| draft-ietf-dnssd-push-18.txt | draft-ietf-dnssd-push-19.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force T. Pusateri | Internet Engineering Task Force T. Pusateri | |||
| Internet-Draft Unaffiliated | Internet-Draft Unaffiliated | |||
| Intended status: Standards Track S. Cheshire | Intended status: Standards Track S. Cheshire | |||
| Expires: September 12, 2019 Apple Inc. | Expires: September 25, 2019 Apple Inc. | |||
| March 11, 2019 | March 24, 2019 | |||
| DNS Push Notifications | DNS Push Notifications | |||
| draft-ietf-dnssd-push-18 | draft-ietf-dnssd-push-19 | |||
| Abstract | Abstract | |||
| The Domain Name System (DNS) was designed to return matching records | The Domain Name System (DNS) was designed to return matching records | |||
| efficiently for queries for data that are relatively static. When | efficiently for queries for data that are relatively static. When | |||
| those records change frequently, DNS is still efficient at returning | those records change frequently, DNS is still efficient at returning | |||
| the updated results when polled, as long as the polling rate is not | the updated results when polled, as long as the polling rate is not | |||
| too high. But there exists no mechanism for a client to be | too high. But there exists no mechanism for a client to be | |||
| asynchronously notified when these changes occur. This document | asynchronously notified when these changes occur. This document | |||
| defines a mechanism for a client to be notified of such changes to | defines a mechanism for a client to be notified of such changes to | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 12, 2019. | This Internet-Draft will expire on September 25, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 41 ¶ | skipping to change at page 4, line 41 ¶ | |||
| 10.5 Leopard in 2007. Back to My Mac was designed in an era when the | 10.5 Leopard in 2007. Back to My Mac was designed in an era when the | |||
| data center operations staff asserted that it was impossible for a | data center operations staff asserted that it was impossible for a | |||
| server to handle large numbers of mostly-idle TCP connections, so LLQ | server to handle large numbers of mostly-idle TCP connections, so LLQ | |||
| was defined as a UDP-based protocol, effectively replicating much of | was defined as a UDP-based protocol, effectively replicating much of | |||
| TCP's connection state management logic in user space, and creating | TCP's connection state management logic in user space, and creating | |||
| its own poor imitations of existing TCP features like the three-way | its own poor imitations of existing TCP features like the three-way | |||
| handshake, flow control, and reliability. | handshake, flow control, and reliability. | |||
| This document builds on experience gained with the LLQ protocol, with | This document builds on experience gained with the LLQ protocol, with | |||
| an improved design. Instead of using UDP, this specification uses | an improved design. Instead of using UDP, this specification uses | |||
| DNS Stateful Operations (DSO) [DSO] running over TLS over TCP, and | DNS Stateful Operations (DSO) [RFC8490] running over TLS over TCP, | |||
| therefore doesn't need to reinvent existing TCP functionality. Using | and therefore doesn't need to reinvent existing TCP functionality. | |||
| TCP also gives long-lived low-traffic connections better longevity | Using TCP also gives long-lived low-traffic connections better | |||
| through NAT gateways without depending on the gateway to support NAT | longevity through NAT gateways without depending on the gateway to | |||
| Port Mapping Protocol (NAT-PMP) [RFC6886] or Port Control Protocol | support NAT Port Mapping Protocol (NAT-PMP) [RFC6886] or Port Control | |||
| (PCP) [RFC6887], or resorting to excessive keepalive traffic. | Protocol (PCP) [RFC6887], or resorting to excessive keepalive | |||
| traffic. | ||||
| 3. Overview | 3. Overview | |||
| A DNS Push Notification client subscribes for Push Notifications for | A DNS Push Notification client subscribes for Push Notifications for | |||
| a particular RRSet by connecting to the appropriate Push Notification | a particular RRSet by connecting to the appropriate Push Notification | |||
| server for that RRSet, and sending DSO message(s) indicating the | server for that RRSet, and sending DSO message(s) indicating the | |||
| RRSet(s) of interest. When the client loses interest in receiving | RRSet(s) of interest. When the client loses interest in receiving | |||
| further updates to these records, it unsubscribes. | further updates to these records, it unsubscribes. | |||
| The DNS Push Notification server for a DNS zone is any server capable | The DNS Push Notification server for a DNS zone is any server capable | |||
| skipping to change at page 6, line 27 ¶ | skipping to change at page 6, line 27 ¶ | |||
| (b) A DNS Push Notification client SHOULD NOT routinely keep a DNS | (b) A DNS Push Notification client SHOULD NOT routinely keep a DNS | |||
| Push Notification subscription active 24 hours a day, 7 days a week, | Push Notification subscription active 24 hours a day, 7 days a week, | |||
| just to keep a list in memory up to date so that if the user does | just to keep a list in memory up to date so that if the user does | |||
| choose to bring up an on-screen display of that data, it can be | choose to bring up an on-screen display of that data, it can be | |||
| displayed really fast. DNS Push Notifications are designed to be | displayed really fast. DNS Push Notifications are designed to be | |||
| fast enough that there is no need to pre-load a "warm" list in memory | fast enough that there is no need to pre-load a "warm" list in memory | |||
| just in case it might be needed later. | just in case it might be needed later. | |||
| Generally, as described in the DNS Stateful Operations specification | Generally, as described in the DNS Stateful Operations specification | |||
| [DSO], a client must not keep a session to a server open indefinitely | [RFC8490], a client must not keep a session to a server open | |||
| if it has no subscriptions (or other operations) active on that | indefinitely if it has no subscriptions (or other operations) active | |||
| session. A client MAY close a session as soon as it becomes idle, | on that session. A client MAY close a session as soon as it becomes | |||
| and then if needed in the future, open a new session when required. | idle, and then if needed in the future, open a new session when | |||
| Alternatively, a client MAY speculatively keep an idle session open | required. Alternatively, a client MAY speculatively keep an idle | |||
| for some time, subject to the constraint that it MUST NOT keep a | session open for some time, subject to the constraint that it MUST | |||
| session open that has been idle for more than the session's idle | NOT keep a session open that has been idle for more than the | |||
| timeout (15 seconds by default) [DSO]. | session's idle timeout (15 seconds by default) [RFC8490]. | |||
| 4. Transport | 4. Transport | |||
| Other DNS operations like DNS Update [RFC2136] MAY use either User | Other DNS operations like DNS Update [RFC2136] MAY use either User | |||
| Datagram Protocol (UDP) [RFC0768] or Transmission Control Protocol | Datagram Protocol (UDP) [RFC0768] or Transmission Control Protocol | |||
| (TCP) [RFC0793] as the transport protocol, in keeping with the | (TCP) [RFC0793] as the transport protocol, in keeping with the | |||
| historical precedent that DNS queries must first be sent over UDP | historical precedent that DNS queries must first be sent over UDP | |||
| [RFC1123]. This requirement to use UDP has subsequently been relaxed | [RFC1123]. This requirement to use UDP has subsequently been relaxed | |||
| [RFC7766]. | [RFC7766]. | |||
| In keeping with the more recent precedent, DNS Push Notification is | In keeping with the more recent precedent, DNS Push Notification is | |||
| defined only for TCP. DNS Push Notification clients MUST use DNS | defined only for TCP. DNS Push Notification clients MUST use DNS | |||
