Discovery Proxy for Multicast DNS-Based Service DiscoveryApple Inc.One Apple Park WayCupertinoCalifornia95014United States of America+1 (408) 996-1010cheshire@apple.com
INT
DNSSDMulticast DNSDNS-Based Service DiscoveryThis document specifies a network proxy that uses Multicast DNS
to automatically populate the wide-area unicast Domain Name System
namespace
with records describing devices and services found on the local
link.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Operational Analogy
. Conventions and Terminology Used in This Document
. Compatibility Considerations
. Discovery Proxy Operation
. Delegated Subdomain for DNS-based Service Discovery
Records
. Domain Enumeration
. Domain Enumeration via Unicast Queries
. Domain Enumeration via Multicast Queries
. Delegated Subdomain for LDH Host Names
. Delegated Subdomain for Reverse Mapping
. Data Translation
. DNS TTL Limiting
. Suppressing Unusable Records
. NSEC and NSEC3 Queries
. No Text-Encoding Translation
. Application-Specific Data Translation
. Answer Aggregation
. Administrative DNS Records
. DNS SOA (Start of Authority) Record
. DNS NS Records
. DNS Delegation Records
. DNS SRV Records
. Domain Enumeration Records
. DNSSEC Considerations
. Online Signing Only
. NSEC and NSEC3 Records
. IPv6 Considerations
. Security Considerations
. Authenticity
. Privacy
. Denial of Service
. IANA Considerations
. References
. Normative References
. Informative References
. Implementation Status
. Already Implemented and Deployed
. Already Implemented
. Partially Implemented
Acknowledgments
Author's Address
IntroductionMulticast DNS and its
companion technology DNS-based Service Discovery were created to provide IP networking with the ease
of use and autoconfiguration for which AppleTalk was well known .For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link from
the point of view of IP), Multicast DNS is sufficient for client devices
to look up the ".local" host names of peers on the same home network,
and to use Multicast DNS-based
Service Discovery (DNS-SD) to discover services offered on that
home network.For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, are not propagated onto other
links.Using link-local multicast packets for Multicast DNS was a conscious
design choice . Even when
limited to a single link, multicast traffic is still generally
considered to be more expensive than unicast, because multicast traffic
impacts many devices instead of just a single recipient. In addition,
with some technologies like Wi-Fi , multicast traffic is inherently less
efficient and less reliable than unicast, because Wi-Fi multicast
traffic is sent at lower data rates, and is not acknowledged .
Increasing the amount of expensive multicast traffic by flooding it
across multiple links would make the traffic load even worse.Partitioning the network into many small links curtails the spread
of expensive multicast traffic but limits the discoverability of
services.
At the opposite end of the spectrum, using a very large local link with
thousands of hosts enables better
service discovery but at the cost of larger amounts of multicast
traffic.Performing DNS-based Service Discovery using purely Unicast DNS is
more efficient and doesn't require large multicast domains but does
require that the relevant data be available in the Unicast DNS
namespace.
The Unicast DNS namespace in question could fall within a traditionally
assigned globally unique domain name, or it could be within a private
local
unicast domain name such as ".home.arpa" .In the DNS-SD specification ("Populating
the DNS with Information") discusses various possible ways that a
service's PTR, SRV, TXT, and address records can make their way into the
Unicast DNS namespace, including manual zone file configuration , DNS Update , and
proxies
of various kinds.One option is to make the relevant data available in the Unicast DNS
namespace by
manual DNS configuration. This option has been used for
many years at IETF meetings to advertise the IETF terminal room printer.
Details of this example are given in the
Roadmap document. However, this manual DNS configuration is
labor intensive, error prone, and requires a reasonable degree of DNS
expertise.Another option is to populate the Unicast DNS namespace by having
the devices offering the services do that themselves, using DNS Update
.
However, this requires configuration
of DNS Update keys on those devices, which has proven onerous and
impractical for simple devices like printers and network cameras.Hence, to facilitate efficient and reliable DNS-based Service
Discovery,
a hybrid is needed that combines the ease of use of
Multicast DNS with the efficiency and scalability of Unicast DNS.This document specifies a type of proxy called a "Discovery Proxy"
that uses Multicast DNS
to discover
Multicast DNS records on its local link on demand, and makes
corresponding
DNS records visible in the Unicast DNS namespace.In principle, similar mechanisms could be defined
for other local discovery protocols, by creating a proxy that
(i) uses the protocol in question to discover local information on
demand, and then
(ii) makes corresponding DNS records visible in the Unicast
DNS namespace. Such mechanisms for other local discovery
protocols could be addressed in future documents.The design of the Discovery Proxy is guided by the previously
published DNS-based Service Discovery requirements document
.In simple terms, a descriptive DNS name is chosen for
each link in an organization.
Using a DNS NS record, responsibility for that DNS name is delegated to
a Discovery Proxy physically attached to that link.
When a remote client issues a unicast query for a name falling
within
the delegated subdomain, the normal DNS delegation mechanism
results in the unicast query arriving at the Discovery Proxy,
since it has been declared authoritative for those names.
Now, instead of consulting a textual zone file on disk to discover
the answer to the query as a traditional authoritative DNS server would,
a Discovery Proxy consults its local link, using Multicast DNS,
to find the answer to the question.For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.Note that the Discovery Proxy uses a "pull" model.
Until some remote client has requested data,
the local link is not queried using Multicast DNS.
