NS
and with the NS records of its fellow Hybrid Proxy devices on the record, and with the NS records of its fellow Discovery Proxy devices
same link, so that it can return the correct answers for NS queries. on the same link, so that it can return the correct answers for NS
queries.
6.3. DNS SRV Records 6.3. DNS SRV Records
In the event that a Hybrid Proxy implements LLQ [I-D.sekar-dns-llq] In the event that a Discovery Proxy implements Long-Lived Queries
and/or DNS Push Notifications [I-D.ietf-dnssd-push] (as most SHOULD) [LLQ] and/or DNS Push Notifications [PUSH] (as most SHOULD) they MUST
they MUST generate answers for the appropriate corresponding _dns- generate answers for the appropriate corresponding
llq._udp.<zone> and/or _dns-push-tls._tcp.<zone> SRV record queries. _dns-llq._udp.<zone> and/or _dns-push-tls._tcp.<zone> SRV record
These records are conceptually inserted into the namespace of the queries. These records are conceptually inserted into the namespace
corresponding zones. They do not exist in the ".local" namespace of of the corresponding zones. They do not exist in the ".local"
the local link. namespace of the local link.
7. DNSSEC Issues 7. DNSSEC Considerations
7.1. On-line signing only 7.1. On-line signing only
Auth server must possess key, to generate signed data from mDNS The Discovery Proxy acts as the authoritative name server for
responses. Therefore off-line signing not applicable to Hybrid designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to possess a copy of the signing keys, in order to
generate authoritative signed data from the local Multicast DNS
responses it receives. Off-line signing not applicable to Discovery
Proxy. Proxy.
7.2. NSEC and NSEC3 Records 7.2. NSEC and NSEC3 Records
In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
of certain names, also described as "authenticated denial of of certain names, also described as "authenticated denial of
existence". existence".
Since a Hybrid Proxy only knows what names exist on the local link by Since a Discovery Proxy only knows what names exist on the local link
issuing queries for them, and since it would be impractical to issue by issuing queries for them, and since it would be impractical to
queries for every possible name just to find out which names exist issue queries for every possible name just to find out which names
and which do not, a Hybrid Proxy cannot programatically synthesize exist and which do not, a Discovery Proxy cannot programatically
the traditional NSEC and NSEC3 records which assert the nonexistence synthesize the traditional NSEC and NSEC3 records which assert the
of a large range names. Instead, when generating a negative nonexistence of a large range names. Instead, when generating a
response, a Hybrid Proxy programatically synthesizes a single NSEC negative response, a Discovery Proxy programatically synthesizes a
record assert the nonexistence of just the specific name queried, and single NSEC record assert the nonexistence of just the specific name
no others. Since the Hybrid Proxy has the zone signing key, it can queried, and no others. Since the Discovery Proxy has the zone
do this on demand. Since the NSEC record asserts the nonexistence of signing key, it can do this on demand. Since the NSEC record asserts
only a single name, zone walking is not a concern, so NSEC3 is not the nonexistence of only a single name, zone walking is not a
necessary. concern, so NSEC3 is not necessary.
Note that this applies only to traditional immediate DNS queries, Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when no immediate which may return immediate negative answers when no immediate
positive answer is available. When used with a DNS Push Notification positive answer is available. When used with a DNS Push Notification
subscription [I-D.ietf-dnssd-push] there are no negative answers, subscription [PUSH] there are no negative answers, merely the absence
merely the absence of answers so far, which may change in the future of answers so far, which may change in the future if answers become
if answers become available. available.
8. IPv6 Considerations 8. IPv6 Considerations
An IPv6-only host and an IPv4-only host behave as "ships that pass in An IPv6-only host and an IPv4-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet [802.3], neither the night". Even if they are on the same Ethernet [IEEE-3], neither
is aware of the other's traffic. For this reason, each link may have is aware of the other's traffic. For this reason, each link may have
*two* unrelated ".local." zones, one for IPv6 and one for IPv4. *two* unrelated ".local." zones, one for IPv6 and one for IPv4.
Since for practical purposes, a group of IPv6-only hosts and a group Since for practical purposes, a group of IPv6-only hosts and a group
of IPv4-only hosts on the same Ethernet act as if they were on two of IPv4-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments. really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these It will be desirable to have a mechanism to 'stitch' together these
two unrelated ".local." zones so that they appear as one. Such two unrelated ".local." zones so that they appear as one. Such
mechanism will need to be able to differentiate between a dual-stack mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different (v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv6-only and the other IPv4-only, which are both trying hosts, one IPv6-only and the other IPv4-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a to use the same name(s). Such a mechanism will be specified in a
future companion document. future companion document.
