draft-ietf-dnssd-push-01.txt   draft-ietf-dnssd-push-02.txt 
Internet Engineering Task Force T. Pusateri Internet Engineering Task Force T. Pusateri
Internet-Draft Seeking affiliation Internet-Draft Seeking affiliation
Intended status: Standards Track S. Cheshire Intended status: Standards Track S. Cheshire
Expires: April 21, 2016 Apple Inc. Expires: April 21, 2016 Apple Inc.
October 19, 2015 October 19, 2015
DNS Push Notifications DNS Push Notifications
draft-ietf-dnssd-push-01 draft-ietf-dnssd-push-02
Abstract Abstract
The Domain Name System (DNS) was designed to efficiently return The Domain Name System (DNS) was designed to return matching records
matching records for queries for data that is relatively static. efficiently for queries for data that is relatively static. When
When those records change frequently, DNS is still efficient at those records change frequently, DNS is still efficient at returning
returning the updated results when polled. But there exists no the updated results when polled. But there exists no mechanism for a
mechanism for a client to be asynchronously notified when these client to be asynchronously notified when these changes occur. This
changes occur. This document defines a mechanism for a client to be document defines a mechanism for a client to be notified of such
notified of such changes to DNS records, called DNS Push changes to DNS records, called DNS Push Notifications.
Notifications.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
skipping to change at page 2, line 12 skipping to change at page 2, line 11
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. State Considerations . . . . . . . . . . . . . . . . . . . . 5 5. State Considerations . . . . . . . . . . . . . . . . . . . . 6
6. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 6 6. Protocol Operation . . . . . . . . . . . . . . . . . . . . . 7
6.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 7
6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 8 6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 9
6.3. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 10 6.3. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 12
6.4. DNS Push Notification Update Messages . . . . . . . . . . 11 6.4. DNS Push Notification Update Messages . . . . . . . . . . 13
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 6.5. DNS RECONFIRM . . . . . . . . . . . . . . . . . . . . . . 16
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6.6. DNS Push Notification Termination Message . . . . . . . . 18
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
9.1. Security Services . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
9.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19
9.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 15 9.1. Security Services . . . . . . . . . . . . . . . . . . . . 19
9.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 15 9.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 20
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 9.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 20
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 9.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 20
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 10.1. Normative References . . . . . . . . . . . . . . . . . . 21
10.2. Informative References . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
DNS records may be updated using DNS Update [RFC2136]. Other DNS records may be updated using DNS Update [RFC2136]. Other
mechanisms such as a Hybrid Proxy [I-D.ietf-dnssd-hybrid] can also mechanisms such as a Hybrid Proxy [I-D.ietf-dnssd-hybrid] can also
generate changes to a DNS zone. This document specifies a protocol generate changes to a DNS zone. This document specifies a protocol
for Unicast DNS clients to subscribe to receive asynchronous for Unicast DNS clients to subscribe to receive asynchronous
notifications of changes to RRSets of interest. It is immediately notifications of changes to RRSets of interest. It is immediately
relevant in the case of DNS Service Discovery [RFC6763] but is not relevant in the case of DNS Service Discovery [RFC6763] but is not
limited to that use case and provides a general DNS mechanism for DNS limited to that use case and provides a general DNS mechanism for DNS
record change notifications. Familiarity with the DNS protocol and record change notifications. Familiarity with the DNS protocol and
DNS packet formats is assumed [RFC1034] [RFC1035] [RFC6195]. DNS packet formats is assumed [RFC1034] [RFC1035] [RFC6195].
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in "Key words for use in "OPTIONAL" in this document are to be interpreted as described in
RFCs to Indicate Requirement Levels" [RFC2119]. "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
2. Motivation 2. Motivation
As the domain name system continues to adapt to new uses and changes As the domain name system continues to adapt to new uses and changes
in deployment, polling has the potential to burden DNS servers at in deployment, polling has the potential to burden DNS servers at
many levels throughout the network. Other network protocols have many levels throughout the network. Other network protocols have
successfully deployed a publish/subscribe model to state changes successfully deployed a publish/subscribe model to state changes
following the Observer design pattern. XMPP Publish-Subscribe following the Observer design pattern. XMPP Publish-Subscribe
[XEP-0060] and Atom [RFC4287] are examples. While DNS servers are [XEP-0060] and Atom [RFC4287] are examples. While DNS servers are
generally highly tuned and capable of a high rate of query/response generally highly tuned and capable of a high rate of query/response
skipping to change at page 4, line 5 skipping to change at page 3, line 47
though it can be used over TCP, LLQ is defined primarily as a UDP- though it can be used over TCP, LLQ is defined primarily as a UDP-
based protocol, and as such it defines its own equivalents of based protocol, and as such it defines its own equivalents of
existing TCP features like the three-way handshake. This document existing TCP features like the three-way handshake. This document
builds on experience gained with the LLQ protocol, with an improved builds on experience gained with the LLQ protocol, with an improved
design that uses long-lived TCP connections instead of UDP (and design that uses long-lived TCP connections instead of UDP (and
therefore doesn't need to duplicate existing TCP functionality), and therefore doesn't need to duplicate existing TCP functionality), and
adopts the syntax and semantics of DNS Update messages [RFC2136] adopts the syntax and semantics of DNS Update messages [RFC2136]
instead of inventing a new vocabulary of messages to communicate DNS instead of inventing a new vocabulary of messages to communicate DNS
zone changes. zone changes.
