<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629-xhtml.ent">[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" submissionType="IETF"docName="draft-ietf-dnssd-update-lease-08"docName="draft-ietf-dnssd-update-lease-latest" number="9664" updates="" obsoletes="" ipr="trust200902"xmlns:xi="http://www.w3.org/2001/XInclude"version="3"scripts="Common,Latin"sortRefs="false" consensus="true" symRefs="true" tocDepth="3" tocInclude="true" xml:lang="en"> <front> <titleabbrev='Dynamic DNSabbrev='DNS UpdateLeases'> AnLease'>An EDNS(0)optionOption tonegotiateNegotiate Leases on DNSUpdates </title>Updates</title> <seriesInfo name="RFC" value="9664"/> <authorinitials='S'initials='S.' surname='Cheshire' fullname='Stuart Cheshire'> <organization>Apple Inc.</organization> <address> <postal> <street>One Apple Park Way</street> <city>Cupertino</city><region>California</region><region>CA</region> <code>95014</code><country>USA</country><country>United States of America</country> </postal> <phone>+1 408 974 3207</phone> <email>cheshire@apple.com</email> </address> </author> <authorinitials="T"initials="T." surname="Lemon" fullname="Ted Lemon"> <organization>AppleInc</organization>Inc.</organization> <address> <postal> <street>P.O. Box 958</street> <city>Brattleboro</city><region>Vermont</region><region>VT</region> <country>United States of America</country> <code>05302</code> </postal> <email>mellon@fugue.com</email> </address> </author><date>2023-07-07</date> <area>Internet</area> <workgroup>Internet Engineering Task Force</workgroup><date month="October" year="2024"/> <area>INT</area> <workgroup>dnssd</workgroup> <keyword>DNS Update</keyword> <abstract> <t>This document describes an EDNS(0) option that can be usedbybetween DNS UpdaterequestorsRequesters and authoritative DNS servers to include aleaselifetime (lease duration) in a DNS Update orresponse,DNS Update Response, allowing a server to garbage collect staleresource recordsResource Records that have been added by DNSUpdates</t>Updates if they are not renewed.</t> </abstract><note removeInRFC="true"> <name>About This Document</name> <t> The latest revision of this draft can be found at <eref target="https://dnssd-wg.github.io/draft-ietf-dnssd-update-lease/draft-ietf-dnssd-update-lease.html"/>. Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-dnssd-update-lease/"/>. </t> <t> Discussion of this document takes place on the DNSSD Working Group mailing list (<eref target="mailto:dnssd@ietf.org"/>), which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnssd/"/>. Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnssd/"/>. </t> <t>Source for this draft and an issue tracker can be found at <eref target="https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease"/>.</t> </note></front> <middle> <section> <name>Introduction</name> <t>DynamicDNSUpdate in the Domain Name System (DNS Update) <xref target="RFC2136"/> allows for a mapping from a persistent hostname toa dynamican IPaddress.address that changes over time. This capability is particularly beneficial to mobile hosts, whose IPaddressaddresses may frequently change with location. However, the mobile nature of such hosts often means thatdynamically updated resource recordsResource Records (RRs) added using DNS Update are not properly deleted.Consider, forFor instance, consider a mobile user who publishes addressrecordsRRs viadynamic update.DNS Update. If this user moves their laptop out of range of the Wi-Fi access point, the addressrecordRR containing stale information may remain on the authoritative DNS server indefinitely.AnThus, an extension toDynamicDNS Update isthusrequired to tell the server to automatically deleteresource records if they are not refreshedRRs after a period oftime.</t>time if they are not refreshed.