draft-ietf-dnssd-hybrid-10.txt   rfc8766.txt 
Internet Engineering Task Force S. Cheshire Internet Engineering Task Force (IETF) S. Cheshire
Internet-Draft Apple Inc. Request for Comments: 8766 Apple Inc.
Intended status: Standards Track March 24, 2019 Category: Standards Track June 2020
Expires: September 25, 2019 ISSN: 2070-1721
Discovery Proxy for Multicast DNS-Based Service Discovery Discovery Proxy for Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-10
Abstract Abstract
This document specifies a network proxy that uses Multicast DNS to This document specifies a network proxy that uses Multicast DNS to
automatically populate the wide-area unicast Domain Name System automatically populate the wide-area unicast Domain Name System
namespace with records describing devices and services found on the namespace with records describing devices and services found on the
local link. local link.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on September 25, 2019. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8766.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Operational Analogy . . . . . . . . . . . . . . . . . . . . . 6 2. Operational Analogy
3. Conventions and Terminology Used in this Document . . . . . . 7 3. Conventions and Terminology Used in This Document
4. Compatibility Considerations . . . . . . . . . . . . . . . . 7 4. Compatibility Considerations
5. Discovery Proxy Operation . . . . . . . . . . . . . . . . . . 8 5. Discovery Proxy Operation
5.1. Delegated Subdomain for Service Discovery Records . . . . 9 5.1. Delegated Subdomain for DNS-based Service Discovery Records
5.2. Domain Enumeration . . . . . . . . . . . . . . . . . . . 11 5.2. Domain Enumeration
5.2.1. Domain Enumeration via Unicast Queries . . . . . . . 11 5.2.1. Domain Enumeration via Unicast Queries
5.2.2. Domain Enumeration via Multicast Queries . . . . . . 13 5.2.2. Domain Enumeration via Multicast Queries
5.3. Delegated Subdomain for LDH Host Names . . . . . . . . . 14 5.3. Delegated Subdomain for LDH Host Names
5.4. Delegated Subdomain for Reverse Mapping . . . . . . . . . 16 5.4. Delegated Subdomain for Reverse Mapping
5.5. Data Translation . . . . . . . . . . . . . . . . . . . . 18 5.5. Data Translation
5.5.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . 18 5.5.1. DNS TTL Limiting
5.5.2. Suppressing Unusable Records . . . . . . . . . . . . 19 5.5.2. Suppressing Unusable Records
5.5.3. NSEC and NSEC3 queries . . . . . . . . . . . . . . . 20 5.5.3. NSEC and NSEC3 Queries
5.5.4. No Text Encoding Translation . . . . . . . . . . . . 20 5.5.4. No Text-Encoding Translation
5.5.5. Application-Specific Data Translation . . . . . . . . 21 5.5.5. Application-Specific Data Translation
5.6. Answer Aggregation . . . . . . . . . . . . . . . . . . . 23 5.6. Answer Aggregation
6. Administrative DNS Records . . . . . . . . . . . . . . . . . 27 6. Administrative DNS Records
6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 27 6.1. DNS SOA (Start of Authority) Record
6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . 28 6.2. DNS NS Records
6.3. DNS Delegation Records . . . . . . . . . . . . . . . . . 28 6.3. DNS Delegation Records
6.4. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 29 6.4. DNS SRV Records
7. DNSSEC Considerations . . . . . . . . . . . . . . . . . . . . 30 6.5. Domain Enumeration Records
7.1. On-line signing only . . . . . . . . . . . . . . . . . . 30 7. DNSSEC Considerations
7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . 30 7.1. Online Signing Only
8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 31 7.2. NSEC and NSEC3 Records
9. Security Considerations . . . . . . . . . . . . . . . . . . . 32 8. IPv6 Considerations
9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . 32 9. Security Considerations
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 32 9.1. Authenticity
9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 32 9.2. Privacy
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 9.3. Denial of Service
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33 10. IANA Considerations
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 11. References
12.1. Normative References . . . . . . . . . . . . . . . . . . 34 11.1. Normative References
12.2. Informative References . . . . . . . . . . . . . . . . . 35 11.2. Informative References
Appendix A. Implementation Status . . . . . . . . . . . . . . . 38 Appendix A. Implementation Status
A.1. Already Implemented and Deployed . . . . . . . . . . . . 38 A.1. Already Implemented and Deployed
A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 38 A.2. Already Implemented
A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 39 A.3. Partially Implemented
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 39 Acknowledgments
Author's Address
1. Introduction 1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was with the ease of use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC] [Roadmap]. well known [RFC6760] [ZC] [ROADMAP].
For a small home network consisting of just a single link (or a few For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link physical links bridged together to appear as a single logical link
from the point of view of IP) Multicast DNS [RFC6762] is sufficient from the point of view of IP), Multicast DNS [RFC6762] is sufficient
for client devices to look up the ".local" host names of peers on the for client devices to look up the ".local" host names of peers on the
same home network, and to use Multicast DNS-Based Service Discovery same home network, and to use Multicast DNS-based Service Discovery
(DNS-SD) [RFC6763] to discover services offered on that home network. (DNS-SD) [RFC6763] to discover services offered on that home network.
For a larger network consisting of multiple links that are For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, are not propagated onto other Multicast DNS packets, by design, are not propagated onto other
links. links.
Using link-local multicast packets for Multicast DNS was a conscious Using link-local multicast packets for Multicast DNS was a conscious
design choice [RFC6762]. Even when limited to a single link, design choice [RFC6762]. Even when limited to a single link,
multicast traffic is still generally considered to be more expensive multicast traffic is still generally considered to be more expensive
than unicast, because multicast traffic impacts many devices, instead than unicast, because multicast traffic impacts many devices instead
of just a single recipient. In addition, with some technologies like of just a single recipient. In addition, with some technologies like
Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and
less reliable than unicast, because Wi-Fi multicast traffic is sent less reliable than unicast, because Wi-Fi multicast traffic is sent
at lower data rates, and is not acknowledged [Mcast]. Increasing the at lower data rates, and is not acknowledged [MCAST]. Increasing the
amount of expensive multicast traffic by flooding it across multiple amount of expensive multicast traffic by flooding it across multiple
links would make the traffic load even worse. links would make the traffic load even worse.
Partitioning the network into many small links curtails the spread of Partitioning the network into many small links curtails the spread of
expensive multicast traffic, but limits the discoverability of expensive multicast traffic but limits the discoverability of
services. At the opposite end of the spectrum, using a very large services. At the opposite end of the spectrum, using a very large
local link with thousands of hosts enables better service discovery, local link with thousands of hosts enables better service discovery
but at the cost of larger amounts of multicast traffic. but at the cost of larger amounts of multicast traffic.
Performing DNS-Based Service Discovery using purely Unicast DNS is Performing DNS-based Service Discovery using purely Unicast DNS is
more efficient and doesn't require large multicast domains, but does more efficient and doesn't require large multicast domains but does
require that the relevant data be available in the Unicast DNS require that the relevant data be available in the Unicast DNS
namespace. The Unicast DNS namespace in question could fall within a namespace. The Unicast DNS namespace in question could fall within a
traditionally assigned globally unique domain name, or could use a traditionally assigned globally unique domain name, or it could be
private local unicast domain name such as ".home.arpa" [RFC8375]. within a private local unicast domain name such as ".home.arpa"
[RFC8375].
In the DNS-SD specification [RFC6763], Section 10 ("Populating the In the DNS-SD specification [RFC6763], Section 10 ("Populating the
DNS with Information") discusses various possible ways that a DNS with Information") discusses various possible ways that a
service's PTR, SRV, TXT and address records can make their way into service's PTR, SRV, TXT, and address records can make their way into
the Unicast DNS namespace, including manual zone file configuration the Unicast DNS namespace, including manual zone file configuration
[RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007], and proxies of
[RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of
various kinds. various kinds.
Making the relevant data available in the Unicast DNS namespace by One option is to make the relevant data available in the Unicast DNS
manual DNS configuration is one option. This option has been used namespace by manual DNS configuration. This option has been used for
for many years at IETF meetings to advertise the IETF Terminal Room many years at IETF meetings to advertise the IETF terminal room
printer. Details of this example are given in Appendix A of the printer. Details of this example are given in Appendix A of the
Roadmap document [Roadmap]. However, this manual DNS configuration Roadmap document [ROADMAP]. However, this manual DNS configuration
is labor intensive, error prone, and requires a reasonable degree of is labor intensive, error prone, and requires a reasonable degree of
DNS expertise. DNS expertise.
Populating the Unicast DNS namespace via DNS Update by the devices Another option is to populate the Unicast DNS namespace by having the
offering the services themselves is another option [RegProt] devices offering the services do that themselves, using DNS Update
[DNS-UL]. However, this requires configuration of DNS Update keys on [REG-PROT] [DNS-UL]. However, this requires configuration of DNS
those devices, which has proven onerous and impractical for simple Update keys on those devices, which has proven onerous and
devices like printers and network cameras. impractical for simple devices like printers and network cameras.
Hence, to facilitate efficient and reliable DNS-Based Service Hence, to facilitate efficient and reliable DNS-based Service
Discovery, a compromise is needed that combines the ease-of-use of Discovery, a hybrid is needed that combines the ease of use of
Multicast DNS with the efficiency and scalability of Unicast DNS. Multicast DNS with the efficiency and scalability of Unicast DNS.
This document specifies a type of proxy called a "Discovery Proxy" This document specifies a type of proxy called a "Discovery Proxy"
that uses Multicast DNS [RFC6762] to discover Multicast DNS records that uses Multicast DNS [RFC6762] to discover Multicast DNS records
on its local link, and makes corresponding DNS records visible in the on its local link on demand, and makes corresponding DNS records
Unicast DNS namespace. visible in the Unicast DNS namespace.
In principle, similar mechanisms could be defined using other local In principle, similar mechanisms could be defined for other local
service discovery protocols, to discover local information and then discovery protocols, by creating a proxy that (i) uses the protocol
make corresponding DNS records visible in the Unicast DNS namespace. in question to discover local information on demand, and then (ii)
Such mechanisms for other local service discovery protocols could be makes corresponding DNS records visible in the Unicast DNS namespace.
Such mechanisms for other local discovery protocols could be
addressed in future documents. addressed in future documents.
The design of the Discovery Proxy is guided by the previously The design of the Discovery Proxy is guided by the previously
published requirements document [RFC7558]. published DNS-based Service Discovery requirements document
[RFC7558].
In simple terms, a descriptive DNS name is chosen for each link in an In simple terms, a descriptive DNS name is chosen for each link in an
organization. Using a DNS NS record, responsibility for that DNS organization. Using a DNS NS record, responsibility for that DNS
name is delegated to a Discovery Proxy physically attached to that name is delegated to a Discovery Proxy physically attached to that
link. Now, when a remote client issues a unicast query for a name link. When a remote client issues a unicast query for a name falling
falling within the delegated subdomain, the normal DNS delegation within the delegated subdomain, the normal DNS delegation mechanism
mechanism results in the unicast query arriving at the Discovery results in the unicast query arriving at the Discovery Proxy, since
Proxy, since it has been declared authoritative for those names. it has been declared authoritative for those names. Now, instead of
Now, instead of consulting a textual zone file on disk to discover consulting a textual zone file on disk to discover the answer to the
the answer to the query, as a traditional DNS server would, a query as a traditional authoritative DNS server would, a Discovery
Discovery Proxy consults its local link, using Multicast DNS, to find Proxy consults its local link, using Multicast DNS, to find the
the answer to the question. answer to the question.
For fault tolerance reasons there may be more than one Discovery For fault tolerance reasons, there may be more than one Discovery
Proxy serving a given link. Proxy serving a given link.
Note that the Discovery Proxy uses a "pull" model. The local link is Note that the Discovery Proxy uses a "pull" model. Until some remote
not queried using Multicast DNS until some remote client has client has requested data, the local link is not queried using
requested that data. In the idle state, in the absence of client Multicast DNS. In the idle state, in the absence of client requests,
requests, the Discovery Proxy sends no packets and imposes no burden the Discovery Proxy sends no packets and imposes no burden on the
on the network. It operates purely "on demand". network. It operates purely "on demand".
An alternative proposal that has been discussed is a proxy that An alternative proposal that has been discussed is a proxy that
performs DNS updates to a remote DNS server on behalf of the performs DNS updates to a remote DNS server on behalf of the
Multicast DNS devices on the local network. The difficulty with this Multicast DNS devices on the local network. The difficulty with this
is is that Multicast DNS devices do not routinely announce their is that Multicast DNS devices do not routinely announce their records
records on the network. Generally they remain silent until queried. on the network. Generally, they remain silent until queried. This
This means that the complete set of Multicast DNS records in use on a means that the complete set of Multicast DNS records in use on a link
link can only be discovered by active querying, not by passive can only be discovered by active querying, not by passive listening.
listening. Because of this, a proxy can only know what names exist Because of this, a proxy can only know what names exist on a link by
on a link by issuing queries for them, and since it would be issuing queries for them, and since it would be impractical to issue
impractical to issue queries for every possible name just to find out queries for every possible name just to find out which names exist
which names exist and which do not, there is no reasonable way for a and which do not, there is no reasonable way for a proxy to
proxy to programmatically learn all the answers it would need to push programmatically learn all the answers it would need to push up to
up to the remote DNS server using DNS Update. Even if such a the remote DNS server using DNS Update. Even if such a mechanism
mechanism were possible, it would risk generating high load on the were possible, it would risk generating high load on the network
network continuously, even when there are no clients with any continuously, even when there are no clients with any interest in
interest in that data. that data.
Hence, having a model where the query comes to the Discovery Proxy is Hence, having a model where the query comes to the Discovery Proxy is
much more efficient than a model where the Discovery Proxy pushes the much more efficient than a model where the Discovery Proxy pushes the
answers out to some other remote DNS server. answers out to some other remote DNS server.
A client seeking to discover services and other information achieves A client seeking to discover services and other information performs
this by sending traditional DNS queries to the Discovery Proxy, or by this by sending traditional DNS queries to the Discovery Proxy or by
sending DNS Push Notification subscription requests [Push]. sending DNS Push Notification subscription requests [RFC8765].
How a client discovers what domain name(s) to use for its service How a client discovers what domain name(s) to use for its DNS-based
discovery queries, (and consequently what Discovery Proxy or Proxies Service Discovery queries (and, consequently, what Discovery Proxy or
to use) is described in Section 5.2. Proxies to use) is described in Section 5.2.
The diagram below illustrates a network topology using a Discovery The diagram below illustrates a network topology using a Discovery
Proxy to provide discovery service to a remote client. Proxy to provide discovery service to a remote client.