Because DNS Push Notifications impose a certain load on the
responding server (though less load that rapid polling of that
server) DNS Push Notification clients SHOULD exercise restraint in
issuing DNS Push Notification subscriptions. A subscription SHOULD
only be active when there is a valid reason to need live data (for
example, an on-screen display is currently showing the results of
that subscription to the user) and the subscription SHOULD be
cancelled as soon as the need for that data ends (for example, when
the user dismisses that display).
A DNS Push Notification client MUST not routinely keep a DNS Push
Notification subscription active 24 hours a day 7 days a week just to
keep a list in memory up to date so that it will be really fast if
the user does choose to bring up an on-screen display of that data.
DNS Push Notifications are designed to be fast enough that there is
no need to pre-load a "warm" list in memory just in case it might be
needed later.
3. Overview 3. Overview
The existing DNS Update protocol [RFC2136] provides a mechanism for The existing DNS Update protocol [RFC2136] provides a mechanism for
clients to add or delete individual resource records (RRs) or entire clients to add or delete individual resource records (RRs) or entire
resource record sets (RRSets) on the zone's server. Adopting this resource record sets (RRSets) on the zone's server. Adopting this
existing syntax and semantics for DNS Push Notifications allows for existing syntax and semantics for DNS Push Notifications allows for
messages going in the other direction, from server to client, to messages going in the other direction, from server to client, to
communicate changes to a zone. The client first must subscribe for communicate changes to a zone. The client first must subscribe for
Push Notifications by connecting to the server and sending DNS Push Notifications by connecting to the server and sending DNS
message(s) indicating the RRSet(s) of interest. When the client message(s) indicating the RRSet(s) of interest. When the client
loses interest in updates to these records, it unsubscribes. The DNS loses interest in updates to these records, it unsubscribes.
Push Notification server for a zone is any server capable of
The DNS Push Notification server for a zone is any server capable of
generating the correct change notifications for a name. It may be a generating the correct change notifications for a name. It may be a
master, slave, or stealth name server [RFC1996]. master, slave, or stealth name server [RFC1996]. Consequently, the
"_dns-push-tls._tcp.<zone>" SRV record for a <zone> MAY reference the
same target host and port as that zone's
"_dns-update-tls._tcp.<zone>" SRV record. When the same target host
and port is offered for both DNS Updates and DNS Push Notifications,
a client MAY use a single TCP connection to that server for DNS
Updates, DNS Queries, and DNS Push Notification Queries.
DNS Push Notification clients are NOT required to implement DNS DNS Push Notification clients are NOT required to implement DNS
Update Prerequisite processing. Prerequisites are used to perform Update Prerequisite processing. Prerequisites are used to perform
tentative atomic test-and-set type operations on the server, and that tentative atomic test-and-set type operations on the server, and that
concept has no application when it comes to an authoritative server concept has no application when it comes to an authoritative server
telling a client of changes to DNS records. informing a client of changes to DNS records.
4. Transport 4. Transport
Implementations of DNS Update [RFC2136] MAY use either User Datagram Implementations of DNS Update [RFC2136] MAY use either User Datagram
Protocol (UDP) [RFC0768] or Transmission Control Protocol (TCP) Protocol (UDP) [RFC0768] or Transmission Control Protocol (TCP)
[RFC0793] as the transport protocol, in keeping with the historical [RFC0793] as the transport protocol, in keeping with the historical
precedent that DNS queries must first be sent over UDP [RFC1123]. precedent that DNS queries must first be sent over UDP [RFC1123].
This requirement to use UDP has subsequently been relaxed [RFC5966]. This requirement to use UDP has subsequently been relaxed
DNS Push Notification is defined only for TCP. DNS Push Notification [RFC5966][I-D.ietf-dnsop-5966bis]. Following that precendent, DNS
clients MUST use TCP. Push Notification is defined only for TCP. DNS Push Notification
clients MUST use TLS over TCP.