</t> </section> <section> <name>Conventions and Terminology Used inthisThis Document</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> <section><name>Abbreviations</name><name>Terminology</name> <dl><dt>DNS-SD</dt><dd>DNS-based service discovery<dt>DNS-SD:</dt><dd>DNS-based Service Discovery <xref target="RFC6763"/></dd><dt>EDNS(0)</dt><dd>Extension<dt>EDNS(0):</dt><dd>Extension Mechanisms forDNS, version 0DNS <xref target="RFC6891"/></dd> <dt>Update Lease option:</dt><dd>Update Lease EDNS(0) option</dd> <dt>Lease:</dt><dd>An agreement by an authoritative DNS server to continue to publish a record from the time of registration until the lease duration has elapsed and then stop publishing it</dd> <dt>Lease Duration:</dt><dd>The time between the start and end of a lease</dd> <dt>Lease Update Request:</dt><dd>DNS Update Request containing an Update Lease option</dd> <dt>Lease Update Response:</dt><dd>DNS Update Response containing an Update Lease option</dd> <dt>RR:</dt><dd>Resource Record</dd> <dt>Registration Request:</dt><dd>A Lease Update Request that is constructed with the purpose of adding new information that is not thought to already be present on the authoritative DNS server</dd> <dt>Registration:</dt><dd>The result of a successful Registration Request</dd> <dt>Refresh Request:</dt><dd>A Lease Update Request that extends the lease duration on an existing Registration</dd> <dt>Refresh:</dt><dd>The result of a successful Refresh Request</dd> </dl> </section> </section> <section> <name>Mechanisms</name> <t>TheEDNS(0)Update Lease option is included in a standard DNS UpdatemessageRequest <xref target="RFC2136"/> within an EDNS(0) OPT pseudo-RR <xref target="RFC6891"/>.</t> </section> <section anchor="update"><name>Update Message<name>Lease Update Request and Response Format</name> <t>Dynamic DNSLease UpdateLeasesRequests and Responses are formatted as standard DNSDynamicUpdate messages <xref target="RFC2136"/>.This update MUSTSuch messages <bcp14>MUST</bcp14> include the EDNS(0) OPTRR, as described inRR <xref target="RFC6891"/>. This OPT RRMUST<bcp14>MUST</bcp14> include an EDNS(0) Option as shown below.</t> <t>The Update Lease EDNS(0) option is formatted as follows:</t><figure align="center" anchor="lease_opt" suppress-title="true"><artwork align="center"><![CDATA[ Field Name Field Type Description ---------------------------------------------------------------- OPTION-CODE u_int16_t UPDATE-LEASE (2) OPTION-LENGTH u_int16_t 4<table anchor="lease_opt"> <name></name> <thead> <tr> <th>Field Name</th> <th>Field Type</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>OPTION-CODE</td> <td>u_int16_t</td> <td>UPDATE-LEASE (2)</td> </tr> <tr> <td>OPTION-LENGTH</td> <td>u_int16_t</td> <td>4 (LEASE) or 8LEASE u_int32_t desired(LEASE + KEY-LEASE)</td> </tr> <tr> <td>LEASE</td> <td>u_int32_t</td> <td>desired lease(request)duration (Lease Update Request) or granted lease(response),duration (Lease Update response), inseconds KEY-LEASE u_int32_t optionalseconds</td> </tr> <tr> <td>KEY-LEASE</td> <td>u_int32_t</td> <td>optional desired (or granted) lease duration for KEYrecords,RRs, inseconds ]]></artwork></figure> <t>Updateseconds</td> </tr> </tbody> </table> <t>Lease Update Requests contain, in the LEASE field of the OPT RDATA, an unsigned 32-bit integer indicating the leaselifetime,duration in seconds, desired by therequestor,Requester, represented in network (big-endian) byte order. In Lease Update Responses, this field contains the actual lease duration granted by the authoritative DNS server. The lease durations granted by the server may be less than, greater than, or equal to the value requested by therequestor.</t>Requester.</t> <t>There are two variants of theEDNS(0) UPDATE-LEASE option, the basic (4-byte)Update Lease option: The 4-byte variant and theextended (8-byte)8-byte variant.</t> <t>In thebasic (4-byte)4-byte variant, the LEASE indicated in the Update Lease option applies to allresource recordsRRs in the Update section.</t> <t>In theextended (8-byte)8-byte variant, the Update Lease communicates two leaselifetimes.durations. The LEASE indicated in the Update Lease option applies to allresource recordsRRs in the Update section*except*<em>except</em> for KEYrecords.RRs. The KEY-LEASE indicated in the Update Lease option applies to KEYrecordsRRs in the Update section.</t><t>The reason<t>More information about how the two variants are used is given in <xref target="server-behavior" format="default"/>.</t> <t> KEYrecord can beRRs are given a special leasetime is that this record isduration because these RRs are used in the DNS-SD Service Registration Protocol <xreftarget="I-D.ietf-dnssd-srp"/>target="RFC9665"/> to reserve a name (or names) when the service is notpresent.