+--------+ Unicast +-----------+ +---------+ +---------+ +--------+ Unicast +-----------+ +---------+ +---------+
| Remote | Communcation | Discovery | | Network | | Network | | Remote | Communication | Discovery | | Network | | Network |
| Client |---- . . . -----| Proxy | | Printer | | Camera | | Client |---- . . . ----| Proxy | | Printer | | Camera |
+--------+ +-----------+ +---------+ +---------+ +--------+ +-----------+ +---------+ +---------+
| | | | | | |
-------------------------------------------- ------------ --------------------------------------------
Multicast-capable LAN segment (e.g., Ethernet) Multicast-capable LAN segment (e.g., Ethernet)
Figure 1: Example Deployment
Note that there need not be any Discovery Proxy on the link to which
the remote client is directly attached. The remote client
communicates directly with the Discovery Proxy using normal unicast
TCP/IP communication mechanisms, potentially spanning multiple IP
hops, possibly including VPN tunnels and other similar long-distance
communication channels.
2. Operational Analogy 2. Operational Analogy
A Discovery Proxy does not operate as a multicast relay, or multicast A Discovery Proxy does not operate as a multicast relay or multicast
forwarder. There is no danger of multicast forwarding loops that forwarder. There is no danger of multicast forwarding loops that
result in traffic storms, because no multicast packets are forwarded. result in traffic storms, because no multicast packets are forwarded.
A Discovery Proxy operates as a *proxy* for a remote client, A Discovery Proxy operates as a _proxy_ for remote clients,
performing queries on its behalf and reporting the results back. performing queries on their behalf and reporting the results back.
A reasonable analogy is making a telephone call to a colleague at A reasonable analogy is making a telephone call to a colleague at
your workplace and saying, "I'm out of the office right now. Would your workplace and saying, "I'm out of the office right now. Would
you mind bringing up a printer browser window and telling me the you mind bringing up a printer browser window and telling me the
names of the printers you see?" That entails no risk of a forwarding names of the printers you see?" That entails no risk of a forwarding
loop causing a traffic storm, because no multicast packets are sent loop causing a traffic storm, because no multicast packets are sent
over the telephone call. over the telephone call.
A similar analogy, instead of enlisting another human being to A similar analogy, instead of enlisting another human being to
initiate the service discovery operation on your behalf, is to log initiate the service discovery operation on your behalf, is to log in
into your own desktop work computer using screen sharing, and then to your own desktop work computer using screen sharing and then run
run the printer browser yourself to see the list of printers. Or log the printer browser yourself to see the list of printers. Or, log in
in using ssh and type "dns-sd -B _ipp._tcp" and observe the list of using Secure Shell (ssh) and type "dns-sd -B _ipp._tcp" and observe
discovered printer names. In neither case is there any risk of a the list of discovered printer names. In neither case is there any
forwarding loop causing a traffic storm, because no multicast packets risk of a forwarding loop causing a traffic storm, because no
are being sent over the screen sharing or ssh connection. multicast packets are being sent over the screen-sharing or ssh
connection.
The Discovery Proxy provides another way of performing remote The Discovery Proxy provides another way of performing remote
queries, except using a different protocol instead of screen sharing queries, which uses a different protocol instead of screen sharing or
or ssh. ssh. The Discovery Proxy mechanism can be thought of as a custom
Remote Procedure Call (RPC) protocol that allows a remote client to
exercise the Multicast DNS APIs on the Discovery Proxy device, just
as a local client running on the Discovery Proxy device would use
those APIs.
When the Discovery Proxy software performs Multicast DNS operations, When the Discovery Proxy software performs Multicast DNS operations,
the exact same Multicast DNS caching mechanisms are applied as when the exact same Multicast DNS caching mechanisms are applied as when
any other client software on that Discovery Proxy device performs any other client software on that Discovery Proxy device performs
Multicast DNS operations, whether that be running a printer browser Multicast DNS operations, regardless of whether that be running a
client locally, or a remote user running the printer browser client printer browser client locally, a remote user running the printer
via a screen sharing connection, or a remote user logged in via ssh browser client via a screen-sharing connection, a remote user logged
running a command-line tool like "dns-sd", or a remote user sending in via ssh running a command-line tool like "dns-sd", or a remote
DNS requests that cause a Discovery Proxy to perform discovery user sending DNS requests that cause a Discovery Proxy to perform
operations on its behalf. discovery operations on its behalf.
3. Conventions and Terminology Used in this Document 3. Conventions and Terminology Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
and "OPTIONAL" in this document are to be interpreted as described "OPTIONAL" in this document are to be interpreted as described in
in "Key words for use in RFCs to Indicate Requirement Levels", BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
when, and only when, they appear in all capitals, as shown here capitals, as shown here.
[RFC2119] [RFC8174].
The Discovery Proxy builds on Multicast DNS, which works between The Discovery Proxy builds on Multicast DNS, which works between
hosts on the same link. For the purposes of this document a set of hosts on the same link. For the purposes of this document, a set of
hosts is considered to be "on the same link" if: hosts is considered to be "on the same link" if:
o when any host from that set sends a packet to any other host in * when any host from that set sends a packet to any other host in
that set, using unicast, multicast, or broadcast, the entire link- that set, using unicast, multicast, or broadcast, the entire link-
layer packet payload arrives unmodified, and layer packet payload arrives unmodified, and
o a broadcast sent over that link, by any host from that set of * a broadcast sent over that link, by any host from that set of
hosts, can be received by every other host in that set. hosts, can be received by every other host in that set.
The link-layer *header* may be modified, such as in Token Ring Source The link-layer _header_ may be modified, such as in Token Ring Source
Routing [IEEE-5], but not the link-layer *payload*. In particular, Routing [IEEE-5], but not the link-layer _payload_. In particular,
if any device forwarding a packet modifies any part of the IP header if any device forwarding a packet modifies any part of the IP header
or IP payload then the packet is no longer considered to be on the or IP payload, then the packet is no longer considered to be on the
same link. This means that the packet may pass through devices such same link. This means that the packet may pass through devices such
as repeaters, bridges, hubs or switches and still be considered to be as repeaters, bridges, hubs, or switches and still be considered to
on the same link for the purpose of this document, but not through a be on the same link for the purpose of this document, but not through
device such as an IP router that decrements the IP TTL or otherwise a device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header. modifies the IP header.
4. Compatibility Considerations 4. Compatibility Considerations
No changes to existing devices are required to work with a Discovery No changes to existing devices are required to work with a Discovery
Proxy. Proxy.
Existing devices that advertise services using Multicast DNS work Existing devices that advertise services using Multicast DNS work
with Discovery Proxy. with a Discovery Proxy.
Existing clients that support DNS-Based Service Discovery over Existing clients that support DNS-based Service Discovery over
Unicast DNS work with Discovery Proxy. Service Discovery over Unicast DNS work with a Discovery Proxy. DNS-based Service Discovery
Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is over Unicast DNS was introduced in Mac OS X 10.4 Tiger in April 2005
included in Apple products introduced since then, including iPhone and has been included in Apple products introduced since then,
and iPad, as well as products from other vendors, such as Microsoft including the iPhone and iPad. It has also been included in products
Windows 10. from other vendors, such as Microsoft Windows 10.
An overview of the larger collection of related Service Discovery An overview of the larger collection of associated DNS-based Service
technologies, and how Discovery Proxy relates to those, is given in Discovery technologies, and how the Discovery Proxy technology
the Service Discovery Road Map document [Roadmap]. relates to those, is given in the Service Discovery Road Map document
[ROADMAP].
5. Discovery Proxy Operation 5. Discovery Proxy Operation
In a typical configuration, a Discovery Proxy is configured to be In a typical configuration, a Discovery Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, authoritative [RFC1034] [RFC1035] for four or more DNS subdomains,
and authority for these subdomains is delegated to it via NS records: listed below. Authority for these subdomains is delegated from the
parent domain to the Discovery Proxy in the usual way for DNS
delegation, via NS records.
A DNS subdomain for service discovery records. A DNS subdomain for DNS-based Service Discovery records.
This subdomain name may contain rich text, including spaces and This subdomain name may contain rich text, including spaces and
other punctuation. This is because this subdomain name is used other punctuation. This is because this subdomain name is used
only in graphical user interfaces, where rich text is appropriate. only in graphical user interfaces, where rich text is appropriate.
A DNS subdomain for host name records. A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters, digits and This subdomain name SHOULD be limited to letters, digits, and
hyphens, to facilitate convenient use of host names in command- hyphens in order to facilitate the convenient use of host names in
line interfaces. command-line interfaces.
One or more DNS subdomains for IPv4 Reverse Mapping records. One or more DNS subdomains for IPv4 Reverse Mapping records.
These subdomains will have names that ends in "in-addr.arpa." These subdomains will have names that end in "in-addr.arpa".
One or more DNS subdomains for IPv6 Reverse Mapping records. One or more DNS subdomains for IPv6 Reverse Mapping records.
These subdomains will have names that ends in "ip6.arpa." These subdomains will have names that end in "ip6.arpa".
In an enterprise network the naming and delegation of these In an enterprise network, the naming and delegation of these
subdomains is typically performed by conscious action of the network subdomains is typically performed by conscious action of the network
administrator. In a home network naming and delegation would administrator. In a home network, naming and delegation would
typically be performed using some automatic configuration mechanism typically be performed using some automatic configuration mechanism
such as HNCP [RFC7788]. such as Home Networking Control Protocol (HNCP) [RFC7788].
These three varieties of delegated subdomains (service discovery, These three varieties of delegated subdomains (service discovery,
host names, and reverse mapping) are described below in Section 5.1, host names, and reverse mapping) are described below in Sections 5.1,
Section 5.3 and Section 5.4. 5.3, and 5.4.
How a client discovers where to issue its service discovery queries How a client discovers where to issue its DNS-based Service Discovery
is described below in Section 5.2. queries is described in Section 5.2.
5.1. Delegated Subdomain for Service Discovery Records 5.1. Delegated Subdomain for DNS-based Service Discovery Records
In its simplest form, each link in an organization is assigned a In its simplest form, each link in an organization is assigned a
unique Unicast DNS domain name, such as "Building 1.example.com" or unique Unicast DNS domain name such as "Building 1.example.com" or
"2nd Floor.Building 3.example.com". Grouping multiple links under a "2nd Floor.Building 3.example.com". Grouping multiple links under a
single Unicast DNS domain name is to be specified in a future single Unicast DNS domain name is to be specified in a future
companion document, but for the purposes of this document, assume companion document, but for the purposes of this document, assume
that each link has its own unique Unicast DNS domain name. In a that each link has its own unique Unicast DNS domain name. In a
graphical user interface these names are not displayed as strings graphical user interface these names are not displayed as strings
with dots as shown above, but something more akin to a typical file with dots as shown above, but something more akin to a typical file
browser graphical user interface (which is harder to illustrate in a browser graphical user interface (which is harder to illustrate in a
text-only document) showing folders, subfolders and files in a file text-only document) showing folders, subfolders, and files in a file
system. system.
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
| *example.com* | Building 1 | 1st Floor | Alice's printer | | *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer | | | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer | | | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | | | | Building 4 | 4th Floor | |
| | Building 5 | | | | | Building 5 | | |
| | Building 6 | | | | | Building 6 | | |
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
Figure 1: Illustrative GUI Figure 2: Illustrative GUI
Each named link in an organization has one or more Discovery Proxies Each named link in an organization has one or more Discovery Proxies
which serve it. This Discovery Proxy function for each link could be that serve it. This Discovery Proxy function could be performed by a
performed by a device like a router or switch that is physically device like a router or switch that is physically attached to that
attached to that link. In the parent domain, NS records are used to link. In the parent domain, NS records are used to delegate
delegate ownership of each defined link name ownership of each defined link name (e.g., "Building 1.example.com")
(e.g., "Building 1.example.com") to the one or more Discovery Proxies to one or more Discovery Proxies that serve the named link. In other
that serve the named link. In other words, the Discovery Proxies are words, the Discovery Proxies are the authoritative name servers for
the authoritative name servers for that subdomain. As in the rest of that subdomain. As in the rest of DNS-based Service Discovery, all
DNS-Based Service Discovery, all names are represented as-is using names are represented as-is using plain UTF-8 encoding and, as
plain UTF-8 encoding, and, as described in Section 5.5.4, no text described in Section 5.5.4, no text-encoding translations are
encoding translations are performed. performed.
With appropriate VLAN configuration [IEEE-1Q] a single Discovery With appropriate VLAN configuration [IEEE-1Q], a single Discovery
Proxy device could have a logical presence on many links, and serve Proxy device could have a logical presence on many links and serve as
as the Discovery Proxy for all those links. In such a configuration the Discovery Proxy for all those links. In such a configuration,
the Discovery Proxy device would have a single physical Ethernet the Discovery Proxy device would have a single physical Ethernet
[IEEE-3] port, configured as a VLAN trunk port, which would appear to [IEEE-3] port, configured as a VLAN trunk port, which would appear to
software on that device as multiple virtual Ethernet interfaces, one software on that device as multiple virtual Ethernet interfaces, one
connected to each of the VLAN links. connected to each of the VLAN links.
As an alternative to using VLAN technology, using a Multicast DNS As an alternative to using VLAN technology, using a Multicast DNS
Discovery Relay [Relay] is another way that a Discovery Proxy can Discovery Relay [RELAY] is another way that a Discovery Proxy can
have a 'virtual' presence on a remote link. have a "virtual" presence on a remote link.
When a DNS-SD client issues a Unicast DNS query to discover services When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS (e.g., "_ipp._tcp.Building 1.example.com. PTR ?"), the normal DNS
delegation mechanism results in that query being forwarded until it delegation mechanism results in that query being forwarded until it
reaches the delegated authoritative name server for that subdomain, reaches the delegated authoritative name server for that subdomain,
namely the Discovery Proxy on the link in question. Like a namely, the Discovery Proxy on the link in question. Like a
conventional Unicast DNS server, a Discovery Proxy implements the conventional Unicast DNS server, a Discovery Proxy implements the
usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP. usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
However, unlike a conventional Unicast DNS server that generates However, unlike a conventional Unicast DNS server that generates
answers from the data in its manually-configured zone file, a answers from the data in its manually configured zone file, a
Discovery Proxy generates answers using Multicast DNS. A Discovery Discovery Proxy learns answers using Multicast DNS. A Discovery
Proxy does this by consulting its Multicast DNS cache and/or issuing Proxy does this by consulting its Multicast DNS cache and/or issuing
Multicast DNS queries, as appropriate, according to the usual Multicast DNS queries, as appropriate according to the usual protocol
protocol rules of Multicast DNS [RFC6762], for the corresponding rules of Multicast DNS [RFC6762], for the corresponding Multicast DNS
Multicast DNS name, type and class, with the delegated zone part of name, type, and class, with the delegated zone part of the name
the name replaced with ".local" (e.g., in this case, replaced with ".local" (e.g., in this case,
"_printer._tcp.local. PTR ?"). Then, from the received Multicast DNS "_ipp._tcp.local. PTR ?"). Then, from the received Multicast DNS
data, the Discovery Proxy synthesizes the appropriate Unicast DNS data, the Discovery Proxy synthesizes the appropriate Unicast DNS
response, with the ".local" top-level label replaced with with the response, with the ".local" top-level label of the owner name
name of the delegated zone. How long the Discovery Proxy should wait replaced with the name of the delegated zone. Further details of the
to accumulate Multicast DNS responses before sending its unicast name translation rules are described in Section 5.5. Rules
reply is described below in Section 5.6. specifying how long the Discovery Proxy should wait to accumulate
Multicast DNS responses before sending its unicast reply are
described in Section 5.6.