Either end of the TCP connection can terminate all of the Either end of the TCP connection can terminate all of the
subscriptions on that connection by simply closing the connection subscriptions on that connection by simply closing the connection
abruptly with a TCP RST. (An individual subscription is terminated abruptly with a TCP FIN or RST. (An individual subscription is
by sending an UNSUBSCRIBE message for that specific subscription.) terminated by sending an UNSUBSCRIBE message for that specific
subscription.)
If a client closes the connection, it is signaling that it is no If a client closes the connection, it is signaling that it is no
longer interested in receiving updates to any of the records it has longer interested in receiving updates to any of the records it has
subscribed. It is informing the server that the server may release subscribed. It is informing the server that the server may release
all state information it has been keeping with regards to this all state information it has been keeping with regards to this
client. This may occur because the client computer has been client. This may occur because the client computer has been
disconnected from the network, has gone to sleep, or the application disconnected from the network, has gone to sleep, or the application
requiring the records has terminated. requiring the records has terminated.
If a server closes the connection, it is informing the client that it If a server closes the connection, it is informing the client that it
skipping to change at page 5, line 16 skipping to change at page 5, line 46
receive it. The client can try to re-subscribe at a later time or receive it. The client can try to re-subscribe at a later time or
connect to another server supporting DNS Push Notifications for the connect to another server supporting DNS Push Notifications for the
zone. zone.
Connection setup over TCP ensures return reachability and alleviates Connection setup over TCP ensures return reachability and alleviates
concerns of state overload at the server through anonymous concerns of state overload at the server through anonymous
subscriptions. All subscribers are guaranteed to be reachable by the subscriptions. All subscribers are guaranteed to be reachable by the
server by virtue of the TCP three-way handshake. Because TCP SYN server by virtue of the TCP three-way handshake. Because TCP SYN
flooding attacks are possible with any protocol over TCP, flooding attacks are possible with any protocol over TCP,
implementers are encouraged to use industry best practices to guard implementers are encouraged to use industry best practices to guard
against such attacks [IPJ.9-4-TCPSYN]. against such attacks [IPJ.9-4-TCPSYN] [RFC4953].
Transport Layer Security (TLS) [RFC5246] is well understood and Transport Layer Security (TLS) [RFC5246] is well understood and
deployed across many protocols running over TCP. It is designed to deployed across many protocols running over TCP. It is designed to
prevent eavesdropping, tampering, or message forgery. TLS is prevent eavesdropping, tampering, or message forgery. TLS is
REQUIRED for every connection between a client subscriber and server REQUIRED for every connection between a client subscriber and server
in this protocol specification. Additional security measures such as in this protocol specification. Additional security measures such as
client authentication during TLS negotiation MAY also be employed to client authentication during TLS negotiation MAY also be employed to
increase the trust relationship between client and server. increase the trust relationship between client and server.
Additional authentication of the SRV target using DNSSEC verification Additional authentication of the SRV target using DNSSEC verification
and DANE TLSA records [RFC7673] is strongly encouraged. See below in and DANE TLSA records [RFC7673] is strongly encouraged. See below in
skipping to change at page 6, line 8 skipping to change at page 7, line 8
simultaneous connections to alternate DNS servers that support DNS simultaneous connections to alternate DNS servers that support DNS
Push Notifications for the zone and distribute record subscriptions Push Notifications for the zone and distribute record subscriptions
at its discretion. In this way, both clients and servers can react at its discretion. In this way, both clients and servers can react
to resource constraints. Token bucket rate limiting schemes are also to resource constraints. Token bucket rate limiting schemes are also
effective in providing fairness by a server across numerous client effective in providing fairness by a server across numerous client
requests. requests.
6. Protocol Operation 6. Protocol Operation
A DNS Push Notification exchange begins with the client discovering A DNS Push Notification exchange begins with the client discovering
the appropriate server, and connecting to it. The client may then the appropriate server, and then making a TLS/TCP connection to it.
add and remove Push Notification subscriptions over this connection. The client may then add and remove Push Notification subscriptions
In accordance with the current set of active subscriptions the server over this connection. In accordance with the current set of active
sends relevant asynchronous Push Notifications to the client. The subscriptions the server sends relevant asynchronous Push
exchange terminates when either end closes the TCP connection with a Notifications to the client. The exchange terminates when either end
TCP RST. closes the TCP connection with a TCP FIN or RST.
A client SHOULD NOT make multiple TLS/TCP connections to the same DNS
Push Notification server. A client SHOULD share a single TLS/TCP
connection for all requests to the same DNS Push Notification server.
This shared connection should be used for all DNS Queries and DNS
Push Notification Queries queries to that server, and for DNS Update
requests too when the "_dns-update-tls._tcp.<zone>" SRV record
indicates that the same server also handles DNS Update requests.
