<?xmlversion="1.0" encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM "rfc2629.dtd"> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- Check output with <http://tools.ietf.org/tools/idnits/> --> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.35) --> <!-- give errors regarding ID-nits and DTD validation --> <?rfc strict="yes" ?> <!-- control the table of contents (ToC) --> <!-- generate a ToC --> <?rfc toc="yes"?> <!-- the number of levels of subsections in ToC. default: 3 --> <?rfc tocdepth="3"?> <!-- control references --> <!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1] --> <?rfc symrefs="yes"?> <!-- sort the reference entries alphabetically --> <?rfc sortrefs="no" ?> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <!-- do not start each main section on a new page --> <?rfc compact="yes" ?> <!-- keep one blank line between list items --> <?rfc subcompact="no" ?> <!-- encourage use of "xml2rfc" tool --> <?rfc rfcprocack="yes" ?> <!-- end of list of popular I-D processing instructions -->version='1.0' encoding='utf-8'?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std" consensus="true" docName="draft-ietf-dnssd-hybrid-10"ipr="trust200902">indexInclude="true" ipr="trust200902" number="8766" prepTime="2020-06-22T20:59:58" scripts="Common,Latin" sortRefs="false" submissionType="IETF" symRefs="true" tocDepth="3" tocInclude="true" xml:lang="en"> <link href="https://datatracker.ietf.org/doc/draft-ietf-dnssd-hybrid-10" rel="prev"/> <link href="https://dx.doi.org/10.17487/rfc8766" rel="alternate"/> <link href="urn:issn:2070-1721" rel="alternate"/> <front> <titleabbrev='Multicastabbrev="Multicast Service DiscoveryProxy'>DiscoveryProxy">Discovery Proxy for Multicast DNS-Based Service Discovery</title> <seriesInfo name="RFC" value="8766" stream="IETF"/> <authorinitials='S.' surname='Cheshire' fullname='Stuart Cheshire'> <organization>Appleinitials="S." surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true">Apple Inc.</organization> <address> <postal> <street>One Apple Park Way</street> <city>Cupertino</city> <region>California</region> <code>95014</code><country>USA</country><country>United States of America</country> </postal> <phone>+1 (408) 996-1010</phone> <email>cheshire@apple.com</email> </address> </author> <dateyear='2019' month='March' day='24'/> <area>Internet</area> <workgroup>Internet Engineering Task Force</workgroup>month="06" year="2020"/> <area>INT</area> <workgroup>DNSSD</workgroup> <keyword>Multicast DNS</keyword> <keyword>DNS-Based Service Discovery</keyword><keyword>RFC</keyword> <keyword>Request for Comments</keyword> <keyword>I-D</keyword> <keyword>Internet-Draft</keyword> <abstract> <t>This<abstract pn="section-abstract"> <t pn="section-abstract-1">This document specifies a network proxy that uses Multicast DNS to automatically populate the wide-area unicast Domain Name System namespace with records describing devices and services found on the local link.</t> </abstract></front> <middle> <?rfc needLines="31" ?> <section title="Introduction"> <t><xref target="RFC6762">Multicast DNS</xref> and its companion technology DNS-based Service Discovery <xref target="RFC6763"/> were created to provide IP networking with the ease-of-use and autoconfiguration for which AppleTalk was well known <xref target="RFC6760"/> <xref target="ZC"/> <xref target="Roadmap"/>.</t> <t>For a small home network consisting<boilerplate> <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1"> <name slugifiedName="name-status-of-this-memo">Status ofjust a single link (or a few physical links bridged together to appear asThis Memo</name> <t pn="section-boilerplate.1-1"> This is an Internet Standards Track document. </t> <t pn="section-boilerplate.1-2"> This document is asingle logical link from the pointproduct ofviewthe Internet Engineering Task Force (IETF). It represents the consensus ofIP) <xref target="RFC6762">Multicast DNS</xref> is sufficientthe IETF community. It has received public review and has been approved forclient devices to look uppublication by the".local" host names of peersInternet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. </t> <t pn="section-boilerplate.1-3"> Information about thesame home network,current status of this document, any errata, and how touse Multicast <xref target="RFC6763">DNS-Based Service Discovery (DNS-SD)</xref>provide feedback on it may be obtained at <eref target="https://www.rfc-editor.org/info/rfc8766" brackets="none"/>. </t> </section> <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2"> <name slugifiedName="name-copyright-notice">Copyright Notice</name> <t pn="section-boilerplate.2-1"> Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. </t> <t pn="section-boilerplate.2-2"> This document is subject todiscover services offeredBCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect onthat home network.</t> <t>For a larger network consistingthe date ofmultiple links that are interconnected using IP-layer routing insteadpublication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. </t> </section> </boilerplate> <toc> <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1"> <name slugifiedName="name-table-of-contents">Table of Contents</name> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1"> <li pn="section-toc.1-1.1"> <t keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t> </li> <li pn="section-toc.1-1.2"> <t keepWithNext="true" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-operational-analogy">Operational Analogy</xref></t> </li> <li pn="section-toc.1-1.3"> <t keepWithNext="true" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-conventions-and-terminology">Conventions and Terminology Used in This Document</xref></t> </li> <li pn="section-toc.1-1.4"> <t pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-compatibility-consideration">Compatibility Considerations</xref></t> </li> <li pn="section-toc.1-1.5"> <t pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-discovery-proxy-operation">Discovery Proxy Operation</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2"> <li pn="section-toc.1-1.5.2.1"> <t pn="section-toc.1-1.5.2.1.1"><xref derivedContent="5.1" format="counter" sectionFormat="of" target="section-5.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-delegated-subdomain-for-dns">Delegated Subdomain for DNS-based Service Discovery Records</xref></t> </li> <li pn="section-toc.1-1.5.2.2"> <t pn="section-toc.1-1.5.2.2.1"><xref derivedContent="5.2" format="counter" sectionFormat="of" target="section-5.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-domain-enumeration">Domain Enumeration</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2.2.2"> <li pn="section-toc.1-1.5.2.2.2.1"> <t pn="section-toc.1-1.5.2.2.2.1.1"><xref derivedContent="5.2.1" format="counter" sectionFormat="of" target="section-5.2.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-domain-enumeration-via-unic">Domain Enumeration via Unicast Queries</xref></t> </li> <li pn="section-toc.1-1.5.2.2.2.2"> <t pn="section-toc.1-1.5.2.2.2.2.1"><xref derivedContent="5.2.2" format="counter" sectionFormat="of" target="section-5.2.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-domain-enumeration-via-mult">Domain Enumeration via Multicast Queries</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.5.2.3"> <t pn="section-toc.1-1.5.2.3.1"><xref derivedContent="5.3" format="counter" sectionFormat="of" target="section-5.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-delegated-subdomain-for-ldh">Delegated Subdomain for LDH Host Names</xref></t> </li> <li pn="section-toc.1-1.5.2.4"> <t pn="section-toc.1-1.5.2.4.1"><xref derivedContent="5.4" format="counter" sectionFormat="of" target="section-5.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-delegated-subdomain-for-rev">Delegated Subdomain for Reverse Mapping</xref></t> </li> <li pn="section-toc.1-1.5.2.5"> <t pn="section-toc.1-1.5.2.5.1"><xref derivedContent="5.5" format="counter" sectionFormat="of" target="section-5.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-data-translation">Data Translation</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2.5.2"> <li pn="section-toc.1-1.5.2.5.2.1"> <t pn="section-toc.1-1.5.2.5.2.1.1"><xref derivedContent="5.5.1" format="counter" sectionFormat="of" target="section-5.5.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dns-ttl-limiting">DNS TTL Limiting</xref></t> </li> <li pn="section-toc.1-1.5.2.5.2.2"> <t pn="section-toc.1-1.5.2.5.2.2.1"><xref derivedContent="5.5.2" format="counter" sectionFormat="of" target="section-5.5.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-suppressing-unusable-record">Suppressing Unusable Records</xref></t> </li> <li pn="section-toc.1-1.5.2.5.2.3"> <t pn="section-toc.1-1.5.2.5.2.3.1"><xref derivedContent="5.5.3" format="counter" sectionFormat="of" target="section-5.5.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-nsec-and-nsec3-queries">NSEC and NSEC3 Queries</xref></t> </li> <li pn="section-toc.1-1.5.2.5.2.4"> <t pn="section-toc.1-1.5.2.5.2.4.1"><xref derivedContent="5.5.4" format="counter" sectionFormat="of" target="section-5.5.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-no-text-encoding-translatio">No Text-Encoding Translation</xref></t> </li> <li pn="section-toc.1-1.5.2.5.2.5"> <t pn="section-toc.1-1.5.2.5.2.5.1"><xref derivedContent="5.5.5" format="counter" sectionFormat="of" target="section-5.5.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-application-specific-data-t">Application-Specific Data Translation</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.5.2.6"> <t pn="section-toc.1-1.5.2.6.1"><xref derivedContent="5.6" format="counter" sectionFormat="of" target="section-5.6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-answer-aggregation">Answer Aggregation</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.6"> <t pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-administrative-dns-records">Administrative DNS Records</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.6.2"> <li pn="section-toc.1-1.6.2.1"> <t pn="section-toc.1-1.6.2.1.1"><xref derivedContent="6.1" format="counter" sectionFormat="of" target="section-6.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dns-soa-start-of-authority-">DNS SOA (Start of Authority) Record</xref></t> </li> <li pn="section-toc.1-1.6.2.2"> <t pn="section-toc.1-1.6.2.2.1"><xref derivedContent="6.2" format="counter" sectionFormat="of" target="section-6.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dns-ns-records">DNS NS Records</xref></t> </li> <li pn="section-toc.1-1.6.2.3"> <t pn="section-toc.1-1.6.2.3.1"><xref derivedContent="6.3" format="counter" sectionFormat="of" target="section-6.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dns-delegation-records">DNS Delegation Records</xref></t> </li> <li pn="section-toc.1-1.6.2.4"> <t pn="section-toc.1-1.6.2.4.1"><xref derivedContent="6.4" format="counter" sectionFormat="of" target="section-6.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dns-srv-records">DNS SRV Records</xref></t> </li> <li pn="section-toc.1-1.6.2.5"> <t pn="section-toc.1-1.6.2.5.1"><xref derivedContent="6.5" format="counter" sectionFormat="of" target="section-6.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-domain-enumeration-records">Domain Enumeration Records</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.7"> <t pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-dnssec-considerations">DNSSEC Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2"> <li pn="section-toc.1-1.7.2.1"> <t pn="section-toc.1-1.7.2.1.1"><xref derivedContent="7.1" format="counter" sectionFormat="of" target="section-7.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-online-signing-only">Online Signing Only</xref></t> </li> <li pn="section-toc.1-1.7.2.2"> <t pn="section-toc.1-1.7.2.2.1"><xref derivedContent="7.2" format="counter" sectionFormat="of" target="section-7.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-nsec-and-nsec3-records">NSEC and NSEC3 Records</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.8"> <t pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-ipv6-considerations">IPv6 Considerations</xref></t> </li> <li pn="section-toc.1-1.9"> <t pn="section-toc.1-1.9.1"><xref derivedContent="9" format="counter" sectionFormat="of" target="section-9"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2"> <li pn="section-toc.1-1.9.2.1"> <t pn="section-toc.1-1.9.2.1.1"><xref derivedContent="9.1" format="counter" sectionFormat="of" target="section-9.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-authenticity">Authenticity</xref></t> </li> <li pn="section-toc.1-1.9.2.2"> <t pn="section-toc.1-1.9.2.2.1"><xref derivedContent="9.2" format="counter" sectionFormat="of" target="section-9.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-privacy">Privacy</xref></t> </li> <li pn="section-toc.1-1.9.2.3"> <t pn="section-toc.1-1.9.2.3.1"><xref derivedContent="9.3" format="counter" sectionFormat="of" target="section-9.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-denial-of-service">Denial of Service</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.10"> <t pn="section-toc.1-1.10.1"><xref derivedContent="10" format="counter" sectionFormat="of" target="section-10"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t> </li> <li pn="section-toc.1-1.11"> <t pn="section-toc.1-1.11.1"><xref derivedContent="11" format="counter" sectionFormat="of" target="section-11"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.11.2"> <li pn="section-toc.1-1.11.2.1"> <t pn="section-toc.1-1.11.2.1.1"><xref derivedContent="11.1" format="counter" sectionFormat="of" target="section-11.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t> </li> <li pn="section-toc.1-1.11.2.2"> <t pn="section-toc.1-1.11.2.2.1"><xref derivedContent="11.2" format="counter" sectionFormat="of" target="section-11.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.12"> <t pn="section-toc.1-1.12.1"><xref derivedContent="Appendix A" format="default" sectionFormat="of" target="section-appendix.a"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-implementation-status">Implementation Status</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.12.2"> <li pn="section-toc.1-1.12.2.1"> <t pn="section-toc.1-1.12.2.1.1"><xref derivedContent="A.1" format="counter" sectionFormat="of" target="section-a.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-already-implemented-and-dep">Already Implemented and Deployed</xref></t> </li> <li pn="section-toc.1-1.12.2.2"> <t pn="section-toc.1-1.12.2.2.1"><xref derivedContent="A.2" format="counter" sectionFormat="of" target="section-a.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-already-implemented">Already Implemented</xref></t> </li> <li pn="section-toc.1-1.12.2.3"> <t pn="section-toc.1-1.12.2.3.1"><xref derivedContent="A.3" format="counter" sectionFormat="of" target="section-a.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-partially-implemented">Partially Implemented</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.13"> <t pn="section-toc.1-1.13.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments</xref></t> </li> <li pn="section-toc.1-1.14"> <t pn="section-toc.1-1.14.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-address">Author's Address</xref></t> </li> </ul> </section> </toc> </front> <middle> <section numbered="true" toc="include" removeInRFC="false" pn="section-1"> <name slugifiedName="name-introduction">Introduction</name> <t pn="section-1-1">Multicast DNS <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/> and its companion technology DNS-based Service Discovery <xref target="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763"/> were created to provide IP networking with the ease of use and autoconfiguration for which AppleTalk was well known <xref target="RFC6760" format="default" sectionFormat="of" derivedContent="RFC6760"/> <xref target="ZC" format="default" sectionFormat="of" derivedContent="ZC"/> <xref target="I-D.cheshire-dnssd-roadmap" format="default" sectionFormat="of" derivedContent="ROADMAP"/>.</t> <t pn="section-1-2">For a small home network consisting of just a single link (or a few physical links bridged together to appear as a single logical link from the point of view of IP), Multicast DNS <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/> is sufficient for client devices to look up the ".local" host names of peers on the same home network, and to use Multicast DNS-based Service Discovery (DNS-SD) <xref target="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763"/> to discover services offered on that home network.</t> <t pn="section-1-3">For a larger network consisting of multiple links that are interconnected using IP-layer routing instead of link-layer bridging, link-local Multicast DNS alone is insufficient because link-local Multicast DNS packets, by design, are not propagated onto other links.</t><t>Using<t pn="section-1-4">Using link-local multicast packets for Multicast DNS was a conscious design choice <xreftarget="RFC6762"/>.target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/>. Even when limited to a single link, multicast traffic is still generally considered to be more expensive than unicast, because multicast traffic impacts manydevices,devices instead of just a single recipient. In addition, with some technologies like Wi-Fi <xreftarget="IEEE-11">Wi-Fi</xref>,target="IEEE-11" format="default" sectionFormat="of" derivedContent="IEEE-11"/>, multicast traffic is inherently less efficient and less reliable than unicast, because Wi-Fi multicast traffic is sent at lower data rates, and is not acknowledged <xreftarget="Mcast"/>.target="I-D.ietf-mboned-ieee802-mcast-problems" format="default" sectionFormat="of" derivedContent="MCAST"/>. Increasing the amount of expensive multicast traffic by flooding it across multiple links would make the traffic load even worse.</t><t>Partitioning<t pn="section-1-5">Partitioning the network into many small links curtails the spread of expensive multicasttraffic,traffic but limits the discoverability of services. At the opposite end of the spectrum, using a very large local link with thousands of hosts enables better servicediscovery,discovery but at the cost of larger amounts of multicast traffic.</t><t>Performing DNS-Based<t pn="section-1-6">Performing DNS-based Service Discovery using purely Unicast DNS is more efficient and doesn't require large multicastdomains,domains but does require that the relevant data be available in the Unicast DNS namespace. The Unicast DNS namespace in question could fall within a traditionally assigned globally unique domain name, or it couldusebe within a private local unicast domain name such as ".home.arpa" <xreftarget="RFC8375"/>.</t> <t>Intarget="RFC8375" format="default" sectionFormat="of" derivedContent="RFC8375"/>.</t> <t pn="section-1-7">In the DNS-SD specification <xreftarget="RFC6763">DNS-SD specification</xref>, Section 10target="RFC6763" sectionFormat="comma" section="10" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6763#section-10" derivedContent="RFC6763"/> ("Populating the DNS with Information") discusses various possible ways that a service's PTR, SRV,TXTTXT, and address records can make their way into the Unicast DNS namespace, including manual zone file configuration <xreftarget="RFC1034"/> <xref target="RFC1035"/>, DNS Update <xref target="RFC2136"/> <xref target="RFC3007"/>target="RFC1034" format="default" sectionFormat="of" derivedContent="RFC1034"/> <xref target="RFC1035" format="default" sectionFormat="of" derivedContent="RFC1035"/>, DNS Update <xref target="RFC2136" format="default" sectionFormat="of" derivedContent="RFC2136"/> <xref target="RFC3007" format="default" sectionFormat="of" derivedContent="RFC3007"/>, and proxies of various kinds.</t><t>Making<t pn="section-1-8">One option is to make the relevant data available in the Unicast DNS namespace by manual DNSconfiguration is one option.configuration. This option has been used for many years at IETF meetings to advertise the IETFTerminal Roomterminal room printer. Details of this example are given inAppendix A of<xreftarget="Roadmap">thetarget="I-D.cheshire-dnssd-roadmap" sectionFormat="of" section="A" format="default" derivedLink="https://tools.ietf.org/html/draft-cheshire-dnssd-roadmap-03#appendix-A" derivedContent="ROADMAP">the Roadmap document</xref>. However, this manual DNS configuration is labor intensive, error prone, and requires a reasonable degree of DNS expertise.</t><t>Populating<t pn="section-1-9">Another option is to populate the Unicast DNS namespacevia DNS Updateby having the devices offering the servicesthemselves is another option <xref target="RegProt"/>do that themselves, using DNS Update <xreftarget="DNS-UL"/>.target="I-D.sctl-service-registration" format="default" sectionFormat="of" derivedContent="REG-PROT"/> <xref target="I-D.sekar-dns-ul" format="default" sectionFormat="of" derivedContent="DNS-UL"/>. However, this requires configuration of DNS Update keys on those devices, which has proven onerous and impractical for simple devices like printers and network cameras.</t><t>Hence,<t pn="section-1-10">Hence, to facilitate efficient and reliableDNS-BasedDNS-based Service Discovery, acompromisehybrid is needed that combines theease-of-useease of use of Multicast DNS with the efficiency and scalability of Unicast DNS.</t><t>This<t pn="section-1-11">This document specifies a type of proxy called a "Discovery Proxy" that uses Multicast DNS <xreftarget="RFC6762">Multicast DNS</xref>target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/> to discover Multicast DNS records on its locallink,link on demand, and makes corresponding DNS records visible in the Unicast DNS namespace.</t><t>In<t pn="section-1-12">In principle, similar mechanisms could be definedusingfor other localservicediscovery protocols, by creating a proxy that (i) uses the protocol in question to discover local information on demand, and thenmake(ii) makes corresponding DNS records visible in the Unicast DNS namespace. Such mechanisms for other localservicediscovery protocols could be addressed in future documents.</t><t>The<t pn="section-1-13">The design of the Discovery Proxy is guided by the previously published DNS-based Service Discovery requirements document <xreftarget="RFC7558">requirements document</xref>.</t> <t>Intarget="RFC7558" format="default" sectionFormat="of" derivedContent="RFC7558"/>.