The existing Multicast DNS caching mechanism is used to minimize The existing Multicast DNS caching mechanism is used to minimize
unnecessary Multicast DNS queries on the wire. The Discovery Proxy unnecessary Multicast DNS queries on the wire. The Discovery Proxy
is acting as a client of the underlying Multicast DNS subsystem, and is acting as a client of the underlying Multicast DNS subsystem and
benefits from the same caching and efficiency measures as any other benefits from the same caching and efficiency measures as any other
client using that subsystem. client using that subsystem.
Note that the contents of the delegated zone, generated as it is by Note that the contents of the delegated zone, generated as it is by
performing ".local" Multicast DNS queries, mirrors the records performing ".local" Multicast DNS queries, mirrors the records
available on the local link via Multicast DNS very closely, but not available on the local link via Multicast DNS very closely, but not
precisely. There is not a full bidirectional equivalence between the precisely. There is not a full bidirectional equivalence between the
two. Certain records that are available via Multicast DNS may not two. Certain records that are available via Multicast DNS may not
have equivalents in the delegated zone, possibly because they are have equivalents in the delegated zone possibly because they are
invalid or not relevant in the delegated zone, or because they are invalid or not relevant in the delegated zone or because they are
being supressed because they are unusable outside the local link (see being suppressed because they are unusable outside the local link
Section 5.5.2). Conversely, certain records that appear in the (see Section 5.5.2). Conversely, certain records that appear in the
delegated zone may not have corresponding records available on the delegated zone may not have corresponding records available on the
local link via Multicast DNS. In particular there are certain local link via Multicast DNS. In particular, there are certain
administrative SRV records (see Section 6) that logically fall within administrative SRV records (see Section 6) that logically fall within
the delegated zone, but semantically represent metadata *about* the the delegated zone but semantically represent metadata _about_ the
zone rather than records *within* the zone, and consequently these zone rather than records _within_ the zone. Consequently, these
administrative records in the delegated zone do not have any administrative records in the delegated zone do not have any
corresponding counterparts in the Multicast DNS namespace of the corresponding counterparts in the Multicast DNS namespace of the
local link. local link.
5.2. Domain Enumeration 5.2. Domain Enumeration
A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR
queries, using both unicast and multicast. If it receives a Domain queries, using both unicast and multicast.
Name configuration via DHCP option 15 [RFC2132], then it issues
unicast queries using this domain. It issues unicast queries using If a DNS-SD client receives a Domain Name configuration via DHCP then
names derived from its IPv4 subnet address(es) and IPv6 prefix(es). it issues unicast queries derived from this domain name. It also
These are described below in Section 5.2.1. It also issues multicast issues unicast queries using names derived from its IPv4 subnet
Domain Enumeration queries in the "local" domain [RFC6762]. These address(es) and IPv6 prefix(es). These unicast Domain Enumeration
are described below in Section 5.2.2. The results of all the Domain queries are described in Section 5.2.1. A DNS-SD client also issues
Enumeration queries are combined for Service Discovery purposes. multicast Domain Enumeration queries in the "local" domain [RFC6762],
as described in Section 5.2.2. The results of all the Domain
Enumeration queries are combined for DNS-based Service Discovery
purposes.
5.2.1. Domain Enumeration via Unicast Queries 5.2.1. Domain Enumeration via Unicast Queries
The administrator creates Domain Enumeration PTR records [RFC6763] to The (human or automated) administrator creates Unicast DNS Domain
inform clients of available service discovery domains. Two varieties Enumeration PTR records [RFC6763] to inform clients of available
of such Domain Enumeration PTR records exist; those with names service discovery domains. Two varieties of such Unicast DNS Domain
derived from the domain name communicated to the clients via DHCP, Enumeration PTR records exist: those with names derived from the
and those with names derived from IPv4 subnet address(es) and IPv6 domain name communicated to the clients via DHCP option 15 [RFC2132],
prefix(es) in use by the clients. Below is an example showing the and those with names derived from either IPv4 subnet address(es) or
name-based variety: IPv6 prefix(es) in use by the clients. Below is an example showing
the name-based variety, where the DHCP server configured the client
with the domain name "example.com":
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com. lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The meaning of these records is defined in the DNS Service Discovery The meaning of these records is defined in the DNS-based Service
specification [RFC6763] but for convenience is repeated here. The Discovery specification [RFC6763] but, for convenience, is repeated
"b" ("browse") records tell the client device the list of browsing here. The "b" ("browse") records tell the client device the list of
domains to display for the user to select from. The "db" ("default browsing domains to display for the user to select from. The "db"
browse") record tells the client device which domain in that list ("default browse") record tells the client device which domain in
should be selected by default. The "db" domain MUST be one of the that list should be selected by default. The "db" domain MUST be one
domains in the "b" list; if not then no domain is selected by of the domains in the "b" list; if not, then no domain is selected by
default. The "lb" ("legacy browse") record tells the client device default. The "lb" ("legacy browse") record tells the client device
which domain to automatically browse on behalf of applications that which domain to automatically browse on behalf of applications that
don't implement UI for multi-domain browsing (which is most of them, don't implement user interface for multi-domain browsing (which is
at the time of writing). The "lb" domain is often the same as the most of them at the time of writing). The "lb" domain is often the
"db" domain, or sometimes the "db" domain plus one or more others same as the "db" domain, or sometimes the "db" domain plus one or
that should be included in the list of automatic browsing domains for more others that should be included in the list of automatic browsing
legacy clients. domains for legacy clients.
Note that in the example above, for clarity, space characters in Note that in the example above, for clarity, space characters in
names are shown as actual spaces. If this data is manually entered names are shown as actual spaces. If this data is manually entered
into a textual zone file for authoritative server software such as into a textual zone file for authoritative server software such as
BIND, care must be taken because the space character is used as a BIND, care must be taken because the space character is used as a
field separator, and other characters like dot ('.'), semicolon field separator, and other characters like dot ('.'), semicolon
(';'), dollar ('$'), backslash ('\'), etc., also have special (';'), dollar ('$'), backslash ('\'), etc., also have special
meaning. These characters have to be escaped when entered into a meaning. These characters have to be escaped when entered into a
textual zone file, following the rules in Section 5.1 of the DNS textual zone file, following the rules in Section 5.1 of the DNS
specification [RFC1035]. For example, a literal space in a name is specification [RFC1035]. For example, a literal space in a name is
represented in the textual zone file using '\032', so "Building represented in the textual zone file using '\032', so
1.example.com." is entered as "Building\0321.example.com." "Building 1.example.com" is entered as "Building\0321.example.com".
DNS responses are limited to a maximum size of 65535 bytes. This DNS responses are limited to a maximum size of 65535 bytes. This
limits the maximum number of domains that can be returned for a limits the maximum number of domains that can be returned for a
Domain Enumeration query, as follows: Domain Enumeration query as follows:
A DNS response header is 12 bytes. That's typically followed by a A DNS response header is 12 bytes. That's typically followed by a
single qname (up to 256 bytes) plus qtype (2 bytes) and qclass single qname (up to 256 bytes) plus qtype (2 bytes) and qclass
(2 bytes), leaving 65275 for the Answer Section. (2 bytes), leaving 65275 for the Answer Section.
An Answer Section Resource Record consists of: An Answer Section Resource Record consists of:
o Owner name, encoded as a two-byte compression pointer * Owner name, encoded as a compression pointer, 2 bytes
o Two-byte rrtype (type PTR) * RRTYPE (type PTR), 2 bytes
o Two-byte rrclass (class IN) * RRCLASS (class IN), 2 bytes
o Four-byte ttl * TTL, 4 bytes
o Two-byte rdlength * RDLENGTH, 2 bytes
o rdata (domain name, up to 256 bytes) * RDATA (domain name), up to 256 bytes
This means that each Resource Record in the Answer Section can take This means that each Resource Record in the Answer Section can take
up to 268 bytes total, which means that the Answer Section can up to 268 bytes total, which means that the Answer Section can
contain, in the worst case, no more than 243 domains. contain, in the worst case, no more than 243 domains.
In a more typical scenario, where the domain names are not all In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names so maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that the Section Resource Record may average 140 bytes, which means that the
Answer Section can contain up to 466 domains. Answer Section can contain up to 466 domains.
It is anticipated that this should be sufficient for even a large It is anticipated that this should be sufficient for even a large
corporate network or university campus. corporate network or university campus.
5.2.2. Domain Enumeration via Multicast Queries 5.2.2. Domain Enumeration via Multicast Queries
In the case where Discovery Proxy functionality is widely deployed In the case where Discovery Proxy functionality is widely deployed
within an enterprise (either by having a Discovery Proxy on each within an enterprise (either by having a Discovery Proxy physically
link, or by having a Discovery Proxy with a remote 'virtual' presence on each link, or by having a Discovery Proxy with a remote "virtual"
on each link using VLANs or Multicast DNS Discovery Relays [Relay]) presence on each link using VLANs or Multicast DNS Discovery Relays
this offers an additional way to provide Domain Enumeration data for [RELAY]), this offers an additional way to provide Domain Enumeration
clients. configuration data for clients.
Note that this function of the Discovery Proxy is supplementary to
the primary purpose of the Discovery Proxy, which is to facilitate
_remote_ clients discovering services on the Discovery Proxy's local
link. This publication of Domain Enumeration configuration data via
link-local multicast on the Discovery Proxy's local link is performed
for the benefit of _local_ clients attached to that link, and
typically directs those clients to contact other distant Discovery
Proxies attached to other links. Generally, a client does not need
to use the local Discovery Proxy on its own link, because a client is
generally able to perform its own Multicast DNS queries on that link.
(The exception to this is when the local Wi-Fi access point is
blocking or filtering local multicast traffic, requiring even local
clients to use their local Discovery Proxy to perform local
discovery.)
A Discovery Proxy can be configured to generate Multicast DNS A Discovery Proxy can be configured to generate Multicast DNS
responses for the following Multicast DNS Domain Enumeration queries responses for the following Multicast DNS Domain Enumeration queries
issued by clients: issued by clients:
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR ?
This provides the ability for Discovery Proxies to indicate This provides the ability for Discovery Proxies to indicate
recommended browsing domains to DNS-SD clients on a per-link recommended browsing domains to DNS-SD clients on a per-link
granularity. In some enterprises it may be preferable to provide granularity. In some enterprises, it may be preferable to provide
this per-link configuration data in the form of Discovery Proxy this per-link configuration information in the form of Discovery
configuration, rather than populating the Unicast DNS servers with Proxy configuration data rather than by populating the Unicast DNS
the same data (in the "ip6.arpa" or "in-addr.arpa" domains). servers with the same data (in the "ip6.arpa" or "in-addr.arpa"
domains).
Regardless of how the network operator chooses to provide this Regardless of how the network operator chooses to provide this
configuration data, clients will perform Domain Enumeration via both configuration data, clients will perform Domain Enumeration via both
unicast and multicast queries, and then combine the results of these unicast and multicast queries and then combine the results of these
queries. queries.
5.3. Delegated Subdomain for LDH Host Names 5.3. Delegated Subdomain for LDH Host Names
DNS-SD service instance names and domains are allowed to contain DNS-SD service instance names and domains are allowed to contain
arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8 arbitrary Net-Unicode text [RFC5198], encoded as precomposed UTF-8
[RFC3629]. [RFC3629].
Users typically interact with service discovery software by viewing a Users typically interact with service discovery software by viewing a
list of discovered service instance names on a display, and selecting list of discovered service instance names on a display and selecting
one of them by pointing, touching, or clicking. Similarly, in one of them by pointing, touching, or clicking. Similarly, in
software that provides a multi-domain DNS-SD user interface, users software that provides a multi-domain DNS-SD user interface, users
view a list of offered domains on the display and select one of them view a list of offered domains on the display and select one of them
by pointing, touching, or clicking. To use a service, users don't by pointing, touching, or clicking. To use a service, users don't
have to remember domain or instance names, or type them; users just have to remember domain or instance names, or type them; users just
have to be able to recognize what they see on the display and touch have to be able to recognize what they see on the display and touch
or click on the thing they want. or click on the thing they want.
In contrast, host names are often remembered and typed. Also, host In contrast, host names are often remembered and typed. Also, host
names have historically been used in command-line interfaces where names have historically been used in command-line interfaces where
spaces can be inconvenient. For this reason, host names have spaces can be inconvenient. For this reason, host names have
traditionally been restricted to letters, digits and hyphens (LDH), traditionally been restricted to letters, digits, and hyphens (LDH)
with no spaces or other punctuation. with no spaces or other punctuation.
While we do want to allow rich text for DNS-SD service instance names While we do want to allow rich text for DNS-SD service instance names
and domains, it is advisable, for maximum compatibility with existing and domains, it is advisable, for maximum compatibility with existing
usage, to restrict host names to the traditional letter-digit-hyphen usage, to restrict host names to the traditional letter-digit-hyphen
rules. This means that while a service name rules. This means that while the service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and "My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is "example.com"), the host name "My-Printer.Building 1.example.com" is
less desirable (because of the space in "Building 1"). less desirable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Discovery To accommodate this difference in allowable characters, a Discovery
Proxy SHOULD support having two separate subdomains delegated to it Proxy SHOULD support having two separate subdomains delegated to it
for each link it serves, one whose name is allowed to contain for each link it serves: one whose name is allowed to contain
arbitrary Net-Unicode text [RFC5198], and a second more constrained arbitrary Net-Unicode text [RFC5198], and a second more constrained
subdomain whose name is restricted to contain only letters, digits, subdomain whose name is restricted to contain only letters, digits,
and hyphens, to be used for host name records (names of 'A' and and hyphens, to be used for host name records (names of 'A' and
'AAAA' address records). The restricted names may be any valid name 'AAAA' address records). The restricted names may be any valid name
consisting of only letters, digits, and hyphens, including Punycode- consisting of only letters, digits, and hyphens, including Punycode-
encoded names [RFC3492]. encoded names [RFC3492].
For example, a Discovery Proxy could have the two subdomains For example, a Discovery Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it. "Building 1.example.com" and "bldg-1.example.com" delegated to it.
The Discovery Proxy would then translate these two Multicast DNS The Discovery Proxy would then translate these two Multicast DNS
records: records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2 prnt.local. A 203.0.113.2
into Unicast DNS records as follows: into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg-1.example.com.
prnt.bldg1.example.com. A 203.0.113.2 prnt.bldg-1.example.com. A 203.0.113.2
Note that the SRV record name is translated using the rich-text Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record name is domain name ("Building 1.example.com"), and the address record name
translated using the LDH domain ("bldg1.example.com"). is translated using the LDH domain ("bldg-1.example.com"). Further
details of the name translation rules are described in Section 5.5.