In the idle state, in the absence
of client requests, the Discovery Proxy sends no packets and imposes
no burden on the network. It operates purely "on demand".An alternative proposal that has been discussed is a proxy that
performs DNS updates to a remote DNS server on behalf of the Multicast
DNS devices on the local network. The difficulty with this is that
Multicast DNS devices do not routinely announce their records on the
network. Generally, they remain silent until queried. This means that
the complete set of Multicast DNS records in use on a link can only be
discovered by active querying, not by passive listening. Because of
this, a proxy can only know what names exist on a link by issuing
queries for them, and since it would be impractical to issue queries for
every possible name just to find out which names exist and which do not,
there is no reasonable way for a proxy to programmatically learn all the
answers it would need to push up to the remote DNS server using DNS
Update. Even if such a mechanism were possible, it would risk
generating high load on the network continuously, even when there are no
clients with any interest in that data.Hence, having a model where the query comes to the Discovery Proxy
is much more efficient than
a model where the Discovery Proxy pushes the answers out
to some other remote DNS server.A client seeking to discover services and other information performs
this by sending traditional DNS queries to the Discovery Proxy or by
sending DNS Push Notification subscription requests .How a client discovers what domain name(s) to use for its
DNS-based Service Discovery queries
(and, consequently, what Discovery Proxy or Proxies to use)
is described in .The diagram below illustrates a network topology using a
Discovery Proxy to provide discovery service to a remote client.Note that there need not be any Discovery Proxy on the link
to which the remote client is directly attached.
The remote client communicates directly with the Discovery Proxy
using normal unicast TCP/IP communication mechanisms,
potentially spanning multiple IP hops,
possibly including VPN tunnels and other similar
long-distance communication channels.
Operational AnalogyA Discovery Proxy does not operate as a multicast relay or multicast
forwarder. There is no danger of multicast forwarding loops that result
in traffic storms, because no multicast packets are forwarded. A
Discovery Proxy operates as a proxy for remote clients,
performing
queries on their behalf and reporting the results back.A reasonable analogy is making a telephone call to a colleague at
your workplace and saying, "I'm out of the office right now. Would you
mind bringing up a printer browser window and telling me the names of
the printers you see?" That entails no risk of a forwarding loop causing
a traffic storm, because no multicast packets are sent over the
telephone call.A similar analogy, instead of enlisting another human being
to initiate the service discovery operation on your behalf, is
to log in to your own desktop work computer using screen sharing
and then run the printer browser yourself to see the list of printers.
Or, log in using Secure Shell (ssh) and type "dns-sd -B _ipp._tcp" and
observe the
list of discovered printer names. In neither case is there any risk
of a forwarding loop causing a traffic storm, because no multicast
packets are being sent over the screen-sharing or ssh connection.The Discovery Proxy provides another way of performing remote
queries,
which uses a different protocol instead of screen sharing or ssh.
The Discovery Proxy mechanism can be thought of as a custom Remote
Procedure Call (RPC) protocol that allows a remote client to exercise
the Multicast DNS APIs on the Discovery Proxy device, just as a local
client running on the Discovery Proxy device would use those APIs.When the Discovery Proxy software performs Multicast DNS
operations, the exact same Multicast DNS caching mechanisms are
applied as when any other client software on that Discovery Proxy
device performs Multicast DNS operations, regardless of whether that be
running
a printer browser client locally, a remote user running the
printer browser client via a screen-sharing connection, a remote
user logged in via ssh running a command-line tool like "dns-sd",
or a remote user sending DNS requests that cause a Discovery Proxy
to perform discovery operations on its behalf.Conventions and Terminology Used in This Document
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are
to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
The Discovery Proxy builds on Multicast DNS,
which works between hosts on the same link.
For the purposes of this document,
a set of hosts is considered to be "on the same link" if:
when any host from that set sends a packet to any other host
in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and
a broadcast sent over that link, by any host from that set of
hosts,
can be received by every other host in that set.
The link-layer header may be modified, such as in Token Ring
Source Routing
,
but not the link-layer payload.
In particular, if any device forwarding a packet modifies any
part of the IP header or IP payload, then the packet is no longer
considered to be on the same link. This means that the packet may
pass through devices such as repeaters, bridges, hubs, or switches
and still be considered to be on the same link for the purpose of
this document, but not through a device such as an IP router that
decrements the IP TTL or otherwise modifies the IP header.Compatibility ConsiderationsNo changes to existing devices are required to work with a Discovery
Proxy.Existing devices that advertise services using Multicast DNS work
with a Discovery Proxy.Existing clients that support DNS-based Service Discovery over
Unicast DNS work with a Discovery Proxy. DNS-based Service Discovery
over Unicast
DNS was introduced in Mac OS X 10.4 Tiger in April 2005 and has been
included in
Apple products introduced since then, including the iPhone and iPad.
It has also been included in
products from other vendors, such as Microsoft Windows 10.An overview of the larger collection of associated DNS-based Service
Discovery
technologies, and how the Discovery Proxy technology relates to those,
is given in the
Service Discovery Road Map document .Discovery Proxy OperationIn a typical configuration, a Discovery Proxy is configured
to be authoritative
for four or more DNS subdomains, listed below.
Authority for these subdomains is delegated
from the parent domain to the Discovery Proxy
in the usual way for DNS delegation, via NS records.
A DNS subdomain for DNS-based Service Discovery records.
This subdomain name may contain rich text, including
spaces and other punctuation. This is because this
subdomain name is used only in graphical user interfaces,
where rich text is appropriate.