| Stateful Operations (DSO) [DSO] running over TLS over TCP [RFC7858]. | Stateful Operations [RFC8490] running over TLS over TCP [RFC7858]. | |||
| Connection setup over TCP ensures return reachability and alleviates | Connection setup over TCP ensures return reachability and alleviates | |||
| concerns of state overload at the server through anonymous | concerns of state overload at the server through anonymous | |||
| subscriptions. All subscribers are guaranteed to be reachable by the | subscriptions. All subscribers are guaranteed to be reachable by the | |||
| server by virtue of the TCP three-way handshake. Flooding attacks | server by virtue of the TCP three-way handshake. Flooding attacks | |||
| are possible with any protocol, and a benefit of TCP is that there | are possible with any protocol, and a benefit of TCP is that there | |||
| are already established industry best practices to guard against SYN | are already established industry best practices to guard against SYN | |||
| flooding and similar attacks [SYN] [RFC4953]. | flooding and similar attacks [SYN] [RFC4953]. | |||
| Use of TCP also allows DNS Push Notifications to take advantage of | Use of TCP also allows DNS Push Notifications to take advantage of | |||
| skipping to change at page 9, line 8 ¶ | skipping to change at page 9, line 8 ¶ | |||
| employ various techniques to limit subscriptions to a manageable | employ various techniques to limit subscriptions to a manageable | |||
| level. Correspondingly, the client is free to establish simultaneous | level. Correspondingly, the client is free to establish simultaneous | |||
| sessions to alternate DNS servers that support DNS Push Notifications | sessions to alternate DNS servers that support DNS Push Notifications | |||
| for the zone and distribute subscriptions at the client's discretion. | for the zone and distribute subscriptions at the client's discretion. | |||
| In this way, both clients and servers can react to resource | In this way, both clients and servers can react to resource | |||
| constraints. | constraints. | |||
| 6. Protocol Operation | 6. Protocol Operation | |||
| The DNS Push Notification protocol is a session-oriented protocol, | The DNS Push Notification protocol is a session-oriented protocol, | |||
| and makes use of DNS Stateful Operations (DSO) [DSO]. | and makes use of DNS Stateful Operations (DSO) [RFC8490]. | |||
| For details of the DSO message format refer to the DNS Stateful | For details of the DSO message format refer to the DNS Stateful Oper- | |||
| Operations specification [DSO]. Those details are not repeated here. | ations specification [RFC8490]. Those details are not repeated here. | |||
| DNS Push Notification clients and servers MUST support DSO. A single | DNS Push Notification clients and servers MUST support DSO. A single | |||
| server can support DNS Queries, DNS Updates, and DNS Push | server can support DNS Queries, DNS Updates, and DNS Push | |||
| Notifications (using DSO) on the same TCP port. | Notifications (using DSO) on the same TCP port. | |||
| A DNS Push Notification exchange begins with the client discovering | A DNS Push Notification exchange begins with the client discovering | |||
| the appropriate server, using the procedure described in Section 6.1, | the appropriate server, using the procedure described in Section 6.1, | |||
| and then making a TLS/TCP connection to it. | and then making a TLS/TCP connection to it. | |||
| A typical DNS Push Notification client will immediately issue a DSO | A typical DNS Push Notification client will immediately issue a DSO | |||
| skipping to change at page 10, line 36 ¶ | skipping to change at page 10, line 36 ¶ | |||
| In many contexts, the recursive resolver will be able to handle Push | In many contexts, the recursive resolver will be able to handle Push | |||
| Notifications for all names that the client may need to follow. Use | Notifications for all names that the client may need to follow. Use | |||
| of VPN tunnels and split-view DNS can create some additional | of VPN tunnels and split-view DNS can create some additional | |||
| complexity in the client software here; the techniques to handle VPN | complexity in the client software here; the techniques to handle VPN | |||
| tunnels and split-view DNS for DNS Push Notifications are the same as | tunnels and split-view DNS for DNS Push Notifications are the same as | |||
| those already used to handle this for normal DNS queries. | those already used to handle this for normal DNS queries. | |||
| If the recursive resolver does not support DNS over TLS, or does | If the recursive resolver does not support DNS over TLS, or does | |||
| support DNS over TLS but is not listening on TCP port 853, or does | support DNS over TLS but is not listening on TCP port 853, or does | |||
| support DNS over TLS on TCP port 853 but does not support DSO on that | support DNS over TLS on TCP port 853 but does not support DSO on that | |||
| port, then the DSO Session session establishment will fail [DSO]. | port, then the DSO Session session establishment will fail [RFC8490]. | |||
| If the recursive resolver does support DSO but not Push Notification | If the recursive resolver does support DSO but not Push Notification | |||
| subscriptions, then it will return the DSO error code, DSOTYPENI | subscriptions, then it will return the DSO error code, DSOTYPENI | |||
| (11). | (11). | |||
| In some cases, the recursive resolver may support DSO and Push | In some cases, the recursive resolver may support DSO and Push | |||
| Notification subscriptions, but may not be able to subscribe for Push | Notification subscriptions, but may not be able to subscribe for Push | |||
| Notifications for a particular name. In this case, the recursive | Notifications for a particular name. In this case, the recursive | |||
| resolver should return an informative error code to the client so | resolver should return an informative error code to the client so | |||
| that the client can make an informed decision how to handle the | that the client can make an informed decision how to handle the | |||
| skipping to change at page 14, line 8 ¶ | skipping to change at page 14, line 8 ¶ | |||
| the client device MUST respect the DNS TTL values on records it | the client device MUST respect the DNS TTL values on records it | |||
| receives, and store them in its local cache with this lifetime. This | receives, and store them in its local cache with this lifetime. This | |||
| means that, as long as the DNS TTL values on the authoritative | means that, as long as the DNS TTL values on the authoritative | |||
| records were set to reasonable values, repeated application of this | records were set to reasonable values, repeated application of this | |||
| discovery process can be completed nearly instantaneously by the | discovery process can be completed nearly instantaneously by the | |||
| client, using only locally-stored cached data. | client, using only locally-stored cached data. | |||
| 6.2. DNS Push Notification SUBSCRIBE | 6.2. DNS Push Notification SUBSCRIBE | |||
| After connecting, and requesting a longer idle timeout and/or | After connecting, and requesting a longer idle timeout and/or | |||
| keepalive interval if necessary, a DNS Push Notification client then | keepalive interval if necessary, a DNS Push Notification client | |||
| indicates its desire to receive DNS Push Notifications for a given | then indicates its desire to receive DNS Push Notifications for | |||
| domain name by sending a SUBSCRIBE request to the server. A | a given domain name by sending a SUBSCRIBE request to the server. | |||
| SUBSCRIBE request is encoded in a DSO message [DSO]. This | A SUBSCRIBE request is encoded in a DSO message [RFC8490]. | |||
| specification defines a primary DSO TLV for DNS Push Notification | This specification defines a primary DSO TLV for DNS Push | |||
| SUBSCRIBE Requests (tentatively DSO Type Code 0x40). | Notification SUBSCRIBE Requests (tentatively DSO Type Code 0x40). | |||
| The entity that initiates a SUBSCRIBE request is by definition the | The entity that initiates a SUBSCRIBE request is by definition the | |||