</t> <t pn="section-1-14">In simple terms, a descriptive DNS name is chosen for each link in an organization. Using a DNS NS record, responsibility for that DNS name is delegated to a Discovery Proxy physically attached to that link.Now, whenWhen a remote client issues a unicast query for a name falling within the delegated subdomain, the normal DNS delegation mechanism results in the unicast query arriving at the Discovery Proxy, since it has been declared authoritative for those names. Now, instead of consulting a textual zone file on disk to discover the answer to thequery,query as a traditional authoritative DNS server would, a Discovery Proxy consults its local link, using Multicast DNS, to find the answer to the question.</t><t>For<t pn="section-1-15">For fault tolerancereasonsreasons, there may be more than one Discovery Proxy serving a given link.</t><t>Note<t pn="section-1-16">Note that the Discovery Proxy uses a "pull" model.TheUntil some remote client has requested data, the local link is not queried using MulticastDNS until some remote client has requested that data.DNS. In the idle state, in the absence of client requests, the Discovery Proxy sends no packets and imposes no burden on the network. It operates purely "on demand".</t><t>An<t pn="section-1-17">An alternative proposal that has been discussed is a proxy that performs DNS updates to a remote DNS server on behalf of the Multicast DNS devices on the local network. The difficulty with this isisthat Multicast DNS devices do not routinely announce their records on the network.GenerallyGenerally, they remain silent until queried. This means that the complete set of Multicast DNS records in use on a link can only be discovered by active querying, not by passive listening. Because of this, a proxy can only know what names exist on a link by issuing queries for them, and since it would be impractical to issue queries for every possible name just to find out which names exist and which do not, there is no reasonable way for a proxy to programmatically learn all the answers it would need to push up to the remote DNS server using DNS Update. Even if such a mechanism were possible, it would risk generating high load on the network continuously, even when there are no clients with any interest in that data.</t><t>Hence,<t pn="section-1-18">Hence, having a model where the query comes to the Discovery Proxy is much more efficient than a model where the Discovery Proxy pushes the answers out to some other remote DNS server.</t><t>A<t pn="section-1-19">A client seeking to discover services and other informationachievesperforms this by sending traditional DNS queries to the DiscoveryProxy,Proxy or by sending<xref target="Push">DNSDNS Push Notification subscriptionrequests</xref>.</t> <t>Howrequests <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>.</t> <t pn="section-1-20">How a client discovers what domain name(s) to use for itsservice discovery queries, (and consequentlyDNS-based Service Discovery queries (and, consequently, what Discovery Proxy or Proxies to use) is described in <xreftarget="dom-enum"/>.</t> <t>Thetarget="dom-enum" format="default" sectionFormat="of" derivedContent="Section 5.2"/>.</t> <t pn="section-1-21">The diagram below illustrates a network topology using a Discovery Proxy to provide discovery service to a remote client.</t><figure><artwork><figure align="left" suppress-title="false" pn="figure-1"> <name slugifiedName="name-example-deployment">Example Deployment</name> <artwork name="" type="" align="center" alt="" pn="section-1-22.1"> +--------+ Unicast +-----------+ +---------+ +---------+ | Remote |CommuncationCommunication | Discovery | | Network | | Network | | Client |---- . . .-----|----| Proxy | | Printer | | Camera | +--------+ +-----------+ +---------+ +---------+ | | | | ------------ -------------------------------------------- Multicast-capable LAN segment (e.g., Ethernet)</artwork></figure> <?rfc needLines="31" ?></artwork> </figure> <t pn="section-1-23">Note that there need not be any Discovery Proxy on the link to which the remote client is directly attached. The remote client communicates directly with the Discovery Proxy using normal unicast TCP/IP communication mechanisms, potentially spanning multiple IP hops, possibly including VPN tunnels and other similar long-distance communication channels. </t> </section> <sectiontitle="Operational Analogy"> <t>Anumbered="true" toc="include" removeInRFC="false" pn="section-2"> <name slugifiedName="name-operational-analogy">Operational Analogy</name> <t pn="section-2-1">A Discovery Proxy does not operate as a multicastrelay,relay or multicast forwarder. There is no danger of multicast forwarding loops that result in traffic storms, because no multicast packets are forwarded. A Discovery Proxy operates as a*proxy*<em>proxy</em> foraremoteclient,clients, performing queries onitstheir behalf and reporting the results back.</t><t>A<t pn="section-2-2">A reasonable analogy is making a telephone call to a colleague at your workplace and saying, "I'm out of the office right now. Would you mind bringing up a printer browser window and telling me the names of the printers you see?" That entails no risk of a forwarding loop causing a traffic storm, because no multicast packets are sent over the telephone call.</t><t>A<t pn="section-2-3">A similar analogy, instead of enlisting another human being to initiate the service discovery operation on your behalf, is to logintoin to your own desktop work computer using screensharing,sharing and then run the printer browser yourself to see the list of printers.OrOr, log in usingsshSecure Shell (ssh) and type "dns-sd -B _ipp._tcp" and observe the list of discovered printer names. In neither case is there any risk of a forwarding loop causing a traffic storm, because no multicast packets are being sent over thescreen sharingscreen-sharing or ssh connection.</t><t>The<t pn="section-2-4">The Discovery Proxy provides another way of performing remote queries,except usingwhich uses a different protocol instead of screen sharing orssh.</t> <t>Whenssh. The Discovery Proxy mechanism can be thought of as a custom Remote Procedure Call (RPC) protocol that allows a remote client to exercise the Multicast DNS APIs on the Discovery Proxy device, just as a local client running on the Discovery Proxy device would use those APIs.</t> <t pn="section-2-5">When the Discovery Proxy software performs Multicast DNS operations, the exact same Multicast DNS caching mechanisms are applied as when any other client software on that Discovery Proxy device performs Multicast DNS operations, regardless of whether that be running a printer browser client locally,ora remote user running the printer browser client via ascreen sharingscreen-sharing connection,ora remote user logged in via ssh running a command-line tool like "dns-sd", or a remote user sending DNS requests that cause a Discovery Proxy to perform discovery operations on its behalf.</t><?rfc needLines="15" ?></section> <sectiontitle="Conventionsnumbered="true" toc="include" removeInRFC="false" pn="section-3"> <name slugifiedName="name-conventions-and-terminology">Conventions and Terminology Used inthis Document"> <t>TheThis Document</name> <t pn="section-3-1"> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace />"<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted asdescribed<vspace /> in "Key words for usedescribed inRFCs to Indicate Requirement Levels",<vspace />BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as shownhere<vspace /> <xref target="RFC2119"/> <xref target="RFC8174"/>.</t> <t>Thehere. </t> <t pn="section-3-2">The Discovery Proxy builds on Multicast DNS, which works between hosts on the same link. For the purposes of thisdocumentdocument, a set of hosts is considered to be "on the same link" if:<list style='symbols'> <t>when</t> <ul spacing="normal" bare="false" empty="false" pn="section-3-3"> <li pn="section-3-3.1">when any host from that set sends a packet to any other host in that set, using unicast, multicast, or broadcast, the entire link-layer packet payload arrives unmodified,and</t> <t>aand</li> <li pn="section-3-3.2">a broadcast sent over that link, by any host from that set of hosts, can be received by every other host in thatset.</t> </list>set.</li> </ul> <t pn="section-3-4"> The link-layer*header*<em>header</em> may be modified, such as in<xref target="IEEE-5">TokenToken Ring SourceRouting</xref>,Routing <xref target="IEEE-5" format="default" sectionFormat="of" derivedContent="IEEE-5"/>, but not the link-layer*payload*.<em>payload</em>. In particular, if any device forwarding a packet modifies any part of the IP header or IPpayloadpayload, then the packet is no longer considered to be on the same link. This means that the packet may pass through devices such as repeaters, bridges,hubshubs, or switches and still be considered to be on the same link for the purpose of this document, but not through a device such as an IP router that decrements the IP TTL or otherwise modifies the IP header.</t> </section> <section anchor="compatibility"title="Compatibility Considerations"> <t>Nonumbered="true" toc="include" removeInRFC="false" pn="section-4"> <name slugifiedName="name-compatibility-consideration">Compatibility Considerations</name> <t pn="section-4-1">No changes to existing devices are required to work with a Discovery Proxy.</t><t>Existing<t pn="section-4-2">Existing devices that advertise services using Multicast DNS work with a Discovery Proxy.</t><t>Existing<t pn="section-4-3">Existing clients that supportDNS-BasedDNS-based Service Discovery over Unicast DNS work with a Discovery Proxy. DNS-based Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 Tiger in April2005, as is2005 and has been included in Apple products introduced since then, including the iPhone andiPad, as well asiPad. It has also been included in products from other vendors, such as Microsoft Windows 10.</t><t>An<t pn="section-4-4">An overview of the larger collection ofrelatedassociated DNS-based Service Discovery technologies, and how the Discovery Proxy technology relates to those, is given in<xref target="Roadmap">thethe Service Discovery Road Mapdocument</xref>.</t> <?rfc needLines="22" ?>document <xref target="I-D.cheshire-dnssd-roadmap" format="default" sectionFormat="of" derivedContent="ROADMAP"/>.</t> </section> <section anchor="operation"title="Discoverynumbered="true" toc="include" removeInRFC="false" pn="section-5"> <name slugifiedName="name-discovery-proxy-operation">Discovery ProxyOperation"> <t>InOperation</name> <t pn="section-5-1">In a typical configuration, a Discovery Proxy is configured to be authoritative <xreftarget="RFC1034"/> <xref target="RFC1035"/>target="RFC1034" format="default" sectionFormat="of" derivedContent="RFC1034"/> <xref target="RFC1035" format="default" sectionFormat="of" derivedContent="RFC1035"/> for four or more DNS subdomains,and authoritylisted below. Authority for these subdomains is delegated from the parent domain toitthe Discovery Proxy in the usual way for DNS delegation, via NSrecords: <list style="hanging"> <t hangText="Arecords. </t> <dl newline="true" spacing="normal" pn="section-5-2"> <dt pn="section-5-2.1">A DNS subdomain forservice discovery records."><vspace />DNS-based Service Discovery records.</dt> <dd pn="section-5-2.2"> This subdomain name may contain rich text, including spaces and other punctuation. This is because this subdomain name is used only in graphical user interfaces, where rich text isappropriate.</t> <t hangText="Aappropriate.</dd> <dt pn="section-5-2.3">A DNS subdomain for host namerecords."><vspace />records.</dt> <dd pn="section-5-2.4"> This subdomain nameSHOULD<bcp14>SHOULD</bcp14> be limited to letters,digitsdigits, andhyphens,hyphens in order to facilitate the convenient use of host names in command-lineinterfaces.</t> <t hangText="Oneinterfaces.</dd> <dt pn="section-5-2.5">One or more DNS subdomains for IPv4 Reverse Mappingrecords."><vspace />records.</dt> <dd pn="section-5-2.6"> These subdomains will have names thatendsend in"in-addr.arpa."</t> <t hangText="One"in-addr.arpa".</dd> <dt pn="section-5-2.7">One or more DNS subdomains for IPv6 Reverse Mappingrecords."><vspace />records.</dt> <dd pn="section-5-2.8"> These subdomains will have names thatendsend in"ip6.arpa."</t> </list> </t> <t>In"ip6.arpa".</dd> </dl> <t pn="section-5-3">In an enterprisenetworknetwork, the naming and delegation of these subdomains is typically performed by conscious action of the network administrator. In a homenetworknetwork, naming and delegation would typically be performed using some automatic configuration mechanism such asHNCPHome Networking Control Protocol (HNCP) <xreftarget="RFC7788"/>.</t> <t>Thesetarget="RFC7788" format="default" sectionFormat="of" derivedContent="RFC7788"/>.</t> <t pn="section-5-4">These three varieties of delegated subdomains (service discovery, host names, and reverse mapping) are described below in Sections <xreftarget="dom-sd"/>, <xref target="dom-host"/> and <xref target="dom-rev"/>.</t> <t>Howtarget="dom-sd" format="counter" sectionFormat="of" derivedContent="5.1"/>, <xref target="dom-host" format="counter" sectionFormat="of" derivedContent="5.3"/>, and <xref target="dom-rev" format="counter" sectionFormat="of" derivedContent="5.4"/>.</t> <t pn="section-5-5">How a client discovers where to issue itsservice discoveryDNS-based Service Discovery queries is describedbelowin <xreftarget="dom-enum"/>.</t> <?rfc needLines="28" ?>target="dom-enum" format="default" sectionFormat="of" derivedContent="Section 5.2"/>.</t> <section anchor="dom-sd"title="Delegatednumbered="true" toc="include" removeInRFC="false" pn="section-5.1"> <name slugifiedName="name-delegated-subdomain-for-dns">Delegated Subdomain for DNS-based Service DiscoveryRecords"> <t>InRecords</name> <t pn="section-5.1-1">In its simplest form, each link in an organization is assigned a unique Unicast DNS domainname,name such as"Building 1.example.com""Building 1.example.com" or"2nd Floor.Building 3.example.com"."2nd Floor.Building 3.example.com". Grouping multiple links under a single Unicast DNS domain name is to be specified in a future companion document, but for the purposes of this document, assume that each link has its own unique Unicast DNS domain name. In a graphical user interface these names are not displayed as strings with dots as shown above, but something more akin to a typical file browser graphical user interface (which is harder to illustrate in a text-only document) showing folders,subfolderssubfolders, and files in a file system. </t> <figurealign="left"anchor="browser"title="Illustrative GUI"><artwork><![CDATA[align="left" suppress-title="false" pn="figure-2"> <name slugifiedName="name-illustrative-gui">Illustrative GUI </name> <artwork align="center" name="" type="" alt="" pn="section-5.1-2.1"> +---------------+--------------+-------------+-------------------+ | *example.com* | Building 1 | 1st Floor | Alice's printer | | | Building 2 | *2nd Floor* | Bob's printer | | | *Building 3* | 3rd Floor | Charlie's printer | | | Building 4 | 4th Floor | | | | Building 5 | | | | | Building 6 | | |+---------------+--------------+-------------+-------------------+]]></artwork>+---------------+--------------+-------------+-------------------+ </artwork> </figure></t> <t>Each<t pn="section-5.1-3">Each named link in an organization has one or more Discovery Proxieswhichthat serve it. This Discovery Proxy functionfor each linkcould be performed by a device like a router or switch that is physically attached to that link. In the parent domain, NS records are used to delegate ownership of each defined link name(e.g., "Building 1.example.com")(e.g., "Building 1.example.com") totheone or more Discovery Proxies that serve the named link. In other words, the Discovery Proxies are the authoritative name servers for that subdomain. As in the rest ofDNS-BasedDNS-based Service Discovery, all names are represented as-is using plain UTF-8encoding,encoding and, as described in <xreftarget="notrans"/>,target="notrans" format="default" sectionFormat="of" derivedContent="Section 5.5.4"/>, notext encodingtext-encoding translations are performed.</t><t>With<t pn="section-5.1-4">With appropriate VLAN configuration <xreftarget="IEEE-1Q">VLAN configuration</xref>target="IEEE-1Q" format="default" sectionFormat="of" derivedContent="IEEE-1Q"/>, a single Discovery Proxy device could have a logical presence on manylinks,links and serve as the Discovery Proxy for all those links. In such aconfigurationconfiguration, the Discovery Proxy device would have a single physical Ethernet <xreftarget="IEEE-3">Ethernet</xref>target="IEEE-3" format="default" sectionFormat="of" derivedContent="IEEE-3"/> port, configured as a VLAN trunk port, which would appear to software on that device as multiple virtual Ethernet interfaces, one connected to each of the VLAN links.</t><t>As<t pn="section-5.1-5">As an alternative to using VLAN technology, using a<xref target="Relay">MulticastMulticast DNS DiscoveryRelay</xref>Relay <xref target="I-D.sctl-dnssd-mdns-relay" format="default" sectionFormat="of" derivedContent="RELAY"/> is another way that a Discovery Proxy can have a‘virtual’"virtual" presence on a remote link.</t><?rfc needLines="6" ?> <t>When<t pn="section-5.1-6">When a DNS-SD client issues a Unicast DNS query to discover services in a particular Unicast DNS subdomain(e.g., "_printer._tcp.Building 1.example.com. PTR ?")(e.g., "_ipp._tcp.Building 1.example.com. PTR ?"), the normal DNS delegation mechanism results in that query being forwarded until it reaches the delegated authoritative name server for that subdomain,namelynamely, the Discovery Proxy on the link in question. Like a conventional Unicast DNS server, a Discovery Proxy implements the usual Unicast DNS protocol <xreftarget="RFC1034"/> <xref target="RFC1035"/>target="RFC1034" format="default" sectionFormat="of" derivedContent="RFC1034"/> <xref target="RFC1035" format="default" sectionFormat="of" derivedContent="RFC1035"/> over UDP and TCP. However, unlike a conventional Unicast DNS server that generates answers from the data in itsmanually-configuredmanually configured zone file, a Discovery Proxygenerateslearns answers using Multicast DNS. A Discovery Proxy does this by consulting its Multicast DNS cache and/or issuing Multicast DNS queries, asappropriate,appropriate according to the usual protocol rules of Multicast DNS <xreftarget="RFC6762">Multicast DNS</xref>,target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/>, for the corresponding Multicast DNS name,typetype, and class, with the delegated zone part of the name replaced with ".local"(e.g., in(e.g., in this case,"_printer._tcp.local. PTR ?")."_ipp._tcp.local. PTR ?"). Then, from the received Multicast DNS data, the Discovery Proxy synthesizes the appropriate Unicast DNS response, with the ".local" top-level label of the owner name replaced withwiththe name of the delegated zone.HowFurther details of the name translation rules are described in <xref target="translation" format="default" sectionFormat="of" derivedContent="Section 5.5"/>. Rules specifying how long the Discovery Proxy should wait to accumulate Multicast DNS responses before sending its unicast replyisare describedbelowin <xreftarget="aggregation"/>.</t> <t>Thetarget="aggregation" format="default" sectionFormat="of" derivedContent="Section 5.6"/>. </t> <t pn="section-5.1-7">The existing Multicast DNS caching mechanism is used to minimize unnecessary Multicast DNS queries on the wire. The Discovery Proxy is acting as a client of the underlying Multicast DNSsubsystem,subsystem and benefits from the same caching and efficiency measures as any other client using that subsystem.</t><t>Note<t pn="section-5.1-8">Note that the contents of the delegated zone, generated as it is by performing ".local" Multicast DNS queries, mirrors the records available on the local link via Multicast DNS very closely, but not precisely. There is not a full bidirectional equivalence between the two. Certain records that are available via Multicast DNS may not have equivalents in the delegatedzone,zone possibly because they are invalid or not relevant in the delegatedzone,zone or because they are beingsupressedsuppressed because they are unusable outside the local link (see <xreftarget="unusable"/>).target="unusable" format="default" sectionFormat="of" derivedContent="Section 5.5.2"/>). Conversely, certain records that appear in the delegated zone may not have corresponding records available on the local link via Multicast DNS. Inparticularparticular, there are certain administrative SRV records (see <xreftarget="admin"/>)target="admin" format="default" sectionFormat="of" derivedContent="Section 6"/>) that logically fall within the delegatedzone,zone but semantically represent metadata*about*<em>about</em> the zone rather than records*within*<em>within</em> thezone, and consequentlyzone. Consequently, these administrative records in the delegated zone do not have any corresponding counterparts in the Multicast DNS namespace of the local link.</t><?rfc needLines="26" ?></section> <section anchor="dom-enum"title="Domain Enumeration"> <t>Anumbered="true" toc="include" removeInRFC="false" pn="section-5.2"> <name slugifiedName="name-domain-enumeration">Domain Enumeration</name> <t pn="section-5.2-1">A DNS-SD client performs Domain Enumeration <xreftarget="RFC6763"/>target="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763"/> via certain PTR queries, using both unicast andmulticast. If itmulticast.</t> <t pn="section-5.2-2">If a DNS-SD client receives a Domain Name configuration via<xref target="RFC2132">DHCP option 15</xref>,DHCP then it issues unicast queriesusingderived from thisdomain.domain name. It also issues unicast queries using names derived from its IPv4 subnet address(es) and IPv6 prefix(es). These unicast Domain Enumeration queries are describedbelowin <xreftarget="unicast"/>. Ittarget="unicast" format="default" sectionFormat="of" derivedContent="Section 5.2.1"/>. A DNS-SD client also issues multicast Domain Enumeration queries in the "local" domain <xreftarget="RFC6762"/>. These aretarget="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/>, as describedbelowin <xreftarget="multicast"/>.target="multicast" format="default" sectionFormat="of" derivedContent="Section 5.2.2"/>. The results of all the Domain Enumeration queries are combined for DNS-based Service Discovery purposes.</t> <section anchor="unicast"title="Domainnumbered="true" toc="include" removeInRFC="false" pn="section-5.2.1"> <name slugifiedName="name-domain-enumeration-via-unic">Domain Enumeration via UnicastQueries"> <t>TheQueries</name> <t pn="section-5.2.1-1">The (human or automated) administrator creates Unicast DNS Domain Enumeration PTR records <xreftarget="RFC6763"/>target="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763"/> to inform clients of available service discovery domains. Two varieties of such Unicast DNS Domain Enumeration PTR recordsexist;exist: those with names derived from the domain name communicated to the clients viaDHCP,<xref target="RFC2132" format="default" sectionFormat="of" derivedContent="RFC2132">DHCP option 15</xref>, and those with names derived from either IPv4 subnet address(es)andor IPv6 prefix(es) in use by the clients. Below is an example showing the name-basedvariety:</t> <figure><artwork>variety, where the DHCP server configured the client with the domain name "example.com":</t> <artwork name="" type="" align="center" alt="" pn="section-5.2.1-2"> b._dns-sd._udp.example.com. PTR Building 1.example.com. PTR Building 2.example.com. PTR Building 3.example.com. PTR Building 4.