At present, it is RECOMMENDED that a Hybrid Proxy be configured with At present, it is RECOMMENDED that a Discovery Proxy be configured
a single domain name for both the IPv4 and IPv6 ".local." zones on with a single domain name for both the IPv4 and IPv6 ".local." zones
the local link, and when a unicast query is received, it should issue on the local link, and when a unicast query is received, it should
Multicast DNS queries using both IPv4 and IPv6 on the local link, and issue Multicast DNS queries using both IPv4 and IPv6 on the local
then combine the results. link, and then combine the results.
9. Security Considerations 9. Security Considerations
9.1. Authenticity 9.1. Authenticity
A service proves its presence on a link by its ability to answer A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is link-local multicast queries on that link. If greater security is
desired, then the Hybrid Proxy mechanism should not be used, and desired, then the Discovery Proxy mechanism should not be used, and
something with stronger security should be used instead, such as something with stronger security should be used instead, such as
authenticated secure DNS Update [RFC2136] [RFC3007]. authenticated secure DNS Update [RFC2136] [RFC3007].
9.2. Privacy 9.2. Privacy
The Domain Name System is, generally speaking, a global public The Domain Name System is, generally speaking, a global public
database. Records that exist in the Domain Name System name database. Records that exist in the Domain Name System name
hierarchy can be queried by name from, in principle, anywhere in the hierarchy can be queried by name from, in principle, anywhere in the
world. If services on a mobile device (like a laptop computer) are world. If services on a mobile device (like a laptop computer) are
made visible via the Hybrid Proxy mechanism, then when those services made visible via the Discovery Proxy mechanism, then when those
become visible in a domain such as "My House.example.com" that might services become visible in a domain such as "My House.example.com"
indicate to (potentially hostile) observers that the mobile device is that might indicate to (potentially hostile) observers that the
in my house. When those services disappear from mobile device is in my house. When those services disappear from
"My House.example.com" that change could be used by observers to "My House.example.com" that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using the house. The privacy of this information may be protected using
techniques like firewalls and split-view DNS, as are customarily used techniques like firewalls, split-view DNS, and Virtual Private
today to protect the privacy of corporate DNS information. Networks (VPNs), as are customarily used today to protect the privacy
of corporate DNS information.
The Hybrid Proxy could also provide sensitive records only to The Discovery Proxy could also provide sensitive records only to
authenticated users. This is a general DNS problem, not specific to authenticated users. This is a general DNS problem, not specific to
the Hybrid Proxy. Work is underway in the IETF to tackle this the Discovery Proxy. Work is underway in the IETF to tackle this
problem [RFC7626]. problem [RFC7626].
9.3. Denial of Service 9.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local corresponding Multicast DNS queries on one or more of its local
links. Multicast traffic is generally more expensive than unicast links. Multicast traffic is generally more expensive than unicast
traffic -- especially on Wi-Fi links -- which makes this attack traffic -- especially on Wi-Fi links -- which makes this attack
particularly serious. To limit the damage that can be caused by such particularly serious. To limit the damage that can be caused by such
attacks, a Hybrid Proxy (or the underlying Multicast DNS subsystem attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem
which it utilizes) MUST implement Multicast DNS query rate limiting which it utilizes) MUST implement Multicast DNS query rate limiting
appropriate to the link technology in question. For today's 802.11b/ appropriate to the link technology in question. For today's
g/n/ac Wi-Fi links (for which approximately 200 multicast packets per 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
second is sufficient to consume approximately 100% of the wireless packets per second is sufficient to consume approximately 100% of the
spectrum) a limit of 20 Multicast DNS query packets per second is wireless spectrum) a limit of 20 Multicast DNS query packets per
RECOMMENDED. On other link technologies like Gigabit Ethernet higher second is RECOMMENDED. On other link technologies like Gigabit
limits may be appropriate. A consequence of this rate limiting is Ethernet higher limits may be appropriate. A consequence of this
that a rogue remote client could issue an excessive number of rate limiting is that a rogue remote client could issue an excessive
queries, resuling in denial of service to other remote clients number of queries, resuling in denial of service to other remote
attempting to use that Hybrid Proxy. However, this is preferable to clients attempting to use that Discovery Proxy. However, this is
a rogue remote client being able to inflict even greater harm on the preferable to a rogue remote client being able to inflict even
local network, which could impact the correct operation of all local greater harm on the local network, which could impact the correct
clients on that network. operation of all local clients on that network.
10. Intelectual Property Rights 10. Intelectual Property Rights
Apple has submitted an IPR disclosure concerning the technique Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on the IETF IPR proposed in this document. Details are available on the IETF IPR
disclosure page [IPR2119]. disclosure page [IPR2119].
