<?xml version="1.0" encoding="UTF-8"?> version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>

<!--
Check output with <http://tools.ietf.org/tools/idnits/>
-->

<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
     please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most
I-Ds might want to use.
     (Here they are set differently than their defaults in xml2rfc v1.35) -->

<!-- give errors regarding ID-nits and DTD validation -->
<?rfc strict="yes" ?>

<!-- control the table of contents (ToC) -->
<!-- generate a ToC -->
<?rfc toc="yes"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<?rfc tocdepth="3"?>

<!-- control references -->
<!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1]
-->
<?rfc symrefs="yes"?> "rfc2629-xhtml.ent">

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="8766" consensus="true" category="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="false" version="3">

<!-- [rfced] May we sort the reference entries references alphabetically -->
<?rfc sortrefs="no" ?>

<!-- control vertical white space
     (using these PIs as follows is recommended by the RFC Editor) -->
<!--
(i.e., set sortrefs="true"), or do not start each main section on a new page -->
<?rfc compact="yes" ?>
<!-- keep one blank line between list items -->
<?rfc subcompact="no" ?>

<!-- encourage use of "xml2rfc" tool -->
<?rfc rfcprocack="yes" ?>
<!-- end of list of popular I-D processing instructions you prefer the current order?
-->

<rfc category="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902">

  <front>
    <title abbrev='Multicast abbrev="Multicast Service Discovery Proxy'>Discovery Proxy">Discovery Proxy
      for Multicast DNS-Based Service Discovery</title>
    <seriesInfo name="RFC" value="8766"/>
    <author initials='S.' surname='Cheshire' fullname='Stuart Cheshire'> initials="S." surname="Cheshire" fullname="Stuart Cheshire">
      <organization>Apple Inc.</organization>
      <address>
        <postal>
          <street>One Apple Park Way</street>
          <city>Cupertino</city>
          <region>California</region>
          <code>95014</code>
          <country>USA</country>
          <country>United States of America</country>
        </postal>
        <phone>+1 (408) 996-1010</phone>
        <email>cheshire@apple.com</email>
      </address>
    </author>
    <date year='2019' month='March' day='24'/>
    <area>Internet</area>
    <workgroup>Internet Engineering Task Force</workgroup> year="2020" month="March"/>
    <area>INT</area>
    <workgroup>DNSSD</workgroup>

    <keyword>Multicast DNS</keyword>
    <keyword>DNS-Based Service Discovery</keyword>
    <keyword>RFC</keyword>
    <keyword>Request for Comments</keyword>
    <keyword>I-D</keyword>
    <keyword>Internet-Draft</keyword>

    <abstract>
      <t>This document specifies a network proxy that uses Multicast DNS
      to automatically populate the wide-area unicast Domain Name System
      namespace
      with records describing devices and services found on the local
      link.</t>
    </abstract>
  </front>
  <middle>
<?rfc needLines="31" ?>
    <section title="Introduction">
      <t><xref target="RFC6762">Multicast DNS</xref> numbered="true" toc="default">
      <name>Introduction</name>
      <t>Multicast DNS <xref target="RFC6762" format="default"></xref> and its
      companion technology DNS-based Service Discovery <xref target="RFC6763"/> target="RFC6763"
      format="default"/> were created to provide IP networking with the ease-of-use ease
      of use and autoconfiguration for which AppleTalk was well known <xref target="RFC6760"/>
      target="RFC6760" format="default"/> <xref target="ZC"/> target="ZC" format="default"/>
      <xref target="Roadmap"/>.</t> target="I-D.cheshire-dnssd-roadmap" format="default"/>.</t>
      <t>For a small home network consisting of just a single link (or a few
      physical links bridged together to appear as a single logical link from
      the point of view of IP) IP), Multicast DNS <xref target="RFC6762">Multicast DNS</xref> target="RFC6762"
      format="default"></xref> is sufficient for client devices
      to look up the ".local" host names of peers on the same home network, network
      and to use Multicast <xref target="RFC6763">DNS-Based DNS-based
      Service Discovery
      (DNS-SD)</xref> (DNS-SD) <xref target="RFC6763" format="default"></xref> to discover services offered on that
      home network.</t>
      <t>For a larger network consisting of multiple links that are
      interconnected using IP-layer routing instead of link-layer bridging,
      link-local Multicast DNS alone is insufficient because link-local
      Multicast DNS packets, by design, are not propagated onto other
      links.</t>
      <t>Using link-local multicast packets for Multicast DNS was a conscious
      design choice <xref target="RFC6762"/>. target="RFC6762" format="default"/>.  Even when
      limited to a single link, multicast traffic is still generally
      considered to be more expensive than unicast, because multicast traffic
      impacts many devices, devices instead of just a single recipient.  In addition,
      with some technologies like Wi-Fi <xref
      target="IEEE-11">Wi-Fi</xref>, target="IEEE-11"
      format="default"></xref>, multicast traffic is inherently less
      efficient and less reliable than unicast, because Wi-Fi multicast
      traffic is sent at lower data rates, and is not acknowledged <xref target="Mcast"/>.
      target="I-D.ietf-mboned-ieee802-mcast-problems" format="default"/>.
      Increasing the amount of expensive multicast traffic by flooding it
      across multiple links would make the traffic load even worse.</t>
      <t>Partitioning the network into many small links curtails the spread
      of expensive multicast traffic, traffic but limits the discoverability of
      services.
      At the opposite end of the spectrum, using a very large local link with
      thousands of hosts enables better
      service discovery, discovery but at the cost of larger amounts of multicast
      traffic.</t>
      <t>Performing DNS-Based DNS-based Service Discovery using purely Unicast DNS is
      more efficient and doesn't require large multicast domains, domains but does
      require that the relevant data be available in the Unicast DNS
      namespace.
      The Unicast DNS namespace in question could fall within a traditionally
      assigned globally unique domain name, name or could use a private local
      unicast domain name such as ".home.arpa" <xref target="RFC8375"/>.</t> target="RFC8375" format="default"/>.</t>
      <t>In the DNS-SD specification <xref target="RFC6763">DNS-SD specification</xref>,
      Section 10 target="RFC6763" sectionFormat="comma" section="10"/> ("Populating
      the DNS with Information") discusses various possible ways that a
      service's PTR, SRV, TXT TXT, and address records can make their way into the
      Unicast DNS namespace, including manual zone file configuration <xref target="RFC1034"/>
      target="RFC1034" format="default"/> <xref target="RFC1035"/>, target="RFC1035"
      format="default"/>, DNS&nbsp;Update <xref target="RFC2136"/> target="RFC2136"
      format="default"/> <xref target="RFC3007"/> target="RFC3007" format="default"/>, and proxies
      of various kinds.</t>

      <t>Making the relevant data available in the Unicast DNS namespace by
      manual DNS configuration is one option. This option has been used for
      many years at IETF meetings to advertise the IETF Terminal Room terminal room printer.
      Details of this example are given in Appendix A of <xref target="Roadmap">the
      target="I-D.cheshire-dnssd-roadmap" sectionFormat="of" section="A">the
      Roadmap document</xref>.  However, this manual DNS configuration is
      labor intensive, error prone, and requires a reasonable degree of DNS
      expertise.</t>

<!-- [rfced] In the following sentence, it may be a bit confusing with regard
to "by the devices". How might we update?

Original:
   Populating the Unicast DNS namespace via DNS Update by the devices offering
   the services themselves is...

Perhaps:
   Populating the Unicast DNS namespace via DNS Update using the devices
   offering the services themselves is...
-->
      <t>Populating the Unicast DNS namespace via DNS Update by the
      devices offering the services themselves is another option <xref
      target="RegProt"/> target="I-D.sctl-service-registration" format="default"/> <xref target="DNS-UL"/>. target="I-D.sekar-dns-ul" format="default"/>.
      However, this requires configuration
      of DNS Update keys on those devices, which has proven onerous and
      impractical for simple devices like printers and network cameras.</t>
      <t>Hence, to facilitate efficient and reliable DNS-Based DNS-based Service
      Discovery,
      a compromise is needed that combines the ease-of-use ease of use of
      Multicast DNS with the efficiency and scalability of Unicast DNS.</t>
      <t>This document specifies a type of proxy called a "Discovery Proxy"
      that uses Multicast DNS <xref target="RFC6762">Multicast DNS</xref> target="RFC6762" format="default"></xref> to discover
      Multicast DNS records on its local link, and makes corresponding
      DNS records visible in the Unicast DNS namespace.</t>
      <t>In principle, similar mechanisms could be defined using other
      local service discovery protocols, protocols to discover local information
      and then make corresponding DNS records visible in the Unicast
      DNS namespace. Such mechanisms for other local service discovery
      protocols could be addressed in future documents.</t>
      <t>The design of the Discovery Proxy is guided by the previously
      published requirements document
      <xref target="RFC7558">requirements document</xref>.</t> target="RFC7558" format="default"></xref>.</t>
      <t>In simple terms, a descriptive DNS name is chosen for
      each link in an organization.
      Using a DNS NS record, responsibility for that DNS name is delegated to
      a Discovery Proxy physically attached to that link.
      Now, when a remote client issues a unicast query for a name falling
      within
      the delegated subdomain, the normal DNS delegation mechanism
      results in the unicast query arriving at the Discovery Proxy, Proxy
      since it has been declared authoritative for those names.
      Now, instead of consulting a textual zone file on disk to discover
      the answer to the query, query as a traditional DNS server would,
      a Discovery Proxy consults its local link, using Multicast DNS,
      to find the answer to the question.</t>

      <t>For fault tolerance reasons
<!-- [rfced] In the following sentences, does "now" mean the process was
different in the past, or can it be removed? Also, it sounds odd
having "Now" twice sequentially; is there may another word or phrase that
can be more than one
      Discovery Proxy used?

Original:
   Now, when a remote client issues a unicast query for a name falling within
   the delegated subdomain, the normal DNS delegation mechanism results in the
   unicast query arriving at the Discovery Proxy, since it has been declared
   authoritative for those names. Now, instead of consulting a textual zone
   file on disk to discover the answer to the query, as a traditional DNS
   server would, a Discovery Proxy consults its local link, using Multicast
   DNS, to find the answer to the question.
 -->
      <t>For fault tolerance reasons, there may be more than one
      Discovery Proxy serving a given link.</t>
      <t>Note that the Discovery Proxy uses a "pull" model.
      The local link is not queried using Multicast DNS until some remote
      client has requested that data. In the idle state, in the absence
      of client requests, the Discovery Proxy sends no packets and imposes
      no burden on the network. It operates purely "on demand".</t>
      <t>An alternative proposal that has been discussed is a proxy that
      performs DNS updates to a remote DNS server on behalf of the Multicast
      DNS devices on the local network.  The difficulty with this is is that
      Multicast DNS devices do not routinely announce their records on the
      network. Generally Generally, they remain silent until queried.  This means that
      the complete set of Multicast DNS records in use on a link can only be
      discovered by active querying, not by passive listening.  Because of
      this, a proxy can only know what names exist on a link by issuing
      queries for them, and since it would be impractical to issue queries for
      every possible name just to find out which names exist and which do not,
      there is no reasonable way for a proxy to programmatically learn all the
      answers it would need to push up to the remote DNS server using DNS
      Update.  Even if such a mechanism were possible, it would risk
      generating high load on the network continuously, even when there are no
      clients with any interest in that data.</t>
      <t>Hence, having a model where the query comes to the Discovery Proxy
      is much more efficient than
      a model where the Discovery Proxy pushes the answers out
      to some other remote DNS server.</t>
      <t>A client seeking to discover services and other information achieves
      this by sending traditional DNS queries to the Discovery Proxy, Proxy or by
      sending
      <xref target="Push">DNS DNS Push Notification subscription
      requests</xref>.</t> requests <xref
      target="RFC8765" format="default"></xref>.</t>
      <t>How a client discovers what domain name(s) to use for its service
      discovery queries,
      (and consequently queries
      (and, consequently, what Discovery Proxy or Proxies to use)
      is described in <xref target="dom-enum"/>.</t> target="dom-enum" format="default"/>.</t>
      <t>The diagram below illustrates a network topology using a
      Discovery Proxy to provide discovery service to a remote client.</t>

      <figure><artwork>

<!-- [rfced] Would you like to add a title to the figure in Section 1?
-->
    <figure>
      <artwork name="" type="" align="left" alt=""><![CDATA[
  +--------+    Unicast     +-----------+  +---------+  +---------+
  | Remote |  Communcation  Communication | Discovery |  | Network |  | Network |
  | Client |---- . . . -----|   Proxy   |  | Printer |  | Camera  |
  +--------+                +-----------+  +---------+  +---------+
                                   |            |            |
                        --------------------------------------------
                       Multicast-capable LAN segment (e.g., Ethernet)
		     </artwork></figure>

<?rfc needLines="31" ?>
]]></artwork>
    </figure>
    </section>

    <section title="Operational Analogy"> numbered="true" toc="default">
      <name>Operational Analogy</name>
      <t>A Discovery Proxy does not operate as a multicast relay, relay or multicast
      forwarder.  There is no danger of multicast forwarding loops that result
      in traffic storms, because no multicast packets are forwarded.  A
      Discovery Proxy operates as a *proxy* for a remote client, performing
      queries on its behalf and reporting the results back.</t>
      <t>A reasonable analogy is making a telephone call to a colleague at
      your workplace and saying, "I'm out of the office right now. Would you
      mind bringing up a printer browser window and telling me the names of
      the printers you see?" That entails no risk of a forwarding loop causing
      a traffic storm, because no multicast packets are sent over the
      telephone call.</t>

<!-- [rfced] May "ssh" be written out as follows?

Original: Or log in using ssh and type ...