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com. lb._dns-sd._udp.example.com. PTR Building1.example.com.</artwork></figure> <t>The1.example.com.</artwork> <t pn="section-5.2.1-3">The meaning of these records is defined in the <xreftarget="RFC6763">DNStarget="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763">DNS-based Service Discovery specification</xref>butbut, forconvenienceconvenience, is repeated here. The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from. The "db" ("default browse") record tells the client device which domain in that list should be selected by default. The "db" domainMUST<bcp14>MUST</bcp14> be one of the domains in the "b" list; ifnotnot, then no domain is selected by default. The "lb" ("legacy browse") record tells the client device which domain to automatically browse on behalf of applications that don't implementUIuser interface for multi-domain browsing (which is most ofthem,them at the time of writing). The "lb" domain is often the same as the "db" domain, or sometimes the "db" domain plus one or more others that should be included in the list of automatic browsing domains for legacy clients.</t><t>Note<t pn="section-5.2.1-4">Note that in the example above, for clarity, space characters in names are shown as actual spaces. If this data is manually entered into a textual zone file for authoritative server software such as BIND, care must be taken because the space character is used as a field separator, and other characters like dot ('.'), semicolon (';'), dollar ('$'), backslash ('\'), etc., also have special meaning. These characters have to be escaped when entered into a textual zone file, following the rules inSection 5.1 of the<xreftarget="RFC1035">DNStarget="RFC1035" sectionFormat="of" section="5.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc1035#section-5.1" derivedContent="RFC1035">the DNS specification</xref>. For example, a literal space in a name is represented in the textual zone file using '\032', so"Building 1.example.com.""Building 1.example.com" is entered as"Building\0321.example.com."</t> <?rfc needLines="15" ?> <t>DNS"Building\0321.example.com".</t> <t pn="section-5.2.1-5">DNS responses are limited to a maximum size of 65535 bytes. This limits the maximum number of domains that can be returned for a Domain Enumerationquery,query as follows:</t><t>A<t pn="section-5.2.1-6">A DNS response header is 12 bytes. That's typically followed by a single qname (up to 256 bytes) plus qtype(2 bytes)(2 bytes) and qclass(2 bytes),(2 bytes), leaving 65275 for the Answer Section.</t><t>An<t pn="section-5.2.1-7">An Answer Section Resource Record consists of:<?rfc subcompact="yes" ?> <list style='symbols'> <t>Owner</t> <ul spacing="compact" bare="false" empty="false" pn="section-5.2.1-8"> <li pn="section-5.2.1-8.1">Owner name, encoded as atwo-bytecompressionpointer</t> <t>Two-byte rrtypepointer, 2 bytes</li> <li pn="section-5.2.1-8.2">RRTYPE (typePTR)</t> <t>Two-byte rrclassPTR), 2 bytes</li> <li pn="section-5.2.1-8.3">RRCLASS (classIN)</t> <t>Four-byte ttl</t> <t>Two-byte rdlength</t> <t>rdataIN), 2 bytes</li> <li pn="section-5.2.1-8.4">TTL, 4 bytes</li> <li pn="section-5.2.1-8.5">RDLENGTH, 2 bytes</li> <li pn="section-5.2.1-8.6">RDATA (domainname,name), up to 256bytes)</t> </list> <?rfc subcompact="no" ?> </t> <t>Thisbytes</li> </ul> <t pn="section-5.2.1-9">This means that each Resource Record in the Answer Section can take up to 268 bytes total, which means that the Answer Section can contain, in the worst case, no more than 243 domains.</t><t>In<t pn="section-5.2.1-10">In a more typical scenario, where the domain names are not all maximum-sized names, and there is some similarity between names so that reasonable name compression is possible, each Answer Section Resource Record may average 140 bytes, which means that the Answer Section can contain up to 466 domains.</t><t>It<t pn="section-5.2.1-11">It is anticipated that this should be sufficient for even a large corporate network or university campus.</t><?rfc needLines="21" ?></section> <section anchor="multicast"title="Domainnumbered="true" toc="include" removeInRFC="false" pn="section-5.2.2"> <name slugifiedName="name-domain-enumeration-via-mult">Domain Enumeration via MulticastQueries"> <t>InQueries</name> <t pn="section-5.2.2-1">In the case where Discovery Proxy functionality is widely deployed within an enterprise (either by having a Discovery Proxy physically on each link, or by having a Discovery Proxy with a remote‘virtual’"virtual" presence on each link using VLANs or<xref target="Relay">MulticastMulticast DNS DiscoveryRelays</xref>)Relays <xref target="I-D.sctl-dnssd-mdns-relay" format="default" sectionFormat="of" derivedContent="RELAY"/>), this offers an additional way to provide Domain Enumeration configuration data for clients.</t><t>A<t pn="section-5.2.2-2">Note that this function of the Discovery Proxy is supplementary to the primary purpose of the Discovery Proxy, which is to facilitate <em>remote</em> clients discovering services on the Discovery Proxy's local link. This publication of Domain Enumeration configuration data via link-local multicast on the Discovery Proxy's local link is performed for the benefit of <em>local</em> clients attached to that link, and typically directs those clients to contact other distant Discovery Proxies attached to other links. Generally, a client does not need to use the local Discovery Proxy on its own link, because a client is generally able to perform its own Multicast DNS queries on that link. (The exception to this is when the local Wi-Fi access point is blocking or filtering local multicast traffic, requiring even local clients to use their local Discovery Proxy to perform local discovery.)</t> <t pn="section-5.2.2-3">A Discovery Proxy can be configured to generate Multicast DNS responses for the following Multicast DNS Domain Enumeration queries issued by clients:</t><figure><artwork><artwork name="" type="" align="left" alt="" pn="section-5.2.2-4"> b._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR?</artwork></figure> <t>This?</artwork> <t pn="section-5.2.2-5">This provides the ability for Discovery Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link granularity. In someenterprisesenterprises, it may be preferable to provide this per-link configurationdatainformation in the form of Discovery Proxyconfiguration,configuration data rather than by populating the Unicast DNS servers with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t><t>Regardless<t pn="section-5.2.2-6">Regardless of how the network operator chooses to provide this configuration data, clients will perform Domain Enumeration via both unicast and multicastqueries,queries and then combine the results of these queries.</t><?rfc needLines="30" ?></section> </section> <section anchor="dom-host"title="Delegatednumbered="true" toc="include" removeInRFC="false" pn="section-5.3"> <name slugifiedName="name-delegated-subdomain-for-ldh">Delegated Subdomain for LDH HostNames"> <t>DNS-SDNames</name> <t pn="section-5.3-1">DNS-SD service instance names and domains are allowed to contain arbitrary Net-Unicode text <xreftarget="RFC5198">Net-Unicode text</xref>,target="RFC5198" format="default" sectionFormat="of" derivedContent="RFC5198"/>, encoded as precomposed UTF-8 <xreftarget="RFC3629">precomposed UTF-8</xref>.</t> <t>Userstarget="RFC3629" format="default" sectionFormat="of" derivedContent="RFC3629"/>.</t> <t pn="section-5.3-2">Users typically interact with service discovery software by viewing a list of discovered service instance names on adisplay,display and selecting one of them by pointing, touching, or clicking. Similarly, in software that provides a multi-domain DNS-SD user interface, users view a list of offered domains on the display and select one of them by pointing, touching, or clicking. To use a service, users don't have to remember domain or instance names, or type them; users just have to be able to recognize what they see on the display and touch or click on the thing they want.</t><t>In<t pn="section-5.3-3">In contrast, host names are often remembered and typed. Also, host names have historically been used in command-line interfaces where spaces can be inconvenient. For this reason, host names have traditionally been restricted to letters,digitsdigits, and hyphens(LDH),(LDH) with no spaces or other punctuation.</t><t>While<t pn="section-5.3-4">While we do want to allow rich text for DNS-SD service instance names and domains, it is advisable, for maximum compatibility with existing usage, to restrict host names to the traditional letter-digit-hyphen rules. This means that whileathe service name"My Printer._ipp._tcp.Building 1.example.com""My Printer._ipp._tcp.Building 1.example.com" is acceptable and desirable (it is displayed in a graphical user interface as an instance called"My Printer""My Printer" in the domain"Building 1""Building 1" at "example.com"),athe host name"My-Printer.Building 1.example.com""My-Printer.Building 1.example.com" is less desirable (because of the space in"Building 1").</t> <t>To accomodate"Building 1").</t> <t pn="section-5.3-5">To accommodate this difference in allowable characters, a Discovery ProxySHOULD<bcp14>SHOULD</bcp14> support having two separate subdomains delegated to it for each link itserves,serves: one whose name is allowed to contain arbitrary Net-Unicode text <xreftarget="RFC5198"/>,target="RFC5198" format="default" sectionFormat="of" derivedContent="RFC5198"/>, and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and 'AAAA' address records). The restricted names may be any valid name consisting of only letters, digits, and hyphens, including Punycode-encoded names <xreftarget="RFC3492"/>.target="RFC3492" format="default" sectionFormat="of" derivedContent="RFC3492"/>. </t><?rfc needLines="12" ?> <t>For<t pn="section-5.3-6">For example, a Discovery Proxy could have the two subdomains"Building 1.example.com""Building 1.example.com" and"bldg1.example.com""bldg‑1.example.com" delegated to it. The Discovery Proxy would then translate these two Multicast DNS records:</t><figure><artwork><artwork name="" type="" align="left" alt="" pn="section-5.3-7"> My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. prnt.local. A203.0.113.2</artwork></figure> <t>into203.0.113.2</artwork> <t pn="section-5.3-8">into Unicast DNS records as follows:</t><figure><artwork><artwork name="" type="" align="left" alt="" pn="section-5.3-9"> My Printer._ipp._tcp.Building 1.example.com. SRV 0 0 631prnt.bldg1.example.com. prnt.bldg1.example.com.prnt.bldg-1.example.com. prnt.bldg-1.example.com. A203.0.113.2</artwork></figure> <t>Note203.0.113.2</artwork> <t pn="section-5.3-10">Note that the SRV record name is translated using the rich-text domain name("Building 1.example.com")("Building 1.example.com"), and the address record name is translated using the LDH domain("bldg1.example.com").</t> <t>A("bldg‑1.example.com"). Further details of the name translation rules are described in <xref target="translation" format="default" sectionFormat="of" derivedContent="Section 5.5"/>.</t> <t pn="section-5.3-11">A Discovery ProxyMAY<bcp14>MAY</bcp14> support only a singlerich textrich-text Net-Unicodedomain,domain and use that domain for all records, including 'A' and 'AAAA' address records, but implementers choosing this option should be aware that this choice may produce host names that are awkward to use in command-line environments. Whether or not this is an issue depends on whether users in the target environment are expected to be using command-line interfaces.</t><t>A<t pn="section-5.3-12">A Discovery ProxyMUST NOT<bcp14>MUST NOT</bcp14> be restricted to support only a letter-digit-hyphen subdomain, because that results in an unnecessarily poor user experience.</t><t>As<t pn="section-5.3-13">As describedabovein <xreftarget="unicast"/>,target="unicast" format="default" sectionFormat="of" derivedContent="Section 5.2.1"/>, for clarity, in examples here space characters in names are shown as actual spaces. If this dynamically discovered data were to be manually entered into a textual zone file (which itisn't)isn't), then spaces would need to be represented using '\032', so"My Printer._ipp._tcp.Building 1.example.com.""My Printer._ipp._tcp.Building 1.example.com" would become"My\032Printer._ipp._tcp.Building\0321.example.com."<vspace />"My\032Printer._ipp._tcp.Building\0321.example.com".</t> <t pn="section-5.3-14"> Note that the '\032' representation does not appear inthe network packetsDNS messages sent over the air. In the wire format of DNS messages, spaces are sent as spaces, not as '\032', and likewise, in a graphical user interface at the client device, spaces are shown as spaces, not as '\032'. </t><?rfc needLines="36" ?></section> <section anchor="dom-rev"title="Delegatednumbered="true" toc="include" removeInRFC="false" pn="section-5.4"> <name slugifiedName="name-delegated-subdomain-for-rev">Delegated Subdomain for ReverseMapping"> <t>AMapping</name> <t pn="section-5.4-1">A Discovery Proxy can facilitate easier management of reverse mapping domains, particularly for IPv6 addresses where manual management may be more onerous than it is for IPv4 addresses.</t><t>To<t pn="section-5.4-2">To achieve this, in the parent domain, NS records are used to delegate ownership of the appropriate reverse mapping domain to the Discovery Proxy. In other words, the Discovery Proxy becomes the authoritative name server for the reverse mapping domain. For fault tolerancereasonsreasons, there may be more than one Discovery Proxy serving a given link.</t><t>If<t pn="section-5.4-3">If a given link is using the IPv4 subnet203.0.113/24,<vspace/>203.0.113/24, then the domain"113.0.203.in-addr.arpa"<vspace/>"113.0.203.in-addr.arpa" is delegated to the Discovery Proxy for that link.</t><t>For example, if<t pn="section-5.4-4">If a given link is usingthe<vspace/>the IPv6 prefix2001:0DB8:1234:5678/64,<vspace/>2001:0DB8:1234:5678::/64, then the domain"8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"<vspace/>"8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" is delegated to the Discovery Proxy for that link.</t><t>When<t pn="section-5.4-5">When a reverse mapping query arrives at the Discovery Proxy, it issues the identical query on its locallinklink, as a Multicast DNS query. The mechanism to force an apparently unicast name to be resolved using link-local Multicast DNS varies depending on the API set being used. For example, in the "dns_sd.h"APIs<vspace/>APIs (available on macOS, iOS, Bonjour for Windows,LinuxLinux, and Android), using kDNSServiceFlagsForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS. OtherAPIsAPI sets have different ways of forcing multicast queries. When the host owning that IPv4 or IPv6 address responds with a name of the form "something.local", the Discovery Proxy rewritesthatit to use its configured LDH host name domain instead of"local",".local" and returns the response to the caller.</t><?rfc needLines="15" ?> <t>For<t pn="section-5.4-6">For example, a Discovery Proxy with the two subdomains"113.0.203.in&nbhy;addr.arpa""113.0.203.in‑addr.arpa" and"bldg1.example.com""bldg‑1.example.com" delegated to it would translate this Multicast DNS record:</t><figure><artwork><artwork name="" type="" align="left" alt="" pn="section-5.4-7"> 2.113.0.203.in-addr.arpa. PTRprnt.local.</artwork></figure> <t>intoprnt.local.</artwork> <t pn="section-5.4-8">into this Unicast DNS response:</t><figure><artwork><artwork name="" type="" align="left" alt="" pn="section-5.4-9"> 2.113.0.203.in-addr.arpa. PTRprnt.bldg1.example.com.</artwork></figure> <t>Subsequentprnt.bldg-1.example.com.</artwork> <t pn="section-5.4-10">In this example the "prnt.local" host name is translated using the delegated LDH subdomain, as described in <xref target="translation" format="default" sectionFormat="of" derivedContent="Section 5.5"/>.</t> <t pn="section-5.4-11">Subsequent queries for theprnt.bldg1.example.comprnt.bldg‑1.example.com address record, falling as it does within thebldg1.example.combldg‑1.example.com domain, which is delegated tothethis Discovery Proxy, will arrive atthethis DiscoveryProxy,Proxy where they are answered by issuing Multicast DNS queries and using the received Multicast DNS answers to synthesize Unicast DNS responses, as described above.</t><t>Note<t pn="section-5.4-12">Note that thisdesigndescription assumes that all addresses on a given IPv4 subnet or IPv6 prefix are mapped tohostnameshost names using the Discovery Proxy mechanism. It would be possible to implement a Discovery Proxy that can be configured so that some address-to-name mappings are performed using Multicast DNS on the local link, while other address-to-name mappings within the same IPv4 subnet or IPv6 prefix are configured manually.</t><?rfc needLines="46" ?></section> <sectiontitle="Data Translation"> <t>Generatinganchor="translation" numbered="true" toc="include" removeInRFC="false" pn="section-5.5"> <name slugifiedName="name-data-translation">Data Translation</name> <t pn="section-5.5-1">For the delegated rich-text and LDH subdomains, generating appropriate Multicast DNS queriesinvolves,<vspace/> at the very least,involves translating from the configured DNS domain(e.g., "Building 1.example.com")(e.g., "Building 1.example.com") on the Unicast DNS side to"local"".local" on the Multicast DNS side.</t><t>Generating<t pn="section-5.5-2">For the delegated reverse-mapping subdomain, generating appropriate Multicast DNS queries involves using the appropriate API mechanism to indicate that a query should be performed using Multicast DNS, as described in <xref target="dom-rev" format="default" sectionFormat="of" derivedContent="Section 5.4"/>.</t> <t pn="section-5.5-3">Generating appropriate Unicast DNS responses from the received Multicast DNS answers involves translating back from"local"".local" to the appropriate configuredDNSUnicastdomain.</t> <t>Other beneficial translation and filtering operations areDNS domain as necessary, as described below.</t><section anchor="ttl" title="DNS TTL limiting"> <t>For efficiency, Multicast DNS typically uses moderately high DNS TTL values. For example,<t pn="section-5.5-4">In thetypical TTL on DNS-SD PTR records is 75 minutes. What makes these moderately high TTLs acceptable isexamples below, thecache coherency mechanisms builtdelegated subdomains are as follows:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-5"> Delegated subdomain for rich-text names Building 1.example.com. Delegated subdomain for LDH names bldg‑1.example.com. Delegated subdomain for IPv4 reverse mapping 113.0.203.in-addr.arpa.</artwork> <t pn="section-5.5-6">Names into theMulticast DNSprotocol which protect against stale data persisting for too long. When a service shuts down gracefully, it sends goodbye packets to remove its PTR records immediately from neighboring caches. If a service shuts down abruptly without sending goodbye packets, the Passive Observation Of Failures (POOF) mechanism describedanswers that do not end inSection 10.5 of the <xref target="RFC6762">Multicast DNS specification</xref> comes into play to purge the cache of stale data.</t> <t>A traditional Unicast DNS client on a distant remote link does".local" do notget to participaterequire any translation.</t> <t pn="section-5.5-7">Names intheseMulticast DNScache coherency mechanismsanswers that end in ".local" are only meaningful on the locallink. For traditional Unicast DNS queries (those received without using Long-Lived Query <xref target="LLQ"/> or DNS Push Notification subscriptions <xref target="Push"/>)link, and require translation to make them useable by clients outside theDNS TTLs reportedlocal link.</t> <t pn="section-5.5-8">Names that end in ".local" may appear both as theresulting Unicastowner names of received Multicast DNSresponse MUST be capped to be no more than ten seconds.</t> <t>Similarly, for negative responses, the negative caching TTL indicatedanswer records, and in theSOA record <xref target="RFC2308"/> should also be ten seconds (<xref target="soa"/>).</t> <t>This valueRDATA often seconds is chosen based on user-experience considerations.</t> <t>For negative caching, suppose a user is attempting to access a remote device (e.g., a printer), and they are unsuccessful because that device is powered off. Suppose they then placereceived Multicast DNS answer records.</t> <t pn="section-5.5-9">In atelephone call and ask for the device to be powered on. We wantreceived Multicast DNS answer record, if thedevice to become available toowner name ends with ".local", then theuser within a reasonable time period. It".local" top-level label isreasonable to expect it to take onreplaced with theordername often seconds forthe delegated subdomain as was used in the originating query.</t> <t pn="section-5.5-10">In asimple device withreceived Multicast DNS answer record, if asimple embedded operating system to power on. Oncename in thedeviceRDATA ends with ".local", then the name ispowered on and has announced its presence ontranslated according to thenetwork via Multicast DNS, we would like itdelegated subdomain that was used in the originating query, as explained below.</t> <t pn="section-5.5-11">For queries in subdomains delegated for LDH host names, ".local" names in RDATA are translated totake no more thanthat delegated LDH subdomain. For example, afurther ten secondsquery forstale negative cache entries"thing.bldg‑1.example.com" will be translated toexpire from Unicasta Multicast DNScaches, making the device available toquery for "thing.local". If that query returns this CNAME record:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-12"> thing.local. CNAME prnt.local.</artwork> <t pn="section-5.5-13">then both theuser desiring to access it.</t> <t>Similar reasoning applies to capping positive TTLs at ten seconds. Inowner name and theevent of a device moving location, getting a new DHCP address, or other renumbering events, we would likename in theupdated information to be availableRDATA are translated from ".local" toremote clientsthe LDH subdomain "bldg‑1.example.com":</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-14"> thing.bldg‑1.example.com. CNAME prnt.bldg‑1.example.com.</artwork> <t pn="section-5.5-15">For queries ina relatively timely fashion.