rfc8766xml2.original.xml   rfc8766.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!--
Check output with <http://tools.ietf.org/tools/idnits/>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most
I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.35) -->
<!-- give errors regarding ID-nits and DTD validation -->
<?rfc strict="yes" ?>
<!-- control the table of contents (ToC) --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="8766" consensus="true" c
<!-- generate a ToC --> ategory="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902" obsoletes="
<?rfc toc="yes"?> " updates="" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth="3"
<!-- the number of levels of subsections in ToC. default: 3 --> symRefs="true" sortRefs="false" version="3">
<?rfc tocdepth="3"?>
<!-- control references --> <!-- [rfced] May we sort the references alphabetically
<!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1] (i.e., set sortrefs="true"), or do you prefer the current order?
--> -->
<?rfc symrefs="yes"?>
<!-- sort the reference entries alphabetically -->
<?rfc sortrefs="no" ?>
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<!-- do not start each main section on a new page -->
<?rfc compact="yes" ?>
<!-- keep one blank line between list items -->
<?rfc subcompact="no" ?>
<!-- encourage use of "xml2rfc" tool -->
<?rfc rfcprocack="yes" ?>
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902">
<front> <front>
<title abbrev='Multicast Service Discovery Proxy'>Discovery Proxy <title abbrev="Multicast Service Discovery Proxy">Discovery Proxy
for Multicast DNS-Based Service Discovery</title> for Multicast DNS-Based Service Discovery</title>
<author initials='S.' surname='Cheshire' fullname='Stuart Cheshire'> <seriesInfo name="RFC" value="8766"/>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire">
<organization>Apple Inc.</organization> <organization>Apple Inc.</organization>
<address> <address>
<postal> <postal>
<street>One Apple Park Way</street> <street>One Apple Park Way</street>
<city>Cupertino</city> <city>Cupertino</city>
<region>California</region> <region>California</region>
<code>95014</code> <code>95014</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<phone>+1 (408) 996-1010</phone> <phone>+1 (408) 996-1010</phone>
<email>cheshire@apple.com</email> <email>cheshire@apple.com</email>
</address> </address>
</author> </author>
<date year='2019' month='March' day='24'/> <date year="2020" month="March"/>
<area>Internet</area> <area>INT</area>
<workgroup>Internet Engineering Task Force</workgroup> <workgroup>DNSSD</workgroup>
<keyword>Multicast DNS</keyword> <keyword>Multicast DNS</keyword>
<keyword>DNS-Based Service Discovery</keyword> <keyword>DNS-Based Service Discovery</keyword>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<abstract> <abstract>
<t>This document specifies a network proxy that uses Multicast DNS <t>This document specifies a network proxy that uses Multicast DNS
to automatically populate the wide-area unicast Domain Name System to automatically populate the wide-area unicast Domain Name System
namespace namespace
with records describing devices and services found on the local with records describing devices and services found on the local
link.</t> link.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?rfc needLines="31" ?> <section numbered="true" toc="default">
<section title="Introduction"> <name>Introduction</name>
<t><xref target="RFC6762">Multicast DNS</xref> and its companion <t>Multicast DNS <xref target="RFC6762" format="default"></xref> and its
technology companion technology DNS-based Service Discovery <xref target="RFC6763"
DNS-based Service Discovery <xref target="RFC6763"/> were created to format="default"/> were created to provide IP networking with the ease
provide of use and autoconfiguration for which AppleTalk was well known <xref
IP networking with the ease-of-use and autoconfiguration for which target="RFC6760" format="default"/> <xref target="ZC" format="default"/>
AppleTalk was well known <xref target="RFC6760"/> <xref target="ZC"/> <xref target="I-D.cheshire-dnssd-roadmap" format="default"/>.</t>
<xref target="Roadmap"/>.</t>
<t>For a small home network consisting of just a single link (or a few <t>For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link from physical links bridged together to appear as a single logical link from
the point of view of IP) the point of view of IP), Multicast DNS <xref target="RFC6762"
<xref target="RFC6762">Multicast DNS</xref> is sufficient for client format="default"></xref> is sufficient for client devices
devices to look up the ".local" host names of peers on the same home network
to look up the ".local" host names of peers on the same home network, and to use Multicast DNS-based
and Service Discovery (DNS-SD) <xref target="RFC6763" format="default"></xref>
to use Multicast <xref target="RFC6763">DNS-Based Service Discovery to discover services offered on that
(DNS-SD)</xref> home network.</t>
to discover services offered on that home network.</t>
<t>For a larger network consisting of multiple links that are <t>For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, are not propagated onto other Multicast DNS packets, by design, are not propagated onto other
links.</t> links.</t>
<t>Using link-local multicast packets for Multicast DNS was a conscious
<t>Using link-local multicast packets for Multicast DNS design choice <xref target="RFC6762" format="default"/>. Even when
was a conscious design choice <xref target="RFC6762"/>. limited to a single link, multicast traffic is still generally
Even when limited to a single link, multicast traffic is still considered to be more expensive than unicast, because multicast traffic
generally considered to be more expensive than unicast, because impacts many devices instead of just a single recipient. In addition,
multicast traffic impacts many devices, instead of just a single with some technologies like Wi-Fi <xref target="IEEE-11"
recipient. format="default"></xref>, multicast traffic is inherently less
In addition, with some technologies like <xref efficient and less reliable than unicast, because Wi-Fi multicast
target="IEEE-11">Wi-Fi</xref>, traffic is sent at lower data rates, and is not acknowledged <xref
multicast traffic is inherently less efficient and less reliable than target="I-D.ietf-mboned-ieee802-mcast-problems" format="default"/>.
unicast, because Increasing the amount of expensive multicast traffic by flooding it
Wi-Fi multicast traffic is sent at lower data rates, and is not across multiple links would make the traffic load even worse.</t>
acknowledged <xref target="Mcast"/>.
Increasing the amount of expensive multicast traffic by flooding
it across multiple links would make the traffic load even worse.</t>
<t>Partitioning the network into many small links curtails the spread <t>Partitioning the network into many small links curtails the spread
of expensive multicast traffic, but limits the discoverability of of expensive multicast traffic but limits the discoverability of
services. services.
At the opposite end of the spectrum, using a very large local link with At the opposite end of the spectrum, using a very large local link with
thousands of hosts enables better thousands of hosts enables better
service discovery, but at the cost of larger amounts of multicast service discovery but at the cost of larger amounts of multicast
traffic.</t> traffic.</t>
<t>Performing DNS-based Service Discovery using purely Unicast DNS is
<t>Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require large multicast domains but does
more efficient and doesn't require large multicast domains, but does
require that the relevant data be available in the Unicast DNS require that the relevant data be available in the Unicast DNS
namespace. namespace.
The Unicast DNS namespace in question could fall within a traditionally The Unicast DNS namespace in question could fall within a traditionally
assigned globally unique domain name, or could use a private local assigned globally unique domain name or could use a private local
unicast domain name such as ".home.arpa" <xref target="RFC8375"/>.</t> unicast domain name such as ".home.arpa" <xref target="RFC8375" format="de
fault"/>.</t>
<t>In the DNS-SD specification <xref target="RFC6763" sectionFormat="comma
" section="10"/> ("Populating
the DNS with Information") discusses various possible ways that a
service's PTR, SRV, TXT, and address records can make their way into the
Unicast DNS namespace, including manual zone file configuration <xref
target="RFC1034" format="default"/> <xref target="RFC1035"
format="default"/>, DNS&nbsp;Update <xref target="RFC2136"
format="default"/> <xref target="RFC3007" format="default"/>, and proxies
of various kinds.</t>
<t>In the <xref target="RFC6763">DNS-SD specification</xref>, <t>Making the relevant data available in the Unicast DNS namespace by
Section 10 ("Populating the DNS with Information") manual DNS configuration is one option. This option has been used for
discusses various possible ways that a service's PTR, SRV, TXT and many years at IETF meetings to advertise the IETF terminal room printer.
address records can make their way into the Unicast DNS namespace, Details of this example are given in <xref
including manual zone file configuration target="I-D.cheshire-dnssd-roadmap" sectionFormat="of" section="A">the
<xref target="RFC1034"/> <xref target="RFC1035"/>, Roadmap document</xref>. However, this manual DNS configuration is
DNS&nbsp;Update <xref target="RFC2136"/> <xref target="RFC3007"/> labor intensive, error prone, and requires a reasonable degree of DNS
and proxies of various kinds.</t> expertise.</t>
<t>Making the relevant data available in the Unicast DNS namespace <!-- [rfced] In the following sentence, it may be a bit confusing with regard
by manual DNS configuration is one option. This option has been used to "by the devices". How might we update?
for many years at IETF meetings to advertise the IETF Terminal Room
printer.
Details of this example are given in Appendix A of
<xref target="Roadmap">the Roadmap document</xref>.
However, this manual DNS configuration is labor intensive,
error prone, and requires a reasonable degree of DNS expertise.</t>
Original:
Populating the Unicast DNS namespace via DNS Update by the devices offering
the services themselves is...
Perhaps:
Populating the Unicast DNS namespace via DNS Update using the devices
offering the services themselves is...
-->
<t>Populating the Unicast DNS namespace via DNS Update by the <t>Populating the Unicast DNS namespace via DNS Update by the
devices offering the services themselves is another option <xref devices offering the services themselves is another option <xref target="I
target="RegProt"/> <xref target="DNS-UL"/>. -D.sctl-service-registration" format="default"/> <xref target="I-D.sekar-dns-ul"
format="default"/>.
However, this requires configuration However, this requires configuration
of DNS Update keys on those devices, which has proven onerous and of DNS Update keys on those devices, which has proven onerous and
impractical for simple devices like printers and network cameras.</t> impractical for simple devices like printers and network cameras.</t>
<t>Hence, to facilitate efficient and reliable DNS-based Service
<t>Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, Discovery,
a compromise is needed that combines the ease-of-use of a compromise is needed that combines the ease of use of
Multicast DNS with the efficiency and scalability of Unicast DNS.</t> Multicast DNS with the efficiency and scalability of Unicast DNS.</t>
<t>This document specifies a type of proxy called a "Discovery Proxy" <t>This document specifies a type of proxy called a "Discovery Proxy"
that uses <xref target="RFC6762">Multicast DNS</xref> to discover that uses Multicast DNS <xref target="RFC6762" format="default"></xref> to discover
Multicast DNS records on its local link, and makes corresponding Multicast DNS records on its local link, and makes corresponding
DNS records visible in the Unicast DNS namespace.</t> DNS records visible in the Unicast DNS namespace.</t>
<t>In principle, similar mechanisms could be defined using other <t>In principle, similar mechanisms could be defined using other
local service discovery protocols, to discover local information local service discovery protocols to discover local information
and then make corresponding DNS records visible in the Unicast and then make corresponding DNS records visible in the Unicast
DNS namespace. Such mechanisms for other local service discovery DNS namespace. Such mechanisms for other local service discovery
protocols could be addressed in future documents.</t> protocols could be addressed in future documents.</t>
<t>The design of the Discovery Proxy is guided by the previously <t>The design of the Discovery Proxy is guided by the previously
published published requirements document
<xref target="RFC7558">requirements document</xref>.</t> <xref target="RFC7558" format="default"></xref>.</t>
<t>In simple terms, a descriptive DNS name is chosen for <t>In simple terms, a descriptive DNS name is chosen for
each link in an organization. each link in an organization.
Using a DNS NS record, responsibility for that DNS name is delegated to Using a DNS NS record, responsibility for that DNS name is delegated to
a Discovery Proxy physically attached to that link. a Discovery Proxy physically attached to that link.
Now, when a remote client issues a unicast query for a name falling Now, when a remote client issues a unicast query for a name falling
within within
the delegated subdomain, the normal DNS delegation mechanism the delegated subdomain, the normal DNS delegation mechanism
results in the unicast query arriving at the Discovery Proxy, results in the unicast query arriving at the Discovery Proxy
since it has been declared authoritative for those names. since it has been declared authoritative for those names.
Now, instead of consulting a textual zone file on disk to discover Now, instead of consulting a textual zone file on disk to discover
the answer to the query, as a traditional DNS server would, the answer to the query as a traditional DNS server would,
a Discovery Proxy consults its local link, using Multicast DNS, a Discovery Proxy consults its local link, using Multicast DNS,
to find the answer to the question.</t> to find the answer to the question.</t>
<!-- [rfced] In the following sentences, does "now" mean the process was
different in the past, or can it be removed? Also, it sounds odd
having "Now" twice sequentially; is there another word or phrase that
can be used?
<t>For fault tolerance reasons there may be more than one Original:
Now, when a remote client issues a unicast query for a name falling within
the delegated subdomain, the normal DNS delegation mechanism results in the
unicast query arriving at the Discovery Proxy, since it has been declared
authoritative for those names. Now, instead of consulting a textual zone
file on disk to discover the answer to the query, as a traditional DNS
server would, a Discovery Proxy consults its local link, using Multicast
DNS, to find the answer to the question.
-->
<t>For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.</t> Discovery Proxy serving a given link.</t>
<t>Note that the Discovery Proxy uses a "pull" model. <t>Note that the Discovery Proxy uses a "pull" model.
The local link is not queried using Multicast DNS until some remote The local link is not queried using Multicast DNS until some remote
client has requested that data. In the idle state, in the absence client has requested that data. In the idle state, in the absence
of client requests, the Discovery Proxy sends no packets and imposes of client requests, the Discovery Proxy sends no packets and imposes
no burden on the network. It operates purely "on demand".</t> no burden on the network. It operates purely "on demand".</t>
<t>An alternative proposal that has been discussed is a proxy that <t>An alternative proposal that has been discussed is a proxy that
performs performs DNS updates to a remote DNS server on behalf of the Multicast
DNS updates to a remote DNS server on behalf of the Multicast DNS DNS devices on the local network. The difficulty with this is that
devices on the local network. Multicast DNS devices do not routinely announce their records on the
The difficulty with this is is that network. Generally, they remain silent until queried. This means that
Multicast DNS devices do not routinely announce their records the complete set of Multicast DNS records in use on a link can only be
on the network. Generally they remain silent until queried. discovered by active querying, not by passive listening. Because of
This means that the complete set of Multicast DNS records in use on a this, a proxy can only know what names exist on a link by issuing
link can only be discovered by active querying, not by passive queries for them, and since it would be impractical to issue queries for
listening. every possible name just to find out which names exist and which do not,
Because of this, a proxy can only know what names exist on a link there is no reasonable way for a proxy to programmatically learn all the
by issuing queries for them, and since it would be impractical to answers it would need to push up to the remote DNS server using DNS
issue queries for every possible name just to find out which names Update. Even if such a mechanism were possible, it would risk
exist and which do not, there is no reasonable way for a proxy to generating high load on the network continuously, even when there are no
programmatically learn all the answers it would need to push up to clients with any interest in that data.</t>
the remote DNS server using DNS Update.
Even if such a mechanism were possible, it would risk generating
high load on the network continuously, even when there are
no clients with any interest in that data.</t>
<t>Hence, having a model where the query comes to the Discovery Proxy <t>Hence, having a model where the query comes to the Discovery Proxy
is much more efficient than is much more efficient than
a model where the Discovery Proxy pushes the answers out a model where the Discovery Proxy pushes the answers out
to some other remote DNS server.</t> to some other remote DNS server.</t>
<t>A client seeking to discover services and other information achieves
<t>A client seeking to discover services and other information this by sending traditional DNS queries to the Discovery Proxy or by
achieves this by sending traditional DNS queries to the Discovery Proxy, sending DNS Push Notification subscription requests <xref
or by sending target="RFC8765" format="default"></xref>.</t>
<xref target="Push">DNS Push Notification subscription
requests</xref>.</t>
<t>How a client discovers what domain name(s) to use for its service <t>How a client discovers what domain name(s) to use for its service
discovery queries, discovery queries
(and consequently what Discovery Proxy or Proxies to use) (and, consequently, what Discovery Proxy or Proxies to use)
is described in <xref target="dom-enum"/>.</t> is described in <xref target="dom-enum" format="default"/>.</t>
<t>The diagram below illustrates a network topology using a <t>The diagram below illustrates a network topology using a
Discovery Proxy to provide discovery service to a remote client.</t> Discovery Proxy to provide discovery service to a remote client.</t>
<figure><artwork> <!-- [rfced] Would you like to add a title to the figure in Section 1?
-->
<figure>
<artwork name="" type="" align="left" alt=""><![CDATA[
+--------+ Unicast +-----------+ +---------+ +---------+ +--------+ Unicast +-----------+ +---------+ +---------+
| Remote | Communcation | Discovery | | Network | | Network | | Remote | Communication | Discovery | | Network | | Network |
| Client |---- . . . -----| Proxy | | Printer | | Camera | | Client |---- . . . -----| Proxy | | Printer | | Camera |
+--------+ +-----------+ +---------+ +---------+ +--------+ +-----------+ +---------+ +---------+
| | | | | |
-------------------------------------------- --------------------------------------------
Multicast-capable LAN segment (e.g., Ethernet) Multicast-capable LAN segment (e.g., Ethernet)
</artwork></figure> ]]></artwork>
</figure>
</section>
<?rfc needLines="31" ?> <section numbered="true" toc="default">
</section> <name>Operational Analogy</name>
<t>A Discovery Proxy does not operate as a multicast relay or multicast
forwarder. There is no danger of multicast forwarding loops that result
in traffic storms, because no multicast packets are forwarded. A
Discovery Proxy operates as a *proxy* for a remote client, performing
queries on its behalf and reporting the results back.</t>
<t>A reasonable analogy is making a telephone call to a colleague at
your workplace and saying, "I'm out of the office right now. Would you
mind bringing up a printer browser window and telling me the names of
the printers you see?" That entails no risk of a forwarding loop causing
a traffic storm, because no multicast packets are sent over the
telephone call.</t>
<section title="Operational Analogy"> <!-- [rfced] May "ssh" be written out as follows?
<t>A Discovery Proxy does not operate as a multicast relay, or multicast
forwarder.
There is no danger of multicast forwarding loops that result in traffic
storms,
because no multicast packets are forwarded.
A Discovery Proxy operates as a *proxy* for a remote client,
performing queries on its behalf and reporting the results back.</t>
<t>A reasonable analogy is making a telephone call to a colleague Original: Or log in using ssh and type ...
at your workplace and saying, "I'm out of the office right now. Would
you Perhaps: Or, log in using the Secure Shell (SSH) protocol and type ...
mind bringing up a printer browser window and telling me the names of -->
the
printers you see?" That entails no risk of a forwarding loop causing a
traffic storm, because no multicast packets are sent over the telephone
call.</t>
<t>A similar analogy, instead of enlisting another human being <t>A similar analogy, instead of enlisting another human being
to initiate the service discovery operation on your behalf, is to initiate the service discovery operation on your behalf, is
to log into your own desktop work computer using screen sharing, to log in to your own desktop work computer using screen sharing
and then run the printer browser yourself to see the list of printers. and then run the printer browser yourself to see the list of printers.
Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the Or, log in using ssh and type "dns-sd -B _ipp._tcp" and observe the
list of discovered printer names. In neither case is there any risk list of discovered printer names. In neither case is there any risk
of a forwarding loop causing a traffic storm, because no multicast of a forwarding loop causing a traffic storm, because no multicast
packets are being sent over the screen sharing or ssh connection.</t> packets are being sent over the screen-sharing or ssh connection.</t>
<t>The Discovery Proxy provides another way of performing remote <t>The Discovery Proxy provides another way of performing remote
queries, queries,
except using a different protocol instead of screen sharing or ssh.</t> except that it uses a different protocol instead of screen sharing or ssh.
</t>
<t>When the Discovery Proxy software performs Multicast DNS <t>When the Discovery Proxy software performs Multicast DNS
operations, the exact same Multicast DNS caching mechanisms are operations, the exact same Multicast DNS caching mechanisms are
applied as when any other client software on that Discovery Proxy applied as when any other client software on that Discovery Proxy
device performs Multicast DNS operations, whether that be running device performs Multicast DNS operations, regardless of whether that be ru
a printer browser client locally, or a remote user running the nning
printer browser client via a screen sharing connection, or a remote a printer browser client locally, a remote user running the
printer browser client via a screen-sharing connection, a remote
user logged in via ssh running a command-line tool like "dns-sd", user logged in via ssh running a command-line tool like "dns-sd",
or a remote user sending DNS requests that cause a Discovery Proxy or a remote user sending DNS requests that cause a Discovery Proxy
to perform discovery operations on its behalf.</t> to perform discovery operations on its behalf.</t>
<?rfc needLines="15" ?>
</section> </section>
<section title="Conventions and Terminology Used in this Document"> <section numbered="true" toc="default">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <name>Conventions and Terminology Used in This Document</name>
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace
/> <t>
and "OPTIONAL" in this document are to be interpreted as The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
described<vspace /> IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
in "Key words for use in RFCs to Indicate Requirement Levels",<vspace /> NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
when, and only when, they appear in all capitals, as shown here<vspace RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
/> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
<xref target="RFC2119"/> <xref target="RFC8174"/>.</t> be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<t>The Discovery Proxy builds on Multicast DNS, <t>The Discovery Proxy builds on Multicast DNS,
which works between hosts on the same link. which works between hosts on the same link.
For the purposes of this document For the purposes of this document,
a set of hosts is considered to be "on the same link" if: a set of hosts is considered to be "on the same link" if:
<list style='symbols'> </t>
<t>when any host from that set sends a packet to any other host <!-- [rfced] This document uses asterisks for emphasis on several words.
May this be changed to <em> in the XML? (It generates italics in the
HTML and PDF outputs; underscores in the TXT.)
Original:
The link-layer *header* may be...
...
but not the link-layer *payload*.
-->
<ul spacing="normal">
<li>when any host from that set sends a packet to any other host
in that set, using unicast, multicast, or broadcast, the entire in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and</t> link-layer packet payload arrives unmodified, and</li>
<t>a broadcast sent over that link, by any host from that set of <li>a broadcast sent over that link, by any host from that set of
hosts, hosts,
can be received by every other host in that set.</t> can be received by every other host in that set.</li>
</list> </ul>
<t>
The link-layer *header* may be modified, such as in The link-layer *header* may be modified, such as in Token Ring Source Rout
<xref target="IEEE-5">Token Ring Source Routing</xref>, ing
<xref target="IEEE802.5" format="default"></xref>,
but not the link-layer *payload*. but not the link-layer *payload*.
In particular, if any device forwarding a packet modifies any In particular, if any device forwarding a packet modifies any
part of the IP header or IP payload then the packet is no longer part of the IP header or IP payload, then the packet is no longer
considered to be on the same link. This means that the packet may considered to be on the same link. This means that the packet may
pass through devices such as repeaters, bridges, hubs or switches pass through devices such as repeaters, bridges, hubs, or switches
and still be considered to be on the same link for the purpose of and still be considered to be on the same link for the purpose of
this document, but not through a device such as an IP router that this document, but not through a device such as an IP router that
decrements the IP TTL or otherwise modifies the IP header.</t> decrements the IP TTL or otherwise modifies the IP header.</t>
</section> </section>
<section anchor="compatibility" title="Compatibility Considerations"> <section anchor="compatibility" numbered="true" toc="default">
<name>Compatibility Considerations</name>
<t>No changes to existing devices are required to work with a Discovery <t>No changes to existing devices are required to work with a Discovery
Proxy.</t> Proxy.</t>
<t>Existing devices that advertise services using Multicast DNS work <t>Existing devices that advertise services using Multicast DNS work
with Discovery Proxy.</t> with a Discovery Proxy.</t>
<t>Existing clients that support DNS-Based Service Discovery over <!-- [rfced] The following sentence may be confusing due to its length. How
Unicast DNS might we rephrase for clarity?
work with Discovery Proxy.
Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 in
April 2005,
as is included in Apple products introduced since then, including iPhone
and iPad,
as well as products from other vendors, such as Microsoft Windows
10.</t>
<t>An overview of the larger collection of related Service Discovery Original:
technologies, and how Discovery Proxy relates to those, is given in Service Discovery over
<xref target="Roadmap">the Service Discovery Road Map Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is
document</xref>.</t> included in Apple products introduced since then, including iPhone
and iPad, as well as products from other vendors, such as Microsoft
Windows 10.
<?rfc needLines="22" ?> Perhaps:
Service Discovery over Unicast DNS was introduced in Mac OS X (version
10.4) in April of 2005 and has been included in Apple products introduced
since then such as the iPhone and iPad. It has also been included in
products from other vendors such as Microsoft Windows 10.
-->
<t>Existing clients that support DNS-based Service Discovery over
Unicast DNS work with a Discovery Proxy. Service Discovery over Unicast
DNS was introduced in Mac OS X 10.4 in April 2005 and has been included in
Apple products introduced since then, including the iPhone and iPad as wel
l
as products from other vendors such as Microsoft Windows 10.</t>
<t>An overview of the larger collection of related Service Discovery
technologies, and how Discovery Proxies relate to those, is given in the
Service Discovery Road Map document <xref
target="I-D.cheshire-dnssd-roadmap" format="default"></xref>.</t>
</section> </section>
<section anchor="operation" title="Discovery Proxy Operation"> <!-- [rfced] Would the following sentence be clearer with "as shown below," to
better set up the four definitions it leads into following the colon?
Original:
In a typical configuration, a Discovery Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, and
authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records.
...
Perhaps:
In a typical configuration, a Discovery Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four or more DNS subdomains, as shown
below, and authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records.
...
-->
<section anchor="operation" numbered="true" toc="default">
<name>Discovery Proxy Operation</name>
<t>In a typical configuration, a Discovery Proxy is configured <t>In a typical configuration, a Discovery Proxy is configured
to be authoritative <xref target="RFC1034"/> <xref target="RFC1035"/> to be authoritative <xref target="RFC1034" format="default"/> <xref target ="RFC1035" format="default"/>
for four or more DNS subdomains, and authority for four or more DNS subdomains, and authority
for these subdomains is delegated to it via NS records: for these subdomains is delegated to it via NS records:
<list style="hanging"> </t>
<t hangText="A DNS subdomain for service discovery records."><vspace <dl newline="true" spacing="normal">
/> <dt>A DNS subdomain for service discovery records.</dt>
<dd>
This subdomain name may contain rich text, including This subdomain name may contain rich text, including
spaces and other punctuation. This is because this spaces and other punctuation. This is because this
subdomain name is used only in graphical user interfaces, subdomain name is used only in graphical user interfaces
where rich text is appropriate.</t> where rich text is appropriate.</dd>
<t hangText="A DNS subdomain for host name records."><vspace /> <dt>A DNS subdomain for host name records.</dt>
This subdomain name SHOULD be limited to letters, digits and <dd>
hyphens, This subdomain name <bcp14>SHOULD</bcp14> be limited to letters, digit
to facilitate convenient use of host names in command-line s, and
interfaces.</t> hyphens in order to facilitate the convenient use of host names in comm
<t hangText="One or more DNS subdomains for IPv4 Reverse Mapping and-line
records."><vspace /> interfaces.</dd>
These subdomains will have names that ends in "in-addr.arpa."</t> <dt>One or more DNS subdomains for IPv4 Reverse Mapping records.</dt>
<t hangText="One or more DNS subdomains for IPv6 Reverse Mapping <dd>
records."><vspace /> These subdomains will have names that end in "in-addr.arpa".</dd>
These subdomains will have names that ends in "ip6.arpa."</t> <dt>One or more DNS subdomains for IPv6 Reverse Mapping records
</list> .</dt>
</t> <dd>
These subdomains will have names that end in "ip6.arpa".</dd>
<t>In an enterprise network the naming and delegation of these </dl>
<t>In an enterprise network, the naming and delegation of these
subdomains subdomains
is typically performed by conscious action of the network administrator. is typically performed by conscious action of the network administrator.
In a home network naming and delegation would typically be performed In a home network, naming and delegation would typically be performed
using some automatic configuration mechanism such as HNCP using some automatic configuration mechanism such as Home Networking
<xref target="RFC7788"/>.</t> Control Protocol (HNCP)
<xref target="RFC7788" format="default"/>.</t>
<t>These three varieties of delegated subdomains <t>These three varieties of delegated subdomains
(service discovery, host names, and reverse mapping) are described below (service discovery, host names, and reverse mapping) are described below
in in Sections <xref target="dom-sd" format="counter"/>, <xref
<xref target="dom-sd"/>, target="dom-host" format="counter"/>, and <xref target="dom-rev" format="c
<xref target="dom-host"/> and ounter"/>.</t>
<xref target="dom-rev"/>.</t>
<t>How a client discovers where to issue its service discovery queries <t>How a client discovers where to issue its service discovery queries
is described is described in <xref target="dom-enum" format="default"/>.</t>
below in <xref target="dom-enum"/>.</t> <section anchor="dom-sd" numbered="true" toc="default">
<name>Delegated Subdomain for Service Discovery Records</name>
<?rfc needLines="28" ?> <t>In its simplest form, each link in an organization
<section anchor="dom-sd" title="Delegated Subdomain for Service is assigned a unique Unicast DNS domain name such as
Discovery Records">
<t>In its simplest form, each link in an organization
is assigned a unique Unicast DNS domain name, such as
"Building&nbsp;1.example.com" or "Building&nbsp;1.example.com" or
"2nd&nbsp;Floor.Building&nbsp;3.example.com". "2nd&nbsp;Floor.Building&nbsp;3.example.com".
Grouping multiple links under a single Unicast DNS domain Grouping multiple links under a single Unicast DNS domain
name is to be specified in a future companion document, but for name is to be specified in a future companion document, but for
the purposes of this document, assume that each link has its own the purposes of this document, assume that each link has its own
unique Unicast DNS domain name. unique Unicast DNS domain name.
In a graphical user interface these names are not displayed In a graphical user interface, these names are not displayed
as strings with dots as shown above, but something more as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface akin to a typical file browser graphical user interface
(which is harder to illustrate in a text-only document) (which is harder to illustrate in a text-only document)
showing folders, subfolders and files in a file system. showing folders, subfolders, and files in a file system.
<figure align="left" anchor="browser" title="Illustrative </t>
GUI"><artwork><![CDATA[
+---------------+--------------+-------------+-------------------+
| *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | |
| | Building 5 | | |
| | Building 6 | | |
+---------------+--------------+-------------+-------------------+]]></artwork>
</figure>
</t>
<t>Each named link in an organization has one or more Discovery Proxies <table anchor="browser">
which <name>Illustrative GUI
serve it. This Discovery Proxy function for each link could be performed </name>
by a <tbody>
device like a router or switch that is physically attached to that link. <tr>
In the parent domain, NS records <td align="center">*example.com*</td>
are used to delegate ownership of each defined link name <td align="center">Building 1</td>
(e.g.,&nbsp;"Building&nbsp;1.example.com") <td align="center">1st Floor</td>
to the one or more Discovery Proxies that serve the named link. <td align="center">Alice's printer</td>
In other words, the Discovery Proxies are the authoritative name </tr>
servers for that subdomain.
As in the rest of DNS-Based Service Discovery, all names are represented
as-is
using plain UTF-8 encoding, and, as described in <xref
target="notrans"/>,
no text encoding translations are performed.</t>
<t>With appropriate <xref target="IEEE-1Q">VLAN configuration</xref> <tr>
a single Discovery Proxy device could have a logical presence on <td align="center"></td>
many links, and serve as the Discovery Proxy for all those links. <td align="center">Building 2</td>
In such a configuration the Discovery Proxy device would have a single <td align="center">*2nd Floor*</td>
physical <xref target="IEEE-3">Ethernet</xref> port, configured as a <td align="center">Bob's printer</td>
VLAN trunk port, which would appear to software on that device as </tr>
multiple
virtual Ethernet interfaces, one connected to each of the VLAN
links.</t>
<t>As an alternative to using VLAN technology, using a <tr>
<xref target="Relay">Multicast DNS Discovery Relay</xref> <td align="center"></td>
is another way that a Discovery Proxy can have <td align="center">*Building 3*</td>
a ‘virtual’ presence on a remote link.</t> <td align="center">3rd Floor</td>
<td align="center">Charlie's printer</td>
</tr>
<?rfc needLines="6" ?> <tr>
<t>When a DNS-SD client issues a Unicast DNS query to discover services <td align="center"></td>
in a particular Unicast DNS subdomain <td align="center">Building 4</td>
(e.g.,&nbsp;"_printer._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?") <td align="center">4th Floor</td>
the normal DNS delegation mechanism results in that query being <td align="center"></td>
forwarded until it reaches the delegated authoritative name server </tr>
for that subdomain, namely the Discovery Proxy on the link in question.
Like a conventional Unicast DNS server,
a Discovery Proxy implements the usual Unicast DNS protocol
<xref target="RFC1034"/> <xref target="RFC1035"/> over UDP and TCP.
However, unlike a conventional Unicast DNS server that
generates answers from the data in its manually-configured zone file,
a Discovery Proxy generates answers using Multicast DNS.
A Discovery Proxy does this by consulting
its Multicast DNS cache and/or issuing Multicast DNS queries,
as appropriate, according to the usual protocol
rules of <xref target="RFC6762">Multicast DNS</xref>,
for the corresponding Multicast DNS name, type and class,
with the delegated zone part of the name replaced with ".local"
(e.g.,&nbsp;in this case, "_printer._tcp.local.&nbsp;PTR&nbsp;?").
Then, from the received Multicast DNS data, the Discovery Proxy
synthesizes the appropriate Unicast DNS response, with the
".local" top-level label replaced with with the name of the delegated
zone.
How long the Discovery Proxy should wait to accumulate Multicast DNS
responses before sending its unicast reply is described below in <xref
target="aggregation"/>.</t>
<t>The existing Multicast DNS caching mechanism is used <tr>
to minimize unnecessary Multicast DNS queries on the wire. <td align="center"></td>
The Discovery Proxy is acting as a client of the underlying Multicast <td align="center">Building 5</td>
DNS <td align="center"></td>
subsystem, and benefits from the same caching and efficiency <td align="center"></td>
measures as any other client using that subsystem.</t> </tr>
<t>Note that the contents of the delegated zone, <tr>
generated as it is by performing ".local" Multicast DNS queries, <td align="center"></td>
mirrors the records available on the local link via Multicast DNS <td align="center">Building 6</td>
very closely, but not precisely. <td align="center"></td>
There is not a full bidirectional equivalence between the two. <td align="center"></td>
Certain records that are available via Multicast DNS may not have </tr>
equivalents in the delegated zone, </tbody>
possibly because they are invalid or not relevant in the delegated zone, </table>
or
because they are being supressed because they are unusable outside the
local link
(see <xref target="unusable"/>).
Conversely, certain records that appear in the delegated zone may not
have
corresponding records available on the local link via Multicast DNS.
In particular there are certain administrative SRV records
(see <xref target="admin"/>) that logically fall within the delegated
zone,
but semantically represent metadata *about* the zone rather than records
*within* the zone, and consequently these administrative records in the
delegated zone
do not have any corresponding counterparts in the Multicast DNS
namespace of the local link.</t>
<?rfc needLines="26" ?> <!-- [rfced] Please clarify "Discovery Proxy function for each link".
</section> May it be rephrased as follows or otherwise?
<section anchor="dom-enum" title="Domain Enumeration"> Original:
<t>A DNS-SD client performs Domain Enumeration <xref This Discovery Proxy function for each link could be performed by a device
target="RFC6763"/> like a router or switch that is physically attached to that link.
via certain PTR queries, using both unicast and multicast.
If it receives a Domain Name configuration via
<xref target="RFC2132">DHCP option 15</xref>,
then it issues unicast queries using this domain.
It issues unicast queries using names derived from its
IPv4 subnet address(es) and
IPv6 prefix(es).
These are described below in <xref target="unicast"/>.
It also issues multicast Domain Enumeration queries in the "local"
domain
<xref target="RFC6762"/>.
These are described below in <xref target="multicast"/>.
The results of all the Domain Enumeration queries are combined for
Service Discovery purposes.</t>
<section anchor="unicast" title="Domain Enumeration via Unicast Perhaps:
Queries"> This Discovery Proxy function could be performed for each link by a device
<t>The administrator creates Domain Enumeration like a router or switch that is physically attached to that link.
PTR records <xref target="RFC6763"/> -->
to inform clients of available service discovery domains. <t>Each named link in an organization has one or more Discovery
Two varieties of such Domain Enumeration PTR records exist; Proxies that serve it. This Discovery Proxy function for each link
those with names derived from the domain name communicated to the could be performed by a device like a router or switch that is
clients via DHCP, physically attached to that link. In the parent domain, NS records
and those with names derived from IPv4 subnet address(es) and IPv6 are used to delegate ownership of each defined link name
prefix(es) in use by the clients. (e.g.,&nbsp;"Building&nbsp;1.example.com") to one or more
Below is an example showing the name-based variety:</t> Discovery Proxies that serve the named link. In other words, the
<figure><artwork> Discovery Proxies are the authoritative name servers for that
subdomain. As in the rest of DNS-based Service Discovery, all names
are represented as-is using plain UTF-8 encoding and, as described in
<xref target="notrans" format="default"/>, no text-encoding
translations are performed.</t>
<t>With appropriate VLAN
configuration <xref target="IEEE802.1Q" format="default"></xref>, a sing
le Discovery Proxy device could have a
logical presence on many links and serve as the Discovery Proxy for
all those links. In such a configuration, the Discovery Proxy device
would have a single physical Ethernet <xref target="IEEE-3"
format="default"></xref> port, configured as a VLAN trunk
port, which would appear to software on that device as multiple
virtual Ethernet interfaces, one connected to each of the VLAN
links.</t>
<t>As an alternative to using VLAN technology, using a Multicast DNS Dis
covery Relay
<xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>
is another way that a Discovery Proxy can have
a "virtual" presence on a remote link.</t>
<t>When a DNS-SD client issues a Unicast DNS query to discover
services in a particular Unicast DNS subdomain
(e.g.,&nbsp;"_printer._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?"