A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters,
digits, and
hyphens in order to facilitate the convenient use of host
names in
command-line
interfaces.
One or more DNS subdomains for IPv4 Reverse Mapping records.
These subdomains will have names that end in "in-addr.arpa".
One or more DNS subdomains for IPv6 Reverse Mapping records.
These subdomains will have names that end in "ip6.arpa".
In an enterprise network, the naming and delegation of these
subdomains
is typically performed by conscious action of the network administrator.
In a home network, naming and delegation would typically be performed
using some automatic configuration mechanism such as Home Networking
Control Protocol (HNCP)
.These three varieties of delegated subdomains
(service discovery, host names, and reverse mapping) are described below
in Sections , , and .How a client discovers where to issue its DNS-based Service Discovery
queries
is described in .Delegated Subdomain for DNS-based Service Discovery
RecordsIn its simplest form, each link in an organization
is assigned a unique Unicast DNS domain name such as
"Building 1.example.com" or
"2nd Floor.Building 3.example.com".
Grouping multiple links under a single Unicast DNS domain
name is to be specified in a future companion document, but for
the purposes of this document, assume that each link has its own
unique Unicast DNS domain name.
In a graphical user interface these names are not displayed
as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface
(which is harder to illustrate in a text-only document)
showing folders, subfolders, and files in a file system.
Each named link in an organization has one or more Discovery
Proxies that serve it. This Discovery Proxy function
could be performed by a device like a router or switch that is
physically attached to that link. In the parent domain, NS records
are used to delegate ownership of each defined link name
(e.g., "Building 1.example.com") to one or more
Discovery Proxies that serve the named link. In other words, the
Discovery Proxies are the authoritative name servers for that
subdomain. As in the rest of DNS-based Service Discovery, all names
are represented as-is using plain UTF-8 encoding and, as described in
, no text-encoding
translations are performed.With appropriate VLAN
configuration , a
single Discovery Proxy device could have a
logical presence on many links and serve as the Discovery Proxy for
all those links. In such a configuration, the Discovery Proxy device
would have a single physical Ethernet port, configured as a VLAN trunk
port, which would appear to software on that device as multiple
virtual Ethernet interfaces, one connected to each of the VLAN
links.As an alternative to using VLAN technology, using a Multicast DNS
Discovery Relay
is another way that a Discovery Proxy can have
a "virtual" presence on a remote link.When a DNS-SD client issues a Unicast DNS query to discover
services in a particular Unicast DNS subdomain
(e.g., "_ipp._tcp.Building 1.example.com. PTR ?"),
the normal DNS delegation mechanism results in that query being
forwarded until it reaches the delegated authoritative name server for
that subdomain, namely, the Discovery Proxy on the link in question.
Like a conventional Unicast DNS server, a Discovery Proxy implements
the usual Unicast DNS protocol over UDP
and TCP. However, unlike a conventional Unicast DNS server that
generates answers from the data in its manually configured zone file,
a Discovery Proxy learns answers using Multicast DNS. A Discovery
Proxy does this by consulting its Multicast DNS cache and/or issuing
Multicast DNS queries, as appropriate according to the usual protocol
rules of Multicast DNS ,
for the corresponding Multicast DNS name, type, and class, with the
delegated zone part of the name replaced with ".local" (e.g., in
this case, "_ipp._tcp.local. PTR ?"). Then, from the
received Multicast DNS data, the Discovery Proxy synthesizes the
appropriate Unicast DNS response, with the ".local" top-level label
of the owner name
replaced with the name of the delegated zone.
Further details of the name translation rules are
described in .
Rules specifying how long the Discovery
Proxy should wait to accumulate Multicast DNS responses before sending
its unicast reply are described in .
The existing Multicast DNS caching mechanism is used to minimize
unnecessary Multicast DNS queries on the wire. The Discovery Proxy is
acting as a client of the underlying Multicast DNS subsystem and
benefits from the same caching and efficiency measures as any other
client using that subsystem.Note that the contents of the delegated zone, generated as it is by
performing ".local" Multicast DNS queries, mirrors the records
available on the local link via Multicast DNS very closely, but not
precisely. There is not a full bidirectional equivalence between the
two. Certain records that are available via Multicast DNS may not
have equivalents in the delegated zone possibly because they are
invalid or not relevant in the delegated zone or because they are
being suppressed because they are unusable outside the local link (see
). Conversely, certain
records that appear in the delegated zone may not have corresponding
records available on the local link via Multicast DNS. In particular,
there are certain administrative SRV records (see ) that logically fall within the delegated zone but
semantically represent metadata about the zone rather than
records
within the zone. Consequently, these administrative records
in
the delegated zone do not have any corresponding counterparts in the
Multicast DNS namespace of the local link.Domain EnumerationA DNS-SD client performs Domain Enumeration via certain PTR queries, using both unicast and
multicast.If a DNS-SD client receives a Domain Name configuration via DHCP
then it issues
unicast queries derived from this domain name. It also issues unicast
queries using
names derived from its IPv4 subnet address(es) and IPv6 prefix(es).
These unicast Domain Enumeration queries are described
in .