</t> <t>However, network administrators should be aware that many recursive (caching) DNS servers by defaultsubdomains delegated for reverse mapping names, ".local" names in RDATA areconfigured to impose a minimum TTL of 30 seconds. If stale data appearstranslated tobe persisting inthenetworkdelegated LDH subdomain, if one is configured, or to theextentdelegated rich-text subdomain otherwise. For example, consider a reverse mapping query that returns this PTR record:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-16"> 2.113.0.203.in-addr.arpa. PTR prnt.local.</artwork> <t pn="section-5.5-17">The owner name is not translated because itadversely impacts user experience, network administrators are adviseddoes not end in ".local". The name in the RDATA is translated from ".local" tochecktheconfiguration of their recursive DNS servers.</t> <t>For received Unicast DNSLDH subdomain "bldg‑1.example.com":</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-18"> 2.113.0.203.in-addr.arpa. PTR prnt.bldg‑1.example.com.</artwork> <t pn="section-5.5-19">For queriesthat use LLQ <xref target="LLQ"/>in subdomains delegated for rich-text names, ".local" names in RDATA are translated according to whether orDNS Push Notifications <xref target="Push"/>,not they represent host names (i.e., RDATA names that are theMulticastowner names of A and AAAA DNSrecord's TTL SHOULD be returned unmodified, becauserecords). RDATA names ending in ".local" that represent host names are translated to thePush Notification channel existsdelegated LDH subdomain, if one is configured, or toinformtheremote client as records come and go.delegated rich-text subdomain otherwise. All other RDATA names ending in ".local" are translated to the delegated rich-text subdomain. Forfurther details about Long-Lived Queries, and its newer replacement, DNS Push Notifications, see <xref target="aggregation"/>.</t> </section> <section anchor="unusable" title="Suppressing Unusable Records"> <t>A Discovery Proxy SHOULD offerexample, consider aconfigurable option, enabled by default, to suppress Unicast DNS answers for recordsDNS-SD service browsing PTR query thatare not useful outside the local link. When the option to suppress unusable records is enabled: <list style='symbols'> <t>DNS A and AAAA recordsreturns this PTR record forIPv4 link-local addresses <xref target="RFC3927"/>IPP printing:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-20"> _ipp._tcp.local. PTR My Printer._ipp._tcp.local.</artwork> <t pn="section-5.5-21">Both the owner name andIPv6 link-local addresses <xref target="RFC4862"/> SHOULD be suppressed.</t> <t>Similarly, for sites that have multiple private address realms <xref target="RFC1918"/>,the name incases wheretheDiscovery Proxy can determineRDATA are translated from ".local" to the rich-text subdomain:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-22"> _ipp._tcp.Building 1.example.com. PTR My Printer._ipp._tcp.Building 1.example.com.</artwork> <t pn="section-5.5-23">In contrast, consider a query that returns this SRV record for a specific IPP printing instance:</t> <artwork name="" type="" align="left" alt="" pn="section-5.5-24"> My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.</artwork> <t pn="section-5.5-25">As for all queries, thequerying clientowner name isin a different address realm, private addresses SHOULD NOT be communicatedtranslated tothat client.</t> <t><xref target="RFC4193">IPv6 Unique Local Addresses</xref> SHOULD be suppressed in cases wheretheDiscovery Proxy can determine thatdelegated subdomain of thequerying client isoriginating query, the delegated rich-text subdomain "Building 1.example.com". However, the ".local" name ina different IPv6 address realm.</t> <t>Bythesame logic, DNS SRV records that referenceRDATA is the target hostnamesname field of an SRV record, a field thathave no addresses usable byis used exclusively for host names. Consequently it is translated to therequester should be suppressed,LDH subdomain "bldg‑1.example.com", if configured, instead of the rich-text subdomain: </t> <artwork name="" type="" align="left" alt="" pn="section-5.5-26"> My Printer._ipp._tcp.Building 1.example.com. SRV 0 0 631 prnt.bldg‑1.example.com.</artwork> <t pn="section-5.5-27">Other beneficial translation andlikewise, DNS PTR records that point to unusable SRV records should be similarly be suppressed.</t> </list> </t> <?rfc needLines="8" ?> </section>filtering operations are described below.</t> <sectiontitle="NSEC and NSEC3 queries"> <t>Multicastanchor="ttl" numbered="true" toc="include" removeInRFC="false" pn="section-5.5.1"> <name slugifiedName="name-dns-ttl-limiting">DNS TTL Limiting</name> <t pn="section-5.5.1-1">For efficiency, Multicast DNSdevices do not routinely announce their recordstypically uses moderately high DNS TTL values. For example, the typical TTL on DNS-SD service browsing PTR records is 75 minutes. What makes these moderately high TTLs acceptable is thenetwork. Generally they remain silent until queried. This means thatcache coherency mechanisms built in to thecomplete set ofMulticast DNSrecords in use on a link can only be discovered by active querying, not by passive listening. Because of this, a Discovery Proxy can only know what names exist on a link by issuing queriesprotocol, which protect against stale data persisting forthem, and sincetoo long. When a service shuts down gracefully, itwould be impractical to issue queries for every possible name justsends goodbye packets tofind out which names exist and which do not,remove its service browsing PTR record(s) immediately from neighboring caches. If aDiscovery Proxy cannot programmatically generateservice shuts down abruptly without sending goodbye packets, thetraditional <xref target="RFC4034">NSEC</xref> andPassive Observation Of Failures (POOF) mechanism described in <xreftarget="RFC5155">NSEC3</xref> records which asserttarget="RFC6762" sectionFormat="of" section="10.5" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6762#section-10.5" derivedContent="RFC6762">the Multicast DNS specification</xref> comes into play to purge thenonexistence of a large rangecache ofnames.</t> <t>When queried for an NSEC or NSEC3 record type, the Discovery Proxy issuesstale data.</t> <t pn="section-5.5.1-2">A traditional Unicast DNS client on aqtype "ANY" query usingdistant remote link does not get to participate in these Multicast DNS cache coherency mechanisms on the locallink, and then generates an NSEC or NSEC3 response with a Type Bit Map signifying which record types do and do not exist for just the specific name queried, and no other names.</t> <t>Multicastlink. For traditional Unicast DNSNSEC recordsqueries (those receivedon the local link MUST NOT be forwarded unmodified to a unicast querier, because there are slight differences in the NSEC record data. In particular, Multicastwithout using Long-Lived Queries (LLQ) <xref target="RFC8764" format="default" sectionFormat="of" derivedContent="RFC8764"/> or DNSNSEC records do not havePush Notification subscriptions <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>), theNSEC bit setDNS TTLs reported in theType Bit Map, whereas conventionalresulting Unicast DNSNSEC records do have the NSEC bit set.</t> </section> <section anchor="notrans" title="No Text Encoding Translation"> <t>A Discovery Proxy does no translation between text encodings. Specifically, a Discovery Proxy doesresponse <bcp14>MUST</bcp14> be capped to be notranslation between <xref target="RFC3492">Punycode encoding</xref> and <xref target="RFC3629">UTF-8 encoding</xref>, either inmore than ten seconds.</t> <t pn="section-5.5.1-3">Similarly, for negative responses, theowner name of DNS records, or anywherenegative caching TTL indicated in theRDATA of DNS records (such as the RDATA of PTR records, SRV records, NS records, or otherSOA recordtypes like TXT, where it<xref target="RFC2308" format="default" sectionFormat="of" derivedContent="RFC2308"/> should also be ten seconds (see <xref target="soa" format="default" sectionFormat="of" derivedContent="Section 6.1"/>).</t> <t pn="section-5.5.1-4">This value of ten seconds isambiguous whether the RDATA may contain DNS names). All byteschosen based on user-experience considerations.</t> <t pn="section-5.5.1-5">For negative caching, suppose a user is attempting to access a remote device (e.g., a printer), and they aretreated as-is, with no attempt at text encoding translation. A client implementing DNS-based Service Discovery <xref target="RFC6763"/> will use UTF-8 encodingunsuccessful because that device is powered off. Suppose they then place a telephone call and ask forits service discovery queries, whichtheDiscovery Proxy passes through without any text encoding translationdevice to be powered on. We want theMulticast DNS subsystem. Responses from the Multicast DNS subsystem are similarly returned, without any text encoding translation, backdevice tothe requesting client.</t> <?rfc needLines="13" ?> </section> <section title="Application-Specific Data Translation"> <t>There may be cases where Application-Specific Data Translation is appropriate.</t> <t>For example, AirPrint printers tendbecome available toadvertise fairly verbose information about their capabilities in their DNS-SD TXT record. TXT record sizes intherange 500-1000 bytes are not uncommon. This information isuser within alegacy from LPR printing, because LPR does not have in-band capability negotiation, so all of this informationreasonable time period. It isconveyed usingreasonable to expect it to take on theDNS-SD TXT record instead. IPP printing does have in-band capability negotiation, butorder of ten seconds forconvenience printers tenda simple device with a simple embedded operating system toincludepower on. Once thesame capability information in their IPP DNS-SD TXT records as well. For local mDNS use this extra TXT record informationdevice isinefficient, but not fatal. However, when a Discovery Proxy aggregates data from multiple printerspowered ona link,andsends ithas announced its presence on the network viaunicast (via UDP or TCP) this amount of unnecessary TXT record information can result in large responses. A DNS reply over TCP carrying information about 70 printers with an average of 700 bytes per printer adds upMulticast DNS, we would like it toabout 50 kilobytes of data. Therefore,take no more than aDiscovery Proxy that is aware offurther ten seconds for stale negative cache entries to expire from Unicast DNS caches, making thespecifics of an application-layer protocol such as AirPrint (which uses IPP) can elide unnecessary key/value pairs from the DNS-SD TXT record for better network efficiency.</t> <t>Also, the DNS-SD TXT record for many printers contains an "adminurl" key something like "adminurl=http://printername.local/status.html". For this URLdevice available tobe useful outsidethelocal link, the embedded ".local" hostname needs to be translateduser desiring toan appropriate name with larger scope. It is easyaccess it.</t> <t pn="section-5.5.1-6">Similar reasoning applies totranslate ".local" names when they appear in well-defined places, either as a record's name, or in the rdata of record types like PTR and SRV.capping positive TTLs at ten seconds. In theprinting case, some application-specific knowledge about the semanticsevent of a device moving location, getting a new DHCP address, or other renumbering events, we would like the"adminurl" key is needed for the Discovery Proxyupdated information toknow that it containsbe available to remote clients in anamerelatively timely fashion.</t> <t pn="section-5.5.1-7">However, network administrators should be aware thatneedsmany recursive resolvers by default are configured tobe translated. This is somewhat analogousimpose a minimum TTL of 30 seconds. If stale data appears to be persisting in theneed for NAT gateways to contain ALGs (Application-Specific Gateways)network tofacilitatethecorrect translation of protocolsextent thatembed addresses in unexpected places.</t> <t>To avoid the need for application-specific knowledge about the semantics of particular TXT record keys, protocol designersit adversely impacts user experience, network administrators are advised toavoid placing link-local names or link-local IP addresses in TXT record keys, if translationcheck the configuration ofthose namestheir recursive resolvers.</t> <t pn="section-5.5.1-8">For received Unicast DNS queries that use LLQ <xref target="RFC8764" format="default" sectionFormat="of" derivedContent="RFC8764"/> oraddresses would be required for off-link operation. InDNS Push Notifications <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>, theprinting case,Multicast DNS record's TTL <bcp14>SHOULD</bcp14> be returned unmodified, because theoperational failure of failingnotification channel exists totranslateinform the"adminurl" key correctly is that, when accessed fromremote client as records come and go. For further details about Long-Lived Queries and its newer replacement, DNS Push Notifications, see <xref target="aggregation" format="default" sectionFormat="of" derivedContent="Section 5.6"/>.</t> </section> <section anchor="unusable" numbered="true" toc="include" removeInRFC="false" pn="section-5.5.2"> <name slugifiedName="name-suppressing-unusable-record">Suppressing Unusable Records</name> <t pn="section-5.5.2-1">A Discovery Proxy <bcp14>SHOULD</bcp14> offer adifferent link, printing will still work, but clicking the "Admin" UI button will failconfigurable option, enabled by default, toopen the printer's administration page. Rather than duplicating the host name fromsuppress Unicast DNS answers for records that are not useful outside theservice's SRV record in its "adminurl" key, thereby havinglocal link. When thesame host name appear in two places, a better design might have beenoption toomit the host name fromsuppress unusable records is enabled: </t> <ul spacing="normal" bare="false" empty="false" pn="section-5.5.2-2"> <li pn="section-5.5.2-2.1">For a Discovery Proxy that is serving only clients outside the"adminurl" key,local link, DNS A andinsteadAAAA records for IPv4 link-local addresses <xref target="RFC3927" format="default" sectionFormat="of" derivedContent="RFC3927"/> and IPv6 link-local addresses <xref target="RFC4862" format="default" sectionFormat="of" derivedContent="RFC4862"/> <bcp14>SHOULD</bcp14> be suppressed.</li> <li pn="section-5.5.2-2.2">Similarly, for sites that havethe client implicitly substitute the target host name from the service's SRV record in place of a missing host namemultiple private address realms <xref target="RFC1918" format="default" sectionFormat="of" derivedContent="RFC1918"/>, in cases where the"adminurl" key. That wayDiscovery Proxy can determine that thedesired host name only appears once, and itquerying client is in awell-defined placedifferent address realm, private addresses <bcp14>SHOULD NOT</bcp14> be communicated to that client.</li> <li pn="section-5.5.2-2.3"> IPv6 Unique Local Addresses <xref target="RFC4193" format="default" sectionFormat="of" derivedContent="RFC4193"/> <bcp14>SHOULD</bcp14> be suppressed in cases wheresoftware likethe Discovery Proxyis expecting to find it.</t> <t>Notecan determine thatthis kind of Application-Specific Data Translation is expected to be very rare. It is the exception, rather thantherule. Thisquerying client isan example of a common themeincomputing. It is frequently the case that it is wise to start withaclean, layered design, with clear boundaries. Then, in certain special cases, those layer boundaries may be violated, where the performance and efficiency benefits outweighdifferent IPv6 address realm.</li> <li pn="section-5.5.2-2.4">By theinelegance ofsame logic, DNS SRV records that reference target host names that have no addresses usable by thelayer violation.</t> <t>These layer violations are optional. They are done primarily for efficiency reasons, and generallyrequester shouldnotberequired for correct operation. A Discovery Proxy MAY operate solely at the mDNS layer, without any knowledge of semantics at thesuppressed, and likewise, DNS-SDlayer or above.</t> <?rfc needLines="30" ?> </section>service browsing PTR records that point to unusable SRV records should similarly be suppressed.</li> </ul> </section> <sectionanchor="aggregation" title="Answer Aggregation"> <t>In a simple analysis, simply gathering multicast answersnumbered="true" toc="include" removeInRFC="false" pn="section-5.5.3"> <name slugifiedName="name-nsec-and-nsec3-queries">NSEC andforwarding them in a unicast response seems adequate, but it raises the question of how longNSEC3 Queries</name> <t pn="section-5.5.3-1">Multicast DNS devices do not routinely announce their records on theDiscovery Proxy should wait to be surenetwork. Generally, they remain silent until queried. This means thatit has received allthe complete set of Multicast DNSanswersrecords in use on a link can only be discovered by active querying, not by passive listening. Because of this, a Discovery Proxy can only know what names exist on a link by issuing queries for them, and since itneedswould be impractical toformissue queries for every possible name just to find out which names exist and which do not, acomplete Unicast DNS response. If it waits too little time, then it risks itsDiscovery Proxy cannot programmatically generate the traditional Unicast DNSresponse being incomplete. If it waits too long, then it creates a poor user experience at the client end. In fact, there may be no time which is both short enough to produce a good user experienceNSEC <xref target="RFC4034" format="default" sectionFormat="of" derivedContent="RFC4034"/> andatNSEC3 <xref target="RFC5155" format="default" sectionFormat="of" derivedContent="RFC5155"/> records that assert thesame time long enough to reliably produce complete results.</t> <t>Similarly,nonexistence of a large range of names.</t> <t pn="section-5.5.3-2">When queried for an NSEC or NSEC3 record type, the Discovery Proxy-- the authoritative name server for the subdomain in question -- needs to decide whatissues a qtype "ANY" query using Multicast DNSTTL to report for these records. If the TTL is too long then the recursive (caching) name servers issuing queriesonbehalf of their clients risk caching stale data for too long. IftheTTL is too shortlocal link and thenthe amount of network traffic will be more than necessary. In fact, there may be no TTLgenerates an NSEC or NSEC3 response with a Type Bit Map signifying whichis both short enough to avoid undesirable stale datarecord types do andatdo not exist for just thesame time long enough to be efficientspecific name queried, and no other names.</t> <t pn="section-5.5.3-3">Multicast DNS NSEC records received on thenetwork.</t> <t>Both these dilemmas are solved by use of DNS Long-Lived Queries (DNS LLQ) <xref target="LLQ"/> or its newer replacement, <xref target="Push">DNS Push Notifications</xref>.</t> <t>Clients supportinglocal link <bcp14>MUST NOT</bcp14> be forwarded unmodified to a unicast querier, because there are slight differences in the NSEC record data. In particular, Multicast DNSService Discovery SHOULD implement <xref target="Push">DNS Push Notifications</xref> for improved user experience.</t> <t>Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push, and when talking to a Discovery Proxy that supports both,NSEC records do not have theclient may use either protocol, as it chooses, though it is expected that only DNS Push will continue to be supportedNSEC bit set in thelong run.</t> <t>When a Discovery Proxy receives a query using DNS LLQ or DNS Push Notifications, it responds immediately using the MulticastType Bit Map, whereas conventional Unicast DNS NSEC recordsit already has in its cache (if any). This provides a good client user experience by providing a near-instantaneous response. Simultaneously,do have the NSEC bit set.</t> </section> <section anchor="notrans" numbered="true" toc="include" removeInRFC="false" pn="section-5.5.4"> <name slugifiedName="name-no-text-encoding-translatio">No Text-Encoding Translation</name> <t pn="section-5.5.4-1">A Discovery Proxyissuesdoes no translation between text encodings. Specifically, aMulticast DNS query onDiscovery Proxy does no translation between Punycode encoding <xref target="RFC3492" format="default" sectionFormat="of" derivedContent="RFC3492"/> and UTF-8 encoding <xref target="RFC3629" format="default" sectionFormat="of" derivedContent="RFC3629"/>, either in thelocal link to discover if there are any additional Multicastowner name of DNS recordsit did not already know about. Should additional Multicast DNS responses be received, these are then delivered to the client using additional DNS LLQor anywhere in the RDATA of DNSPush Notification update messages. The timelinessrecords (such as the RDATA ofsuch update messagesPTR records, SRV records, NS records, or other record types like TXT, where it islimited only byambiguous whether thetimeliness ofRDATA may contain DNS names). All bytes are treated as-is with no attempt at text-encoding translation. A client implementing DNS-based Service Discovery <xref target="RFC6763" format="default" sectionFormat="of" derivedContent="RFC6763"/> will use UTF-8 encoding for its unicast DNS-based Service Discovery queries, which thedevice respondingDiscovery Proxy passes through without any text-encoding translation to the Multicast DNSquery. Ifsubsystem. Responses from the Multicast DNSdevice responds quickly, thensubsystem are similarly returned, without any text-encoding translation, back to theupdate messagerequesting unicast client.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-5.5.5"> <name slugifiedName="name-application-specific-data-t">Application-Specific Data Translation</name> <t pn="section-5.5.5-1">There may be cases where Application-Specific Data Translation isdelivered quickly. If the Multicast DNS device responds slowly, thenappropriate.