One document matched: draft-ietf-dnssd-hybrid-00.txt
Internet Engineering Task Force S. Cheshire
Internet-Draft Apple Inc.
Intended status: Standards Track November 10, 2014
Expires: May 14, 2015
Hybrid Unicast/Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-00
Abstract
Performing DNS-Based Service Discovery using purely link-local
Multicast DNS enables discovery of services that are on the local
link, but not (without some kind of proxy or similar special support)
of services that are outside the local link. Using a very large
local link with thousands of hosts improves service discovery, but at
the cost of large amounts of multicast traffic.
Performing DNS-Based Service Discovery using purely Unicast DNS is
more efficient, but requires configuration of DNS Update keys on the
devices offering the services, which can be onerous for simple
devices like printers and network cameras.
Hence a compromise is needed, that provides easy service discovery
without requiring either large amounts of multicast traffic or
onerous configuration.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 14, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Cheshire Expires May 14, 2015 [Page 1]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Terminology Used in this Document . . . . . . 4
3. Hybrid Proxy Operation . . . . . . . . . . . . . . . . . . . . 5
3.1. Domain Enumeration . . . . . . . . . . . . . . . . . . . . 6
3.2. Delegated Subdomain for LDH Host Names . . . . . . . . . . 7
3.3. Delegated Subdomain for Reverse Mapping . . . . . . . . . 9
3.4. Data Translation . . . . . . . . . . . . . . . . . . . . . 10
3.4.1. DNS TTL limiting . . . . . . . . . . . . . . . . . . . 10
3.4.2. Suppressing Unusable Records . . . . . . . . . . . . . 10
3.4.3. Application-Specific Data Translation . . . . . . . . 11
3.5. Answer Aggregation . . . . . . . . . . . . . . . . . . . . 12
3.5.1. Discovery of LLQ Service . . . . . . . . . . . . . . . 14
4. Implementation Status . . . . . . . . . . . . . . . . . . . . 15
4.1. Already Implemented and Deployed . . . . . . . . . . . . . 15
4.2. Partially Implemented . . . . . . . . . . . . . . . . . . 15
4.3. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 16
5. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . . 17
6.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 17
6.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 17
7. Intelectual Property Rights . . . . . . . . . . . . . . . . . 18
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
10.2. Informative References . . . . . . . . . . . . . . . . . . 19
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 19
Cheshire Expires May 14, 2015 [Page 2]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC].
For a small network consisting of just a single link (or several
physical links bridged together to appear as a single logical link to
IP) Multicast DNS [RFC6762] is sufficient for client devices to look
up the dot-local host names of peers on the same home network, and
perform DNS-Based Service Discovery (DNS-SD) [RFC6763] of services
offered on that home network.
For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, do not cross between links.
(This was a deliberate design choice for Multicast DNS, since even on
a single link multicast traffic is expensive -- especially on Wi-Fi
links -- and multiplying the amount of multicast traffic by flooding
it across multiple links would make that problem even worse.)
In this environment, Unicast DNS would be preferable to Multicast
DNS. (Unicast DNS can be used either with a traditionally assigned
globally unique domain name, or with a private local unicast domain
name such as ".home" [HOME].)
To use Unicast DNS, the names of hosts and services need to be made
available in the Unicast DNS namespace. In the DNS-SD specification
[RFC6763] Section 10 ("Populating the DNS with Information")
discusses various possible ways that a service's PTR, SRV, TXT and
address records can make their way into the Unicast DNS namespace,
including manual zone file configuration [RFC1034] [RFC1035],
DNS Update [RFC2136] [RFC3007] and proxies of various kinds.
This document specifies a type of proxy called a Hybrid Proxy that
uses Multicast DNS [RFC6762] to discover Multicast DNS records on its
local link, and makes corresponding DNS records visible in the
Unicast DNS namespace.
