<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!--
Check output with <http://tools.ietf.org/tools/idnits/>
-->
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.35) -->
<!-- give errors regarding ID-nits and DTD validation -->
<?rfc strict="yes" ?>
<!-- control the table of contents (ToC) -->
<!-- generate a ToC -->
<?rfc toc="yes"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<?rfc tocdepth="3"?>
<!-- control references -->
<!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1] -->
<?rfc symrefs="yes"?>
<!-- sort the reference entries alphabetically -->
<?rfc sortrefs="no" ?>
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<!-- do not start each main section on a new page -->
<?rfc compact="yes" ?>
<!-- keep one blank line between list items -->
<?rfc subcompact="no" ?>
<!-- encourage use of "xml2rfc" tool -->
<?rfc rfcprocack="yes" ?>
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-dnssd-hybrid-00" ipr="trust200902">
<front>
<title abbrev='Hybrid uDNS/mDNS Service Discovery'>Hybrid
Unicast/Multicast DNS-Based Service Discovery</title>
<author initials='S.' surname='Cheshire' fullname='Stuart Cheshire'>
<organization>Apple Inc.</organization>
<address>
<postal>
<street>1 Infinite Loop</street>
<city>Cupertino</city>
<region>California</region>
<code>95014</code>
<country>USA</country>
</postal>
<phone>+1 408 974 3207</phone>
<email>cheshire@apple.com</email>
</address>
</author>
<date day='10' month='November' year='2014'/>
<area>Internet</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>Multicast DNS</keyword>
<keyword>DNS-Based Service Discovery</keyword>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<abstract>
<t>Performing DNS-Based Service Discovery using purely link-local
Multicast DNS enables discovery of services that are on the local link,
but not (without some kind of proxy or similar special support) of
services that are outside the local link.
Using a very large local link with thousands of hosts improves service
discovery, but at the cost of large amounts of multicast traffic.</t>
<t>Performing DNS-Based Service Discovery using purely Unicast DNS is
more efficient, but requires configuration of DNS Update keys on
the devices offering the services, which can be onerous for simple
devices like printers and network cameras.</t>
<t>Hence a compromise is needed that provides easy service
discovery without requiring either large amounts of multicast
traffic or onerous configuration.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Multicast DNS <xref target="RFC6762"/> and its companion technology
DNS-based Service Discovery <xref target="RFC6763"/> were created to provide
IP networking with the ease-of-use and autoconfiguration for which
AppleTalk was well known <xref target="RFC6760"/> <xref target="ZC"/>.</t>
<t>For a small network consisting of just a single link (or several
physical links bridged together to appear as a single logical link to IP)
Multicast DNS <xref target="RFC6762"/> is sufficient for client
devices to look up the dot-local host names of peers on the same
home network, and perform DNS-Based Service Discovery (DNS-SD)
<xref target="RFC6763"/> of services offered on that home network.</t>
<t>For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, do not cross between links.<vspace/>
(This was a deliberate design choice for Multicast DNS, since even on
a single link multicast traffic is expensive -- especially on Wi-Fi
links -- and multiplying the amount of multicast traffic by flooding
it across multiple links would make that problem even worse.)<vspace/>
In this environment, Unicast DNS would be preferable to Multicast DNS.
(Unicast DNS can be used either with a traditionally assigned globally
unique domain name, or with a private local unicast domain name such as
".home" <xref target="HOME"/>.)</t>
<t>To use Unicast DNS, the names of hosts and services
need to be made available in the Unicast DNS namespace.
In the DNS-SD specification <xref target="RFC6763"/>
Section 10 ("Populating the DNS with Information")
discusses various possible ways that a service's PTR, SRV, TXT and
address records can make their way into the Unicast DNS namespace,
including manual zone file configuration
<xref target="RFC1034"/> <xref target="RFC1035"/>,
DNS Update <xref target="RFC2136"/> <xref target="RFC3007"/>
and proxies of various kinds.</t>
<t>This document specifies a type of proxy called a Hybrid Proxy
that uses Multicast DNS <xref target="RFC6762"/> to discover
Multicast DNS records on its local link, and makes corresponding
DNS records visible in the Unicast DNS namespace.</t>
</section>
<?rfc needLines="12" ?>
<section title="Conventions and Terminology Used in this Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in "Key words for use
in RFCs to Indicate Requirement Levels" <xref target="RFC2119"/>.</t>
<t>The Hybrid Proxy builds on Multicast DNS,
which works between hosts on the same link.
A set of hosts is considered to be "on the same link" if:
<list style='symbols'>
<t>when any host A from that set sends a packet to any other host B
in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and</t>
<t>a broadcast sent over that link by any host from that set of hosts
can be received by every other host in that set</t>
</list>
The link-layer *header* may be modified, such as in Token Ring
Source Routing [802.5], but not the link-layer *payload*.
In particular, if any device forwarding a packet modifies any
part of the IP header or IP payload then the packet is no longer
considered to be on the same link. This means that the packet may
pass through devices such as repeaters, bridges, hubs or switches
and still be considered to be on the same link for the purpose of
this document, but not through a device such as an IP router that
decrements the IP TTL or otherwise modifies the IP header.</t>
</section>
<?rfc needLines="22" ?>
<section anchor="operation" title="Hybrid Proxy Operation">
<t>In its simplest form, each physical link in an organization
is assigned a unique Unicast DNS domain name, such as
"Building 1.example.com" or
"4th Floor.Building 1.example.com".
Grouping multiple links under a single Unicast DNS domain
name is to be specified in a future companion document, but for
the purposes of this document, assume that each link has its own
unique Unicast DNS domain name.
In a graphical user interface these names are not displayed
as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface
(which is harder to illustrate in a text-only document)
showing folders, subfolders and files in a file system.</t>
<t>Each named link in an organization has a Hybrid Proxy which
serves it. This Hybrid Proxy function could be performed by a
router on that link, or, with appropriate VLAN configuration, a
single Hybrid Proxy could have a logical presence on, and serve as
the Hybrid Proxy for, many links. In the parent domain, NS records
are used to delegate ownership of each defined link name
(e.g., "Building 1.example.com")
to the Hybrid Proxy that serves the named link.
In other words, the Hybrid Proxy is the authoritative name
server for that subdomain.</t>
<?rfc needLines="6" ?>
<t>When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?")
the normal DNS delegation mechanism results in that query being
forwarded until it reaches the delegated authoritative name server
for that subdomain, namely the Hybrid Proxy on the link in question.
Like a conventional Unicast DNS server,
a Hybrid Proxy implements the usual Unicast DNS protocol
<xref target="RFC1034"/> <xref target="RFC1035"/> over UDP and TCP.
However, unlike a conventional Unicast DNS server that
generates answers from the data in its manually-configured zone file,
a Hybrid Proxy generates answers using Multicast DNS.
A Hybrid Proxy does this by consulting
its Multicast DNS cache and/or issuing Multicast DNS queries for
the corresponding Multicast DNS name, type and class,
(e.g., in this case, "_printer._tcp.local. PTR ?").
Then, from the received Multicast DNS data, the Hybrid Proxy
synthesizes the appropriate Unicast DNS response.</t>
<t>Naturally, the existing Multicast DNS caching mechanism is used
to avoid issuing unnecessary Multicast DNS queries on the wire. The
Hybrid Proxy is acting as a client of the underlying Multicast DNS
subsystem, and benefits from the same caching and efficiency
measures as any other client using that subsystem.</t>
<?rfc needLines="7" ?>
<section title="Domain Enumeration">
<t>The administrator creates Domain Enumeration
PTR records <xref target="RFC6763"/>
to inform clients of available service discovery domains, e.g.,:</t>
<figure><artwork>
b._dns-sd._udp.example.com.  PTR Building 1.example.com.
                             PTR Building 2.example.com.
                             PTR Building 3.example.com.
                             PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com.</artwork></figure>
<t>The "b" ("browse") records tell the client device the
list of browsing domains to display for the user to select from
and the "db" ("default browse") record tells the client device
which domain in that list should be selected by default.
The "lb" ("legacy browse") record tells the client device which domain
to automatically browse on behalf of applications that don't implement
UI for multi-domain browsing (which is most of them, today).
The "lb" domain is usually the same as the "db" domain.</t>
<?rfc needLines="6" ?>
<t>DNS responses are limited to a maximum size of 65535 bytes.
This limits the maximum number of domains that can be returned for
a Domain Enumeration query, as follows:</t>
<t>A DNS response header is 12 bytes.
That's typically followed by a single qname (up to 256 bytes)
plus qtype (2 bytes) and qclass (2 bytes), leaving 65275
for the Answer Section.</t>
<t>An Answer Section Resource Record consists of:
<?rfc subcompact="yes" ?>
<list style='symbols'>
<t>Owner name, encoded as a two-byte compression pointer</t>
<t>Two-byte rrtype (type PTR)</t>
<t>Two-byte rrclass (class IN)</t>
<t>Four-byte ttl</t>
<t>Two-byte rdlength</t>
<t>rdata (domain name, up to 256 bytes)</t>
</list>
<?rfc subcompact="no" ?>
</t>
<t>This means that each Resource Record in the Answer Section can
take up to 268 bytes total, which means that the Answer Section
can contain, in the worst case, no more than 243 domains.</t>
<t>In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names
so that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that
the Answer Section can contain up to 466 domains.</t>
</section>
<?rfc needLines="30" ?>
<section title="Delegated Subdomain for LDH Host Names">
<t>The rules for DNS-SD service instance names and domains are
more permissive than the traditional rules for host names.</t>
<t>Users typically interact with DNS-SD by viewing a list of
discovered service instance names on the display and selecting
one of them by pointing, touching, or clicking.
Similarly, in software that provides a multi-domain DNS-SD user
interface, users view a list of offered domains on the display
and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance
names, or type them; users just have to be able to recognize what
they see on the display and click on the thing they want.</t>
<t>In contrast, host names are often remembered and typed.
Also, host names are often used in command-line interfaces
where spaces can be inconvenient. For this reason, host names have
traditionally been restricted to letters, digits and hyphens, with
no spaces or other punctuation.</t>
<t>While we still want to allow rich text for DNS-SD service
instance names and domains, it is advisable, for maximum
compatibility with existing software, to restrict host names
to the traditional letter-digit-hyphen rules.
This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com"
is acceptable and desirable
(it is displayed in a graphical user interface as an instance called
"My Printer" in the domain "Building 1" at "example.com"),
a host name "My-Printer.Building 1.example.com" is not advisable
(because of the space in "Building 1").</t>
<t>To accommodate this difference in allowable characters,
a Hybrid Proxy MUST support having two
subdomains delegated to it, one to be used for host names
(names of 'A' and 'AAAA' address records), which is restricted
to the traditional letter-digit-hyphen rules,
and another to be used for other records
(including the PTR, SRV and TXT records used by DNS-SD),
which is allowed to be arbitrary Net-Unicode text
<xref target="RFC5198"/>.</t>
<?rfc needLines="12" ?>
<t>For example, a Hybrid Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it.
The Hybrid Proxy would then translate these two Multicast DNS records:</t>
<figure><artwork>
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 10.0.1.2</artwork></figure>
<t>into Unicast DNS records as follows:</t>
<figure><artwork>
My Printer._ipp._tcp.Building 1.example.com.
                        SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 10.0.1.2</artwork></figure>
<t>Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com") and the address record
name is translated using the LDH domain ("bldg1.example.com").</t>
</section>
<?rfc needLines="36" ?>
<section title="Delegated Subdomain for Reverse Mapping">
<t>A Hybrid Proxy can facilitate easier management of reverse
mapping domains, particularly for IPv6 addresses where manual
management may be more onerous than it is for IPv4 addresses.</t>
<t>To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to
the Hybrid Proxy. In other words, the Hybrid Proxy becomes the
authoritative name server for the reverse mapping domain.</t>
<t>For example, if a given link is using the IPv4 subnet 10.1/16,
then the domain "1.10.in-addr.arpa"
is delegated to the Hybrid Proxy for that link.</t>
<t>If a given link is using the IPv6 prefix 2001:0DB8/32,
then the domain "8.b.d.0.1.0.0.2.ip6.arpa"
is delegated to the Hybrid Proxy for that link.</t>
<t>When a reverse mapping query arrives at the Hybrid Proxy, it issues
the identical query on its local link as a Multicast DNS query.<vspace/>
(In the Apple "/usr/include/dns_sd.h" APIs, using
ForceMulticast indicates that the DNSServiceQueryRecord()
call should perform the query using Multicast DNS.)
When the host owning that IPv4 or IPv6 address responds
with a name of the form "something.local", the Hybrid Proxy
rewrites that to use its configured LDH host name domain instead
of "local" and returns the response to the caller.</t>
<t>For example, a Hybrid Proxy with the two subdomains
"1.10.in&nbhy;addr.arpa" and "bldg1.example.com" delegated to it
would translate this Multicast DNS record:</t>
<figure><artwork>
3.2.1.10.in-addr.arpa. PTR prnt.local.</artwork></figure>
<t>into this Unicast DNS response:</t>
<figure><artwork>
3.2.1.10.in-addr.arpa. PTR prnt.bldg1.example.com.</artwork></figure>
<t>Subsequent queries for the prnt.bldg1.example.com address
record, falling as it does within the bldg1.example.com domain,
which is delegated to the Hybrid Proxy, will arrive at the Hybrid
Proxy, where they are answered by issuing Multicast DNS queries
and using the received Multicast DNS answers to synthesize Unicast
DNS responses, as described above.</t>
</section>
<?rfc needLines="36" ?>
<section title="Data Translation">
<t>Generating the appropriate Multicast DNS queries involves,
at the very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side
to "local" on the Multicast DNS side.</t>
<t>Generating the appropriate Unicast DNS responses involves
translating back from "local" to the configured DNS Unicast domain.</t>
<t>Other beneficial translation and filtering operations are described below.</t>
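<t>The translation rules of the "Delegated Subdomain for LDH Host Names" and "Delegated Subdomain for Reverse Mapping" sections, together with the suffix swap described here, as an added Python example (not code from this draft or from any Hybrid Proxy implementation). It assumes one link configured with the rich-text domain "Building 1.example.com", the LDH domain "bldg1.example.com" and the reverse domain "1.10.in-addr.arpa", all taken from the examples above; the LinkConfig and RR types are this example's own.</t>
<figure><artwork>
```python
"""Hybrid Proxy name translation: added example, not code from the draft.

Assumed per-link configuration (constructed from the examples in this draft):
  rich-text domain "Building 1.example.com." for DNS-SD PTR/SRV/TXT owner names,
  LDH domain "bldg1.example.com." for host names (A/AAAA owners, SRV targets),
  reverse domain "1.10.in-addr.arpa." delegated for the link's 10.1/16 subnet.
"""
from dataclasses import dataclass

MDNS_SUFFIX = "local."


@dataclass(frozen=True)
class LinkConfig:
    rich_domain: str        # arbitrary Net-Unicode text allowed (may contain spaces)
    ldh_domain: str         # letters, digits and hyphens only
    reverse_domains: tuple  # in-addr.arpa / ip6.arpa zones delegated to this proxy


@dataclass(frozen=True)
class RR:
    name: str   # fully qualified owner name, trailing dot
    rtype: str  # "A", "AAAA", "PTR", "SRV", "TXT", ...
    rdata: str  # presentation form; for SRV "prio weight port target"


def _has_suffix(name, suffix):
    """Case-insensitive match on a label boundary (name equals suffix, or ends in "." plus suffix)."""
    n, s = name.lower(), suffix.lower()
    return n == s or n.endswith("." + s)


def _swap_suffix(name, old, new):
    """Replace trailing domain 'old' with 'new'; None if 'old' is not the suffix."""
    if not _has_suffix(name, old):
        return None
    return name[: len(name) - len(old)] + new


def _is_reverse(name):
    return _has_suffix(name, "in-addr.arpa.") or _has_suffix(name, "ip6.arpa.")


def unicast_to_mdns(qname, cfg):
    """Map an incoming Unicast DNS query name to the name to ask for on the link.

    Returns None when the name lies in no subdomain delegated to this proxy,
    so the proxy must not answer for it.
    """
    for domain in (cfg.rich_domain, cfg.ldh_domain):
        mapped = _swap_suffix(qname, domain, MDNS_SUFFIX)
        if mapped is not None:
            return mapped
    for rev in cfg.reverse_domains:
        if _has_suffix(qname, rev):
            return qname  # reverse-mapping queries are issued on the link unchanged
    return None


def mdns_to_unicast(rr, cfg):
    """Rewrite one received Multicast DNS record into its Unicast DNS form.

    Host names (A/AAAA owners, SRV targets, reverse PTR targets) move to the LDH
    domain; DNS-SD names (service PTR/SRV/TXT owners, service PTR targets) move
    to the rich-text domain. Returns None for records not under ".local.".
    """
    if _is_reverse(rr.name):
        target = _swap_suffix(rr.rdata, MDNS_SUFFIX, cfg.ldh_domain)
        return None if target is None else RR(rr.name, rr.rtype, target)
    owner_domain = cfg.ldh_domain if rr.rtype in ("A", "AAAA") else cfg.rich_domain
    name = _swap_suffix(rr.name, MDNS_SUFFIX, owner_domain)
    if name is None:
        return None
    rdata = rr.rdata
    if rr.rtype == "SRV":
        prio, weight, port, target = rdata.split(" ", 3)
        target = _swap_suffix(target, MDNS_SUFFIX, cfg.ldh_domain) or target
        rdata = " ".join((prio, weight, port, target))
    elif rr.rtype == "PTR":
        rdata = _swap_suffix(rdata, MDNS_SUFFIX, cfg.rich_domain) or rdata
    return RR(name, rr.rtype, rdata)


# Constructed configuration matching the two examples in this draft.
BUILDING_1 = LinkConfig("Building 1.example.com.", "bldg1.example.com.",
                        ("1.10.in-addr.arpa.",))

if __name__ == "__main__":
    for rec in (RR("My Printer._ipp._tcp.local.", "SRV", "0 0 631 prnt.local."),
                RR("prnt.local.", "A", "10.0.1.2"),
                RR("3.2.1.10.in-addr.arpa.", "PTR", "prnt.local.")):
        print(mdns_to_unicast(rec, BUILDING_1))
```
</artwork></figure>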
<section title="DNS TTL limiting">
<t>For efficiency, Multicast DNS typically uses moderately high
DNS TTL values. For example, the typical TTL on DNS-SD PTR records
is 75 minutes. What makes these moderately high TTLs acceptable
is the cache coherency mechanisms built in to the Multicast DNS
protocol which protect against stale data persisting for too long.
When a service shuts down gracefully, it sends goodbye packets
to remove its PTR records immediately from neighbouring caches.
If a service shuts down abruptly without sending goodbye packets,
the Passive Observation Of Failures (POOF) mechanism described
in Section 10.5 of the Multicast DNS specification <xref target="RFC6762"/>
comes into play to purge the cache of stale data.</t>
<t>A Unicast DNS client on a remote link does not get to participate
in these Multicast DNS cache coherency mechanisms on the local link.
For Unicast DNS requests received without any LLQ option
the DNS TTLs reported in the resulting Unicast DNS response
SHOULD be capped to be no more than ten seconds.
For received Unicast DNS requests that contain an LLQ option,
the Multicast DNS record's TTL SHOULD be returned unmodified,
because the LLQ notification channel exists to inform the remote
client as records come and go.
For further details about the LLQ option, see <xref target="aggregation"/>.
</t>
</section>
<section title="Suppressing Unusable Records">
<t>A Hybrid Proxy SHOULD suppress Unicast DNS answers
for records that are not useful outside the local link.
For example, DNS A and AAAA records for
IPv4 link-local addresses <xref target="RFC3927"/> and
IPv6 link-local addresses <xref target="RFC4862"/> should be suppressed.
Similarly, for sites that have multiple private address realms <xref target="RFC1918"/>,
private addresses from one private address realm should not be
communicated to clients in a different private address realm.</t>
<t>By the same logic, DNS SRV records that reference target host
names that have no addresses usable by the requester should be
suppressed, and likewise, DNS PTR records that point to unusable
SRV records should similarly be suppressed.</t>
</section>
<?rfc needLines="26" ?>
<section title="Application-Specific Data Translation">
<t>There may be cases where Application-Specific Data Translation is appropriate.</t>
<t>For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record.
This information is a legacy from LPR printing, because LPR does not
have in-band capability negotiation, so all of this information is
conveyed using the DNS-SD TXT record instead.
IPP printing does have in-band capability negotiation, but for
convenience printers tend to include the same capability information
in their IPP DNS-SD TXT records as well. For local mDNS use this
extra TXT record information is inefficient, but not fatal.
However, when a Hybrid Proxy aggregates data from multiple printers
on a link, and sends it via unicast (via UDP or TCP)
this amount of unnecessary TXT record information can
result in large responses. Therefore, a Hybrid Proxy that is aware of
the specifics of an application-layer protocol such as Apple's
AirPrint (which uses IPP) can elide unnecessary key/value pairs from
the DNS-SD TXT record for better network efficiency.</t>
<t>Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing.
It is frequently the case that it is wise to start with a clean,
layered design, with clear boundaries. Then, in certain special cases,
those layer boundaries may be violated, where the performance and
efficiency benefits outweigh the inelegance of the layer violation.</t>
<t>As in other similar situations, these layer violations are optional.
They are done only for efficiency reasons, and are not required for
correct operation. A Hybrid Proxy can operate solely at the mDNS layer,
without any knowledge of semantics at the DNS-SD layer or above.</t>
</section>
</section>
<?rfc needLines="16" ?>
<section anchor="aggregation" title="Answer Aggregation">
<t>In a simple analysis, gathering multicast answers and forwarding them
in a unicast response seems adequate, but it raises the
question of how long the Hybrid Proxy should wait to be sure that it has received
all the Multicast DNS answers it needs to form a complete Unicast DNS response.
If it waits too little time, then it risks its Unicast DNS response being incomplete.
If it waits too long, then it creates a poor user experience at the client end.
In fact, there may be no time which is both short enough to produce a good
user experience and at the same time long enough to reliably produce
complete results.</t>
<t>Similarly, the Hybrid Proxy
-- the authoritative name server for the subdomain in question --
needs to decide what DNS TTL to report for these records.
If the TTL is too long then the recursive (caching) name servers
issuing queries on behalf of their clients risk caching stale
data for too long. If the TTL is too short then the amount of
network traffic will be more than necessary.
In fact, there may be no TTL which is both short enough to avoid
undesirable stale data and at the same time long enough to be
efficient on the network.</t>
<t>These dilemmas are solved by use of DNS Long-Lived Queries (DNS LLQ)
<xref target="I-D.sekar-dns-llq"/>. The Hybrid Proxy responds immediately to the
Unicast DNS query using the Multicast DNS records it already has in its cache (if any).
This provides a good client user experience by providing a near-instantaneous
response. Simultaneously, the Hybrid Proxy issues a Multicast DNS query on the
local link to discover if there are any additional Multicast DNS records it
did not already know about. Should additional Multicast DNS responses be
received, these are then delivered to the client using DNS LLQ update messages.
The timeliness of such LLQ updates is limited only by the timeliness of the
device responding to the Multicast DNS query. If the Multicast DNS device
responds quickly, then the LLQ update is delivered quickly. If the Multicast
DNS device responds slowly, then the LLQ update is delivered slowly.
The benefit of using LLQ is that the Hybrid Proxy can respond promptly
because it doesn't have to delay its unicast response to allow for
the expected worst-case delay for receiving all the Multicast DNS responses.
Even if a proxy were to try to provide reliability by assuming an
excessively pessimistic worst-case time (thereby giving a very
poor user experience) there would still be the risk of a slow
Multicast DNS device taking even longer than that (e.g., a device
that is not even powered on until ten seconds after the initial
query is received) resulting in incomplete responses. Using LLQs solves
this dilemma: even very late responses are not lost; they are delivered
in subsequent LLQ update messages.</t>
<?rfc needLines="16" ?>
<t>There are two factors that determine specifically how responses
are generated:</t>
<t>The first factor is whether the query from the client included
the LLQ option (typical with long-lived service browsing PTR queries)
or not (typical with one-shot operations like SRV or address record queries).
Note that queries containing the LLQ option are received directly
from the client (see <xref target="llq"/>).
Queries containing no LLQ option are generally received via the
client's configured recursive (caching) name server.</t>
<t>The second factor is whether the Hybrid Proxy already has at least
one record in its cache that positively answers the question.
<list style='symbols'>
<t>No LLQ option; no answer in cache:<vspace/>
Do local mDNS query up to three times, return answers if received,
otherwise return negative response if no answer after three tries.<vspace/>
DNS TTLs in responses are capped to at most ten seconds.</t>
<t>No LLQ option; at least one answer in cache:<vspace/>
Send response right away to minimise delay.<vspace/>
DNS TTLs in responses are capped to at most ten seconds.<vspace/>
No local mDNS queries are performed.<vspace/>
(Reasoning: Given RRSet TTL harmonisation, if the proxy has
one Multicast DNS answer in its cache, it can reasonably
assume that it has all of them.)</t>
<t>Query contains LLQ option; no answer in cache:<vspace/>
As above, do local mDNS query up to three times,
and return answers if received.<vspace/>
If no answer after three tries, return negative response.
(Reasoning: We don't need to rush to send an empty answer.)<vspace/>
In both cases the query remains active for as long as the
client maintains the LLQ state, and if mDNS answers are
received later, LLQ update messages are sent.<vspace/>
DNS TTLs in responses are returned unmodified.</t>
<t>Query contains LLQ option; at least one answer in cache:<vspace/>
As above, send response right away to minimise delay.<vspace/>
The query remains active for as long as the client
maintains the LLQ state, and if additional mDNS answers are
received later, LLQ update messages are sent.<vspace/>
(Reasoning: We want UI that is displayed very rapidly, yet continues
to remain accurate even as the network environment changes.)<vspace/>
DNS TTLs in responses are returned unmodified.</t>
</list>
Note that the "negative responses" referred to above are
"no error no answer" negative responses, not NXDOMAIN.
This is because the Hybrid Proxy cannot know all the Multicast
DNS domain names that may exist on a link at any given time,
so any name with no answers may have child names that do exist,
making it an "empty nonterminal" name.</t>
<section anchor="llq" title="Discovery of LLQ Service">
<t>To issue LLQ queries, clients need to communicate directly
with the authoritative Hybrid Proxy. The procedure by which
the client locates the authoritative Hybrid Proxy is described
in the LLQ specification <xref target="I-D.sekar-dns-llq"/>.</t>
<t>Briefly, the procedure is as follows:
To discover the LLQ service for a given domain name,
a client first performs DNS zone apex discovery and then,
having discovered &lt;apex&gt;, issues a DNS query
for the SRV record with the name _dns&nbhy;llq._udp.&lt;apex&gt;
to find the target host and port for the LLQ service for that zone.
By default LLQ service runs on port 5352, but since SRV records
are used, the LLQ service can be offered on any port.</t>
<t>A client performs DNS zone apex discovery using the procedure below:
<list style='numbers'>
<t>The client issues a DNS query for the SOA record with
the given domain name.</t>
<t>A conformant recursive (caching) name server will either
send a positive response, or a negative response containing the
SOA record of the zone apex in the Authority Section.</t>
<t>If the name server sends a negative response that does not
contain the SOA record of the zone apex, the client trims
the first label off the given domain name and returns to
step 1 to try again.</t>
</list>
By this method, the client iterates until it learns the name
of the zone apex, or (in pathological failure cases) reaches
the root and gives up.</t>
<t>Normal DNS caching is used to avoid repetitive queries on the wire.</t>
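<t>The zone apex discovery loop above, as an added Python example (not code from this draft or the LLQ specification). The FakeResolver stand-in for a recursive name server and its zone list are constructed; its non-conformant mode exercises the label-trimming step.</t>
<figure><artwork>
```python
"""Zone apex discovery for locating the LLQ service: added example, not code
from the draft or the LLQ specification. The resolver below is a constructed
stand-in for a recursive name server; zone names are the draft's examples."""
from dataclasses import dataclass

LLQ_SERVICE_PREFIX = "_dns-llq._udp."


@dataclass(frozen=True)
class SoaReply:
    positive: bool      # the queried name itself owns an SOA record
    authority_soa: str  # apex named by the SOA in the Authority Section, or ""


def _parent(name):
    """Trim the leftmost label; a top-level label's parent is the root (".")."""
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def find_zone_apex(name, query_soa, max_queries=64):
    """Iterate the three-step procedure until the apex is known.

    query_soa(name) returns a SoaReply. Returns (apex, queries_issued); apex is
    None when the walk reaches the root without learning an apex.
    """
    queries = 0
    while name != "." and max_queries > queries:
        reply = query_soa(name)
        queries += 1
        if reply.positive:
            return name, queries                  # the name is the apex itself
        if reply.authority_soa:
            return reply.authority_soa, queries   # conformant negative response
        name = _parent(name)                      # step 3: trim a label and retry
    return None, queries


def llq_srv_name(apex):
    """Name of the SRV record that gives the LLQ service's host and port."""
    return LLQ_SERVICE_PREFIX + apex


class FakeResolver:
    """Constructed recursive name server knowing a fixed set of zones.

    With conformant=False its negative responses omit the apex SOA, which
    forces the client onto the label-trimming path.
    """
    def __init__(self, zones, conformant=True):
        self.zones = sorted(zones, key=len, reverse=True)  # most specific first
        self.conformant = conformant
        self.log = []  # names queried, in order

    def soa(self, name):
        self.log.append(name)
        n = name.lower()
        for zone in self.zones:
            if n == zone.lower():
                return SoaReply(True, "")
        for zone in self.zones:
            if n.endswith("." + zone.lower()):
                return SoaReply(False, zone if self.conformant else "")
        return SoaReply(False, "")


if __name__ == "__main__":
    resolver = FakeResolver(("example.com.", "Building 1.example.com."), conformant=False)
    apex, count = find_zone_apex("_printer._tcp.Building 1.example.com.", resolver.soa)
    print(apex, count, llq_srv_name(apex), resolver.log)
```
</artwork></figure>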
</section>
</section>
</section>
<?rfc needLines="19" ?>
<section anchor="implementation" title="Implementation Status">
<t>Some aspects of the mechanism specified in this document already exist in
deployed software. Some aspects are new. This section outlines which aspects
already exist and which are new.</t>
<section title="Already Implemented and Deployed">
<t>Domain enumeration by the client (the
"b._dns-sd._udp" queries) is already implemented and deployed.</t>
<t>Unicast queries to the indicated discovery domain are already
implemented and deployed.</t>
<t>These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhones and iPads),
in Bonjour for Windows,
and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t>
<t>Domain enumeration and unicast querying have been
used for several years at IETF meetings to make Terminal Room
printers discoverable from outside the Terminal room. When you
Press Cmd-P on your Mac, or select AirPrint on your iPad or
iPhone, and the Terminal room printers appear, that is because
your client is doing unicast DNS queries to the IETF DNS servers.</t>
</section>
<section title="Partially Implemented">
<t>The current APIs make multiple domains visible to client
software, but most client UI today lumps all discovered services
into a single flat list. This is largely a chicken-and-egg
problem. Application writers were naturally reluctant to spend
time writing domain-aware UI code when few customers today would
benefit from it. If Hybrid Proxy deployment becomes common, then
application writers will have a reason to provide better UI.
Existing applications will work with the Hybrid Proxy, but will
show all services in a single flat list. Applications with
improved UI will group services by domain.</t>
<t>The Long-Lived Query mechanism <xref target="I-D.sekar-dns-llq"/>
referred to in this specification exists and is deployed,
but has not been standardized by the IETF. It is possible that the
IETF may choose to standardize a different or better Long-Lived Query mechanism.
In that case, the pragmatic deployment approach would be for vendors
to produce Hybrid Proxies that implement both the deployed
Long-Lived Query mechanism <xref target="I-D.sekar-dns-llq"/>
(for today's clients) and a new IETF Standard Long-Lived Query
mechanism (as the future long-term direction).</t>
<t>The translating/filtering Hybrid Proxy specified in this document is
itself partially implemented: implementations are under development, and
operational experience with these implementations has guided updates to
this document.</t>
</section>
<section title="Not Yet Implemented">
<t>A mechanism to 'stitch' together multiple ".local." zones so
that they appear as one. Such a mechanism will be specified in a
future companion document.</t>
</section>
</section>
<?rfc needLines="19" ?>
<section title="IPv6 Considerations">
<t>An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet, neither is aware
of the other's traffic. For this reason, each physical link may have
*two* unrelated ".local." zones, one for IPv4 and one for IPv6.
Since for practical purposes, a group of IPv4-only hosts and a group
of IPv6-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if
they really were on two entirely separate Ethernet segments.</t>
<t>It will be desirable to have a mechanism to 'stitch' together
these two unrelated ".local." zones so that they appear as one.
Such a mechanism will need to be able to differentiate between a
dual-stack (v4/v6) host participating in both ".local."
zones, and two different hosts, one IPv4-only and the other IPv6-only,
which are both trying to use the same name(s). Such a mechanism
will be specified in a future companion document.</t>
</section>
<?rfc needLines="19" ?>
<section title="Security Considerations">
<section title="Authenticity">
<t>A service proves its presence on a link by its ability to
answer link-local multicast queries on that link.
If greater security is desired, then the Hybrid Proxy mechanism
should not be used, and something with stronger security should
be used instead, such as authenticated secure DNS Update
<xref target="RFC2136"/> <xref target="RFC3007"/>.</t>
</section>
<section title="Privacy">
<t>The Domain Name System is, generally speaking, a global public database.
Records that exist in the Domain Name System name hierarchy
can be queried by name from, in principle, anywhere in the world.
If services on a mobile device (like a laptop computer) are made visible
via the Hybrid Proxy mechanism, then when those services become visible
in a domain such as "My House.example.com" that might indicate to
(potentially hostile) observers that the mobile device is in my house.
When those services disappear from "My House.example.com"
that change could be used by observers to infer when the
mobile device (and possibly its owner) may have left the house.
The privacy of this information may be protected using techniques
like firewalls and split-view DNS, as are customarily used today
to protect the privacy of corporate DNS information.</t>
</section>
<section title="Denial of Service">
<t>A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Hybrid Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local links.
Multicast traffic is expensive -- especially on Wi-Fi links --
which makes this attack particularly serious.
To limit the damage that can be caused by such attacks, a Hybrid Proxy
(or the underlying Multicast DNS subsystem which it utilizes) MUST
implement Multicast DNS query rate limiting appropriate to the link
technology in question. For Wi-Fi links the Multicast DNS subsystem
SHOULD NOT issue more than 20 Multicast DNS query packets per second.
On other link technologies like Gigabit Ethernet higher limits
may be appropriate.</t>
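<t>The following is an added example, not code from this document or from
any Hybrid Proxy implementation. It models the mitigation described above:
a per-link token bucket caps the rate at which unicast queries are
translated into Multicast DNS queries, so a flood of unique unicast queries
is absorbed instead of being replayed as multicast. The 20 packets/second
Wi-Fi limit is the figure given in this section; the Ethernet figure, the
cache TTL, the class and function names, and the sample attack traffic are
all constructed assumptions for the example.</t>

```python
"""Added example: per-link multicast query rate limiting for a Hybrid Proxy.

Each unicast query the proxy cannot answer from cache would otherwise become
a Multicast DNS query on the local link, so a remote sender of many unique
unicast queries can turn the proxy into a multicast flood source. A token
bucket per link caps the multicast query rate. The 20 pps Wi-Fi figure is
from the draft's Denial of Service section; the Ethernet figure is a
constructed placeholder. The cache model is a deliberate simplification.
"""
from collections import Counter

# Per-link-technology limits in Multicast DNS query packets per second.
LINK_LIMITS_PPS = {
    "wifi": 20,       # figure given in the draft
    "ethernet": 200,  # constructed placeholder; the draft only says "higher"
}


class MdnsQueryRateLimiter:
    """Token bucket: on average at most `rate` multicast queries per second,
    with a burst allowance of one second's worth of queries (assumption)."""

    def __init__(self, link_type, now):
        self.rate = LINK_LIMITS_PPS[link_type]
        self.capacity = float(self.rate)
        self.tokens = self.capacity
        self.last = now
        self.sent = 0
        self.dropped = 0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def allow(self, now):
        """Return True if one multicast query may be issued at time `now`."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.sent += 1
            return True
        self.dropped += 1
        return False


class HybridProxyLink:
    """One local link served by the proxy. Names recently resolved via
    multicast are answered from cache; everything else passes through the
    limiter. Simplification: a multicast query is assumed to yield an answer
    that stays cached for `cache_ttl` seconds."""

    def __init__(self, link_type, now, cache_ttl=5.0):
        self.limiter = MdnsQueryRateLimiter(link_type, now)
        self.cache_ttl = cache_ttl
        self.cache = {}  # name -> cache expiry time

    def handle_unicast_query(self, name, now):
        """Classify one incoming unicast query as 'cache', 'multicast' or
        'dropped'. 'dropped' means no multicast query is issued; the unicast
        client is answered from whatever the proxy already has, or not at all."""
        expiry = self.cache.get(name)
        if expiry is not None and expiry > now:
            return "cache"
        if self.limiter.allow(now):
            self.cache[name] = now + self.cache_ttl
            return "multicast"
        return "dropped"


def simulate(link_type, arrivals):
    """Run a list of (time, name) unicast queries through one proxy link and
    return a Counter of outcomes."""
    start = arrivals[0][0] if arrivals else 0.0
    link = HybridProxyLink(link_type, now=start)
    outcomes = Counter()
    for t, name in arrivals:
        outcomes[link.handle_unicast_query(name, t)] += 1
    return outcomes


def flood(t, n, prefix="host"):
    """Constructed sample traffic: n unique service names arriving at time t."""
    return [(t, f"{prefix}{i}._http._tcp.My House.example.com.") for i in range(n)]


if __name__ == "__main__":
    # 100 unique queries at t=0 and 100 more at t=1 on a Wi-Fi link: at most
    # 20 multicast packets per second are issued, the remainder are dropped.
    print(simulate("wifi", flood(0.0, 100) + flood(1.0, 100, "other")))
    # The same burst on Ethernet, with the (placeholder) higher limit.
    print(simulate("ethernet", flood(0.0, 100)))
```

<t>The bucket size equals one second of the link's limit, so a short burst
is tolerated but the sustained multicast rate never exceeds the limit; the
counters on the limiter are what an operator would export to detect that
a proxy is being driven at its ceiling.</t>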
</section>
</section>
<?rfc needLines="10" ?>
<section title="Intellectual Property Rights">
<t>Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on
<xref target="IPR2119">the IETF IPR disclosure page</xref>.</t>
</section>
<section title="IANA Considerations">
<t>This document has no IANA Considerations.</t>
</section>
<section title="Acknowledgments">
<t>Thanks to Markus Stenberg for helping develop the policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to Andrew Yourtchenko for comments about privacy issues.
[Partial list; more names to be added.]</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.1034" ?>
<?rfc include="reference.RFC.1035" ?>
<?rfc include="reference.RFC.1918" ?>
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.3927" ?>
<?rfc include="reference.RFC.4862" ?>
<?rfc include="reference.RFC.5198" ?>
<reference anchor='RFC6762'>
<front>
<title>Multicast DNS</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'><organization /></author>
<author initials='M' surname='Krochmal' fullname='Marc Krochmal'><organization /></author>
<date year='2012' month='December' />
<abstract>
<t>As networked devices become smaller, more portable, and
more ubiquitous, the ability to operate with less configured
infrastructure is increasingly important. In particular,
the ability to look up DNS resource record data types
(including, but not limited to, host names) in the absence
of a conventional managed DNS server is useful.</t>
<t>Multicast DNS (mDNS) provides the ability to perform
DNS-like operations on the local link in the absence of any
conventional unicast DNS server. In addition, Multicast DNS
designates a portion of the DNS namespace to be free for
local use, without the need to pay any annual fee, and
without the need to set up delegations or otherwise
configure a conventional DNS server to answer for those names.</t>
<t>The primary benefits of Multicast DNS names are that (i)
they require little or no administration or configuration to
set them up, (ii) they work when no infrastructure is
present, and (iii) they work during infrastructure failures.</t>
</abstract>
</front>
<seriesInfo name='RFC' value='6762' />
<format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6762.txt' />
</reference>
<reference anchor='RFC6763'>
<front>
<title>DNS-Based Service Discovery</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'><organization /></author>
<author initials='M' surname='Krochmal' fullname='Marc Krochmal'><organization /></author>
<date year='2012' month='December' />
<abstract><t>This document specifies how DNS resource records are named and structured
to facilitate service discovery. Given a type of service that a client is looking for,
and a domain in which the client is looking for that service, this allows clients to
discover a list of named instances of that desired service, using standard DNS
queries. This is referred to as DNS-based Service Discovery, or DNS-SD.</t></abstract>
</front>
<seriesInfo name='RFC' value='6763' />
<format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6763.txt' />
</reference>
<?rfc include="reference.I-D.sekar-dns-llq" ?>
</references>
<?rfc needLines="6" ?>
<references title="Informative References">
<reference anchor='HOME'>
<front>
<title>Special Use Top Level Domain 'home'</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'><organization /></author>
<date year='2014' month='November' />
<abstract><t>This document specifies usage of the top-level
domain "home", for names that are meaningful and resolvable
within some scope smaller than the entire global Internet, but
larger than the single link supported by Multicast DNS.</t></abstract>
</front>
<seriesInfo name='Internet-Draft' value='draft-cheshire-homenet-dot-home' />
<format type='TXT' target='http://www.ietf.org/id/draft-cheshire-homenet-dot-home' />
</reference>
<reference anchor="IPR2119" target="https://datatracker.ietf.org/ipr/2119/">
<front>
<title>Apple Inc.'s Statement about IPR related to Hybrid Unicast/Multicast DNS-Based Service Discovery</title>
<author/>
<date/>
</front>
</reference>
<?rfc include="reference.RFC.2136" ?>
<?rfc include="reference.RFC.3007" ?>
<reference anchor='RFC6760'>
<front>
<title>Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'><organization /></author>
<author initials='M' surname='Krochmal' fullname='Marc Krochmal'><organization /></author>
<date year='2012' month='December' />
<abstract>
<t>One of the goals of the authors of Multicast DNS (mDNS)
and DNS-Based Service Discovery (DNS-SD) was to retire
AppleTalk and the AppleTalk Name Binding Protocol (NBP) and
to replace them with an IP-based solution. This document
presents a brief overview of the capabilities of AppleTalk
NBP and outlines the properties required of an IP-based replacement.</t>
</abstract>
</front>
<seriesInfo name='RFC' value='6760' />
<format type='TXT' target='http://www.rfc-editor.org/rfc/rfc6760.txt' />
</reference>
<reference anchor="ZC">
<front>
<title>Zero Configuration Networking: The Definitive Guide</title>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire"/>
<author initials="D.H." surname="Steinberg" fullname="Daniel H. Steinberg"/>
<date year="2005" month="December"/>
</front>
<seriesInfo name="O'Reilly Media, Inc." value=""/>
<seriesInfo name="ISBN" value="0-596-10100-7"/>
</reference>
</references>
</back>
</rfc>