</t>present. </t> <t>In the case of a KEYrecordRR and some otherrecord,RR, obviously the KEYLEASElease duration applies to thekey,KEY RR, and theLEASElease duration applies to the otherrecord.RR. If more than onerecordRR that is not a KEYrecordRR is added by theupdate,Lease Update Request, theLEASElease duration (not the KEYLEASE)lease duration) is applied to all suchrecords. RecordsRRs. RRs that are removed are permanently removed.</t> <section anchor="update-refresh"> <name>Types ofDNSLease UpdateRequest messages</name>Requests</name> <t>This document describes two types ofupdates:Lease Update Requests: Registrations and Refreshes. A Registration Request is aDNSLease Update Request that is intended to add information not already present on the authoritative DNS server. A Refresh Request is intended simply to renew the lease on a previous Registration without changing anything.Both messagesRegistrations and Refreshes areDNSboth Lease Updatemessages,Requests, so the term"DNS"Lease Updatemessage"Request" is to specify behavior that is the same for both types of DNSUpdate message.</t>Update.</t> <t>In somecasescases, it may be necessary to add new information without removing old information. For the purpose of this document, suchmessagesLease Update Requests arereferred to asRegistrations, although ineffecteffect, they may also refresh whatever information is unchanged from a previous registration.</t> </section> <sectionanchor="requestor"> <name>Requestoranchor="requester"> <name>Requester Behavior</name> <t>DNS Updaterequestors MUSTRequesters <bcp14>MUST</bcp14> send an Update Lease option with any DNS Update thatisupdates RRs that are not intended to be present indefinitely. The Update Lease optionSHOULD<bcp14>SHOULD</bcp14> specify atime intervallease duration that is no shorter than 1800 seconds (30 minutes).Requestors MAYRequesters <bcp14>MAY</bcp14> specify a shorter lease duration if they anticipate that therecordsRRs being updated will changesoonermore frequently than every 30 minutes.RequestorsRequesters that expect the updatedrecordsRRs to be relatively staticSHOULD<bcp14>SHOULD</bcp14> request appropriately longerleases.</t>lease durations.</t> <t>If the DNSresponseResponse received by therequestorRequester does not include an Update Lease option, this is an indication that the authoritative DNS server does not support the Update Lease option.The requestor SHOULD inIn thiscasecase, the Requester <bcp14>SHOULD</bcp14> continue sending RefreshmessagesRequests (see below) as if the server had returned an identicalupdate leaseUpdate Lease option in itsresponse.</t>Response.</t> <t>If the DNSresponseResponse does include an Update Lease option, therequestor MUSTRequester <bcp14>MUST</bcp14> use theinterval(s)durations returned in this option when determining when to send Refreshmessages.Requests. This is true both if theinterval(s)durations returned by the server are shorter and if they are longer.</t> <t>When sending aRegistration,Registration Request, therequestor MUSTRequester <bcp14>MUST</bcp14> delay the initial transmission by a random amount of time across the range of 0-3000 milliseconds, with a granularity of no more than 10 milliseconds. This prevents synchronization of multiple devices of the same type at a site upon recovery from a power failure. This requirement applies only to the initial Registration Request onstartup:startup; sinceRefreshesRefresh Requests include a random factor as well, any synchronization that occurs after such an event should quickly randomize.</t><t>Note: the requirement for 10ms<aside> <t>The 10 ms granularity is a scheduling requirement intended to result in an even spread ofrequests,Requests so that everyrequestRequest doesn't come an exact number of seconds after startup. This requirement should not be construed as requiring anything of the link layer on which the packet is transmitted: the link layer may well impose its own constraints on the timing at which a message is sent, and this document does not claim to override such constraints.