Perhaps:  Or, log in using the Secure Shell (SSH) protocol and type ...
-->

      <t>A similar analogy, instead of enlisting another human being
      to initiate the service discovery operation on your behalf, is
      to log into in to your own desktop work computer using screen sharing, sharing
      and then run the printer browser yourself to see the list of printers.
      Or
      Or, log in using ssh and type "dns-sd -B _ipp._tcp" and observe the
      list of discovered printer names. In neither case is there any risk
      of a forwarding loop causing a traffic storm, because no multicast
      packets are being sent over the screen sharing screen-sharing or ssh connection.</t>
      <t>The Discovery Proxy provides another way of performing remote
      queries,
      except using that it uses a different protocol instead of screen sharing or ssh.</t>
      <t>When the Discovery Proxy software performs Multicast DNS
      operations, the exact same Multicast DNS caching mechanisms are
      applied as when any other client software on that Discovery Proxy
      device performs Multicast DNS operations, regardless of whether that be running
      a printer browser client locally, or a remote user running the
      printer browser client via a screen sharing screen-sharing connection, or a remote
      user logged in via ssh running a command-line tool like "dns-sd",
      or a remote user sending DNS requests that cause a Discovery Proxy
      to perform discovery operations on its behalf.</t>

    <?rfc needLines="15" ?>
    </section>

    <section title="Conventions numbered="true" toc="default">
      <name>Conventions and Terminology Used in this Document">
      <t>The This Document</name>

        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace
      /> "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
      described<vspace />
      in "Key words for use
    described in RFCs to Indicate Requirement Levels",<vspace /> BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here<vspace
      />
      <xref target="RFC2119"/> <xref target="RFC8174"/>.</t> here.
        </t>

      <t>The Discovery Proxy builds on Multicast DNS,
      which works between hosts on the same link.
      For the purposes of this document document,
      a set of hosts is considered to be "on the same link" if:

      <list style='symbols'>
        <t>when

      </t>
<!-- [rfced] This document uses asterisks for emphasis on several words.
May this be changed to <em> in the XML? (It generates italics in the
HTML and PDF outputs; underscores in the TXT.)

Original:
   The link-layer *header* may be...
   ...
   but not the link-layer *payload*.
-->
      <ul spacing="normal">
        <li>when any host from that set sends a packet to any other host
        in that set, using unicast, multicast, or broadcast, the entire
        link-layer packet payload arrives unmodified, and</t>
        <t>a and</li>
        <li>a broadcast sent over that link, by any host from that set of
	hosts,
        can be received by every other host in that set.</t>
      </list> set.</li>
      </ul>
      <t>

      The link-layer *header* may be modified, such as in
      <xref target="IEEE-5">Token Token Ring Source Routing</xref>, Routing
      <xref target="IEEE802.5" format="default"></xref>,
      but not the link-layer *payload*.
      In particular, if any device forwarding a packet modifies any
      part of the IP header or IP payload payload, then the packet is no longer
      considered to be on the same link. This means that the packet may
      pass through devices such as repeaters, bridges, hubs hubs, or switches
      and still be considered to be on the same link for the purpose of
      this document, but not through a device such as an IP router that
      decrements the IP TTL or otherwise modifies the IP header.</t>
    </section>

    <section anchor="compatibility" title="Compatibility Considerations"> numbered="true" toc="default">
      <name>Compatibility Considerations</name>
      <t>No changes to existing devices are required to work with a Discovery
      Proxy.</t>
      <t>Existing devices that advertise services using Multicast DNS work
      with a Discovery Proxy.</t>

      <t>Existing clients that support DNS-Based Service Discovery over
      Unicast DNS
      work with Discovery Proxy.

<!-- [rfced] The following sentence may be confusing due to its length. How
might we rephrase for clarity?

Original:
   Service Discovery over
   Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is
   included in Apple products introduced since then, including iPhone
   and iPad, as well as products from other vendors, such as Microsoft
   Windows
      10.</t>

      <t>An overview of the larger collection of related 10.

Perhaps:
   Service Discovery
      technologies, and how Discovery Proxy relates to those, is given over Unicast DNS was introduced in
      <xref target="Roadmap">the Mac OS X (version
   10.4) in April of 2005 and has been included in Apple products introduced
   since then such as the iPhone and iPad.  It has also been included in
   products from other vendors such as Microsoft Windows 10.
-->

      <t>Existing clients that support DNS-based Service Discovery over
      Unicast DNS work with a Discovery Proxy.  Service Discovery over Unicast
      DNS was introduced in Mac OS X 10.4 in April 2005 and has been included in
      Apple products introduced since then, including the iPhone and iPad as well
      as products from other vendors such as Microsoft Windows 10.</t>
      <t>An overview of the larger collection of related Service Discovery
      technologies, and how Discovery Proxies relate to those, is given in the
      Service Discovery Road Map
      document</xref>.</t>

    <?rfc needLines="22" ?> document <xref
      target="I-D.cheshire-dnssd-roadmap" format="default"></xref>.</t>
    </section>

<!-- [rfced] Would the following sentence be clearer with "as shown below," to
better set up the four definitions it leads into following the colon?

Original:
   In a typical configuration, a Discovery Proxy is configured to be
   authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, and
   authority for these subdomains is delegated to it via NS records:

      A DNS subdomain for service discovery records.
      ...

Perhaps:
   In a typical configuration, a Discovery Proxy is configured to be
   authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, as shown
   below, and authority for these subdomains is delegated to it via NS records:

      A DNS subdomain for service discovery records.
      ...
-->
    <section anchor="operation" title="Discovery numbered="true" toc="default">
      <name>Discovery Proxy Operation"> Operation</name>
      <t>In a typical configuration, a Discovery Proxy is configured
      to be authoritative <xref target="RFC1034"/> target="RFC1034" format="default"/> <xref target="RFC1035"/> target="RFC1035" format="default"/>
      for four or more DNS subdomains, and authority
      for these subdomains is delegated to it via NS records:
        <list style="hanging">
          <t hangText="A
      </t>
      <dl newline="true" spacing="normal">
        <dt>A DNS subdomain for service discovery records."><vspace
	  /> records.</dt>
        <dd>
          This subdomain name may contain rich text, including
          spaces and other punctuation. This is because this
          subdomain name is used only in graphical user interfaces, interfaces
          where rich text is appropriate.</t>
          <t hangText="A appropriate.</dd>
        <dt>A DNS subdomain for host name records."><vspace /> records.</dt>
        <dd>
          This subdomain name SHOULD <bcp14>SHOULD</bcp14> be limited to letters, digits digits, and
	  hyphens,
	  hyphens in order to facilitate the convenient use of host names in command-line
	  interfaces.</t>
          <t hangText="One
	  interfaces.</dd>
        <dt>One or more DNS subdomains for IPv4 Reverse Mapping
		       records."><vspace /> records.</dt>
        <dd>
          These subdomains will have names that ends end in "in-addr.arpa."</t>
          <t hangText="One "in-addr.arpa".</dd>
        <dt>One or more DNS subdomains for IPv6 Reverse Mapping
		       records."><vspace />          records.</dt>
        <dd>
          These subdomains will have names that ends end in "ip6.arpa."</t>
        </list>
      </t> "ip6.arpa".</dd>
      </dl>
      <t>In an enterprise network network, the naming and delegation of these
      subdomains
      is typically performed by conscious action of the network administrator.
      In a home network network, naming and delegation would typically be performed
      using some automatic configuration mechanism such as HNCP Home Networking
      Control Protocol (HNCP)
      <xref target="RFC7788"/>.</t> target="RFC7788" format="default"/>.</t>
      <t>These three varieties of delegated subdomains
      (service discovery, host names, and reverse mapping) are described below
      in Sections <xref target="dom-sd"/>, target="dom-sd" format="counter"/>, <xref target="dom-host"/>
      target="dom-host" format="counter"/>, and <xref target="dom-rev"/>.</t> target="dom-rev" format="counter"/>.</t>
      <t>How a client discovers where to issue its service discovery queries
      is described
      below in <xref target="dom-enum"/>.</t>

      <?rfc needLines="28" ?> target="dom-enum" format="default"/>.</t>
      <section anchor="dom-sd" title="Delegated numbered="true" toc="default">
        <name>Delegated Subdomain for Service  Discovery Records"> Records</name>
        <t>In its simplest form, each link in an organization
      is assigned a unique Unicast DNS domain name, name such as
      "Building&nbsp;1.example.com" or
      "2nd&nbsp;Floor.Building&nbsp;3.example.com".
      Grouping multiple links under a single Unicast DNS domain
      name is to be specified in a future companion document, but for
      the purposes of this document, assume that each link has its own
      unique Unicast DNS domain name.
      In a graphical user interface interface, these names are not displayed
      as strings with dots as shown above, but something more
      akin to a typical file browser graphical user interface
      (which is harder to illustrate in a text-only document)
      showing folders, subfolders subfolders, and files in a file system.

       <figure align="left" anchor="browser" title="Illustrative
						    GUI"><artwork><![CDATA[
 +---------------+--------------+-------------+-------------------+
 | *example.com* |  Building 1  |  1st Floor  | Alice's printer   |
 |               |  Building 2  | *2nd Floor* | Bob's printer     |
 |               | *Building 3* |  3rd Floor  | Charlie's printer |
 |               |  Building 4  |  4th Floor  |                   |
 |               |  Building 5  |             |                   |
 |               |  Building 6  |             |                   |
 +---------------+--------------+-------------+-------------------+]]></artwork>
       </figure>

        </t>

<table anchor="browser">
<name>Illustrative GUI
</name>
  <tbody>
    <tr>
      <td align="center">*example.com*</td>
      <td align="center">Building 1</td>
      <td align="center">1st Floor</td>
      <td align="center">Alice's printer</td>
    </tr>

    <tr>
      <td align="center"></td>
      <td align="center">Building 2</td>
      <td align="center">*2nd Floor*</td>
      <td align="center">Bob's printer</td>
    </tr>

    <tr>
      <td align="center"></td>
      <td align="center">*Building 3*</td>
      <td align="center">3rd Floor</td>
      <td align="center">Charlie's printer</td>
    </tr>

    <tr>
      <td align="center"></td>
      <td align="center">Building 4</td>
      <td align="center">4th Floor</td>
      <td align="center"></td>
    </tr>

 <tr>
      <td align="center"></td>
      <td align="center">Building 5</td>
      <td align="center"></td>
      <td align="center"></td>
    </tr>

 <tr>
      <td align="center"></td>
      <td align="center">Building 6</td>
      <td align="center"></td>
      <td align="center"></td>
    </tr>
  </tbody>
</table>

<!-- [rfced] Please clarify "Discovery Proxy function for each link".
May it be rephrased as follows or otherwise?

Original:
   This Discovery Proxy function for each link could be performed by a device
   like a router or switch that is physically attached to that link.

Perhaps:
   This Discovery Proxy function could be performed for each link by a device
   like a router or switch that is physically attached to that link.
-->
        <t>Each named link in an organization has one or more Discovery
        Proxies
      which that serve it. This Discovery Proxy function for each link
        could be performed by a device like a router or switch that is
        physically attached to that link.  In the parent domain, NS records
        are used to delegate ownership of each defined link name
        (e.g.,&nbsp;"Building&nbsp;1.example.com") to the one or more
        Discovery Proxies that serve the named link.  In other words, the
        Discovery Proxies are the authoritative name servers for that
        subdomain.  As in the rest of DNS-Based DNS-based Service Discovery, all names
        are represented as-is using plain UTF-8 encoding, encoding and, as described in
        <xref
      target="notrans"/>, target="notrans" format="default"/>, no text encoding text-encoding
        translations are performed.</t>
        <t>With appropriate VLAN
        configuration <xref target="IEEE-1Q">VLAN configuration</xref> target="IEEE802.1Q" format="default"></xref>, a single Discovery Proxy device could have a
        logical presence on many links, links and serve as the Discovery Proxy for
        all those links.  In such a configuration configuration, the Discovery Proxy device
        would have a single physical Ethernet <xref target="IEEE-3">Ethernet</xref> target="IEEE-3"
        format="default"></xref> port, configured as a VLAN trunk
        port, which would appear to software on that device as multiple
        virtual Ethernet interfaces, one connected to each of the VLAN
        links.</t>
        <t>As an alternative to using VLAN technology, using a
      <xref target="Relay">Multicast Multicast DNS Discovery Relay</xref> Relay
      <xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>
      is another way that a Discovery Proxy can have
      a ‘virtual’ "virtual" presence on a remote link.</t>