A Discovery Proxy MAY support only a single rich text Net-Unicode A Discovery Proxy MAY support only a single rich-text Net-Unicode
domain, and use that domain for all records, including 'A' and 'AAAA' domain and use that domain for all records, including 'A' and 'AAAA'
address records, but implementers choosing this option should be address records, but implementers choosing this option should be
aware that this choice may produce host names that are awkward to use aware that this choice may produce host names that are awkward to use
in command-line environments. Whether this is an issue depends on in command-line environments. Whether or not this is an issue
whether users in the target environment are expected to be using depends on whether users in the target environment are expected to be
command-line interfaces. using command-line interfaces.
A Discovery Proxy MUST NOT be restricted to support only a letter- A Discovery Proxy MUST NOT be restricted to support only a letter-
digit-hyphen subdomain, because that results in an unnecessarily poor digit-hyphen subdomain, because that results in an unnecessarily poor
user experience. user experience.
As described above in Section 5.2.1, for clarity, space characters in As described in Section 5.2.1, for clarity, in examples here space
names are shown as actual spaces. If this data were to be manually characters in names are shown as actual spaces. If this dynamically
entered into a textual zone file (which it isn't) then spaces would discovered data were to be manually entered into a textual zone file
need to be represented using '\032', so (which it isn't), then spaces would need to be represented using
"My Printer._ipp._tcp.Building 1.example.com." would become '\032', so "My Printer._ipp._tcp.Building 1.example.com" would become
"My\032Printer._ipp._tcp.Building\0321.example.com." "My\032Printer._ipp._tcp.Building\0321.example.com".
Note that the '\032' representation does not appear in the network
packets sent over the air. In the wire format of DNS messages, Note that the '\032' representation does not appear in DNS messages
spaces are sent as spaces, not as '\032', and likewise, in a sent over the air. In the wire format of DNS messages, spaces are
graphical user interface at the client device, spaces are shown as sent as spaces, not as '\032', and likewise, in a graphical user
spaces, not as '\032'. interface at the client device, spaces are shown as spaces, not as
'\032'.
5.4. Delegated Subdomain for Reverse Mapping 5.4. Delegated Subdomain for Reverse Mapping
A Discovery Proxy can facilitate easier management of reverse mapping A Discovery Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses. be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the delegate ownership of the appropriate reverse mapping domain to the
Discovery Proxy. In other words, the Discovery Proxy becomes the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain. For fault authoritative name server for the reverse mapping domain. For fault
tolerance reasons there may be more than one Discovery Proxy serving tolerance reasons, there may be more than one Discovery Proxy serving
a given link. a given link.
If a given link is using the IPv4 subnet 203.0.113/24, If a given link is using the IPv4 subnet 203.0.113/24, then the
then the domain "113.0.203.in-addr.arpa" domain "113.0.203.in-addr.arpa" is delegated to the Discovery Proxy
is delegated to the Discovery Proxy for that link. for that link.
For example, if a given link is using the If a given link is using the IPv6 prefix 2001:0DB8:1234:5678::/64,
IPv6 prefix 2001:0DB8:1234:5678/64, then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is
then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" delegated to the Discovery Proxy for that link.
is delegated to the Discovery Proxy for that link.
When a reverse mapping query arrives at the Discovery Proxy, it When a reverse mapping query arrives at the Discovery Proxy, it
issues the identical query on its local link as a Multicast DNS issues the identical query on its local link, as a Multicast DNS
query. The mechanism to force an apparently unicast name to be query. The mechanism to force an apparently unicast name to be
resolved using link-local Multicast DNS varies depending on the API resolved using link-local Multicast DNS varies depending on the API
set being used. For example, in the "dns_sd.h" APIs set being used. For example, in the "dns_sd.h" APIs (available on
(available on macOS, iOS, Bonjour for Windows, Linux and Android), macOS, iOS, Bonjour for Windows, Linux, and Android), using
using kDNSServiceFlagsForceMulticast indicates that the kDNSServiceFlagsForceMulticast indicates that the
DNSServiceQueryRecord() call should perform the query using Multicast DNSServiceQueryRecord() call should perform the query using Multicast
DNS. Other APIs sets have different ways of forcing multicast DNS. Other API sets have different ways of forcing multicast
queries. When the host owning that IPv4 or IPv6 address responds queries. When the host owning that IPv4 or IPv6 address responds
with a name of the form "something.local", the Discovery Proxy with a name of the form "something.local", the Discovery Proxy
rewrites that to use its configured LDH host name domain instead of rewrites it to use its configured LDH host name domain instead of
"local", and returns the response to the caller. ".local" and returns the response to the caller.
For example, a Discovery Proxy with the two subdomains For example, a Discovery Proxy with the two subdomains
"113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it "113.0.203.in-addr.arpa" and "bldg-1.example.com" delegated to it
would translate this Multicast DNS record: would translate this Multicast DNS record:
2.113.0.203.in-addr.arpa. PTR prnt.local. 2.113.0.203.in-addr.arpa. PTR prnt.local.
into this Unicast DNS response: into this Unicast DNS response:
2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com. 2.113.0.203.in-addr.arpa. PTR prnt.bldg-1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record, In this example the "prnt.local" host name is translated using the
falling as it does within the bldg1.example.com domain, which is delegated LDH subdomain, as described in Section 5.5.
delegated to the Discovery Proxy, will arrive at the Discovery Proxy,
where they are answered by issuing Multicast DNS queries and using Subsequent queries for the prnt.bldg-1.example.com address record,
the received Multicast DNS answers to synthesize Unicast DNS falling as it does within the bldg-1.example.com domain, which is
delegated to this Discovery Proxy, will arrive at this Discovery
Proxy where they are answered by issuing Multicast DNS queries and
using the received Multicast DNS answers to synthesize Unicast DNS
responses, as described above. responses, as described above.
Note that this design assumes that all addresses on a given IPv4 Note that this description assumes that all addresses on a given IPv4
subnet or IPv6 prefix are mapped to hostnames using the Discovery subnet or IPv6 prefix are mapped to host names using the Discovery
Proxy mechanism. It would be possible to implement a Discovery Proxy Proxy mechanism. It would be possible to implement a Discovery Proxy
that can be configured so that some address-to-name mappings are that can be configured so that some address-to-name mappings are
performed using Multicast DNS on the local link, while other address- performed using Multicast DNS on the local link, while other address-
to-name mappings within the same IPv4 subnet or IPv6 prefix are to-name mappings within the same IPv4 subnet or IPv6 prefix are
configured manually. configured manually.
5.5. Data Translation 5.5. Data Translation
Generating the appropriate Multicast DNS queries involves, For the delegated rich-text and LDH subdomains, generating
at the very least, translating from the configured DNS domain appropriate Multicast DNS queries involves translating from the
(e.g., "Building 1.example.com") on the Unicast DNS side to "local" configured DNS domain (e.g., "Building 1.example.com") on the Unicast
on the Multicast DNS side. DNS side to ".local" on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating For the delegated reverse-mapping subdomain, generating appropriate
back from "local" to the appropriate configured DNS Unicast domain. Multicast DNS queries involves using the appropriate API mechanism to
indicate that a query should be performed using Multicast DNS, as
described in Section 5.4.
Generating appropriate Unicast DNS responses from the received
Multicast DNS answers involves translating back from ".local" to the
appropriate configured Unicast DNS domain as necessary, as described
below.
In the examples below, the delegated subdomains are as follows:
Delegated subdomain for rich-text names Building 1.example.com.
Delegated subdomain for LDH names bldg-1.example.com.
Delegated subdomain for IPv4 reverse mapping 113.0.203.in-addr.arpa.
Names in Multicast DNS answers that do not end in ".local" do not
require any translation.
Names in Multicast DNS answers that end in ".local" are only
meaningful on the local link, and require translation to make them
useable by clients outside the local link.
Names that end in ".local" may appear both as the owner names of
received Multicast DNS answer records, and in the RDATA of received
Multicast DNS answer records.
In a received Multicast DNS answer record, if the owner name ends
with ".local", then the ".local" top-level label is replaced with the
name of the delegated subdomain as was used in the originating query.
In a received Multicast DNS answer record, if a name in the RDATA
ends with ".local", then the name is translated according to the
delegated subdomain that was used in the originating query, as
explained below.
For queries in subdomains delegated for LDH host names, ".local"
names in RDATA are translated to that delegated LDH subdomain. For
example, a query for "thing.bldg-1.example.com" will be translated to
a Multicast DNS query for "thing.local". If that query returns this
CNAME record:
thing.local. CNAME prnt.local.
then both the owner name and the name in the RDATA are translated
from ".local" to the LDH subdomain "bldg-1.example.com":
thing.bldg-1.example.com. CNAME prnt.bldg-1.example.com.
For queries in subdomains delegated for reverse mapping names,
".local" names in RDATA are translated to the delegated LDH
subdomain, if one is configured, or to the delegated rich-text
subdomain otherwise. For example, consider a reverse mapping query
that returns this PTR record:
2.113.0.203.in-addr.arpa. PTR prnt.local.
The owner name is not translated because it does not end in ".local".
The name in the RDATA is translated from ".local" to the LDH
subdomain "bldg-1.example.com":
2.113.0.203.in-addr.arpa. PTR prnt.bldg-1.example.com.
For queries in subdomains delegated for rich-text names, ".local"
names in RDATA are translated according to whether or not they
represent host names (i.e., RDATA names that are the owner names of A
and AAAA DNS records). RDATA names ending in ".local" that represent
host names are translated to the delegated LDH subdomain, if one is
configured, or to the delegated rich-text subdomain otherwise. All
other RDATA names ending in ".local" are translated to the delegated
rich-text subdomain. For example, consider a DNS-SD service browsing
PTR query that returns this PTR record for IPP printing:
_ipp._tcp.local. PTR My Printer._ipp._tcp.local.
Both the owner name and the name in the RDATA are translated from
".local" to the rich-text subdomain:
_ipp._tcp.Building 1.example.com.
PTR My Printer._ipp._tcp.Building 1.example.com.
In contrast, consider a query that returns this SRV record for a
specific IPP printing instance:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
As for all queries, the owner name is translated to the delegated
subdomain of the originating query, the delegated rich-text subdomain
"Building 1.example.com". However, the ".local" name in the RDATA is
the target host name field of an SRV record, a field that is used
exclusively for host names. Consequently it is translated to the LDH
subdomain "bldg-1.example.com", if configured, instead of the rich-
text subdomain:
My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg-1.example.com.
Other beneficial translation and filtering operations are described Other beneficial translation and filtering operations are described
below. below.
5.5.1. DNS TTL limiting 5.5.1. DNS TTL Limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75 values. For example, the typical TTL on DNS-SD service browsing PTR
minutes. What makes these moderately high TTLs acceptable is the records is 75 minutes. What makes these moderately high TTLs
cache coherency mechanisms built in to the Multicast DNS protocol acceptable is the cache coherency mechanisms built in to the
which protect against stale data persisting for too long. When a Multicast DNS protocol, which protect against stale data persisting
service shuts down gracefully, it sends goodbye packets to remove its for too long. When a service shuts down gracefully, it sends goodbye
PTR records immediately from neighboring caches. If a service shuts packets to remove its service browsing PTR record(s) immediately from
down abruptly without sending goodbye packets, the Passive neighboring caches. If a service shuts down abruptly without sending
Observation Of Failures (POOF) mechanism described in Section 10.5 of goodbye packets, the Passive Observation Of Failures (POOF) mechanism
the Multicast DNS specification [RFC6762] comes into play to purge described in Section 10.5 of the Multicast DNS specification
the cache of stale data. [RFC6762] comes into play to purge the cache of stale data.
A traditional Unicast DNS client on a distant remote link does not A traditional Unicast DNS client on a distant remote link does not
get to participate in these Multicast DNS cache coherency mechanisms get to participate in these Multicast DNS cache coherency mechanisms
on the local link. For traditional Unicast DNS queries (those on the local link. For traditional Unicast DNS queries (those
received without using Long-Lived Query [LLQ] or DNS Push received without using Long-Lived Queries (LLQ) [RFC8764] or DNS Push
Notification subscriptions [Push]) the DNS TTLs reported in the Notification subscriptions [RFC8765]), the DNS TTLs reported in the
resulting Unicast DNS response MUST be capped to be no more than ten resulting Unicast DNS response MUST be capped to be no more than ten
seconds. seconds.
Similarly, for negative responses, the negative caching TTL indicated Similarly, for negative responses, the negative caching TTL indicated
in the SOA record [RFC2308] should also be ten seconds (Section 6.1). in the SOA record [RFC2308] should also be ten seconds (see
Section 6.1).
This value of ten seconds is chosen based on user-experience This value of ten seconds is chosen based on user-experience
considerations. considerations.
For negative caching, suppose a user is attempting to access a remote For negative caching, suppose a user is attempting to access a remote
device (e.g., a printer), and they are unsuccessful because that device (e.g., a printer), and they are unsuccessful because that
device is powered off. Suppose they then place a telephone call and device is powered off. Suppose they then place a telephone call and
ask for the device to be powered on. We want the device to become ask for the device to be powered on. We want the device to become
available to the user within a reasonable time period. It is available to the user within a reasonable time period. It is
reasonable to expect it to take on the order of ten seconds for a reasonable to expect it to take on the order of ten seconds for a
skipping to change at page 19, line 17 skipping to change at line 915
further ten seconds for stale negative cache entries to expire from further ten seconds for stale negative cache entries to expire from
Unicast DNS caches, making the device available to the user desiring Unicast DNS caches, making the device available to the user desiring
to access it. to access it.
Similar reasoning applies to capping positive TTLs at ten seconds. Similar reasoning applies to capping positive TTLs at ten seconds.
In the event of a device moving location, getting a new DHCP address, In the event of a device moving location, getting a new DHCP address,
or other renumbering events, we would like the updated information to or other renumbering events, we would like the updated information to
be available to remote clients in a relatively timely fashion. be available to remote clients in a relatively timely fashion.
However, network administrators should be aware that many recursive However, network administrators should be aware that many recursive
(caching) DNS servers by default are configured to impose a minimum resolvers by default are configured to impose a minimum TTL of 30
TTL of 30 seconds. If stale data appears to be persisting in the seconds. If stale data appears to be persisting in the network to
network to the extent that it adversely impacts user experience, the extent that it adversely impacts user experience, network
network administrators are advised to check the configuration of administrators are advised to check the configuration of their
their recursive DNS servers. recursive resolvers.
For received Unicast DNS queries that use LLQ [LLQ] or DNS Push For received Unicast DNS queries that use LLQ [RFC8764] or DNS Push
Notifications [Push], the Multicast DNS record's TTL SHOULD be Notifications [RFC8765], the Multicast DNS record's TTL SHOULD be
returned unmodified, because the Push Notification channel exists to returned unmodified, because the notification channel exists to
inform the remote client as records come and go. For further details inform the remote client as records come and go. For further details
about Long-Lived Queries, and its newer replacement, DNS Push about Long-Lived Queries and its newer replacement, DNS Push
Notifications, see Section 5.6. Notifications, see Section 5.6.