</t><t>Note: the reason for the 3000ms (three second)</aside> <aside> <t>The use of a 3000 ms (3-second) randomintervaldelay as opposed to some other randomintervaldelay is to allow for enough time to meaningfully spread the load when many devices renew at once, without delaying so long that the delay in discovery of devices becomes obvious to an end user. A 3-second random delay means that if thereareare, forexampleexample, 100 devices, and the random number generator spread is even, we would have one renewal every30ms.30 ms. In practice, on relatively constrained devices acting asSRPService Registration Protocol (SRP) servers, we are seeing the processing time for an SRP registration taking on the order of7ms,7 ms, so this seems reasonable.</t> </aside> </section><section><section anchor="server-behavior"> <name>Server Behavior</name><t>DNS Servers<t>Authoritative DNS servers implementing the Update Lease optionMUST<bcp14>MUST</bcp14> include an Update Lease option in response to any successful DNS Update (RCODE=0) that includes an Update Lease option. ServersMAY<bcp14>MAY</bcp14> returndifferentleaseinterval(s) thandurations different from those specified by therequestor,Requester, grantingrelativelylongeror shorterleases to reduce network traffic due toRefreshes,Refreshes or shorter leases to reduce the lifetime of staledata, respectively.</t> <t>Note thatdata.</t> <t>Although both the 4-byte and 8-bytevariantvariants are valid on bothclientsrequesters and servers,but clientsolder (pre-standard) requesters and servers may exist thatdo notsupport only thenewer 8-byte4-byte variant. Therefore,clientsrequesters and servers thatdo support(as required by thisvariantspecification) support both variants must account for the possibility that theserverpeer with which they are communicatingdoes not.</t>may be an older implementation that supports only the 4-byte variant.</t> <t>Aclientserver that receivesa 4-bytean 8-byte variant from aserver when it sentrequester <bcp14>MUST</bcp14> respond with an 8-byte variantMUST treat the 4-byte variant as specifying bothgiving the granted leasetime and the key lease time. Atimes.</t> <t>A server thatsupports the 8-bytereceives a 4-byte variantMUSTfrom a requester <bcp14>MUST</bcp14> treat the 4-byte variant as specifying both the leasetimeduration and thekeyKEY leasetime. When a server receives a 4-byte variant, it MUSTduration and <bcp14>MUST</bcp14> respond with a 4-byte variant. In thiscasecase, the key and the otherrecordsRRs expire at the same time.</t> <t>A requester that receives a 4-byte variant from a server when it sent an 8-byte variant in its request <bcp14>MUST</bcp14> treat the 4-byte variant as specifying both the lease duration and the KEY lease duration.</t> </section> </section> <section anchor="refresh"> <name>RefreshMessages</name>Requests</name> <t>A RefreshmessageRequest is a DNS UpdatemessageRequest that is sent to the server after an initial DNS Update has beensent,sent in order to prevent the update'srecordsRRs from being garbage collected.</t> <section> <name>RefreshMessageRequest Format</name> <t>RefreshmessagesRequests are formatted likeDynamicUpdateLeasesLease Requests and Update Lease Responses (see <xreftarget="update"/> "Update Message Format").target="update" format="default"/>). The RefreshmessageRequest is constructed with the assumption that theresult of theprevious Registration or Refresh is still in effect.The Refresh message will, inIn the case that therecordsRRs added in a previous update were for some reason garbagecollected,collected (e.g., because of a server reboot that resulted in loss of state), the Refresh Request will result in thoserecordsRRs being added again.</t> <t>The Refreshmessage SHOULD NOTRequest <bcp14>SHOULD NOT</bcp14> include anyupdateDNS Update prerequisites thatwouldwill fail if therequestor'sRequester's previous Registration or Refresh is still in effect. It alsoSHOULD NOT<bcp14>SHOULD NOT</bcp14> include prerequisites that would fail if therecordsRRs affected by the previous Registration or Refresh are no longerpresent--thatpresent; that is, the Refresh Request should also work as aRegistration.Registration Request. There may be cases where this is notpossible,possible; in whichcasecase, the response from the server can be used to determine how to proceed when the Refresh Request fails.