      <?rfc needLines="6" ?>
        <t>When a DNS-SD client issues a Unicast DNS query to discover
        services in a particular Unicast DNS subdomain
      (e.g.,&nbsp;"_printer._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?")
        (e.g.,&nbsp;"_printer._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?"),
        the normal DNS delegation mechanism results in that query being
        forwarded until it reaches the delegated authoritative name server for
        that subdomain, namely namely, the Discovery Proxy on the link in question.
        Like a conventional Unicast DNS server, a Discovery Proxy implements
        the usual Unicast DNS protocol <xref target="RFC1034"/> target="RFC1034"
        format="default"/> <xref target="RFC1035"/> target="RFC1035" format="default"/> over UDP
        and TCP.  However, unlike a conventional Unicast DNS server that
        generates answers from the data in its manually-configured manually configured zone file,
        a Discovery Proxy generates answers using Multicast DNS.  A Discovery
        Proxy does this by consulting its Multicast DNS cache and/or issuing
        Multicast DNS queries, as appropriate, appropriate according to the usual protocol
        rules of Multicast DNS <xref target="RFC6762">Multicast DNS</xref>, target="RFC6762" format="default"></xref>,
        for the corresponding Multicast DNS name, type type, and class, with the
        delegated zone part of the name replaced with ".local" (e.g.,&nbsp;in
        this case, "_printer._tcp.local.&nbsp;PTR&nbsp;?").  Then, from the
        received Multicast DNS data, the Discovery Proxy synthesizes the
        appropriate Unicast DNS response, with the ".local" top-level label
        replaced with with the name of the delegated zone.  How long the Discovery
        Proxy should wait to accumulate Multicast DNS responses before sending
        its unicast reply is described below in <xref
      target="aggregation"/>.</t> target="aggregation"
        format="default"/>.</t>
        <t>The existing Multicast DNS caching mechanism is used to minimize
        unnecessary Multicast DNS queries on the wire.  The Discovery Proxy is
        acting as a client of the underlying Multicast DNS
      subsystem, subsystem and
        benefits from the same caching and efficiency measures as any other
        client using that subsystem.</t>
        <t>Note that the contents of the delegated zone, generated as it is by
        performing ".local" Multicast DNS queries, mirrors the records
        available on the local link via Multicast DNS very closely, but not
        precisely.  There is not a full bidirectional equivalence between the
        two.  Certain records that are available via Multicast DNS may not
        have equivalents in the delegated zone, zone possibly because they are
        invalid or not relevant in the delegated zone, zone or because they are
        being supressed suppressed because they are unusable outside the local link (see
        <xref target="unusable"/>). target="unusable" format="default"/>).  Conversely, certain
        records that appear in the delegated zone may not have corresponding
        records available on the local link via Multicast DNS.  In particular particular,
        there are certain administrative SRV records (see <xref target="admin"/>) target="admin"
        format="default"/>) that logically fall within the delegated
      zone, zone but
        semantically represent metadata *about* the zone rather than records
        *within* the zone, and consequently zone. Consequently, these administrative records in
        the delegated zone do not have any corresponding counterparts in the
        Multicast DNS namespace of the local link.</t>

      <?rfc needLines="26" ?>
      </section>

      <section anchor="dom-enum" title="Domain Enumeration"> numbered="true" toc="default">
        <name>Domain Enumeration</name>
        <t>A DNS-SD client performs Domain Enumeration <xref
	target="RFC6763"/> target="RFC6763"
        format="default"/> via certain PTR queries, queries using both unicast and
        multicast.  If it receives a Domain Name configuration via
        <xref target="RFC2132">DHCP DHCP option 15</xref>,
        15 <xref target="RFC2132" format="default"></xref>, then it issues
        unicast queries using this domain.  It issues unicast queries using
        names derived from its IPv4 subnet address(es) and IPv6 prefix(es).
        These prefix(es),
        which are described below in <xref target="unicast"/>. target="unicast" format="default"/>.  It
        also issues multicast Domain Enumeration queries in the "local" domain
        <xref target="RFC6762"/>.
        These target="RFC6762" format="default"/>, which are described below in
        <xref target="multicast"/>. target="multicast" format="default"/>.  The results of all the
        Domain Enumeration queries are combined for Service Discovery
        purposes.</t>

        <section anchor="unicast" title="Domain numbered="true" toc="default">
          <name>Domain Enumeration via Unicast
					 Queries"> Queries</name>
          <t>The administrator creates Domain Enumeration PTR records <xref target="RFC6763"/>
          target="RFC6763" format="default"/> to inform clients of available
          service discovery domains.  Two varieties of such Domain Enumeration
          PTR records exist; exist: those with names derived from the domain name
          communicated to the clients via DHCP, DHCP and those with names derived
          from either IPv4 subnet address(es) and or IPv6 prefix(es) in use by the
          clients.  Below is an example showing the name-based variety:</t>
        <figure><artwork>
          <artwork name="" type="" align="left" alt=""><![CDATA[
    b._dns-sd._udp.example.com.    PTR   Building 1.example.com.
                                   PTR   Building 2.example.com.
                                   PTR   Building 3.example.com.
                                   PTR   Building 4.example.com.

    db._dns-sd._udp.example.com.   PTR   Building 1.example.com.

    lb._dns-sd._udp.example.com.   PTR   Building
	1.example.com.</artwork></figure>
	1.example.com.]]></artwork>
          <t>The meaning of these records is defined in the <xref target="RFC6763">DNS target="RFC6763"
          format="default">DNS Service
          Discovery specification</xref>
        but but, for convenience convenience, is repeated here.
          The "b" ("browse") records tell the client device the list of
          browsing domains to display for the user to select from.  The "db"
          ("default browse") record tells the client device which domain in
          that list should be selected by default.  The "db" domain MUST
          <bcp14>MUST</bcp14> be one of the domains in the "b" list; if not not,
          then no domain is selected by default.  The "lb" ("legacy browse")
          record tells the client device which domain to automatically browse
          on behalf of applications that don't implement UI for multi-domain
          browsing (which is most of them, them at the time of writing).  The "lb"
          domain is often the same as the "db" domain, domain or sometimes the "db"
          domain plus one or more others that should be included in the list
          of automatic browsing domains for legacy clients.</t>
          <t>Note that in the example above, for clarity, space characters in
          names are shown as actual spaces.  If this data is manually entered
          into a textual zone file for authoritative server software such as
          BIND, care must be taken because the space character is used as a
          field separator, and other characters like dot ('.'), semicolon
          (';'), dollar ('$'), backslash ('\'), etc., also have special meaning.
          These characters have to be escaped when entered into a textual zone
          file, following the rules in Section 5.1 of the <xref target="RFC1035">DNS target="RFC1035"
	  sectionFormat="of" section="5.1">the DNS specification</xref>.  For
          example, a literal space in a name is represented in the textual
          zone file using '\032', so "Building 1.example.com." is entered as
          "Building\0321.example.com."</t>

        <?rfc needLines="15" ?>
        <t>DNS responses are limited to a maximum size
<!-- [rfced] In the following sentence, is the period following "Building
1.example.com" part of 65535 bytes.
        This limits the maximum number actual name? If so, we will include a period
after the quotation marks to indicate the end of domains the sentence.

We note that can be returned for
        a Domain Enumeration query, as follows:</t>

        <t>A DNS response header is 12 bytes.
        That's typically followed by some instances of ".example.com" end in a single qname (up to 256 bytes)
        plus qtype (2&nbsp;bytes) period and qclass (2&nbsp;bytes), leaving 65275
        for others
do not; please review.

Original:
   For example, a literal space in a name is
   represented in the Answer Section.</t> textual zone file using '\032', so "Building
   1.example.com." is entered as "Building\0321.example.com."
   ...
   These subdomains will have names that end in "in-addr.arpa."

Perhaps:
   For example, a literal space in a name is
   represented in the textual zone file using "\032", so "Building
   1.example.com." is entered as "Building\0321.example.com.".
   ...
   These subdomains will have names that end in "in-addr.arpa.".
-->
          <t>DNS responses are limited to a maximum size of 65535 bytes.
        This limits the maximum number of domains that can be returned for
        a Domain Enumeration query as follows:</t>
          <t>A DNS response header is 12 bytes.
        That's typically followed by a single qname (up to 256 bytes)
        plus qtype (2&nbsp;bytes) and qclass (2&nbsp;bytes), leaving 65275
        for the Answer Section.</t>

<!-- [rfced] This document uses a mix of numerals ("10") and spelled out
numbers ("ten") for quantities of seconds and other technical content.
Please let us know if you were following a specific guideline, or if
you would you like to make any changes for consistency.
Examples:
  Section 5.2.1: 2 bytes vs. two-byte
  Section 6.1: the value 10 vs. value of ten seconds
-->
          <t>An Answer Section Resource Record consists of:
          <?rfc subcompact="yes" ?>
          <list style='symbols'>
            <t>Owner
          </t>

<!-- [rfced] Should capitalization be changed in this list?
We see all-caps usage in past RFCs.

Current:
   *  Owner name encoded as a two-byte compression pointer
   *  Two-byte rrtype (type PTR)
   *  Two-byte rrclass (class IN)
   *  Four-byte ttl
   *  Two-byte rdlength
   *  rdata (domain name, up to 256 bytes)

Perhaps:
   *  Owner name encoded as a two-byte compression pointer
   *  Two-byte RRTYPE (type PTR)
   *  Two-byte RRCLASS (class IN)
   *  Four-byte TTL
   *  Two-byte RDLENGTH
   *  RDATA (domain name, up to 256 bytes)
-->

          <ul spacing="compact">
            <li>Owner name encoded as a two-byte compression pointer</t>
            <t>Two-byte pointer</li>
            <li>Two-byte rrtype (type PTR)</t>
            <t>Two-byte PTR)</li>
            <li>Two-byte rrclass (class IN)</t>
            <t>Four-byte ttl</t>
            <t>Two-byte rdlength</t>
            <t>rdata IN)</li>
            <li>Four-byte ttl</li>
            <li>Two-byte rdlength</li>
            <li>rdata (domain name, up to 256 bytes)</t>
          </list>
          <?rfc subcompact="no" ?>
        </t> bytes)</li>
          </ul>
          <t>This means that each Resource Record in the Answer Section can
        take up to 268 bytes total, which means that the Answer Section
        can contain, in the worst case, no more than 243 domains.</t>
          <t>In a more typical scenario, where the domain names are not all
        maximum-sized names, and there is some similarity between names
        so that reasonable name compression is possible, each Answer
        Section Resource Record may average 140 bytes, which means that
        the Answer Section can contain up to 466 domains.</t>
          <t>It is anticipated that this should be sufficient for even a large
        corporate network or university campus.</t>
        <?rfc needLines="21" ?>
        </section>
        <section anchor="multicast" title="Domain numbered="true" toc="default">
          <name>Domain Enumeration via Multicast
					   Queries">         Queries</name>
          <t>In the case where Discovery Proxy functionality is widely
          deployed within an enterprise (either by having a Discovery Proxy on
          each link, link or by having a Discovery Proxy with a remote ‘virtual’ "virtual"
          presence on each link using VLANs or <xref target="Relay">Multicast Multicast DNS Discovery
	Relays</xref>) Relays
          <xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>),
          this offers an additional way to provide Domain Enumeration data for
          clients.</t>
          <t>A Discovery Proxy can be configured to generate Multicast DNS
	responses
        for the following Multicast DNS Domain Enumeration queries issued by
	clients:</t>

        <figure><artwork>
          <artwork name="" type="" align="left" alt=""><![CDATA[
    b._dns-sd._udp.local.    PTR   ?
    db._dns-sd._udp.local.   PTR   ?
    lb._dns-sd._udp.local.   PTR   ?</artwork></figure>   ?]]></artwork>
          <t>This provides the ability for Discovery Proxies to indicate
          recommended browsing domains to DNS-SD clients on a per-link
          granularity. In some enterprises enterprises, it may be preferable to provide
          this per-link configuration data in the form of a Discovery Proxy configuration,
          configuration rather than populating the Unicast DNS servers with
          the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t>
          <t>Regardless of how the network operator chooses to provide this
	configuration
        data, clients will perform Domain Enumeration via both unicast and
	multicast
        queries,
        queries and then combine the results of these queries.</t>

      <?rfc needLines="30" ?>
        </section>
      </section>
      <section anchor="dom-host" title="Delegated numbered="true" toc="default">
        <name>Delegated Subdomain for LDH Host
					Names">      Names</name>
        <t>DNS-SD service instance names and domains are allowed
        to contain arbitrary Net-Unicode text <xref target="RFC5198">Net-Unicode text</xref>, target="RFC5198" format="default"></xref>
        encoded as precomposed UTF-8 <xref target="RFC3629">precomposed UTF-8</xref>.</t> target="RFC3629" format="default"></xref>.</t>
        <t>Users typically interact with service discovery software by
        viewing a list of discovered service instance names on a display, display
        and selecting one of them by pointing, touching, or clicking.
        Similarly, in software that provides a multi-domain DNS-SD user
        interface, users view a list of offered domains on the display
        and select one of them by pointing, touching, or clicking.
        To use a service, users don't have to remember domain or instance
        names, or type them; users just have to be able to recognize what
        they see on the display and touch or click on the thing they want.</t>
        <t>In contrast, host names are often remembered and typed.  Also, host
        names have historically been used in command-line interfaces where
        spaces can be inconvenient. For this reason, host names have
        traditionally been restricted to letters, digits digits, and hyphens (LDH), (LDH)
        with no spaces or other punctuation.</t> <t>While we do want to allow
        rich text for DNS-SD service instance names and domains, it is
        advisable, for maximum compatibility with existing usage, to restrict
        host names to the traditional letter-digit-hyphen rules.  This means
        that while a the service name
        "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" is acceptable
        and desirable (it is displayed in a graphical user interface as an
        instance called "My&nbsp;Printer" in the domain "Building&nbsp;1" at
        "example.com"),
        a the host name "My-Printer.Building&nbsp;1.example.com"
        is less desirable (because of the space in "Building&nbsp;1").</t>
        <t>To accomodate accommodate this difference in allowable characters, a Discovery
        Proxy
        SHOULD <bcp14>SHOULD</bcp14> support having two separate subdomains
        delegated to it for each link it serves, serves: one whose name is allowed to
        contain arbitrary Net-Unicode text <xref
	target="RFC5198"/>, target="RFC5198"
        format="default"/> and a second more constrained subdomain whose name
        is restricted to contain only letters, digits, and hyphens, to be used
        for host name records (names of 'A' and 'AAAA' address records).  The
        restricted names may be any valid name consisting of only letters,
        digits, and hyphens, including Punycode-encoded names <xref
	target="RFC3492"/>.
        target="RFC3492" format="default"/>.
        </t>

        <?rfc needLines="12" ?>
        <t>For example, a Discovery Proxy could have the two subdomains
        "Building&nbsp;1.example.com" and "bldg1.example.com" delegated to it.
        The Discovery Proxy would then translate these two Multicast DNS
	records:</t>

<figure><artwork>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
   prnt.local.                 A   203.0.113.2</artwork></figure>   203.0.113.2]]></artwork>
        <t>into Unicast DNS records as follows:</t>