5.5.2. Suppressing Unusable Records 5.5.2. Suppressing Unusable Records
A Discovery Proxy SHOULD offer a configurable option, enabled by A Discovery Proxy SHOULD offer a configurable option, enabled by
default, to suppress Unicast DNS answers for records that are not default, to suppress Unicast DNS answers for records that are not
useful outside the local link. When the option to suppress unusable useful outside the local link. When the option to suppress unusable
records is enabled: records is enabled:
o DNS A and AAAA records for IPv4 link-local addresses [RFC3927] and * For a Discovery Proxy that is serving only clients outside the
IPv6 link-local addresses [RFC4862] SHOULD be suppressed. local link, DNS A and AAAA records for IPv4 link-local addresses
[RFC3927] and IPv6 link-local addresses [RFC4862] SHOULD be
suppressed.
o Similarly, for sites that have multiple private address realms * Similarly, for sites that have multiple private address realms
[RFC1918], in cases where the Discovery Proxy can determine that [RFC1918], in cases where the Discovery Proxy can determine that
the querying client is in a different address realm, private the querying client is in a different address realm, private
addresses SHOULD NOT be communicated to that client. addresses SHOULD NOT be communicated to that client.
o IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed in * IPv6 Unique Local Addresses [RFC4193] SHOULD be suppressed in
cases where the Discovery Proxy can determine that the querying cases where the Discovery Proxy can determine that the querying
client is in a different IPv6 address realm. client is in a different IPv6 address realm.
o By the same logic, DNS SRV records that reference target host * By the same logic, DNS SRV records that reference target host
names that have no addresses usable by the requester should be names that have no addresses usable by the requester should be
suppressed, and likewise, DNS PTR records that point to unusable suppressed, and likewise, DNS-SD service browsing PTR records that
SRV records should be similarly be suppressed. point to unusable SRV records should similarly be suppressed.
5.5.3. NSEC and NSEC3 queries 5.5.3. NSEC and NSEC3 Queries
Multicast DNS devices do not routinely announce their records on the Multicast DNS devices do not routinely announce their records on the
network. Generally they remain silent until queried. This means network. Generally, they remain silent until queried. This means
that the complete set of Multicast DNS records in use on a link can that the complete set of Multicast DNS records in use on a link can
only be discovered by active querying, not by passive listening. only be discovered by active querying, not by passive listening.
Because of this, a Discovery Proxy can only know what names exist on Because of this, a Discovery Proxy can only know what names exist on
a link by issuing queries for them, and since it would be impractical a link by issuing queries for them, and since it would be impractical
to issue queries for every possible name just to find out which names to issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
generate the traditional NSEC [RFC4034] and NSEC3 [RFC5155] records generate the traditional Unicast DNS NSEC [RFC4034] and NSEC3
which assert the nonexistence of a large range of names. [RFC5155] records that assert the nonexistence of a large range of
names.
When queried for an NSEC or NSEC3 record type, the Discovery Proxy When queried for an NSEC or NSEC3 record type, the Discovery Proxy
issues a qtype "ANY" query using Multicast DNS on the local link, and issues a qtype "ANY" query using Multicast DNS on the local link and
then generates an NSEC or NSEC3 response with a Type Bit Map then generates an NSEC or NSEC3 response with a Type Bit Map
signifying which record types do and do not exist for just the signifying which record types do and do not exist for just the
specific name queried, and no other names. specific name queried, and no other names.
Multicast DNS NSEC records received on the local link MUST NOT be Multicast DNS NSEC records received on the local link MUST NOT be
forwarded unmodified to a unicast querier, because there are slight forwarded unmodified to a unicast querier, because there are slight
differences in the NSEC record data. In particular, Multicast DNS differences in the NSEC record data. In particular, Multicast DNS
NSEC records do not have the NSEC bit set in the Type Bit Map, NSEC records do not have the NSEC bit set in the Type Bit Map,
whereas conventional Unicast DNS NSEC records do have the NSEC bit whereas conventional Unicast DNS NSEC records do have the NSEC bit
set. set.
5.5.4. No Text Encoding Translation 5.5.4. No Text-Encoding Translation
A Discovery Proxy does no translation between text encodings. A Discovery Proxy does no translation between text encodings.
Specifically, a Discovery Proxy does no translation between Punycode Specifically, a Discovery Proxy does no translation between Punycode
encoding [RFC3492] and UTF-8 encoding [RFC3629], either in the owner encoding [RFC3492] and UTF-8 encoding [RFC3629], either in the owner
name of DNS records, or anywhere in the RDATA of DNS records (such as name of DNS records or anywhere in the RDATA of DNS records (such as
the RDATA of PTR records, SRV records, NS records, or other record the RDATA of PTR records, SRV records, NS records, or other record
types like TXT, where it is ambiguous whether the RDATA may contain types like TXT, where it is ambiguous whether the RDATA may contain
DNS names). All bytes are treated as-is, with no attempt at text DNS names). All bytes are treated as-is with no attempt at text-
encoding translation. A client implementing DNS-based Service encoding translation. A client implementing DNS-based Service
Discovery [RFC6763] will use UTF-8 encoding for its service discovery Discovery [RFC6763] will use UTF-8 encoding for its unicast DNS-based
queries, which the Discovery Proxy passes through without any text Service Discovery queries, which the Discovery Proxy passes through
encoding translation to the Multicast DNS subsystem. Responses from without any text-encoding translation to the Multicast DNS subsystem.
the Multicast DNS subsystem are similarly returned, without any text Responses from the Multicast DNS subsystem are similarly returned,
encoding translation, back to the requesting client. without any text-encoding translation, back to the requesting unicast
client.
5.5.5. Application-Specific Data Translation 5.5.5. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is There may be cases where Application-Specific Data Translation is
appropriate. appropriate.
For example, AirPrint printers tend to advertise fairly verbose For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. TXT information about their capabilities in their DNS-SD TXT record. TXT
record sizes in the range 500-1000 bytes are not uncommon. This record sizes in the range of 500-1000 bytes are not uncommon. This
information is a legacy from LPR printing, because LPR does not have information is a legacy from lineprinter (LPR) printing, because LPR
in-band capability negotiation, so all of this information is does not have in-band capability negotiation, so all of this
conveyed using the DNS-SD TXT record instead. IPP printing does have information is conveyed using the DNS-SD TXT record instead.
in-band capability negotiation, but for convenience printers tend to Internet Printing Protocol (IPP) printing does have in-band
include the same capability information in their IPP DNS-SD TXT capability negotiation, but for convenience, printers tend to include
records as well. For local mDNS use this extra TXT record the same capability information in their IPP DNS-SD TXT records as
information is inefficient, but not fatal. However, when a Discovery well. For local Multicast DNS (mDNS) use, this extra TXT record
information is wasteful but not fatal. However, when a Discovery
Proxy aggregates data from multiple printers on a link, and sends it Proxy aggregates data from multiple printers on a link, and sends it
via unicast (via UDP or TCP) this amount of unnecessary TXT record via unicast (via UDP or TCP), this amount of unnecessary TXT record
information can result in large responses. A DNS reply over TCP information can result in large responses. A DNS reply over TCP
carrying information about 70 printers with an average of 700 bytes carrying information about 70 printers with an average of 700 bytes
per printer adds up to about 50 kilobytes of data. Therefore, a per printer adds up to about 50 kilobytes of data. Therefore, a
Discovery Proxy that is aware of the specifics of an application- Discovery Proxy that is aware of the specifics of an application-
layer protocol such as AirPrint (which uses IPP) can elide layer protocol such as AirPrint (which uses IPP) can elide
unnecessary key/value pairs from the DNS-SD TXT record for better unnecessary key/value pairs from the DNS-SD TXT record for better
network efficiency. network efficiency.
Also, the DNS-SD TXT record for many printers contains an "adminurl" Also, the DNS-SD TXT record for many printers contains an "adminurl"
key something like "adminurl=http://printername.local/status.html". key (e.g., "adminurl=http://printername.local/status.html"). For
For this URL to be useful outside the local link, the embedded this URL to be useful outside the local link, the embedded ".local"
".local" hostname needs to be translated to an appropriate name with host name needs to be translated to an appropriate name with larger
larger scope. It is easy to translate ".local" names when they scope. It is easy to translate ".local" names when they appear in
appear in well-defined places, either as a record's name, or in the well-defined places: as a record's owner name, or in domain name
rdata of record types like PTR and SRV. In the printing case, some fields in the RDATA of record types like PTR and SRV. In the
application-specific knowledge about the semantics of the "adminurl" printing case, some application-specific knowledge about the
key is needed for the Discovery Proxy to know that it contains a name semantics of the "adminurl" key is needed for the Discovery Proxy to
that needs to be translated. This is somewhat analogous to the need know that it contains a name that needs to be translated. This is
for NAT gateways to contain ALGs (Application-Specific Gateways) to somewhat analogous to the need for NAT gateways to contain ALGs
facilitate the correct translation of protocols that embed addresses (Application-Level Gateways) to facilitate the correct translation of
in unexpected places. protocols that embed addresses in unexpected places.
To avoid the need for application-specific knowledge about the To avoid the need for application-specific knowledge about the
semantics of particular TXT record keys, protocol designers are semantics of particular TXT record keys, protocol designers are
advised to avoid placing link-local names or link-local IP addresses advised to avoid placing link-local names or link-local IP addresses
in TXT record keys, if translation of those names or addresses would in TXT record keys if translation of those names or addresses would
be required for off-link operation. In the printing case, the be required for off-link operation. In the printing case, the
operational failure of failing to translate the "adminurl" key consequence of failing to translate the "adminurl" key correctly
correctly is that, when accessed from a different link, printing will would be that, when accessed from a different link, printing will
still work, but clicking the "Admin" UI button will fail to open the still work, but clicking the "Admin" user interface button will fail
printer's administration page. Rather than duplicating the host name to open the printer's administration page. Rather than duplicating
from the service's SRV record in its "adminurl" key, thereby having the host name from the service's SRV record in its "adminurl" key,
the same host name appear in two places, a better design might have thereby having the same host name appear in two places, a better
been to omit the host name from the "adminurl" key, and instead have design might have been to omit the host name from the "adminurl" key
the client implicitly substitute the target host name from the and instead have the client implicitly substitute the target host
service's SRV record in place of a missing host name in the name from the service's SRV record in place of a missing host name in
"adminurl" key. That way the desired host name only appears once, the "adminurl" key. That way, the desired host name only appears
and it is in a well-defined place where software like the Discovery once and is in a well-defined place where software like the Discovery
Proxy is expecting to find it. Proxy is expecting to find it.
Note that this kind of Application-Specific Data Translation is Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare; it is the exception rather than the rule.
This is an example of a common theme in computing. It is frequently This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design, with the case that it is wise to start with a clean, layered design with
clear boundaries. Then, in certain special cases, those layer clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency boundaries may be violated where the performance and efficiency
benefits outweigh the inelegance of the layer violation. benefits outweigh the inelegance of the layer violation.
These layer violations are optional. They are done primarily for These layer violations are optional. They are done primarily for
efficiency reasons, and generally should not be required for correct efficiency reasons and generally should not be required for correct
operation. A Discovery Proxy MAY operate solely at the mDNS layer, operation. A Discovery Proxy MAY operate solely at the mDNS layer
without any knowledge of semantics at the DNS-SD layer or above. without any knowledge of semantics at the DNS-SD layer or above.
5.6. Answer Aggregation 5.6. Answer Aggregation
In a simple analysis, simply gathering multicast answers and In a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises forwarding them in a unicast response seems adequate, but it raises
the question of how long the Discovery Proxy should wait to be sure the question of how long the Discovery Proxy should wait to be sure
that it has received all the Multicast DNS answers it needs to form a that it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In long, then it creates a poor user experience at the client end. In
fact, there may be no time which is both short enough to produce a fact, there may be no time that is both short enough to produce a
good user experience and at the same time long enough to reliably good user experience and at the same time long enough to reliably
produce complete results. produce complete results.
Similarly, the Discovery Proxy -- the authoritative name server for Similarly, the Discovery Proxy (the authoritative name server for the
the subdomain in question -- needs to decide what DNS TTL to report subdomain in question) needs to decide what DNS TTL to report for
for these records. If the TTL is too long then the recursive these records. If the TTL is too long, then the recursive resolvers
(caching) name servers issuing queries on behalf of their clients issuing queries on behalf of their clients risk caching stale data
risk caching stale data for too long. If the TTL is too short then for too long. If the TTL is too short, then the amount of network
the amount of network traffic will be more than necessary. In fact, traffic will be more than necessary. In fact, there may be no TTL
there may be no TTL which is both short enough to avoid undesirable that is both short enough to avoid undesirable stale data and, at the
stale data and at the same time long enough to be efficient on the same time, long enough to be efficient on the network.
network.
Both these dilemmas are solved by use of DNS Long-Lived Queries Both these dilemmas are solved by the use of DNS Long-Lived Queries
(DNS LLQ) [LLQ] or its newer replacement, DNS Push Notifications (LLQ) [RFC8764] or its newer replacement, DNS Push Notifications
[Push]. [RFC8765].
Clients supporting unicast DNS Service Discovery SHOULD implement DNS Clients supporting unicast DNS-based Service Discovery SHOULD
Push Notifications [Push] for improved user experience. implement DNS Push Notifications [RFC8765] for improved user
experience.
Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push, Clients and Discovery Proxies MAY support both LLQ and DNS Push
and when talking to a Discovery Proxy that supports both, the client Notifications, and when talking to a Discovery Proxy that supports
may use either protocol, as it chooses, though it is expected that both, the client may use either protocol, as it chooses, though it is
only DNS Push will continue to be supported in the long run. expected that only DNS Push Notifications will continue to be
supported in the long run.
When a Discovery Proxy receives a query using DNS LLQ or DNS Push When a Discovery Proxy receives a query using LLQ or DNS Push
Notifications, it responds immediately using the Multicast DNS Notifications, it responds immediately using the Multicast DNS
records it already has in its cache (if any). This provides a good records it already has in its cache (if any). This provides a good
client user experience by providing a near-instantaneous response. client user experience by providing a near-instantaneous response.