</t><t>An update message<t>A Lease Update Request that changes the authoritative DNS server state resulting from a previous Refresh or Registration is aRegistration,Registration Request, not aRefresh.</t>Refresh Request.</t> <t>The Update Lease option in a RefreshmessageRequest contains the desired new lease duration for Requests, and the actual granted lease for Responses. The lease duration provided in LEASEinterval indicatedin the Update Lease option applies to allresource recordsRRs in the Update section of the Refreshrequest,Request, except thatif a KEY-LEASE intervalwhen the 8-byte Update Lease variant isincluded as well, that intervalsent, the duration specified in KEY-LEASE applies to any KEYrecordsRRs included in the Update section.</t> </section> <section><name>Requestor<name>Requester Behavior</name> <t>ArequestorRequester that intendsthatfor itsrecordsRRs from a previousupdate, whether aRegistration ora Refresh,Refresh to remainactive, MUSTactive <bcp14>MUST</bcp14> send a RefreshmessageRequest before the leaseelapses, or elseexpires; otherwise, therecordsRRs will be removed by the server.</t> <t>In order to preventrecordsRegistrations expiring,requestors MUSTRequesters <bcp14>MUST</bcp14> refreshresource records before they expire. At the time of registration,them. When a Lease Update Request succeeds, theclientrequester computesan intervala time limit that is 80% of the leasetimeduration plus a random offset between00% and 5% of the leasetime.duration. The random offset is to prevent refreshes from being synchronized. When thisintervaltime limit has expired, theclient MUST refresh the messagerequester <bcp14>MUST</bcp14> send a Refresh Request if the data in the initial Registration should continue to be advertised.</t> <t>For Refreshmessages,Requests, the server is expected to return an Update Lease option, if supported, just as with the initialRegistration.Registration Request. As with theRegistration,Registration Request, therequestor MUSTRequester <bcp14>MUST</bcp14> use theinterval(s) specifieddurations returned by the server in the Lease Update Response when determining when to send the next Refreshmessage.</t>Request.</t> <t>When sending Refreshmessages,Requests, therequestor MUSTRequester <bcp14>MUST</bcp14> include an Update Lease option, as it didforin the initialRegistration.Registration Request. The Update Lease optionMAY<bcp14>MAY</bcp14> either specify the sameintervalsdurations as in the initialRegistration,Registration Request orMAYuse the values returned by the server in the previous Lease UpdateResponse, whether it was a response to a Registration a Refresh.Response. As with responses toRegistrations,Registration Requests, therequestor MUSTRequester <bcp14>MUST</bcp14> use theintervalslease durations returned by the server in the response when determining when to send the next Refreshmessage.</t>Request.</t> <t>If the Requester sends a Refresh Request message and does not receive a response from the authoritative DNS server, then the Requester should implement a reasonable retry strategy to attempt to refresh the record registrations before they expire. Given that 15% - 20% of the lease lifetime still remains, these retransmissions do not need to be overly aggressive. For example, the Requester could retry nine more times, spaced uniformly at equal intervals from the time of the first failed Refresh attempt until the expiration time of the records. After the expiration time of the records, the Refresh Request effectively turns into a new Registration Request, and further retransmissions after this proceed as described in <xref target="retransmission"/>.</t> <section> <name>Coalescing RefreshMessages</name>Requests</name> <t>If therequestorRequester has performed multiplesuccessfulRegistrations with a singleserver, the requestor MAY include Refreshesserver for different RRs, the Requester <bcp14>MAY</bcp14> send a Refresh Request containing RRs from all such Registrations to that server in a singlemessage.Refresh Request. This effectively places allrecordsRRs for arequestorRequester on the same expiration schedule, reducing network traffic due to Refreshes.