<figure><artwork>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   My Printer._ipp._tcp.Building 1.example.com.
                               SRV 0 0 631 prnt.bldg1.example.com.
   prnt.bldg1.example.com.     A   203.0.113.2</artwork></figure>   203.0.113.2]]></artwork>
        <t>Note that the SRV record name is translated using the rich-text
        domain name ("Building&nbsp;1.example.com") ("Building&nbsp;1.example.com"), and the address record
        name is translated using the LDH domain ("bldg1.example.com").</t>
        <t>A Discovery Proxy MAY <bcp14>MAY</bcp14> support only a single rich text
        rich-text Net-Unicode
	domain, domain and use that domain for all records,
        including 'A' and 'AAAA' address records, but implementers choosing
        this option should be aware that this choice may produce host names
        that are awkward to use in command-line environments.  Whether or not this is
        an issue depends on whether users in the target environment are
        expected to be using command-line interfaces.</t>
        <t>A Discovery Proxy MUST NOT <bcp14>MUST NOT</bcp14> be restricted to support only a
	letter-digit-hyphen
        subdomain, because that results in an unnecessarily poor user
	experience.</t>

        <t>As described above in <xref target="unicast"/>, target="unicast" format="default"/>, for
        clarity, space characters in names are shown as actual spaces.  If
        this data were to be manually entered into a textual zone file (which
        it isn't) isn't), then spaces would need to be represented using '\032', so
        "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com." would become
        "My\032Printer._ipp._tcp.Building\0321.example.com."<vspace />
        "My\032Printer._ipp._tcp.Building\0321.example.com."</t>
<t>
Note that the '\032' representation does not appear in the network packets
sent over the air.  In the wire format of DNS messages, spaces are sent as
spaces, not as '\032', and likewise, in a graphical user interface at the
client device, spaces are shown as spaces, not as '\032'.
</t>

      <?rfc needLines="36" ?>
      </section>

      <section anchor="dom-rev" title="Delegated numbered="true" toc="default">
        <name>Delegated Subdomain for Reverse
				       Mapping"> Mapping</name>
        <t>A Discovery Proxy can facilitate easier management of reverse
        mapping domains, domains particularly for IPv6 addresses where manual
        management may be more onerous than it is for IPv4 addresses.</t>
        <t>To achieve this, in the parent domain, NS records are used to
        delegate ownership of the appropriate reverse mapping domain to
        the Discovery Proxy. In other words, the Discovery Proxy becomes the
        authoritative name server for the reverse mapping domain.
        For fault tolerance reasons reasons, there may be more than one
        Discovery Proxy serving a given link.</t>
        <t>If a given link is using the IPv4 subnet 203.0.113/24,<vspace/> 203.0.113/24,
        then the domain "113.0.203.in-addr.arpa"<vspace/> "113.0.203.in-addr.arpa"
        is delegated to the Discovery Proxy for that link.</t>
        <t>For example, if a given link is using the<vspace/> the
        IPv6 prefix 2001:0DB8:1234:5678/64,<vspace/> 2001:0DB8:1234:5678/64,
        then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"<vspace/> "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
        is delegated to the Discovery Proxy for that link.</t>
        <t>When a reverse mapping query arrives at the Discovery Proxy, it
        issues the identical query on its local link as a Multicast DNS query.
        The mechanism to force an apparently unicast name to be resolved using
        link-local Multicast DNS varies depending on the API set being used.
        For example, in the "dns_sd.h" APIs<vspace/> APIs (available on macOS, iOS, Bonjour
        for Windows, Linux Linux, and Android), using kDNSServiceFlagsForceMulticast
        indicates that the DNSServiceQueryRecord() call should perform the
        query using Multicast DNS.  Other APIs API sets have different ways of
        forcing multicast queries.  When the host owning that IPv4 or IPv6
        address responds with a name of the form "something.local", the
        Discovery Proxy rewrites that it to use its configured LDH host name
        domain instead of "local", "local" and returns the response to the caller.</t>

        <?rfc needLines="15" ?>
        <t>For example, a Discovery Proxy with the two subdomains
        "113.0.203.in&nbhy;addr.arpa" and "bldg1.example.com" delegated to it
        would translate this Multicast DNS record:</t>

<figure><artwork>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   2.113.0.203.in-addr.arpa. PTR prnt.local.</artwork></figure> prnt.local.]]></artwork>
        <t>into this Unicast DNS response:</t>

<figure><artwork>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.</artwork></figure> prnt.bldg1.example.com.]]></artwork>
        <t>Subsequent queries for the prnt.bldg1.example.com address
        record, falling as it does within the bldg1.example.com domain,
        which is delegated to the Discovery Proxy, will arrive at the
        Discovery Proxy, Proxy where they are answered by issuing Multicast DNS
	queries
        and using the received Multicast DNS answers to synthesize Unicast
        DNS responses, as described above.</t>
        <t>Note that this design assumes that all addresses on a given
        IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery
	Proxy mechanism.
        It would be possible to implement a Discovery Proxy that can be
	configured
        so that some address-to-name mappings are performed using Multicast
	DNS
        on the local link, while other address-to-name mappings within the
	same
        IPv4 subnet or IPv6 prefix are configured manually.</t>
      <?rfc needLines="46" ?>
      </section>

      <section title="Data Translation"> numbered="true" toc="default">
        <name>Data Translation</name>
        <t>Generating the appropriate Multicast DNS queries involves,<vspace/> involves,
        at the very least, translating from the configured DNS domain
        (e.g.,&nbsp;"Building&nbsp;1.example.com") on the Unicast DNS side
        to "local" on the Multicast DNS side.</t>
        <t>Generating the appropriate Unicast DNS responses involves
        translating back from "local" to the appropriate configured DNS
	Unicast domain.</t>
        <t>Other beneficial translation and filtering operations are described
	below.</t>
        <section anchor="ttl" title="DNS numbered="true" toc="default">
          <name>DNS TTL limiting"> Limiting</name>
          <t>For efficiency, Multicast DNS typically uses moderately high DNS
          TTL values. For example, the typical TTL on DNS-SD PTR records is 75
          minutes. What makes these moderately high TTLs acceptable is the
          cache coherency mechanisms built in to the Multicast DNS protocol which
          that protect against stale data persisting for too long.  When a
          service shuts down gracefully, it sends goodbye packets to remove
          its PTR records immediately from neighboring caches.  If a service
          shuts down abruptly without sending goodbye packets, the Passive
          Observation Of Failures (POOF) mechanism described in Section 10.5 of the <xref target="RFC6762">Multicast
          target="RFC6762" sectionFormat="of" section="10.5">the Multicast DNS
          specification</xref> comes into play to purge the cache of stale data.</t>
          <t>A traditional Unicast DNS client on a distant remote link does
          not get to participate in these Multicast DNS cache coherency
          mechanisms on the local link.  For traditional Unicast DNS queries
          (those received without using Long-Lived Query Queries (LLQ) <xref target="LLQ"/>
          target="RFC8764" format="default"/> or DNS Push
          Notification subscriptions <xref target="Push"/>) target="RFC8765"
          format="default"/>), the DNS TTLs reported in the resulting Unicast
          DNS response
          MUST <bcp14>MUST</bcp14> be capped to be no more than ten
          seconds.</t>
          <t>Similarly, for negative responses, the negative caching TTL
          indicated in the SOA record <xref target="RFC2308"/> target="RFC2308"
          format="default"/> should also be ten seconds
          (<xref target="soa"/>).</t> (see <xref target="soa"
          format="default"/>).</t>
          <t>This value of ten seconds is chosen based on user-experience
	  considerations.</t>
          <t>For negative caching, suppose a user is attempting to access a
          remote device (e.g., a printer), and they are unsuccessful because
          that device is powered off. Suppose they then place a telephone call
          and ask for the device to be powered on. We want the device to
          become available to the user within a reasonable time period. It is
          reasonable to expect it to take on the order of ten seconds for a
          simple device with a simple embedded operating system to power
          on. Once the device is powered on and has announced its presence on
          the network via Multicast DNS, we would like it to take no more than
          a further ten seconds for stale negative cache entries to expire
          from Unicast DNS caches, making the device available to the user
          desiring to access it.</t>
          <t>Similar reasoning applies to capping positive TTLs at ten
	  seconds.
          In the event of a device moving location, getting a new DHCP
	  address,
          or other renumbering events, we would like the updated information
	  to
          be available to remote clients in a relatively timely fashion.</t>
          <t>However, network administrators should be aware that many
	  recursive
          (caching) DNS servers by default are configured to impose a minimum
	  TTL of
          30 seconds. If stale data appears to be persisting in the network to
	  the
          extent that it adversely impacts user experience, network
	  administrators
          are advised to check the configuration of their recursive DNS
	  servers.</t>
          <t>For received Unicast DNS queries that use LLQ <xref
	  target="LLQ"/> target="RFC8764" format="default"/> or
          DNS Push Notifications <xref target="Push"/>, target="RFC8765" format="default"/>, the Multicast DNS
	  record's TTL SHOULD <bcp14>SHOULD</bcp14> be
          returned unmodified, because the Push Notification channel exists
          to inform the remote client as records come and go.
          For further details about Long-Lived Queries, Queries and its newer
	  replacement,
          DNS Push Notifications, see <xref target="aggregation"/>.</t> target="aggregation" format="default"/>.</t>
        </section>
        <section anchor="unusable" title="Suppressing numbered="true" toc="default">
          <name>Suppressing Unusable Records"> Records</name>
          <t>A Discovery Proxy SHOULD <bcp14>SHOULD</bcp14> offer a configurable option,
          enabled by default, to suppress Unicast DNS answers
          for records that are not useful outside the local link.
          When the option to suppress unusable records is enabled:
            <list style='symbols'>

              <t>DNS
          </t>
          <ul spacing="normal">
            <li>DNS A and AAAA records for
              IPv4 link-local addresses <xref target="RFC3927"/> target="RFC3927" format="default"/>
              and
              IPv6 link-local addresses <xref target="RFC4862"/>
              SHOULD target="RFC4862" format="default"/>
              <bcp14>SHOULD</bcp14> be suppressed.</t>

              <t>Similarly, suppressed.</li>
            <li>Similarly, for sites that have multiple private address
	      realms <xref target="RFC1918"/>, target="RFC1918" format="default"/>,
              in cases where the Discovery Proxy can determine that the
	      querying client
              is in a different address realm, private addresses SHOULD NOT <bcp14>SHOULD NOT</bcp14> be
              communicated to that client.</t>

              <t><xref target="RFC4193">IPv6 client.</li>
            <li>
              IPv6 Unique Local Addresses</xref>
	      SHOULD Addresses <xref target="RFC4193" format="default"></xref>
	      <bcp14>SHOULD</bcp14> be suppressed
              in cases where the Discovery Proxy can determine that the
	      querying client
              is in a different IPv6 address realm.</t>

              <t>By realm.</li>
            <li>By the same logic, DNS SRV records that reference target host
              names that have no addresses usable by the requester should be
              suppressed, and likewise, DNS PTR records that point to unusable
              SRV records should be similarly be suppressed.</t>
            </list>
          </t>

        <?rfc needLines="8" ?> suppressed.</li>
          </ul>
        </section>
        <section title="NSEC numbered="true" toc="default">
          <name>NSEC and NSEC3 queries"> Queries</name>
          <t>Multicast DNS devices do not routinely announce their records
          on the network. Generally Generally, they remain silent until queried.
          This means that the complete set of Multicast DNS records in use on
	  a
          link can only be discovered by active querying, not by passive
	  listening.
          Because of this, a Discovery Proxy can only know what names exist on
	  a link
          by issuing queries for them, and since it would be impractical to
          issue queries for every possible name just to find out which names
          exist and which do not, a Discovery Proxy cannot programmatically
          generate the traditional
          NSEC <xref target="RFC4034">NSEC</xref> target="RFC4034" format="default"></xref> and
          NSEC3 <xref target="RFC5155">NSEC3</xref> target="RFC5155" format="default"></xref> records
          which
          that assert the nonexistence of a large range of names.</t>
          <t>When queried for an NSEC or NSEC3 record type, the Discovery
	  Proxy issues
          a qtype "ANY" query using Multicast DNS on the local link, link and then
          generates an NSEC or NSEC3 response with a Type Bit Map signifying
          which record types do and do not exist for just the specific name
	  queried,
          and no other names.</t>
          <t>Multicast DNS NSEC records received on the local link
          MUST NOT
          <bcp14>MUST NOT</bcp14> be forwarded unmodified to a unicast querier, because there
	  are
          slight differences in the NSEC record data.
          In particular, Multicast DNS NSEC records do not have the NSEC
          bit set in the Type Bit Map, whereas conventional Unicast DNS
          NSEC records do have the NSEC bit set.</t>
        </section>
        <section anchor="notrans" title="No Text Encoding Translation"> numbered="true" toc="default">
          <name>No Text-Encoding Translation</name>
          <t>A Discovery Proxy does no translation between text encodings.
          Specifically, a Discovery Proxy does no translation between Punycode
	  encoding <xref target="RFC3492">Punycode encoding</xref>
          target="RFC3492" format="default"></xref> and UTF-8 encoding <xref target="RFC3629">UTF-8 encoding</xref>,
          target="RFC3629" format="default"></xref>, either in
          the owner name of DNS records, records or anywhere in the RDATA of DNS
          records (such as the RDATA of PTR records, SRV records, NS records,
          or other record types like TXT, where it is ambiguous whether the
          RDATA may contain DNS names).  All bytes are treated as-is, as-is with no
          attempt at text encoding text-encoding translation.  A client implementing
          DNS-based Service Discovery <xref
	  target="RFC6763"/> target="RFC6763"
          format="default"/> will use UTF-8 encoding for its service discovery
          queries, which the Discovery Proxy passes through without any text encoding
          text-encoding translation to the Multicast DNS subsystem.  Responses
          from the Multicast DNS subsystem are similarly returned, without any text encoding
          text-encoding translation, back to the requesting client.</t>

        <?rfc needLines="13" ?>
        </section>

        <section title="Application-Specific numbered="true" toc="default">
          <name>Application-Specific Data Translation"> Translation</name>
          <t>There may be cases where Application-Specific Data Translation is
	  appropriate.</t>

<!-- [rfced] FYI: We added the word "of" in "use this extra TXT record".
Please review.