),
the normal DNS delegation mechanism results in that query being
forwarded until it reaches the delegated authoritative name server for
that subdomain, namely, the Discovery Proxy on the link in question.
Like a conventional Unicast DNS server, a Discovery Proxy implements
the usual Unicast DNS protocol <xref target="RFC1034"
format="default"/> <xref target="RFC1035" format="default"/> over UDP
and TCP. However, unlike a conventional Unicast DNS server that
generates answers from the data in its manually configured zone file,
a Discovery Proxy generates answers using Multicast DNS. A Discovery
Proxy does this by consulting its Multicast DNS cache and/or issuing
Multicast DNS queries, as appropriate according to the usual protocol
rules of Multicast DNS <xref target="RFC6762" format="default"></xref>,
for the corresponding Multicast DNS name, type, and class, with the
delegated zone part of the name replaced with ".local" (e.g.,&nbsp;in
this case, "_printer._tcp.local.&nbsp;PTR&nbsp;?"). Then, from the
received Multicast DNS data, the Discovery Proxy synthesizes the
appropriate Unicast DNS response, with the ".local" top-level label
replaced with the name of the delegated zone. How long the Discovery
Proxy should wait to accumulate Multicast DNS responses before sending
its unicast reply is described in <xref target="aggregation"
format="default"/>.</t>
<t>The existing Multicast DNS caching mechanism is used to minimize
unnecessary Multicast DNS queries on the wire. The Discovery Proxy is
acting as a client of the underlying Multicast DNS subsystem and
benefits from the same caching and efficiency measures as any other
client using that subsystem.</t>
<t>Note that the contents of the delegated zone, generated as it is by
performing ".local" Multicast DNS queries, mirrors the records
available on the local link via Multicast DNS very closely, but not
precisely. There is not a full bidirectional equivalence between the
two. Certain records that are available via Multicast DNS may not
have equivalents in the delegated zone possibly because they are
invalid or not relevant in the delegated zone or because they are
being suppressed because they are unusable outside the local link (see
<xref target="unusable" format="default"/>). Conversely, certain
records that appear in the delegated zone may not have corresponding
records available on the local link via Multicast DNS. In particular,
there are certain administrative SRV records (see <xref target="admin"
format="default"/>) that logically fall within the delegated zone but
semantically represent metadata *about* the zone rather than records
*within* the zone. Consequently, these administrative records in
the delegated zone do not have any corresponding counterparts in the
Multicast DNS namespace of the local link.</t>
</section>
<section anchor="dom-enum" numbered="true" toc="default">
<name>Domain Enumeration</name>
<t>A DNS-SD client performs Domain Enumeration <xref target="RFC6763"
format="default"/> via certain PTR queries using both unicast and
multicast. If it receives a Domain Name configuration via DHCP option
15 <xref target="RFC2132" format="default"></xref>, then it issues
unicast queries using this domain. It issues unicast queries using
names derived from its IPv4 subnet address(es) and IPv6 prefix(es),
which are described in <xref target="unicast" format="default"/>. It
also issues multicast Domain Enumeration queries in the "local" domain
<xref target="RFC6762" format="default"/>, which are described in
<xref target="multicast" format="default"/>. The results of all the
Domain Enumeration queries are combined for Service Discovery
purposes.</t>
<section anchor="unicast" numbered="true" toc="default">
<name>Domain Enumeration via Unicast Queries</name>
<t>The administrator creates Domain Enumeration PTR records <xref
target="RFC6763" format="default"/> to inform clients of available
service discovery domains. Two varieties of such Domain Enumeration
PTR records exist: those with names derived from the domain name
communicated to the clients via DHCP and those with names derived
from either IPv4 subnet address(es) or IPv6 prefix(es) in use by the
clients. Below is an example showing the name-based variety:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building lb._dns-sd._udp.example.com. PTR Building
1.example.com.</artwork></figure> 1.example.com.]]></artwork>
<t>The meaning of these records is defined in the <xref target="RFC676
3"
format="default">DNS Service
Discovery specification</xref> but, for convenience, is repeated here.
The "b" ("browse") records tell the client device the list of
browsing domains to display for the user to select from. The "db"
("default browse") record tells the client device which domain in
that list should be selected by default. The "db" domain
<bcp14>MUST</bcp14> be one of the domains in the "b" list; if not,
then no domain is selected by default. The "lb" ("legacy browse")
record tells the client device which domain to automatically browse
on behalf of applications that don't implement UI for multi-domain
browsing (which is most of them at the time of writing). The "lb"
domain is often the same as the "db" domain or sometimes the "db"
domain plus one or more others that should be included in the list
of automatic browsing domains for legacy clients.</t>
<t>Note that in the example above, for clarity, space characters in
names are shown as actual spaces. If this data is manually entered
into a textual zone file for authoritative server software such as
BIND, care must be taken because the space character is used as a
field separator, and other characters like dot ('.'), semicolon
(';'), dollar ('$'), backslash ('\'), etc., also have special meaning.
These characters have to be escaped when entered into a textual zone
file, following the rules in <xref target="RFC1035"
sectionFormat="of" section="5.1">the DNS specification</xref>. For
example, a literal space in a name is represented in the textual
zone file using '\032', so "Building 1.example.com." is entered as
"Building\0321.example.com."</t>
<!-- [rfced] In the following sentence, is the period following "Building
1.example.com" part of the actual name? If so, we will include a period
after the quotation marks to indicate the end of the sentence.
<t>The meaning of these records is defined in the We note that some instances of ".example.com" end in a period and others
<xref target="RFC6763">DNS Service Discovery specification</xref> do not; please review.
but for convenience is repeated here.
The "b" ("browse") records tell the client device the
list of browsing domains to display for the user to select from.
The "db" ("default browse") record tells the client device
which domain in that list should be selected by default.
The "db" domain MUST be one of the domains in the "b" list;
if not then no domain is selected by default.
The "lb" ("legacy browse") record tells the client device which domain
to automatically browse on behalf of applications that don't implement
UI for multi-domain browsing (which is most of them, at the time of
writing).
The "lb" domain is often the same as the "db" domain, or sometimes
the "db" domain plus one or more others that should be included in
the list of automatic browsing domains for legacy clients.</t>
<t>Note that in the example above, for clarity, Original:
space characters in names are shown as actual spaces. For example, a literal space in a name is
If this data is manually entered into a textual zone file for represented in the textual zone file using '\032', so "Building
authoritative server 1.example.com." is entered as "Building\0321.example.com."
software such as BIND, care must be taken because the space character ...
is used as These subdomains will have names that end in "in-addr.arpa."
a field separator, and other characters like dot ('.'), semicolon
(';'),
dollar ('$'), backslash ('\'), etc., also have special meaning.
These characters have to be escaped when entered into a textual zone
file,
following the rules in Section 5.1 of the
<xref target="RFC1035">DNS specification</xref>.
For example, a literal space in a name is represented in the textual
zone file
using '\032', so "Building 1.example.com." is entered as
"Building\0321.example.com."</t>
<?rfc needLines="15" ?> Perhaps:
<t>DNS responses are limited to a maximum size of 65535 bytes. For example, a literal space in a name is
represented in the textual zone file using "\032", so "Building
1.example.com." is entered as "Building\0321.example.com.".
...
These subdomains will have names that end in "in-addr.arpa.".
-->
<t>DNS responses are limited to a maximum size of 65535 bytes.
This limits the maximum number of domains that can be returned for This limits the maximum number of domains that can be returned for
a Domain Enumeration query, as follows:</t> a Domain Enumeration query as follows:</t>
<t>A DNS response header is 12 bytes.
<t>A DNS response header is 12 bytes.
That's typically followed by a single qname (up to 256 bytes) That's typically followed by a single qname (up to 256 bytes)
plus qtype (2&nbsp;bytes) and qclass (2&nbsp;bytes), leaving 65275 plus qtype (2&nbsp;bytes) and qclass (2&nbsp;bytes), leaving 65275
for the Answer Section.</t> for the Answer Section.</t>
<t>An Answer Section Resource Record consists of: <!-- [rfced] This document uses a mix of numerals ("10") and spelled out
<?rfc subcompact="yes" ?> numbers ("ten") for quantities of seconds and other technical content.
<list style='symbols'> Please let us know if you were following a specific guideline, or if
<t>Owner name, encoded as a two-byte compression pointer</t> you would you like to make any changes for consistency.
<t>Two-byte rrtype (type PTR)</t> Examples:
<t>Two-byte rrclass (class IN)</t> Section 5.2.1: 2 bytes vs. two-byte
<t>Four-byte ttl</t> Section 6.1: the value 10 vs. value of ten seconds
<t>Two-byte rdlength</t> -->
<t>rdata (domain name, up to 256 bytes)</t> <t>An Answer Section Resource Record consists of:
</list> </t>
<?rfc subcompact="no" ?>
</t>
<t>This means that each Resource Record in the Answer Section can <!-- [rfced] Should capitalization be changed in this list?
We see all-caps usage in past RFCs.
Current:
* Owner name encoded as a two-byte compression pointer
* Two-byte rrtype (type PTR)
* Two-byte rrclass (class IN)
* Four-byte ttl
* Two-byte rdlength
* rdata (domain name, up to 256 bytes)
Perhaps:
* Owner name encoded as a two-byte compression pointer
* Two-byte RRTYPE (type PTR)
* Two-byte RRCLASS (class IN)
* Four-byte TTL
* Two-byte RDLENGTH
* RDATA (domain name, up to 256 bytes)
-->
<ul spacing="compact">
<li>Owner name encoded as a two-byte compression pointer</li>
<li>Two-byte rrtype (type PTR)</li>
<li>Two-byte rrclass (class IN)</li>
<li>Four-byte ttl</li>
<li>Two-byte rdlength</li>
<li>rdata (domain name, up to 256 bytes)</li>
</ul>
<t>This means that each Resource Record in the Answer Section can
take up to 268 bytes total, which means that the Answer Section take up to 268 bytes total, which means that the Answer Section
can contain, in the worst case, no more than 243 domains.</t> can contain, in the worst case, no more than 243 domains.</t>
<t>In a more typical scenario, where the domain names are not all
<t>In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names maximum-sized names, and there is some similarity between names
so that reasonable name compression is possible, each Answer so that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that Section Resource Record may average 140 bytes, which means that
the Answer Section can contain up to 466 domains.</t> the Answer Section can contain up to 466 domains.</t>
<t>It is anticipated that this should be sufficient for even a large
<t>It is anticipated that this should be sufficient for even a large
corporate network or university campus.</t> corporate network or university campus.</t>
<?rfc needLines="21" ?> </section>
</section> <section anchor="multicast" numbered="true" toc="default">
<name>Domain Enumeration via Multicast Queries</name>
<section anchor="multicast" title="Domain Enumeration via Multicast <t>In the case where Discovery Proxy functionality is widely
Queries"> deployed within an enterprise (either by having a Discovery Proxy on
each link or by having a Discovery Proxy with a remote "virtual"
<t>In the case where Discovery Proxy functionality is widely deployed presence on each link using VLANs or Multicast DNS Discovery Relays
within an enterprise (either by having a Discovery Proxy on each link, <xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>),
or by having a Discovery Proxy with a remote ‘virtual’ presence on this offers an additional way to provide Domain Enumeration data for
each link clients.</t>
using VLANs or <xref target="Relay">Multicast DNS Discovery <t>A Discovery Proxy can be configured to generate Multicast DNS
Relays</xref>)
this offers an additional way to provide Domain Enumeration data for
clients.</t>
<t>A Discovery Proxy can be configured to generate Multicast DNS
responses responses
for the following Multicast DNS Domain Enumeration queries issued by for the following Multicast DNS Domain Enumeration queries issued by
clients:</t> clients:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ?</artwork></figure> lb._dns-sd._udp.local. PTR ?]]></artwork>
<t>This provides the ability for Discovery Proxies to indicate
<t>This provides the ability for Discovery Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link
recommended browsing domains granularity. In some enterprises, it may be preferable to provide
to DNS-SD clients on a per-link granularity. In some enterprises it this per-link configuration data in the form of a Discovery Proxy
may be configuration rather than populating the Unicast DNS servers with
preferable to provide this per-link configuration data in the form of the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t>
Discovery Proxy configuration, rather than populating the Unicast DNS <t>Regardless of how the network operator chooses to provide this
servers
with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t>
<t>Regardless of how the network operator chooses to provide this
configuration configuration
data, clients will perform Domain Enumeration via both unicast and data, clients will perform Domain Enumeration via both unicast and
multicast multicast
queries, and then combine the results of these queries.</t> queries and then combine the results of these queries.</t>
<?rfc needLines="30" ?>
</section> </section>
</section> </section>
<section anchor="dom-host" numbered="true" toc="default">
<section anchor="dom-host" title="Delegated Subdomain for LDH Host <name>Delegated Subdomain for LDH Host Names</name>
Names">
<t>DNS-SD service instance names and domains are allowed <t>DNS-SD service instance names and domains are allowed
to contain arbitrary <xref target="RFC5198">Net-Unicode text</xref>, to contain arbitrary Net-Unicode text <xref target="RFC5198" format="def
encoded as <xref target="RFC3629">precomposed UTF-8</xref>.</t> ault"></xref>
encoded as precomposed UTF-8 <xref target="RFC3629" format="default"></x
ref>.</t>
<t>Users typically interact with service discovery software by <t>Users typically interact with service discovery software by
viewing a list of discovered service instance names on a display, viewing a list of discovered service instance names on a display
and selecting one of them by pointing, touching, or clicking. and selecting one of them by pointing, touching, or clicking.
Similarly, in software that provides a multi-domain DNS-SD user Similarly, in software that provides a multi-domain DNS-SD user
interface, users view a list of offered domains on the display interface, users view a list of offered domains on the display
and select one of them by pointing, touching, or clicking. and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance To use a service, users don't have to remember domain or instance
names, or type them; users just have to be able to recognize what names, or type them; users just have to be able to recognize what
they see on the display and touch or click on the thing they want.</t> they see on the display and touch or click on the thing they want.</t>
<t>In contrast, host names are often remembered and typed. Also, host
<t>In contrast, host names are often remembered and typed. names have historically been used in command-line interfaces where
Also, host names have historically been used in command-line spaces can be inconvenient. For this reason, host names have
interfaces traditionally been restricted to letters, digits, and hyphens (LDH)
where spaces can be inconvenient. For this reason, host names have with no spaces or other punctuation.</t> <t>While we do want to allow
traditionally been restricted to letters, digits and hyphens (LDH), rich text for DNS-SD service instance names and domains, it is
with advisable, for maximum compatibility with existing usage, to restrict
no spaces or other punctuation.</t> host names to the traditional letter-digit-hyphen rules. This means
that while the service name
<t>While we do want to allow rich text for DNS-SD service "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" is acceptable
instance names and domains, it is advisable, for maximum and desirable (it is displayed in a graphical user interface as an
compatibility with existing usage, to restrict host names instance called "My&nbsp;Printer" in the domain "Building&nbsp;1" at
to the traditional letter-digit-hyphen rules. "example.com"), the host name "My-Printer.Building&nbsp;1.example.com"
This means that while a service name is less desirable (because of the space in "Building&nbsp;1").</t>
"My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" <t>To accommodate this difference in allowable characters, a Discovery
is acceptable and desirable Proxy <bcp14>SHOULD</bcp14> support having two separate subdomains
(it is displayed in a graphical user interface as an instance called delegated to it for each link it serves: one whose name is allowed to
"My&nbsp;Printer" in the domain "Building&nbsp;1" at "example.com"), contain arbitrary Net-Unicode text <xref target="RFC5198"
a host name "My-Printer.Building&nbsp;1.example.com" is less desirable format="default"/> and a second more constrained subdomain whose name
(because of the space in "Building&nbsp;1").</t> is restricted to contain only letters, digits, and hyphens, to be used
for host name records (names of 'A' and 'AAAA' address records). The
<t>To accomodate this difference in allowable characters, a Discovery restricted names may be any valid name consisting of only letters,
Proxy digits, and hyphens, including Punycode-encoded names <xref
SHOULD support having two separate subdomains delegated to it target="RFC3492" format="default"/>.
for each link it serves, one whose name
is allowed to contain arbitrary Net-Unicode text <xref
target="RFC5198"/>,
and a second more constrained subdomain whose name is restricted to
contain
only letters, digits, and hyphens, to be used for host name records
(names of 'A' and 'AAAA' address records).
The restricted names may be any valid name consisting of only
letters, digits, and hyphens, including Punycode-encoded names <xref
target="RFC3492"/>.
</t> </t>
<?rfc needLines="12" ?>
<t>For example, a Discovery Proxy could have the two subdomains <t>For example, a Discovery Proxy could have the two subdomains
"Building&nbsp;1.example.com" and "bldg1.example.com" delegated to it. "Building&nbsp;1.example.com" and "bldg1.example.com" delegated to it.