A DNS-SD client
also issues multicast Domain Enumeration queries in the "local" domain
, as described in
. The results of all the
Domain Enumeration queries are combined for DNS-based Service
Discovery
purposes.Domain Enumeration via Unicast QueriesThe (human or automated) administrator creates
Unicast DNS Domain Enumeration PTR records to inform clients of available
service discovery domains. Two varieties of such Unicast DNS Domain
Enumeration
PTR records exist: those with names derived from the domain name
communicated to the clients via
DHCP option 15,
and those with names derived
from either IPv4 subnet address(es) or IPv6 prefix(es) in use by the
clients. Below is an example showing the name-based variety,
where the DHCP server configured the client with the domain name
"example.com":
b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com.
PTR Building 3.example.com.
PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com.The meaning of these records is defined in the DNS-based Service
Discovery specification but, for convenience, is repeated
here.
The "b" ("browse") records tell the client device the list of
browsing domains to display for the user to select from. The "db"
("default browse") record tells the client device which domain in
that list should be selected by default. The "db" domain
MUST be one of the domains in the "b" list; if not,
then no domain is selected by default. The "lb" ("legacy browse")
record tells the client device which domain to automatically browse
on behalf of applications that don't implement user interface for
multi-domain
browsing (which is most of them at the time of writing). The "lb"
domain is often the same as the "db" domain, or sometimes the "db"
domain plus one or more others that should be included in the list
of automatic browsing domains for legacy clients.Note that in the example above, for clarity, space characters in
names are shown as actual spaces. If this data is manually entered
into a textual zone file for authoritative server software such as
BIND, care must be taken because the space character is used as a
field separator, and other characters like dot ('.'), semicolon
(';'), dollar ('$'), backslash ('\'), etc., also have special
meaning. These characters have to be escaped when entered into a
textual zone file, following the rules in the DNS specification. For
example, a literal space in a name is represented in the textual
zone file using '\032', so "Building 1.example.com" is entered
as "Building\0321.example.com".DNS responses are limited to a maximum size of 65535 bytes.
This limits the maximum number of domains that can be returned for
a Domain Enumeration query as follows:A DNS response header is 12 bytes.
That's typically followed by a single qname (up to 256 bytes)
plus qtype (2 bytes) and qclass (2 bytes), leaving 65275
for the Answer Section.An Answer Section Resource Record consists of:
Owner name, encoded as a compression pointer, 2 bytes
RRTYPE (type PTR), 2 bytes
RRCLASS (class IN), 2 bytes
TTL, 4 bytes
RDLENGTH, 2 bytes
RDATA (domain name), up to 256 bytes
This means that each Resource Record in the Answer Section can
take up to 268 bytes total, which means that the Answer Section
can contain, in the worst case, no more than 243 domains.In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names
so that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that
the Answer Section can contain up to 466 domains.It is anticipated that this should be sufficient for even a large
corporate network or university campus.Domain Enumeration via Multicast QueriesIn the case where Discovery Proxy functionality is widely
deployed within an enterprise (either by having a Discovery Proxy
physically on
each link, or by having a Discovery Proxy with a remote "virtual"
presence on each link using VLANs or Multicast DNS Discovery Relays
),
this offers an additional way to provide Domain Enumeration
configuration data for
clients.Note that this function of the Discovery Proxy is
supplementary to the primary purpose of the Discovery Proxy,
which is to facilitate remote clients discovering services
on the Discovery Proxy's local link.
This publication of Domain Enumeration configuration data
via link-local multicast on the Discovery
Proxy's local link is performed for the benefit of local
clients
attached to that link, and typically directs those clients to
contact other distant Discovery Proxies attached to other links.
Generally, a client does not need to use the local Discovery
Proxy on its own link, because a client is generally able to
perform its own Multicast DNS queries on that link.
(The exception to this is when the local Wi-Fi access point is
blocking or filtering local multicast traffic, requiring even local
clients to use their local Discovery Proxy to perform local
discovery.)A Discovery Proxy can be configured to generate Multicast DNS
responses
for the following Multicast DNS Domain Enumeration queries issued by
clients:
b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ?This provides the ability for Discovery Proxies to indicate
recommended browsing domains to DNS-SD clients on a per-link
granularity. In some enterprises, it may be preferable to provide
this per-link configuration information in the form of Discovery
Proxy
configuration data rather than by populating the Unicast DNS servers
with
the same data (in the "ip6.arpa" or "in-addr.arpa" domains).Regardless of how the network operator chooses to provide this
configuration
data, clients will perform Domain Enumeration via both unicast and
multicast
queries and then combine the results of these queries.Delegated Subdomain for LDH Host NamesDNS-SD service instance names and domains are allowed
to contain arbitrary Net-Unicode text ,
encoded as precomposed UTF-8 .Users typically interact with service discovery software by
viewing a list of discovered service instance names on a display
and selecting one of them by pointing, touching, or clicking.
Similarly, in software that provides a multi-domain DNS-SD user
interface, users view a list of offered domains on the display
and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance
names, or type them; users just have to be able to recognize what
they see on the display and touch or click on the thing they want.In contrast, host names are often remembered and typed. Also, host
names have historically been used in command-line interfaces where
spaces can be inconvenient. For this reason, host names have
traditionally been restricted to letters, digits, and hyphens (LDH)
with no spaces or other punctuation.While we do want to allow
rich text for DNS-SD service instance names and domains, it is
advisable, for maximum compatibility with existing usage, to restrict
host names to the traditional letter-digit-hyphen rules. This means
that while the service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable
and desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at
"example.com"), the host name "My-Printer.Building 1.example.com"
is less desirable (because of the space in "Building 1").To accommodate this difference in allowable characters, a Discovery
Proxy SHOULD support having two separate subdomains
delegated to it for each link it serves: one whose name is allowed to
contain arbitrary Net-Unicode text , and a second more constrained subdomain whose name
is restricted to contain only letters, digits, and hyphens, to be used
for host name records (names of 'A' and 'AAAA' address records). The
restricted names may be any valid name consisting of only letters,
digits, and hyphens, including Punycode-encoded names .