Cheshire Expires May 14, 2015 [Page 3]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
2. Conventions and Terminology Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
The Hybrid Proxy builds on Multicast DNS, which works between hosts
on the same link. A set of hosts is considered to be "on the same
link" if:
o when any host A from that set sends a packet to any other host B
in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and
o a broadcast sent over that link by any host from that set of hosts
can be received by every other host in that set
The link-layer *header* may be modified, such as in Token Ring Source
Routing [802.5], but not the link-layer *payload*. In particular, if
any device forwarding a packet modifies any part of the IP header or
IP payload then the packet is no longer considered to be on the same
link. This means that the packet may pass through devices such as
repeaters, bridges, hubs or switches and still be considered to be on
the same link for the purpose of this document, but not through a
device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header.
Cheshire Expires May 14, 2015 [Page 4]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3. Hybrid Proxy Operation
In its simplest form, each physical link in an organization is
assigned a unique Unicast DNS domain name, such as
"Building 1.example.com" or "4th Floor.Building 1.example.com".
Grouping multiple links under a single Unicast DNS domain name is to
be specified in a future companion document, but for the purposes of
this document, assume that each link has its own unique Unicast DNS
domain name. In a graphical user interface these names are not
displayed as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface (which is
harder to illustrate in a text-only document) showing folders,
subfolders and files in a file system.
Each named link in an organization has a Hybrid Proxy which serves
it. This Hybrid Proxy function could be performed by a router on
that link, or, with appropriate VLAN configuration, a single Hybrid
Proxy could have a logical presence on, and serve as the Hybrid Proxy
for, many links. In the parent domain, NS records are used to
delegate ownership of each defined link name
(e.g., "Building 1.example.com") to the Hybrid Proxy that serves the
named link. In other words, the Hybrid Proxy is the authoritative
name server for that subdomain.
When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS
delegation mechanism results in that query being forwarded until it
reaches the delegated authoritative name server for that subdomain,
namely the Hybrid Proxy on the link in question. Like a conventional
Unicast DNS server, a Hybrid Proxy implements the usual Unicast DNS
protocol [RFC1034] [RFC1035] over UDP and TCP. However, unlike a
conventional Unicast DNS server that generates answers from the data
in its manually-configured zone file, a Hybrid Proxy generates
answers using Multicast DNS. A Hybrid Proxy does this by consulting
its Multicast DNS cache and/or issuing Multicast DNS queries for the
corresponding Multicast DNS name, type and class, (e.g., in this
case, "_printer._tcp.local. PTR ?"). Then, from the received
Multicast DNS data, the Hybrid Proxy synthesizes the appropriate
Unicast DNS response.
Naturally, the existing Multicast DNS caching mechanism is used to
avoid issuing unnecessary Multicast DNS queries on the wire. The
Hybrid Proxy is acting as a client of the underlying Multicast DNS
subsystem, and benefits from the same caching and efficiency measures
as any other client using that subsystem.
Cheshire Expires May 14, 2015 [Page 5]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3.1. Domain Enumeration
The administrator creates Domain Enumeration PTR records [RFC6763] to
inform clients of available service discovery domains, e.g.,:
b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com.
PTR Building 3.example.com.
PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The "b" ("browse") records tell the client device the list of
browsing domains to display for the user to select from and the "db"
("default browse") record tells the client device which domain in
that list should be selected by default. The "lb" ("legacy browse")
record tells the client device which domain to automatically browse
on behalf of applications that don't implement UI for multi-domain
browsing (which is most of them, today). The "lb" domain is usually
the same as the "db" domain.
DNS responses are limited to a maximum size of 65535 bytes. This
limits the maximum number of domains that can be returned for a
Domain Enumeration query, as follows:
A DNS response header is 12 bytes. That's typically followed by a
single qname (up to 256 bytes) plus qtype (2 bytes) and qclass
(2 bytes), leaving 65275 for the Answer Section.
An Answer Section Resource Record consists of:
o Owner name, encoded as a two-byte compression pointer
o Two-byte rrtype (type PTR)
o Two-byte rrclass (class IN)
o Four-byte ttl
o Two-byte rdlength
o rdata (domain name, up to 256 bytes)
This means that each Resource Record in the Answer Section can take
up to 268 bytes total, which means that the Answer Section can
contain, in the worst case, no more than 243 domains.
In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer Section
Resource Record may average 140 bytes, which means that the Answer
Section can contain up to 466 domains.