</t> <t pn="section-5.5.5-2">For example, AirPrint printers tend to advertise fairly verbose information about their capabilities in their DNS-SD TXT record. TXT record sizes in theupdate message is delivered slowly. The benefitrange ofusing update messages500-1000 bytes are not uncommon. This information isthat the Discovery Proxy can respond promptlya legacy from lineprinter (LPR) printing, becauseit doesn'tLPR does not haveto delay its unicast response to allow forin-band capability negotiation, so all of this information is conveyed using theexpected worst-case delayDNS-SD TXT record instead. Internet Printing Protocol (IPP) printing does have in-band capability negotiation, but forreceiving allconvenience, printers tend to include the same capability information in their IPP DNS-SD TXT records as well. For local Multicast DNSresponses. Even if(mDNS) use, this extra TXT record information is wasteful but not fatal. However, when aproxy were to try to provide reliability by assuming an excessively pessimistic worst-case time (thereby givingDiscovery Proxy aggregates data from multiple printers on avery poor user experience) there would still be the risklink, and sends it via unicast (via UDP or TCP), this amount ofa slow Multicastunnecessary TXT record information can result in large responses. A DNSdevice taking even longer than that (e.g.,reply over TCP carrying information about 70 printers with an average of 700 bytes per printer adds up to about 50 kilobytes of data. Therefore, adeviceDiscovery Proxy that isnot even powered on until ten seconds after the initial query is received) resulting in incomplete responses. Using update message solves this dilemma: even very late responses are not lost; they are delivered in subsequent update messages.</t> <?rfc needLines="16" ?> <t>There are two factors that determine specifically how responses are generated:</t> <t>The first factor is whetheraware of thequeryspecifics of an application-layer protocol such as AirPrint (which uses IPP) can elide unnecessary key/value pairs from theclient used LLQ or DNS Push Notifications (used for long-lived service browsing PTR queries) or not (usedDNS-SD TXT record forone-shot operations like SRV or addressbetter network efficiency.</t> <t pn="section-5.5.5-3">Also, the DNS-SD TXT recordqueries). Note that queries using LLQ or DNS Push Notifications are received directly fromfor many printers contains an "adminurl" key (e.g., "adminurl=http://printername.local/status.html"). For this URL to be useful outside theclient. Queries not using LLQ or DNS Push Notifications are generally received vialocal link, theclient's configured recursive (caching)embedded ".local" host nameserver.</t> <t>The second factorneeds to be translated to an appropriate name with larger scope. It iswhether the Discovery Proxy already has at least one record in its cache that positively answers the question. <list style='symbols'> <t>Not using LLQ or Push Notifications; no answereasy to translate ".local" names when they appear incache:<vspace/> Issue an mDNS query, exactlywell-defined places: as alocal client would issue an mDNS query on the local link forrecord's owner name, or in domain name fields in thedesiredRDATA of recordname, typetypes like PTR andclass, including retransmissions, as appropriate, according toSRV. In theestablished mDNS retransmission schedule <xref target="RFC6762"/>. As soon as any Multicast DNS response packet is received that contains one or more positive answers to that question (with or withoutprinting case, some application-specific knowledge about theCache Flush bit <xref target="RFC6762"/> set), or a negative answer (signified via a Multicast DNS NSEC record <xref target="RFC6762"/>),semantics of the "adminurl" key is needed for the Discovery Proxygenerates a Unicast DNS response packet containing the corresponding (filtered and translated) answers and sends ittothe remote client. If after six seconds no Multicast DNS answers have been received, cancel the mDNS query and returnknow that it contains anegative responsename that needs tothe remote client. Six secondsbe translated. This isenough timesomewhat analogous totransmit three mDNS queries, and allow some timethe need forresponsesNAT gateways toarrive.<vspace/> DNS TTLs in responses MUST be cappedcontain ALGs (Application-Level Gateways) toat most ten seconds.<vspace/> (Reasoning: Queries not using LLQ or Push Notifications are generally queries thatfacilitate the correct translation of protocols thatexpect an answer from only one device, soembed addresses in unexpected places.</t> <t pn="section-5.5.5-4">To avoid thefirst response is alsoneed for application-specific knowledge about theonly response.) <vspace blankLines="1"/> </t> <t>Not using LLQ or Push Notifications; at least one answer in cache:<vspace/> Send response right awaysemantics of particular TXT record keys, protocol designers are advised tominimise delay.<vspace/> DNS TTLsavoid placing link-local names or link-local IP addresses inresponses MUSTTXT record keys if translation of those names or addresses would becappedrequired for off-link operation. In the printing case, the consequence of failing toat most ten seconds.<vspace/> No local mDNS queries are performed.<vspace/> (Reasoning: Queries not using LLQ or Push Notifications are generally queries that that expect an answer from only one device. Given RRSet TTL harmonisation, iftranslate theproxy has one Multicast DNS answer"adminurl" key correctly would be that, when accessed from a different link, printing will still work, but clicking the "Admin" user interface button will fail to open the printer's administration page. Rather than duplicating the host name from the service's SRV record in itscache, it can reasonably assume that it has all of them.)</t> <t>Using LLQ or Push Notifications; no answer in cache:<vspace/> As in"adminurl" key, thereby having thecase above with no answersame host name appear inthe cache, perform mDNS querying for six seconds, and sendtwo places, aresponse to the remote client as soon as any relevant mDNS response is received.<vspace/> If after six seconds no relevant mDNS response hasbetter design might have beenreceived, return negative responseto omit theremote client (for LLQ; not applicable for Push Notifications).<vspace/> (Reasoning: We don't need to rush to send an empty answer.)<vspace/> Whether or not a relevant mDNS response is received within six seconds,host name from thequery remains active for as long as"adminurl" key and instead have the clientmaintainsimplicitly substitute theLLQ or Push Notification state, and if mDNS answers are received later, LLQ or Push Notification messages are sent.<vspace/> DNS TTLs in responses are returned unmodified.</t> <t>Using LLQ or Push Notifications; at least one answer in cache:<vspace/> As intarget host name from thecase above with at least one answerservice's SRV record in place of a missing host name incache, send response right away to minimise delay.<vspace/> The query remains active for as long astheclient maintains"adminurl" key. That way, theLLQ or Push Notification state,desired host name only appears once andresultsis intransmission of mDNS queries, with appropriate Known Answer lists,a well-defined place where software like the Discovery Proxy is expecting todetermine if further answers are available. If additional mDNS answers are received later, LLQ or Push Notification messages are sent.<vspace/> (Reasoning: We want UIfind it.</t> <t pn="section-5.5.5-5">Note that this kind of Application-Specific Data Translation isdisplayed very rapidly, yet continuesexpected toremain accurate even asbe very rare; it is thenetwork environment changes.)<vspace/> DNS TTLs in responses are returned unmodified.</t> </list> </t> <t>The "negative responses" referred to above are "no error no answer" negative responses, not NXDOMAIN.exception rather than the rule. This isbecause the Discovery Proxy cannot know allan example of a common theme in computing. It is frequently theMulticast DNS domain namescase thatmay exist onit is wise to start with alink at any given time, so any nameclean, layered design withno answers may have child names that do exist, making it an "empty nonterminal" name.</t> <?rfc needLines="30" ?> <t>Note thatclear boundaries. Then, in certainaspectsspecial cases, those layer boundaries may be violated where the performance and efficiency benefits outweigh the inelegance of thebehavior described here dolayer violation.</t> <t pn="section-5.5.5-6">These layer violations are optional. They are done primarily for efficiency reasons and generally should nothave tobeimplemented overtly by therequired for correct operation. A DiscoveryProxy; they occur naturally as a resultProxy <bcp14>MAY</bcp14> operate solely at the mDNS layer without any knowledge ofusing existing Multicast DNS APIs.</t> <t>For example, insemantics at thefirst case above (no LLQDNS-SD layer orPush Notifications, and noabove.</t> </section> </section> <section anchor="aggregation" numbered="true" toc="include" removeInRFC="false" pn="section-5.6"> <name slugifiedName="name-answer-aggregation">Answer Aggregation</name> <t pn="section-5.6-1">In a simple analysis, simply gathering multicast answers and forwarding them inthe cache) ifanew Multicast DNS query is requested (either by a local client, or byunicast response seems adequate, but it raises theDiscovery Proxy on behalfquestion ofa remote client), and there is not already an identical Multicast DNS query active, and there are no matching answers already in the Multicast DNS cache onhow long the Discovery Proxydevice, then this will cause a series of Multicast DNS query packetsshould wait to beissued with exponential backoff. The exponential backoff sequence in some implementations starts at one second and then doubles for each retransmission (0, 1, 3, 7 seconds, etc.) and in others starts at one second and then triples for each retransmission (0, 1, 4, 13 seconds, etc.). In either case, if no responsesure that it hasbeenreceivedafter six seconds, that is long enough thatall theunderlyingMulticast DNSimplementation will have sent three query packets without receiving anyanswers it needs to form a complete Unicast DNS response.At that point the Discovery Proxy cancelsIf it waits too little time, then it risks itsMulticast DNS query (so no further MulticastUnicast DNSquery packets will be sent for this query) and returns a negativeresponsetobeing incomplete. If it waits too long, then it creates a poor user experience at theremoteclientvia unicast.</t> <t>The six-second delay is chosen toend. In fact, there may belong enough to give enoughno timefor devices to respond, yetthat is both short enoughnottobe too onerous forproduce ahumangood userwaiting for a response. For example, using the "dig" DNS debugging tool,experience and at thecurrent default settings result in it waiting a total of 15 seconds for a reply (three transmissions of the query packet, with a wait of 5 seconds after each packet) which is amplesame timefor itlong enough tohave received a negative reply from areliably produce complete results.</t> <t pn="section-5.6-2">Similarly, the Discovery Proxyafter six seconds.</t> <t>The statement that(the authoritative name server fora one-shot query (i.e., no LLQ or Push Notifications requested), if at least one answer is already available inthecache then a Discovery Proxy should not issue additional mDNS query packets, also occurs naturally as a result of using existing Multicastsubdomain in question) needs to decide what DNSAPIs.TTL to report for these records. Ifa new Multicast DNS querythe TTL isrequested (either locally, or bytoo long, then theDiscovery Proxyrecursive resolvers issuing queries on behalf ofa remote client),their clients risk caching stale data forwhich there are relevant answers already in the Multicast DNS cache on the Discovery Proxy device, and after the answers are deliveredtoo long. If theMulticast DNS queryTTL is too short, thencancelled immediately, then no Multicast DNS query packets will be generated for this query.</t> <?rfc needLines="19" ?> </section> </section> <section anchor="admin" title="Administrative DNS Records"> <section anchor="soa" title="DNS SOA (Start of Authority) Record"> <t>The MNAME field SHOULD containthehost nameamount ofthe Discovery Proxy device (i.e.,network traffic will be more than necessary. In fact, there may be no TTL that is both short enough to avoid undesirable stale data and, at the samedomain name as the rdata of the NS record delegating the relevant zone(s)time, long enough tothis Discovery Proxy device).</t> <t>The RNAME field SHOULD containbe efficient on themailbox ofnetwork.</t> <t pn="section-5.6-3">Both these dilemmas are solved by theperson responsible for administering thisuse of DNS Long-Lived Queries (LLQ) <xref target="RFC8764" format="default" sectionFormat="of" derivedContent="RFC8764"/> or its newer replacement, DNS Push Notifications <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>.</t> <t pn="section-5.6-4">Clients supporting unicast DNS-based Service DiscoveryProxy device.</t> <t>The SERIAL field MUST be zero.</t> <t>Zone transfers are undefined<bcp14>SHOULD</bcp14> implement DNS Push Notifications <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/> for improved user experience.</t> <t pn="section-5.6-5">Clients and DiscoveryProxy zones,Proxies <bcp14>MAY</bcp14> support both LLQ andconsequently the REFRESH, RETRYDNS Push Notifications, andEXPIRE fields have no useful meaning forwhen talking to a Discovery Proxyzones. These fields SHOULD contain reasonable default values. The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE 86400.</t> <t>The MINIMUM field (used to control the lifetime of negative cache entries) SHOULD containthat supports both, thevalue 10. The value of ten secondsclient may use either protocol, as it chooses, though it ischosen based on user-experience considerations (see <xref target="ttl"/>).</t> <t>In the eventexpected thatthere are multiple Discovery Proxy devices on a link for fault tolerance reasons, thisonly DNS Push Notifications willresultcontinue to be supported inclients receiving inconsistent SOA records (different MNAME, and possibly RNAME) depending on whichthe long run.</t> <t pn="section-5.6-6">When a Discovery Proxyanswers their SOA query. However, since clients generally have no reason to use the MNAMEreceives a query using LLQ orRNAME data, this is unlikely to cause any problems.</t> <?rfc needLines="22" ?> </section> <section anchor="ns" title="DNS NS Records"> <t>InDNS Push Notifications, it responds immediately using the Multicast DNS records it already has in its cache (if any). This provides a good client user experience by providing a near-instantaneous response. Simultaneously, theevent that there are multipleDiscovery Proxydevices onissues alink for fault tolerance reasons,Multicast DNS query on theparent zone MUST be configured with NSlocal link to discover if there are any additional Multicast DNS recordsgiving the names of all the Discovery Proxy devices on the link.</t> <t>Each Discovery Proxy device MUSTit did not already know about. Should additional Multicast DNS responses beconfiguredreceived, these are then delivered toanswer NS queries forthezone apex nameclient using additional LLQ or DNS Push Notification update messages. The timeliness of such update messages is limited only bygiving its own NS record, andtheNS recordstimeliness ofits fellow Discovery Proxy devices on the same link, so that it can return the correct answers for NS queries.</t> <t>The target host name intheRDATA of an NS record MUST NOT reference a name that falls within any zone delegateddevice responding toa Discovery Proxy. Apart fromthezone apex name, all other host names that fall within a zone delegated to a Discovery Proxy correspond to localMulticast DNShost names, which logically belong toquery. If therespectiveMulticast DNShosts defending those names, notdevice responds quickly, then theDiscovery Proxy. Generally speaking,update message is delivered quickly. If the Multicast DNS device responds slowly, then the update message is delivered slowly. The benefit of using multiple update messages to deliver results as they become available is that the Discovery Proxydoes not own or control the delegated zone;can respond promptly because itis merelydoesn't have to deliver all the results in aconduitsingle response that needs to be delayed to allow for thecorresponding ".local" namespace, which is controlled byexpected worst-case delay for receiving all the Multicast DNShosts onresponses.</t> <t pn="section-5.6-7">With a proxy thatlink. If an NS recordsupported only standard DNS queries, even if it were toreferencetry to provide reliability by assuming an excessively pessimistic worst-case time (thereby giving amanually-determined host name that falls withinvery poor user experience), there would still be the risk of adelegated zone,slow Multicast DNS device taking even longer than thatmanually-determined host name may inadvertently conflict withworst-case time (e.g., acorresponding ".local" host namedevice that isowned and controlled by some devicenot even powered on until ten seconds after the initial query is received), resulting in incomplete responses. Using update messages to deliver subsequent asynchronous replies solves this dilemma: even very late responses are not lost; they are delivered in subsequent update messages.</t> <t pn="section-5.6-8">Note thatlink. </t> </section> <section anchor="delegation" title="DNS Delegation Records"> <t>Sincewhile normal DNS queries are generally received via the<xref target="RFC6762">Multicastclient's configured recursive resolver, LLQ and DNSspecification</xref> states that there canPush Notification subscriptions may beno delegation (subdomains) within a ".local" namespace, this impliesreceived directly from the client.</t> <t pn="section-5.6-9">There are two factors thatany name within a zone delegated to adetermine how unicast responses are generated:</t> <t pn="section-5.6-10">The first factor is whether or not the Discovery Proxy(except for the zone apex name itself) cannot have anyalready has at least one record in its cache that answersfor anythe question. </t> <t pn="section-5.6-11"> The second factor is whether the client used a normal DNS query, or established a subscription using LLQ or DNS Push Notifications. Normal DNS queries are typically used forRRTYPEs SOA, NS,one-shot operations like SRV orDS. Consequently: <list style='symbols'> <t>for any queryaddress record queries. LLQ and DNS Push Notification subscriptions are typically used forthe zone apex name of a zone delegated tolong-lived service browsing PTR queries. Normal DNS queries and LLQ each have different response timing depending on the cache state, yielding the first four cases listed below. DNS Push Notifications, the newer protocol, has uniform behavior regardless of cache state, yielding the fifth case listed below.</t> <ul spacing="normal" bare="false" empty="false" pn="section-5.6-12"> <li pn="section-5.6-12.1"> <t pn="section-5.6-12.1.1">Standard DNS query; no answer in cache:</t> <t pn="section-5.6-12.1.2"> Issue an mDNS query on the local link, exactly as aDiscovery Proxy,local client would issue an mDNS query, for the desired record name, type, and class, including retransmissions, as appropriate, according to the established mDNS retransmission schedule <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/>. The Discovery ProxyMUST generate the appropriate immediate answersawaits Multicast DNS responses.</t> <t pn="section-5.6-12.1.3"> As soon asdescribed above, and</t> <t>foranyquery for RRTYPEs SOA, NS,Multicast DNS response packet is received that contains one orDS, for any name within a zone delegatedmore positive answers toa Discovery Proxy, other than the zone apex name, instead of translatingthat question (with or without thequery to its correspondingCache Flush bit <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/> set) or a negative answer (signified via a Multicast DNS".local" equivalent, aNSEC record <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762"/>), the Discovery ProxyMUST generate an immediate negative answer.</t> </list> </t> </section> <section anchor="srv" title="DNS SRV Records"> <t>There are certain specialgenerates a Unicast DNSrecords that logically fall withinresponse message containing thedelegated unicast DNS subdomain, but rather than mapping to theircorresponding".local" namesakes, they actually contain metadata pertaining(filtered and translated) answers and sends it to theoperation of the delegated unicastremote client.</t> <t pn="section-5.6-12.1.4"> If after six seconds no relevant Multicast DNSsubdomain itself. They do not exist in the corresponding ".local" namespace ofanswers have been received, cancel thelocal link. For these queriesmDNS query and return aDiscovery Proxy MUST generate immediate answers, whether positive or negative,negative response toavoid delays while clients wait for their query to be answered. For example, if a Discovery Proxy does not implement <xref target="LLQ">Long-Lived Queries</xref> then it MUST return an immediate negative answer to telltheclient this without delay, instead of passingremote client. Six seconds is enough time for thequery throughunderlying Multicast DNS subsystem tothe local network as a query for <spanx style="verb">_dns&nbhy;llq._udp.local.</spanx>,transmit three mDNS queries andthen waiting unsuccessfullyallow some time foranswers that will not be forthcoming.</t> <t>If a Discovery Proxy implements <xref target="LLQ">Long-Lived Queries</xref> then it MUST positively respondresponses to<spanx style="verb">_dns&nbhy;llq._udp.<zone> SRV</spanx> queries, <spanx style="verb">_dns&nbhy;llq._tcp.<zone> SRV</spanx> queries, and <spanx style="verb">_dns&nbhy;llq&nbhy;tls._tcp.<zone> SRV</spanx> queries as appropriate, else it MUST return an immediate negative answer for those queries.</t> <t>If a Discovery Proxy implements <xref target="Push">DNSarrive.</t> <t pn="section-5.6-12.1.5"> (Reasoning: Queries not using LLQ or PushNotifications</xref> then it MUST positively respond to <spanx style="verb">_dns&nbhy;push&nbhy;tls._tcp.<zone></spanx> queries, else it MUST return an immediate negative answer for those queries.</t> <t>A Discovery Proxy MUST returnNotifications are generally queries that expect animmediate negativeanswerfor <spanx style="verb">_dns&nbhy;update._udp.<zone> SRV</spanx> queries, <spanx style="verb">_dns&nbhy;update._tcp.<zone> SRV</spanx> queries, and <spanx style="verb">_dns&nbhy;update-tls._tcp.<zone> SRV</spanx> queries, since using <xref target="RFC2136">DNS Update</xref> to change zones generated dynamicallyfromlocal Multicast DNS data is not possible.</t> <?rfc needLines="29" ?> </section> </section> <section anchor="DNSSEC" title="DNSSEC Considerations"> <section title="On-line signing only"> <t>The Discovery Proxy acts asonly one device, so theauthoritative name server for designated subdomains, and if DNSSECfirst response isto be used,also the only response.)</t> <t pn="section-5.6-12.1.6"> DNS TTLs in responses <bcp14>MUST</bcp14> be capped to at most ten seconds.</t> </li> <li pn="section-5.6-12.2"> <t pn="section-5.6-12.2.1">Standard DNS query; at least one answer in cache:</t> <t pn="section-5.6-12.2.2"> No local mDNS queries are performed.</t> <t pn="section-5.6-12.2.3"> The Discovery Proxyneeds to possessgenerates acopy ofUnicast DNS response message containing thesigning keys, in order to generate authoritative signed dataanswer(s) from thelocal Multicast DNS responses it receives. Off-line signing is not applicablecache right away, toDiscovery Proxy.