Original:
   For local mDNS use this extra TXT record information is inefficient, but
   not fatal.

Updated:
   For local multicast DNS (mDNS), use of this extra TXT record information
   is inefficient but not fatal.
-->

          <t>For example, AirPrint printers tend to advertise fairly verbose
          information about their capabilities in their DNS-SD TXT record.
          TXT record sizes in the range of 500-1000 bytes are not uncommon.
          This information is a legacy from LPR lineprinter (LPR) printing,
          because LPR does not have in-band capability negotiation, so all of
          this information is conveyed using the DNS-SD TXT record instead.
          IPP
          Internet Printing Protocol (IPP) printing does have in-band
          capability negotiation, but for
          convenience convenience, printers tend to include
          the same capability information in their IPP DNS-SD TXT records as
          well. For local mDNS multicast DNS (mDNS), use of this extra TXT record information is inefficient,
          inefficient but not fatal.  However, when a Discovery Proxy
          aggregates data from multiple printers on a link, and sends it via
          unicast (via UDP or TCP) TCP), this amount of unnecessary TXT record
          information can result in large responses.  A DNS reply over TCP
          carrying information about 70 printers with an average of 700 bytes
          per printer adds up to about 50 kilobytes of data.  Therefore, a
          Discovery Proxy that is aware of the specifics of an
          application-layer protocol such as AirPrint (which uses IPP) can
          elide unnecessary key/value pairs from the DNS-SD TXT record for
          better network efficiency.</t>
          <t>Also, the DNS-SD TXT record for many printers contains an
          "adminurl" key something like similar to
          "adminurl=http://printername.local/status.html".  For this URL to be
          useful outside the local link, the embedded ".local" hostname needs
          to be translated to an appropriate name with larger scope.  It is
          easy to translate ".local" names when they appear in well-defined places,
          places either as a record's name, name or in the rdata of record types
          like PTR and SRV.  In the printing case, some application-specific
          knowledge about the semantics of the "adminurl" key is needed for
          the Discovery Proxy to know that it contains a name that needs to be
          translated.  This is somewhat analogous to the need for NAT gateways
          to contain ALGs (Application-Specific Gateways) to facilitate the
          correct translation of protocols that embed addresses in unexpected
          places.</t>
          <t>To avoid the need for application-specific knowledge about the
          semantics of particular TXT record keys, protocol designers are
          advised to avoid placing link-local names or link-local IP addresses
          in TXT record
	  keys, keys if translation of those names or addresses would
          be required for off-link operation.  In the printing case, the
          operational failure of failing to translate the "adminurl" key
          correctly is that, when accessed from a different link, printing
          will still work, but clicking the "Admin" UI button will fail to
          open the printer's administration page.  Rather than duplicating the
          host name from the service's SRV record in its "adminurl" key,
          thereby having the same host name appear in two places, a better
          design might have been to omit the host name from the "adminurl" key,
          key and instead have the client implicitly substitute the target
          host name from the service's SRV record in place of a missing host
          name in the "adminurl" key.  That way way, the desired host name only
          appears once, once and it is in a well-defined place where software like
          the Discovery Proxy is expecting to find it.</t>
          <t>Note that this kind of Application-Specific Data Translation is
          expected to be very rare. It rare; it is the exception, exception rather than the rule.
          This is an example of a common theme in computing.  It is frequently
          the case that it is wise to start with a clean, layered design, design with
          clear boundaries. Then, in certain special cases, those layer
          boundaries may be violated, violated where the performance and efficiency
          benefits outweigh the inelegance of the layer violation.</t>
          <t>These layer violations are optional. They are done primarily for
          efficiency
          reasons, reasons and generally should not be required for correct
          operation.  A Discovery Proxy MAY <bcp14>MAY</bcp14> operate solely at
          the mDNS layer, layer without any knowledge of semantics at the DNS-SD
          layer or above.</t>

        <?rfc needLines="30" ?>
        </section>
      </section>
      <section anchor="aggregation" title="Answer Aggregation"> numbered="true" toc="default">
        <name>Answer Aggregation</name>
        <t>In a simple analysis, simply gathering multicast answers and
        forwarding them in a unicast response seems adequate, but it raises
        the question of how long the Discovery Proxy should wait to be sure
        that it has received all the Multicast DNS answers it needs to form a
        complete Unicast DNS response.  If it waits too little time, then it
        risks its Unicast DNS response being incomplete.  If it waits too
        long, then it creates a poor user experience at the client end.  In
        fact, there may be no time which that is both short enough to produce a
        good user experience and at the same time long enough to reliably
        produce complete results.</t>
        <t>Similarly, the Discovery Proxy
        -- the (the authoritative name server for
        the subdomain in question -- question) needs to decide what DNS TTL to report
        for these records.  If the TTL is too long long, then the recursive
        (caching) name servers issuing queries on behalf of their clients risk
        caching stale data for too long. If the TTL is too short short, then the
        amount of network traffic will be more than necessary.  In fact, there
        may be no TTL which that is both short enough to avoid undesirable stale
        data and and, at the same time time, long enough to be efficient on the
        network.</t>
        <t>Both these dilemmas are solved by the use of DNS Long-Lived Queries
	(DNS&nbsp;LLQ)
        <xref target="LLQ"/> target="RFC8764" format="default"/> or its newer replacement,
        <xref target="Push">DNS
        DNS Push Notifications</xref>.</t> Notifications <xref target="RFC8765" format="default"></xref>.</t>
        <t>Clients supporting unicast DNS Service Discovery SHOULD <bcp14>SHOULD</bcp14> implement
        <xref target="Push">DNS
        DNS Push Notifications</xref> Notifications <xref target="RFC8765" format="default"></xref>
        for improved user experience.</t>

        <t>Clients

<!-- [rfced] FYI: We've udpated two uses of "DNS Push" as a stand alone noun
to "DNS Push Notifications" to match all other instances in this
document. Please review and let us know if updates are needed.

Original:
   Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push,
   and when...

Updated:
   Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push
   Notifications, and when...
-->
        <t>Clients and Discovery Proxies <bcp14>MAY</bcp14> support both
        DNS&nbsp;LLQ and
	DNS&nbsp;Push, DNS&nbsp;Push Notifications, and when talking to a
        Discovery Proxy that supports both, the client may use either
        protocol, as it so chooses, though it is expected that only
        DNS&nbsp;Push Notifications will continue to be supported in the long
        run.</t> <t>When a Discovery Proxy receives a query using DNS&nbsp;LLQ
        or DNS Push Notifications, it responds immediately using the Multicast
        DNS records it already has in its cache (if any).  This provides a
        good client user experience by providing a near-instantaneous
        response. Simultaneously, the Discovery Proxy issues a Multicast DNS
        query on the local link to discover if there are any additional
        Multicast DNS records it did not already know about. Should additional
        Multicast DNS responses be received, these are then delivered to the
        client using additional DNS&nbsp;LLQ or DNS Push Notification update
        messages.  The timeliness of such update messages is limited only by
        the timeliness of the device responding to the Multicast DNS query. If
        the Multicast DNS device responds quickly, then the update message is
        delivered quickly. If the Multicast DNS device responds slowly, then
        the update message is delivered slowly.  The benefit of using update
        messages is that the Discovery Proxy can respond promptly because it
        doesn't have to delay its unicast response to allow for the expected
        worst-case delay for receiving all the Multicast DNS responses.  Even
        if a proxy were to try to provide reliability by assuming an
        excessively pessimistic worst-case time (thereby giving a very poor
        user experience) experience), there would still be the risk of a slow Multicast
        DNS device taking even longer than that worst-case time (e.g., a device that is not
        even powered on until ten seconds after the initial query is received) received),
        resulting in incomplete responses. Using an update message solves this dilemma:
        dilemma; even very late responses are not lost; they lost and are delivered in
        subsequent update messages.</t>

        <?rfc needLines="16" ?>
        <t>There are two factors
<!-- [rfced] FYI: We have updated the following sentence to clarify what is
meant by "that". Please let us know if this is incorrect.

Original:
   Even if a proxy were to try to provide reliability by assuming an
   excessively pessimistic worst-case time ... there would still be the risk of a
   slow Multicast DNS device taking even longer than that (e.g., a device that determine specifically how responses
        are generated:</t>

        <t>The first factor is whether
   not even powered on until ten seconds after the initial query from the client used
        LLQ is received)
   resulting in incomplete responses.

Updated:
   Even if a proxy were to try to provide reliability by assuming an
   excessively pessimistic worst-case time, ... there would still be the risk of
   a slow Multicast DNS device taking even longer than that worst-case time
   (e.g., a device that is not even powered on until ten seconds after the
   initial query is received), resulting in incomplete responses.
-->
        <t>There are two factors that determine specifically how responses
        are generated:</t>

<!-- [rfced] May this text be updated for clarity?

Original:
    The first factor is whether the query from the client used LLQ or DNS Push
    Notifications (used for long-lived service browsing PTR queries) or not
    (used for one-shot operations like SRV or address record queries).

Perhaps:
   The first factor is whether or not the query from the client used LLQ or
   DNS Push Notifications.  Either is used for long-lived service browsing PTR
   queries, while not using them is for one-shot operations like SRV or
   address record queries.
-->
        <t>
    The first factor is whether the query from the client used LLQ or DNS Push
    Notifications (used for long-lived service browsing PTR queries) or not
    (used for one-shot operations like SRV or address record queries).
    Note that queries using LLQ or DNS Push Notifications are
        received directly from the client.  Queries not using LLQ or DNS Push
        Notifications are generally received via the client's configured
        recursive (caching) name server.</t>
        <t>The second factor is whether or not the Discovery Proxy already has
        at least one record in its cache that positively answers the question.
          <list style='symbols'>
            <t>Not
        </t>

<!-- [rfced] Are the following bullet points sufficiently introduced after
"The second factor is whether the Discovery Proxy already has at least
one record in its cache that positively answers the question."?
Would "If:" or "The cases are as follows:"

Original:
   The second factor is whether the Discovery Proxy already has at least
   one record in its cache that positively answers the question.

   o  Not using LLQ or Push Notifications; no answer in
	    cache:<vspace/> cache:
      Issue an mDNS query, exactly as a local client would issue an mDNS
            query on the local link for ...

Perhaps:
   The second factor is whether or not the desired Discovery Proxy already has
   at least one record name, type and
            class, including retransmissions, as appropriate, according to in its cache that positively answers the question.

   The cases are as follows:

   *  Not using LLQ or Push Notifications; no answer in cache:

      Issue an mDNS query exactly as a local client would issue an mDNS ...
-->
        <ul spacing="normal">
          <li>
            <t>Not using LLQ or Push Notifications; no answer in
	    cache:</t>
            <t>
            Issue an mDNS query exactly as a local client would issue an mDNS
            query on the local link for the desired record name, type, and
            class, including retransmissions, as appropriate, according to the
            established mDNS retransmission schedule <xref
	    target="RFC6762"/>. target="RFC6762"
            format="default"/>.  As soon as any Multicast DNS response packet
            is received that contains one or more positive answers to that
            question (with or without the Cache Flush bit <xref target="RFC6762"/>
	    set),
            target="RFC6762" format="default"/> set) or a negative answer
            (signified via a Multicast DNS NSEC record <xref target="RFC6762"/>), target="RFC6762"
            format="default"/>), the Discovery Proxy generates a Unicast DNS
            response packet containing the corresponding (filtered and
            translated) answers and sends it to the remote client. If after
            six seconds no Multicast DNS answers have been received, cancel
            the mDNS query and return a negative response to the remote
            client.  Six seconds is enough time to transmit three mDNS queries, queries
            and allow some time for responses to arrive.<vspace/> arrive.</t>
            <t>
            DNS TTLs in responses MUST <bcp14>MUST</bcp14> be capped to at most ten
	    seconds.<vspace/>
	    seconds.</t>
            <t>
            (Reasoning: Queries not using LLQ or Push Notifications are
	    generally queries
            that that expect an answer from only one device,
            so the first response is also the only response.)
            <vspace blankLines="1"/>
            </t>