Cheshire Expires May 14, 2015 [Page 6]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3.2. Delegated Subdomain for LDH Host Names
The rules for DNS-SD service instance names and domains are more
permissive than the traditional rules for host names.
Users typically interact with DNS-SD by viewing a list of discovered
service instance names on the display and selecting one of them by
pointing, touching, or clicking. Similarly, in software that
provides a multi-domain DNS-SD user interface, users view a list of
offered domains on the display and select one of them by pointing,
touching, or clicking. To use a service, users don't have to
remember domain or instance names, or type them; users just have to
be able to recognize what they see on the display and click on the
thing they want.
In contrast, host names are often remembered and typed. Also, host
names are often used in command-line interfaces where spaces can be
inconvenient. For this reason, host names have traditionally been
restricted to letters, digits and hyphens, with no spaces or other
punctuation.
While we still want to allow rich text for DNS-SD service instance
names and domains, it is advisable, for maximum compatibility with
existing software, to restrict host names to the traditional letter-
digit-hyphen rules. This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is
not advisable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Hybrid Proxy
MUST support having two subdomains delegated to it, one to be used
for host names (names of 'A' and 'AAAA' address records), which is
restricted to the traditional letter-digit-hyphen rules, and another
to be used for other records (including the PTR, SRV and TXT records
used by DNS-SD), which is allowed to be arbitrary Net-Unicode text
[RFC5198].
Cheshire Expires May 14, 2015 [Page 7]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
For example, a Hybrid Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it.
The Hybrid Proxy would then translate these two Multicast DNS
records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 10.0.1.2
into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 10.0.1.2
Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record name is
translated using the LDH domain ("bldg1.example.com").
Cheshire Expires May 14, 2015 [Page 8]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3.3. Delegated Subdomain for Reverse Mapping
A Hybrid Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the
Hybrid Proxy. In other words, the Hybrid Proxy becomes the
authoritative name server for the reverse mapping domain.
For example, if a given link is using the IPv4 subnet 10.1/16, then
the domain "1.10.in-addr.arpa" is delegated to the Hybrid Proxy for
that link.
If a given link is using the IPv6 prefix 2001:0DB8/32, then the
domain "8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Hybrid Proxy
for that link.
When a reverse mapping query arrives at the Hybrid Proxy, it issues
the identical query on its local link as a Multicast DNS query.
(In the Apple "/usr/include/dns_sd.h" APIs, using ForceMulticast
indicates that the DNSServiceQueryRecord() call should perform the
query using Multicast DNS.) When the host owning that IPv4 or IPv6
address responds with a name of the form "something.local", the
Hybrid Proxy rewrites that to use its configured LDH host name domain
instead of "local" and returns the response to the caller.
For example, a Hybrid Proxy with the two subdomains
"1.10.in-addr.arpa" and "bldg1.example.com" delegated to it would
translate this Multicast DNS record:
3.2.1.10.in-addr.arpa. PTR prnt.local.
into this Unicast DNS response:
3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record,
falling as it does within the bldg1.example.com domain, which is
delegated to the Hybrid Proxy, will arrive at the Hybrid Proxy, where
they are answered by issuing Multicast DNS queries and using the
received Multicast DNS answers to synthesize Unicast DNS responses,
as described above.
Cheshire Expires May 14, 2015 [Page 9]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3.4. Data Translation
Generating the appropriate Multicast DNS queries involves, at the
very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side to "local"
on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating
back from "local" to the configured DNS Unicast domain.
Other beneficial translation and filtering operations are described
below.
3.4.1. DNS TTL limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol
which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove its
PTR records immediately from neighbouring caches. If a service shuts
down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in Section 10.5 of
the Multicast DNS specification [RFC6762] comes into play to purge
the cache of stale data.
A Unicast DNS client on a remote link does not get to participate in
these Multicast DNS cache coherency mechanisms on the local link.
For Unicast DNS requests received without any LLQ option the DNS TTLs
reported in the resulting Unicast DNS response SHOULD be capped to be
no more than ten seconds. For received Unicast DNS requests that
contain an LLQ option, the Multicast DNS record's TTL SHOULD be
returned unmodified, because the LLQ notification channel exists to
inform the remote client as records come and go. For further details
about the LLQ option, see Section 3.5.