This is to reduce unnecessary load on the DNS Push Notification
server.
However, a single client device may be home to multiple independent
client software instances that don't know about each other, so a DNS
Push Notification server MUST be prepared to accept multiple
connections from the same client IP address. This is undesirable
from an efficiency stanpoint, but may be unavoidable in some
situations, so a DNS Push Notification server MUST be prepared to
accept multiple connections from the same client IP address.
6.1. Discovery 6.1. Discovery
The first step in DNS Push Notification subscription is to discover The first step in DNS Push Notification subscription is to discover
an appropriate DNS server that supports DNS Push Notifications for an appropriate DNS server that supports DNS Push Notifications for
the desired zone. The client MUST also determine which TCP port on the desired zone. The client MUST also determine which TCP port on
the server is listening for connections, which need not be (and often the server is listening for connections, which need not be (and often
is not) the typical TCP port 53 used for conventional DNS. is not) the typical TCP port 53 used for conventional DNS.
1. The client begins the discovery by sending a DNS query to the 1. The client begins the discovery by sending a DNS query to the
skipping to change at page 6, line 41 skipping to change at page 8, line 10
3. If no SOA record is returned, the client then strips off the 3. If no SOA record is returned, the client then strips off the
leading label from the requested name. If the resulting name has leading label from the requested name. If the resulting name has
at least one label in it, the client sends a new SOA query and at least one label in it, the client sends a new SOA query and
processing continues at step 2 above. If the resulting name is processing continues at step 2 above. If the resulting name is
empty (the root label) then this is a network configuration error empty (the root label) then this is a network configuration error
and the client gives up. The client MAY retry the operation at a and the client gives up. The client MAY retry the operation at a
later time. later time.
4. Once the SOA is known, the client sends a DNS query with type SRV 4. Once the SOA is known, the client sends a DNS query with type SRV
[RFC2782] for the record name "_dns-push._tcp.<zone>", where [RFC2782] for the record name "_dns-push-tls._tcp.<zone>", where
<zone> is the owner name of the discovered SOA record. <zone> is the owner name of the discovered SOA record.
5. If the zone in question does not offer DNS Push Notifications 5. If the zone in question does not offer DNS Push Notifications
then SRV record MUST NOT exist and the SRV query will return a then SRV record MUST NOT exist and the SRV query will return a
negative answer. negative answer.
6. If the zone in question is set up to offer DNS Push Notifications 6. If the zone in question is set up to offer DNS Push Notifications
then this SRV record MUST exist. The SRV "target" contains the then this SRV record MUST exist. The SRV "target" contains the
name of the server providing DNS Push Notifications for the zone. name of the server providing DNS Push Notifications for the zone.
The port number on which to contact the server is in the SRV The port number on which to contact the server is in the SRV
skipping to change at page 10, line 11 skipping to change at page 11, line 11
Any records in the Authority Section MUST be silently ignored. Any records in the Authority Section MUST be silently ignored.
ARCOUNT MUST be zero, and the Additional Section MUST be empty. ARCOUNT MUST be zero, and the Additional Section MUST be empty.
Any records in the Additional Section MUST be silently ignored. Any records in the Additional Section MUST be silently ignored.
If accepted, the subscription will stay in effect until the client If accepted, the subscription will stay in effect until the client
revokes the subscription or until the connection between the client revokes the subscription or until the connection between the client
and the server is closed. and the server is closed.
A client MUST not send a SUBSCRIBE message that duplicates the name, SUBSCRIBE requests on a given connection MUST be unique. A client
type and class of an existing active subscription. For the purpose MUST NOT send a SUBSCRIBE message that duplicates the name, type and
of this matching, the established DNS case-insensitivity for US-ASCII class of an existing active subscription on that TLS/TCP connection.
letters applies (e.g., "foo.com" and "Foo.com" are the same). If a For the purpose of this matching, the established DNS case-
server receives such a duplicate SUBSCRIBE message this is an error insensitivity for US-ASCII letters applies (e.g., "foo.com" and
and the server MUST immediately close the TCP connection. "Foo.com" are the same). If a server receives such a duplicate
SUBSCRIBE message this is an error and the server MUST immediately
close the TCP connection.
DNS wildcarding is not supported. That is, a wildcard ("*") in a DNS wildcarding is not supported. That is, a wildcard ("*") in a
SUBSCRIBE message matches only a wildcard ("*") in the zone, and SUBSCRIBE message matches only a wildcard ("*") in the zone, and
nothing else. nothing else.
Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message
matches only a CNAME in the zone, and nothing else. matches only a CNAME in the zone, and nothing else.