For example, a Discovery Proxy could have the two subdomains
"Building 1.example.com" and "bldg‑1.example.com" delegated
to it.
The Discovery Proxy would then translate these two Multicast DNS
records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2into Unicast DNS records as follows:
My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg-1.example.com.
prnt.bldg-1.example.com. A 203.0.113.2Note that the SRV record name is translated using the rich-text
domain name ("Building 1.example.com"), and the address record
name is translated using the LDH domain ("bldg‑1.example.com").
Further details of the name translation rules are
described in .A Discovery Proxy MAY support only a single
rich-text Net-Unicode domain and use that domain for all records,
including 'A' and 'AAAA' address records, but implementers choosing
this option should be aware that this choice may produce host names
that are awkward to use in command-line environments. Whether or not
this is
an issue depends on whether users in the target environment are
expected to be using command-line interfaces.A Discovery Proxy MUST NOT be restricted to support
only a
letter-digit-hyphen
subdomain, because that results in an unnecessarily poor user
experience.As described in , for
clarity, in examples here space characters in names are shown as
actual spaces. If
this dynamically discovered data were to be manually entered into a
textual zone file (which
it isn't), then spaces would need to be represented using '\032', so
"My Printer._ipp._tcp.Building 1.example.com" would become
"My\032Printer._ipp._tcp.Building\0321.example.com".
Note that the '\032' representation does not appear in DNS messages
sent over the air. In the wire format of DNS messages, spaces are sent as
spaces, not as '\032', and likewise, in a graphical user interface at the
client device, spaces are shown as spaces, not as '\032'.
Delegated Subdomain for Reverse MappingA Discovery Proxy can facilitate easier management of reverse
mapping domains, particularly for IPv6 addresses where manual
management may be more onerous than it is for IPv4 addresses.To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to
the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain.
For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.If a given link is using the IPv4 subnet 203.0.113/24,
then the domain "113.0.203.in-addr.arpa"
is delegated to the Discovery Proxy for that link.If a given link is using the
IPv6 prefix 2001:0DB8:1234:5678::/64,
then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
is delegated to the Discovery Proxy for that link.When a reverse mapping query arrives at the Discovery Proxy, it
issues the identical query on its local link, as a Multicast DNS
query.
The mechanism to force an apparently unicast name to be resolved using
link-local Multicast DNS varies depending on the API set being used.
For example, in the "dns_sd.h" APIs (available on macOS, iOS, Bonjour
for Windows, Linux, and Android), using kDNSServiceFlagsForceMulticast
indicates that the DNSServiceQueryRecord() call should perform the
query using Multicast DNS. Other API sets have different ways of
forcing multicast queries. When the host owning that IPv4 or IPv6
address responds with a name of the form "something.local", the
Discovery Proxy rewrites it to use its configured LDH host name
domain instead of ".local" and returns the response to the caller.For example, a Discovery Proxy with the two subdomains
"113.0.203.in‑addr.arpa" and "bldg‑1.example.com" delegated
to it
would translate this Multicast DNS record:
2.113.0.203.in-addr.arpa. PTR prnt.local.into this Unicast DNS response:
2.113.0.203.in-addr.arpa. PTR prnt.bldg-1.example.com.In this example the "prnt.local" host name is translated
using the delegated LDH subdomain, as described in
.Subsequent queries for the prnt.bldg‑1.example.com address
record, falling as it does within the bldg‑1.example.com domain,
which is delegated to this Discovery Proxy, will arrive at this
Discovery Proxy where they are answered by issuing Multicast DNS
queries
and using the received Multicast DNS answers to synthesize Unicast
DNS responses, as described above.Note that this description assumes that all addresses on a given
IPv4 subnet or IPv6 prefix are mapped to host names using the
Discovery
Proxy mechanism.
It would be possible to implement a Discovery Proxy that can be
configured
so that some address-to-name mappings are performed using Multicast
DNS
on the local link, while other address-to-name mappings within the
same
IPv4 subnet or IPv6 prefix are configured manually.Data TranslationFor the delegated rich-text and LDH subdomains,
generating appropriate Multicast DNS queries
involves translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side
to ".local" on the Multicast DNS side.For the delegated reverse-mapping subdomain,
generating appropriate Multicast DNS queries
involves using the appropriate API mechanism to
indicate that a query should be performed using
Multicast DNS, as described in
.Generating appropriate Unicast DNS responses from the
received Multicast DNS answers involves translating back
from ".local" to the appropriate configured Unicast DNS
domain as necessary, as described below.In the examples below, the delegated subdomains are as follows:
Delegated subdomain for rich-text names Building 1.example.com.
Delegated subdomain for LDH names bldg‑1.example.com.
Delegated subdomain for IPv4 reverse mapping 113.0.203.in-addr.arpa.Names in Multicast DNS answers that do not end in ".local"
do not require any translation.Names in Multicast DNS answers that end in ".local"
are only meaningful on the local link, and require translation
to make them useable by clients outside the local link.Names that end in ".local" may appear both as the
owner names of received Multicast DNS answer records,
and in the RDATA of received Multicast DNS answer records.In a received Multicast DNS answer record,
if the owner name ends with ".local",
then the ".local" top-level label is replaced with the name
of the delegated subdomain as was used in the originating query.In a received Multicast DNS answer record,
if a name in the RDATA ends with ".local",
then the name is translated according to the delegated subdomain
that was used in the originating query, as explained below.For queries in subdomains delegated for LDH host names,
".local" names in RDATA
are translated to that delegated LDH subdomain.