3.4.2. Suppressing Unusable Records
A Hybrid Proxy SHOULD suppress Unicast DNS answers for records that
are not useful outside the local link. For example, DNS A and AAAA
records for IPv4 link-local addresses [RFC3927] and IPv6 link-local
addresses [RFC4862] should be suppressed. Similarly, for sites that
have multiple private address realms [RFC1918], private addresses
from one private address realm should not be communicated to clients
in a different private address realm.
By the same logic, DNS SRV records that reference target host names
Cheshire Expires May 14, 2015 [Page 10]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
that have no addresses usable by the requester should be suppressed,
and likewise, DNS PTR records that point to unusable SRV records
should be similarly be suppressed.
3.4.3. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is
appropriate.
For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record.
This information is a legacy from LPR printing, because LPR does not
have in-band capability negotiation, so all of this information is
conveyed using the DNS-SD TXT record instead. IPP printing does have
in-band capability negotiation, but for convenience printers tend to
include the same capability information in their IPP DNS-SD TXT
records as well. For local mDNS use this extra TXT record
information is inefficient, but not fatal. However, when a Hybrid
Proxy aggregates data from multiple printers on a link, and sends it
via unicast (via UDP or TCP) this amount of unnecessary TXT record
information can result in large responses. Therefore, a Hybrid Proxy
that is aware of the specifics of an application-layer protocol such
as Apple's AirPrint (which uses IPP) can elide unnecessary key/value
pairs from the DNS-SD TXT record for better network efficiency.
Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design, with
clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency
benefits outweigh the inelegance of the layer violation.
As in other similar situations, these layer violations optional.
They are done only for efficiency reasons, and are not required for
correct operation. A Hybrid Proxy can operate solely at the mDNS
layer, without any knowledge of semantics at the DNS-SD layer or
above.
Cheshire Expires May 14, 2015 [Page 11]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
3.5. Answer Aggregation
In a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises
the question of how long the Hybrid Proxy should wait to be sure that
it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In
fact, there may no time which is both short enough to produce a good
user experience and at the same time long enough to reliably produce
complete results.
Similarly, the Hybrid Proxy -- the authoritative name server for the
subdomain in question -- needs to decide what DNS TTL to report for
these records. If the TTL is too long then the recursive (caching)
name servers issuing queries on behalf of their clients risk caching
stale data for too long. If the TTL is too short then the amount of
network traffic will be more than necessary. In fact, there may no
TTL which is both short enough to avoid undesirable stale data and at
the same time long enough to be efficient on the network.
These dilemmas are solved by use of DNS Long-Lived Queries (DNS LLQ)
[I-D.sekar-dns-llq]. The Hybrid Proxy responds immediately to the
Unicast DNS query using the Multicast DNS records it already has in
its cache (if any). This provides a good client user experience by
providing a near-instantaneous response. Simultaneously, the Hybrid
Proxy issues a Multicast DNS query on the local link to discover if
there are any additional Multicast DNS records it did not already
know about. Should additional Multicast DNS responses be received,
these are then delivered to the client using DNS LLQ update messages.
The timeliness of such LLQ updates is limited only by the timeliness
of the device responding to the Multicast DNS query. If the
Multicast DNS device responds quickly, then the LLQ update is
delivered quickly. If the Multicast DNS device responds slowly, then
the LLQ update is delivered slowly. The benefit of using LLQ is that
the Hybrid Proxy can respond promptly because it doesn't have to
delay its unicast response to allow for the expected worst-case delay
for receiving all the Multicast DNS responses. Even if a proxy were
to try to provide reliability by assuming an excessively pessimistic
worst-case time (thereby giving a very poor user experience) there
would still be the risk of a slow Multicast DNS device taking even
longer than that (e.g, a device that is not even powered on until ten
seconds after the initial query is received) resulting in incomplete
responses. Using LLQs solves this dilemma: even very late responses
are not lost; they are delivered in subsequent LLQ update messages.