| client. A server MUST NOT send a SUBSCRIBE request over an existing | client. A server MUST NOT send a SUBSCRIBE request over an existing | |||
| session from a client. If a server does send a SUBSCRIBE request | session from a client. If a server does send a SUBSCRIBE request | |||
| over a DSO session initiated by a client, this is a fatal error and | over a DSO session initiated by a client, this is a fatal error and | |||
| the client should immediately abort the connection with a TCP RST (or | the client should immediately abort the connection with a TCP RST (or | |||
| equivalent for other protocols). | equivalent for other protocols). | |||
| 6.2.1. SUBSCRIBE Request | 6.2.1. SUBSCRIBE Request | |||
| A SUBSCRIBE request begins with the standard DSO 12-byte header | A SUBSCRIBE request begins with the standard DSO 12-byte header | |||
| [DSO], followed by the SUBSCRIBE primary TLV. A SUBSCRIBE request | [RFC8490], followed by the SUBSCRIBE primary TLV. A SUBSCRIBE | |||
| message is illustrated in Figure 1. | request message is illustrated in Figure 1. | |||
| The MESSAGE ID field MUST be set to a unique value, that the client | The MESSAGE ID field MUST be set to a unique value, that the client | |||
| is not using for any other active operation on this DSO session. For | is not using for any other active operation on this DSO session. For | |||
| the purposes here, a MESSAGE ID is in use on this session if the | the purposes here, a MESSAGE ID is in use on this session if the | |||
| client has used it in a request for which it has not yet received a | client has used it in a request for which it has not yet received a | |||
| response, or if the client has used it for a subscription which it | response, or if the client has used it for a subscription which it | |||
| has not yet cancelled using UNSUBSCRIBE. In the SUBSCRIBE response | has not yet cancelled using UNSUBSCRIBE. In the SUBSCRIBE response | |||
| the server MUST echo back the MESSAGE ID value unchanged. | the server MUST echo back the MESSAGE ID value unchanged. | |||
| The other header fields MUST be set as described in the DSO | The other header fields MUST be set as described in the DSO spec- | |||
| specification [DSO]. The DNS OPCODE field contains the OPCODE value | ification [RFC8490]. The DNS OPCODE field contains the OPCODE value | |||
| for DNS Stateful Operations (6). The four count fields MUST be zero, | for DNS Stateful Operations (6). The four count fields MUST be zero, | |||
| and the corresponding four sections MUST be empty (i.e., absent). | and the corresponding four sections MUST be empty (i.e., absent). | |||
| The DSO-TYPE is SUBSCRIBE (tentatively 0x40). | The DSO-TYPE is SUBSCRIBE (tentatively 0x40). | |||
| The DSO-LENGTH is the length of the DSO-DATA that follows, which | The DSO-LENGTH is the length of the DSO-DATA that follows, which | |||
| specifies the name, type, and class of the record(s) being sought. | specifies the name, type, and class of the record(s) being sought. | |||
| 1 1 1 1 1 1 | 1 1 1 1 1 1 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 | |||
| skipping to change at page 17, line 11 ¶ | skipping to change at page 17, line 11 ¶ | |||
| where one or both of TYPE or CLASS are 255, the server MUST send Push | where one or both of TYPE or CLASS are 255, the server MUST send Push | |||
| Notification Updates for ALL record changes that match the | Notification Updates for ALL record changes that match the | |||
| subscription, not just some of them. | subscription, not just some of them. | |||
| 6.2.2. SUBSCRIBE Response | 6.2.2. SUBSCRIBE Response | |||
| Each SUBSCRIBE request generates exactly one SUBSCRIBE response from | Each SUBSCRIBE request generates exactly one SUBSCRIBE response from | |||
| the server. | the server. | |||
| A SUBSCRIBE response begins with the standard DSO 12-byte header | A SUBSCRIBE response begins with the standard DSO 12-byte header | |||
| [DSO], possibly followed by one or more optional TLVs, such as a | [RFC8490], possibly followed by one or more optional TLVs, such as a | |||
| Retry Delay TLV. | Retry Delay TLV. | |||
| The MESSAGE ID field MUST echo the value given in the ID field of the | The MESSAGE ID field MUST echo the value given in the ID field of the | |||
| SUBSCRIBE request. This is how the client knows which request is | SUBSCRIBE request. This is how the client knows which request is | |||
| being responded to. | being responded to. | |||
| A SUBSCRIBE response message MUST NOT include a SUBSCRIBE TLV. If a | A SUBSCRIBE response message MUST NOT include a SUBSCRIBE TLV. If a | |||
| client receives a SUBSCRIBE response message containing a SUBSCRIBE | client receives a SUBSCRIBE response message containing a SUBSCRIBE | |||
| TLV then the response message is processed but the SUBSCRIBE TLV MUST | TLV then the response message is processed but the SUBSCRIBE TLV MUST | |||
| be silently ignored. | be silently ignored. | |||
| skipping to change at page 18, line 23 ¶ | skipping to change at page 18, line 23 ¶ | |||
| server right away. If multiple SRV records were returned as | server right away. If multiple SRV records were returned as | |||
| described in Section 6.1, Paragraph 7, a subsequent server can be | described in Section 6.1, Paragraph 7, a subsequent server can be | |||
| tried immediately. | tried immediately. | |||
| If the client has other successful subscriptions to this server, | If the client has other successful subscriptions to this server, | |||
| these subscriptions remain even though additional subscriptions may | these subscriptions remain even though additional subscriptions may | |||
| be refused. Neither the client nor the server are required to close | be refused. Neither the client nor the server are required to close | |||
| the connection, although, either end may choose to do so. | the connection, although, either end may choose to do so. | |||
| If the server sends a nonzero RCODE then it SHOULD append a Retry | If the server sends a nonzero RCODE then it SHOULD append a Retry | |||
| Delay TLV [DSO] to the response specifying a delay before the client | Delay TLV [RFC8490] to the response specifying a delay before the | |||
| attempts this operation again. Recommended values for the delay for | client attempts this operation again. Recommended values for the | |||
| different RCODE values are given below. These recommended values | delay for different RCODE values are given below. These recommended | |||
| apply both to the default values a server should place in the Retry | values apply both to the default values a server should place in the | |||
| Delay TLV, and the default values a client should assume if the | Retry Delay TLV, and the default values a client should assume if the | |||
| server provides no Retry Delay TLV. | server provides no Retry Delay TLV. | |||
| For RCODE = 1 (FORMERR) the delay may be any value selected by the | For RCODE = 1 (FORMERR) the delay may be any value selected by the | |||
| implementer. A value of five minutes is RECOMMENDED, to reduce | implementer. A value of five minutes is RECOMMENDED, to reduce | |||
| the risk of high load from defective clients. | the risk of high load from defective clients. | |||
| For RCODE = 2 (SERVFAIL) the delay should be chosen according to | For RCODE = 2 (SERVFAIL) the delay should be chosen according to | |||
| the level of server overload and the anticipated duration of that | the level of server overload and the anticipated duration of that | |||
| overload. By default, a value of one minute is RECOMMENDED. If a | overload. By default, a value of one minute is RECOMMENDED. If a | |||
| more serious server failure occurs, the delay may be longer in | more serious server failure occurs, the delay may be longer in | |||
| accordance with the specific problem encountered. | accordance with the specific problem encountered. | |||
| For RCODE = 4 (NOTIMP), which occurs on a server that doesn't | For RCODE = 4 (NOTIMP), which occurs on a server that doesn't | |||
| implement DNS Stateful Operations [DSO], it is unlikely that the | implement DNS Stateful Operations [RFC8490], it is unlikely that | |||
| server will begin supporting DSO in the next few minutes, so the | the server will begin supporting DSO in the next few minutes, so | |||