The Discovery Proxy would then translate these two Multicast DNS The Discovery Proxy would then translate these two Multicast DNS
records:</t> records:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2</artwork></figure> prnt.local. A 203.0.113.2]]></artwork>
<t>into Unicast DNS records as follows:</t> <t>into Unicast DNS records as follows:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg1.example.com.
prnt.bldg1.example.com. A 203.0.113.2</artwork></figure> prnt.bldg1.example.com. A 203.0.113.2]]></artwork>
<t>Note that the SRV record name is translated using the rich-text <t>Note that the SRV record name is translated using the rich-text
domain name ("Building&nbsp;1.example.com") and the address record domain name ("Building&nbsp;1.example.com"), and the address record
name is translated using the LDH domain ("bldg1.example.com").</t> name is translated using the LDH domain ("bldg1.example.com").</t>
<t>A Discovery Proxy <bcp14>MAY</bcp14> support only a single
<t>A Discovery Proxy MAY support only a single rich text Net-Unicode rich-text Net-Unicode domain and use that domain for all records,
domain, and including 'A' and 'AAAA' address records, but implementers choosing
use that domain for all records, including 'A' and 'AAAA' address this option should be aware that this choice may produce host names
records, that are awkward to use in command-line environments. Whether or not th
but implementers choosing this option should be aware that this choice is is
may produce host names that are awkward to use in command-line an issue depends on whether users in the target environment are
environments. expected to be using command-line interfaces.</t>
Whether this is an issue depends on whether users in the target <t>A Discovery Proxy <bcp14>MUST NOT</bcp14> be restricted to support on
environment ly a
are expected to be using command-line interfaces.</t>
<t>A Discovery Proxy MUST NOT be restricted to support only a
letter-digit-hyphen letter-digit-hyphen
subdomain, because that results in an unnecessarily poor user subdomain, because that results in an unnecessarily poor user
experience.</t> experience.</t>
<t>As described above in <xref target="unicast"/>, for clarity, <t>As described in <xref target="unicast" format="default"/>, for
space characters in names are shown as actual spaces. clarity, space characters in names are shown as actual spaces. If
If this data were to be manually entered into a textual zone file this data were to be manually entered into a textual zone file (which
(which it isn't) it isn't), then spaces would need to be represented using '\032', so
then spaces would need to be represented using '\032', so
"My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com." would become "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com." would become
"My\032Printer._ipp._tcp.Building\0321.example.com."<vspace /> "My\032Printer._ipp._tcp.Building\0321.example.com."</t>
Note that the '\032' representation does not appear <t>
in the network packets sent over the air. Note that the '\032' representation does not appear in the network packets
In the wire format of DNS messages, spaces are sent as spaces, not as sent over the air. In the wire format of DNS messages, spaces are sent as
'\032', spaces, not as '\032', and likewise, in a graphical user interface at the
and likewise, in a graphical user interface at the client device, client device, spaces are shown as spaces, not as '\032'.
spaces are shown as spaces, not as '\032'. </t>
</t> </section>
<?rfc needLines="36" ?>
</section>
<section anchor="dom-rev" title="Delegated Subdomain for Reverse <section anchor="dom-rev" numbered="true" toc="default">
Mapping"> <name>Delegated Subdomain for Reverse Mapping</name>
<t>A Discovery Proxy can facilitate easier management of reverse <t>A Discovery Proxy can facilitate easier management of reverse
mapping domains, particularly for IPv6 addresses where manual mapping domains particularly for IPv6 addresses where manual
management may be more onerous than it is for IPv4 addresses.</t> management may be more onerous than it is for IPv4 addresses.</t>
<t>To achieve this, in the parent domain, NS records are used to <t>To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to delegate ownership of the appropriate reverse mapping domain to
the Discovery Proxy. In other words, the Discovery Proxy becomes the the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain. authoritative name server for the reverse mapping domain.
For fault tolerance reasons there may be more than one For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.</t> Discovery Proxy serving a given link.</t>
<t>If a given link is using the IPv4 subnet 203.0.113/24,
<t>If a given link is using the IPv4 subnet 203.0.113/24,<vspace/> then the domain "113.0.203.in-addr.arpa"
then the domain "113.0.203.in-addr.arpa"<vspace/>
is delegated to the Discovery Proxy for that link.</t> is delegated to the Discovery Proxy for that link.</t>
<t>For example, if a given link is using the
<t>For example, if a given link is using the<vspace/> IPv6 prefix 2001:0DB8:1234:5678/64,
IPv6 prefix 2001:0DB8:1234:5678/64,<vspace/> then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"<vspace/>
is delegated to the Discovery Proxy for that link.</t> is delegated to the Discovery Proxy for that link.</t>
<t>When a reverse mapping query arrives at the Discovery Proxy, it <t>When a reverse mapping query arrives at the Discovery Proxy, it
issues issues the identical query on its local link as a Multicast DNS query.
the identical query on its local link as a Multicast DNS query. The mechanism to force an apparently unicast name to be resolved using
The mechanism to force an apparently unicast name to be resolved link-local Multicast DNS varies depending on the API set being used.
using link-local Multicast DNS varies depending on the API set being For example, in the "dns_sd.h" APIs (available on macOS, iOS, Bonjour
used. for Windows, Linux, and Android), using kDNSServiceFlagsForceMulticast
For example, in the "dns_sd.h" APIs<vspace/> indicates that the DNSServiceQueryRecord() call should perform the
(available on macOS, iOS, Bonjour for Windows, Linux and Android), query using Multicast DNS. Other API sets have different ways of
using kDNSServiceFlagsForceMulticast forcing multicast queries. When the host owning that IPv4 or IPv6
indicates that the DNSServiceQueryRecord() address responds with a name of the form "something.local", the
call should perform the query using Multicast DNS. Discovery Proxy rewrites it to use its configured LDH host name
Other APIs sets have different ways of forcing multicast queries. domain instead of "local" and returns the response to the caller.</t>
When the host owning that IPv4 or IPv6 address responds
with a name of the form "something.local", the Discovery Proxy
rewrites that to use its configured LDH host name domain instead
of "local", and returns the response to the caller.</t>
<?rfc needLines="15" ?>
<t>For example, a Discovery Proxy with the two subdomains <t>For example, a Discovery Proxy with the two subdomains
"113.0.203.in&nbhy;addr.arpa" and "bldg1.example.com" delegated to it "113.0.203.in&nbhy;addr.arpa" and "bldg1.example.com" delegated to it
would translate this Multicast DNS record:</t> would translate this Multicast DNS record:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork> 2.113.0.203.in-addr.arpa. PTR prnt.local.]]></artwork>
2.113.0.203.in-addr.arpa. PTR prnt.local.</artwork></figure>
<t>into this Unicast DNS response:</t> <t>into this Unicast DNS response:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork> 2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.]]></artwork>
2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.</artwork></figure>
<t>Subsequent queries for the prnt.bldg1.example.com address <t>Subsequent queries for the prnt.bldg1.example.com address
record, falling as it does within the bldg1.example.com domain, record, falling as it does within the bldg1.example.com domain,
which is delegated to the Discovery Proxy, will arrive at the which is delegated to the Discovery Proxy, will arrive at the
Discovery Proxy, where they are answered by issuing Multicast DNS Discovery Proxy where they are answered by issuing Multicast DNS
queries queries
and using the received Multicast DNS answers to synthesize Unicast and using the received Multicast DNS answers to synthesize Unicast
DNS responses, as described above.</t> DNS responses, as described above.</t>
<t>Note that this design assumes that all addresses on a given <t>Note that this design assumes that all addresses on a given
IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery
Proxy mechanism. Proxy mechanism.
It would be possible to implement a Discovery Proxy that can be It would be possible to implement a Discovery Proxy that can be
configured configured
so that some address-to-name mappings are performed using Multicast so that some address-to-name mappings are performed using Multicast
DNS DNS
on the local link, while other address-to-name mappings within the on the local link, while other address-to-name mappings within the
same same
IPv4 subnet or IPv6 prefix are configured manually.</t> IPv4 subnet or IPv6 prefix are configured manually.</t>
skipping to change at line 864 skipping to change at line 859
<t>Note that this design assumes that all addresses on a given <t>Note that this design assumes that all addresses on a given
IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery
Proxy mechanism. Proxy mechanism.
It would be possible to implement a Discovery Proxy that can be It would be possible to implement a Discovery Proxy that can be
configured configured
so that some address-to-name mappings are performed using Multicast so that some address-to-name mappings are performed using Multicast
DNS DNS
on the local link, while other address-to-name mappings within the on the local link, while other address-to-name mappings within the
same same
IPv4 subnet or IPv6 prefix are configured manually.</t> IPv4 subnet or IPv6 prefix are configured manually.</t>
<?rfc needLines="46" ?>
</section> </section>
<section title="Data Translation"> <section numbered="true" toc="default">
<t>Generating the appropriate Multicast DNS queries involves,<vspace/> <name>Data Translation</name>
<t>Generating the appropriate Multicast DNS queries involves,
at the very least, translating from the configured DNS domain at the very least, translating from the configured DNS domain
(e.g.,&nbsp;"Building&nbsp;1.example.com") on the Unicast DNS side (e.g.,&nbsp;"Building&nbsp;1.example.com") on the Unicast DNS side
to "local" on the Multicast DNS side.</t> to "local" on the Multicast DNS side.</t>
<t>Generating the appropriate Unicast DNS responses involves <t>Generating the appropriate Unicast DNS responses involves
translating back from "local" to the appropriate configured DNS translating back from "local" to the appropriate configured DNS
Unicast domain.</t> Unicast domain.</t>
<t>Other beneficial translation and filtering operations are described <t>Other beneficial translation and filtering operations are described
below.</t> below.</t>
<section anchor="ttl" numbered="true" toc="default">
<section anchor="ttl" title="DNS TTL limiting"> <name>DNS TTL Limiting</name>
<t>For efficiency, Multicast DNS typically uses moderately high <t>For efficiency, Multicast DNS typically uses moderately high DNS
DNS TTL values. For example, the typical TTL on DNS-SD PTR records TTL values. For example, the typical TTL on DNS-SD PTR records is 75
is 75 minutes. What makes these moderately high TTLs acceptable minutes. What makes these moderately high TTLs acceptable is the
is the cache coherency mechanisms built in to the Multicast DNS cache coherency mechanisms built in to the Multicast DNS protocol
protocol which protect against stale data persisting for too long. that protect against stale data persisting for too long. When a
When a service shuts down gracefully, it sends goodbye packets service shuts down gracefully, it sends goodbye packets to remove
to remove its PTR records immediately from neighboring caches. its PTR records immediately from neighboring caches. If a service
If a service shuts down abruptly without sending goodbye packets, shuts down abruptly without sending goodbye packets, the Passive
the Passive Observation Of Failures (POOF) mechanism described Observation Of Failures (POOF) mechanism described in <xref
in Section 10.5 of the <xref target="RFC6762">Multicast DNS target="RFC6762" sectionFormat="of" section="10.5">the Multicast DNS
specification</xref> specification</xref> comes into play to purge the cache of stale data.
comes into play to purge the cache of stale data.</t> </t>
<t>A traditional Unicast DNS client on a distant remote link does <t>A traditional Unicast DNS client on a distant remote link does
not get to participate not get to participate in these Multicast DNS cache coherency
in these Multicast DNS cache coherency mechanisms on the local link. mechanisms on the local link. For traditional Unicast DNS queries
For traditional Unicast DNS queries (those received without using Long-Lived Queries (LLQ) <xref
(those received without using Long-Lived Query <xref target="LLQ"/> target="RFC8764" format="default"/> or DNS Push
or DNS Push Notification subscriptions <xref target="Push"/>) Notification subscriptions <xref target="RFC8765"
the DNS TTLs reported in the resulting Unicast DNS response format="default"/>), the DNS TTLs reported in the resulting Unicast
MUST be capped to be no more than ten seconds.</t> DNS response <bcp14>MUST</bcp14> be capped to be no more than ten
seconds.</t>
<t>Similarly, for negative responses, the negative caching TTL <t>Similarly, for negative responses, the negative caching TTL
indicated indicated in the SOA record <xref target="RFC2308"
in the SOA record <xref target="RFC2308"/> should also be ten format="default"/> should also be ten seconds (see <xref target="soa"
seconds format="default"/>).</t>
(<xref target="soa"/>).</t>
<t>This value of ten seconds is chosen based on user-experience <t>This value of ten seconds is chosen based on user-experience
considerations.</t> considerations.</t>
<t>For negative caching, suppose a user is attempting to access a <t>For negative caching, suppose a user is attempting to access a
remote remote device (e.g., a printer), and they are unsuccessful because
device (e.g., a printer), and they are unsuccessful because that that device is powered off. Suppose they then place a telephone call
device and ask for the device to be powered on. We want the device to
is powered off. Suppose they then place a telephone call and ask for become available to the user within a reasonable time period. It is
the reasonable to expect it to take on the order of ten seconds for a
device to be powered on. We want the device to become available to simple device with a simple embedded operating system to power
the on. Once the device is powered on and has announced its presence on
user within a reasonable time period. It is reasonable to expect it the network via Multicast DNS, we would like it to take no more than
to a further ten seconds for stale negative cache entries to expire
take on the order of ten seconds for a simple device with a simple from Unicast DNS caches, making the device available to the user
embedded operating system to power on. Once the device is powered on desiring to access it.</t>
and
has announced its presence on the network via Multicast DNS, we
would
like it to take no more than a further ten seconds for stale
negative
cache entries to expire from Unicast DNS caches, making the device
available to the user desiring to access it.</t>
<t>Similar reasoning applies to capping positive TTLs at ten <t>Similar reasoning applies to capping positive TTLs at ten
seconds. seconds.
In the event of a device moving location, getting a new DHCP In the event of a device moving location, getting a new DHCP
address, address,
or other renumbering events, we would like the updated information or other renumbering events, we would like the updated information
to to
be available to remote clients in a relatively timely fashion.</t> be available to remote clients in a relatively timely fashion.</t>
<t>However, network administrators should be aware that many <t>However, network administrators should be aware that many
recursive recursive
(caching) DNS servers by default are configured to impose a minimum (caching) DNS servers by default are configured to impose a minimum
TTL of TTL of
30 seconds. If stale data appears to be persisting in the network to 30 seconds. If stale data appears to be persisting in the network to
the the
extent that it adversely impacts user experience, network extent that it adversely impacts user experience, network
administrators administrators
are advised to check the configuration of their recursive DNS are advised to check the configuration of their recursive DNS
servers.</t> servers.</t>
skipping to change at line 950 skipping to change at line 929
<t>However, network administrators should be aware that many <t>However, network administrators should be aware that many
recursive recursive
(caching) DNS servers by default are configured to impose a minimum (caching) DNS servers by default are configured to impose a minimum
TTL of TTL of
30 seconds. If stale data appears to be persisting in the network to 30 seconds. If stale data appears to be persisting in the network to
the the
extent that it adversely impacts user experience, network extent that it adversely impacts user experience, network
administrators administrators
are advised to check the configuration of their recursive DNS are advised to check the configuration of their recursive DNS
servers.</t> servers.</t>
<t>For received Unicast DNS queries that use LLQ <xref target="RFC8764
<t>For received Unicast DNS queries that use LLQ <xref " format="default"/> or
target="LLQ"/> or DNS Push Notifications <xref target="RFC8765" format="default"/>, the
DNS Push Notifications <xref target="Push"/>, the Multicast DNS Multicast DNS
record's TTL SHOULD be record's TTL <bcp14>SHOULD</bcp14> be
returned unmodified, because the Push Notification channel exists returned unmodified, because the Push Notification channel exists
to inform the remote client as records come and go. to inform the remote client as records come and go.
For further details about Long-Lived Queries, and its newer For further details about Long-Lived Queries and its newer
replacement, replacement,
DNS Push Notifications, see <xref target="aggregation"/>.</t> DNS Push Notifications, see <xref target="aggregation" format="default "/>.</t>
</section> </section>
<section anchor="unusable" numbered="true" toc="default">
<section anchor="unusable" title="Suppressing Unusable Records"> <name>Suppressing Unusable Records</name>
<t>A Discovery Proxy SHOULD offer a configurable option, <t>A Discovery Proxy <bcp14>SHOULD</bcp14> offer a configurable option
,
enabled by default, to suppress Unicast DNS answers enabled by default, to suppress Unicast DNS answers
for records that are not useful outside the local link. for records that are not useful outside the local link.
When the option to suppress unusable records is enabled: When the option to suppress unusable records is enabled:
<list style='symbols'> </t>
<ul spacing="normal">
<t>DNS A and AAAA records for <li>DNS A and AAAA records for
IPv4 link-local addresses <xref target="RFC3927"/> IPv4 link-local addresses <xref target="RFC3927" format="default"/
>
and and
IPv6 link-local addresses <xref target="RFC4862"/> IPv6 link-local addresses <xref target="RFC4862" format="default"/
SHOULD be suppressed.</t> >
<bcp14>SHOULD</bcp14> be suppressed.</li>
<t>Similarly, for sites that have multiple private address <li>Similarly, for sites that have multiple private address
realms <xref target="RFC1918"/>, realms <xref target="RFC1918" format="default"/>,
in cases where the Discovery Proxy can determine that the in cases where the Discovery Proxy can determine that the
querying client querying client
is in a different address realm, private addresses SHOULD NOT be is in a different address realm, private addresses <bcp14>SHOULD N
communicated to that client.</t> OT</bcp14> be
communicated to that client.</li>
<t><xref target="RFC4193">IPv6 Unique Local Addresses</xref> <li>
SHOULD be suppressed IPv6 Unique Local Addresses <xref target="RFC4193" format="default
"></xref>
<bcp14>SHOULD</bcp14> be suppressed
in cases where the Discovery Proxy can determine that the in cases where the Discovery Proxy can determine that the
querying client querying client
is in a different IPv6 address realm.</t> is in a different IPv6 address realm.</li>
<li>By the same logic, DNS SRV records that reference target host
<t>By the same logic, DNS SRV records that reference target host
names that have no addresses usable by the requester should be names that have no addresses usable by the requester should be
suppressed, and likewise, DNS PTR records that point to unusable suppressed, and likewise, DNS PTR records that point to unusable
SRV records should be similarly be suppressed.</t> SRV records should similarly be suppressed.</li>
</list> </ul>
</t>
<?rfc needLines="8" ?>
</section> </section>
<section numbered="true" toc="default">
<section title="NSEC and NSEC3 queries"> <name>NSEC and NSEC3 Queries</name>
<t>Multicast DNS devices do not routinely announce their records <t>Multicast DNS devices do not routinely announce their records
on the network. Generally they remain silent until queried. on the network. Generally, they remain silent until queried.
This means that the complete set of Multicast DNS records in use on This means that the complete set of Multicast DNS records in use on
a a
link can only be discovered by active querying, not by passive link can only be discovered by active querying, not by passive
listening. listening.
Because of this, a Discovery Proxy can only know what names exist on Because of this, a Discovery Proxy can only know what names exist on
a link a link
by issuing queries for them, and since it would be impractical to by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
generate the traditional generate the traditional
<xref target="RFC4034">NSEC</xref> and NSEC <xref target="RFC4034" format="default"></xref> and
<xref target="RFC5155">NSEC3</xref> records NSEC3 <xref target="RFC5155" format="default"></xref> records
which assert the nonexistence of a large range of names.</t> that assert the nonexistence of a large range of names.</t>
<t>When queried for an NSEC or NSEC3 record type, the Discovery <t>When queried for an NSEC or NSEC3 record type, the Discovery
Proxy issues Proxy issues
a qtype "ANY" query using Multicast DNS on the local link, and then a qtype "ANY" query using Multicast DNS on the local link and then
generates an NSEC or NSEC3 response with a Type Bit Map signifying generates an NSEC or NSEC3 response with a Type Bit Map signifying
which record types do and do not exist for just the specific name which record types do and do not exist for just the specific name
queried, queried,
and no other names.</t> and no other names.</t>
<t>Multicast DNS NSEC records received on the local link <t>Multicast DNS NSEC records received on the local link
MUST NOT be forwarded unmodified to a unicast querier, because there <bcp14>MUST NOT</bcp14> be forwarded unmodified to a unicast querier, because there
are are
slight differences in the NSEC record data. slight differences in the NSEC record data.