A client may SUBSCRIBE to records that are unknown to the server at A client may SUBSCRIBE to records that are unknown to the server at
the time of the request and this is not an error. The server MUST the time of the request and this is not an error. The server MUST
accept these requests and send Push Notifications if and when matches accept these requests and send Push Notifications if and when matches
are found in the future. are found in the future.
Since all SUBSCRIBE operations are implicitly long-lived operations,
the server MUST interpret a SUBSCRIBE request as if it contained an
EDNS0 TCP Keepalive option [I-D.wouters-edns-tcp-keepalive]. A
client MUST NOT include an actual EDNS0 TCP Keepalive option in the
request, since it is automatic, and implied by the semantics of
SUBSCRIBE. If a server receives a SUBSCRIBE request this is an error
and the server MUST immediately close the TCP connection. In a
SUBSCRIBE response the server MUST include an EDNS0 TCP Keepalive
option specifying the idle timeout so that the client knows the
frequency of keepalives it must generate to keep the connection
alive. If the client receives a SUBSCRIBE response that does not
contain an EDNS0 TCP Keepalive option this is an error and the client
MUST immediately close the TCP connection.
6.3. DNS Push Notification UNSUBSCRIBE 6.3. DNS Push Notification UNSUBSCRIBE
To cancel an individual subscription without closing the entire To cancel an individual subscription without closing the entire
connection, the client sends an UNSUBSCRIBE message over the connection, the client sends an UNSUBSCRIBE message over the
established TCP connection to the server. The UNSUBSCRIBE message is established TCP connection to the server. The UNSUBSCRIBE message is
formatted identically to the SUBSCRIBE message which created the formatted identically to the SUBSCRIBE message which created the
subscription, with the exact same name, type and class, except that subscription, with the exact same name, type and class, except that
the opcode is UNSUBSCRIBE (7) instead of SUBSCRIBE (6). the opcode is UNSUBSCRIBE (7) instead of SUBSCRIBE (6).
A client MUST not send an UNSUBSCRIBE message that does not exactly A client MUST NOT send an UNSUBSCRIBE message that does not exactly
match the name, type and class of an existing active subscription. match the name, type and class of an existing active subscription on
If a server receives such an UNSUBSCRIBE message this is an error and that TLS/TCP connection. If a server receives such an UNSUBSCRIBE
the server MUST immediately close the TCP connection. message this is an error and the server MUST immediately close the
connection.
No response message is generated as a result of processing an No response message is generated as a result of processing an
UNSUBSCRIBE message. UNSUBSCRIBE message.
Having being successfully revoked with a correctly-formatted Having being successfully revoked with a correctly-formatted
UNSUBSCRIBE message, the previously referenced subscription is no UNSUBSCRIBE message, the previously referenced subscription is no
longer active and the server MAY discard the state associated with it longer active and the server MAY discard the state associated with it
immediately, or later, at the server's discretion. immediately, or later, at the server's discretion.
6.4. DNS Push Notification Update Messages 6.4. DNS Push Notification Update Messages
skipping to change at page 13, line 10 skipping to change at page 15, line 10
The server SHOULD encode change notifications in the most efficient The server SHOULD encode change notifications in the most efficient
manner possible. For example, when three AAAA records are deleted manner possible. For example, when three AAAA records are deleted
from a given name, and no other AAAA records exist for that name, the from a given name, and no other AAAA records exist for that name, the
server SHOULD send a "delete an RRset from a name" update, not three server SHOULD send a "delete an RRset from a name" update, not three
separate "delete an individual RR from a name" updates. Similarly, separate "delete an individual RR from a name" updates. Similarly,
when both an SRV and a TXT record are deleted from a given name, and when both an SRV and a TXT record are deleted from a given name, and
no other records of any kind exist for that name, the server SHOULD no other records of any kind exist for that name, the server SHOULD
send a "delete all RRsets from a name" update, not two separate send a "delete all RRsets from a name" update, not two separate
"delete an RRset from a name" updates. "delete an RRset from a name" updates.
All Push Notification Update Messages MUST contain an EDNS0 TCP
Keepalive option [I-D.wouters-edns-tcp-keepalive] specifying the idle
timeout so that the client knows the frequency of keepalives it must
generate to keep the connection alive. If the client receives a Push
Notification Update Message that does not contain an EDNS0 TCP
Keepalive option this is an error and the client MUST immediately
close the TCP connection.
Reception of a Push Notification Update Message results in no Reception of a Push Notification Update Message results in no
response back to the server. response back to the server.