</t> <t>In doing so, therequestorRequester includes in the RefreshmessageRequest all existingupdates toRRs previously successfylly registered on the server, including those not yet close to expiration, so long as at least oneresource recordRR updated in themessageRefresh Request has elapsed at least 75% of its originallease.lease duration. If therequestorRequester uses UDP, therequestor MUST NOTRequester <bcp14>MUST NOT</bcp14> coalesce RefreshmessagesRequests if doing so would cause truncation of themessage;Request; in this case, therequestor shouldRequester eithersendsends multiplemessagesRequests orshould useuses TCP to send theentire updatecomplete Refresh Request at once.</t><t>Requestors SHOULD NOT<t>Requesters <bcp14>SHOULD NOT</bcp14> send a RefreshmessagesRequest when all of therecordsRRs in the Refresh Request would have more than 50% of their leaseintervalduration remaining before expiry. However, there may be cases where therequestorRequester needs to send an earlyRefresh,Refresh Request, and itMAY<bcp14>MAY</bcp14> do so. For example, a power-constrained (sleepy) device may need to sendan updatea Refresh Request when the radio is powered so as to avoid having to power it up later.</t> <t>Another case where this may be needed isifwhen the leaseintervalduration registered with the server is no longer appropriate and theRequestorRequester wishes to negotiate a different leaseinterval.duration. However, in this case, if the server does not honor the requestedintervallease duration in its response, therequestor MUST NOTRequester <bcp14>MUST NOT</bcp14> retry this negotiation.</t> </section> </section> <section> <name>Server Behavior</name> <t>Upon receiving a valid Refresh Request, the serverMUST<bcp14>MUST</bcp14> send an acknowledgment. This acknowledgment isidentical to thea Lease Update Responseformatas described in <xref target="update"/>"Update Message Format",and contains the new lease duration of theresource recordsRegistration being Refreshed. The serverMUST NOT<bcp14>MUST NOT</bcp14> increment the serial number of a zone as the result of aRefresh.</t>Refresh Request if the operation does not result in any change to the zone contents.</t> <t>However, the server's state may not match what theclientrequester expects. In this case, a Refresh Request may actually appear to be aRegistration,Registration Request, from the server's perspective. If the Refresh Request changes the contents of the zone, the serverMUST<bcp14>MUST</bcp14> update the zone serial number.</t> </section> </section><section><section anchor="retransmission"> <name>Retransmission Strategy</name> <t>The DNS protocol, including DNS updates, can operate over UDP or TCP. When using UDP, reliable transmission must be guaranteed by retransmitting if a DNS UDP message is not acknowledged in a reasonableinterval.amount of time. Section <xref target="RFC1035" section="4.2.1"sectionFormat="of"/>sectionFormat="bare"/> of the DNS specification <xref target="RFC1035"/> provides some guidance on this topic, as does Section <xref target="RFC1536" section="1"sectionFormat="of"/>.sectionFormat="bare"/> of the IETF's guide to common DNS implementation errors <xref target="RFC1536"/>. Section <xref target="RFC8085" section="3.1.3"sectionFormat="of"/>sectionFormat="bare"/> of the UDP Usage Guidelines <xref target="RFC8085"/> also provides useful guidance that is particularly relevant to DNS.</t> </section> <section> <name>Garbage Collection</name> <t>If theUpdate Leaselease duration ofa resource recordan RR elapses without being refreshed, the authoritative DNS serverMUST NOT<bcp14>MUST NOT</bcp14> returnthe expired recordthat RR in answers to queries. The serverMAY<bcp14>MAY</bcp14> deletethe recordthat RR from its database. The leaseinterval(s)durations returned by the server to therequestorRequester are used in determining when the lease ona resource recordan RR has expired.</t> <t>For allresource recordsRRs other than a KEYrecordRR included in aDNSLease Updaterequest,Request, theUpdate Leaselease duration is the LEASE value in the Update Lease option. For KEYrecords,RRs, if the optional KEY-LEASE value was included, thisintervalduration is used rather than theintervalduration specified in the LEASE. If the KEY-LEASE was not specified, theintervalduration specified in the LEASE isused.used for all RRs in the Lease Update Request. </t> </section><section title="Security Considerations"> <t><xref<section> <name>Security Considerations</name> <t>Section <xref target="RFC2136" section="8"sectionFormat="of"/>sectionFormat="bare"/> of the DNS Update specification <xref target="RFC2136"/> describes problems that can occur around DNS updates. Servers implementing this specification should follow these recommendations.