In particular, Multicast DNS NSEC records do not have the NSEC In particular, Multicast DNS NSEC records do not have the NSEC
bit set in the Type Bit Map, whereas conventional Unicast DNS bit set in the Type Bit Map, whereas conventional Unicast DNS
NSEC records do have the NSEC bit set.</t> NSEC records do have the NSEC bit set.</t>
</section> </section>
<section anchor="notrans" numbered="true" toc="default">
<section anchor="notrans" title="No Text Encoding Translation"> <name>No Text-Encoding Translation</name>
<t>A Discovery Proxy does no translation between text encodings. <t>A Discovery Proxy does no translation between text encodings.
Specifically, a Discovery Proxy does no translation between Specifically, a Discovery Proxy does no translation between Punycode
<xref target="RFC3492">Punycode encoding</xref> and encoding <xref
<xref target="RFC3629">UTF-8 encoding</xref>, target="RFC3492" format="default"></xref> and UTF-8 encoding <xref
either in the owner name of DNS records, or anywhere in the RDATA of target="RFC3629" format="default"></xref>, either in
DNS records the owner name of DNS records or anywhere in the RDATA of DNS
(such as the RDATA of PTR records, SRV records, NS records, or other records (such as the RDATA of PTR records, SRV records, NS records,
record types or other record types like TXT, where it is ambiguous whether the
like TXT, where it is ambiguous whether the RDATA may contain DNS RDATA may contain DNS names). All bytes are treated as-is with no
names). attempt at text-encoding translation. A client implementing
All bytes are treated as-is, with no attempt at text encoding DNS-based Service Discovery <xref target="RFC6763"
translation. format="default"/> will use UTF-8 encoding for its service discovery
A client implementing DNS-based Service Discovery <xref queries, which the Discovery Proxy passes through without any
target="RFC6763"/> text-encoding translation to the Multicast DNS subsystem. Responses
will use UTF-8 encoding for its service discovery queries, which the from the Multicast DNS subsystem are similarly returned, without any
Discovery Proxy passes through without any text encoding translation text-encoding translation, back to the requesting client.</t>
to the Multicast DNS subsystem.
Responses from the Multicast DNS subsystem are similarly returned,
without any text encoding translation, back to the requesting
client.</t>
<?rfc needLines="13" ?>
</section> </section>
<section title="Application-Specific Data Translation"> <section numbered="true" toc="default">
<name>Application-Specific Data Translation</name>
<t>There may be cases where Application-Specific Data Translation is <t>There may be cases where Application-Specific Data Translation is
appropriate.</t> appropriate.</t>
<!-- [rfced] FYI: We added the word "of" in "use this extra TXT record".
Please review.
Original:
For local mDNS use this extra TXT record information is inefficient, but
not fatal.
Updated:
For local multicast DNS (mDNS), use of this extra TXT record information
is inefficient but not fatal.
-->
<t>For example, AirPrint printers tend to advertise fairly verbose <t>For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. information about their capabilities in their DNS-SD TXT record.
TXT record sizes in the range 500-1000 bytes are not uncommon. TXT record sizes in the range of 500-1000 bytes are not uncommon.
This information is a legacy from LPR printing, because LPR does not This information is a legacy from lineprinter (LPR) printing,
have in-band capability negotiation, so all of this information is because LPR does not have in-band capability negotiation, so all of
conveyed using the DNS-SD TXT record instead. this information is conveyed using the DNS-SD TXT record instead.
IPP printing does have in-band capability negotiation, but for Internet Printing Protocol (IPP) printing does have in-band
convenience printers tend to include the same capability information capability negotiation, but for convenience, printers tend to include
in their IPP DNS-SD TXT records as well. For local mDNS use this the same capability information in their IPP DNS-SD TXT records as
extra TXT record information is inefficient, but not fatal. well. For local multicast DNS (mDNS), use of this extra TXT record inf
However, when a Discovery Proxy aggregates data from multiple ormation is
printers inefficient but not fatal. However, when a Discovery Proxy
on a link, and sends it via unicast (via UDP or TCP) aggregates data from multiple printers on a link, and sends it via
this amount of unnecessary TXT record information can unicast (via UDP or TCP), this amount of unnecessary TXT record
result in large responses. information can result in large responses. A DNS reply over TCP
A DNS reply over TCP carrying information about 70 printers carrying information about 70 printers with an average of 700 bytes
with an average of 700 bytes per printer adds up to about per printer adds up to about 50 kilobytes of data. Therefore, a
50 kilobytes of data. Discovery Proxy that is aware of the specifics of an
Therefore, a Discovery Proxy that is aware of application-layer protocol such as AirPrint (which uses IPP) can
the specifics of an application-layer protocol such as elide unnecessary key/value pairs from the DNS-SD TXT record for
AirPrint (which uses IPP) can elide unnecessary key/value pairs from better network efficiency.</t>
the DNS-SD TXT record for better network efficiency.</t>
<t>Also, the DNS-SD TXT record for many printers contains an <t>Also, the DNS-SD TXT record for many printers contains an
"adminurl" "adminurl" key similar to
key something like "adminurl=http://printername.local/status.html". "adminurl=http://printername.local/status.html". For this URL to be
For this URL to be useful outside the local link, the embedded useful outside the local link, the embedded ".local" hostname needs
".local" to be translated to an appropriate name with larger scope. It is
hostname needs to be translated to an appropriate name with larger easy to translate ".local" names when they appear in well-defined
scope. places either as a record's name or in the rdata of record types
It is easy to translate ".local" names when they appear in like PTR and SRV. In the printing case, some application-specific
well-defined places, knowledge about the semantics of the "adminurl" key is needed for
either as a record's name, or in the rdata of record types like PTR the Discovery Proxy to know that it contains a name that needs to be
and SRV. translated. This is somewhat analogous to the need for NAT gateways
In the printing case, some application-specific knowledge about the to contain ALGs (Application-Specific Gateways) to facilitate the
semantics of the "adminurl" key is needed for the Discovery Proxy correct translation of protocols that embed addresses in unexpected
to know that it contains a name that needs to be translated. places.</t>
This is somewhat analogous to the need for NAT gateways to contain
ALGs
(Application-Specific Gateways) to facilitate the correct
translation
of protocols that embed addresses in unexpected places.</t>
<t>To avoid the need for application-specific knowledge about the <t>To avoid the need for application-specific knowledge about the
semantics of particular TXT record keys, protocol designers are semantics of particular TXT record keys, protocol designers are
advised to avoid advised to avoid placing link-local names or link-local IP addresses
placing link-local names or link-local IP addresses in TXT record in TXT record keys if translation of those names or addresses would
keys, be required for off-link operation. In the printing case, the
if translation of those names or addresses would be required for operational failure of failing to translate the "adminurl" key
off-link operation. correctly is that, when accessed from a different link, printing
In the printing case, the operational failure of failing to will still work, but clicking the "Admin" UI button will fail to
translate open the printer's administration page. Rather than duplicating the
the "adminurl" key correctly is that, when accessed from a different host name from the service's SRV record in its "adminurl" key,
link, thereby having the same host name appear in two places, a better
printing will still work, but clicking the "Admin" UI button design might have been to omit the host name from the "adminurl"
will fail to open the printer's administration page. key and instead have the client implicitly substitute the target
Rather than duplicating the host name from the service's SRV record host name from the service's SRV record in place of a missing host
in its name in the "adminurl" key. That way, the desired host name only
"adminurl" key, thereby having the same host name appear in two appears once and is in a well-defined place where software like
places, the Discovery Proxy is expecting to find it.</t>
a better design might have been to omit the host name from the
"adminurl" key,
and instead have the client implicitly substitute the target host
name from the service's SRV record in place of a missing host name
in the "adminurl" key.
That way the desired host name only appears once, and it is in a
well-defined place
where software like the Discovery Proxy is expecting to find it.</t>
<t>Note that this kind of Application-Specific Data Translation is <t>Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare; it is the exception rather than the rule.
This is an example of a common theme in computing. This is an example of a common theme in computing. It is frequently
It is frequently the case that it is wise to start with a clean, the case that it is wise to start with a clean, layered design with
layered design, with clear boundaries. Then, in certain special clear boundaries. Then, in certain special cases, those layer
cases, boundaries may be violated where the performance and efficiency
those layer boundaries may be violated, where the performance and benefits outweigh the inelegance of the layer violation.</t>
efficiency benefits outweigh the inelegance of the layer
violation.</t>
<t>These layer violations are optional. They are done primarily for <t>These layer violations are optional. They are done primarily for
efficiency efficiency reasons and generally should not be required for correct
reasons, and generally should not be required for correct operation. operation. A Discovery Proxy <bcp14>MAY</bcp14> operate solely at
A Discovery Proxy MAY operate solely at the mDNS layer, the mDNS layer without any knowledge of semantics at the DNS-SD
without any knowledge of semantics at the DNS-SD layer or above.</t> layer or above.</t>
</section>
<?rfc needLines="30" ?>
</section> </section>
</section> <section anchor="aggregation" numbered="true" toc="default">
<name>Answer Aggregation</name>
<section anchor="aggregation" title="Answer Aggregation">
<t>In a simple analysis, simply gathering multicast answers and <t>In a simple analysis, simply gathering multicast answers and
forwarding them forwarding them in a unicast response seems adequate, but it raises
in a unicast response seems adequate, but it raises the the question of how long the Discovery Proxy should wait to be sure
question of how long the Discovery Proxy should wait to be sure that that it has received all the Multicast DNS answers it needs to form a
it has received complete Unicast DNS response. If it waits too little time, then it
all the Multicast DNS answers it needs to form a complete Unicast DNS risks its Unicast DNS response being incomplete. If it waits too
response. long, then it creates a poor user experience at the client end. In
If it waits too little time, then it risks its Unicast DNS response fact, there may be no time that is both short enough to produce a
being incomplete. good user experience and at the same time long enough to reliably
If it waits too long, then it creates a poor user experience at the produce complete results.</t>
client end. <t>Similarly, the Discovery Proxy (the authoritative name server for
In fact, there may be no time which is both short enough to produce a the subdomain in question) needs to decide what DNS TTL to report
good for these records. If the TTL is too long, then the recursive
user experience and at the same time long enough to reliably produce (caching) name servers issuing queries on behalf of their clients risk
complete results.</t> caching stale data for too long. If the TTL is too short, then the
amount of network traffic will be more than necessary. In fact, there
<t>Similarly, the Discovery Proxy may be no TTL that is both short enough to avoid undesirable stale
-- the authoritative name server for the subdomain in question -- data and, at the same time, long enough to be efficient on the
needs to decide what DNS TTL to report for these records. network.</t>
If the TTL is too long then the recursive (caching) name servers <t>Both these dilemmas are solved by the use of DNS Long-Lived Queries
issuing queries on behalf of their clients risk caching stale
data for too long. If the TTL is too short then the amount of
network traffic will be more than necessary.
In fact, there may be no TTL which is both short enough to avoid
undesirable stale data and at the same time long enough to be
efficient on the network.</t>
<t>Both these dilemmas are solved by use of DNS Long-Lived Queries
(DNS&nbsp;LLQ) (DNS&nbsp;LLQ)
<xref target="LLQ"/> or its newer replacement, <xref target="RFC8764" format="default"/> or its newer replacement,
<xref target="Push">DNS Push Notifications</xref>.</t> DNS Push Notifications <xref target="RFC8765" format="default"></xref>.<
/t>
<t>Clients supporting unicast DNS Service Discovery SHOULD implement <t>Clients supporting unicast DNS Service Discovery <bcp14>SHOULD</bcp14
<xref target="Push">DNS Push Notifications</xref> > implement
DNS Push Notifications <xref target="RFC8765" format="default"></xref>
for improved user experience.</t> for improved user experience.</t>
<t>Clients and Discovery Proxies MAY support both DNS&nbsp;LLQ and <!-- [rfced] FYI: We've udpated two uses of "DNS Push" as a stand alone noun
DNS&nbsp;Push, to "DNS Push Notifications" to match all other instances in this
and when talking to a Discovery Proxy that supports both, the client document. Please review and let us know if updates are needed.
may use either protocol, as it chooses, though it is expected
that only DNS&nbsp;Push will continue to be supported in the long
run.</t>
<t>When a Discovery Proxy receives a query using DNS&nbsp;LLQ or Original:
DNS Push Notifications, it responds immediately using the Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push,
Multicast DNS records it already has in its cache (if any). and when...
This provides a good client user experience by providing a
near-instantaneous Updated:
Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push
Notifications, and when...
-->
<t>Clients and Discovery Proxies <bcp14>MAY</bcp14> support both
DNS&nbsp;LLQ and DNS&nbsp;Push Notifications, and when talking to a
Discovery Proxy that supports both, the client may use either
protocol, as it so chooses, though it is expected that only
DNS&nbsp;Push Notifications will continue to be supported in the long
run.</t> <t>When a Discovery Proxy receives a query using DNS&nbsp;LLQ
or DNS Push Notifications, it responds immediately using the Multicast
DNS records it already has in its cache (if any). This provides a
good client user experience by providing a near-instantaneous
response. Simultaneously, the Discovery Proxy issues a Multicast DNS response. Simultaneously, the Discovery Proxy issues a Multicast DNS
query on the query on the local link to discover if there are any additional
local link to discover if there are any additional Multicast DNS Multicast DNS records it did not already know about. Should additional
records it Multicast DNS responses be received, these are then delivered to the
did not already know about. Should additional Multicast DNS responses client using additional DNS&nbsp;LLQ or DNS Push Notification update
be messages. The timeliness of such update messages is limited only by
received, these are then delivered to the client using additional the timeliness of the device responding to the Multicast DNS query. If
DNS&nbsp;LLQ the Multicast DNS device responds quickly, then the update message is
or DNS Push Notification update messages. delivered quickly. If the Multicast DNS device responds slowly, then
The timeliness of such update messages is limited only by the the update message is delivered slowly. The benefit of using update
timeliness of the messages is that the Discovery Proxy can respond promptly because it
device responding to the Multicast DNS query. If the Multicast DNS doesn't have to delay its unicast response to allow for the expected
device worst-case delay for receiving all the Multicast DNS responses. Even
responds quickly, then the update message is delivered quickly. If the if a proxy were to try to provide reliability by assuming an
Multicast excessively pessimistic worst-case time (thereby giving a very poor
DNS device responds slowly, then the update message is delivered user experience), there would still be the risk of a slow Multicast
slowly. DNS device taking even longer than that worst-case time (e.g., a device
The benefit of using update messages is that the Discovery Proxy can that is not
respond promptly even powered on until ten seconds after the initial query is received),
because it doesn't have to delay its unicast response to allow for resulting in incomplete responses. Using an update message solves this
the expected worst-case delay for receiving all the Multicast DNS dilemma; even very late responses are not lost and are delivered in
responses. subsequent update messages.</t>
Even if a proxy were to try to provide reliability by assuming an <!-- [rfced] FYI: We have updated the following sentence to clarify what is
excessively pessimistic worst-case time (thereby giving a very meant by "that". Please let us know if this is incorrect.
poor user experience) there would still be the risk of a slow
Multicast DNS device taking even longer than that (e.g., a device
that is not even powered on until ten seconds after the initial
query is received) resulting in incomplete responses. Using update
message solves
this dilemma: even very late responses are not lost; they are
delivered
in subsequent update messages.</t>
<?rfc needLines="16" ?> Original:
Even if a proxy were to try to provide reliability by assuming an
excessively pessimistic worst-case time ... there would still be the risk of
a
slow Multicast DNS device taking even longer than that (e.g., a device that i
s
not even powered on until ten seconds after the initial query is received)
resulting in incomplete responses.
Updated:
Even if a proxy were to try to provide reliability by assuming an
excessively pessimistic worst-case time, ... there would still be the risk of
a slow Multicast DNS device taking even longer than that worst-case time
(e.g., a device that is not even powered on until ten seconds after the
initial query is received), resulting in incomplete responses.
-->
<t>There are two factors that determine specifically how responses <t>There are two factors that determine specifically how responses
are generated:</t> are generated:</t>
<t>The first factor is whether the query from the client used <!-- [rfced] May this text be updated for clarity?
LLQ or DNS Push Notifications
(used for long-lived service browsing PTR queries)
or not (used for one-shot operations like SRV or address record
queries).
Note that queries using LLQ or DNS Push Notifications are received
directly
from the client.
Queries not using LLQ or DNS Push Notifications are generally received
via the
client's configured recursive (caching) name server.</t>
<t>The second factor is whether the Discovery Proxy already has at Original:
least The first factor is whether the query from the client used LLQ or DNS Push
one record in its cache that positively answers the question. Notifications (used for long-lived service browsing PTR queries) or not
<list style='symbols'> (used for one-shot operations like SRV or address record queries).
Perhaps:
The first factor is whether or not the query from the client used LLQ or
DNS Push Notifications. Either is used for long-lived service browsing PTR
queries, while not using them is for one-shot operations like SRV or
address record queries.
-->
<t>
The first factor is whether the query from the client used LLQ or DNS Push
Notifications (used for long-lived service browsing PTR queries) or not
(used for one-shot operations like SRV or address record queries).
Note that queries using LLQ or DNS Push Notifications are
received directly from the client. Queries not using LLQ or DNS Push
Notifications are generally received via the client's configured
recursive (caching) name server.</t>
<t>The second factor is whether or not the Discovery Proxy already has
at least one record in its cache that positively answers the question.
</t>
<!-- [rfced] Are the following bullet points sufficiently introduced after
"The second factor is whether the Discovery Proxy already has at least
one record in its cache that positively answers the question."?
Would "If:" or "The cases are as follows:"
Original:
The second factor is whether the Discovery Proxy already has at least
one record in its cache that positively answers the question.
o Not using LLQ or Push Notifications; no answer in cache:
Issue an mDNS query, exactly as a local client would issue an mDNS ...
Perhaps:
The second factor is whether or not the Discovery Proxy already has
at least one record in its cache that positively answers the question.