</t> </section> <section title="NSEC and NSEC3 Records"> <t>In DNSSEC <xref target="RFC4034">NSEC</xref> and <xref target="RFC5155">NSEC3</xref> recordsminimize delay.</t> <t pn="section-5.6-12.2.4"> (Reasoning: Queries not using LLQ or Push Notifications areused to assert the nonexistence of certain names, also described as "authenticated denial of existence".</t> <t>Since a Discovery Proxygenerally queries that expect an answer from onlyknows what names exist onone device. Given RRSet TTL harmonization, if thelocal link by issuing queries for them, and sinceproxy has one Multicast DNS answer in its cache, itwouldcan reasonably assume that it has the whole set.)</t> <t pn="section-5.6-12.2.5"> DNS TTLs in responses <bcp14>MUST</bcp14> beimpracticalcapped toissue queriesat most ten seconds.</t> </li> <li pn="section-5.6-12.3"> <t pn="section-5.6-12.3.1">Long-Lived Query (LLQ); no answer in cache:</t> <t pn="section-5.6-12.3.2"> As in the case above with no answer in the cache, plan to perform mDNS querying forevery possible name justsix seconds, returning an LLQ response message tofind out which names exist and which do not, a Discovery Proxy cannot programmatically synthesizethetraditional NSECremote client as soon as any relevant mDNS response is received.</t> <t pn="section-5.6-12.3.3"> If after six seconds no relevant mDNS answers have been received, andNSEC3 records which assertthenonexistence of a large range of names. Instead, when generatingclient has not cancelled its Long-Lived Query, return a negativeresponse, a Discovery Proxy programmatically synthesizes a single NSEC record assertLLQ response message to thenonexistenceremote client.</t> <t pn="section-5.6-12.3.4"> (Reasoning: We don't need to rush to send an empty answer.)</t> <t pn="section-5.6-12.3.5"> Regardless ofjustwhether or not a relevant mDNS response is received within six seconds, thespecific name queried, and no others. SinceLong-Lived Query remains active for as long as theDiscovery Proxy hasclient maintains thezone signing key, it can do this on demand. SinceLLQ state, and results in theNSEC record assertsongoing transmission of mDNS queries until thenonexistenceLong-Lived Query is cancelled. If the set ofonlymDNS answers changes, LLQ Event Response messages are sent.</t> <t pn="section-5.6-12.3.6"> DNS TTLs in responses are returned unmodified.</t> </li> <li pn="section-5.6-12.4"> <t pn="section-5.6-12.4.1">Long-Lived Query (LLQ); at least one answer in cache:</t> <t pn="section-5.6-12.4.2"> As in the case above with at least one answer in the cache, the Discovery Proxy generates asingle name, zone walking is notunicast LLQ response message containing the answer(s) from the cache right away, to minimize delay.</t> <t pn="section-5.6-12.4.3"> The Long-Lived Query remains active for as long as the client maintains the LLQ state, and results in the transmission of mDNS queries (with appropriate Known Answer lists) to determine if further answers are available. If the set of mDNS answers changes, LLQ Event Response messages are sent.</t> <t pn="section-5.6-12.4.4"> (Reasoning: We want aconcern, so NSEC3 is not necessary.</t> <t>Noteuser interface thatthis applies onlyis displayed very rapidly yet continues totraditional immediateremain accurate even as the network environment changes.)</t> <t pn="section-5.6-12.4.5"> DNSqueries, which may return immediate negativeTTLs in responses are returned unmodified.</t> </li> <li pn="section-5.6-12.5"> <t pn="section-5.6-12.5.1">Push Notification Subscription</t> <t pn="section-5.6-12.5.2"> The Discovery Proxy acknowledges the subscription request immediately.</t> <t pn="section-5.6-12.5.3"> If one or more answerswhen no immediate positive answer isare already available in the cache, those answers are then sent in an immediately following DNS PUSH message.</t> <t pn="section-5.6-12.5.4"> The Push Notification subscription remains active until the client cancels the subscription, and results in the transmission of mDNS queries (with appropriate Known Answer lists) to determine if further answers are available.When usedIf the set of mDNS answers changes, further DNS PUSH messages are sent.</t> <t pn="section-5.6-12.5.5"> (Reasoning: We want a user interface that is displayed very rapidly yet continues to remain accurate even as the network environment changes.)</t> <t pn="section-5.6-12.5.6"> DNS TTLs in responses are returned unmodified.</t> </li> </ul> <t pn="section-5.6-13">Where the text above refers to returning "a negative response to the remote client", it is describing returning a "no error no answer" negative response, not NXDOMAIN. This is because the Discovery Proxy cannot know all the Multicast DNS domain names that may exist on a link at any given time, so any name with no answers may have child names that do exist, making it an "empty non-terminal" name.</t> <t pn="section-5.6-14">Note that certain aspects of the behavior described here do not have to be implemented overtly by the Discovery Proxy; they occur naturally as a result of using existing Multicast DNS APIs.</t> <t pn="section-5.6-15">For example, in the first case above (standard DNS query and no answers in the cache), if a new Multicast DNS query is requested (either by a local client on the Discovery Proxy device, or by the Discovery Proxy software on that device on behalf of a remote client), and there is not already an identical Multicast DNS query active and there are no matching answers already in the Multicast DNS cache on the Discovery Proxy device, then this will cause a series of Multicast DNS query packets to be issued with exponential backoff. The exponential backoff sequence in some implementations starts at one second and then doubles for each retransmission (0, 1, 3, 7 seconds, etc.), and in others, it starts at one second and then triples for each retransmission (0, 1, 4, 13 seconds, etc.). In either case, if no response has been received after six seconds, that is long enough that the underlying Multicast DNS implementation will have sent three query packets without receiving any response. At that point, the Discovery Proxy cancels its Multicast DNS query (so no further Multicast DNS query packets will be sent for this query) and returns a negative response to the remote client via unicast.</t> <t pn="section-5.6-16">The six-second delay is chosen to be long enough to give enough time for devices to respond, yet short enough not to be too onerous for a human user waiting for a response. For example, using the "dig" DNS debugging tool, the current default settings result in it waiting a total of 15 seconds for a reply (three transmissions of the DNS UDP query packet, with a wait of 5 seconds after each packet), which is ample time for it to have received a negative reply from a Discovery Proxy after six seconds.</t> <t pn="section-5.6-17">The text above states that for a standard DNS query, if at least one answer is already available in the cache, then a Discovery Proxy should not issue additional mDNS query packets. This also occurs naturally as a result of using existing Multicast DNS APIs. If a new Multicast DNS query is requested (either locally, or by the Discovery Proxy on behalf of a remote client) for which there are relevant answers already in the Multicast DNS cache on the Discovery Proxy device, and after the answers are delivered the Multicast DNS query is immediately cancelled, then no Multicast DNS query packets will be generated for this query. </t> </section> </section> <section anchor="admin" numbered="true" toc="include" removeInRFC="false" pn="section-6"> <name slugifiedName="name-administrative-dns-records">Administrative DNS Records</name> <section anchor="soa" numbered="true" toc="include" removeInRFC="false" pn="section-6.1"> <name slugifiedName="name-dns-soa-start-of-authority-">DNS SOA (Start of Authority) Record</name> <t pn="section-6.1-1">The MNAME field <bcp14>SHOULD</bcp14> contain the host name of the Discovery Proxy device (i.e., the same domain name as the RDATA of the NS record delegating the relevant zone(s) to this Discovery Proxy device).</t> <t pn="section-6.1-2">The RNAME field <bcp14>SHOULD</bcp14> contain the mailbox of the person responsible for administering this Discovery Proxy device.</t> <t pn="section-6.1-3">The SERIAL field <bcp14>MUST</bcp14> be zero.</t> <t pn="section-6.1-4">Zone transfers are undefined for Discovery Proxy zones, and consequently, the REFRESH, RETRY, and EXPIRE fields have no useful meaning for Discovery Proxy zones. These fields <bcp14>SHOULD</bcp14> contain reasonable default values. The <bcp14>RECOMMENDED</bcp14> values are: REFRESH 7200, RETRY 3600, and EXPIRE 86400.</t> <t pn="section-6.1-5">The MINIMUM field (used to control the lifetime of negative cache entries) <bcp14>SHOULD</bcp14> contain the value 10. This value is chosen based on user-experience considerations (see <xref target="ttl" format="default" sectionFormat="of" derivedContent="Section 5.5.1"/>).</t> <t pn="section-6.1-6">In the event that there are multiple Discovery Proxy devices on a link for fault tolerance reasons, this will result in clients receiving inconsistent SOA records (different MNAME and possibly RNAME) depending on which Discovery Proxy answers their SOA query. However, since clients generally have no reason to use the MNAME or RNAME data, this is unlikely to cause any problems.</t> </section> <section anchor="ns" numbered="true" toc="include" removeInRFC="false" pn="section-6.2"> <name slugifiedName="name-dns-ns-records">DNS NS Records</name> <t pn="section-6.2-1">In the event that there are multiple Discovery Proxy devices on a link for fault tolerance reasons, the parent zone <bcp14>MUST</bcp14> be configured with NS records giving the names of all the Discovery Proxy devices on the link.</t> <t pn="section-6.2-2">Each Discovery Proxy device <bcp14>MUST</bcp14> be configured to answer NS queries for the zone apex name by giving its own NS record, and the NS records of its fellow Discovery Proxy devices on the same link, so that it can return the correct answers for NS queries.</t> <t pn="section-6.2-3">The target host name in the RDATA of an NS record <bcp14>MUST NOT</bcp14> reference a name that falls within any zone delegated to a Discovery Proxy. Apart from the zone apex name, all other host names (names of A and AAAA DNS records) that fall within a zone delegated to a Discovery Proxy correspond to local Multicast DNS host names, which logically belong to the respective Multicast DNS hosts defending those names, not the Discovery Proxy. Generally speaking, the Discovery Proxy does not own or control the delegated zone; it is merely a conduit to the corresponding ".local" namespace, which is controlled by the Multicast DNS hosts on that link. If an NS record were to reference a manually determined host name that falls within a delegated zone, that manually determined host name may inadvertently conflict with a corresponding ".local" host name that is owned and controlled by some device on that link. </t> </section> <section anchor="delegation" numbered="true" toc="include" removeInRFC="false" pn="section-6.3"> <name slugifiedName="name-dns-delegation-records">DNS Delegation Records</name> <t pn="section-6.3-1">Since the <xref target="RFC6762" format="default" sectionFormat="of" derivedContent="RFC6762">Multicast DNS specification</xref> states that there can be no delegation (subdomains) within a ".local" namespace, this implies that any name within a zone delegated to a Discovery Proxy (except for the zone apex name itself) cannot have any answers for any DNS queries for RRTYPEs SOA, NS, or DS. Consequently: </t> <ul spacing="normal" bare="false" empty="false" pn="section-6.3-2"> <li pn="section-6.3-2.1">for any query for the zone apex name of a zone delegated to a Discovery Proxy, the Discovery Proxy <bcp14>MUST</bcp14> generate the appropriate immediate answers as described above, and</li> <li pn="section-6.3-2.2"> for any query for any name below the zone apex, for RRTYPEs SOA, NS, or DS, the Discovery Proxy <bcp14>MUST</bcp14> generate an immediate negative answer. </li> </ul> </section> <section anchor="srv" numbered="true" toc="include" removeInRFC="false" pn="section-6.4"> <name slugifiedName="name-dns-srv-records">DNS SRV Records</name> <t pn="section-6.4-1">There are certain special DNS records that logically fall within the delegated Unicast DNS subdomain, but rather than mapping to their corresponding ".local" namesakes, they actually contain metadata pertaining to the operation of the delegated Unicast DNS subdomain itself. They do not exist in the corresponding ".local" namespace of the local link. For these queries, a Discovery Proxy <bcp14>MUST</bcp14> generate immediate answers, whether positive or negative, to avoid delays while clients wait for their query to be answered.</t> <t pn="section-6.4-2">For example, if a Discovery Proxy implements Long-Lived Queries <xref target="RFC8764" format="default" sectionFormat="of" derivedContent="RFC8764"/>, then it <bcp14>MUST</bcp14> positively respond to <tt>_dns‑llq._udp.<zone> SRV</tt> queries, <tt>_dns‑llq._tcp.<zone> SRV</tt> queries, and <tt>_dns‑llq‑tls._tcp.<zone> SRV</tt> queries as appropriate. If it does not implement Long-Lived Queries, it <bcp14>MUST</bcp14> return an immediate negative answer for those queries, instead of passing those queries through to the local network as Multicast DNS queries and then waiting unsuccessfully for answers that will not be forthcoming.</t> <t pn="section-6.4-3">If a Discovery Proxy implements DNS Push Notifications <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>, then it <bcp14>MUST</bcp14> positively respond to <tt>_dns‑push‑tls._tcp.<zone></tt> queries. Otherwise, it <bcp14>MUST</bcp14> return an immediate negative answer for those queries.</t> <t pn="section-6.4-4">A Discovery Proxy <bcp14>MUST</bcp14> return an immediate negative answer for <tt>_dns‑update._udp.<zone> SRV</tt> queries, <tt>_dns‑update._tcp.<zone> SRV</tt> queries, and <tt>_dns‑update-tls._tcp.<zone> SRV</tt> queries, since using DNS Update <xref target="RFC2136" format="default" sectionFormat="of" derivedContent="RFC2136"/> to change zones generated dynamically from local Multicast DNS data is not possible.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-6.5"> <name slugifiedName="name-domain-enumeration-records">Domain Enumeration Records</name> <t pn="section-6.5-1">If the network operator chooses to use address-based unicast Domain Enumeration queries for client configuration (see <xref target="unicast" format="default" sectionFormat="of" derivedContent="Section 5.2.1"/>), and the network operator also chooses to delegate the enclosing reverse mapping subdomain to a Discovery Proxy, then that Discovery Proxy becomes responsible for serving the answers to those address-based unicast Domain Enumeration queries.</t> <t pn="section-6.5-2">As with the SRV metadata records described above, a Discovery Proxy configured with delegated reverse mapping subdomains is responsible for generating immediate (positive or negative) answers for address-based unicast Domain Enumeration queries, rather than passing them though to the underlying Multicast DNS subsystem and then waiting unsuccessfully for answers that will not be forthcoming.</t> </section> </section> <section anchor="DNSSEC" numbered="true" toc="include" removeInRFC="false" pn="section-7"> <name slugifiedName="name-dnssec-considerations">DNSSEC Considerations</name> <section numbered="true" toc="include" removeInRFC="false" pn="section-7.1"> <name slugifiedName="name-online-signing-only">Online Signing Only</name> <t pn="section-7.1-1">The Discovery Proxy acts as the authoritative name server for designated subdomains, and if DNSSEC is to be used, the Discovery Proxy needs to possess a copy of the signing keys in order to generate authoritative signed data from the local Multicast DNS responses it receives. Offline signing is not applicable to Discovery Proxy.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-7.2"> <name slugifiedName="name-nsec-and-nsec3-records">NSEC and NSEC3 Records</name> <t pn="section-7.2-1">In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence of certain names, also described as "authenticated denial of existence" <xref target="RFC4034" format="default" sectionFormat="of" derivedContent="RFC4034"/> <xref target="RFC5155" format="default" sectionFormat="of" derivedContent="RFC5155"/>.</t> <t pn="section-7.2-2">Since a Discovery Proxy only knows what names exist on the local link by issuing queries for them, and since it would be impractical to issue queries for every possible name just to find out which names exist and which do not, a Discovery Proxy cannot programmatically synthesize the traditional NSEC and NSEC3 records that assert the nonexistence of a large range of names. Instead, when generating a negative response, a Discovery Proxy programmatically synthesizes a single NSEC record asserting the nonexistence of just the specific name queried and no others. Since the Discovery Proxy has the zone signing key, it can do this on demand. Since the NSEC record asserts the nonexistence of only a single name, zone walking is not a concern, and NSEC3 is therefore not necessary.</t> <t pn="section-7.2-3">Note that this applies only to traditional immediate DNS queries, which may return immediate negative answers when no immediate positive answer is available. When used with a DNS Push Notification subscription <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>, there are no negative answers, merely the absence of answers so far, which may change in the future if answers become available.</t> </section> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-8"> <name slugifiedName="name-ipv6-considerations">IPv6 Considerations</name> <t pn="section-8-1">An IPv4-only host and an IPv6-only host behave as "ships that pass in the night". Even if they are on the same Ethernet <xref target="IEEE-3" format="default" sectionFormat="of" derivedContent="IEEE-3"/>, neither is aware of the other's traffic. For this reason, each link may have <em>two</em> unrelated ".local." zones: one for IPv4 and one for IPv6. Since, for practical purposes, a group of IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act as if they were on two entirely separate Ethernet segments, it is unsurprising that their use of the ".local." zone should occur exactly as it would if they really were on two entirely separate Ethernet segments.</t> <t pn="section-8-2">It will be desirable to have a mechanism to "stitch" together these two unrelated ".local." zones so that they appear as one. Such a mechanism will need to be able to differentiate between a dual-stack (v4/v6) host participating in both ".local." zones, and two different hosts: one IPv4-only and the other IPv6-only, which are both trying to use the same name(s). Such a mechanism will be specified in a future companion document.</t> <t pn="section-8-3">At present, it is <bcp14>RECOMMENDED</bcp14> that a Discovery Proxy be configured with a single domain name for both the IPv4 and IPv6 ".local." zones on the local link, and when a unicast query is received, it should issue Multicast DNS queries using both IPv4 and IPv6 on the local link and then combine the results.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9"> <name slugifiedName="name-security-considerations">Security Considerations</name> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.1"> <name slugifiedName="name-authenticity">Authenticity</name> <t pn="section-9.1-1">A service proves its presence on a link by its ability to answer link-local multicast queries on that link. If greater security is desired, then the Discovery Proxy mechanism should not be used, and something with stronger security should be used instead such as authenticated secure DNS Update <xref target="RFC2136" format="default" sectionFormat="of" derivedContent="RFC2136"/> <xref target="RFC3007" format="default" sectionFormat="of" derivedContent="RFC3007"/>.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.2"> <name slugifiedName="name-privacy">Privacy</name> <t pn="section-9.2-1">The Domain Name System is, generally speaking, a global public database. Records that exist in the Domain Name System name hierarchy can be queried by name from, in principle, anywhere in the world. If services on a mobile device (like a laptop computer) are made visible via the Discovery Proxy mechanism, then when those services become visible in a domain such as "My House.example.com", it might indicate to (potentially hostile) observers that the mobile device is in the owner's home. When those services disappear from "My House.example.com", that change could be used by observers to infer when the mobile device (and possibly its owner) may have left the house. The privacy of this information may be protected using techniques like firewalls, split-view DNS, and Virtual Private Networks (VPNs), as are customarily used today to protect the privacy of corporate DNS information.</t> <t pn="section-9.2-2">The privacy issue is particularly serious for the IPv4 and IPv6 reverse zones. If the public delegation of the reverse zones points to the Discovery Proxy, and the Discovery Proxy is reachable globally, then it could leak a significant amount of information. Attackers could discover hosts that otherwise might not be easy to identify, and learn their host names. Attackers could also discover the existence of links where hosts frequently come and go.</t> <t pn="section-9.2-3">The Discovery Proxy could provide sensitive records only to authenticated users. This is a general DNS problem, not specific to the Discovery Proxy. Work is underway in the IETF to tackle this problem <xref target="RFC7626" format="default" sectionFormat="of" derivedContent="RFC7626"/>.</t> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-9.3"> <name slugifiedName="name-denial-of-service">Denial of Service</name> <t pn="section-9.3-1">A remote attacker could use a rapid series of unique Unicast DNS queries to induce a Discovery Proxy to generate a rapid series of corresponding Multicast DNS queries on one or more of its local links. Multicast traffic is generally more expensive than unicast traffic, especially on Wi-Fi links <xref target="I-D.ietf-mboned-ieee802-mcast-problems" format="default" sectionFormat="of" derivedContent="MCAST"/>, which makes this attack particularly serious. To limit the damage that can be caused by such attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem that it utilizes) <bcp14>MUST</bcp14> implement Multicast DNS query rate limiting appropriate to the link technology in question. For today's 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast packets per second is sufficient to consume approximately 100% of the wireless spectrum), a limit of 20 Multicast DNS query packets per second is <bcp14>RECOMMENDED</bcp14>. On other link technologies like Gigabit Ethernet, higher limits may be appropriate. A consequence of this rate limiting is that a rogue remote client could issue an excessive number of queries resulting in denial of service to other legitimate remote clients attempting to use that Discovery Proxy. However, this is preferable to a rogue remote client being able to inflict even greater harm on the local network, which could impact the correct operation of all local clients on that network.