11. IANA Considerations 11. IANA Considerations
This document has no IANA Considerations. This document has no IANA Considerations.
skipping to change at page 27, line 31 skipping to change at page 33, line 23
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>. <http://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<http://www.rfc-editor.org/info/rfc2308>. <http://www.rfc-editor.org/info/rfc2308>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
November 2003, <http://www.rfc-editor.org/info/rfc3629>. 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, DOI 10.17487/RFC3927, May 2005,
<http://www.rfc-editor.org/info/rfc3927>. <http://www.rfc-editor.org/info/rfc3927>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, DOI 10.17487/ Address Autoconfiguration", RFC 4862,
RFC4862, September 2007, DOI 10.17487/RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>. <http://www.rfc-editor.org/info/rfc4862>.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
<http://www.rfc-editor.org/info/rfc5198>. <http://www.rfc-editor.org/info/rfc5198>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
December 2012. December 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, December 2012. Discovery", RFC 6763, December 2012.
[I-D.ietf-dnssd-push] [PUSH] Pusateri, T. and S. Cheshire, "DNS Push Notifications",
Pusateri, T. and S. Cheshire, "DNS Push Notifications",
draft-ietf-dnssd-push-09 (work in progress), October 2016. draft-ietf-dnssd-push-09 (work in progress), October 2016.
13.2. Informative References 13.2. Informative References
[HOME] Cheshire, S., "Special Use Top Level Domain 'home'", [HOME] Cheshire, S., "Special Use Top Level Domain 'home'",
draft-cheshire-homenet-dot-home (work in progress), draft-cheshire-homenet-dot-home (work in progress),
November 2015. November 2015.
[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid [IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
Unicast/Multicast DNS-Based Service Discovery", Unicast/Multicast DNS-Based Service Discovery",
<https://datatracker.ietf.org/ipr/2119/>. <https://datatracker.ietf.org/ipr/2119/>.
[ohp] "Hybrid Proxy implementation for OpenWrt", [ohp] "Discovery Proxy (Hybrid Proxy) implementation for
<https://github.com/sbyx/ohybridproxy/>. OpenWrt", <https://github.com/sbyx/ohybridproxy/>.
[I-D.sekar-dns-llq] [LLQ] Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-
Sekar, K., "DNS Long-Lived Queries", llq-01 (work in progress), August 2006.
draft-sekar-dns-llq-01 (work in progress), August 2006.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<http://www.rfc-editor.org/info/rfc2132>. <http://www.rfc-editor.org/info/rfc2132>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <http://www.rfc-editor.org/info/rfc2136>.
skipping to change at page 29, line 16 skipping to change at page 35, line 6
"Requirements for Scalable DNS-Based Service Discovery "Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558, (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015, DOI 10.17487/RFC7558, July 2015,
<http://www.rfc-editor.org/info/rfc7558>. <http://www.rfc-editor.org/info/rfc7558>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015, DOI 10.17487/RFC7626, August 2015,
<http://www.rfc-editor.org/info/rfc7626>. <http://www.rfc-editor.org/info/rfc7626>.
[RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", RFC 7788, DOI 10.17487/RFC7788, Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
April 2016, <http://www.rfc-editor.org/info/rfc7788>. 2016, <http://www.rfc-editor.org/info/rfc7788>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol [RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
to Replace the AppleTalk Name Binding Protocol (NBP)", to Replace the AppleTalk Name Binding Protocol (NBP)",
RFC 6760, December 2012. RFC 6760, December 2012.
[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration [ZC] Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. , Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, December 2005. ISBN 0-596-10100-7, December 2005.
[802.1Q] "IEEE Standard for Local and metropolitan area networks -- [IEEE-1Q] "IEEE Standard for Local and metropolitan area networks --
Bridges and Bridged Networks", IEEE Std 802.1Q-2014, Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
November 2014, <http://standards.ieee.org/getieee802/ November 2014, <http://standards.ieee.org/getieee802/
download/802-1Q-2014.pdf>. download/802-1Q-2014.pdf>.
[802.3] "Information technology - Telecommunications and [IEEE-3] "Information technology - Telecommunications and
information exchange between systems - Local and information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part metropolitan area networks - Specific requirements - Part
3: Carrier Sense Multiple Access with Collision Detection 3: Carrier Sense Multiple Access with Collision Detection
(CMSA/CD) Access Method and Physical Layer (CMSA/CD) Access Method and Physical Layer
Specifications", IEEE Std 802.3-2008, December 2008, Specifications", IEEE Std 802.3-2008, December 2008,
<http://standards.ieee.org/getieee802/802.3.html>. <http://standards.ieee.org/getieee802/802.3.html>.
[802.5] "ISO/IEC 8802-5 Information technology - [IEEE-5] Institute of Electrical and Electronics Engineers,
Telecommunications and information exchange between "Information technology - Telecommunications and
systems - Local and metropolitan area networks - Common information exchange between systems - Local and
specifications - Part 5: Token ring access method and metropolitan area networks - Specific requirements - Part
physical layer specifications, (also ANSI/IEEE Std 802.5- 5: Token ring access method and physical layer
1998), 1998.", IEEE Std 802.5-1998, October 1998, specification", IEEE Std 802.5-1998, 1995.