          </li>
          <li>
            <t>Not using LLQ or Push Notifications; at least one answer in
	    cache:<vspace/>
	    cache:</t>
            <t>
            Send a response right away to minimise delay.<vspace/> minimize delay.</t>
            <t>
            DNS TTLs in responses MUST <bcp14>MUST</bcp14> be capped to at most ten
	    seconds.<vspace/>
	    seconds.</t>
            <t>
            No local mDNS queries are performed.<vspace/> performed.</t>
            <t>
            (Reasoning: Queries not using LLQ or Push Notifications are
	    generally queries
            that that expect an answer from only one device.
            Given RRSet TTL harmonisation, harmonization, if the proxy has
            one Multicast DNS answer in its cache, it can reasonably
            assume that it has all of them.)</t>
          </li>
          <li>
            <t>Using LLQ or Push Notifications; no answer in cache:<vspace/> cache:</t>
            <t>
            As in the case above with no answer in the cache, perform mDNS
            querying for six seconds, seconds and send a response to the remote
            client as soon as any relevant mDNS response is received.<vspace/> received.</t>
            <t>
            If after six seconds no relevant mDNS response has been received,
            return a negative response to the remote client
            (for LLQ; not applicable for Push Notifications).<vspace/> Notifications).</t>
            <t>
            (Reasoning: We don't need to rush to send an empty
	    answer.)<vspace/>
            Whether
	    answer.)</t>
            <t>
            Regardless of whether or not a relevant mDNS response is received within
            six seconds, the query remains active for as long as the
            client maintains the LLQ or Push Notification state, and if mDNS
	    answers are
            received later, LLQ or Push Notification messages are
	    sent.<vspace/>
	    sent.</t>
            <t>
            DNS TTLs in responses are returned unmodified.</t>
          </li>
          <li>
            <t>Using LLQ or Push Notifications; at least one answer in
	    cache:<vspace/>
	    cache:</t>
            <t>
            As in the case above with at least one answer in the cache,
            send a response right away to minimise delay.<vspace/> minimize delay.</t>
            <t>
            The query remains active for as long as the client maintains the
            LLQ or Push Notification state, state and results in the transmission of
            mDNS queries, queries with appropriate Known Answer lists, lists to determine if
            further answers are available.  If additional mDNS answers are
            received later, LLQ or Push Notification messages are
	    sent.<vspace/> sent.</t>
            <t>
            (Reasoning: We want UI that is displayed very rapidly, rapidly yet
            continues to remain accurate even as the network environment
	    changes.)<vspace/>
            changes.)</t>
            <t>
            DNS TTLs in responses are returned unmodified.</t>
          </list>
        </t>
          </li>
        </ul>
        <t>The "negative responses" referred to above are
        "no error no answer" negative responses, not NXDOMAIN.
        This is because the Discovery Proxy cannot know all the Multicast
        DNS domain names that may exist on a link at any given time,
        so any name with no answers may have child names that do exist,
        making it an "empty nonterminal" non-terminal" name.</t>

<?rfc needLines="30" ?>
        <t>Note that certain aspects of the behavior described here
        do not have to be implemented overtly by the Discovery Proxy;
        they occur naturally as a result of using existing Multicast DNS
	APIs.</t>
        <t>For example, in the first case above (no LLQ or Push Notifications, Notifications
        and no answers in the cache) cache), if a new Multicast DNS query is requested
        (either by a local client, client or by the Discovery Proxy on behalf of a
        remote client), and there is not already an identical Multicast DNS
        query active, active and there are no matching answers already in the
        Multicast DNS cache on the Discovery Proxy device, then this will
        cause a series of Multicast DNS query packets to be issued with
        exponential backoff.  The exponential backoff sequence in some
        implementations starts at one second and then doubles for each
        retransmission (0, 1, 3, 7 seconds, etc.) etc.), and in others others, it starts at one
        second and then triples for each retransmission (0, 1, 4, 13 seconds,
        etc.).  In either case, if no response has been received after six
        seconds, that is long enough that the underlying Multicast DNS
        implementation will have sent three query packets without receiving
        any response.  At that point point, the Discovery Proxy cancels its Multicast
        DNS query (so no further Multicast DNS query packets will be sent for
        this query) and returns a negative response to the remote client via
        unicast.</t>
        <t>The six-second delay is chosen to be long enough to give enough
        time for devices to respond, yet short enough not to be too onerous
        for a human user waiting for a response.  For example, using the "dig"
        DNS debugging tool, the current default settings result in it waiting
        a total of 15 seconds for a reply (three transmissions of the query
        packet, with a wait of 5 seconds after each packet) packet), which is ample
        time for it to have received a negative reply from a Discovery Proxy
        after six seconds.</t>

        <t>The

<!-- [rfced] The following sentence may be unclear as it's currently
formatted. What is also occuring naturally?

Original:
   The statement that for a one-shot query (i.e., no LLQ or Push
   Notifications requested), if at least one answer is already available in
   the cache then a Discovery Proxy should not issue additional mDNS query
   packets, also occurs naturally as a result of using existing Multicast DNS
   APIs.
        If

Perhaps:
   Regarding the following statement:
       For a new Multicast DNS one-shot query is requested
        (either locally, (i.e., no LLQ or by Push Notification srequested)
       if at least one answer is already available in the cache, then a
       Discovery Proxy on behalf should not issue additional mDNS query packets.

   Such a scenario would also occur naturally as a result of using existing
   Multicast DNS APIs.

Or perhaps:
   [First sentence deleted]

   For a remote
	client),
        for which there are relevant answers one-shot query (i.e., no LLQ or Push Notifications requested), if
   at least one answer is already available in the
        Multicast DNS cache on the cache, then a Discovery
   Proxy device,
        and after the answers are delivered the should not issue additional mDNS query packets.

   This would also occur naturally as a result of using existing Multicast
   DNS APIs.
-->
        <t>The statement that for a one-shot query (i.e., no LLQ or Push
        Notifications requested), if at least one answer is already available
        in the cache, then
	cancelled a Discovery Proxy should not issue additional mDNS
        query packets, also occurs naturally as a result of using existing
        Multicast DNS APIs.
   If a new Multicast DNS query is requested
   (either locally, or by the Discovery Proxy on behalf of a remote
   client), for which there are relevant answers already in the
   Multicast DNS cache on the Discovery Proxy device, and after the
   answers are delivered the Multicast DNS query is then canceled
   immediately, then no Multicast DNS query packets will be generated
   for this query.
	</t>
<!-- [rfced] The following sentence seems fragmented and unclear,
in part due to one instance of "then" separate from the "If/then"
structure. May it be rephrased as follows or otherwise?

Original:
   If a new Multicast DNS query is requested
   (either locally, or by the Discovery Proxy on behalf of a remote
   client), for which there are relevant answers already in the
   Multicast DNS cache on the Discovery Proxy device, and after the
   answers are delivered the Multicast DNS query is then cancelled
   immediately, then no Multicast DNS query packets will be generated
   for this query.

Perhaps:
    If a new Multicast DNS query is requested (either locally or by the
    Discovery Proxy on behalf of a remote client) for which there are
    relevant answers already in the Multicast DNS cache on the Discovery Proxy
    device, and, if after the answers are delivered, the Multicast DNS query is
    canceled immediately, then no Multicast DNS query packets will be
    generated for this query.

Or:
    If (a) a new Multicast DNS query is requested (either locally or by the
    Discovery Proxy on behalf of a remote client), for which there are
    relevant answers already in the Multicast DNS cache on the Discovery Proxy
    device, and (b) after the answers are delivered, the Multicast DNS query is
    cancelled immediately, then no Multicast DNS query packets will be
    generated for this
	query.</t>

      <?rfc needLines="19" ?> query.
-->
      </section>
    </section>

    <section anchor="admin" title="Administrative numbered="true" toc="default">
      <name>Administrative DNS Records"> Records</name>
      <section anchor="soa" title="DNS numbered="true" toc="default">
        <name>DNS SOA (Start of Authority) Record"> Record</name>
        <t>The MNAME field SHOULD <bcp14>SHOULD</bcp14> contain the host name of the Discovery Proxy
	device
        (i.e., the same domain name as the rdata of the NS record delegating
	the
        relevant zone(s) to this Discovery Proxy device).</t>
        <t>The RNAME field SHOULD <bcp14>SHOULD</bcp14> contain the mailbox of the person
	responsible
        for administering this Discovery Proxy device.</t>
        <t>The SERIAL field MUST <bcp14>MUST</bcp14> be zero.</t>
        <t>Zone transfers are undefined for Discovery Proxy zones, and
	consequently
        consequently, the REFRESH, RETRY RETRY, and EXPIRE fields have no useful
        meaning for Discovery Proxy zones.  These fields SHOULD <bcp14>SHOULD</bcp14>
        contain reasonable default values.  The RECOMMENDED <bcp14>RECOMMENDED</bcp14>
        values are: REFRESH 7200, RETRY 3600, and EXPIRE 86400.</t>
        <t>The MINIMUM field (used to control the lifetime of negative cache
	entries)
        SHOULD
        <bcp14>SHOULD</bcp14> contain the value 10.
        The value of ten seconds is chosen based on user-experience
	considerations
        (see <xref target="ttl"/>).</t> target="ttl" format="default"/>).</t>
        <t>In the event that there are multiple Discovery Proxy devices on a
        link for fault tolerance reasons, this will result in clients
        receiving inconsistent SOA records (different MNAME, MNAME and possibly
        RNAME) depending on which Discovery Proxy answers their SOA query.
        However, since clients generally have no reason to use the MNAME or
        RNAME data, this is unlikely to cause any problems.</t>
<?rfc needLines="22" ?>
      </section>
      <section anchor="ns" title="DNS numbered="true" toc="default">
        <name>DNS NS Records"> Records</name>
        <t>In the event that there are multiple Discovery Proxy devices on a
        link for fault tolerance reasons, the parent zone MUST <bcp14>MUST</bcp14>
        be configured with NS records giving the names
        of all the Discovery Proxy devices on the link.</t>
        <t>Each Discovery Proxy device MUST <bcp14>MUST</bcp14> be configured to answer NS queries
        for the zone apex name by giving its own NS record,
        and the NS records of its fellow Discovery Proxy devices on the same
        link, so that it can return the correct answers for NS queries.</t>
        <t>The target host name in the RDATA of an NS record MUST NOT <bcp14>MUST NOT</bcp14>
	reference
        a name that falls within any zone delegated to a Discovery Proxy.
        Apart from the zone apex name,
        all other host names that fall within a zone delegated to a Discovery
	Proxy
        correspond to local Multicast DNS host names,
        which logically belong to the respective Multicast DNS hosts defending
	those names,
        not the Discovery Proxy.
        Generally speaking, the Discovery Proxy does not own or control the
	delegated zone;
        it is merely a conduit to the corresponding ".local" namespace,
        which is controlled by the Multicast DNS hosts on that link.
        If an NS record were to reference a manually-determined manually determined host name
        that falls within a delegated zone,
        that manually-determined manually determined host name may inadvertently conflict with a
	corresponding
        ".local" host name that is owned and controlled by some device on that
	link.
        </t>
      </section>
      <section anchor="delegation" title="DNS numbered="true" toc="default">
        <name>DNS Delegation Records"> Records</name>
        <t>Since the <xref target="RFC6762">Multicast target="RFC6762" format="default">Multicast DNS specification</xref>
        states that there can be no delegation (subdomains) within a ".local"
	namespace,
        this implies that
        any name within a zone delegated to a Discovery Proxy
        (except for
        (except for the zone apex name itself)
        cannot have any answers for any DNS queries for RRTYPEs SOA, NS, or
	DS.
        Consequently:
        </t>
<!-- [rfced] May this text be updated as follows for clarity?
This would reduce the amount of commas and stacked "for" clauses.

Original:
   ....  Consequently:

   [...]

   o  for any query for RRTYPEs SOA, NS, or DS, for any name within a
      zone delegated to a Discovery Proxy, other than the zone apex
      name, instead of translating the query to its corresponding
      Multicast DNS ".local" equivalent, a Discovery Proxy MUST generate
      an immediate negative answer.

Perhaps:
   ....  Consequently:

   [...]

   *  for any query for RRTYPEs SOA, NS, or DS, a Discovery Proxy MUST
      generate an immediate negative answer for any name within a zone
      delegated to a Discovery Proxy (other than the zone apex name itself)
        cannot have any answers for any name) instead
      of translating the query to its corresponding Multicast DNS queries for RRTYPEs SOA, NS, or
	DS.
        Consequently:
          <list style='symbols'>
            <t>for ".local"
      equivalent.
-->
        <ul spacing="normal">
          <li>for any query for the zone apex name of a zone delegated to a
          Discovery Proxy, the Discovery Proxy MUST <bcp14>MUST</bcp14> generate
          the appropriate immediate answers as described above, and</t>
            <t>for and</li>

          <li>
      for any query for RRTYPEs SOA, NS, or DS, for any name within a
      zone delegated to a Discovery Proxy, other than the zone apex
      name, instead of translating the query to its corresponding
      Multicast DNS ".local" equivalent, a Discovery Proxy MUST <bcp14>MUST</bcp14> generate
      an immediate negative answer.</t>
          </list>
        </t> answer.
         </li>
        </ul>
      </section>

      <section anchor="srv" title="DNS numbered="true" toc="default">
        <name>DNS SRV Records"> Records</name>
        <t>There are certain special DNS records that logically fall within
        the delegated unicast DNS subdomain, but rather than mapping to their
        corresponding ".local" namesakes, they actually contain metadata
        pertaining to the operation of the delegated unicast DNS subdomain
        itself.  They do not exist in the corresponding ".local" namespace of
        the local link.  For these queries queries, a Discovery Proxy MUST
        <bcp14>MUST</bcp14> generate immediate answers, whether positive or
        negative, to avoid delays while clients wait for their query to be
        answered.  For example, if a Discovery Proxy does not implement
	Long-Lived Queries <xref target="LLQ">Long-Lived Queries</xref>
        target="RFC8764" format="default"></xref>,
        then it MUST <bcp14>MUST</bcp14> return an immediate negative answer to
        tell the client this without delay, delay instead of passing the query
        through to the local network as a query for
        <spanx style="verb">_dns&nbhy;llq._udp.local.</spanx>,
        <tt>_dns&nbhy;llq._udp.local.</tt> and then waiting unsuccessfully for
        answers that will not be forthcoming.</t>
        <t>If a Discovery Proxy implements
        Long-Lived Queries <xref target="LLQ">Long-Lived Queries</xref> target="RFC8764" format="default"></xref>,
        then it MUST <bcp14>MUST</bcp14> positively respond to
        <spanx style="verb">_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</tt>
	queries,
        <spanx style="verb">_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</tt>
	queries, and
        <spanx
	    style="verb">_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</tt>
	queries as appropriate,
        else appropriate.
        Otherwise, it MUST <bcp14>MUST</bcp14> return an immediate negative answer for those
	queries.</t>
        <t>If a Discovery Proxy implements
        <xref target="Push">DNS
        DNS Push Notifications</xref> Notifications <xref target="RFC8765" format="default"></xref>,
        then it MUST <bcp14>MUST</bcp14> positively respond to
        <spanx style="verb">_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</spanx>
	queries,
        else
        <tt>_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</tt>
	queries.
        Otherwise, it MUST <bcp14>MUST</bcp14> return an immediate negative answer for those
	queries.</t>
        <t>A Discovery Proxy MUST <bcp14>MUST</bcp14> return an immediate negative answer for
        <spanx
	    style="verb">_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</tt>
	queries,
        <spanx
	    style="verb">_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</tt>
	queries, and
        <spanx
	    style="verb">_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
        <tt>_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</tt>
	queries,
        since using DNS Update <xref target="RFC2136">DNS Update</xref> target="RFC2136" format="default"></xref> to change
        zones generated dynamically from local Multicast DNS data is not
	possible.</t>