The TTL of an added record is stored by the client and decremented as The TTL of an added record is stored by the client and decremented as
time passes, with the caveat that for as long as a relevant time passes, with the caveat that for as long as a relevant
subscription is active, the TTL does not decrement below 1 second. subscription is active, the TTL does not decrement below 1 second.
For as long as a relevant subscription remains active, the client For as long as a relevant subscription remains active, the client
SHOULD assume that when a record goes away the server will notify it SHOULD assume that when a record goes away the server will notify it
of that fact. Consequently, a client does not have to poll to verify of that fact. Consequently, a client does not have to poll to verify
that the record is still there. Once a subscription is cancelled that the record is still there. Once a subscription is cancelled
(individually, or as a result of the TCP connection being closed) (individually, or as a result of the TCP connection being closed)
record aging resumes and records are removed from the local cache record aging resumes and records are removed from the local cache
when their TTL reaches zero. when their TTL reaches zero.
6.5. DNS RECONFIRM
Sometimes, particularly when used with a Hybrid Proxy
[I-D.ietf-dnssd-hybrid], a DNS Zone may contain stale data. When a
client encounters data that it believe may be stale (e.g., an SRV
record referencing a target host+port that is not responding to
connection requests) the client sends a DNS RECONFIRM message to
request that the server re-verify that the data is still valid. For
a Hybrid Proxy, this causes it to issue new Multicast DNS requests to
ascertain whether the target device is still present. For other
kinds of DNS server the RECONFIRM operation is currently undefined
and should be sliently ignored. A RECONFIRM request is formatted
similarly to a conventional DNS QUERY request [RFC1035], except that
the opcode is RECONFIRM (8) instead of QUERY (0). QTYPE MUST NOT be
the value ANY (255). QCLASS MUST NOT be the value ANY (255).
In a RECONFIRM request the DNS Header QR bit MUST be zero.
If the QR bit is not zero the message is not a RECONFIRM request.
The AA, TC, RD, RA, Z, AD, and CD bits, the ID field, and the RCODE
field, MUST be zero on transmission, and MUST be silently ignored on
reception.
Like a DNS QUERY request, a RECONFIRM request MUST contain exactly
one question. Since RECONFIRM requests are sent over TCP, multiple
RECONFIRM requests can be concatenated in a single TCP stream and
packed efficiently into TCP segments, so the ability to pack multiple
RECONFIRM operations into a single DNS message within that TCP stream
would add extra complexity for little benefit.
ANCOUNT MUST be nonzero, and the Answer Section MUST contain the
rdata for the record(s) that the client believes to be in doubt.
NSCOUNT MUST be zero, and the Authority Section MUST be empty.
Any records in the Authority Section MUST be silently ignored.
ARCOUNT MUST be zero, and the Additional Section MUST be empty.
Any records in the Additional Section MUST be silently ignored.
DNS wildcarding is not supported. That is, a wildcard ("*") in a
SUBSCRIBE message matches only a wildcard ("*") in the zone, and
nothing else.
Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message
matches only a CNAME in the zone, and nothing else.
No response message is generated as a result of processing a
RECONFIRM message.
If the server receiving the RECONFIRM request determines that the
records are in fact no longer valid, then subsequent DNS Push
Notification Update Messages will be generated to inform interested
clients. Thus, one client discovering that a previously-advertised
printer is no longer present has the side effect of informing all
other interested clients that the printer in question is now gone.
6.6. DNS Push Notification Termination Message
If a server is low on resources it MAY simply terminate a client
connection with a TCP RST. However, the likely behavour of the
client may be simply to reconnect immediately, putting more burden on
the server. Therefore, a server MAY instead choose to shed client
load by (a) sending a DNS Push Notification Termination Message and
then (b) closing the client connection with a TCP FIN instead of RST,
thereby facilitating reliable delivery of the Termination Message.
The format of a Termination Message is similar to a Push Notification
Update.
The following figure shows the existing DNS Update header format:
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| ID |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR| Opcode | Z | RCODE |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| ZOCOUNT |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| PRCOUNT |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| UPCOUNT |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| ADCOUNT |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 2
For Termination Messages the following rules apply:
The QR bit MUST be zero, and the Opcode MUST be UPDATE (5).
Messages received where this is not true are not Termination Messages
and should be silently ignored.
ID and the Z bits MUST be zero on transmission,
and MUST be silently ignored on reception.
ZOCOUNT MUST be zero, and the Zone Section MUST be empty.
Any records in the Zone Section MUST be silently ignored.
PRCOUNT MUST be zero, and the Prerequisite Section MUST be empty.
Any records in the Prerequisite Section MUST be silently ignored.
UPCOUNT MUST be zero, and the Update Section MUST be empty.
Any records in the Update Section MUST be silently ignored.
ADCOUNT MUST be zero, and the Additional Data Section MUST be empty.