| retry delay SHOULD be one hour. Note that in such a case, a | the retry delay SHOULD be one hour. Note that in such a case, a | |||
| server that doesn't implement DSO is unlikely to place a Retry | server that doesn't implement DSO is unlikely to place a Retry | |||
| Delay TLV in its response, so this recommended value in particular | Delay TLV in its response, so this recommended value in particular | |||
| applies to what a client should assume by default. | applies to what a client should assume by default. | |||
| For RCODE = 5 (REFUSED), which occurs on a server that implements | For RCODE = 5 (REFUSED), which occurs on a server that implements | |||
| DNS Push Notifications, but is currently configured to disallow | DNS Push Notifications, but is currently configured to disallow | |||
| DNS Push Notifications, the retry delay may be any value selected | DNS Push Notifications, the retry delay may be any value selected | |||
| by the implementer and/or configured by the operator. | by the implementer and/or configured by the operator. | |||
| If the server being queried is listed in a | If the server being queried is listed in a | |||
| skipping to change at page 19, line 47 ¶ | skipping to change at page 19, line 47 ¶ | |||
| For RCODE = 9 (NOTAUTH), the time delay applies to requests for other | For RCODE = 9 (NOTAUTH), the time delay applies to requests for other | |||
| names falling within the same zone. Requests for names falling | names falling within the same zone. Requests for names falling | |||
| within other zones are not subject to the delay. For all other | within other zones are not subject to the delay. For all other | |||
| RCODEs the time delay applies to all subsequent requests to this | RCODEs the time delay applies to all subsequent requests to this | |||
| server. | server. | |||
| After sending an error response the server MAY allow the session to | After sending an error response the server MAY allow the session to | |||
| remain open, or MAY send a DNS Push Notification Retry Delay | remain open, or MAY send a DNS Push Notification Retry Delay | |||
| Operation TLV instructing the client to close the session, as | Operation TLV instructing the client to close the session, as | |||
| described in the DSO specification [DSO]. Clients MUST correctly | described in the DSO specification [RFC8490]. Clients MUST correctly | |||
| handle both cases. | handle both cases. | |||
| 6.3. DNS Push Notification Updates | 6.3. DNS Push Notification Updates | |||
| Once a subscription has been successfully established, the server | Once a subscription has been successfully established, the server | |||
| generates PUSH messages to send to the client as appropriate. In the | generates PUSH messages to send to the client as appropriate. In the | |||
| case that the answer set was already non-empty at the moment the | case that the answer set was already non-empty at the moment the | |||
| subscription was established, an initial PUSH message will be sent | subscription was established, an initial PUSH message will be sent | |||
| immediately following the SUBSCRIBE Response. Subsequent changes to | immediately following the SUBSCRIBE Response. Subsequent changes to | |||
| the answer set are then communicated to the client in subsequent PUSH | the answer set are then communicated to the client in subsequent PUSH | |||
| messages. | messages. | |||
| 6.3.1. PUSH Message | 6.3.1. PUSH Message | |||
| A PUSH unidirectional message begins with the standard DSO 12-byte | A PUSH unidirectional message begins with the standard DSO 12-byte | |||
| header [DSO], followed by the PUSH primary TLV. A PUSH message is | header [RFC8490], followed by the PUSH primary TLV. A PUSH message | |||
| illustrated in Figure 2. | is illustrated in Figure 2. | |||
| In accordance with the definition of DSO unidirectional messages, the | In accordance with the definition of DSO unidirectional messages, the | |||
| MESSAGE ID field MUST be zero. There is no client response to a PUSH | MESSAGE ID field MUST be zero. There is no client response to a PUSH | |||
| message. | message. | |||
| The other header fields MUST be set as described in the DSO | The other header fields MUST be set as described in the DSO spec- | |||
| specification [DSO]. The DNS OPCODE field contains the OPCODE value | ification [RFC8490]. The DNS OPCODE field contains the OPCODE value | |||
| for DNS Stateful Operations (6). The four count fields MUST be zero, | for DNS Stateful Operations (6). The four count fields MUST be zero, | |||
| and the corresponding four sections MUST be empty (i.e., absent). | and the corresponding four sections MUST be empty (i.e., absent). | |||
| The DSO-TYPE is PUSH (tentatively 0x41). | The DSO-TYPE is PUSH (tentatively 0x41). | |||
| The DSO-LENGTH is the length of the DSO-DATA that follows, which | The DSO-LENGTH is the length of the DSO-DATA that follows, which | |||
| specifies the changes being communicated. | specifies the changes being communicated. | |||
| The DSO-DATA contains one or more change notifications. A PUSH | The DSO-DATA contains one or more change notifications. A PUSH | |||
| Message MUST contain at least one change notification. If a PUSH | Message MUST contain at least one change notification. If a PUSH | |||
| Message is received that contains no change notifications, this is a | Message is received that contains no change notifications, this is a | |||
| fatal error, and the receiver MUST immediately terminate the | fatal error, and the receiver MUST immediately terminate the | |||
| connection with a TCP RST (or equivalent for other protocols). The | connection with a TCP RST (or equivalent for other protocols). | |||
| change notifications are formatted similarly to how DNS Resource | ||||
| Records are conventionally expressed in DNS messages, and are | ||||
| interpreted as described below. | ||||
| If the signed 32-bit TTL is in the range 0 to 604,800 seconds (one | The change notification records are formatted similarly to how DNS | |||
| week), then a new DNS Resource Record with the given name, type, | Resource Records are conventionally expressed in DNS messages, as | |||
| class and RDATA is added. The maximum record lifetime supported in a | illustrated in Figure 2, and are interpreted as described below. | |||
| PUSH Message is one week. In the event that the DNS record in | ||||
| question has an actual TTL greater than one week, the TTL is reported | ||||
| in the PUSH Message as being one week. A TTL of 0 means that this | ||||
| record should be retained for as long as the subscription is active, | ||||
| and should be discarded immediately the moment the subscription is | ||||
| cancelled. | ||||
| If the signed 32-bit TTL has the value -1, then the DNS Resource | The TTL field holds an unsigned 32-bit integer [RFC2181]. If the TTL | |||
| Record with the given name, type, class and RDATA is removed. | is in the range 0 to 2,147,483,647 seconds (2^31 - 1, or 0x7FFFFFFF), | |||
| then a new DNS Resource Record with the given name, type, class and | ||||
| RDATA is added. A TTL of 0 means that this record should be retained | ||||
| for as long as the subscription is active, and should be discarded | ||||
| immediately the moment the subscription is cancelled. | ||||
| If the signed 32-bit TTL has the value -2, then this is a | If the TTL has the value 0xFFFFFFFF, then the DNS Resource Record | |||
| 'collective' remove notification. For collective remove | with the given name, type, class and RDATA is removed. | |||
| notifications RDLEN MUST be zero and consequently the RDATA MUST be | ||||
| empty. If a change notification is received where TTL = -2 and RDLEN | If the TTL has the value 0xFFFFFFFE, then this is a 'collective' | |||
| is not zero, this is a fatal error, and the receiver MUST immediately | remove notification. For collective remove notifications RDLEN MUST | |||
| be zero and consequently the RDATA MUST be empty. If a change | ||||
| notification is received where TTL = 0xFFFFFFFE and RDLEN is not | ||||
| zero, this is a fatal error, and the receiver MUST immediately | ||||