The cases are as follows:
* Not using LLQ or Push Notifications; no answer in cache:
Issue an mDNS query exactly as a local client would issue an mDNS ...
-->
<ul spacing="normal">
<li>
<t>Not using LLQ or Push Notifications; no answer in <t>Not using LLQ or Push Notifications; no answer in
cache:<vspace/> cache:</t>
Issue an mDNS query, exactly as a local client would issue an mDNS <t>
query on the local link for the desired record name, type and Issue an mDNS query exactly as a local client would issue an mDNS
class, including retransmissions, as appropriate, according to query on the local link for the desired record name, type, and
the established mDNS retransmission schedule <xref class, including retransmissions, as appropriate, according to the
target="RFC6762"/>. established mDNS retransmission schedule <xref target="RFC6762"
As soon as any Multicast DNS response packet is received that format="default"/>. As soon as any Multicast DNS response packet
contains one or more positive answers to that question is received that contains one or more positive answers to that
(with or without the Cache Flush bit <xref target="RFC6762"/> question (with or without the Cache Flush bit <xref
set), target="RFC6762" format="default"/> set) or a negative answer
or a negative answer (signified via a Multicast DNS NSEC record (signified via a Multicast DNS NSEC record <xref target="RFC6762"
<xref target="RFC6762"/>), format="default"/>), the Discovery Proxy generates a Unicast DNS
the Discovery Proxy generates a Unicast DNS response packet response packet containing the corresponding (filtered and
containing the translated) answers and sends it to the remote client. If after
corresponding (filtered and translated) answers and sends it to six seconds no Multicast DNS answers have been received, cancel
the remote the mDNS query and return a negative response to the remote
client. If after six seconds no Multicast DNS answers have been client. Six seconds is enough time to transmit three mDNS queries
received, and allow some time for responses to arrive.</t>
cancel the mDNS query and <t>
return a negative response to the remote client. DNS TTLs in responses <bcp14>MUST</bcp14> be capped to at most ten
Six seconds is enough time to transmit three mDNS queries, seconds.</t>
and allow some time for responses to arrive.<vspace/> <t>
DNS TTLs in responses MUST be capped to at most ten
seconds.<vspace/>
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries generally queries
that that expect an answer from only one device, that expect an answer from only one device,
so the first response is also the only response.) so the first response is also the only response.)
<vspace blankLines="1"/>
</t> </t>
</li>
<li>
<t>Not using LLQ or Push Notifications; at least one answer in <t>Not using LLQ or Push Notifications; at least one answer in
cache:<vspace/> cache:</t>
Send response right away to minimise delay.<vspace/> <t>
DNS TTLs in responses MUST be capped to at most ten Send a response right away to minimize delay.</t>
seconds.<vspace/> <t>
No local mDNS queries are performed.<vspace/> DNS TTLs in responses <bcp14>MUST</bcp14> be capped to at most ten
seconds.</t>
<t>
No local mDNS queries are performed.</t>
<t>
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries generally queries
that that expect an answer from only one device. that expect an answer from only one device.
Given RRSet TTL harmonisation, if the proxy has Given RRSet TTL harmonization, if the proxy has
one Multicast DNS answer in its cache, it can reasonably one Multicast DNS answer in its cache, it can reasonably
assume that it has all of them.)</t> assume that it has all of them.)</t>
</li>
<t>Using LLQ or Push Notifications; no answer in cache:<vspace/> <li>
<t>Using LLQ or Push Notifications; no answer in cache:</t>
<t>
As in the case above with no answer in the cache, perform mDNS As in the case above with no answer in the cache, perform mDNS
querying for six seconds, and send a response to the remote querying for six seconds and send a response to the remote
client as soon as any relevant mDNS response is received.<vspace/> client as soon as any relevant mDNS response is received.</t>
<t>
If after six seconds no relevant mDNS response has been received, If after six seconds no relevant mDNS response has been received,
return negative response to the remote client return a negative response to the remote client
(for LLQ; not applicable for Push Notifications).<vspace/> (for LLQ; not applicable for Push Notifications).</t>
<t>
(Reasoning: We don't need to rush to send an empty (Reasoning: We don't need to rush to send an empty
answer.)<vspace/> answer.)</t>
Whether or not a relevant mDNS response is received within <t>
Regardless of whether or not a relevant mDNS response is received wi
thin
six seconds, the query remains active for as long as the six seconds, the query remains active for as long as the
client maintains the LLQ or Push Notification state, and if mDNS client maintains the LLQ or Push Notification state, and if mDNS
answers are answers are
received later, LLQ or Push Notification messages are received later, LLQ or Push Notification messages are
sent.<vspace/> sent.</t>
<t>
DNS TTLs in responses are returned unmodified.</t> DNS TTLs in responses are returned unmodified.</t>
</li>
<li>
<t>Using LLQ or Push Notifications; at least one answer in <t>Using LLQ or Push Notifications; at least one answer in
cache:<vspace/> cache:</t>
As in the case above with at least one answer in cache, <t>
send response right away to minimise delay.<vspace/> As in the case above with at least one answer in the cache,
The query remains active for as long as the client send a response right away to minimize delay.</t>
maintains the LLQ or Push Notification state, and <t>
results in transmission of mDNS queries, with appropriate Known The query remains active for as long as the client maintains the
Answer lists, LLQ or Push Notification state and results in the transmission of
to determine if further answers are available. mDNS queries with appropriate Known Answer lists to determine if
If additional mDNS answers are further answers are available. If additional mDNS answers are
received later, LLQ or Push Notification messages are received later, LLQ or Push Notification messages are sent.</t>
sent.<vspace/> <t>
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want UI that is displayed very rapidly yet
continues continues to remain accurate even as the network environment
to remain accurate even as the network environment changes.)</t>
changes.)<vspace/> <t>
DNS TTLs in responses are returned unmodified.</t> DNS TTLs in responses are returned unmodified.</t>
</list> </li>
</t> </ul>
<t>The "negative responses" referred to above are <t>The "negative responses" referred to above are
"no error no answer" negative responses, not NXDOMAIN. "no error no answer" negative responses, not NXDOMAIN.
This is because the Discovery Proxy cannot know all the Multicast This is because the Discovery Proxy cannot know all the Multicast
DNS domain names that may exist on a link at any given time, DNS domain names that may exist on a link at any given time,
so any name with no answers may have child names that do exist, so any name with no answers may have child names that do exist,
making it an "empty nonterminal" name.</t> making it an "empty non-terminal" name.</t>
<?rfc needLines="30" ?>
<t>Note that certain aspects of the behavior described here <t>Note that certain aspects of the behavior described here
do not have to be implemented overtly by the Discovery Proxy; do not have to be implemented overtly by the Discovery Proxy;
they occur naturally as a result of using existing Multicast DNS they occur naturally as a result of using existing Multicast DNS
APIs.</t> APIs.</t>
<t>For example, in the first case above (no LLQ or Push Notifications
and no answers in the cache), if a new Multicast DNS query is requested
(either by a local client or by the Discovery Proxy on behalf of a
remote client), and there is not already an identical Multicast DNS
query active and there are no matching answers already in the
Multicast DNS cache on the Discovery Proxy device, then this will
cause a series of Multicast DNS query packets to be issued with
exponential backoff. The exponential backoff sequence in some
implementations starts at one second and then doubles for each
retransmission (0, 1, 3, 7 seconds, etc.), and in others, it starts at o
ne
second and then triples for each retransmission (0, 1, 4, 13 seconds,
etc.). In either case, if no response has been received after six
seconds, that is long enough that the underlying Multicast DNS
implementation will have sent three query packets without receiving
any response. At that point, the Discovery Proxy cancels its Multicast
DNS query (so no further Multicast DNS query packets will be sent for
this query) and returns a negative response to the remote client via
unicast.</t>
<t>The six-second delay is chosen to be long enough to give enough
time for devices to respond, yet short enough not to be too onerous
for a human user waiting for a response. For example, using the "dig"
DNS debugging tool, the current default settings result in it waiting
a total of 15 seconds for a reply (three transmissions of the query
packet, with a wait of 5 seconds after each packet), which is ample
time for it to have received a negative reply from a Discovery Proxy
after six seconds.</t>
<t>For example, <!-- [rfced] The following sentence may be unclear as it's currently
in the first case above (no LLQ or Push Notifications, and no answers formatted. What is also occuring naturally?
in the cache)
if a new Multicast DNS query is requested
(either by a local client, or by the Discovery Proxy on behalf of a
remote client),
and there is not already an identical Multicast DNS query active,
and there are no matching answers already in the
Multicast DNS cache on the Discovery Proxy device,
then this will cause a series
of Multicast DNS query packets to be issued with exponential backoff.
The exponential backoff sequence in some implementations starts at one
second
and then doubles for each retransmission (0, 1, 3, 7 seconds, etc.)
and in others starts at one second
and then triples for each retransmission (0, 1, 4, 13 seconds, etc.).
In either case, if no response has been received after six seconds,
that is long enough that the underlying Multicast DNS implementation
will have sent three query packets without receiving any response.
At that point the Discovery Proxy cancels its Multicast DNS query
(so no further Multicast DNS query packets will be sent for this
query)
and returns a negative response to the remote client via unicast.</t>
<t>The six-second delay is chosen to be Original:
long enough to give enough time for devices to respond, yet The statement that for a one-shot query (i.e., no LLQ or Push
short enough not to be too onerous for a human user waiting for a Notifications requested), if at least one answer is already available in
response. the cache then a Discovery Proxy should not issue additional mDNS query
For example, using the "dig" DNS debugging tool, the current default packets, also occurs naturally as a result of using existing Multicast DNS
settings APIs.
result in it waiting a total of 15 seconds for a reply
(three transmissions of the query packet, with a wait of 5 seconds Perhaps:
after each packet) Regarding the following statement:
which is ample time for it to have received a negative reply from a For a one-shot query (i.e., no LLQ or Push Notification srequested)
Discovery Proxy if at least one answer is already available in the cache, then a
after six seconds.</t> Discovery Proxy should not issue additional mDNS query packets.
Such a scenario would also occur naturally as a result of using existing
Multicast DNS APIs.
Or perhaps:
[First sentence deleted]
For a one-shot query (i.e., no LLQ or Push Notifications requested), if
at least one answer is already available in the cache, then a Discovery
Proxy should not issue additional mDNS query packets.
This would also occur naturally as a result of using existing Multicast
DNS APIs.
-->
<t>The statement that for a one-shot query (i.e., no LLQ or Push <t>The statement that for a one-shot query (i.e., no LLQ or Push
Notifications requested), Notifications requested), if at least one answer is already available
if at least one answer is already available in the cache in the cache, then a Discovery Proxy should not issue additional mDNS
then a Discovery Proxy should not issue additional mDNS query packets, query packets, also occurs naturally as a result of using existing
also occurs naturally as a result of using existing Multicast DNS Multicast DNS APIs.
APIs. If a new Multicast DNS query is requested
If a new Multicast DNS query is requested (either locally, or by the Discovery Proxy on behalf of a remote
(either locally, or by the Discovery Proxy on behalf of a remote client), for which there are relevant answers already in the
client), Multicast DNS cache on the Discovery Proxy device, and after the
for which there are relevant answers already in the answers are delivered the Multicast DNS query is then canceled
Multicast DNS cache on the Discovery Proxy device, immediately, then no Multicast DNS query packets will be generated
and after the answers are delivered the Multicast DNS query is then for this query.
cancelled immediately, </t>
then no Multicast DNS query packets will be generated for this <!-- [rfced] The following sentence seems fragmented and unclear,
query.</t> in part due to one instance of "then" separate from the "If/then"
structure. May it be rephrased as follows or otherwise?
<?rfc needLines="19" ?> Original:
</section> If a new Multicast DNS query is requested
</section> (either locally, or by the Discovery Proxy on behalf of a remote
client), for which there are relevant answers already in the
Multicast DNS cache on the Discovery Proxy device, and after the
answers are delivered the Multicast DNS query is then cancelled
immediately, then no Multicast DNS query packets will be generated
for this query.
<section anchor="admin" title="Administrative DNS Records"> Perhaps:
If a new Multicast DNS query is requested (either locally or by the
Discovery Proxy on behalf of a remote client) for which there are
relevant answers already in the Multicast DNS cache on the Discovery Proxy
device, and, if after the answers are delivered, the Multicast DNS query is
canceled immediately, then no Multicast DNS query packets will be
generated for this query.
<section anchor="soa" title="DNS SOA (Start of Authority) Record"> Or:
If (a) a new Multicast DNS query is requested (either locally or by the
Discovery Proxy on behalf of a remote client), for which there are
relevant answers already in the Multicast DNS cache on the Discovery Proxy
device, and (b) after the answers are delivered, the Multicast DNS query is
cancelled immediately, then no Multicast DNS query packets will be
generated for this query.
-->
</section>
</section>
<t>The MNAME field SHOULD contain the host name of the Discovery Proxy <section anchor="admin" numbered="true" toc="default">
<name>Administrative DNS Records</name>
<section anchor="soa" numbered="true" toc="default">
<name>DNS SOA (Start of Authority) Record</name>
<t>The MNAME field <bcp14>SHOULD</bcp14> contain the host name of the Di
scovery Proxy
device device
(i.e., the same domain name as the rdata of the NS record delegating (i.e., the same domain name as the rdata of the NS record delegating
the the
relevant zone(s) to this Discovery Proxy device).</t> relevant zone(s) to this Discovery Proxy device).</t>
<t>The RNAME field <bcp14>SHOULD</bcp14> contain the mailbox of the pers
<t>The RNAME field SHOULD contain the mailbox of the person on
responsible responsible
for administering this Discovery Proxy device.</t> for administering this Discovery Proxy device.</t>
<t>The SERIAL field <bcp14>MUST</bcp14> be zero.</t>
<t>The SERIAL field MUST be zero.</t>
<t>Zone transfers are undefined for Discovery Proxy zones, and <t>Zone transfers are undefined for Discovery Proxy zones, and
consequently the consequently, the REFRESH, RETRY, and EXPIRE fields have no useful
REFRESH, RETRY and EXPIRE fields have no useful meaning for Discovery meaning for Discovery Proxy zones. These fields <bcp14>SHOULD</bcp14>
Proxy zones. contain reasonable default values. The <bcp14>RECOMMENDED</bcp14>
These fields SHOULD contain reasonable default values. values are: REFRESH 7200, RETRY 3600, and EXPIRE 86400.</t>
The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE
86400.</t>
<t>The MINIMUM field (used to control the lifetime of negative cache <t>The MINIMUM field (used to control the lifetime of negative cache
entries) entries)
SHOULD contain the value 10. <bcp14>SHOULD</bcp14> contain the value 10.
The value of ten seconds is chosen based on user-experience The value of ten seconds is chosen based on user-experience
considerations considerations
(see <xref target="ttl"/>).</t> (see <xref target="ttl" format="default"/>).</t>
<t>In the event that there are multiple Discovery Proxy devices on a <t>In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, this will result in clients link for fault tolerance reasons, this will result in clients
receiving inconsistent SOA records (different MNAME, and possibly receiving inconsistent SOA records (different MNAME and possibly
RNAME) RNAME) depending on which Discovery Proxy answers their SOA query.
depending on which Discovery Proxy answers their SOA query.
However, since clients generally have no reason to use the MNAME or However, since clients generally have no reason to use the MNAME or
RNAME RNAME data, this is unlikely to cause any problems.</t>
data, this is unlikely to cause any problems.</t>
<?rfc needLines="22" ?>
</section> </section>
<section anchor="ns" numbered="true" toc="default">
<section anchor="ns" title="DNS NS Records"> <name>DNS NS Records</name>
<t>In the event that there are multiple Discovery Proxy devices on a <t>In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, the parent zone MUST link for fault tolerance reasons, the parent zone <bcp14>MUST</bcp14>
be configured with NS records giving the names be configured with NS records giving the names
of all the Discovery Proxy devices on the link.</t> of all the Discovery Proxy devices on the link.</t>
<t>Each Discovery Proxy device <bcp14>MUST</bcp14> be configured to answ
<t>Each Discovery Proxy device MUST be configured to answer NS queries er NS queries
for the zone apex name by giving its own NS record, for the zone apex name by giving its own NS record,
and the NS records of its fellow Discovery Proxy devices on the same and the NS records of its fellow Discovery Proxy devices on the same
link, so that it can return the correct answers for NS queries.</t> link, so that it can return the correct answers for NS queries.</t>
<t>The target host name in the RDATA of an NS record <bcp14>MUST NOT</bc
<t>The target host name in the RDATA of an NS record MUST NOT p14>
reference reference
a name that falls within any zone delegated to a Discovery Proxy. a name that falls within any zone delegated to a Discovery Proxy.
Apart from the zone apex name, Apart from the zone apex name,
all other host names that fall within a zone delegated to a Discovery all other host names that fall within a zone delegated to a Discovery
Proxy Proxy
correspond to local Multicast DNS host names, correspond to local Multicast DNS host names,
which logically belong to the respective Multicast DNS hosts defending which logically belong to the respective Multicast DNS hosts defending
those names, those names,
not the Discovery Proxy. not the Discovery Proxy.
Generally speaking, the Discovery Proxy does not own or control the Generally speaking, the Discovery Proxy does not own or control the
delegated zone; delegated zone;
it is merely a conduit to the corresponding ".local" namespace, it is merely a conduit to the corresponding ".local" namespace,
which is controlled by the Multicast DNS hosts on that link. which is controlled by the Multicast DNS hosts on that link.
If an NS record were to reference a manually-determined host name If an NS record were to reference a manually determined host name
that falls within a delegated zone, that falls within a delegated zone,
that manually-determined host name may inadvertently conflict with a that manually determined host name may inadvertently conflict with a
corresponding corresponding
".local" host name that is owned and controlled by some device on that ".local" host name that is owned and controlled by some device on that
link. link.
</t> </t>
</section> </section>
<section anchor="delegation" numbered="true" toc="default">
<section anchor="delegation" title="DNS Delegation Records"> <name>DNS Delegation Records</name>
<t>Since the <xref target="RFC6762">Multicast DNS specification</xref> <t>Since the <xref target="RFC6762" format="default">Multicast DNS speci
fication</xref>
states that there can be no delegation (subdomains) within a ".local" states that there can be no delegation (subdomains) within a ".local"
namespace, namespace,
this implies that this implies that
any name within a zone delegated to a Discovery Proxy any name within a zone delegated to a Discovery Proxy
(except for the zone apex name itself) (except for the zone apex name itself)
cannot have any answers for any DNS queries for RRTYPEs SOA, NS, or cannot have any answers for any DNS queries for RRTYPEs SOA, NS, or
DS. DS.