Simultaneously, the Discovery Proxy issues a Multicast DNS query on Simultaneously, the Discovery Proxy issues a Multicast DNS query on
the local link to discover if there are any additional Multicast DNS the local link to discover if there are any additional Multicast DNS
records it did not already know about. Should additional Multicast records it did not already know about. Should additional Multicast
DNS responses be received, these are then delivered to the client DNS responses be received, these are then delivered to the client
using additional DNS LLQ or DNS Push Notification update messages. using additional LLQ or DNS Push Notification update messages. The
The timeliness of such update messages is limited only by the timeliness of such update messages is limited only by the timeliness
timeliness of the device responding to the Multicast DNS query. If of the device responding to the Multicast DNS query. If the
the Multicast DNS device responds quickly, then the update message is Multicast DNS device responds quickly, then the update message is
delivered quickly. If the Multicast DNS device responds slowly, then delivered quickly. If the Multicast DNS device responds slowly, then
the update message is delivered slowly. The benefit of using update the update message is delivered slowly. The benefit of using
messages is that the Discovery Proxy can respond promptly because it multiple update messages to deliver results as they become available
doesn't have to delay its unicast response to allow for the expected is that the Discovery Proxy can respond promptly because it doesn't
worst-case delay for receiving all the Multicast DNS responses. Even have to deliver all the results in a single response that needs to be
if a proxy were to try to provide reliability by assuming an delayed to allow for the expected worst-case delay for receiving all
excessively pessimistic worst-case time (thereby giving a very poor the Multicast DNS responses.
user experience) there would still be the risk of a slow Multicast
DNS device taking even longer than that (e.g., a device that is not
even powered on until ten seconds after the initial query is
received) resulting in incomplete responses. Using update message
solves this dilemma: even very late responses are not lost; they are
delivered in subsequent update messages.
There are two factors that determine specifically how responses are With a proxy that supported only standard DNS queries, even if it
were to try to provide reliability by assuming an excessively
pessimistic worst-case time (thereby giving a very poor user
experience), there would still be the risk of a slow Multicast DNS
device taking even longer than that worst-case time (e.g., a device
that is not even powered on until ten seconds after the initial query
is received), resulting in incomplete responses. Using update
messages to deliver subsequent asynchronous replies solves this
dilemma: even very late responses are not lost; they are delivered in
subsequent update messages.
Note that while normal DNS queries are generally received via the
client's configured recursive resolver, LLQ and DNS Push Notification
subscriptions may be received directly from the client.
There are two factors that determine how unicast responses are
generated: generated:
The first factor is whether the query from the client used LLQ or DNS The first factor is whether or not the Discovery Proxy already has at
Push Notifications (used for long-lived service browsing PTR queries) least one record in its cache that answers the question.
or not (used for one-shot operations like SRV or address record
queries). Note that queries using LLQ or DNS Push Notifications are
received directly from the client. Queries not using LLQ or DNS Push
Notifications are generally received via the client's configured
recursive (caching) name server.
The second factor is whether the Discovery Proxy already has at least The second factor is whether the client used a normal DNS query, or
one record in its cache that positively answers the question. established a subscription using LLQ or DNS Push Notifications.
Normal DNS queries are typically used for one-shot operations like
SRV or address record queries. LLQ and DNS Push Notification
subscriptions are typically used for long-lived service browsing PTR
queries. Normal DNS queries and LLQ each have different response
timing depending on the cache state, yielding the first four cases
listed below. DNS Push Notifications, the newer protocol, has
uniform behavior regardless of cache state, yielding the fifth case
listed below.
o Not using LLQ or Push Notifications; no answer in cache: * Standard DNS query; no answer in cache:
Issue an mDNS query, exactly as a local client would issue an mDNS
query on the local link for the desired record name, type and Issue an mDNS query on the local link, exactly as a local client
would issue an mDNS query, for the desired record name, type, and
class, including retransmissions, as appropriate, according to the class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule [RFC6762]. As soon as established mDNS retransmission schedule [RFC6762]. The Discovery
any Multicast DNS response packet is received that contains one or Proxy awaits Multicast DNS responses.
more positive answers to that question (with or without the Cache
Flush bit [RFC6762] set), or a negative answer (signified via a As soon as any Multicast DNS response packet is received that
Multicast DNS NSEC record [RFC6762]), the Discovery Proxy contains one or more positive answers to that question (with or
generates a Unicast DNS response packet containing the without the Cache Flush bit [RFC6762] set) or a negative answer
corresponding (filtered and translated) answers and sends it to (signified via a Multicast DNS NSEC record [RFC6762]), the
the remote client. If after six seconds no Multicast DNS answers Discovery Proxy generates a Unicast DNS response message
have been received, cancel the mDNS query and return a negative containing the corresponding (filtered and translated) answers and
response to the remote client. Six seconds is enough time to sends it to the remote client.
transmit three mDNS queries, and allow some time for responses to
arrive. If after six seconds no relevant Multicast DNS answers have been
DNS TTLs in responses MUST be capped to at most ten seconds. received, cancel the mDNS query and return a negative response to
the remote client. Six seconds is enough time for the underlying
Multicast DNS subsystem to transmit three mDNS queries and allow
some time for responses to arrive.
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries that that expect an answer from only one device, generally queries that expect an answer from only one device, so
so the first response is also the only response.) the first response is also the only response.)
o Not using LLQ or Push Notifications; at least one answer in cache:
Send response right away to minimise delay.
DNS TTLs in responses MUST be capped to at most ten seconds. DNS TTLs in responses MUST be capped to at most ten seconds.
* Standard DNS query; at least one answer in cache:
No local mDNS queries are performed. No local mDNS queries are performed.
The Discovery Proxy generates a Unicast DNS response message
containing the answer(s) from the cache right away, to minimize
delay.
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries that that expect an answer from only one device. generally queries that expect an answer from only one device.
Given RRSet TTL harmonisation, if the proxy has one Multicast DNS Given RRSet TTL harmonization, if the proxy has one Multicast DNS
answer in its cache, it can reasonably assume that it has all of answer in its cache, it can reasonably assume that it has the
them.) whole set.)
DNS TTLs in responses MUST be capped to at most ten seconds.
* Long-Lived Query (LLQ); no answer in cache:
As in the case above with no answer in the cache, plan to perform
mDNS querying for six seconds, returning an LLQ response message
to the remote client as soon as any relevant mDNS response is
received.
If after six seconds no relevant mDNS answers have been received,
and the client has not cancelled its Long-Lived Query, return a
negative LLQ response message to the remote client.
o Using LLQ or Push Notifications; no answer in cache:
As in the case above with no answer in the cache, perform mDNS
querying for six seconds, and send a response to the remote client
as soon as any relevant mDNS response is received.
If after six seconds no relevant mDNS response has been received,
return negative response to the remote client (for LLQ; not
applicable for Push Notifications).
(Reasoning: We don't need to rush to send an empty answer.) (Reasoning: We don't need to rush to send an empty answer.)
Whether or not a relevant mDNS response is received within six
seconds, the query remains active for as long as the client Regardless of whether or not a relevant mDNS response is received
maintains the LLQ or Push Notification state, and if mDNS answers within six seconds, the Long-Lived Query remains active for as
are received later, LLQ or Push Notification messages are sent. long as the client maintains the LLQ state, and results in the
ongoing transmission of mDNS queries until the Long-Lived Query is
cancelled. If the set of mDNS answers changes, LLQ Event Response
messages are sent.
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
o Using LLQ or Push Notifications; at least one answer in cache: * Long-Lived Query (LLQ); at least one answer in cache:
As in the case above with at least one answer in cache, send
response right away to minimise delay. As in the case above with at least one answer in the cache, the
The query remains active for as long as the client maintains the Discovery Proxy generates a unicast LLQ response message
LLQ or Push Notification state, and results in transmission of containing the answer(s) from the cache right away, to minimize
mDNS queries, with appropriate Known Answer lists, to determine if delay.
further answers are available. If additional mDNS answers are
received later, LLQ or Push Notification messages are sent. The Long-Lived Query remains active for as long as the client
(Reasoning: We want UI that is displayed very rapidly, yet maintains the LLQ state, and results in the transmission of mDNS
continues to remain accurate even as the network environment queries (with appropriate Known Answer lists) to determine if
changes.) further answers are available. If the set of mDNS answers
changes, LLQ Event Response messages are sent.
(Reasoning: We want a user interface that is displayed very
rapidly yet continues to remain accurate even as the network
environment changes.)
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
The "negative responses" referred to above are "no error no answer" * Push Notification Subscription
negative responses, not NXDOMAIN. This is because the Discovery
Proxy cannot know all the Multicast DNS domain names that may exist The Discovery Proxy acknowledges the subscription request
on a link at any given time, so any name with no answers may have immediately.
child names that do exist, making it an "empty nonterminal" name.
If one or more answers are already available in the cache, those
answers are then sent in an immediately following DNS PUSH
message.
The Push Notification subscription remains active until the client
cancels the subscription, and results in the transmission of mDNS
queries (with appropriate Known Answer lists) to determine if
further answers are available. If the set of mDNS answers
changes, further DNS PUSH messages are sent.
(Reasoning: We want a user interface that is displayed very
rapidly yet continues to remain accurate even as the network
environment changes.)
DNS TTLs in responses are returned unmodified.
Where the text above refers to returning "a negative response to the
remote client", it is describing returning a "no error no answer"
negative response, not NXDOMAIN. This is because the Discovery Proxy
cannot know all the Multicast DNS domain names that may exist on a
link at any given time, so any name with no answers may have child
names that do exist, making it an "empty non-terminal" name.
Note that certain aspects of the behavior described here do not have Note that certain aspects of the behavior described here do not have
to be implemented overtly by the Discovery Proxy; they occur to be implemented overtly by the Discovery Proxy; they occur
naturally as a result of using existing Multicast DNS APIs. naturally as a result of using existing Multicast DNS APIs.
For example, in the first case above (no LLQ or Push Notifications, For example, in the first case above (standard DNS query and no
and no answers in the cache) if a new Multicast DNS query is answers in the cache), if a new Multicast DNS query is requested
requested (either by a local client, or by the Discovery Proxy on (either by a local client on the Discovery Proxy device, or by the
behalf of a remote client), and there is not already an identical Discovery Proxy software on that device on behalf of a remote
Multicast DNS query active, and there are no matching answers already client), and there is not already an identical Multicast DNS query
in the Multicast DNS cache on the Discovery Proxy device, then this active and there are no matching answers already in the Multicast DNS
will cause a series of Multicast DNS query packets to be issued with cache on the Discovery Proxy device, then this will cause a series of
exponential backoff. The exponential backoff sequence in some Multicast DNS query packets to be issued with exponential backoff.
implementations starts at one second and then doubles for each The exponential backoff sequence in some implementations starts at
retransmission (0, 1, 3, 7 seconds, etc.) and in others starts at one one second and then doubles for each retransmission (0, 1, 3, 7
second and then triples for each retransmission (0, 1, 4, 13 seconds, seconds, etc.), and in others, it starts at one second and then
etc.). In either case, if no response has been received after six triples for each retransmission (0, 1, 4, 13 seconds, etc.). In
seconds, that is long enough that the underlying Multicast DNS either case, if no response has been received after six seconds, that
implementation will have sent three query packets without receiving is long enough that the underlying Multicast DNS implementation will
any response. At that point the Discovery Proxy cancels its have sent three query packets without receiving any response. At
Multicast DNS query (so no further Multicast DNS query packets will that point, the Discovery Proxy cancels its Multicast DNS query (so
be sent for this query) and returns a negative response to the remote no further Multicast DNS query packets will be sent for this query)
client via unicast. and returns a negative response to the remote client via unicast.
The six-second delay is chosen to be long enough to give enough time The six-second delay is chosen to be long enough to give enough time
for devices to respond, yet short enough not to be too onerous for a for devices to respond, yet short enough not to be too onerous for a
human user waiting for a response. For example, using the "dig" DNS human user waiting for a response. For example, using the "dig" DNS
debugging tool, the current default settings result in it waiting a debugging tool, the current default settings result in it waiting a
total of 15 seconds for a reply (three transmissions of the query total of 15 seconds for a reply (three transmissions of the DNS UDP
packet, with a wait of 5 seconds after each packet) which is ample query packet, with a wait of 5 seconds after each packet), which is
time for it to have received a negative reply from a Discovery Proxy ample time for it to have received a negative reply from a Discovery
after six seconds. Proxy after six seconds.
The statement that for a one-shot query (i.e., no LLQ or Push The text above states that for a standard DNS query, if at least one
Notifications requested), if at least one answer is already available answer is already available in the cache, then a Discovery Proxy
in the cache then a Discovery Proxy should not issue additional mDNS should not issue additional mDNS query packets. This also occurs
query packets, also occurs naturally as a result of using existing naturally as a result of using existing Multicast DNS APIs. If a new
Multicast DNS APIs. If a new Multicast DNS query is requested Multicast DNS query is requested (either locally, or by the Discovery
(either locally, or by the Discovery Proxy on behalf of a remote Proxy on behalf of a remote client) for which there are relevant
client), for which there are relevant answers already in the answers already in the Multicast DNS cache on the Discovery Proxy
Multicast DNS cache on the Discovery Proxy device, and after the device, and after the answers are delivered the Multicast DNS query
answers are delivered the Multicast DNS query is then cancelled is immediately cancelled, then no Multicast DNS query packets will be
immediately, then no Multicast DNS query packets will be generated generated for this query.
for this query.
6. Administrative DNS Records 6. Administrative DNS Records
6.1. DNS SOA (Start of Authority) Record 6.1. DNS SOA (Start of Authority) Record
The MNAME field SHOULD contain the host name of the Discovery Proxy The MNAME field SHOULD contain the host name of the Discovery Proxy
device (i.e., the same domain name as the rdata of the NS record device (i.e., the same domain name as the RDATA of the NS record
delegating the relevant zone(s) to this Discovery Proxy device). delegating the relevant zone(s) to this Discovery Proxy device).
The RNAME field SHOULD contain the mailbox of the person responsible The RNAME field SHOULD contain the mailbox of the person responsible
for administering this Discovery Proxy device. for administering this Discovery Proxy device.
The SERIAL field MUST be zero. The SERIAL field MUST be zero.
Zone transfers are undefined for Discovery Proxy zones, and Zone transfers are undefined for Discovery Proxy zones, and
consequently the REFRESH, RETRY and EXPIRE fields have no useful consequently, the REFRESH, RETRY, and EXPIRE fields have no useful
meaning for Discovery Proxy zones. These fields SHOULD contain meaning for Discovery Proxy zones. These fields SHOULD contain
reasonable default values. The RECOMMENDED values are: REFRESH 7200, reasonable default values. The RECOMMENDED values are: REFRESH 7200,
RETRY 3600, EXPIRE 86400. RETRY 3600, and EXPIRE 86400.
The MINIMUM field (used to control the lifetime of negative cache The MINIMUM field (used to control the lifetime of negative cache
entries) SHOULD contain the value 10. The value of ten seconds is entries) SHOULD contain the value 10. This value is chosen based on
chosen based on user-experience considerations (see Section 5.5.1). user-experience considerations (see Section 5.5.1).
In the event that there are multiple Discovery Proxy devices on a In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, this will result in clients link for fault tolerance reasons, this will result in clients
receiving inconsistent SOA records (different MNAME, and possibly receiving inconsistent SOA records (different MNAME and possibly
RNAME) depending on which Discovery Proxy answers their SOA query. RNAME) depending on which Discovery Proxy answers their SOA query.
However, since clients generally have no reason to use the MNAME or However, since clients generally have no reason to use the MNAME or
RNAME data, this is unlikely to cause any problems. RNAME data, this is unlikely to cause any problems.