| terminate the connection with a TCP RST (or equivalent for other | terminate the connection with a TCP RST (or equivalent for other | |||
| protocols). There are three types of collective remove notification: | protocols). There are three types of collective remove notification: | |||
| For collective remove notifications, if CLASS is ANY, then for the | For collective remove notifications, if CLASS is 255 (ANY), then for | |||
| given name this deletes all records of all types in all classes. In | the given name this deletes all records of all types in all classes. | |||
| this case TYPE MUST be set to ANY on tranmission, and MUST be | In this case TYPE MUST be set to zero on transmission, and MUST be | |||
| silently ignored on reception. | silently ignored on reception. | |||
| For collective remove notifications, if CLASS is not ANY and TYPE is | For collective remove notifications, if CLASS is not 255 (ANY) and | |||
| is ANY then for the given name this deletes all records of all types | TYPE is 255 (ANY) then for the given name this deletes all records of | |||
| in the specified class. | all types in the specified class. | |||
| For collective remove notifications, if CLASS is not ANY and TYPE is | For collective remove notifications, if CLASS is not 255 (ANY) and | |||
| is not ANY then for the given name this deletes all records of the | TYPE is not 255 (ANY) then for the given name this deletes all | |||
| specified type in the specified class. | records of the specified type in the specified class. | |||
| Summary of change notification types: | Summary of change notification types: | |||
| Delete all RRsets from a name, in all classes | Delete all RRsets from a name, in all classes | |||
| TTL=-2, RDLENGTH=0, TYPE=ANY, CLASS=ANY | TTL=0xFFFFFFFE, RDLENGTH=0, CLASS=255 (ANY) | |||
| Delete all RRsets from a name, in given class: | Delete all RRsets from a name, in given class: | |||
| TTL=-2, RDLENGTH=0, TYPE=ANY | TTL=0xFFFFFFFE, RDLENGTH=0, CLASS specifies class, TYPE=255 (ANY) | |||
| CLASS specifies class (usually class "IN") | ||||
| Delete specified RRset from a name, in given class: | Delete specified RRset from a name, in given class: | |||
| TTL=-2, RDLENGTH=0 | TTL=0xFFFFFFFE, RDLENGTH=0 | |||
| CLASS and TYPE specify the RRset being deleted | CLASS and TYPE specify the RRset being deleted | |||
| Delete an individual RR from a name: | Delete an individual RR from a name: | |||
| TTL=-1 | TTL=0xFFFFFFFF | |||
| CLASS, TYPE, RDLENGTH and RDATA specify the RR being deleted. | CLASS, TYPE, RDLENGTH and RDATA specify the RR being deleted. | |||
| Add individual RR to a name | Add individual RR to a name | |||
| TTL>=0 | TTL>=0 | |||
| CLASS, TYPE, RDLENGTH, RDATA and TTL specify the RR being added. | CLASS, TYPE, RDLENGTH, RDATA and TTL specify the RR being added. | |||
| Note that it is valid for the RDATA of an added or removed DNS | Note that it is valid for the RDATA of an added or removed DNS | |||
| Resource Record to be empty (zero length). For example, an Address | Resource Record to be empty (zero length). For example, an Address | |||
| Prefix List Resource Record [RFC3123] may have empty RDATA. | Prefix List Resource Record [RFC3123] may have empty RDATA. | |||
| Therefore, a change notification with RDLEN=0 does not automatically | Therefore, a change notification with RDLEN=0 does not automatically | |||
| indicate a remove notification. If RDLEN=0 and TTL >= 0, this change | indicate a remove notification. If RDLEN=0 and TTL is the in the | |||
| notification signals the addition of a record with the given name, | range 0 - 0x7FFFFFFF, this change notification signals the addition | |||
| type, class, and empty RDATA. If RDLEN=0 and TTL = -1, this change | of a record with the given name, type, class, and empty RDATA. If | |||
| notification signals the removal specifically of that single record | RDLEN=0 and TTL = 0xFFFFFFFF, this change notification signals the | |||
| with the given name, type, class, and empty RDATA. | removal specifically of that single record with the given name, type, | |||
| class, and empty RDATA. | ||||
| If the TTL is any value other than 0xFFFFFFFF, 0xFFFFFFFE, or a value | ||||
| in the range 0 - 0x7FFFFFFF, then the receiver SHOULD silently ignore | ||||
| this particular change notification record. The connection is not | ||||
| terminated and other valid change notification records within this | ||||
| PUSH message are processed as usual. | ||||
| For efficiency, when generating a PUSH message, a server SHOULD | For efficiency, when generating a PUSH message, a server SHOULD | |||
| include as many change notifications as it has immediately available | include as many change notifications as it has immediately available | |||
| to send, rather than sending each change notification as a separate | to send, rather than sending each change notification as a separate | |||
| DSO message. Once it has exhausted the list of change notifications | DSO message. Once it has exhausted the list of change notifications | |||
| immediately available to send, a server SHOULD then send the PUSH | immediately available to send, a server SHOULD then send the PUSH | |||
| message immediately, rather than waiting to see if additional change | message immediately, rather than waiting to see if additional change | |||
| notifications become available. | notifications become available. | |||
| For efficiency, when generating a PUSH message, a server SHOULD use | For efficiency, when generating a PUSH message, a server SHOULD use | |||
| standard DNS name compression, with offsets relative to the beginning | standard DNS name compression, with offsets relative to the beginning | |||
| of the DNS message [RFC1035]. When multiple change notifications in | of the DNS message [RFC1035]. When multiple change notifications in | |||
| a single PUSH message have the same owner name, this name compression | a single PUSH message have the same owner name, this name compression | |||
| can yield significant savings. Name compression should be performed | can yield significant savings. Name compression should be performed | |||
| as specified in Section 18.14 of the Multicast DNS specification | as specified in Section 18.14 of the Multicast DNS specification | |||
| [RFC6762], namely, owner names should always be compressed, and names | [RFC6762], namely, owner names should always be compressed, and names | |||
| appearing within only the RDATA of the following DNS types should be | appearing within RDATA should be compressed for only the RR types | |||
| compressed: | listed below: | |||
| NS, CNAME, PTR, DNAME, SOA, MX, AFSDB, RT, KX, RP, PX, SRV, NSEC | NS, CNAME, PTR, DNAME, SOA, MX, AFSDB, RT, KX, RP, PX, SRV, NSEC | |||
| Servers MAY generate PUSH messages up to a DNS message length of | Servers may generate PUSH messages up to a maximum DNS message length | |||
| 16,382 bytes, counting from the start of the DSO 12-byte header. | of 16,382 bytes, counting from the start of the DSO 12-byte header. | |||
| Including the two-byte length prefix that is used to frame DNS over a | Including the two-byte length prefix that is used to frame DNS over a | |||
| byte stream like TLS, this makes a total of 16,384 bytes. Servers | byte stream like TLS, this makes a total of 16,384 bytes. Servers | |||
| SHOULD NOT generate PUSH messages larger than this. Where the | MUST NOT generate PUSH messages larger than this. Where the | |||
| immediately available change notifications are sufficient to exceed a | immediately available change notifications are sufficient to exceed a | |||
| DNS message length of 16,382 bytes, the change notifications SHOULD | DNS message length of 16,382 bytes, the change notifications MUST be | |||
| be communicated in separate PUSH messages of up to 16,382 bytes each. | communicated in separate PUSH messages of up to 16,382 bytes each. | |||
| DNS name compression becomes less effective for messages larger than | DNS name compression becomes less effective for messages larger than | |||
| 16,384 bytes, so little efficiency benefit is gained by sending | 16,384 bytes, so little efficiency benefit is gained by sending | |||