</t> <t>Several additional issues can arise when relying on the Update Leaseoption. First,option.</t> <t>First, a too-long leasetimeduration is not much differentthanfrom no leasetime:duration: therecordsRRs associated withthis lease timesuch a Registration will effectively never be cleaned up. Servers implementing Update Lease should have a default upper bound on the maximum acceptable value both for the LEASE and KEY-LEASE values sent by theclient. Servers MAY provide a way for the operator to change this upper limit.requester. Default values for these limits of 24 hours and 7 days, respectively, areRECOMMENDED.</t><bcp14>RECOMMENDED</bcp14>. Servers <bcp14>MAY</bcp14> provide a way for the operator to change this upper limit.</t> <t>The second issue is that a too-short lease can result in increased server load asrequestorsRequesters rapidly renewthe lease.such Registrations. A delay in renewing could result in thedataregistered RRs being removed prematurely. Servers implementing Update LeaseMUST<bcp14>MUST</bcp14> have a default minimum leaseintervalduration that avoids this issue.We RECOMMEND aA minimum of 30 seconds for both the LEASE and KEY-LEASEintervals.durations is <bcp14>RECOMMENDED</bcp14>. However, in most cases, much longer leasetimesdurations (for example, an hour)are RECOMMENDED.</t><bcp14>SHOULD</bcp14> be used. Servers <bcp14>MAY</bcp14> provide a way for the operator to change this lower limit.</t> <t>There may be some cost associated with renewing leases. A malicious (or buggy)clientrequester could renew at a high rate in order to overload the server more than it would be overloaded by query traffic. This risk is present forregularan authoritative server handling normal (no-lease) DNSupdateUpdates as well.The server MUST enforce a minimum interval between updates. After a Refresh or Registration has been successfully processed and acknowledged, another UpdateServers should follow established industry best practices to guard against flooding attacks, both for malicious flooding ofeither type from the client during that interval MUST be silently ignored by the server.</t>DNS messages over UDP and for similar flooding attacks using TCP <xref target="SYN" format="default"/> <xref target="RFC4953" format="default"/>.</t> <t>Some authentication strategy should be used when accepting DNS updates. Shared secret <xref target="RFC8945"/> or public key signing(e.g.(e.g., SIG(0) <xref target="RFC2931"/>) should be required. Keys should have limited authority: compromise of a key should not result in compromise of the entire contents of one or more zones managed by the server. Key management strategy is out of scope for this document.An example of a key management strategy can be found inService Registration Protocol <xreftarget="I-D.ietf-dnssd-srp"/>, whichtarget="RFC9665"/> uses"first come, first-served naming"DNS Update Leases with "First Come, First Served Naming" rather than an explicit trust establishmentprocess,process to confer update permission to a set ofrecords.</t>RRs.</t> </section> <section> <name>IANA Considerations</name><t>The EDNS(0) OPTION CODE 2<t>IANA hasalready been assigned for this DNS extension. This document appears inupdated theDNS"DNS EDNS0 Option Codes(OPT)(OPT)" registry <xreftarget="EDNS0Codes"/> with the name 'UL' and the status 'On-hold,' and a document reference to an older version of this document. When this document has been approved, the IANA is asked to update the registrytarget="EDNS0Reg"/> asfollows:</t> <sourcecode> OLD: Value: 2 Name: UL Status: On-hold Reference: http://files.dns-sd.org/draft-sekar-dns-ul.txt NEW: Value:regards value 2Name: Update Lease Status: Standard Reference: [this document] </sourcecode>as follows:</t> <dl newline="false" spacing="compact"> <dt>Value:</dt> <dd>2</dd> <dt>Name:</dt> <dd>Update Lease</dd> <dt>Status:</dt> <dd>Standard</dd> <dt>Reference:</dt> <dd>RFC 9664</dd> </dl> </section><section></middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6891.