6.2. DNS NS Records 6.2. DNS NS Records
In the event that there are multiple Discovery Proxy devices on a In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, the parent zone MUST be configured link for fault tolerance reasons, the parent zone MUST be configured
with NS records giving the names of all the Discovery Proxy devices with NS records giving the names of all the Discovery Proxy devices
on the link. on the link.
Each Discovery Proxy device MUST be configured to answer NS queries Each Discovery Proxy device MUST be configured to answer NS queries
for the zone apex name by giving its own NS record, and the NS for the zone apex name by giving its own NS record, and the NS
records of its fellow Discovery Proxy devices on the same link, so records of its fellow Discovery Proxy devices on the same link, so
that it can return the correct answers for NS queries. that it can return the correct answers for NS queries.
The target host name in the RDATA of an NS record MUST NOT reference The target host name in the RDATA of an NS record MUST NOT reference
a name that falls within any zone delegated to a Discovery Proxy. a name that falls within any zone delegated to a Discovery Proxy.
Apart from the zone apex name, all other host names that fall within Apart from the zone apex name, all other host names (names of A and
a zone delegated to a Discovery Proxy correspond to local Multicast AAAA DNS records) that fall within a zone delegated to a Discovery
DNS host names, which logically belong to the respective Multicast Proxy correspond to local Multicast DNS host names, which logically
DNS hosts defending those names, not the Discovery Proxy. Generally belong to the respective Multicast DNS hosts defending those names,
speaking, the Discovery Proxy does not own or control the delegated not the Discovery Proxy. Generally speaking, the Discovery Proxy
zone; it is merely a conduit to the corresponding ".local" namespace, does not own or control the delegated zone; it is merely a conduit to
which is controlled by the Multicast DNS hosts on that link. If an the corresponding ".local" namespace, which is controlled by the
NS record were to reference a manually-determined host name that Multicast DNS hosts on that link. If an NS record were to reference
falls within a delegated zone, that manually-determined host name may a manually determined host name that falls within a delegated zone,
inadvertently conflict with a corresponding ".local" host name that that manually determined host name may inadvertently conflict with a
is owned and controlled by some device on that link. corresponding ".local" host name that is owned and controlled by some
device on that link.
6.3. DNS Delegation Records 6.3. DNS Delegation Records
Since the Multicast DNS specification [RFC6762] states that there can Since the Multicast DNS specification [RFC6762] states that there can
be no delegation (subdomains) within a ".local" namespace, this be no delegation (subdomains) within a ".local" namespace, this
implies that any name within a zone delegated to a Discovery Proxy implies that any name within a zone delegated to a Discovery Proxy
(except for the zone apex name itself) cannot have any answers for (except for the zone apex name itself) cannot have any answers for
any DNS queries for RRTYPEs SOA, NS, or DS. Consequently: any DNS queries for RRTYPEs SOA, NS, or DS. Consequently:
o for any query for the zone apex name of a zone delegated to a * for any query for the zone apex name of a zone delegated to a
Discovery Proxy, the Discovery Proxy MUST generate the appropriate Discovery Proxy, the Discovery Proxy MUST generate the appropriate
immediate answers as described above, and immediate answers as described above, and
o for any query for RRTYPEs SOA, NS, or DS, for any name within a * for any query for any name below the zone apex, for RRTYPEs SOA,
zone delegated to a Discovery Proxy, other than the zone apex NS, or DS, the Discovery Proxy MUST generate an immediate negative
name, instead of translating the query to its corresponding answer.
Multicast DNS ".local" equivalent, a Discovery Proxy MUST generate
an immediate negative answer.
6.4. DNS SRV Records 6.4. DNS SRV Records
There are certain special DNS records that logically fall within the There are certain special DNS records that logically fall within the
delegated unicast DNS subdomain, but rather than mapping to their delegated Unicast DNS subdomain, but rather than mapping to their
corresponding ".local" namesakes, they actually contain metadata corresponding ".local" namesakes, they actually contain metadata
pertaining to the operation of the delegated unicast DNS subdomain pertaining to the operation of the delegated Unicast DNS subdomain
itself. They do not exist in the corresponding ".local" namespace of itself. They do not exist in the corresponding ".local" namespace of
the local link. For these queries a Discovery Proxy MUST generate the local link. For these queries, a Discovery Proxy MUST generate
immediate answers, whether positive or negative, to avoid delays immediate answers, whether positive or negative, to avoid delays
while clients wait for their query to be answered. For example, if a while clients wait for their query to be answered.
Discovery Proxy does not implement Long-Lived Queries [LLQ] then it
MUST return an immediate negative answer to tell the client this
without delay, instead of passing the query through to the local
network as a query for "_dns-llq._udp.local.", and then waiting
unsuccessfully for answers that will not be forthcoming.
If a Discovery Proxy implements Long-Lived Queries [LLQ] then it MUST For example, if a Discovery Proxy implements Long-Lived Queries
positively respond to "_dns-llq._udp.<zone> SRV" queries, [RFC8764], then it MUST positively respond to
"_dns-llq._tcp.<zone> SRV" queries, and "_dns-llq._udp.<zone> SRV" queries, "_dns-llq._tcp.<zone> SRV"
"_dns-llq-tls._tcp.<zone> SRV" queries as appropriate, else it MUST queries, and "_dns-llq-tls._tcp.<zone> SRV" queries as appropriate.
return an immediate negative answer for those queries. If it does not implement Long-Lived Queries, it MUST return an
immediate negative answer for those queries, instead of passing those
queries through to the local network as Multicast DNS queries and
then waiting unsuccessfully for answers that will not be forthcoming.
If a Discovery Proxy implements DNS Push Notifications [Push] then it If a Discovery Proxy implements DNS Push Notifications [RFC8765],
MUST positively respond to "_dns-push-tls._tcp.<zone>" queries, else then it MUST positively respond to "_dns-push-tls._tcp.<zone>"
it MUST return an immediate negative answer for those queries. queries. Otherwise, it MUST return an immediate negative answer for
those queries.
A Discovery Proxy MUST return an immediate negative answer for A Discovery Proxy MUST return an immediate negative answer for
"_dns-update._udp.<zone> SRV" queries, "_dns-update._tcp.<zone> SRV" "_dns-update._udp.<zone> SRV" queries, "_dns-update._tcp.<zone> SRV"
queries, and "_dns-update-tls._tcp.<zone> SRV" queries, since using queries, and "_dns-update-tls._tcp.<zone> SRV" queries, since using
DNS Update [RFC2136] to change zones generated dynamically from local DNS Update [RFC2136] to change zones generated dynamically from local
Multicast DNS data is not possible. Multicast DNS data is not possible.
6.5. Domain Enumeration Records
If the network operator chooses to use address-based unicast Domain
Enumeration queries for client configuration (see Section 5.2.1), and
the network operator also chooses to delegate the enclosing reverse
mapping subdomain to a Discovery Proxy, then that Discovery Proxy
becomes responsible for serving the answers to those address-based
unicast Domain Enumeration queries.
As with the SRV metadata records described above, a Discovery Proxy
configured with delegated reverse mapping subdomains is responsible
for generating immediate (positive or negative) answers for address-
based unicast Domain Enumeration queries, rather than passing them
though to the underlying Multicast DNS subsystem and then waiting
unsuccessfully for answers that will not be forthcoming.
7. DNSSEC Considerations 7. DNSSEC Considerations
7.1. On-line signing only 7.1. Online Signing Only
The Discovery Proxy acts as the authoritative name server for The Discovery Proxy acts as the authoritative name server for
designated subdomains, and if DNSSEC is to be used, the Discovery designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to possess a copy of the signing keys, in order to Proxy needs to possess a copy of the signing keys in order to
generate authoritative signed data from the local Multicast DNS generate authoritative signed data from the local Multicast DNS
responses it receives. Off-line signing is not applicable to responses it receives. Offline signing is not applicable to
Discovery Proxy. Discovery Proxy.
7.2. NSEC and NSEC3 Records 7.2. NSEC and NSEC3 Records
In DNSSEC NSEC [RFC4034] and NSEC3 [RFC5155] records are used to In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence
assert the nonexistence of certain names, also described as of certain names, also described as "authenticated denial of
"authenticated denial of existence". existence" [RFC4034] [RFC5155].
Since a Discovery Proxy only knows what names exist on the local link Since a Discovery Proxy only knows what names exist on the local link
by issuing queries for them, and since it would be impractical to by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
synthesize the traditional NSEC and NSEC3 records which assert the synthesize the traditional NSEC and NSEC3 records that assert the
nonexistence of a large range of names. Instead, when generating a nonexistence of a large range of names. Instead, when generating a
negative response, a Discovery Proxy programmatically synthesizes a negative response, a Discovery Proxy programmatically synthesizes a
single NSEC record assert the nonexistence of just the specific name single NSEC record asserting the nonexistence of just the specific
queried, and no others. Since the Discovery Proxy has the zone name queried and no others. Since the Discovery Proxy has the zone
signing key, it can do this on demand. Since the NSEC record asserts signing key, it can do this on demand. Since the NSEC record asserts
the nonexistence of only a single name, zone walking is not a the nonexistence of only a single name, zone walking is not a
concern, so NSEC3 is not necessary. concern, and NSEC3 is therefore not necessary.
Note that this applies only to traditional immediate DNS queries, Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when no immediate which may return immediate negative answers when no immediate
positive answer is available. When used with a DNS Push Notification positive answer is available. When used with a DNS Push Notification
subscription [Push] there are no negative answers, merely the absence subscription [RFC8765], there are no negative answers, merely the
of answers so far, which may change in the future if answers become absence of answers so far, which may change in the future if answers
available. become available.
8. IPv6 Considerations 8. IPv6 Considerations
An IPv4-only host and an IPv6-only host behave as "ships that pass in An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet [IEEE-3], neither the night". Even if they are on the same Ethernet [IEEE-3], neither
is aware of the other's traffic. For this reason, each link may have is aware of the other's traffic. For this reason, each link may have
*two* unrelated ".local." zones, one for IPv4 and one for IPv6. _two_ unrelated ".local." zones: one for IPv4 and one for IPv6.
Since for practical purposes, a group of IPv4-only hosts and a group Since, for practical purposes, a group of IPv4-only hosts and a group
of IPv6-only hosts on the same Ethernet act as if they were on two of IPv6-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments. really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these It will be desirable to have a mechanism to "stitch" together these
two unrelated ".local." zones so that they appear as one. Such two unrelated ".local." zones so that they appear as one. Such a
mechanism will need to be able to differentiate between a dual-stack mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different (v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv4-only and the other IPv6-only, which are both trying hosts: one IPv4-only and the other IPv6-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a to use the same name(s). Such a mechanism will be specified in a
future companion document. future companion document.
At present, it is RECOMMENDED that a Discovery Proxy be configured At present, it is RECOMMENDED that a Discovery Proxy be configured
with a single domain name for both the IPv4 and IPv6 ".local." zones with a single domain name for both the IPv4 and IPv6 ".local." zones
on the local link, and when a unicast query is received, it should on the local link, and when a unicast query is received, it should
issue Multicast DNS queries using both IPv4 and IPv6 on the local issue Multicast DNS queries using both IPv4 and IPv6 on the local
link, and then combine the results. link and then combine the results.
9. Security Considerations 9. Security Considerations
9.1. Authenticity 9.1. Authenticity
A service proves its presence on a link by its ability to answer A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is link-local multicast queries on that link. If greater security is
desired, then the Discovery Proxy mechanism should not be used, and desired, then the Discovery Proxy mechanism should not be used, and
something with stronger security should be used instead, such as something with stronger security should be used instead such as
authenticated secure DNS Update [RFC2136] [RFC3007]. authenticated secure DNS Update [RFC2136] [RFC3007].
9.2. Privacy 9.2. Privacy
The Domain Name System is, generally speaking, a global public The Domain Name System is, generally speaking, a global public
database. Records that exist in the Domain Name System name database. Records that exist in the Domain Name System name
hierarchy can be queried by name from, in principle, anywhere in the hierarchy can be queried by name from, in principle, anywhere in the
world. If services on a mobile device (like a laptop computer) are world. If services on a mobile device (like a laptop computer) are
made visible via the Discovery Proxy mechanism, then when those made visible via the Discovery Proxy mechanism, then when those
services become visible in a domain such as "My House.example.com" services become visible in a domain such as "My House.example.com",
that might indicate to (potentially hostile) observers that the it might indicate to (potentially hostile) observers that the mobile
mobile device is in my house. When those services disappear from device is in the owner's home. When those services disappear from
"My House.example.com" that change could be used by observers to "My House.example.com", that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using the house. The privacy of this information may be protected using
techniques like firewalls, split-view DNS, and Virtual Private techniques like firewalls, split-view DNS, and Virtual Private
Networks (VPNs), as are customarily used today to protect the privacy Networks (VPNs), as are customarily used today to protect the privacy
of corporate DNS information. of corporate DNS information.
The privacy issue is particularly serious for the IPv4 and IPv6 The privacy issue is particularly serious for the IPv4 and IPv6
reverse zones. If the public delegation of the reverse zones points reverse zones. If the public delegation of the reverse zones points
to the Discovery Proxy, and the Discovery Proxy is reachable to the Discovery Proxy, and the Discovery Proxy is reachable
globally, then it could leak a significant amount of information. globally, then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might not be easy to Attackers could discover hosts that otherwise might not be easy to
identify, and learn their hostnames. Attackers could also discover identify, and learn their host names. Attackers could also discover
the existence of links where hosts frequently come and go. the existence of links where hosts frequently come and go.
The Discovery Proxy could also provide sensitive records only to The Discovery Proxy could provide sensitive records only to
authenticated users. This is a general DNS problem, not specific to authenticated users. This is a general DNS problem, not specific to
the Discovery Proxy. Work is underway in the IETF to tackle this the Discovery Proxy. Work is underway in the IETF to tackle this
problem [RFC7626]. problem [RFC7626].
9.3. Denial of Service 9.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Discovery Proxy to generate a rapid series of queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local corresponding Multicast DNS queries on one or more of its local
links. Multicast traffic is generally more expensive than unicast links. Multicast traffic is generally more expensive than unicast
traffic -- especially on Wi-Fi links -- which makes this attack traffic, especially on Wi-Fi links [MCAST], which makes this attack
particularly serious. To limit the damage that can be caused by such particularly serious. To limit the damage that can be caused by such
attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem
which it utilizes) MUST implement Multicast DNS query rate limiting that it utilizes) MUST implement Multicast DNS query rate limiting
appropriate to the link technology in question. For today's appropriate to the link technology in question. For today's
802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
packets per second is sufficient to consume approximately 100% of the packets per second is sufficient to consume approximately 100% of the
wireless spectrum) a limit of 20 Multicast DNS query packets per wireless spectrum), a limit of 20 Multicast DNS query packets per
second is RECOMMENDED. On other link technologies like Gigabit second is RECOMMENDED. On other link technologies like Gigabit
Ethernet higher limits may be appropriate. A consequence of this Ethernet, higher limits may be appropriate. A consequence of this
rate limiting is that a rogue remote client could issue an excessive rate limiting is that a rogue remote client could issue an excessive
number of queries, resulting in denial of service to other legitimate number of queries resulting in denial of service to other legitimate
remote clients attempting to use that Discovery Proxy. However, this remote clients attempting to use that Discovery Proxy. However, this
is preferable to a rogue remote client being able to inflict even is preferable to a rogue remote client being able to inflict even
greater harm on the local network, which could impact the correct greater harm on the local network, which could impact the correct
operation of all local clients on that network. operation of all local clients on that network.