For example, a query for "thing.bldg‑1.example.com" will be
translated to a
Multicast DNS query for "thing.local". If that query returns this
CNAME record:
thing.local. CNAME prnt.local.then both the owner name and the name in the RDATA
are translated from ".local" to the LDH subdomain
"bldg‑1.example.com":
thing.bldg‑1.example.com. CNAME prnt.bldg‑1.example.com.For queries in subdomains delegated for reverse mapping names,
".local" names in RDATA
are translated to the delegated LDH subdomain, if one is configured,
or to the delegated rich-text subdomain otherwise.
For example, consider a reverse mapping query that returns this PTR
record:
2.113.0.203.in-addr.arpa. PTR prnt.local.The owner name is not translated because it does not end in
".local".
The name in the RDATA is
translated from ".local" to the LDH subdomain
"bldg‑1.example.com":
2.113.0.203.in-addr.arpa. PTR prnt.bldg‑1.example.com.For queries in subdomains delegated for rich-text names,
".local" names in RDATA
are translated according to whether or not they represent host names
(i.e., RDATA names that are the owner names of A and AAAA DNS
records).
RDATA names ending in ".local" that represent host names
are translated to the delegated LDH subdomain, if one is configured,
or to the delegated rich-text subdomain otherwise.
All other RDATA names ending in ".local"
are translated to the delegated rich-text subdomain.
For example, consider a DNS-SD service browsing PTR query
that returns this PTR record for IPP printing:
_ipp._tcp.local. PTR My Printer._ipp._tcp.local.Both the owner name and the name in the RDATA
are translated from ".local" to the rich-text subdomain:
_ipp._tcp.Building 1.example.com.
PTR My Printer._ipp._tcp.Building 1.example.com.In contrast, consider a query
that returns this SRV record for a specific IPP printing instance:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.As for all queries, the owner name
is translated to the delegated subdomain of the originating query,
the delegated rich-text subdomain "Building 1.example.com".
However, the ".local" name in the RDATA
is the target host name field of an SRV record,
a field that is used exclusively for host names.
Consequently it is translated to the LDH subdomain
"bldg‑1.example.com",
if configured, instead of the rich-text subdomain:
My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg‑1.example.com.Other beneficial translation and filtering operations are described
below.DNS TTL LimitingFor efficiency, Multicast DNS typically uses moderately high DNS
TTL values. For example, the typical TTL on DNS-SD service browsing
PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol,
which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove
its service browsing PTR record(s) immediately from neighboring
caches. If a service
shuts down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in the Multicast DNS
specification comes into play to purge the cache of stale
data.A traditional Unicast DNS client on a distant remote link does
not get to participate in these Multicast DNS cache coherency
mechanisms on the local link. For traditional Unicast DNS queries
(those received without using Long-Lived Queries (LLQ) or DNS Push
Notification subscriptions ), the DNS TTLs reported in the resulting Unicast
DNS response MUST be capped to be no more than ten
seconds.Similarly, for negative responses, the negative caching TTL
indicated in the SOA record should also be ten seconds (see ).This value of ten seconds is chosen based on user-experience
considerations.For negative caching, suppose a user is attempting to access a
remote device (e.g., a printer), and they are unsuccessful because
that device is powered off. Suppose they then place a telephone call
and ask for the device to be powered on. We want the device to
become available to the user within a reasonable time period. It is
reasonable to expect it to take on the order of ten seconds for a
simple device with a simple embedded operating system to power
on. Once the device is powered on and has announced its presence on
the network via Multicast DNS, we would like it to take no more than
a further ten seconds for stale negative cache entries to expire
from Unicast DNS caches, making the device available to the user
desiring to access it.Similar reasoning applies to capping positive TTLs at ten
seconds.
In the event of a device moving location, getting a new DHCP
address,
or other renumbering events, we would like the updated information
to
be available to remote clients in a relatively timely fashion.However, network administrators should be aware that many
recursive
resolvers by default are configured to impose a minimum
TTL of
30 seconds. If stale data appears to be persisting in the network to
the
extent that it adversely impacts user experience, network
administrators
are advised to check the configuration of their recursive
resolvers.For received Unicast DNS queries that use LLQ or
DNS Push Notifications ,
the Multicast DNS
record's TTL SHOULD be
returned unmodified, because the notification channel exists
to inform the remote client as records come and go.
For further details about Long-Lived Queries and its newer
replacement,
DNS Push Notifications, see .Suppressing Unusable RecordsA Discovery Proxy SHOULD offer a configurable
option,
enabled by default, to suppress Unicast DNS answers
for records that are not useful outside the local link.
When the option to suppress unusable records is enabled:
For a Discovery Proxy that is serving only clients outside the
local link,
DNS A and AAAA records for
IPv4 link-local addresses
and
IPv6 link-local addresses SHOULD be suppressed.
Similarly, for sites that have multiple private address
realms ,
in cases where the Discovery Proxy can determine that the
querying client
is in a different address realm, private addresses SHOULD NOT be
communicated to that client.
IPv6 Unique Local Addresses SHOULD be suppressed
in cases where the Discovery Proxy can determine that the
querying client
is in a different IPv6 address realm.