| messages larger than this. | messages larger than this. | |||
| If a client receives a PUSH message with a DNS message length larger | If a client receives a PUSH message with a DNS message length larger | |||
| than 16,382 bytes, the this is a fatal error, and the receiver MUST | than 16,382 bytes, the this is a fatal error, and the receiver MUST | |||
| immediately terminate the connection with a TCP RST (or equivalent | immediately terminate the connection with a TCP RST (or equivalent | |||
| for other protocols). | for other protocols). | |||
| 1 1 1 1 1 1 | 1 1 1 1 1 1 | |||
| skipping to change at page 23, line 31 ¶ | skipping to change at page 23, line 33 ¶ | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | |||
| | DSO-LENGTH (number of octets in DSO-DATA) | | | DSO-LENGTH (number of octets in DSO-DATA) | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ \ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ \ | |||
| \ NAME \ \ | \ NAME \ \ | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| | TYPE | | | | TYPE | | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| | CLASS | | | | CLASS | | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| | TTL | | | | TTL | | | |||
| | (32-bit signed big-endian integer) | > DSO-DATA | | (32-bit unsigned big-endian integer) | > DSO-DATA | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| | RDLEN | | | | RDLEN | | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| \ RDATA (sized as necessary) \ | | \ RDATA (sized as necessary) \ | | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | |||
| : NAME, TYPE, CLASS, TTL, RDLEN, RDATA : | | : NAME, TYPE, CLASS, TTL, RDLEN, RDATA : | | |||
| : Repeated As Necessary : / | : Repeated As Necessary : / | |||
| +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ / | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ / | |||
| Figure 2: PUSH Message | Figure 2: PUSH Message | |||
| skipping to change at page 24, line 15 ¶ | skipping to change at page 24, line 18 ¶ | |||
| record addition/deletion is silently ignored. Processing of other | record addition/deletion is silently ignored. Processing of other | |||
| additions and deletions in this message is not affected. The DSO | additions and deletions in this message is not affected. The DSO | |||
| session is not closed. This is to allow for the unavoidable race | session is not closed. This is to allow for the unavoidable race | |||
| condition where a client sends an outbound UNSUBSCRIBE while inbound | condition where a client sends an outbound UNSUBSCRIBE while inbound | |||
| PUSH messages for that subscription from the server are still in | PUSH messages for that subscription from the server are still in | |||
| flight. | flight. | |||
| In the case where a single change affects more than one active | In the case where a single change affects more than one active | |||
| subscription, only one PUSH message is sent. For example, a PUSH | subscription, only one PUSH message is sent. For example, a PUSH | |||
| message adding a given record may match both a SUBSCRIBE request with | message adding a given record may match both a SUBSCRIBE request with | |||
| the same TYPE and a different SUBSCRIBE request with TYPE=ANY. It is | the same TYPE and a different SUBSCRIBE request with TYPE=ANY (255). | |||
| not the case that two PUSH messages are sent because the new record | It is not the case that two PUSH messages are sent because the new | |||
| matches two active subscriptions. | record matches two active subscriptions. | |||
| The server SHOULD encode change notifications in the most efficient | The server SHOULD encode change notifications in the most efficient | |||
| manner possible. For example, when three AAAA records are deleted | manner possible. For example, when three AAAA records are deleted | |||
| from a given name, and no other AAAA records exist for that name, the | from a given name, and no other AAAA records exist for that name, the | |||
| server SHOULD send a "delete an RRset from a name" PUSH message, not | server SHOULD send a "delete an RRset from a name" PUSH message, not | |||
| three separate "delete an individual RR from a name" PUSH messages. | three separate "delete an individual RR from a name" PUSH messages. | |||
| Similarly, when both an SRV and a TXT record are deleted from a given | Similarly, when both an SRV and a TXT record are deleted from a given | |||
| name, and no other records of any kind exist for that name, the | name, and no other records of any kind exist for that name, the | |||
| server SHOULD send a "delete all RRsets from a name" PUSH message, | server SHOULD send a "delete all RRsets from a name" PUSH message, | |||
| not two separate "delete an RRset from a name" PUSH messages. | not two separate "delete an RRset from a name" PUSH messages. | |||
| skipping to change at page 25, line 10 ¶ | skipping to change at page 25, line 10 ¶ | |||
| record is still there. Once a subscription is cancelled | record is still there. Once a subscription is cancelled | |||
| (individually, or as a result of the DSO session being closed) record | (individually, or as a result of the DSO session being closed) record | |||
| aging for records covered by the subscription resumes and records are | aging for records covered by the subscription resumes and records are | |||
| removed from the local cache when their TTL reaches zero. | removed from the local cache when their TTL reaches zero. | |||
| 6.4. DNS Push Notification UNSUBSCRIBE | 6.4. DNS Push Notification UNSUBSCRIBE | |||
| To cancel an individual subscription without closing the entire DSO | To cancel an individual subscription without closing the entire DSO | |||
| session, the client sends an UNSUBSCRIBE message over the established | session, the client sends an UNSUBSCRIBE message over the established | |||
| DSO session to the server. The UNSUBSCRIBE message is encoded as a | DSO session to the server. The UNSUBSCRIBE message is encoded as a | |||
| DSO unidirectional message [DSO]. This specification defines a | DSO unidirectional message [RFC8490]. This specification defines a | |||
| primary unidirectional DSO TLV for DNS Push Notification UNSUBSCRIBE | primary unidirectional DSO TLV for DNS Push Notification UNSUBSCRIBE | |||
| Messages (tentatively DSO Type Code 0x42). | Messages (tentatively DSO Type Code 0x42). | |||
| A server MUST NOT initiate an UNSUBSCRIBE message. If a server does | A server MUST NOT initiate an UNSUBSCRIBE message. If a server does | |||
| send an UNSUBSCRIBE message over a DSO session initiated by a client, | send an UNSUBSCRIBE message over a DSO session initiated by a client, | |||
| this is a fatal error and the client should immediately abort the | this is a fatal error and the client should immediately abort the | |||
| connection with a TCP RST (or equivalent for other protocols). | connection with a TCP RST (or equivalent for other protocols). | |||
| 6.4.1. UNSUBSCRIBE Message | 6.4.1. UNSUBSCRIBE Message | |||
| An UNSUBSCRIBE unidirectional message begins with the standard DSO | An UNSUBSCRIBE unidirectional message begins with the standard DSO | |||
| 12-byte header [DSO], followed by the UNSUBSCRIBE primary TLV. An | 12-byte header [RFC8490], followed by the UNSUBSCRIBE primary TLV. | |||
| UNSUBSCRIBE message is illustrated in Figure 3. | An UNSUBSCRIBE message is illustrated in Figure 3. | |||
| In accordance with the definition of DSO unidirectional messages, the | In accordance with the definition of DSO unidirectional messages, the | |||
| MESSAGE ID field MUST be zero. There is no server response to an | MESSAGE ID field MUST be zero. There is no server response to an | |||
| UNSUBSCRIBE message. | UNSUBSCRIBE message. | |||
| The other header fields MUST be set as described in the DSO | The other header fields MUST be set as described in the DSO spec- | |||
| specification [DSO]. The DNS OPCODE field contains the OPCODE value | ification [RFC8490]. The DNS OPCODE field contains the OPCODE value | |||
| for DNS Stateful Operations (6). The four count fields MUST be zero, | for DNS Stateful Operations (6). The four count fields MUST be zero, | |||