Any records in the Additional Data Section MUST be silently ignored.
The RCODE MUST contain a code giving the reason for termination.
[Codes to be determined.] The Termination Message MUST contain an
EDNS0 TCP Keepalive option [I-D.wouters-edns-tcp-keepalive] where the
idle timeout indicates the time the client SHOULD wait before
attempting to reconnect.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Kiren Sekar and Marc Krochmal for The authors would like to thank Kiren Sekar and Marc Krochmal for
previous work completed in this field. This draft has been improved previous work completed in this field. This draft has been improved
due to comments from Ran Atkinson. due to comments from Ran Atkinson.
8. IANA Considerations 8. IANA Considerations
This document defines the service name: "_dns-push._tcp". This document defines the service name: "_dns-push-tls._tcp".
It is only applicable for the TCP protocol. It is only applicable for the TCP protocol.
This name is to be published in the IANA Service Name Registry. This name is to be published in the IANA Service Name Registry.
This document defines two DNS OpCodes: SUBSCRIBE with (tentative) This document defines two DNS OpCodes: SUBSCRIBE with (tentative)
value 6 and UNSUBSCRIBE with (tentative) value 7. value 6 and UNSUBSCRIBE with (tentative) value 7.
9. Security Considerations 9. Security Considerations
TLS support is mandatory in DNS Push Notifications. There is no TLS support is mandatory in DNS Push Notifications. There is no
provision for opportunistic encryption using a mechanism like provision for opportunistic encryption using a mechanism like
skipping to change at page 14, line 36 skipping to change at page 20, line 15
Deployment recommendations on the appropriate key lengths and cypher Deployment recommendations on the appropriate key lengths and cypher
suites are beyond the scope of this document. Please refer to TLS suites are beyond the scope of this document. Please refer to TLS
Recommendations [RFC7525] for the best current practices. Keep in Recommendations [RFC7525] for the best current practices. Keep in
mind that best practices only exist for a snapshot in time and mind that best practices only exist for a snapshot in time and
recommendations will continue to change. Updated versions or errata recommendations will continue to change. Updated versions or errata
may exist for these recommendations. may exist for these recommendations.
9.2. TLS Name Authentication 9.2. TLS Name Authentication
As described in Section 6.1, the client discovers the DNS Push As described in Section 6.1, the client discovers the DNS Push
Notification server using an SRV lookup for the record name "_dns- Notification server using an SRV lookup for the record name
push._tcp.<zone>". The server connection endpoint SHOULD then be "_dns-push-tls._tcp.<zone>". The server connection endpoint SHOULD
authenticated using DANE TLSA records for the associated SRV record. then be authenticated using DANE TLSA records for the associated SRV
This associates the target's name and port number with a trusted TLS record. This associates the target's name and port number with a
certificate [RFC7673]. This procedure uses the TLS Sever Name trusted TLS certificate [RFC7673]. This procedure uses the TLS Sever
Indication (SNI) extension [RFC6066] to inform the server of the name Name Indication (SNI) extension [RFC6066] to inform the server of the
the client has authenticated through the use of TLSA records. name the client has authenticated through the use of TLSA records.
Therefore, if the SRV record passes DNSSEC validation and a TLSA Therefore, if the SRV record passes DNSSEC validation and a TLSA
record matching the target name is useable, an SNI extension MUST be record matching the target name is useable, an SNI extension MUST be
used for the target name to ensure the client is connecting to the used for the target name to ensure the client is connecting to the
server it has authenticated. If the target name does not have a server it has authenticated. If the target name does not have a
usable TLSA record, then the use of the SNI extension is optional. usable TLSA record, then the use of the SNI extension is optional.
9.3. TLS Compression 9.3. TLS Compression
In order to reduce the chances of compression related attacks, TLS- In order to reduce the chances of compression related attacks, TLS-
level compression SHOULD be disabled when using TLS versions 1.2 and level compression SHOULD be disabled when using TLS versions 1.2 and
skipping to change at page 15, line 26 skipping to change at page 21, line 9
operate in stateless mode by sending a Session Ticket [RFC5077] to operate in stateless mode by sending a Session Ticket [RFC5077] to
the client for it to store. However, once the connection is closed, the client for it to store. However, once the connection is closed,
any existing subscriptions will be dropped. When the TLS session is any existing subscriptions will be dropped. When the TLS session is
resumed, the DNS Push Notification server will not have any resumed, the DNS Push Notification server will not have any
subscription state and will proceed as with any other new connection. subscription state and will proceed as with any other new connection.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-dnsop-5966bis]
Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
D. Wessels, "DNS Transport over TCP - Implementation
Requirements", draft-ietf-dnsop-5966bis-03 (work in
progress), September 2015.