<http://www.iso.org/iso/catalogue_detail?csnumber=29923/>.
[802.11] "Information technology - Telecommunications and [IEEE-11] "Information technology - Telecommunications and
information exchange between systems - Local and information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part metropolitan area networks - Specific requirements - Part
11: Wireless LAN Medium Access Control (MAC) and Physical 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2007, Layer (PHY) Specifications", IEEE Std 802.11-2007, June
June 2007, 2007, <http://standards.ieee.org/getieee802/802.11.html>.
<http://standards.ieee.org/getieee802/802.11.html>.
Appendix A. Implementation Status Appendix A. Implementation Status
Some aspects of the mechanism specified in this document already Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new. outlines which aspects already exist and which are new.
A.1. Already Implemented and Deployed A.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is Domain enumeration by the client (the "b._dns-sd._udp" queries) is
skipping to change at page 30, line 35 skipping to change at page 36, line 33
Domain enumeration and unicast querying have been used for several Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When an IETF attendee presses Cmd-P from outside the Terminal room. When an IETF attendee presses Cmd-P
on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal
room printers appear, that is because the client is sending unicast room printers appear, that is because the client is sending unicast
DNS queries to the IETF DNS servers. DNS queries to the IETF DNS servers.
A.2. Already Implemented A.2. Already Implemented
A minimal portable Hybrid Proxy implementation has been produced by A minimal portable Discovery Proxy implementation has been produced
Markus Stenberg and Steven Barth, which runs on OS X and several by Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the Linux variants including OpenWrt [ohp]. It was demonstrated at the
Berlin IETF in July 2013. Berlin IETF in July 2013.
Tom Pusateri also has an implementation that runs on any Unix/Linux. Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo It has a RESTful interface for management and an experimental demo
CLI and web interface. CLI and web interface.
A.3. Partially Implemented A.3. Partially Implemented
The current APIs make multiple domains visible to client software, The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Hybrid UI code when few customers today would benefit from it. If Discovery
Proxy deployment becomes common, then application writers will have a Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with reason to provide better UI. Existing applications will work with
the Hybrid Proxy, but will show all services in a single flat list. the Discovery Proxy, but will show all services in a single flat
Applications with improved UI will group services by domain. list. Applications with improved UI will group services by domain.
The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in The Long-Lived Query mechanism [LLQ] referred to in this
this specification exists and is deployed, but has not been specification exists and is deployed, but has not been standardized
standardized by the IETF. The IETF is considering standardizing a by the IETF. The IETF is considering standardizing a superior Long-
superior Long-Lived Query mechanism called DNS Push Notifications Lived Query mechanism called DNS Push Notifications [PUSH]. The
[I-D.ietf-dnssd-push]. The pragmatic short-term deployment approach pragmatic short-term deployment approach is for vendors to produce
is for vendors to produce Hybrid Proxies that implement both the Discovery Proxies that implement both the deployed Long-Lived Query
deployed Long-Lived Query mechanism [I-D.sekar-dns-llq] (for today's mechanism [LLQ] (for today's clients) and the new DNS Push
clients) and the new DNS Push Notifications mechanism Notifications mechanism [PUSH] as the preferred long-term direction.
[I-D.ietf-dnssd-push] as the preferred long-term direction.
The translating/filtering Hybrid Proxy specified in this document. The translating/filtering Discovery Proxy specified in this document.
Implementations are under development, and operational experience Implementations are under development, and operational experience
with these implementations has guided updates to this document. with these implementations has guided updates to this document.
A.4. Not Yet Implemented A.4. Not Yet Implemented
Client implementations of the new DNS Push Notifications mechanism Client implementations of the new DNS Push Notifications mechanism
[I-D.ietf-dnssd-push] are currently underway. [PUSH] are currently underway.
A mechanism to 'stitch' together multiple ".local." zones so that A mechanism to 'stitch' together multiple ".local." zones so that
they appear as one. Such a stitching mechanism will be specified in they appear as one. Such a stitching mechanism will be specified in
a future companion document. This stitching mechanism addresses the a future companion document. This stitching mechanism addresses the
issue that if a printer is physically moved from one link to another, issue that if a printer is physically moved from one link to another,
then conceptually the old service has disappeared from the DNS then conceptually the old service has disappeared from the DNS
namespace, and a new service with a similar name has appeared. This namespace, and a new service with a similar name has appeared. This
stitching mechanism will allow a service to change its point of stitching mechanism will allow a service to change its point of
attachment without changing the name by which it can be found. attachment without changing the name by which it can be found.
 End of changes. 122 change blocks. 
420 lines changed or deleted 428 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/