10. IANA Considerations 10. IANA Considerations
This document has no IANA Considerations. This document has no IANA actions.
11. Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Anders Brandt, Ben
Campbell, Tim Chown, Alissa Cooper, Spencer Dawkins, Ralph Droms,
Joel Halpern, Ray Hunter, Joel Jaeggli, Warren Kumari, Ted Lemon,
Alexey Melnikov, Kathleen Moriarty, Tom Pusateri, Eric Rescorla, Adam
Roach, David Schinazi, Markus Stenberg, Dave Thaler, and Andrew
Yourtchenko for their comments.
12. References 11. References
12.1. Normative References 11.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
and E. Lear, "Address Allocation for Private Internets", J., and E. Lear, "Address Allocation for Private
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918,
<https://www.rfc-editor.org/info/rfc1918>. February 1996, <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<https://www.rfc-editor.org/info/rfc2308>. <https://www.rfc-editor.org/info/rfc2308>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, <https://www.rfc- DOI 10.17487/RFC3927, May 2005,
editor.org/info/rfc3927>. <https://www.rfc-editor.org/info/rfc3927>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007, <https://www.rfc- DOI 10.17487/RFC4862, September 2007,
editor.org/info/rfc4862>. <https://www.rfc-editor.org/info/rfc4862>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/info/rfc5155>. <https://www.rfc-editor.org/info/rfc5155>.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
<https://www.rfc-editor.org/info/rfc5198>. <https://www.rfc-editor.org/info/rfc5198>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013, <https://www.rfc- DOI 10.17487/RFC6762, February 2013,
editor.org/info/rfc6762>. <https://www.rfc-editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>. <https://www.rfc-editor.org/info/rfc6763>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
Lemon, T., and T. Pusateri, "DNS Stateful Operations", Lemon, T., and T. Pusateri, "DNS Stateful Operations",
RFC 8490, DOI 10.17487/RFC8490, March 2019, RFC 8490, DOI 10.17487/RFC8490, March 2019,
<https://www.rfc-editor.org/info/rfc8490>. <https://www.rfc-editor.org/info/rfc8490>.
[Push] Pusateri, T. and S. Cheshire, "DNS Push Notifications", [RFC8765] Pusateri, T. and S. Cheshire, "DNS Push Notifications",
draft-ietf-dnssd-push-19 (work in progress), March 2019. RFC 8765, DOI 10.17487/RFC8765, June 2020,
<https://www.rfc-editor.org/info/rfc8765>.
12.2. Informative References 11.2. Informative References
[Roadmap] Cheshire, S., "Service Discovery Road Map", draft- [DNS-UL] Cheshire, S. and T. Lemon, "Dynamic DNS Update Leases",
cheshire-dnssd-roadmap-03 (work in progress), October Work in Progress, Internet-Draft, draft-sekar-dns-ul-02, 2
2018. August 2018,
<https://tools.ietf.org/html/draft-sekar-dns-ul-02>.
[DNS-UL] Sekar, K., "Dynamic DNS Update Leases", draft-sekar-dns- [IEEE-1Q] IEEE, "IEEE Standard for Local and metropolitan area
ul-01 (work in progress), August 2006. networks -- Bridges and Bridged Networks", IEEE Std
802.1Q-2014, DOI 10.1109/IEEESTD.2014.6991462, 2014,
<https://ieeexplore.ieee.org/document/6991462>.
[LLQ] Cheshire, S. and M. Krochmal, "DNS Long-Lived Queries", [IEEE-3] IEEE, "IEEE Standard for Ethernet",
draft-sekar-dns-llq-03 (work in progress), March 2019. DOI 10.1109/IEEESTD.2018.8457469, IEEE Std 802.3-2018,
December 2008,
<https://ieeexplore.ieee.org/document/8457469>.
[RegProt] Cheshire, S. and T. Lemon, "Service Registration Protocol [IEEE-5] IEEE, "Telecommunications and information exchange between
for DNS-Based Service Discovery", draft-sctl-service- systems - Local and metropolitan area networks - Part 5:
registration-00 (work in progress), July 2017. Token ring access method and physical layer
specifications", IEEE Std 802.5-1998, 1998,
<https://standards.ieee.org/standard/802_5-1998.html>.
[Relay] Cheshire, S. and T. Lemon, "Multicast DNS Discovery [IEEE-11] IEEE, "Information technology - Telecommunications and
Relay", draft-sctl-dnssd-mdns-relay-04 (work in progress), information exchange between systems - Local and
March 2018. metropolitan area networks - Specific requirements - Part
11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2016,
December 2016,
<https://standards.ieee.org/standard/802_11-2016.html>.
[Mcast] Perkins, C., McBride, M., Stanley, D., Kumari, W., and J. [MCAST] Perkins, C., McBride, M., Stanley, D., Kumari, W., and J.
Zuniga, "Multicast Considerations over IEEE 802 Wireless Zuniga, "Multicast Considerations over IEEE 802 Wireless
Media", draft-ietf-mboned-ieee802-mcast-problems-04 (work Media", Work in Progress, Internet-Draft, draft-ietf-
in progress), November 2018. mboned-ieee802-mcast-problems-11, 11 December 2019,
<https://tools.ietf.org/html/draft-ietf-mboned-ieee802-
mcast-problems-11>.
[OHP] "ohybridproxy - an mDNS/DNS hybrid-proxy based on
mDNSResponder", commit 464d6c9, June 2017,
<https://github.com/sbyx/ohybridproxy/>.
[REG-PROT] Cheshire, S. and T. Lemon, "Service Registration Protocol
for DNS-Based Service Discovery", Work in Progress,
Internet-Draft, draft-sctl-service-registration-02, 15
July 2018, <https://tools.ietf.org/html/draft-sctl-
service-registration-02>.
[RELAY] Cheshire, S. and T. Lemon, "Multicast DNS Discovery
Relay", Work in Progress, Internet-Draft, draft-sctl-
dnssd-mdns-relay-04, 21 March 2018,
<https://tools.ietf.org/html/draft-sctl-dnssd-mdns-relay-
04>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<https://www.rfc-editor.org/info/rfc2132>. <https://www.rfc-editor.org/info/rfc2132>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<https://www.rfc-editor.org/info/rfc2136>. <https://www.rfc-editor.org/info/rfc2136>.
skipping to change at page 36, line 40 skipping to change at line 1722
<https://www.rfc-editor.org/info/rfc4193>. <https://www.rfc-editor.org/info/rfc4193>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol [RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
to Replace the AppleTalk Name Binding Protocol (NBP)", to Replace the AppleTalk Name Binding Protocol (NBP)",
RFC 6760, DOI 10.17487/RFC6760, February 2013, RFC 6760, DOI 10.17487/RFC6760, February 2013,
<https://www.rfc-editor.org/info/rfc6760>. <https://www.rfc-editor.org/info/rfc6760>.
[RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault, [RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
"Requirements for Scalable DNS-Based Service Discovery "Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558, (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015, <https://www.rfc- DOI 10.17487/RFC7558, July 2015,
editor.org/info/rfc7558>. <https://www.rfc-editor.org/info/rfc7558>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015, <https://www.rfc- DOI 10.17487/RFC7626, August 2015,
editor.org/info/rfc7626>. <https://www.rfc-editor.org/info/rfc7626>.
[RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
2016, <https://www.rfc-editor.org/info/rfc7788>. 2016, <https://www.rfc-editor.org/info/rfc7788>.
[RFC8375] Pfister, P. and T. Lemon, "Special-Use Domain [RFC8375] Pfister, P. and T. Lemon, "Special-Use Domain
'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018, 'home.arpa.'", RFC 8375, DOI 10.17487/RFC8375, May 2018,
<https://www.rfc-editor.org/info/rfc8375>. <https://www.rfc-editor.org/info/rfc8375>.
[ohp] "Discovery Proxy (Hybrid Proxy) implementation for [RFC8764] Cheshire, S. and M. Krochmal, "Apple's DNS Long-Lived
OpenWrt", <https://github.com/sbyx/ohybridproxy/>. Queries Protocol", RFC 8764, DOI 10.17487/RFC8764, June
2020, <https://www.rfc-editor.org/info/rfc8764>.
[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, December 2005.
[IEEE-1Q] "IEEE Standard for Local and metropolitan area networks --
Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
November 2014, <http://standards.ieee.org/getieee802/
download/802-1Q-2014.pdf>.
[IEEE-3] "Information technology - Telecommunications and
information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part
3: Carrier Sense Multiple Access with Collision Detection
(CMSA/CD) Access Method and Physical Layer
Specifications", IEEE Std 802.3-2008, December 2008,
<http://standards.ieee.org/getieee802/802.3.html>.
[IEEE-5] Institute of Electrical and Electronics Engineers, [ROADMAP] Cheshire, S., "Service Discovery Road Map", Work in
"Information technology - Telecommunications and Progress, Internet-Draft, draft-cheshire-dnssd-roadmap-03,
information exchange between systems - Local and 23 October 2018, <https://tools.ietf.org/html/draft-
metropolitan area networks - Specific requirements - Part cheshire-dnssd-roadmap-03>.
5: Token ring access method and physical layer
specification", IEEE Std 802.5-1998, 1995.
[IEEE-11] "Information technology - Telecommunications and [ZC] Cheshire, S. and D.H. Steinberg, "Zero Configuration
information exchange between systems - Local and Networking: The Definitive Guide", O'Reilly Media, Inc.,
metropolitan area networks - Specific requirements - Part ISBN 0-596-10100-7, December 2005.
11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2007, June
2007, <http://standards.ieee.org/getieee802/802.11.html>.
Appendix A. Implementation Status Appendix A. Implementation Status
Some aspects of the mechanism specified in this document already Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new. outlines which aspects already exist and which are new.
A.1. Already Implemented and Deployed A.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is Domain enumeration by the client ("b._dns-sd._udp.<zone>" queries) is
already implemented and deployed. already implemented and deployed.
Unicast queries to the indicated discovery domain is already Performing unicast queries to the indicated discovery domain is
implemented and deployed. already implemented and deployed.
These are implemented and deployed in Mac OS X 10.4 and later These are implemented and deployed in Mac OS X 10.4 Tiger and later
(including all versions of Apple iOS, on all iPhone and iPads), in (including all versions of Apple iOS, on all models of iPhones,
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) iPads, Apple TVs and HomePods), in Bonjour for Windows, and in
and later. Android 4.1 "Jelly Bean" (API Level 16) and later.
Domain enumeration and unicast querying have been used for several Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable years at IETF meetings to make terminal room printers discoverable
from outside the Terminal room. When an IETF attendee presses Cmd-P from outside the terminal room. When an IETF attendee presses
on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal "Cmd-P" on a Mac, or selects AirPrint on an iPad or iPhone, and the
room printers appear, that is because the client is sending unicast terminal room printers appear, it is because the client is sending
DNS queries to the IETF DNS servers. A walk-through giving the Unicast DNS queries to the IETF DNS servers. A walk-through giving
details of this particular specific example is given in Appendix A of the details of this particular specific example is given in
the Roadmap document [Roadmap]. Appendix A of the Roadmap document [ROADMAP].
The Long-Lived Query mechanism [RFC8764] referred to in this
specification exists and is deployed but was not standardized by the
IETF. The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications [RFC8765], which is built on DNS
Stateful Operations [RFC8490]. DNS Push Notifications is implemented
and deployed in Mac OS X 10.15 and later, and iOS 13 and later.
A.2. Already Implemented A.2. Already Implemented
A minimal portable Discovery Proxy implementation has been produced A minimal portable Discovery Proxy implementation has been produced
by Markus Stenberg and Steven Barth, which runs on OS X and several by Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the Linux variants including OpenWrt [OHP]. It was demonstrated at the
Berlin IETF in July 2013. Berlin IETF in July 2013.
Tom Pusateri has an implementation that runs on any Unix/Linux. It Tom Pusateri has an implementation that runs on any Unix/Linux
has a RESTful interface for management and an experimental demo CLI system. It has a RESTful interface for management and an
and web interface. experimental demo command-line interface (CLI) and web interface.
Ted Lemon also has produced a portable implementation of Discovery Ted Lemon also has produced a portable implementation of Discovery
Proxy, which is available in the mDNSResponder open source code. Proxy, which is available in the mDNSResponder open source code.
The Long-Lived Query mechanism [LLQ] referred to in this
specification exists and is deployed, but was not standardized by the
IETF. The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications [Push], which is built on DNS Stateful
Operations [RFC8490]. The pragmatic short-term deployment approach
is for vendors to produce Discovery Proxies that implement both the
deployed Long-Lived Query mechanism [LLQ] (for today's clients) and
the new DNS Push Notifications mechanism [Push] as the preferred
long-term direction.
A.3. Partially Implemented A.3. Partially Implemented
The current APIs make multiple domains visible to client software, At the time of writing, existing APIs make multiple domains visible
but most client UI today lumps all discovered services into a single to client software, but most client user interfaces lump all
flat list. This is largely a chicken-and-egg problem. Application discovered services into a single flat list. This is largely a
writers were naturally reluctant to spend time writing domain-aware chicken-and-egg problem. Application writers were naturally
UI code when few customers today would benefit from it. If Discovery reluctant to spend time writing domain-aware user interface code when
Proxy deployment becomes common, then application writers will have a few customers would benefit from it. If Discovery Proxy deployment
reason to provide better UI. Existing applications will work with becomes common, then application writers will have a reason to
the Discovery Proxy, but will show all services in a single flat provide a better user experience. Existing applications will work
list. Applications with improved UI will group services by domain. with the Discovery Proxy but will show all services in a single flat
list. Applications with improved user interfaces will show services
grouped by domain.
Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Anders Brandt, Ben
Campbell, Tim Chown, Alissa Cooper, Spencer Dawkins, Ralph Droms,
Joel Halpern, Ray Hunter, Joel Jaeggli, Warren Kumari, Ted Lemon,
Alexey Melnikov, Kathleen Moriarty, Tom Pusateri, Eric Rescorla, Adam
Roach, David Schinazi, Markus Stenberg, Dave Thaler, and Andrew
Yourtchenko for their comments.
Author's Address Author's Address
Stuart Cheshire Stuart Cheshire
Apple Inc. Apple Inc.
One Apple Park Way One Apple Park Way
Cupertino, California 95014 Cupertino, California 95014
USA United States of America
Phone: +1 (408) 996-1010 Phone: +1 (408) 996-1010
Email: cheshire@apple.com Email: cheshire@apple.com
 End of changes. 236 change blocks. 
747 lines changed or deleted 972 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/