[I-D.ietf-tls-tls13] [I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-10 (work in progress), Version 1.3", draft-ietf-tls-tls13-09 (work in progress),
October 2015. October 2015.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, [I-D.wouters-edns-tcp-keepalive]
DOI 10.17487/RFC0768, August 1980, Wouters, P. and J. Abley, "The edns-tcp-keepalive EDNS0
Option", draft-wouters-edns-tcp-keepalive-01 (work in
progress), February 2014.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI
10.17487/RFC0768, August 1980,
<http://www.rfc-editor.org/info/rfc768>. <http://www.rfc-editor.org/info/rfc768>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
RFC 793, DOI 10.17487/RFC0793, September 1981, 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>. <http://www.rfc-editor.org/info/rfc793>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <http://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123, DOI 10.17487/
DOI 10.17487/RFC1123, October 1989, RFC1123, October 1989,
<http://www.rfc-editor.org/info/rfc1123>. <http://www.rfc-editor.org/info/rfc1123>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
DOI 10.17487/RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <http://www.rfc-editor.org/info/rfc2136>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000, DOI 10.17487/RFC2782, February 2000,
<http://www.rfc-editor.org/info/rfc2782>. <http://www.rfc-editor.org/info/rfc2782>.
[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC
4953, DOI 10.17487/RFC4953, July 2007,
<http://www.rfc-editor.org/info/rfc4953>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/
DOI 10.17487/RFC5246, August 2008, RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>. <http://www.rfc-editor.org/info/rfc5246>.
[RFC5966] Bellis, R., "DNS Transport over TCP - Implementation [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation
Requirements", RFC 5966, DOI 10.17487/RFC5966, August Requirements", RFC 5966, DOI 10.17487/RFC5966, August
2010, <http://www.rfc-editor.org/info/rfc5966>. 2010, <http://www.rfc-editor.org/info/rfc5966>.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066, Extensions: Extension Definitions", RFC 6066, DOI
DOI 10.17487/RFC6066, January 2011, 10.17487/RFC6066, January 2011,
<http://www.rfc-editor.org/info/rfc6066>. <http://www.rfc-editor.org/info/rfc6066>.
[RFC6195] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6195] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", RFC 6195, DOI 10.17487/RFC6195, March Considerations", RFC 6195, DOI 10.17487/RFC6195, March
2011, <http://www.rfc-editor.org/info/rfc6195>. 2011, <http://www.rfc-editor.org/info/rfc6195>.
[RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using DNS- [RFC7673] Finch, T., Miller, M., and P. Saint-Andre, "Using DNS-
Based Authentication of Named Entities (DANE) TLSA Records Based Authentication of Named Entities (DANE) TLSA Records
with SRV Records", RFC 7673, DOI 10.17487/RFC7673, October with SRV Records", RFC 7673, DOI 10.17487/RFC7673, October
2015, <http://www.rfc-editor.org/info/rfc7673>. 2015, <http://www.rfc-editor.org/info/rfc7673>.
10.2. Informative References 10.2. Informative References
[I-D.ietf-dnssd-hybrid] [I-D.ietf-dnssd-hybrid]
Cheshire, S., "Hybrid Unicast/Multicast DNS-Based Service Cheshire, S., "Hybrid Unicast/Multicast DNS-Based Service
Discovery", draft-ietf-dnssd-hybrid-00 (work in progress), Discovery", draft-ietf-dnssd-hybrid-01 (work in progress),
November 2014. October 2015.
[I-D.sekar-dns-llq] [I-D.sekar-dns-llq]
Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns- Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-
llq-01 (work in progress), August 2006. llq-01 (work in progress), August 2006.
[IPJ.9-4-TCPSYN] [IPJ.9-4-TCPSYN]
Eddy, W., "Defenses Against TCP SYN Flooding Attacks", The Eddy, W., "Defenses Against TCP SYN Flooding Attacks", The
Internet Protocol Journal, Cisco Systems, Volume 9, Internet Protocol Journal, Cisco Systems, Volume 9, Number
Number 4, December 2006. 4, December 2006.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996, Changes (DNS NOTIFY)", RFC 1996, DOI 10.17487/RFC1996,
August 1996, <http://www.rfc-editor.org/info/rfc1996>. August 1996, <http://www.rfc-editor.org/info/rfc1996>.
[RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom [RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
Syndication Format", RFC 4287, DOI 10.17487/RFC4287, Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
December 2005, <http://www.rfc-editor.org/info/rfc4287>. December 2005, <http://www.rfc-editor.org/info/rfc4287>.
[RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
 End of changes. 32 change blocks. 
83 lines changed or deleted 285 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/