Cheshire Expires May 14, 2015 [Page 12]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
There are two factors that determine specifically how responses are
generated:
The first factor is whether the query from the client included the
LLQ option (typical with long-lived service browsing PTR queries) or
not (typical with one-shot operations like SRV or address record
queries). Note that queries containing the LLQ option are received
directly from the client (see Section 3.5.1). Queries containing no
LLQ option are generally received via the client's configured
recursive (caching) name server.
The second factor is whether the Hybrid Proxy already has at least
one record in its cache that positively answers the question.
o No LLQ option; no answer in cache:
Do local mDNS query up to three times, return answers if received,
otherwise return negative response if no answer after three tries.
DNS TTLs in responses are capped to at most ten seconds.
o No LLQ option; at least one answer in cache:
Send response right away to minimise delay.
DNS TTLs in responses are capped to at most ten seconds.
No local mDNS queries are performed.
(Reasoning: Given RRSet TTL harmonisation, if the proxy has one
Multicast DNS answer in its cache, it can reasonably assume that
it has all of them.)
o Query contains LLQ option; no answer in cache:
As above, do local mDNS query up to three times, and return
answers if received.
If no answer after three tries, return negative response.
(Reasoning: We don't need to rush to send an empty answer.)
In both cases the query remains active for as long as the client
maintains the LLQ state, and if mDNS answers are received later,
LLQ update messages are sent.
DNS TTLs in responses are returned unmodified.
o Query contains LLQ option; at least one answer in cache:
As above, send response right away to minimise delay.
The query remains active for as long as the client maintains the
LLQ state, and if additional mDNS answers are received later, LLQ
update messages are sent.
(Reasoning: We want UI that is displayed very rapidly, yet
continues to remain accurate even as the network environment
changes.)
DNS TTLs in responses are returned unmodified.
Note that the "negative responses" referred to above are "no error no
Cheshire Expires May 14, 2015 [Page 13]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
answer" negative responses, not NXDOMAIN. This is because the Hybrid
Proxy cannot know all the Multicast DNS domain names that may exist
on a link at any given time, so any name with no answers may have
child names that do exist, making it an "empty nonterminal" name.
3.5.1. Discovery of LLQ Service
To issue LLQ queries, clients need to communicate directly with the
authoritative Hybrid Proxy. The procedure by which the client
locates the authoritative Hybrid Proxy is described in the LLQ
specification [I-D.sekar-dns-llq].
Briefly, the procedure is as follows: To discover the LLQ service for
a given domain name, a client first performs DNS zone apex discovery,
and then, having discovered <apex>, the client then issues a DNS
query for the SRV record with the name _dns-llq._udp.<apex> to find
the target host and port for the LLQ service for that zone. By
default LLQ service runs on port 5352, but since SRV records are
used, the LLQ service can be offered on any port.
A client performs DNS zone apex discovery using the procedure below:
1. The client issues a DNS query for the SOA record with the given
domain name.
2. A conformant recursive (caching) name server will either send a
positive response, or a negative response containing the SOA
record of the zone apex in the Authority Section.
3. If the name server sends a negative response that does not
contain the SOA record of the zone apex, the client trims the
first label off the given domain name and returns to step 1 to
try again.
By this method, the client iterates until it learns the name of the
zone apex, or (in pathological failure cases) reaches the root and
gives up.
Normal DNS caching is used to avoid repetitive queries on the wire.
Cheshire Expires May 14, 2015 [Page 14]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
4. Implementation Status
Some aspects of the mechanism specified in this document already
exist in deployed software. Some aspects are new. This section
outlines which aspects already exist and which are new.
4.1. Already Implemented and Deployed
Domain enumeration by the client (the "b._dns-sd._udp" queries) is
already implemented and deployed.
Unicast queries to the indicated discovery domain is already
implemented and deployed.
These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
and later.
Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When you Press Cmd-P on your Mac, or
select AirPrint on your iPad or iPhone, and the Terminal room
printers appear, that is because your client is doing unicast DNS
queries to the IETF DNS servers.
4.2. Partially Implemented
The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Hybrid
Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with
the Hybrid Proxy, but will show all services in a single flat list.
Applications with improved UI will group services by domain.