| and the corresponding four sections MUST be empty (i.e., absent). | and the corresponding four sections MUST be empty (i.e., absent). | |||
| The DSO-TYPE is UNSUBSCRIBE (tentatively 0x42). | The DSO-TYPE is UNSUBSCRIBE (tentatively 0x42). | |||
| The DSO-LENGTH field contains the value 2, the length of the 2-octet | The DSO-LENGTH field contains the value 2, the length of the 2-octet | |||
| MESSAGE ID contained in the DSO-DATA. | MESSAGE ID contained in the DSO-DATA. | |||
| The DSO-DATA contains the value given in the MESSAGE ID field of an | The DSO-DATA contains the value given in the MESSAGE ID field of an | |||
| active SUBSCRIBE request. This is how the server knows which | active SUBSCRIBE request. This is how the server knows which | |||
| skipping to change at page 28, line 8 ¶ | skipping to change at page 28, line 8 ¶ | |||
| that the disputed records are in fact no longer valid, then | that the disputed records are in fact no longer valid, then | |||
| subsequent DNS PUSH Messages will be generated to inform interested | subsequent DNS PUSH Messages will be generated to inform interested | |||
| clients. Thus, one client discovering that a previously-advertised | clients. Thus, one client discovering that a previously-advertised | |||
| device (like a network printer) is no longer present has the side | device (like a network printer) is no longer present has the side | |||
| effect of informing all other interested clients that the device in | effect of informing all other interested clients that the device in | |||
| question is now gone. | question is now gone. | |||
| 6.5.1. RECONFIRM Message | 6.5.1. RECONFIRM Message | |||
| A RECONFIRM unidirectional message begins with the standard DSO | A RECONFIRM unidirectional message begins with the standard DSO | |||
| 12-byte header [DSO], followed by the RECONFIRM primary TLV. A | 12-byte header [RFC8490], followed by the RECONFIRM primary TLV. | |||
| RECONFIRM message is illustrated in Figure 4. | A RECONFIRM message is illustrated in Figure 4. | |||
| In accordance with the definition of DSO unidirectional messages, the | In accordance with the definition of DSO unidirectional messages, the | |||
| MESSAGE ID field MUST be zero. There is no server response to a | MESSAGE ID field MUST be zero. There is no server response to a | |||
| RECONFIRM message. | RECONFIRM message. | |||
| The other header fields MUST be set as described in the DSO | The other header fields MUST be set as described in the DSO spec- | |||
| specification [DSO]. The DNS OPCODE field contains the OPCODE value | ification [RFC8490]. The DNS OPCODE field contains the OPCODE value | |||
| for DNS Stateful Operations (6). The four count fields MUST be zero, | for DNS Stateful Operations (6). The four count fields MUST be zero, | |||
| and the corresponding four sections MUST be empty (i.e., absent). | and the corresponding four sections MUST be empty (i.e., absent). | |||
| The DSO-TYPE is RECONFIRM (tentatively 0x43). | The DSO-TYPE is RECONFIRM (tentatively 0x43). | |||
| The DSO-LENGTH is the length of the data that follows, which | The DSO-LENGTH is the length of the data that follows, which | |||
| specifies the name, type, class, and content of the record being | specifies the name, type, class, and content of the record being | |||
| disputed. | disputed. | |||
| 1 1 1 1 1 1 | 1 1 1 1 1 1 | |||
| skipping to change at page 30, line 8 ¶ | skipping to change at page 30, line 8 ¶ | |||
| DNS wildcarding is not supported. That is, a wildcard ("*") in a | DNS wildcarding is not supported. That is, a wildcard ("*") in a | |||
| RECONFIRM message matches only a literal wildcard character ("*") in | RECONFIRM message matches only a literal wildcard character ("*") in | |||
| the zone, and nothing else. | the zone, and nothing else. | |||
| Aliasing is not supported. That is, a CNAME in a RECONFIRM message | Aliasing is not supported. That is, a CNAME in a RECONFIRM message | |||
| matches only a literal CNAME record in the zone, and nothing else. | matches only a literal CNAME record in the zone, and nothing else. | |||
| 6.6. DNS Stateful Operations TLV Context Summary | 6.6. DNS Stateful Operations TLV Context Summary | |||
| This document defines four new DSO TLVs. As suggested in Section 8.2 | This document defines four new DSO TLVs. As suggested in Section 8.2 | |||
| of the DNS Stateful Operations specification [DSO], the valid | of the DNS Stateful Operations specification [RFC8490], the valid | |||
| contexts of these new TLV types are summarized below. | contexts of these new TLV types are summarized below. | |||
| The client TLV contexts are: | The client TLV contexts are: | |||
| C-P: Client request message, primary TLV | C-P: Client request message, primary TLV | |||
| C-U: Client unidirectional message, primary TLV | C-U: Client unidirectional message, primary TLV | |||
| C-A: Client request or unidirectional message, additional TLV | C-A: Client request or unidirectional message, additional TLV | |||
| CRP: Response back to client, primary TLV | CRP: Response back to client, primary TLV | |||
| CRA: Response back to client, additional TLV | CRA: Response back to client, additional TLV | |||
| skipping to change at page 31, line 21 ¶ | skipping to change at page 31, line 21 ¶ | |||
| subscriptions on that DSO session (by ending the session) it is | subscriptions on that DSO session (by ending the session) it is | |||
| signaling to the server that it is longer interested in receiving | signaling to the server that it is longer interested in receiving | |||
| those particular updates. It is informing the server that the server | those particular updates. It is informing the server that the server | |||
| may release any state information it has been keeping with regards to | may release any state information it has been keeping with regards to | |||
| these particular subscriptions. | these particular subscriptions. | |||
| After terminating its last subscription on a session via UNSUBSCRIBE, | After terminating its last subscription on a session via UNSUBSCRIBE, | |||
| a client MAY close the session immediately, or it may keep it open if | a client MAY close the session immediately, or it may keep it open if | |||
| it anticipates performing further operations on that session in the | it anticipates performing further operations on that session in the | |||
| future. If a client wishes to keep an idle session open, it MUST | future. If a client wishes to keep an idle session open, it MUST | |||
| respect the maximum idle time required by the server [DSO]. | respect the maximum idle time required by the server [RFC8490]. | |||
| If a client plans to terminate one or more subscriptions on a session | If a client plans to terminate one or more subscriptions on a session | |||
| and doesn't intend to keep that session open, then as an efficiency | and doesn't intend to keep that session open, then as an efficiency | |||
| optimization it MAY instead choose to simply close the session, which | optimization it MAY instead choose to simply close the session, which | |||
| implicitly terminates all subscriptions on that session. This may | implicitly terminates all subscriptions on that session. This may | |||
| occur because the client computer is being shut down, is going to | occur because the client computer is being shut down, is going to | |||
| sleep, the application requiring the subscriptions has terminated, or | sleep, the application requiring the subscriptions has terminated, or | |||
| simply because the last active subscription on that session has been | simply because the last active subscription on that session has been | |||
| cancelled. | cancelled. | |||
| skipping to change at page 33, line 6 ¶ | skipping to change at page 33, line 6 ¶ | |||
| recommendations will continue to change. Updated versions or errata | recommendations will continue to change. Updated versions or errata | |||
| may exist for these recommendations. | may exist for these recommendations. | |||
| 7.2. TLS Name Authentication | 7.2. TLS Name Authentication | |||
| As described in Section 6.1, the client discovers the DNS Push | As described in Section 6.1, the client discovers the DNS Push | |||