      <?rfc needLines="29" ?>
      </section>
    </section>
    <section anchor="DNSSEC" title="DNSSEC Considerations"> numbered="true" toc="default">
      <name>DNSSEC Considerations</name>
      <section title="On-line signing only"> numbered="true" toc="default">
        <name>Online Signing Only</name>
        <t>The Discovery Proxy acts as the authoritative name server for
        designated subdomains, and if DNSSEC is to be used, the Discovery
        Proxy needs to possess a copy of the signing keys, keys in order to
        generate authoritative signed data from the local Multicast DNS
        responses it receives.
        Off-line  Offline signing is not applicable to
        Discovery Proxy.</t>
      </section>
      <section title="NSEC numbered="true" toc="default">
        <name>NSEC and NSEC3 Records"> Records</name>
        <t>In DNSSEC
        NSEC <xref target="RFC4034">NSEC</xref> target="RFC4034" format="default"></xref> and
        NSEC3 <xref target="RFC5155">NSEC3</xref> target="RFC5155" format="default"></xref>, records
        are used to assert the nonexistence of certain names,
        also described as "authenticated denial of existence".</t>

<!-- [rfced] FYI: We've added "to" before "assert" in the following sentence
as it seems it was a typo. Please let us know if this is not
the intended meaning.

Original:
   Instead, when generating a negative response, a Discovery Proxy
   programmatically synthesizes a single NSEC record assert the nonexistence
   of just the...

Updated:
   Instead, when generating a negative response, a Discovery Proxy
   programmatically synthesizes a single NSEC record to assert the nonexistence
   of just the...
-->
        <t>Since a Discovery Proxy only knows what names exist on the local
        link by issuing queries for them, and since it would be impractical to
        issue queries for every possible name just to find out which names
        exist and which do not, a Discovery Proxy cannot programmatically
        synthesize the traditional NSEC and NSEC3 records which that assert the
        nonexistence of a large range of names.  Instead, when generating a
        negative response, a Discovery Proxy programmatically synthesizes a
        single NSEC record to assert the nonexistence of just the specific
        name queried, queried and no others.  Since the Discovery Proxy has the zone
        signing key, it can do this on demand.  Since the NSEC record asserts
        the nonexistence of only a single name, zone walking is not a concern, so
        and NSEC3 is therefore not necessary.</t>
        <t>Note that this applies only to traditional immediate DNS queries,
        which may return immediate negative answers when no immediate positive
        answer is available.  When used with a
        <xref target="Push">DNS DNS Push Notification subscription</xref>
        subscription <xref target="RFC8765"
        format="default"></xref>, there are no negative answers, merely the
        absence of answers so far, which may change in the future if answers
        become available.</t>

      <?rfc needLines="19" ?>
      </section>
    </section>
    <section title="IPv6 Considerations"> numbered="true" toc="default">
      <name>IPv6 Considerations</name>
      <t>An IPv4-only host and an IPv6-only host behave as "ships that pass in
      the night". Even if they are on the same Ethernet <xref
      target="IEEE-3">Ethernet</xref>, target="IEEE-3"
      format="default"></xref>, neither is aware of the other's traffic. For
      this reason, each link may have *two* unrelated ".local." zones, zones: one for
      IPv4 and one for IPv6.
      Since  Since, for practical purposes, a group of
      IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act
      as if they were on two entirely separate Ethernet segments, it is
      unsurprising that their use of the ".local." zone should occur exactly
      as it would if they really were on two entirely separate Ethernet
      segments.</t>
      <t>It will be desirable to have a mechanism to 'stitch' "stitch" together
      these two unrelated ".local." zones so that they appear as one.
      Such a mechanism will need to be able to differentiate between a
      dual-stack (v4/v6) host participating in both ".local."
      zones, and two different hosts, hosts: one IPv4-only and the other IPv6-only,
      which are both trying to use the same name(s). Such a mechanism
      will be specified in a future companion document.</t>
      <t>At present, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that a Discovery Proxy be configured
      with a single domain name for both the IPv4 and IPv6 ".local." zones
      on the local link, and when a unicast query is received, it should
      issue Multicast DNS queries using both IPv4 and IPv6 on the local link, link
      and then combine the results.</t>

    <?rfc needLines="25" ?>
    </section>
    <section title="Security Considerations"> numbered="true" toc="default">
      <name>Security Considerations</name>
      <section title="Authenticity"> numbered="true" toc="default">
        <name>Authenticity</name>
        <t>A service proves its presence on a link by its ability to
        answer link-local multicast queries on that link.
        If greater security is desired, then the Discovery Proxy mechanism
        should not be used, and something with stronger security should
        be used instead, instead such as authenticated secure DNS Update
        <xref target="RFC2136"/> target="RFC2136" format="default"/> <xref target="RFC3007"/>.</t> target="RFC3007" format="default"/>.</t>
      </section>
      <section title="Privacy"> numbered="true" toc="default">
        <name>Privacy</name> <t>The Domain Name System is, generally speaking,
        a global public database.  Records that exist in the Domain Name
        System name hierarchy can be queried by name from, in principle,
        anywhere in the world.  If services on a mobile device (like a laptop
        computer) are made visible via the Discovery Proxy mechanism, then
        when those services become visible in a domain such as "My&nbsp;House.example.com" that
        "My&nbsp;House.example.com", it might indicate to (potentially
        hostile) observers that the mobile device is in my house. a private home.  When those
        services disappear from "My&nbsp;House.example.com" "My&nbsp;House.example.com", that change could
        be used by observers to infer when the mobile device (and possibly its
        owner) may have left the house.  The privacy of this information may
        be protected using techniques like firewalls, split-view DNS, and
        Virtual Private Networks (VPNs), as are customarily used today to
        protect the privacy of corporate DNS information.</t>
        <t>The privacy issue is particularly serious for the IPv4 and IPv6
	reverse zones.
        If the public delegation of the reverse zones points to the
        Discovery Proxy, and the Discovery Proxy is reachable globally,
        then it could leak a significant amount of information.
        Attackers could discover hosts that otherwise might
        not be easy to identify, and learn their hostnames.
        Attackers could also discover the existence of links
        where hosts frequently come and go.</t>
        <t>The Discovery Proxy could also provide sensitive records only to
	authenticated
        users. This is a general DNS problem, not specific to the Discovery
	Proxy.
        Work is underway in the IETF to tackle this problem <xref
	target="RFC7626"/>.</t> target="RFC7626" format="default"/>.</t>
      </section>
      <section title="Denial numbered="true" toc="default">
        <name>Denial of Service"> Service</name>
        <t>A remote attacker could use a rapid series of unique Unicast DNS
        queries to induce a Discovery Proxy to generate a rapid series of
        corresponding Multicast DNS queries on one or more of its local links.
        Multicast traffic is generally more expensive than unicast traffic
        -- traffic,
        especially on Wi-Fi links -- links, which makes this attack particularly
        serious.  To limit the damage that can be caused by such attacks, a
        Discovery Proxy (or the underlying Multicast DNS subsystem which that it
        utilizes) MUST <bcp14>MUST</bcp14> implement Multicast DNS query rate
        limiting appropriate to the link technology in question. For today's
        802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
        packets per second is sufficient to consume approximately 100% of the
        wireless spectrum) spectrum), a limit of 20 Multicast DNS query packets per
        second is RECOMMENDED. <bcp14>RECOMMENDED</bcp14>.  On other link technologies like
        Gigabit Ethernet Ethernet, higher limits may be appropriate.  A consequence of
        this rate limiting is that a rogue remote client could issue an
        excessive number of queries, queries resulting in denial of service to other
        legitimate remote clients attempting to use that Discovery Proxy.
        However, this is preferable to a rogue remote client being able to
        inflict even greater harm on the local network, which could impact the
        correct operation of all local clients on that network.</t>

      <?rfc needLines="28" ?>
      </section>
    </section>
    <section title="IANA Considerations"> numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document has no IANA Considerations.</t>
    </section>

    <section title="Acknowledgments">
      <t>Thanks to Markus Stenberg for helping develop the policy
      regarding the four styles of unicast response according to what
      data is immediately available in the cache.
      Thanks to
      Anders Brandt,
      Ben Campbell,
      Tim Chown,
      Alissa Cooper,
      Spencer Dawkins,
      Ralph Droms,
      Joel Halpern,
      Ray Hunter,
      Joel Jaeggli,
      Warren Kumari,
      Ted Lemon,
      Alexey Melnikov,
      Kathleen Moriarty,
      Tom Pusateri,
      Eric Rescorla,
      Adam Roach,
      David Schinazi,
      Markus Stenberg,
      Dave Thaler,
      and Andrew Yourtchenko for their comments.</t>

      <?rfc needLines="33" ?> actions.</t>
    </section>

  </middle>
  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.1034" ?>
      <?rfc include="reference.RFC.1035" ?>
      <?rfc include="reference.RFC.1918" ?>
      <?rfc include="reference.RFC.2119" ?>
      <?rfc include="reference.RFC.2308" ?>
      <?rfc include="reference.RFC.3629" ?>
      <?rfc include="reference.RFC.3927" ?>
      <?rfc include="reference.RFC.4034" ?>
      <?rfc include="reference.RFC.4862" ?>
      <?rfc include="reference.RFC.5155" ?>
      <?rfc include="reference.RFC.5198" ?>
      <?rfc include="reference.RFC.6762" ?>
      <?rfc include="reference.RFC.6763" ?>
      <?rfc include="reference.RFC.8174" ?>
      <?rfc include="reference.RFC.8490" ?>

      <?rfc include="reference.I-D.ietf-dnssd-push"             anchor='Push'
      ?>

<displayreference target="I-D.cheshire-dnssd-roadmap" to="ROADMAP"/>

<displayreference target="I-D.sctl-service-registration" to="REG-PROT"/>

<displayreference target="I-D.sctl-dnssd-mdns-relay" to="RELAY"/>

<displayreference target="I-D.ietf-mboned-ieee802-mcast-problems" to="MCAST"/>

<displayreference target="I-D.sekar-dns-ul" to="DNS-UL"/>

    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1918.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2308.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3629.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3927.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4034.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4862.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5155.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5198.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8490.xml"/>

<!-- draft-ietf-dnssd-push-25; companion document 8765 -->
<reference anchor='RFC8765' target="https://www.rfc-editor.org/info/rfc8765">
        <front>
        <title>DNS Push Notifications
	</title>
        <author initials='T' surname='Pusateri' fullname='Tom Pusateri'>
                <organization />
        </author>
        <author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
                <organization />
        </author>
        <date month='March' year='2020' />
        </front>
        <seriesInfo name='RFC' value='8765' />
        <seriesInfo name="DOI" value="10.17487/RFC8765"/>
</reference>

      </references>

    <?rfc needLines="6" ?>
    <references title="Informative References">

      <?rfc include="reference.I-D.cheshire-dnssd-roadmap"
      anchor='Roadmap' ?>
      <?rfc include="reference.I-D.sekar-dns-ul"
      anchor='DNS-UL' ?>
      <?rfc include="reference.I-D.sekar-dns-llq"               anchor='LLQ'
      ?>
      <?rfc include="reference.I-D.sctl-service-registration"
      anchor='RegProt' ?>
      <?rfc include="reference.I-D.sctl-dnssd-mdns-relay"       anchor='Relay'
      ?>
      <?rfc include="reference.I-D.ietf-mboned-ieee802-mcast-problems"
      anchor='Mcast' ?>
      <?rfc include="reference.RFC.2132" ?>
      <?rfc include="reference.RFC.2136" ?>
      <?rfc include="reference.RFC.3007" ?>
      <?rfc include="reference.RFC.3492" ?>
      <?rfc include="reference.RFC.4193" ?>
      <?rfc include="reference.RFC.6760" ?>
      <?rfc include="reference.RFC.7558" ?>
      <?rfc include="reference.RFC.7626" ?>
      <?rfc include="reference.RFC.7788" ?>
      <?rfc include="reference.RFC.8375" ?>
      <references>
        <name>Informative References</name>

       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.cheshire-dnssd-roadmap.xml"/>

       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sekar-dns-ul.xml"/>

<!-- draft-sekar-dns-llq ; companion document 8764 -->

<reference anchor='RFC8764' target="https://www.rfc-editor.org/info/rfc8764">
  <front>
    <title>Apple's DNS Long-Lived Queries Protocol</title>

    <author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
      <organization />
    </author>

    <author initials='M' surname='Krochmal' fullname='Marc Krochmal'>
      <organization />
    </author>

    <date month='March' year='2020' />
  </front>

  <seriesInfo name='RFC' value='RFC8764' />
  <seriesInfo name="DOI" value="10.17487/RFC8764"/>
</reference>

       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sctl-service-registration.xml"/>

       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sctl-dnssd-mdns-relay.xml"/>

       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-mboned-ieee802-mcast-problems.xml"/>

        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2132.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3007.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3492.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4193.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6760.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7558.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7626.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7788.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8375.xml"/>

        <reference anchor="ohp" anchor="OHP" target="https://github.com/sbyx/ohybridproxy/">
          <front>
          <title>Discovery Proxy (Hybrid Proxy) implementation for
	  OpenWrt</title>
            <title>
	      ohybridproxy - an mDNS/DNS hybrid-proxy based on mDNSResponder
	    </title>
            <author/>
          <date/>
	    <date month="June" year="2017"/>
          </front>
	  <refcontent>commit 464d6c9</refcontent>

        </reference>

        <reference anchor="ZC">
          <front>
            <title>Zero Configuration Networking: The Definitive Guide</title>
            <seriesInfo name="ISBN" value="0-596-10100-7"/>
            <author initials="S." surname="Cheshire" fullname="Stuart Cheshire"/>
            <author initials="D.H." surname="Steinberg" fullname="Daniel H. Steinberg"/>
            <date year="2005" month="December"/>
          </front>
        <seriesInfo name="O'Reilly
            <refcontent>O'Reilly Media, Inc." value=""/>
        <seriesInfo name="ISBN" value="0-596-10100-7"/> Inc.</refcontent>
        </reference>

<!-- Patterned after
      http://xml.resource.org/public/rfc/bibxml2/_reference.IEEE.802-3.1998.xml [rfced] FYI: Since the URL provided for [IEEE-1Q] is 404 Not Found,
we've updated the URL to <https://ieeexplore.ieee.org/document/6991462>.
Please let us know if this is not preferred.