Consequently: Consequently:
<list style='symbols'>
<t>for any query for the zone apex name of a zone delegated to a
Discovery Proxy,
the Discovery Proxy MUST generate the appropriate immediate
answers as described above, and</t>
<t>for any query for RRTYPEs SOA, NS, or DS,
for any name within a zone delegated to a Discovery Proxy,
other than the zone apex name,
instead of translating the query to its corresponding Multicast
DNS ".local" equivalent,
a Discovery Proxy MUST generate an immediate negative answer.</t>
</list>
</t> </t>
</section> <!-- [rfced] May this text be updated as follows for clarity?
This would reduce the amount of commas and stacked "for" clauses.
<section anchor="srv" title="DNS SRV Records"> Original:
<t>There are certain special DNS records that logically .... Consequently:
fall within the delegated unicast DNS subdomain,
but rather than mapping to their corresponding ".local" namesakes, [...]
they actually contain metadata pertaining to the operation
of the delegated unicast DNS subdomain itself. o for any query for RRTYPEs SOA, NS, or DS, for any name within a
They do not exist in the corresponding ".local" namespace of the local zone delegated to a Discovery Proxy, other than the zone apex
link. name, instead of translating the query to its corresponding
For these queries a Discovery Proxy MUST generate immediate answers, Multicast DNS ".local" equivalent, a Discovery Proxy MUST generate
whether positive or negative, to avoid delays while clients wait for an immediate negative answer.
their query to be answered.
For example, if a Discovery Proxy does not implement Perhaps:
<xref target="LLQ">Long-Lived Queries</xref> .... Consequently:
then it MUST return an immediate negative answer to tell the client
this without delay, [...]
instead of passing the query through to the local network as a query
for * for any query for RRTYPEs SOA, NS, or DS, a Discovery Proxy MUST
<spanx style="verb">_dns&nbhy;llq._udp.local.</spanx>, generate an immediate negative answer for any name within a zone
and then waiting unsuccessfully for answers that will not be delegated to a Discovery Proxy (other than the zone apex name) instead
forthcoming.</t> of translating the query to its corresponding Multicast DNS ".local"
equivalent.
-->
<ul spacing="normal">
<li>for any query for the zone apex name of a zone delegated to a
Discovery Proxy, the Discovery Proxy <bcp14>MUST</bcp14> generate
the appropriate immediate answers as described above, and</li>
<li>
for any query for RRTYPEs SOA, NS, or DS, for any name within a
zone delegated to a Discovery Proxy, other than the zone apex
name, instead of translating the query to its corresponding
Multicast DNS ".local" equivalent, a Discovery Proxy <bcp14>MUST</bcp14> g
enerate
an immediate negative answer.
</li>
</ul>
</section>
<section anchor="srv" numbered="true" toc="default">
<name>DNS SRV Records</name>
<t>There are certain special DNS records that logically fall within
the delegated unicast DNS subdomain, but rather than mapping to their
corresponding ".local" namesakes, they actually contain metadata
pertaining to the operation of the delegated unicast DNS subdomain
itself. They do not exist in the corresponding ".local" namespace of
the local link. For these queries, a Discovery Proxy
<bcp14>MUST</bcp14> generate immediate answers, whether positive or
negative, to avoid delays while clients wait for their query to be
answered. For example, if a Discovery Proxy does not implement
Long-Lived Queries <xref
target="RFC8764" format="default"></xref>,
then it <bcp14>MUST</bcp14> return an immediate negative answer to
tell the client this without delay instead of passing the query
through to the local network as a query for
<tt>_dns&nbhy;llq._udp.local.</tt> and then waiting unsuccessfully for
answers that will not be forthcoming.</t>
<t>If a Discovery Proxy implements <t>If a Discovery Proxy implements
<xref target="LLQ">Long-Lived Queries</xref> Long-Lived Queries <xref target="RFC8764" format="default"></xref>,
then it MUST positively respond to then it <bcp14>MUST</bcp14> positively respond to
<spanx style="verb">_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</spanx> <tt>_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</tt>
queries, queries,
<spanx style="verb">_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</spanx> <tt>_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</tt>
queries, and queries, and
<spanx <tt>_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx queries as appropriate.
> Otherwise, it <bcp14>MUST</bcp14> return an immediate negative answer fo
queries as appropriate, r those
else it MUST return an immediate negative answer for those
queries.</t> queries.</t>
<t>If a Discovery Proxy implements <t>If a Discovery Proxy implements
<xref target="Push">DNS Push Notifications</xref> DNS Push Notifications <xref target="RFC8765" format="default"></xref>,
then it MUST positively respond to then it <bcp14>MUST</bcp14> positively respond to
<spanx style="verb">_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</spanx> <tt>_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</tt>
queries, queries.
else it MUST return an immediate negative answer for those Otherwise, it <bcp14>MUST</bcp14> return an immediate negative answer fo
r those
queries.</t> queries.</t>
<t>A Discovery Proxy <bcp14>MUST</bcp14> return an immediate negative an
<t>A Discovery Proxy MUST return an immediate negative answer for swer for
<spanx <tt>_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, queries,
<spanx <tt>_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, and queries, and
<spanx <tt>_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, queries,
since using <xref target="RFC2136">DNS Update</xref> to change since using DNS Update <xref target="RFC2136" format="default"></xref> t o change
zones generated dynamically from local Multicast DNS data is not zones generated dynamically from local Multicast DNS data is not
possible.</t> possible.</t>
<?rfc needLines="29" ?>
</section> </section>
</section> </section>
<section anchor="DNSSEC" numbered="true" toc="default">
<section anchor="DNSSEC" title="DNSSEC Considerations"> <name>DNSSEC Considerations</name>
<section numbered="true" toc="default">
<section title="On-line signing only"> <name>Online Signing Only</name>
<t>The Discovery Proxy acts as the authoritative name server for <t>The Discovery Proxy acts as the authoritative name server for
designated subdomains, and if DNSSEC is to be used, the Discovery designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to Proxy needs to possess a copy of the signing keys in order to
possess a copy of the signing keys, in order to generate authoritative generate authoritative signed data from the local Multicast DNS
signed data from the local Multicast DNS responses it receives. responses it receives. Offline signing is not applicable to
Off-line signing is not applicable to Discovery Proxy.</t> Discovery Proxy.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="NSEC and NSEC3 Records"> <name>NSEC and NSEC3 Records</name>
<t>In DNSSEC <t>In DNSSEC
<xref target="RFC4034">NSEC</xref> and NSEC <xref target="RFC4034" format="default"></xref> and
<xref target="RFC5155">NSEC3</xref> records NSEC3 <xref target="RFC5155" format="default"></xref>, records
are used to assert the nonexistence of certain names, are used to assert the nonexistence of certain names,
also described as "authenticated denial of existence".</t> also described as "authenticated denial of existence".</t>
<!-- [rfced] FYI: We've added "to" before "assert" in the following sentence
as it seems it was a typo. Please let us know if this is not
the intended meaning.
Original:
Instead, when generating a negative response, a Discovery Proxy
programmatically synthesizes a single NSEC record assert the nonexistence
of just the...
Updated:
Instead, when generating a negative response, a Discovery Proxy
programmatically synthesizes a single NSEC record to assert the nonexistence
of just the...
-->
<t>Since a Discovery Proxy only knows what names exist on the local <t>Since a Discovery Proxy only knows what names exist on the local
link link by issuing queries for them, and since it would be impractical to
by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
synthesize the traditional NSEC and NSEC3 records which assert the synthesize the traditional NSEC and NSEC3 records that assert the
nonexistence of a large range of names. nonexistence of a large range of names. Instead, when generating a
Instead, when generating a negative response, negative response, a Discovery Proxy programmatically synthesizes a
a Discovery Proxy programmatically synthesizes a single NSEC record single NSEC record to assert the nonexistence of just the specific
assert the nonexistence of just the specific name queried, and no name queried and no others. Since the Discovery Proxy has the zone
others. signing key, it can do this on demand. Since the NSEC record asserts
Since the Discovery Proxy has the zone signing key, it can do this on the nonexistence of only a single name, zone walking is not a concern,
demand. and NSEC3 is therefore not necessary.</t>
Since the NSEC record asserts the nonexistence of only a single name,
zone walking is not a concern, so NSEC3 is not necessary.</t>
<t>Note that this applies only to traditional immediate DNS queries, <t>Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when which may return immediate negative answers when no immediate positive
no immediate positive answer is available. answer is available. When used with a DNS Push Notification
When used with a subscription <xref target="RFC8765"
<xref target="Push">DNS Push Notification subscription</xref> format="default"></xref>, there are no negative answers, merely the
there are no negative answers, merely the absence of answers so far, absence of answers so far, which may change in the future if answers
which may change in the future if answers become available.</t> become available.</t>
<?rfc needLines="19" ?>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="IPv6 Considerations"> <name>IPv6 Considerations</name>
<t>An IPv4-only host and an IPv6-only host behave as "ships that pass in <t>An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same <xref the night". Even if they are on the same Ethernet <xref target="IEEE-3"
target="IEEE-3">Ethernet</xref>, neither is aware format="default"></xref>, neither is aware of the other's traffic. For
of the other's traffic. For this reason, each link may have this reason, each link may have *two* unrelated ".local." zones: one for
*two* unrelated ".local." zones, one for IPv4 and one for IPv6. IPv4 and one for IPv6. Since, for practical purposes, a group of
Since for practical purposes, a group of IPv4-only hosts and a group IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act
of IPv6-only hosts on the same Ethernet act as if they were on two as if they were on two entirely separate Ethernet segments, it is
entirely separate Ethernet segments, it is unsurprising that their unsurprising that their use of the ".local." zone should occur exactly
use of the ".local." zone should occur exactly as it would if as it would if they really were on two entirely separate Ethernet
they really were on two entirely separate Ethernet segments.</t> segments.</t>
<t>It will be desirable to have a mechanism to "stitch" together
<t>It will be desirable to have a mechanism to 'stitch' together
these two unrelated ".local." zones so that they appear as one. these two unrelated ".local." zones so that they appear as one.
Such mechanism will need to be able to differentiate between a Such a mechanism will need to be able to differentiate between a
dual-stack (v4/v6) host participating in both ".local." dual-stack (v4/v6) host participating in both ".local."
zones, and two different hosts, one IPv4-only and the other IPv6-only, zones, and two different hosts: one IPv4-only and the other IPv6-only,
which are both trying to use the same name(s). Such a mechanism which are both trying to use the same name(s). Such a mechanism
will be specified in a future companion document.</t> will be specified in a future companion document.</t>
<t>At present, it is <bcp14>RECOMMENDED</bcp14> that a Discovery Proxy be
<t>At present, it is RECOMMENDED that a Discovery Proxy be configured configured
with a single domain name for both the IPv4 and IPv6 ".local." zones with a single domain name for both the IPv4 and IPv6 ".local." zones
on the local link, and when a unicast query is received, it should on the local link, and when a unicast query is received, it should
issue Multicast DNS queries using both IPv4 and IPv6 on the local link, issue Multicast DNS queries using both IPv4 and IPv6 on the local link
and then combine the results.</t> and then combine the results.</t>
<?rfc needLines="25" ?>
</section> </section>
<section numbered="true" toc="default">
<section title="Security Considerations"> <name>Security Considerations</name>
<section title="Authenticity"> <section numbered="true" toc="default">
<name>Authenticity</name>
<t>A service proves its presence on a link by its ability to <t>A service proves its presence on a link by its ability to
answer link-local multicast queries on that link. answer link-local multicast queries on that link.
If greater security is desired, then the Discovery Proxy mechanism If greater security is desired, then the Discovery Proxy mechanism
should not be used, and something with stronger security should should not be used, and something with stronger security should
be used instead, such as authenticated secure DNS Update be used instead such as authenticated secure DNS Update
<xref target="RFC2136"/> <xref target="RFC3007"/>.</t> <xref target="RFC2136" format="default"/> <xref target="RFC3007" format=
"default"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Privacy"> <name>Privacy</name> <t>The Domain Name System is, generally speaking,
<t>The Domain Name System is, generally speaking, a global public a global public database. Records that exist in the Domain Name
database. System name hierarchy can be queried by name from, in principle,
Records that exist in the Domain Name System name hierarchy anywhere in the world. If services on a mobile device (like a laptop
can be queried by name from, in principle, anywhere in the world. computer) are made visible via the Discovery Proxy mechanism, then
If services on a mobile device (like a laptop computer) are made when those services become visible in a domain such as
visible "My&nbsp;House.example.com", it might indicate to (potentially
via the Discovery Proxy mechanism, then when those services become hostile) observers that the mobile device is in a private home. When th
visible ose
in a domain such as "My&nbsp;House.example.com" that might indicate to services disappear from "My&nbsp;House.example.com", that change could
(potentially hostile) observers that the mobile device is in my house. be used by observers to infer when the mobile device (and possibly its
When those services disappear from "My&nbsp;House.example.com" owner) may have left the house. The privacy of this information may
that change could be used by observers to infer when the be protected using techniques like firewalls, split-view DNS, and
mobile device (and possibly its owner) may have left the house. Virtual Private Networks (VPNs), as are customarily used today to
The privacy of this information may be protected using techniques protect the privacy of corporate DNS information.</t>
like firewalls, split-view DNS, and Virtual Private Networks (VPNs),
as are customarily used today
to protect the privacy of corporate DNS information.</t>
<t>The privacy issue is particularly serious for the IPv4 and IPv6 <t>The privacy issue is particularly serious for the IPv4 and IPv6
reverse zones. reverse zones.
If the public delegation of the reverse zones points to the If the public delegation of the reverse zones points to the
Discovery Proxy, and the Discovery Proxy is reachable globally, Discovery Proxy, and the Discovery Proxy is reachable globally,
then it could leak a significant amount of information. then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might Attackers could discover hosts that otherwise might
not be easy to identify, and learn their hostnames. not be easy to identify, and learn their hostnames.
Attackers could also discover the existence of links Attackers could also discover the existence of links
where hosts frequently come and go.</t> where hosts frequently come and go.</t>
<t>The Discovery Proxy could also provide sensitive records only to <t>The Discovery Proxy could also provide sensitive records only to
authenticated authenticated
users. This is a general DNS problem, not specific to the Discovery users. This is a general DNS problem, not specific to the Discovery
Proxy. Proxy.
Work is underway in the IETF to tackle this problem <xref Work is underway in the IETF to tackle this problem <xref target="RFC762
target="RFC7626"/>.</t> 6" format="default"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Denial of Service"> <name>Denial of Service</name>
<t>A remote attacker could use a rapid series of unique Unicast DNS <t>A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Discovery Proxy to generate a rapid series of queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local links. corresponding Multicast DNS queries on one or more of its local links.
Multicast traffic is generally more expensive than unicast traffic Multicast traffic is generally more expensive than unicast traffic,
-- especially on Wi-Fi links -- especially on Wi-Fi links, which makes this attack particularly
which makes this attack particularly serious. serious. To limit the damage that can be caused by such attacks, a
To limit the damage that can be caused by such attacks, a Discovery Discovery Proxy (or the underlying Multicast DNS subsystem that it
Proxy utilizes) <bcp14>MUST</bcp14> implement Multicast DNS query rate
(or the underlying Multicast DNS subsystem which it utilizes) MUST limiting appropriate to the link technology in question. For today's
implement Multicast DNS query rate limiting appropriate to the link 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
technology in question. For today's 802.11b/g/n/ac Wi-Fi links packets per second is sufficient to consume approximately 100% of the
(for which approximately 200 multicast packets per second is wireless spectrum), a limit of 20 Multicast DNS query packets per
sufficient second is <bcp14>RECOMMENDED</bcp14>. On other link technologies like
to consume approximately 100% of the wireless spectrum) Gigabit Ethernet, higher limits may be appropriate. A consequence of
a limit of 20 Multicast DNS query packets per second is RECOMMENDED. this rate limiting is that a rogue remote client could issue an
On other link technologies like Gigabit Ethernet higher limits excessive number of queries resulting in denial of service to other
may be appropriate. legitimate remote clients attempting to use that Discovery Proxy.
A consequence of this rate limiting is that a rogue remote client
could issue an excessive number of queries, resulting in denial of
service to other legitimate remote clients attempting to use that
Discovery Proxy.