</t> </section> </section> <section numbered="true" toc="include" removeInRFC="false" pn="section-10"> <name slugifiedName="name-iana-considerations">IANA Considerations</name> <t pn="section-10-1">This document has no IANA actions.</t> </section> </middle> <back> <displayreference target="I-D.cheshire-dnssd-roadmap" to="ROADMAP"/> <displayreference target="I-D.sctl-service-registration" to="REG-PROT"/> <displayreference target="I-D.sctl-dnssd-mdns-relay" to="RELAY"/> <displayreference target="I-D.ietf-mboned-ieee802-mcast-problems" to="MCAST"/> <displayreference target="I-D.sekar-dns-ul" to="DNS-UL"/> <references pn="section-11"> <name slugifiedName="name-references">References</name> <references pn="section-11.1"> <name slugifiedName="name-normative-references">Normative References</name> <reference anchor="RFC1034" target="https://www.rfc-editor.org/info/rfc1034" quoteTitle="true" derivedAnchor="RFC1034"> <front> <title>Domain names - concepts and facilities</title> <author initials="P.V." surname="Mockapetris" fullname="P.V. Mockapetris"> <organization showOnFrontPage="true"/> </author> <date year="1987" month="November"/> <abstract> <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t> </abstract> </front> <seriesInfo name="STD" value="13"/> <seriesInfo name="RFC" value="1034"/> <seriesInfo name="DOI" value="10.17487/RFC1034"/> </reference> <reference anchor="RFC1035" target="https://www.rfc-editor.org/info/rfc1035" quoteTitle="true" derivedAnchor="RFC1035"> <front> <title>Domain names - implementation and specification</title> <author initials="P.V." surname="Mockapetris" fullname="P.V. Mockapetris"> <organization showOnFrontPage="true"/> </author> <date year="1987" month="November"/> <abstract> <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t> </abstract> </front> <seriesInfo name="STD" value="13"/> <seriesInfo name="RFC" value="1035"/> <seriesInfo name="DOI" value="10.17487/RFC1035"/> </reference> <reference anchor="RFC1918" target="https://www.rfc-editor.org/info/rfc1918" quoteTitle="true" derivedAnchor="RFC1918"> <front> <title>Address Allocation for Private Internets</title> <author initials="Y." surname="Rekhter" fullname="Y. Rekhter"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Moskowitz" fullname="B. Moskowitz"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Karrenberg" fullname="D. Karrenberg"> <organization showOnFrontPage="true"/> </author> <author initials="G. J." surname="de Groot" fullname="G. J. de Groot"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Lear" fullname="E. Lear"> <organization showOnFrontPage="true"/> </author> <date year="1996" month="February"/> <abstract> <t>This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="5"/> <seriesInfo name="RFC" value="1918"/> <seriesInfo name="DOI" value="10.17487/RFC1918"/> </reference> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner" fullname="S. Bradner"> <organization showOnFrontPage="true"/> </author> <date year="1997" month="March"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC2308" target="https://www.rfc-editor.org/info/rfc2308" quoteTitle="true" derivedAnchor="RFC2308"> <front> <title>Negative Caching of DNS Queries (DNS NCACHE)</title> <author initials="M." surname="Andrews" fullname="M. Andrews"> <organization showOnFrontPage="true"/> </author> <date year="1998" month="March"/> <abstract> <t>RFC1034 provided a description of how to cache negative responses. It however had a fundamental flaw in that it did not allow a name server to hand out those cached responses to other resolvers, thereby greatly reducing the effect of the caching. This document addresses issues raise in the light of experience and replaces RFC1034 Section 4.3.4. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2308"/> <seriesInfo name="DOI" value="10.17487/RFC2308"/> </reference> <reference anchor="RFC3629" target="https://www.rfc-editor.org/info/rfc3629" quoteTitle="true" derivedAnchor="RFC3629"> <front> <title>UTF-8, a transformation format of ISO 10646</title> <author initials="F." surname="Yergeau" fullname="F. Yergeau"> <organization showOnFrontPage="true"/> </author> <date year="2003" month="November"/> <abstract> <t>ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279.</t> </abstract> </front> <seriesInfo name="STD" value="63"/> <seriesInfo name="RFC" value="3629"/> <seriesInfo name="DOI" value="10.17487/RFC3629"/> </reference> <reference anchor="RFC3927" target="https://www.rfc-editor.org/info/rfc3927" quoteTitle="true" derivedAnchor="RFC3927"> <front> <title>Dynamic Configuration of IPv4 Link-Local Addresses</title> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Aboba" fullname="B. Aboba"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Guttman" fullname="E. Guttman"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="May"/> <abstract> <t>To participate in wide-area IP networking, a host needs to be configured with IP addresses for its interfaces, either manually by the user or automatically from a source on the network such as a Dynamic Host Configuration Protocol (DHCP) server. Unfortunately, such address configuration information may not always be available. It is therefore beneficial for a host to be able to depend on a useful subset of IP networking functions even when no address configuration is available. This document describes how a host may automatically configure an interface with an IPv4 address within the 169.254/16 prefix that is valid for communication with other devices connected to the same physical (or logical) link.</t> <t>IPv4 Link-Local addresses are not suitable for communication with devices not directly connected to the same physical (or logical) link, and are only used where stable, routable addresses are not available (such as on ad hoc or isolated networks). This document does not recommend that IPv4 Link-Local addresses and routable addresses be configured simultaneously on the same interface. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3927"/> <seriesInfo name="DOI" value="10.17487/RFC3927"/> </reference> <reference anchor="RFC4034" target="https://www.rfc-editor.org/info/rfc4034" quoteTitle="true" derivedAnchor="RFC4034"> <front> <title>Resource Records for the DNS Security Extensions</title> <author initials="R." surname="Arends" fullname="R. Arends"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Austein" fullname="R. Austein"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Larson" fullname="M. Larson"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Massey" fullname="D. Massey"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Rose" fullname="S. Rose"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="March"/> <abstract> <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. </t> <t> This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4034"/> <seriesInfo name="DOI" value="10.17487/RFC4034"/> </reference> <reference anchor="RFC4862" target="https://www.rfc-editor.org/info/rfc4862" quoteTitle="true" derivedAnchor="RFC4862"> <front> <title>IPv6 Stateless Address Autoconfiguration</title> <author initials="S." surname="Thomson" fullname="S. Thomson"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Narten" fullname="T. Narten"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Jinmei" fullname="T. Jinmei"> <organization showOnFrontPage="true"/> </author> <date year="2007" month="September"/> <abstract> <t>This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4862"/> <seriesInfo name="DOI" value="10.17487/RFC4862"/> </reference> <reference anchor="RFC5155" target="https://www.rfc-editor.org/info/rfc5155" quoteTitle="true" derivedAnchor="RFC5155"> <front> <title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</title> <author initials="B." surname="Laurie" fullname="B. Laurie"> <organization showOnFrontPage="true"/> </author> <author initials="G." surname="Sisson" fullname="G. Sisson"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Arends" fullname="R. Arends"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Blacka" fullname="D. Blacka"> <organization showOnFrontPage="true"/> </author> <date year="2008" month="March"/> <abstract> <t>The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5155"/> <seriesInfo name="DOI" value="10.17487/RFC5155"/> </reference> <reference anchor="RFC5198" target="https://www.rfc-editor.org/info/rfc5198" quoteTitle="true" derivedAnchor="RFC5198"> <front> <title>Unicode Format for Network Interchange</title> <author initials="J." surname="Klensin" fullname="J. Klensin"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Padlipsky" fullname="M. Padlipsky"> <organization showOnFrontPage="true"/> </author> <date year="2008" month="March"/> <abstract> <t>The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5198"/> <seriesInfo name="DOI" value="10.17487/RFC5198"/> </reference> <reference anchor="RFC6762" target="https://www.rfc-editor.org/info/rfc6762" quoteTitle="true" derivedAnchor="RFC6762"> <front> <title>Multicast DNS</title> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Krochmal" fullname="M. Krochmal"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="February"/> <abstract> <t>As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful.</t> <t>Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.</t> <t>The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.</t> </abstract> </front> <seriesInfo name="RFC" value="6762"/> <seriesInfo name="DOI" value="10.17487/RFC6762"/> </reference> <reference anchor="RFC6763" target="https://www.rfc-editor.org/info/rfc6763" quoteTitle="true" derivedAnchor="RFC6763"> <front> <title>DNS-Based Service Discovery</title> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Krochmal" fullname="M. Krochmal"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="February"/> <abstract> <t>This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD.</t> </abstract> </front> <seriesInfo name="RFC" value="6763"/> <seriesInfo name="DOI" value="10.17487/RFC6763"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba" fullname="B. Leiba"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="May"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8490" target="https://www.rfc-editor.org/info/rfc8490" quoteTitle="true" derivedAnchor="RFC8490"> <front> <title>DNS Stateful Operations</title> <author initials="R." surname="Bellis" fullname="R. Bellis"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Dickinson" fullname="J. Dickinson"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Dickinson" fullname="S. Dickinson"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Lemon" fullname="T. Lemon"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Pusateri" fullname="T. Pusateri"> <organization showOnFrontPage="true"/> </author> <date year="2019" month="March"/> <abstract> <t>This document defines a new DNS OPCODE for DNS Stateful Operations (DSO). DSO messages communicate operations within persistent stateful sessions using Type Length Value (TLV) syntax. Three TLVs are defined that manage session timeouts, termination, and encryption padding, and a framework is defined for extensions to enable new stateful operations. This document updates RFC 1035 by adding a new DNS header OPCODE that has both different message semantics and a new result code. This document updates RFC 7766 by redefining a session, providing new guidance on connection reuse, and providing a new mechanism for handling session idle timeouts.</t> </abstract> </front> <seriesInfo name="RFC" value="8490"/> <seriesInfo name="DOI" value="10.17487/RFC8490"/> </reference> <reference anchor="RFC8765" target="https://www.rfc-editor.org/info/rfc8765" quoteTitle="true" derivedAnchor="RFC8765"> <front> <title>DNS Push Notifications</title> <author initials="T" surname="Pusateri" fullname="Tom Pusateri"> <organization showOnFrontPage="true"/> </author> <author initials="S" surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true"/> </author> <date month="June" year="2020"/> </front> <seriesInfo name="RFC" value="8765"/> <seriesInfo name="DOI" value="10.17487/RFC8765"/> </reference> </references> <references pn="section-11.2"> <name slugifiedName="name-informative-references">Informative References</name> <reference anchor="I-D.sekar-dns-ul" quoteTitle="true" target="https://tools.ietf.org/html/draft-sekar-dns-ul-02" derivedAnchor="DNS-UL"> <front> <title>Dynamic DNS Update Leases</title> <author initials="S" surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="T" surname="Lemon" fullname="Ted Lemon"> <organization showOnFrontPage="true"/> </author> <date month="August" day="2" year="2018"/> <abstract> <t>This document proposes a method of extending Dynamic DNS Update to contain an update lease lifetime, allowing a server to garbage collect stale resource records.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-sekar-dns-ul-02"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-sekar-dns-ul-02.txt"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="IEEE-1Q" target="https://ieeexplore.ieee.org/document/6991462" quoteTitle="true" derivedAnchor="IEEE-1Q"> <front> <title>IEEE Standard for Local and metropolitan area networks -- Bridges and Bridged Networks</title> <author> <organization showOnFrontPage="true">IEEE</organization> </author> <date year="2014"/> </front> <seriesInfo name="IEEE Std" value="802.1Q-2014"/> <seriesInfo name="DOI" value="10.1109/IEEESTD.2014.6991462"/> </reference> <reference anchor="IEEE-3" target="https://ieeexplore.ieee.org/document/8457469" quoteTitle="true" derivedAnchor="IEEE-3"> <front> <title>IEEE Standard for Ethernet</title> <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8457469"/> <seriesInfo name="IEEE Std" value="802.3-2018"/> <author> <organization showOnFrontPage="true">IEEE</organization> </author> <date year="2008" month="December"/> </front> </reference> <reference anchor="IEEE-5" target="https://standards.ieee.org/standard/802_5-1998.html" quoteTitle="true" derivedAnchor="IEEE-5"> <front> <title>Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 5: Token ring access method and physical layer specifications</title> <seriesInfo name="IEEE Std" value="802.5-1998"/> <author> <organization showOnFrontPage="true">IEEE</organization> </author> <date year="1998"/> </front> </reference> <reference anchor="IEEE-11" target="https://standards.ieee.org/standard/802_11-2016.html" quoteTitle="true" derivedAnchor="IEEE-11"> <front> <title>Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications</title> <seriesInfo name="IEEE Std" value="802.11-2016"/> <author> <organization showOnFrontPage="true">IEEE</organization> </author> <date year="2016" month="December"/> </front> </reference> <reference anchor="I-D.ietf-mboned-ieee802-mcast-problems" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-mboned-ieee802-mcast-problems-11" derivedAnchor="MCAST"> <front> <title>Multicast Considerations over IEEE 802 Wireless Media</title> <author initials="C" surname="Perkins" fullname="Charles Perkins"> <organization showOnFrontPage="true"/> </author> <author initials="M" surname="McBride" fullname="Mike McBride"> <organization showOnFrontPage="true"/> </author> <author initials="D" surname="Stanley" fullname="Dorothy Stanley"> <organization showOnFrontPage="true"/> </author> <author initials="W" surname="Kumari" fullname="Warren Kumari"> <organization showOnFrontPage="true"/> </author> <author initials="J" surname="Zuniga" fullname="Juan Zuniga"> <organization showOnFrontPage="true"/> </author> <date month="December" day="11" year="2019"/> <abstract> <t>Well-known issues witha <xref target="Push">DNS Push Notification subscription</xref> there are no negative answers, merelymulticast have prevented theabsencedeployment ofanswers so far, which may changemulticast inthe future if answers become available.</t> <?rfc needLines="19" ?> </section> </section> <section title="IPv6 Considerations"> <t>An IPv4-only host802.11 (wifi) andan IPv6-only host behave as "ships that pass in the night". Even if they are onother local-area wireless environments. This document describes thesame <xref target="IEEE-3">Ethernet</xref>, neither is awareproblems ofthe other's traffic. For this reason, each link mayknown limitations with wireless (primarily 802.11) Layer-2 multicast. Also described are certain multicast enhancement features that have*two* unrelated ".local." zones, one for IPv4been specified by the IETF, andone for IPv6. Sinceby IEEE 802, forpractical purposes, a group of IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet actwireless media, asif they were on two entirely separate Ethernet segments, it is unsurprising that their use of the ".local." zone should occur exactlywell asit would if they really were on two entirely separate Ethernet segments.</t> <t>It will be desirable to have a mechanism to 'stitch' together these two unrelated ".local." zones sosome operational choices thatthey appear as one. Such mechanism will need tocan beabletaken todifferentiate between a dual-stack (v4/v6) host participating in both ".local." zones, and two different hosts, one IPv4-only andimprove theother IPv6-only, whichperformance of the network. Finally, some recommendations areboth trying to useprovided about thesame name(s). Such ausage and combination of these features and operational choices.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-mboned-ieee802-mcast-problems-11"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-mboned-ieee802-mcast-problems-11.txt"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="OHP" target="https://github.com/sbyx/ohybridproxy/" quoteTitle="true" derivedAnchor="OHP"> <front> <title>ohybridproxy - an mDNS/DNS hybrid-proxy based on mDNSResponder</title> <author/> <date month="June" year="2017"/> </front> <refcontent>commit 464d6c9</refcontent> </reference> <reference anchor="I-D.sctl-service-registration" quoteTitle="true" target="https://tools.ietf.org/html/draft-sctl-service-registration-02" derivedAnchor="REG-PROT"> <front> <title>Service Registration Protocol for DNS-Based Service Discovery</title> <author initials="S" surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="T" surname="Lemon" fullname="Ted Lemon"> <organization showOnFrontPage="true"/> </author> <date month="July" day="15" year="2018"/> <abstract> <t>The DNS-SD Service Registration Protocol uses the standard DNS Update mechanismwill be specified in a future companion document.</t> <t>At present, it is RECOMMENDED that ato enable DNS-Based Service DiscoveryProxy be configured with a single domain name for bothusing only unicast packets. This eliminates theIPv4 and IPv6 ".local." zonesdependency onthe local link, and when a unicast query is received, it should issueMulticast DNSqueries using both IPv4 and IPv6 onas thelocal link,foundation layer, which greatly improves scalability andthen combine the results.</t> <?rfc needLines="25" ?> </section> <section title="Security Considerations"> <section title="Authenticity"> <t>A service proves its presenceimproves performance ona link by its ability to answer link-localnetworks where multicastqueries on that link. If greater securityservice isdesired, thennot an optimal choice, particularly 802.11 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration uses public keys and SIG(0) to allow services to defend their registrations against attack.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-sctl-service-registration-02"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-sctl-service-registration-02.txt"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="I-D.sctl-dnssd-mdns-relay" quoteTitle="true" target="https://tools.ietf.org/html/draft-sctl-dnssd-mdns-relay-04" derivedAnchor="RELAY"> <front> <title>Multicast DNS Discovery Relay</title> <author initials="S" surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="T" surname="Lemon" fullname="Ted Lemon"> <organization showOnFrontPage="true"/> </author> <date month="March" day="21" year="2018"/> <abstract> <t>This document extends the specification of the Discovery Proxymechanism shouldfor Multicast DNS-Based Service Discovery. It describes a lightweight relay mechanism, a Discovery Relay, which allows Discovery Proxies to provide service on multicast links to which they are notbe used,directly attached.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-sctl-dnssd-mdns-relay-04"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-sctl-dnssd-mdns-relay-04.txt"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="RFC2132" target="https://www.rfc-editor.org/info/rfc2132" quoteTitle="true" derivedAnchor="RFC2132"> <front> <title>DHCP Options andsomething with stronger security shouldBOOTP Vendor Extensions</title> <author initials="S." surname="Alexander" fullname="S. Alexander"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Droms" fullname="R. Droms"> <organization showOnFrontPage="true"/> </author> <date year="1997" month="March"/> <abstract> <t>This document specifies the current set of DHCP options. Future options will beused instead, such as authenticated secure DNS Update <xref target="RFC2136"/> <xref target="RFC3007"/>.</t> </section> <section title="Privacy"> <t>Thespecified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2132"/> <seriesInfo name="DOI" value="10.17487/RFC2132"/> </reference> <reference anchor="RFC2136" target="https://www.rfc-editor.org/info/rfc2136" quoteTitle="true" derivedAnchor="RFC2136"> <front> <title>Dynamic Updates in the Domain Name System (DNS UPDATE)</title> <author initials="P." surname="Vixie" fullname="P. Vixie" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Thomson" fullname="S. Thomson"> <organization showOnFrontPage="true"/> </author> <author initials="Y." surname="Rekhter" fullname="Y. Rekhter"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Bound" fullname="J. Bound"> <organization showOnFrontPage="true"/> </author> <date year="1997" month="April"/> <abstract> <t>Using this specification of the UPDATE opcode, it is possible to add or delete RRs or RRsets from a specified zone. Prerequisites are specified separately from update operations, and can specify a dependency upon either the previous existence or nonexistence of an RRset, or the existence of a single RR. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2136"/> <seriesInfo name="DOI" value="10.17487/RFC2136"/> </reference> <reference anchor="RFC3007" target="https://www.rfc-editor.org/info/rfc3007" quoteTitle="true" derivedAnchor="RFC3007"> <front> <title>Secure Domain Name Systemis, generally speaking,(DNS) Dynamic Update</title> <author initials="B." surname="Wellington" fullname="B. Wellington"> <organization showOnFrontPage="true"/> </author> <date year="2000" month="November"/> <abstract> <t>This document proposes aglobal public database. Records that exist in themethod for performing secure Domain Name Systemname hierarchy can be queried by name from, in principle, anywhere(DNS) dynamic updates. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3007"/> <seriesInfo name="DOI" value="10.17487/RFC3007"/> </reference> <reference anchor="RFC3492" target="https://www.rfc-editor.org/info/rfc3492" quoteTitle="true" derivedAnchor="RFC3492"> <front> <title>Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names inthe world. If services onApplications (IDNA)</title> <author initials="A." surname="Costello" fullname="A. Costello"> <organization showOnFrontPage="true"/> </author> <date year="2003" month="March"/> <abstract> <t>Punycode is amobile device (likesimple and efficient transfer encoding syntax designed for use with Internationalized Domain Names in Applications (IDNA). It uniquely and reversibly transforms alaptop computer) are made visible viaUnicode string into an ASCII string. ASCII characters in theDiscovery Proxy mechanism, then when those services become visibleUnicode string are represented literally, and non-ASCII characters are represented by ASCII characters that are allowed in host name labels (letters, digits, and hyphens). This document defines adomain such as "My House.example.com"general algorithm called Bootstring thatmight indicateallows a string of basic code points to(potentially hostile) observers that the mobile device is in my house. When those services disappearuniquely represent any string of code points drawn from"My House.example.com"a larger set. Punycode is an instance of Bootstring thatchange could be useduses particular parameter values specified byobservers to infer when the mobile device (and possibly its owner) may have left the house. The privacy ofthisinformation may be protected using techniques like firewalls, split-view DNS, and Virtual Private Networks (VPNs), as are customarily used today to protect the privacy of corporate DNS information.</t> <t>The privacy issuedocument, appropriate for IDNA. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3492"/> <seriesInfo name="DOI" value="10.17487/RFC3492"/> </reference> <reference anchor="RFC4193" target="https://www.rfc-editor.org/info/rfc4193" quoteTitle="true" derivedAnchor="RFC4193"> <front> <title>Unique Local IPv6 Unicast Addresses</title> <author initials="R." surname="Hinden" fullname="R. Hinden"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Haberman" fullname="B. Haberman"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="October"/> <abstract> <t>This document defines an IPv6 unicast address format that is globally unique and isparticularly seriousintended forthe IPv4 and IPv6 reverse zones. If the public delegationlocal communications, usually inside ofthe reverse zones points to the Discovery Proxy, and the Discovery Proxy is reachable globally, then it could leakasignificant amount of information. Attackers could discover hosts that otherwise mightsite. These addresses are notbe easyexpected toidentify, and learn their hostnames. Attackers could also discoverbe routable on theexistence of links where hosts frequently come and go.</t> <t>The Discovery Proxy could also provide sensitive records only to authenticated users. This isglobal Internet. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4193"/> <seriesInfo name="DOI" value="10.17487/RFC4193"/> </reference> <reference anchor="RFC6760" target="https://www.rfc-editor.org/info/rfc6760" quoteTitle="true" derivedAnchor="RFC6760"> <front> <title>Requirements for ageneral DNS problem, not specificProtocol to Replace theDiscovery Proxy. Work is underway inAppleTalk Name Binding Protocol (NBP)</title> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Krochmal" fullname="M. Krochmal"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="February"/> <abstract> <t>One of theIETF to tackle this problem <xref target="RFC7626"/>.</t> </section> <section title="Denialgoals ofService"> <t>A remote attacker could use a rapid seriesthe authors ofunique UnicastMulticast DNSqueries to induce a(mDNS) and DNS-Based Service DiscoveryProxy(DNS-SD) was togenerate a rapid series of corresponding Multicast DNS queries on one or more of its local links. Multicast traffic is generally more expensive than unicast traffic -- especially on Wi-Fi links -- which makes this attack particularly serious. To limitretire AppleTalk and thedamage that can be caused by such attacks,AppleTalk Name Binding Protocol (NBP) and to replace them with an IP-based solution. This document presents aDiscovery Proxy (orbrief overview of theunderlying Multicast DNS subsystem which it utilizes) MUST implement Multicast DNS query rate limiting appropriate tocapabilities of AppleTalk NBP and outlines thelink technology in question. For today's 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast packets per secondproperties required of an IP-based replacement.</t> </abstract> </front> <seriesInfo name="RFC" value="6760"/> <seriesInfo name="DOI" value="10.17487/RFC6760"/> </reference> <reference anchor="RFC7558" target="https://www.rfc-editor.org/info/rfc7558" quoteTitle="true" derivedAnchor="RFC7558"> <front> <title>Requirements for Scalable DNS-Based Service Discovery (DNS-SD) / Multicast DNS (mDNS) Extensions</title> <author initials="K." surname="Lynn" fullname="K. Lynn"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Cheshire" fullname="S. Cheshire"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Blanchet" fullname="M. Blanchet"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Migault" fullname="D. Migault"> <organization showOnFrontPage="true"/> </author> <date year="2015" month="July"/> <abstract> <t>DNS-based Service Discovery (DNS-SD) over Multicast DNS (mDNS) issufficient to consume approximately 100%widely used today for discovery and resolution of services and names on a local link, but there are use cases to extend DNS-SD/mDNS to enable service discovery beyond thewireless spectrum)local link. This document provides alimitproblem statement and a list of20 Multicastrequirements for scalable DNS-SD.</t> </abstract> </front> <seriesInfo name="RFC" value="7558"/> <seriesInfo name="DOI" value="10.17487/RFC7558"/> </reference> <reference anchor="RFC7626" target="https://www.rfc-editor.org/info/rfc7626" quoteTitle="true" derivedAnchor="RFC7626"> <front> <title>DNS Privacy Considerations</title> <author initials="S." surname="Bortzmeyer" fullname="S. Bortzmeyer"> <organization showOnFrontPage="true"/> </author> <date year="2015" month="August"/> <abstract> <t>This document describes the privacy issues associated with the use of the DNSquery packets per secondby Internet users. It isRECOMMENDED. On other link technologies like Gigabit Ethernet higher limits mayintended to beappropriate. A consequence of this rate limiting is that a rogue remote client could issueanexcessive numberanalysis ofqueries, resulting in denialthe present situation and does not prescribe solutions.</t> </abstract> </front> <seriesInfo name="RFC" value="7626"/> <seriesInfo name="DOI" value="10.17487/RFC7626"/> </reference> <reference anchor="RFC7788" target="https://www.rfc-editor.org/info/rfc7788" quoteTitle="true" derivedAnchor="RFC7788"> <front> <title>Home Networking Control Protocol</title> <author initials="M." surname="Stenberg" fullname="M. Stenberg"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Barth" fullname="S. Barth"> <organization showOnFrontPage="true"/> </author> <author initials="P." surname="Pfister" fullname="P. Pfister"> <organization showOnFrontPage="true"/> </author> <date year="2016" month="April"/> <abstract> <t>This document describes the Home Networking Control Protocol (HNCP), an extensible configuration protocol, and a set ofservice to other legitimate remote clients attempting to use that Discovery Proxy. However, thisrequirements for home network devices. HNCP ispreferable todescribed as arogue remote client being ableprofile of and extension toinflict even greater harm onthelocal network, which could impactDistributed Node Consensus Protocol (DNCP). HNCP enables discovery of network borders, automated configuration of addresses, name resolution, service discovery, and thecorrect operationuse ofall local clients onany routing protocol thatnetwork.</t> <?rfc needLines="28" ?> </section> </section> <section title="IANA Considerations">supports routing based on both the source and destination address.</t> </abstract> </front> <seriesInfo name="RFC" value="7788"/> <seriesInfo name="DOI" value="10.17487/RFC7788"/> </reference> <reference anchor="RFC8375" target="https://www.rfc-editor.org/info/rfc8375" quoteTitle="true" derivedAnchor="RFC8375"> <front> <title>Special-Use Domain 'home.arpa.'</title> <author initials="P." surname="Pfister" fullname="P. Pfister"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Lemon" fullname="T. Lemon"> <organization showOnFrontPage="true"/> </author> <date year="2018" month="May"/> <abstract> <t>This documenthas no IANA Considerations.</t> </section> <section title="Acknowledgments"> <t>Thanks to Markus Stenberg for helping develop the policy regardingspecifies thefour styles of unicast response according to what databehavior that isimmediately available inexpected from thecache. ThanksDomain Name System with regard toAnders Brandt, Ben Campbell, Tim Chown, Alissa Cooper, Spencer Dawkins, Ralph Droms, Joel Halpern, Ray Hunter, Joel Jaeggli, Warren Kumari, Ted Lemon, Alexey Melnikov, Kathleen Moriarty, Tom Pusateri, Eric Rescorla, Adam Roach, David Schinazi, Markus Stenberg, Dave Thaler, and Andrew YourtchenkoDNS queries fortheir comments.</t> <?rfc needLines="33" ?> </section> </middle> <back> <references title="Normative References"> <?rfc include="reference.RFC.1034" ?> <?rfc include="reference.RFC.1035" ?> <?rfc include="reference.RFC.1918" ?> <?rfc include="reference.RFC.2119" ?> <?rfc include="reference.RFC.2308" ?> <?rfc include="reference.RFC.3629" ?> <?rfc include="reference.RFC.3927" ?> <?rfc include="reference.RFC.4034" ?> <?rfc include="reference.RFC.4862" ?> <?rfc include="reference.RFC.5155" ?> <?rfc include="reference.RFC.5198" ?> <?rfc include="reference.RFC.6762" ?> <?rfc include="reference.RFC.6763" ?> <?rfc include="reference.RFC.8174" ?> <?rfc include="reference.RFC.8490" ?> <?rfc include="reference.I-D.ietf-dnssd-push" anchor='Push' ?> </references> <?rfc needLines="6" ?> <references title="Informative References"> <?rfc include="reference.I-D.cheshire-dnssd-roadmap" anchor='Roadmap' ?> <?rfc include="reference.I-D.sekar-dns-ul" anchor='DNS-UL' ?> <?rfc include="reference.I-D.sekar-dns-llq" anchor='LLQ' ?> <?rfc include="reference.I-D.sctl-service-registration" anchor='RegProt' ?> <?rfc include="reference.I-D.sctl-dnssd-mdns-relay" anchor='Relay' ?> <?rfc include="reference.I-D.ietf-mboned-ieee802-mcast-problems" anchor='Mcast' ?> <?rfc include="reference.RFC.2132" ?> <?rfc include="reference.RFC.2136" ?> <?rfc include="reference.RFC.3007" ?> <?rfc include="reference.RFC.3492" ?> <?rfc include="reference.RFC.4193" ?> <?rfc include="reference.RFC.6760" ?> <?rfc include="reference.RFC.7558" ?> <?rfc include="reference.RFC.7626" ?> <?rfc include="reference.RFC.7788" ?> <?rfc include="reference.RFC.8375" ?> <reference anchor="ohp" target="https://github.com/sbyx/ohybridproxy/"> <front> <title>Discovery Proxy (Hybrid Proxy) implementationnames ending with '.home.arpa.' and designates this domain as a special-use domain name. 'home.arpa.' is designated forOpenWrt</title> <author/> <date/>non-unique use in residential home networks. The Home Networking Control Protocol (HNCP) is updated to use the 'home.arpa.' domain instead of '.home'.</t> </abstract> </front> <seriesInfo name="RFC" value="8375"/> <seriesInfo name="DOI" value="10.17487/RFC8375"/> </reference> <referenceanchor="ZC">anchor="RFC8764" target="https://www.rfc-editor.org/info/rfc8764" quoteTitle="true" derivedAnchor="RFC8764"> <front><title>Zero Configuration Networking: The Definitive Guide</title><title>Apple's DNS Long-Lived Queries Protocol</title> <authorinitials="S."initials="S" surname="Cheshire" fullname="StuartCheshire"/>Cheshire"> <organization showOnFrontPage="true"/> </author> <authorinitials="D.H." surname="Steinberg" fullname="Daniel H. Steinberg"/>initials="M" surname="Krochmal" fullname="Marc Krochmal"> <organization showOnFrontPage="true"/> </author> <dateyear="2005" month="December"/>month="June" year="2020"/> </front> <seriesInfoname="O'Reilly Media, Inc." value=""/> <seriesInfo name="ISBN" value="0-596-10100-7"/> </reference> <!-- Patterned after http://xml.resource.org/public/rfc/bibxml2/_reference.IEEE.802-3.1998.xml --> <reference anchor="IEEE-1Q" target="http://standards.ieee.org/getieee802/download/802-1Q-2014.pdf"> <front> <title> IEEE Standard for Local and metropolitan area networks -- Bridges and Bridged Networks </title> <author/> <date year="2014" month="November"/> </front>name="RFC" value="8764"/> <seriesInfoname="IEEE" value="Std 802.1Q-2014"/>name="DOI" value="10.17487/RFC8764"/> </reference> <referenceanchor="IEEE-3" target="http://standards.ieee.org/getieee802/802.3.html">anchor="I-D.cheshire-dnssd-roadmap" quoteTitle="true" target="https://tools.ietf.org/html/draft-cheshire-dnssd-roadmap-03" derivedAnchor="ROADMAP"> <front><title> Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 3: Carrier Sense Multiple Access with Collision Detection (CMSA/CD) Access Method and Physical Layer Specifications </title> <author/><title>Service Discovery Road Map</title> <author initials="S" surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true"/> </author> <dateyear="2008" month="December"/> </front> <seriesInfo name="IEEE" value="Std 802.3-2008"/> </reference> <reference anchor="IEEE-5"> <front> <title>Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 5: Token ring access method and physical layer specification</title> <author><organization>Institutemonth="October" day="23" year="2018"/> <abstract> <t>Over the course ofElectrical and Electronics Engineers</organization></author> <date month="" year="1995" />several years, a rich collection of technologies has developed around DNS-Based Service Discovery, described across multiple documents. This "Road Map" document gives an overview of how these related but separate technologies (and their documents) fit together, to facilitate service discovery in various environments.</t> </abstract> </front> <seriesInfoname="IEEE" value="Std 802.5-1998"/>name="Internet-Draft" value="draft-cheshire-dnssd-roadmap-03"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-cheshire-dnssd-roadmap-03.txt"/> <refcontent>Work in Progress</refcontent> </reference> <referenceanchor="IEEE-11" target="http://standards.ieee.org/getieee802/802.11.html">anchor="ZC" quoteTitle="true" derivedAnchor="ZC"> <front><title> Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications </title> <author/><title>Zero Configuration Networking: The Definitive Guide</title> <seriesInfo name="ISBN" value="0-596-10100-7"/> <author initials="S." surname="Cheshire" fullname="Stuart Cheshire"/> <author initials="D.H." surname="Steinberg" fullname="Daniel H. Steinberg"/> <dateyear="2007" month="June"/>year="2005" month="December"/> </front><seriesInfo name="IEEE" value="Std 802.11-2007"/><refcontent>O'Reilly Media, Inc.</refcontent> </reference> </references><?rfc needLines="40" ?></references> <section anchor="implementation"title="Implementation Status"> <t>Somenumbered="true" toc="include" removeInRFC="false" pn="section-appendix.a"> <name slugifiedName="name-implementation-status">Implementation Status</name> <t pn="section-appendix.a-1">Some aspects of the mechanism specified in this document already exist in deployed software. Some aspects are new. This section outlines which aspects already exist and which are new.</t> <sectiontitle="Alreadynumbered="true" toc="include" removeInRFC="false" pn="section-a.1"> <name slugifiedName="name-already-implemented-and-dep">Already Implemented andDeployed"> <t>DomainDeployed</name> <t pn="section-a.1-1">Domain enumeration by the client(the "b._dns-sd._udp"("b._dns-sd._udp.<zone>" queries) is already implemented and deployed.</t><t>Unicast<t pn="section-a.1-2">Performing unicast queries to the indicated discovery domain is already implemented and deployed.</t><t>These<t pn="section-a.1-3">These are implemented and deployed in Mac OS X 10.4 Tiger and later (including all versions of Apple iOS, on alliPhonemodels of iPhones, iPads, Apple TVs andiPads),HomePods), in Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t><t>Domain<t pn="section-a.1-4">Domain enumeration and unicast querying have been used for several years at IETF meetings to makeTerminal Roomterminal room printers discoverable from outside theTerminalterminal room. When an IETF attendee pressesCmd-P"Cmd‑P" on a Mac, or selects AirPrint on an iPad or iPhone, and theTerminalterminal room printers appear,thatit is because the client is sendingunicastUnicast DNS queries to the IETF DNS servers. A walk-through giving the details of this particular specific example is given inAppendix A of<xreftarget="Roadmap">thetarget="I-D.cheshire-dnssd-roadmap" sectionFormat="of" section="A" format="default" derivedLink="https://tools.ietf.org/html/draft-cheshire-dnssd-roadmap-03#appendix-A" derivedContent="ROADMAP">the Roadmap document</xref>.</t> <t pn="section-a.1-5">The Long-Lived Query mechanism <xref target="RFC8764" format="default" sectionFormat="of" derivedContent="RFC8764"/> referred to in this specification exists and is deployed but was not standardized by the IETF. The IETF has developed a superior Long-Lived Query mechanism called DNS Push Notifications <xref target="RFC8765" format="default" sectionFormat="of" derivedContent="RFC8765"/>, which is built on DNS Stateful Operations <xref target="RFC8490" format="default" sectionFormat="of" derivedContent="RFC8490"/>. DNS Push Notifications is implemented and deployed in Mac OS X 10.15 and later, and iOS 13 and later.</t> </section> <sectiontitle="Already Implemented"> <t>Anumbered="true" toc="include" removeInRFC="false" pn="section-a.2"> <name slugifiedName="name-already-implemented">Already Implemented</name> <t pn="section-a.2-1">A minimal portable Discovery Proxy implementation has been produced by Markus Stenberg and Steven Barth, which runs on OS X and several Linux variants including OpenWrt <xreftarget="ohp"/>.target="OHP" format="default" sectionFormat="of" derivedContent="OHP"/>. It was demonstrated at the Berlin IETF in July 2013.</t><t>Tom<t pn="section-a.2-2">Tom Pusateri has an implementation that runs on anyUnix/Linux.Unix/Linux system. It has a RESTful interface for management and an experimental demoCLIcommand-line interface (CLI) and web interface.</t><t>Ted<t pn="section-a.2-3">Ted Lemon also has produced a portable implementation of Discovery Proxy, which is available in the mDNSResponder open source code.</t><t>The Long-Lived Query mechanism <xref target="LLQ"/> referred to in this specification exists and is deployed, but was not standardized by the IETF. The IETF has developed a superior Long-Lived Query mechanism called DNS Push Notifications <xref target="Push"/>, which is built on DNS Stateful Operations <xref target="RFC8490"/>. The pragmatic short-term deployment approach is for vendors to produce Discovery Proxies that implement both the deployed Long-Lived Query mechanism <xref target="LLQ"/> (for today's clients) and the new DNS Push Notifications mechanism <xref target="Push"/> as the preferred long-term direction.</t></section> <sectiontitle="Partially Implemented"> <t>The currentnumbered="true" toc="include" removeInRFC="false" pn="section-a.3"> <name slugifiedName="name-partially-implemented">Partially Implemented</name> <t pn="section-a.3-1">At the time of writing, existing APIs make multiple domains visible to client software, but most clientUI today lumpsuser interfaces lump all discovered services into a single flat list. This is largely a chicken-and-egg problem. Application writers were naturally reluctant to spend time writing domain-awareUIuser interface code when few customerstodaywould benefit from it. If Discovery Proxy deployment becomes common, then application writers will have a reason to provide a betterUI.user experience. Existing applications will work with the DiscoveryProxy,Proxy but will show all services in a single flat list. Applications with improvedUIuser interfaces willgroupshow services grouped by domain.</t> </section> </section> <section numbered="false" toc="include" removeInRFC="false" pn="section-appendix.b"> <name slugifiedName="name-acknowledgments">Acknowledgments</name> <t pn="section-appendix.b-1">Thanks to <contact fullname="Markus Stenberg"/> for helping develop the policy regarding the four styles of unicast response according to what data is immediately available in the cache. Thanks to <contact fullname="Anders Brandt"/>, <contact fullname="Ben Campbell"/>, <contact fullname="Tim Chown"/>, <contact fullname="Alissa Cooper"/>, <contact fullname="Spencer Dawkins"/>, <contact fullname="Ralph Droms"/>, <contact fullname="Joel Halpern"/>, <contact fullname="Ray Hunter"/>, <contact fullname="Joel Jaeggli"/>, <contact fullname="Warren Kumari"/>, <contact fullname="Ted Lemon"/>, <contact fullname="Alexey Melnikov"/>, <contact fullname="Kathleen Moriarty"/>, <contact fullname="Tom Pusateri"/>, <contact fullname="Eric Rescorla"/>, <contact fullname="Adam Roach"/>, <contact fullname="David Schinazi"/>, <contact fullname="Markus Stenberg"/>, <contact fullname="Dave Thaler"/>, and <contact fullname="Andrew Yourtchenko"/> for their comments.</t> </section> <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.c"> <name slugifiedName="name-authors-address">Author's Address</name> <author initials="S." surname="Cheshire" fullname="Stuart Cheshire"> <organization showOnFrontPage="true">Apple Inc.</organization> <address> <postal> <street>One Apple Park Way</street> <city>Cupertino</city> <region>California</region> <code>95014</code> <country>United States of America</country> </postal> <phone>+1 (408) 996-1010</phone> <email>cheshire@apple.com</email> </address> </author> </section> </back> </rfc>