Original:
   [IEEE-1Q]    "IEEE Standard for Local and metropolitan area networks - Bridges and
                Bridged Networks", IEEE Std 802.1Q-2014, November 2014,
                <http://standards.ieee.org/getieee802/download/802-1Q-2014.pdf>.

Updated:
   [IEEE802.1Q]
              IEEE, "IEEE Standard for Local and metropolitan area
              networks - Bridges and Bridged Networks", IEEE Std
              802.1Q-2014, DOI 10.1109/IEEESTD.2014.6991462, 2014,
              <https://ieeexplore.ieee.org/document/6991462>.
-->
      <reference anchor="IEEE-1Q"
		 target="http://standards.ieee.org/getieee802/download/802-1Q-2014.pdf"> anchor="IEEE802.1Q" target="https://ieeexplore.ieee.org/document/6991462">
          <front>
          <title>
          IEEE
            <title>IEEE Standard for Local and metropolitan area
	    networks -- Bridges and Bridged Networks
            </title>
          <author/>
            <author>
	      <organization>IEEE</organization>
	    </author>
	    <date year="2014" month="November"/> year="2014"/>
          </front>
        <seriesInfo name="IEEE" value="Std 802.1Q-2014"/> name="IEEE Std" value="802.1Q-2014"/>
	<seriesInfo name="DOI" value="10.1109/IEEESTD.2014.6991462"/>
        </reference>

<!-- [rfced] The URL for reference [IEEE-3] is 404 Not Found,
and the reference itself has been superseded by a 2018 version. Should
this reference be updated as follows or otherwise?

NOTE: There is also a persistant link that points to the most recent version
should the reference be superseded in the future.

Original:
   [IEEE-3] "Information technology - Telecommunications and information exchange
            between systems - Local and metropolitan area networks - Specific
            requirements - Part 3: Carrier Sense Multiple Access with Collision
            Detection (CMSA/CD) Access Method and Physical Layer Specifications", IEEE
            Std 802.3-2008, December 2008,
            <http://standards.ieee.org/getieee802/802.3.html>.

Perhaps:
   [IEEE802.3]   IEEE, "IEEE Standard for Ethernet", IEEE 802.3-2018,
                 DOI 10.1109/IEEESTD.2018.8457469
                 <https://ieeexplore.ieee.org/document/8457469>.
-->
        <reference anchor="IEEE-3" target="http://standards.ieee.org/getieee802/802.3.html">
          <front>
            <title>
            Information technology - Telecommunications and information
	    exchange between systems -
            Local and metropolitan area networks - Specific requirements -
            Part 3: Carrier Sense Multiple Access with Collision Detection
	    (CMSA/CD)
	    (CSMA/CD)
            Access Method and Physical Layer Specifications
            </title>
            <seriesInfo name="IEEE Std" value="802.3-2008"/>
            <author/>
            <date year="2008" month="December"/>
          </front>
        <seriesInfo name="IEEE" value="Std 802.3-2008"/>
        </reference>

<!-- [rfced] FYI: We have updated reference [IEEE-5] with a URL to
match the other IEEE references in this document. Note that this
standard is currently withdrawn.

Original:
   [IEEE-5]   Institute of Electrical and Electronics Engineers,
              "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part
              5: Token ring access method and physical layer
              specification", IEEE Std 802.5-1998, 1995.

Updated:
   [IEEE802.5]
              IEEE, "Telecommunications and information exchange between
              systems - Local and metropolitan area networks - Part 5:
              Token ring access method and physical layer
              specifications", IEEE Std 802.5-1998, 1998,
              <https://standards.ieee.org/standard/802_5-1998.html>.
-->
        <reference anchor="IEEE-5"> anchor="IEEE802.5" target="https://standards.ieee.org/standard/802_5-1998.html">
          <front>
          <title>Information
            <title>
Telecommunications and information exchange between systems - Local and
metropolitan area networks - Part 5: Token ring access method and physical
layer specifications
</title>
            <seriesInfo name="IEEE Std" value="802.5-1998"/>
            <author>
              <organization>IEEE</organization>
            </author>
	    <date year="1998"/>
          </front>
        </reference>

<!-- [rfced] The URL for [IEEE-11] is 404 Not Found, and 802.11-2007 has
been superseded by a 2016 version. Should this reference be updated
as shown below or otherwise?

Original:
   [IEEE-11]  "Information technology - Telecommunications and
              information exchange between systems - Local and
              metropolitan area networks - Specific requirements - Part 5: Token ring access method
              11: Wireless LAN Medium Access Control (MAC) and physical layer
	  specification</title>
          <author><organization>Institute of Electrical Physical
              Layer (PHY) Specifications", IEEE Std 802.11-2007, June
              2007, <http://standards.ieee.org/getieee802/802.11.html>.

Perhaps:
    [IEEE802.11] IEEE, "Telecommunications and Electronics
	  Engineers</organization></author>
          <date month="" year="1995" />
        </front>
        <seriesInfo name="IEEE" value="Std 802.5-1998"/>
      </reference> information exchange between
                 systems Local and metropolitan area networks -Specific
                 requirements - Part 11: Wireless LAN Medium Access Control
                 (MAC) and Physical Layer (PHY) Specifications", IEEE Std
                 802.11-2016, 2016,
                 <https://standards.ieee.org/standard/802_11-2016.html>.
-->
        <reference anchor="IEEE-11" target="http://standards.ieee.org/getieee802/802.11.html">
          <front>
            <title>
            Information technology - Telecommunications and information
	    exchange between systems -
            Local and metropolitan area networks - Specific requirements -
            Part 11: Wireless LAN Medium Access Control (MAC) and Physical
	    Layer (PHY) Specifications
            </title>
            <seriesInfo name="IEEE Std" value="802.11-2007"/>
            <author/>
            <date year="2007" month="June"/>
          </front>
        <seriesInfo name="IEEE" value="Std 802.11-2007"/>
        </reference>

      </references>

    <?rfc needLines="40" ?>
    </references>

<!-- [rfced] Although it's not mandatory, the recommendation in RFC 7942
is to remove Implementation Status sections from Internet-Drafts when
published as RFCs. Please let us know if the section should be removed.
-->

    <section anchor="implementation" title="Implementation Status"> numbered="true" toc="default">
      <name>Implementation Status</name>
      <t>Some aspects of the mechanism specified in this document already
      exist in
      deployed software. Some aspects are new. This section outlines which
      aspects
      already exist and which are new.</t>
      <section title="Already numbered="true" toc="default">
        <name>Already Implemented and Deployed"> Deployed</name>
        <t>Domain enumeration by the client (the
        "b._dns-sd._udp" queries) is already implemented and deployed.</t>
        <t>Unicast queries to the indicated discovery domain is already
        implemented and deployed.</t>
        <t>These are implemented and deployed in Mac OS X 10.4 and later
        (including all versions of Apple iOS, on all iPhone and iPads),
        in Bonjour for Windows,
        and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t>
        <t>Domain enumeration and unicast querying have been
        used for several years at IETF meetings to make Terminal Room terminal room
        printers discoverable from outside the Terminal terminal room. When an IETF
        attendee presses Cmd-P "Cmd&nbhy;P" on a Mac, or selects AirPrint on an iPad
        or iPhone, and the Terminal terminal room printers appear, that it is because
        the client is sending unicast DNS queries to the IETF DNS servers.
        A walk-through giving the details of this particular specific example
        is given in Appendix A of <xref target="Roadmap">the target="I-D.cheshire-dnssd-roadmap"
	sectionFormat="of" section="A">the Roadmap
	document</xref>.</t>
      </section>

      <section title="Already Implemented"> numbered="true" toc="default">
        <name>Already Implemented</name>
        <t>A minimal portable Discovery Proxy implementation has been produced
	by
        Markus Stenberg and Steven Barth, which runs on OS X and several Linux
        variants including OpenWrt <xref target="ohp"/>. target="OHP" format="default"/>.
        It was demonstrated at the Berlin IETF in July 2013.</t>

        <t>Tom

<!-- [rfced] We have added "system" after "Unix/Linux" in the following
sentence for clarity. Please let us know if this is not preferred or
changes the intended meaning.

Original:
   Tom Pusateri has an implementation that runs on any Unix/Linux.

Updated:
   Tom Pusateri has an implementation that runs on any Unix/Linux system.
-->
        <t>Tom Pusateri has an implementation that runs on any Unix/Linux system. It
        has a RESTful interface for management and an experimental demo CLI
        command-line interface (CLI) and web interface.</t>
        <t>Ted Lemon also has produced a portable implementation of Discovery
	Proxy,
        which is available in the mDNSResponder open source code.</t>
        <t>The Long-Lived Query mechanism <xref target="LLQ"/> target="RFC8764" format="default"/>
        referred to in this specification exists and is deployed, deployed
        but was not standardized by the IETF.
        The IETF has developed a superior Long-Lived Query mechanism
        called DNS Push Notifications <xref target="Push"/>, target="RFC8765" format="default"/>,
        which is built on DNS Stateful Operations <xref target="RFC8490"/>. target="RFC8490" format="default"/>.

        The pragmatic short-term deployment approach is for vendors
        to produce Discovery Proxies that implement both the deployed
        Long-Lived Query mechanism <xref target="LLQ"/> target="RFC8764" format="default"/>
        (for today's clients) and the new
        DNS Push Notifications mechanism <xref target="Push"/> target="RFC8765" format="default"/>
        as the preferred long-term direction.</t>
      </section>
      <section title="Partially Implemented"> numbered="true" toc="default">
        <name>Partially Implemented</name>
        <t>The current APIs make multiple domains visible to client
        software, but most client UI UIs today lumps lump all discovered services
        into a single flat list. This is largely a chicken-and-egg
        problem. Application writers were naturally reluctant to spend
        time writing domain-aware UI code when few customers today would
        benefit from it. If Discovery Proxy deployment becomes common, then
        application writers will have a reason to provide better UI.
        Existing applications will work with the Discovery Proxy, Proxy but will
        show all services in a single flat list. Applications with
        improved UI will group services by domain.</t>
      </section>
    </section>
    <section numbered="false" toc="default">
      <name>Acknowledgments</name>
      <t>Thanks to <contact fullname="Markus Stenberg"/> for helping develop the policy
      regarding the four styles of unicast response according to what
      data is immediately available in the cache.
      Thanks to
      <contact fullname="Anders Brandt"/>,
      <contact fullname="Ben Campbell"/>,
      <contact fullname="Tim Chown"/>,
       <contact fullname="Alissa Cooper"/>,
       <contact fullname="Spencer Dawkins"/>,
       <contact fullname="Ralph Droms"/>,
       <contact fullname="Joel Halpern"/>,
       <contact fullname="Ray Hunter"/>,
       <contact fullname="Joel Jaeggli"/>,
       <contact fullname="Warren Kumari"/>,
       <contact fullname="Ted Lemon"/>,
       <contact fullname="Alexey Melnikov"/>,
       <contact fullname="Kathleen Moriarty"/>,
       <contact fullname="Tom Pusateri"/>,
       <contact fullname="Eric Rescorla"/>,
       <contact fullname="Adam Roach"/>,
       <contact fullname="David Schinazi"/>,
       <contact fullname="Markus Stenberg"/>,
       <contact fullname="Dave Thaler"/>,
      and  <contact fullname="Andrew Yourtchenko"/> for their comments.</t>
    </section>

<!-- [rfced] This document appears to use "Service Discovery" and "service
discovery" interchangably. Is a certain capitalization preferred?
Perhaps the term should only be capitalized in "DNS-based Service Discovery"?

Original:
   ...are combined for Service Discovery purposes.
   ...Users typically interact with service discovery software by
   ...implementing DNS-based Service Discovery
   ...supporting unicast DNS Service Discovery
   ...other local service discovery protocols
   ...DNS subdomain for service discovery records

FYI: We have updated all uses of "DNS-Based Service Discovery" to
instead be "DNS-based Service Discovery" (note lowercased "based") to
match RFC 6763. Please let us know if this is not preferred.
-->

<!-- [rfced]  Documents in this cluster use both "DNS Service Discovery" and
"DNS-based Service Discovery". Should all instances be updated to the latter
per RFC 6763, or is the mix acceptable? Note that your reply will also be
applied to RFCs-to-be 8764 and 8765.
-->

  </back>
</rfc>