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1536.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2931.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4953.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8085.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8945.xml"/> <!-- [I-D.ietf-dnssd-srp] companion document RFC 9665--> <reference anchor="RFC9665" target="https://www.rfc-editor.org/info/rfc9665"> <front> <title>Service Registration Protocol for DNS-Based Service Discovery</title> <author fullname="Ted Lemon" initials="T." surname="Lemon"> <organization>Apple Inc.</organization> </author> <author fullname="Stuart Cheshire" initials="S." surname="Cheshire"> <organization>Apple Inc.</organization> </author> <date month="October" year="2024"/> </front> <seriesInfo name="RFC" value="9665"/> <seriesInfo name="DOI" value="10.17487/RFC9665"/> </reference> <reference anchor="EDNS0Reg" target="https://www.iana.org/assignments/dns-parameters"> <front> <title>DNS EDNS0 Option Codes (OPT)</title> <author> <organization>IANA</organization> </author> </front> </reference> <reference anchor="SYN" target="https://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/ipj_9-4.pdf"> <front> <title>Defenses Against TCP SYN Flooding Attacks</title> <author initials="W." surname="Eddy" fullname="Wesley Eddy"> <organization>Verizon Federal Network Systems</organization> <address> <email>weddy@grc.nasa.gov</email> </address> </author> <date year="2006" month="December"/> <keyword>TCP</keyword> </front> <refcontent>The Internet Protocol Journal</refcontent> <refcontent>Cisco Systems</refcontent> <refcontent>Volume 9</refcontent> <refcontent>Number 4</refcontent> </reference> </references> </references> <section numbered="false"> <name>Acknowledgments</name> <t>Thanks toMarc Krochmal and Kiren Sekar<contact fullname="Marc Krochmal"/> and <contact fullname="Kiren Sekar"/> for their work in 2006 on the precursor to this document. Thanks also toRoger Pantos and Chris Sharp<contact fullname="Roger Pantos"/> and <contact fullname="Chris Sharp"/> for their contributions. Thanks toChris Box, Esko Dijk, Jonathan Hui, Peter<contact fullname="Chris Box"/>, <contact fullname="Esko Dijk"/>, <contact fullname="Jonathan Hui"/>, <contact fullname="Peter vanDijk, Abtin Keshvarzian, Nathan Dyck, Steve Hanna, Gabriel Montenegro, Kangping Dong, and Tim WicinskiDijk"/>, <contact fullname="Abtin Keshvarzian"/>, <contact fullname="Nathan Dyck"/>, <contact fullname="Steve Hanna"/>, <contact fullname="Gabriel Montenegro"/>, <contact fullname="Kangping Dong"/>, and <contact fullname="Tim Wicinski"/> for their working group reviews of this document. Thanks toDavid Dong, Olafur Gudmundsson, Brian Trammel, and Shivan Sahib<contact fullname="David Dong"/>, <contact fullname="Olafur Gudmundsson"/>, <contact fullname="Brian Trammel"/>, and <contact fullname="Shivan Sahib"/> for their directorate reviews and IANA reviews.</t> </section></middle> <back> <!-- This needLines directive is to keep the Authors' Addresses heading from being split from the list --> <!-- <displayreference target="I-D.sctl-service-registration" to="RegProt"/> --> <!-- <displayreference target="I-D.ietf-dnssd-hybrid" to="I-D.ietf-dnssd-hybrid"/> appears to not work in xml2rfc 2.6.2 --> <references title="Normative References"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2136.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6891.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references title="Informative References"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1536.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2931.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8085.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8945.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-dnssd-srp.xml"/> <reference anchor="EDNS0Codes" target="https://www.iana.org/assignments/dns-parameters/dns-parameters.xml"> <front> <title>DNS EDNS0 Option Codes (OPT)</title> <author/> <date month="April" year="2023"/> </front> </reference> </references></back> </rfc>