By the same logic, DNS SRV records that reference target host
names that have no addresses usable by the requester should be
suppressed, and likewise, DNS-SD service browsing PTR records
that point to unusable
SRV records should similarly be suppressed.
NSEC and NSEC3 QueriesMulticast DNS devices do not routinely announce their records
on the network. Generally, they remain silent until queried.
This means that the complete set of Multicast DNS records in use on
a
link can only be discovered by active querying, not by passive
listening.
Because of this, a Discovery Proxy can only know what names exist on
a link
by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically
generate the traditional Unicast DNS
NSEC and
NSEC3 records
that assert the nonexistence of a large range of names.When queried for an NSEC or NSEC3 record type, the Discovery
Proxy issues
a qtype "ANY" query using Multicast DNS on the local link and then
generates an NSEC or NSEC3 response with a Type Bit Map signifying
which record types do and do not exist for just the specific name
queried,
and no other names.Multicast DNS NSEC records received on the local link
MUST NOT be forwarded unmodified to a unicast
querier, because there
are
slight differences in the NSEC record data.
In particular, Multicast DNS NSEC records do not have the NSEC
bit set in the Type Bit Map, whereas conventional Unicast DNS
NSEC records do have the NSEC bit set.No Text-Encoding TranslationA Discovery Proxy does no translation between text encodings.
Specifically, a Discovery Proxy does no translation between Punycode
encoding and UTF-8 encoding , either in
the owner name of DNS records or anywhere in the RDATA of DNS
records (such as the RDATA of PTR records, SRV records, NS records,
or other record types like TXT, where it is ambiguous whether the
RDATA may contain DNS names). All bytes are treated as-is with no
attempt at text-encoding translation. A client implementing
DNS-based Service Discovery will use UTF-8 encoding for its unicast DNS-based
Service Discovery
queries, which the Discovery Proxy passes through without any
text-encoding translation to the Multicast DNS subsystem. Responses
from the Multicast DNS subsystem are similarly returned, without any
text-encoding translation, back to the requesting unicast
client.Application-Specific Data TranslationThere may be cases where Application-Specific Data Translation is
appropriate.For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record.
TXT record sizes in the range of 500-1000 bytes are not uncommon.
This information is a legacy from lineprinter (LPR) printing,
because LPR does not have in-band capability negotiation, so all of
this information is conveyed using the DNS-SD TXT record instead.
Internet Printing Protocol (IPP) printing does have in-band
capability negotiation, but for convenience, printers tend to
include
the same capability information in their IPP DNS-SD TXT records as
well. For local Multicast DNS (mDNS) use, this extra TXT record
information is
wasteful but not fatal. However, when a Discovery Proxy
aggregates data from multiple printers on a link, and sends it via
unicast (via UDP or TCP), this amount of unnecessary TXT record
information can result in large responses. A DNS reply over TCP
carrying information about 70 printers with an average of 700 bytes
per printer adds up to about 50 kilobytes of data. Therefore, a
Discovery Proxy that is aware of the specifics of an
application-layer protocol such as AirPrint (which uses IPP) can
elide unnecessary key/value pairs from the DNS-SD TXT record for
better network efficiency.Also, the DNS-SD TXT record for many printers contains an
"adminurl" key (e.g.,
"adminurl=http://printername.local/status.html"). For this URL to
be
useful outside the local link, the embedded ".local" host name needs
to be translated to an appropriate name with larger scope. It is
easy to translate ".local" names when they appear in well-defined
places: as a record's owner name, or in domain name fields in the
RDATA of record types
like PTR and SRV. In the printing case, some application-specific
knowledge about the semantics of the "adminurl" key is needed for
the Discovery Proxy to know that it contains a name that needs to be
translated. This is somewhat analogous to the need for NAT gateways
to contain ALGs (Application-Level Gateways) to facilitate the
correct translation of protocols that embed addresses in unexpected
places.To avoid the need for application-specific knowledge about the
semantics of particular TXT record keys, protocol designers are
advised to avoid placing link-local names or link-local IP addresses
in TXT record keys if translation of those names or addresses would
be required for off-link operation. In the printing case, the
consequence of failing to translate the "adminurl" key
correctly would be that, when accessed from a different link,
printing
will still work, but clicking the "Admin" user interface button will
fail to
open the printer's administration page. Rather than duplicating the
host name from the service's SRV record in its "adminurl" key,
thereby having the same host name appear in two places, a better
design might have been to omit the host name from the "adminurl"
key and instead have the client implicitly substitute the target
host name from the service's SRV record in place of a missing host
name in the "adminurl" key. That way, the desired host name only
appears once and is in a well-defined place where software like
the Discovery Proxy is expecting to find it.Note that this kind of Application-Specific Data Translation is
expected to be very rare; it is the exception rather than the rule.