The Long-Lived Query mechanism [I-D.sekar-dns-llq] referred to in
this specification exists and is deployed, but has not been
standardized by the IETF. It is possible that the IETF may choose to
standardize a different or better Long-Lived Query mechanism. In
that case, the pragmatic deployment approach would be for vendors to
produce Hybrid Proxies that implement both the deployed Long-Lived
Query mechanism [I-D.sekar-dns-llq] (for today's clients) and a new
IETF Standard Long-Lived Query mechanism (as the future long-term
direction).
Cheshire Expires May 14, 2015 [Page 15]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
The translating/filtering Hybrid Proxy specified in this document.
Implementations are under development, and operational experience
with these implementations has guided updates to this document.
4.3. Not Yet Implemented
A mechanism to 'stitch' together multiple ".local." zones so that
they appear as one. Such a mechanism will be specified in a future
companion document.
5. IPv6 Considerations
An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet, neither is aware
of the other's traffic. For this reason, each physical link may have
*two* unrelated ".local." zones, one for IPv4 and one for IPv6.
Since for practical purposes, a group of IPv4-only hosts and a group
of IPv6-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these
two unrelated ".local." zones so that they appear as one. Such
mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv4-only and the other IPv6-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a
future companion document.
Cheshire Expires May 14, 2015 [Page 16]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
6. Security Considerations
6.1. Authenticity
A service proves its presence on a link by its ability to answer
link-local multicast queries on that link. If greater security is
desired, then the Hybrid Proxy mechanism should not be used, and
something with stronger security should be used instead, such as
authenticated secure DNS Update [RFC2136] [RFC3007].
6.2. Privacy
The Domain Name System is, generally speaking, a global public
database. Records that exist in the Domain Name System name
hierarchy can be queried by name from, in principle, anywhere in the
world. If services on a mobile device (like a laptop computer) are
made visible via the Hybrid Proxy mechanism, then when those services
become visibile in a domain such as "My House.example.com" that might
indicate to (potentially hostile) observers that the mobile device is
in my house. When those services disappear from
"My House.example.com" that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using
techniques like firewalls and split-view DNS, as are customarily used
today to protect the privacy of corporate DNS information.
6.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local
links. Multicast traffic is expensive -- especially on Wi-Fi links
-- which makes this attack particularly serious. To limit the damage
that can be caused by such attacks, a Hybrid Proxy (or the underlying
Multicast DNS subsystem which it utilizes) MUST implement Multicast
DNS query rate limiting appropriate to the link technology in
question. For Wi-Fi links the Multicast DNS subsystem SHOULD NOT
issue more than 20 Multicast DNS query packets per second. On other
link technologies like Gigabit Ethernet higher limits may be
appropriate.
Cheshire Expires May 14, 2015 [Page 17]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
7. Intelectual Property Rights
Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on the IETF IPR
disclosure page [IPR2119].
8. IANA Considerations
This document has no IANA Considerations.
9. Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Andrew Yourtchenko for
comments about privacy issues. [Partial list; more names to be
added.]
10. References
10.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927,
May 2005.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, March 2008.
Cheshire Expires May 14, 2015 [Page 18]
Internet-Draft Hybrid uDNS/mDNS Service Discovery November 2014
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
December 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, December 2012.
[I-D.sekar-dns-llq]
Sekar, K., "DNS Long-Lived Queries",
draft-sekar-dns-llq-01 (work in progress), August 2006.
10.2. Informative References
[HOME] Cheshire, S., "Special Use Top Level Domain 'home'",
draft-cheshire-homenet-dot-home (work in progress),
November 2014.
[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid
Unicast/Multicast DNS-Based Service Discovery",
<https://datatracker.ietf.org/ipr/2119/>.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, April 1997.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
to Replace the AppleTalk Name Binding Protocol (NBP)",
RFC 6760, December 2012.
[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, December 2005.
Author's Address
Stuart Cheshire
Apple Inc.
1 Infinite Loop
Cupertino, California 95014
USA
Phone: +1 408 974 3207
Email: cheshire@apple.com
Cheshire Expires May 14, 2015 [Page 19]
| PAFTECH AB 2003-2026 | 2026-04-23 15:22:08 |