| Notification server using an SRV lookup for the record name | Notification server using an SRV lookup for the record name | |||
| "_dns-push-tls._tcp.<zone>". The server connection endpoint SHOULD | "_dns-push-tls._tcp.<zone>". The server connection endpoint SHOULD | |||
| then be authenticated using DANE TLSA records for the associated SRV | then be authenticated using DANE TLSA records for the associated SRV | |||
| record. This associates the target's name and port number with a | record. This associates the target's name and port number with a | |||
| trusted TLS certificate [RFC7673]. This procedure uses the TLS Sever | trusted TLS certificate [RFC7673]. This procedure uses the TLS | |||
| Name Indication (SNI) extension [RFC6066] to inform the server of the | Server Name Indication (SNI) extension [RFC6066] to inform the server | |||
| name the client has authenticated through the use of TLSA records. | of the name the client has authenticated through the use of TLSA | |||
| Therefore, if the SRV record passes DNSSEC validation and a TLSA | records. Therefore, if the SRV record passes DNSSEC validation and a | |||
| record matching the target name is useable, an SNI extension must be | TLSA record matching the target name is useable, an SNI extension | |||
| used for the target name to ensure the client is connecting to the | must be used for the target name to ensure the client is connecting | |||
| server it has authenticated. If the target name does not have a | to the server it has authenticated. If the target name does not have | |||
| usable TLSA record, then the use of the SNI extension is optional. | a usable TLSA record, then the use of the SNI extension is optional. | |||
| See Usage Profiles for DNS over TLS and DNS over DTLS [RFC8310] for | See Usage Profiles for DNS over TLS and DNS over DTLS [RFC8310] for | |||
| more information on authenticating domain names. | more information on authenticating domain names. | |||
| 7.3. TLS Session Resumption | 7.3. TLS Session Resumption | |||
| TLS Session Resumption is permissible on DNS Push Notification | TLS Session Resumption is permissible on DNS Push Notification | |||
| servers. The server may keep TLS state with Session IDs [RFC8446] or | servers. The server may keep TLS state with Session IDs [RFC8446] or | |||
| operate in stateless mode by sending a Session Ticket [RFC5077] to | operate in stateless mode by sending a Session Ticket [RFC5077] to | |||
| the client for it to store. However, closing the TLS connection | the client for it to store. However, closing the TLS connection | |||
| terminates the DSO session. When the TLS session is resumed, the DNS | terminates the DSO session. When the TLS session is resumed, the DNS | |||
| skipping to change at page 34, line 31 ¶ | skipping to change at page 34, line 31 ¶ | |||
| This draft has been improved due to comments from Ran Atkinson, Tim | This draft has been improved due to comments from Ran Atkinson, Tim | |||
| Chown, Mark Delany, Ralph Droms, Bernie Volz, Jan Komissar, Manju | Chown, Mark Delany, Ralph Droms, Bernie Volz, Jan Komissar, Manju | |||
| Shankar Rao, Markus Stenberg, Dave Thaler, Soraia Zlatkovic, Sara | Shankar Rao, Markus Stenberg, Dave Thaler, Soraia Zlatkovic, Sara | |||
| Dickinson, and Andrew Sullivan. Ted Lemon provided clarifying text | Dickinson, and Andrew Sullivan. Ted Lemon provided clarifying text | |||
| that was greatly appreciated. | that was greatly appreciated. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [DSO] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | ||||
| Lemon, T., and T. Pusateri, "DNS Stateful Operations", | ||||
| draft-ietf-dnsop-session-signal-18 (work in progress), | ||||
| October 2018. | ||||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| DOI 10.17487/RFC0768, August 1980, | DOI 10.17487/RFC0768, August 1980, | |||
| <https://www.rfc-editor.org/info/rfc768>. | <https://www.rfc-editor.org/info/rfc768>. | |||
| [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | |||
| RFC 793, DOI 10.17487/RFC0793, September 1981, | RFC 793, DOI 10.17487/RFC0793, September 1981, | |||
| <https://www.rfc-editor.org/info/rfc793>. | <https://www.rfc-editor.org/info/rfc793>. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| skipping to change at page 35, line 20 ¶ | skipping to change at page 35, line 15 ¶ | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, | [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, | |||
| "Dynamic Updates in the Domain Name System (DNS UPDATE)", | "Dynamic Updates in the Domain Name System (DNS UPDATE)", | |||
| RFC 2136, DOI 10.17487/RFC2136, April 1997, | RFC 2136, DOI 10.17487/RFC2136, April 1997, | |||
| <https://www.rfc-editor.org/info/rfc2136>. | <https://www.rfc-editor.org/info/rfc2136>. | |||
| [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS | ||||
| Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2181>. | ||||
| [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
| specifying the location of services (DNS SRV)", RFC 2782, | specifying the location of services (DNS SRV)", RFC 2782, | |||
| DOI 10.17487/RFC2782, February 2000, | DOI 10.17487/RFC2782, February 2000, | |||
| <https://www.rfc-editor.org/info/rfc2782>. | <https://www.rfc-editor.org/info/rfc2782>. | |||
| [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) | [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) | |||
| Extensions: Extension Definitions", RFC 6066, | Extensions: Extension Definitions", RFC 6066, | |||
| DOI 10.17487/RFC6066, January 2011, | DOI 10.17487/RFC6066, January 2011, | |||
| <https://www.rfc-editor.org/info/rfc6066>. | <https://www.rfc-editor.org/info/rfc6066>. | |||
| skipping to change at page 36, line 13 ¶ | skipping to change at page 36, line 9 ¶ | |||
| <https://www.rfc-editor.org/info/rfc7766>. | <https://www.rfc-editor.org/info/rfc7766>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | ||||
| Lemon, T., and T. Pusateri, "DNS Stateful Operations", | ||||
| RFC 8490, DOI 10.17487/RFC8490, March 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8490>. | ||||
| [ST] "Service Name and Transport Protocol Port Number | [ST] "Service Name and Transport Protocol Port Number | |||
| Registry", <http://www.iana.org/assignments/ | Registry", <http://www.iana.org/assignments/ | |||
| service-names-port-numbers/>. | service-names-port-numbers/>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [DisProx] Cheshire, S., "Discovery Proxy for Multicast DNS-Based | [DisProx] Cheshire, S., "Discovery Proxy for Multicast DNS-Based | |||
| Service Discovery", draft-ietf-dnssd-hybrid-08 (work in | Service Discovery", draft-ietf-dnssd-hybrid-10 (work in | |||
| progress), March 2018. | progress), March 2019. | |||
| [I-D.dukkipati-tcpm-tcp-loss-probe] | [I-D.dukkipati-tcpm-tcp-loss-probe] | |||
| Dukkipati, N., Cardwell, N., Cheng, Y., and M. Mathis, | Dukkipati, N., Cardwell, N., Cheng, Y., and M. Mathis, | |||
| "Tail Loss Probe (TLP): An Algorithm for Fast Recovery of | "Tail Loss Probe (TLP): An Algorithm for Fast Recovery of | |||
| Tail Losses", draft-dukkipati-tcpm-tcp-loss-probe-01 (work | Tail Losses", draft-dukkipati-tcpm-tcp-loss-probe-01 (work | |||
| in progress), February 2013. | in progress), February 2013. | |||
| [LLQ] Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns- | [LLQ] Cheshire, S. and M. Krochmal, "DNS Long-Lived Queries", | |||
| llq-01 (work in progress), August 2006. | draft-sekar-dns-llq-03 (work in progress), March 2019. | |||
| [obs] "Observer Pattern", | [obs] "Observer Pattern", | |||
| <https://en.wikipedia.org/wiki/Observer_pattern>. | <https://en.wikipedia.org/wiki/Observer_pattern>. | |||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | |||
| <https://www.rfc-editor.org/info/rfc2308>. | <https://www.rfc-editor.org/info/rfc2308>. | |||
| [RFC3123] Koch, P., "A DNS RR Type for Lists of Address Prefixes | [RFC3123] Koch, P., "A DNS RR Type for Lists of Address Prefixes | |||
| (APL RR)", RFC 3123, DOI 10.17487/RFC3123, June 2001, | (APL RR)", RFC 3123, DOI 10.17487/RFC3123, June 2001, | |||
| End of changes. 50 change blocks. | ||||
| 126 lines changed or deleted | 134 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||