However, this is preferable to a rogue remote client being able to However, this is preferable to a rogue remote client being able to
inflict even greater harm on the local network, which could impact inflict even greater harm on the local network, which could impact the
the correct operation of all local clients on that network.</t> correct operation of all local clients on that network.</t>
<?rfc needLines="28" ?>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="IANA Considerations"> <name>IANA Considerations</name>
<t>This document has no IANA Considerations.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section title="Acknowledgments">
<t>Thanks to Markus Stenberg for helping develop the policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to
Anders Brandt,
Ben Campbell,
Tim Chown,
Alissa Cooper,
Spencer Dawkins,
Ralph Droms,
Joel Halpern,
Ray Hunter,
Joel Jaeggli,
Warren Kumari,
Ted Lemon,
Alexey Melnikov,
Kathleen Moriarty,
Tom Pusateri,
Eric Rescorla,
Adam Roach,
David Schinazi,
Markus Stenberg,
Dave Thaler,
and Andrew Yourtchenko for their comments.</t>
<?rfc needLines="33" ?>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References">
<?rfc include="reference.RFC.1034" ?>
<?rfc include="reference.RFC.1035" ?>
<?rfc include="reference.RFC.1918" ?>
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2308" ?>
<?rfc include="reference.RFC.3629" ?>
<?rfc include="reference.RFC.3927" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4862" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5198" ?>
<?rfc include="reference.RFC.6762" ?>
<?rfc include="reference.RFC.6763" ?>
<?rfc include="reference.RFC.8174" ?>
<?rfc include="reference.RFC.8490" ?>
<?rfc include="reference.I-D.ietf-dnssd-push" anchor='Push' <displayreference target="I-D.cheshire-dnssd-roadmap" to="ROADMAP"/>
?>
</references> <displayreference target="I-D.sctl-service-registration" to="REG-PROT"/>
<?rfc needLines="6" ?> <displayreference target="I-D.sctl-dnssd-mdns-relay" to="RELAY"/>
<references title="Informative References">
<?rfc include="reference.I-D.cheshire-dnssd-roadmap" <displayreference target="I-D.ietf-mboned-ieee802-mcast-problems" to="MCAST"/>
anchor='Roadmap' ?>
<?rfc include="reference.I-D.sekar-dns-ul"
anchor='DNS-UL' ?>
<?rfc include="reference.I-D.sekar-dns-llq" anchor='LLQ'
?>
<?rfc include="reference.I-D.sctl-service-registration"
anchor='RegProt' ?>
<?rfc include="reference.I-D.sctl-dnssd-mdns-relay" anchor='Relay'
?>
<?rfc include="reference.I-D.ietf-mboned-ieee802-mcast-problems"
anchor='Mcast' ?>
<?rfc include="reference.RFC.2132" ?>
<?rfc include="reference.RFC.2136" ?>
<?rfc include="reference.RFC.3007" ?>
<?rfc include="reference.RFC.3492" ?>
<?rfc include="reference.RFC.4193" ?>
<?rfc include="reference.RFC.6760" ?>
<?rfc include="reference.RFC.7558" ?>
<?rfc include="reference.RFC.7626" ?>
<?rfc include="reference.RFC.7788" ?>
<?rfc include="reference.RFC.8375" ?>
<reference anchor="ohp" target="https://github.com/sbyx/ohybridproxy/"> <displayreference target="I-D.sekar-dns-ul" to="DNS-UL"/>
<front>
<title>Discovery Proxy (Hybrid Proxy) implementation for
OpenWrt</title>
<author/>
<date/>
</front>
</reference>
<reference anchor="ZC"> <references>
<front> <name>References</name>
<title>Zero Configuration Networking: The Definitive Guide</title> <references>
<author initials="S." surname="Cheshire" fullname="Stuart <name>Normative References</name>
Cheshire"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<author initials="D.H." surname="Steinberg" fullname="Daniel FC.1034.xml"/>
H. Steinberg"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<date year="2005" month="December"/> FC.1035.xml"/>
</front> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<seriesInfo name="O'Reilly Media, Inc." value=""/> FC.1918.xml"/>
<seriesInfo name="ISBN" value="0-596-10100-7"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
</reference> FC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2308.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3629.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3927.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4034.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4862.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5155.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5198.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6762.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6763.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8490.xml"/>
<!-- Patterned after <!-- draft-ietf-dnssd-push-25; companion document 8765 -->
http://xml.resource.org/public/rfc/bibxml2/_reference.IEEE.802-3.1998.xml <reference anchor='RFC8765' target="https://www.rfc-editor.org/info/rfc8765">
-->
<reference anchor="IEEE-1Q"
target="http://standards.ieee.org/getieee802/download/802-1Q-201
4.pdf">
<front> <front>
<title> <title>DNS Push Notifications
IEEE Standard for Local and metropolitan area networks -- </title>
Bridges and Bridged Networks <author initials='T' surname='Pusateri' fullname='Tom Pusateri'>
</title> <organization />
<author/> </author>
<date year="2014" month="November"/> <author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
<organization />
</author>
<date month='March' year='2020' />
</front> </front>
<seriesInfo name="IEEE" value="Std 802.1Q-2014"/> <seriesInfo name='RFC' value='8765' />
</reference> <seriesInfo name="DOI" value="10.17487/RFC8765"/>
</reference>
<reference anchor="IEEE-3" </references>
target="http://standards.ieee.org/getieee802/802.3.html"> <references>
<front> <name>Informative References</name>
<title>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I
-D.cheshire-dnssd-roadmap.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I
-D.sekar-dns-ul.xml"/>
<!-- draft-sekar-dns-llq ; companion document 8764 -->
<reference anchor='RFC8764' target="https://www.rfc-editor.org/info/rfc8764">
<front>
<title>Apple's DNS Long-Lived Queries Protocol</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
<organization />
</author>
<author initials='M' surname='Krochmal' fullname='Marc Krochmal'>
<organization />
</author>
<date month='March' year='2020' />
</front>
<seriesInfo name='RFC' value='RFC8764' />
<seriesInfo name="DOI" value="10.17487/RFC8764"/>
</reference>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I
-D.sctl-service-registration.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I
-D.sctl-dnssd-mdns-relay.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I
-D.ietf-mboned-ieee802-mcast-problems.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2132.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2136.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3007.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3492.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4193.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6760.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7558.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7626.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7788.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8375.xml"/>
<reference anchor="OHP" target="https://github.com/sbyx/ohybridproxy/">
<front>
<title>
ohybridproxy - an mDNS/DNS hybrid-proxy based on mDNSResponder
</title>
<author/>
<date month="June" year="2017"/>
</front>
<refcontent>commit 464d6c9</refcontent>
</reference>
<reference anchor="ZC">
<front>
<title>Zero Configuration Networking: The Definitive Guide</title>
<seriesInfo name="ISBN" value="0-596-10100-7"/>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire"/
>
<author initials="D.H." surname="Steinberg" fullname="Daniel H. Stei
nberg"/>
<date year="2005" month="December"/>
</front>
<refcontent>O'Reilly Media, Inc.</refcontent>
</reference>
<!-- [rfced] FYI: Since the URL provided for [IEEE-1Q] is 404 Not Found,
we've updated the URL to <https://ieeexplore.ieee.org/document/6991462>.
Please let us know if this is not preferred.
Original:
[IEEE-1Q] "IEEE Standard for Local and metropolitan area networks - Bridge
s and
Bridged Networks", IEEE Std 802.1Q-2014, November 2014,
<http://standards.ieee.org/getieee802/download/802-1Q-2014.pdf>.
Updated:
[IEEE802.1Q]
IEEE, "IEEE Standard for Local and metropolitan area
networks - Bridges and Bridged Networks", IEEE Std
802.1Q-2014, DOI 10.1109/IEEESTD.2014.6991462, 2014,
<https://ieeexplore.ieee.org/document/6991462>.
-->
<reference anchor="IEEE802.1Q" target="https://ieeexplore.ieee.org/documen
t/6991462">
<front>
<title>IEEE Standard for Local and metropolitan area
networks -- Bridges and Bridged Networks
</title>
<author>
<organization>IEEE</organization>
</author>
<date year="2014"/>
</front>
<seriesInfo name="IEEE Std" value="802.1Q-2014"/>
<seriesInfo name="DOI" value="10.1109/IEEESTD.2014.6991462"/>
</reference>
<!-- [rfced] The URL for reference [IEEE-3] is 404 Not Found,
and the reference itself has been superseded by a 2018 version. Should
this reference be updated as follows or otherwise?
NOTE: There is also a persistant link that points to the most recent version
should the reference be superseded in the future.
Original:
[IEEE-3] "Information technology - Telecommunications and information exchang
e
between systems - Local and metropolitan area networks - Specific
requirements - Part 3: Carrier Sense Multiple Access with Collision
Detection (CMSA/CD) Access Method and Physical Layer Specifications"
, IEEE
Std 802.3-2008, December 2008,
<http://standards.ieee.org/getieee802/802.3.html>.
Perhaps:
[IEEE802.3] IEEE, "IEEE Standard for Ethernet", IEEE 802.3-2018,
DOI 10.1109/IEEESTD.2018.8457469
<https://ieeexplore.ieee.org/document/8457469>.
-->
<reference anchor="IEEE-3" target="http://standards.ieee.org/getieee802/
802.3.html">
<front>
<title>
Information technology - Telecommunications and information Information technology - Telecommunications and information
exchange between systems - exchange between systems -
Local and metropolitan area networks - Specific requirements - Local and metropolitan area networks - Specific requirements -
Part 3: Carrier Sense Multiple Access with Collision Detection Part 3: Carrier Sense Multiple Access with Collision Detection
(CMSA/CD) (CSMA/CD)
Access Method and Physical Layer Specifications Access Method and Physical Layer Specifications
</title> </title>
<author/> <seriesInfo name="IEEE Std" value="802.3-2008"/>
<date year="2008" month="December"/> <author/>
</front> <date year="2008" month="December"/>
<seriesInfo name="IEEE" value="Std 802.3-2008"/> </front>
</reference> </reference>
<reference anchor="IEEE-5"> <!-- [rfced] FYI: We have updated reference [IEEE-5] with a URL to
<front> match the other IEEE references in this document. Note that this
<title>Information technology - Telecommunications and information standard is currently withdrawn.
exchange
between systems - Local and metropolitan area networks - Specific
requirements -
Part 5: Token ring access method and physical layer
specification</title>
<author><organization>Institute of Electrical and Electronics
Engineers</organization></author>
<date month="" year="1995" />
</front>
<seriesInfo name="IEEE" value="Std 802.5-1998"/>
</reference>
<reference anchor="IEEE-11" Original:
target="http://standards.ieee.org/getieee802/802.11.html"> [IEEE-5] Institute of Electrical and Electronics Engineers,
<front> "Information technology - Telecommunications and
<title> information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part
5: Token ring access method and physical layer
specification", IEEE Std 802.5-1998, 1995.
Updated:
[IEEE802.5]
IEEE, "Telecommunications and information exchange between
systems - Local and metropolitan area networks - Part 5:
Token ring access method and physical layer
specifications", IEEE Std 802.5-1998, 1998,
<https://standards.ieee.org/standard/802_5-1998.html>.
-->
<reference anchor="IEEE802.5" target="https://standards.ieee.org/standar
d/802_5-1998.html">
<front>
<title>
Telecommunications and information exchange between systems - Local and
metropolitan area networks - Part 5: Token ring access method and physical
layer specifications
</title>
<seriesInfo name="IEEE Std" value="802.5-1998"/>
<author>
<organization>IEEE</organization>
</author>
<date year="1998"/>
</front>
</reference>
<!-- [rfced] The URL for [IEEE-11] is 404 Not Found, and 802.11-2007 has
been superseded by a 2016 version. Should this reference be updated
as shown below or otherwise?
Original:
[IEEE-11] "Information technology - Telecommunications and
information exchange between systems - Local and
metropolitan area networks - Specific requirements - Part
11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Std 802.11-2007, June
2007, <http://standards.ieee.org/getieee802/802.11.html>.
Perhaps:
[IEEE802.11] IEEE, "Telecommunications and information exchange between
systems Local and metropolitan area networks -Specific
requirements - Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications", IEEE Std
802.11-2016, 2016,
<https://standards.ieee.org/standard/802_11-2016.html>.
-->
<reference anchor="IEEE-11" target="http://standards.ieee.org/getieee802
/802.11.html">
<front>
<title>
Information technology - Telecommunications and information Information technology - Telecommunications and information
exchange between systems - exchange between systems -
Local and metropolitan area networks - Specific requirements - Local and metropolitan area networks - Specific requirements -
Part 11: Wireless LAN Medium Access Control (MAC) and Physical Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications Layer (PHY) Specifications
</title> </title>
<author/> <seriesInfo name="IEEE Std" value="802.11-2007"/>
<date year="2007" month="June"/> <author/>
</front> <date year="2007" month="June"/>
<seriesInfo name="IEEE" value="Std 802.11-2007"/> </front>
</reference> </reference>
</references>
</references> </references>
<?rfc needLines="40" ?> <!-- [rfced] Although it's not mandatory, the recommendation in RFC 7942
<section anchor="implementation" title="Implementation Status"> is to remove Implementation Status sections from Internet-Drafts when
published as RFCs. Please let us know if the section should be removed.
-->
<section anchor="implementation" numbered="true" toc="default">
<name>Implementation Status</name>
<t>Some aspects of the mechanism specified in this document already <t>Some aspects of the mechanism specified in this document already
exist in exist in
deployed software. Some aspects are new. This section outlines which deployed software. Some aspects are new. This section outlines which
aspects aspects
already exist and which are new.</t> already exist and which are new.</t>
<section numbered="true" toc="default">
<section title="Already Implemented and Deployed"> <name>Already Implemented and Deployed</name>
<t>Domain enumeration by the client (the <t>Domain enumeration by the client (the
"b._dns-sd._udp" queries) is already implemented and deployed.</t> "b._dns-sd._udp" queries) is already implemented and deployed.</t>
<t>Unicast queries to the indicated discovery domain is already <t>Unicast queries to the indicated discovery domain is already
implemented and deployed.</t> implemented and deployed.</t>
<t>These are implemented and deployed in Mac OS X 10.4 and later <t>These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), (including all versions of Apple iOS, on all iPhone and iPads),
in Bonjour for Windows, in Bonjour for Windows,
and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t> and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t>
<t>Domain enumeration and unicast querying have been <t>Domain enumeration and unicast querying have been
used for several years at IETF meetings to make Terminal Room used for several years at IETF meetings to make terminal room
printers discoverable from outside the Terminal room. When an IETF printers discoverable from outside the terminal room. When an IETF
attendee presses Cmd-P on a Mac, or selects AirPrint on an iPad attendee presses "Cmd&nbhy;P" on a Mac, or selects AirPrint on an iPad
or iPhone, and the Terminal room printers appear, that is because or iPhone, and the terminal room printers appear, it is because
the client is sending unicast DNS queries to the IETF DNS servers. the client is sending unicast DNS queries to the IETF DNS servers.
A walk-through giving the details of this particular specific example A walk-through giving the details of this particular specific example
is given in Appendix A of <xref target="Roadmap">the Roadmap is given in <xref target="I-D.cheshire-dnssd-roadmap"
sectionFormat="of" section="A">the Roadmap
document</xref>.</t> document</xref>.</t>
</section> </section>
<section title="Already Implemented"> <section numbered="true" toc="default">
<name>Already Implemented</name>
<t>A minimal portable Discovery Proxy implementation has been produced <t>A minimal portable Discovery Proxy implementation has been produced
by by
Markus Stenberg and Steven Barth, which runs on OS X and several Linux Markus Stenberg and Steven Barth, which runs on OS X and several Linux
variants including OpenWrt <xref target="ohp"/>. variants including OpenWrt <xref target="OHP" format="default"/>.
It was demonstrated at the Berlin IETF in July 2013.</t> It was demonstrated at the Berlin IETF in July 2013.</t>
<t>Tom Pusateri has an implementation that runs on any Unix/Linux. <!-- [rfced] We have added "system" after "Unix/Linux" in the following
It has a RESTful interface for management and an experimental demo CLI sentence for clarity. Please let us know if this is not preferred or
and web interface.</t> changes the intended meaning.
Original:
Tom Pusateri has an implementation that runs on any Unix/Linux.
Updated:
Tom Pusateri has an implementation that runs on any Unix/Linux system.
-->
<t>Tom Pusateri has an implementation that runs on any Unix/Linux system
. It
has a RESTful interface for management and an experimental demo
command-line interface (CLI) and web interface.</t>
<t>Ted Lemon also has produced a portable implementation of Discovery <t>Ted Lemon also has produced a portable implementation of Discovery
Proxy, Proxy,
which is available in the mDNSResponder open source code.</t> which is available in the mDNSResponder open source code.</t>
<t>The Long-Lived Query mechanism <xref target="RFC8764" format="default
<t>The Long-Lived Query mechanism <xref target="LLQ"/> "/>
referred to in this specification exists and is deployed, referred to in this specification exists and is deployed
but was not standardized by the IETF. but was not standardized by the IETF.
The IETF has developed a superior Long-Lived Query mechanism The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications <xref target="Push"/>, called DNS Push Notifications <xref target="RFC8765" format="default"/>,
which is built on DNS Stateful Operations <xref target="RFC8490"/>. which is built on DNS Stateful Operations <xref target="RFC8490" format=
"default"/>.
The pragmatic short-term deployment approach is for vendors The pragmatic short-term deployment approach is for vendors
to produce Discovery Proxies that implement both the deployed to produce Discovery Proxies that implement both the deployed
Long-Lived Query mechanism <xref target="LLQ"/> Long-Lived Query mechanism <xref target="RFC8764" format="default"/>
(for today's clients) and the new (for today's clients) and the new
DNS Push Notifications mechanism <xref target="Push"/> DNS Push Notifications mechanism <xref target="RFC8765" format="default" />
as the preferred long-term direction.</t> as the preferred long-term direction.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Partially Implemented"> <name>Partially Implemented</name>
<t>The current APIs make multiple domains visible to client <t>The current APIs make multiple domains visible to client
software, but most client UI today lumps all discovered services software, but most client UIs today lump all discovered services
into a single flat list. This is largely a chicken-and-egg into a single flat list. This is largely a chicken-and-egg
problem. Application writers were naturally reluctant to spend problem. Application writers were naturally reluctant to spend
time writing domain-aware UI code when few customers today would time writing domain-aware UI code when few customers today would
benefit from it. If Discovery Proxy deployment becomes common, then benefit from it. If Discovery Proxy deployment becomes common, then
application writers will have a reason to provide better UI. application writers will have a reason to provide better UI.
Existing applications will work with the Discovery Proxy, but will Existing applications will work with the Discovery Proxy but will
show all services in a single flat list. Applications with show all services in a single flat list. Applications with
improved UI will group services by domain.</t> improved UI will group services by domain.</t>
</section> </section>
</section> </section>
<section numbered="false" toc="default">
<name>Acknowledgments</name>
<t>Thanks to <contact fullname="Markus Stenberg"/> for helping develop the
policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to
<contact fullname="Anders Brandt"/>,
<contact fullname="Ben Campbell"/>,
<contact fullname="Tim Chown"/>,
<contact fullname="Alissa Cooper"/>,
<contact fullname="Spencer Dawkins"/>,
<contact fullname="Ralph Droms"/>,
<contact fullname="Joel Halpern"/>,
<contact fullname="Ray Hunter"/>,
<contact fullname="Joel Jaeggli"/>,
<contact fullname="Warren Kumari"/>,
<contact fullname="Ted Lemon"/>,
<contact fullname="Alexey Melnikov"/>,
<contact fullname="Kathleen Moriarty"/>,
<contact fullname="Tom Pusateri"/>,
<contact fullname="Eric Rescorla"/>,
<contact fullname="Adam Roach"/>,
<contact fullname="David Schinazi"/>,
<contact fullname="Markus Stenberg"/>,
<contact fullname="Dave Thaler"/>,
and <contact fullname="Andrew Yourtchenko"/> for their comments.</t>
</section>
<!-- [rfced] This document appears to use "Service Discovery" and "service
discovery" interchangably. Is a certain capitalization preferred?
Perhaps the term should only be capitalized in "DNS-based Service Discovery"?
Original:
...are combined for Service Discovery purposes.
...Users typically interact with service discovery software by
...implementing DNS-based Service Discovery
...supporting unicast DNS Service Discovery
...other local service discovery protocols
...DNS subdomain for service discovery records
FYI: We have updated all uses of "DNS-Based Service Discovery" to
instead be "DNS-based Service Discovery" (note lowercased "based") to
match RFC 6763. Please let us know if this is not preferred.
-->
<!-- [rfced] Documents in this cluster use both "DNS Service Discovery" and
"DNS-based Service Discovery". Should all instances be updated to the latter
per RFC 6763, or is the mix acceptable? Note that your reply will also be
applied to RFCs-to-be 8764 and 8765.
-->
</back> </back>
</rfc> </rfc>
 End of changes. 279 change blocks. 
1390 lines changed or deleted 1674 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/