This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design with
clear boundaries. Then, in certain special cases, those layer
boundaries may be violated where the performance and efficiency
benefits outweigh the inelegance of the layer violation.These layer violations are optional. They are done primarily for
efficiency reasons and generally should not be required for correct
operation. A Discovery Proxy MAY operate solely at
the mDNS layer without any knowledge of semantics at the DNS-SD
layer or above.Answer AggregationIn a simple analysis, simply gathering multicast answers and
forwarding them in a unicast response seems adequate, but it raises
the question of how long the Discovery Proxy should wait to be sure
that it has received all the Multicast DNS answers it needs to form a
complete Unicast DNS response. If it waits too little time, then it
risks its Unicast DNS response being incomplete. If it waits too
long, then it creates a poor user experience at the client end. In
fact, there may be no time that is both short enough to produce a
good user experience and at the same time long enough to reliably
produce complete results.Similarly, the Discovery Proxy (the authoritative name server for
the subdomain in question) needs to decide what DNS TTL to report
for these records. If the TTL is too long, then the recursive
resolvers issuing queries on behalf of their clients risk
caching stale data for too long. If the TTL is too short, then the
amount of network traffic will be more than necessary. In fact, there
may be no TTL that is both short enough to avoid undesirable stale
data and, at the same time, long enough to be efficient on the
network.Both these dilemmas are solved by the use of DNS Long-Lived Queries
(LLQ)
or its newer replacement,
DNS Push Notifications .Clients supporting unicast DNS-based Service Discovery
SHOULD implement
DNS Push Notifications
for improved user experience.Clients and Discovery Proxies MAY support both
LLQ and DNS Push Notifications, and when talking to a
Discovery Proxy that supports both, the client may use either
protocol, as it chooses, though it is expected that only
DNS Push Notifications will continue to be supported in the long
run.When a Discovery Proxy receives a query using LLQ
or DNS Push Notifications, it responds immediately using the Multicast
DNS records it already has in its cache (if any). This provides a
good client user experience by providing a near-instantaneous
response. Simultaneously, the Discovery Proxy issues a Multicast DNS
query on the local link to discover if there are any additional
Multicast DNS records it did not already know about. Should additional
Multicast DNS responses be received, these are then delivered to the
client using additional LLQ or DNS Push Notification update
messages. The timeliness of such update messages is limited only by
the timeliness of the device responding to the Multicast DNS query. If
the Multicast DNS device responds quickly, then the update message is
delivered quickly. If the Multicast DNS device responds slowly, then
the update message is delivered slowly. The benefit of using multiple
update
messages to deliver results as they become available is that the
Discovery
Proxy can respond promptly because it doesn't have to deliver all the
results in a single response that needs to be delayed to allow for the
expected worst-case delay for receiving all the Multicast DNS
responses.With a proxy that supported only standard DNS queries, even if it
were to try to provide reliability by assuming an
excessively pessimistic worst-case time (thereby giving a very poor
user experience), there would still be the risk of a slow Multicast
DNS device taking even longer than that worst-case time (e.g., a
device that is not
even powered on until ten seconds after the initial query is
received),
resulting in incomplete responses.
Using update messages to deliver subsequent asynchronous replies
solves this
dilemma: even very late responses are not lost; they are delivered in
subsequent update messages.Note that while normal DNS queries are generally received via the
client's configured
recursive resolver, LLQ and DNS Push Notification subscriptions may be
received directly from the client.There are two factors that determine how unicast responses
are generated:The first factor is whether or not the Discovery Proxy already has
at least one record in its cache that answers the question.
The second factor is whether the client used a normal DNS query,
or established a subscription using LLQ or DNS Push Notifications.
Normal DNS queries
are typically used for one-shot operations like SRV or address record
queries.
LLQ and DNS Push Notification subscriptions
are typically used for long-lived service browsing PTR queries.
Normal DNS queries and LLQ each have different response timing depending
on the cache state, yielding the first four cases listed below.
DNS Push Notifications, the newer protocol, has uniform behavior
regardless of cache state, yielding the fifth case listed below.
Standard DNS query; no answer in
cache:
Issue an mDNS query on the local link, exactly as a local client
would issue an mDNS query, for the desired record name, type, and
class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule . The Discovery Proxy awaits Multicast DNS
responses.
As soon as any Multicast DNS response packet
is received that contains one or more positive answers to that
question (with or without the Cache Flush bit set) or a negative answer
(signified via a Multicast DNS NSEC record ), the Discovery Proxy generates a Unicast DNS
response message containing the corresponding (filtered and
translated) answers and sends it to the remote client.
If after
six seconds no relevant Multicast DNS answers have been received,
cancel
the mDNS query and return a negative response to the remote
client. Six seconds is enough time
for the underlying Multicast DNS subsystem
to transmit three mDNS queries
and allow some time for responses to arrive.
(Reasoning: Queries not using LLQ or Push Notifications are
generally queries
that expect an answer from only one device,
so the first response is also the only response.)
DNS TTLs in responses MUST be capped to at most ten
seconds.
Standard DNS query; at least one answer in
cache:
No local mDNS queries are performed.
The Discovery Proxy generates a Unicast DNS
response message containing the answer(s) from the cache right
away, to minimize delay.
(Reasoning: Queries not using LLQ or Push Notifications are
generally queries
that expect an answer from only one device.
Given RRSet TTL harmonization, if the proxy has
one Multicast DNS answer in its cache, it can reasonably
assume that it has the whole set.)
DNS TTLs in responses MUST be capped to at most ten
seconds.
Long-Lived Query (LLQ); no answer in cache:
As in the case above with no answer in the cache, plan to perform
mDNS
querying for six seconds, returning an LLQ response message to the
remote
client as soon as any relevant mDNS response is received.
If after six seconds no relevant mDNS answers have been received,
and the client has not cancelled its Long-Lived Query,
return a negative LLQ response message to the remote client.
(Reasoning: We don't need to rush to send an empty
answer.)
Regardless of whether or not a relevant mDNS response is received
within
six seconds, the Long-Lived Query remains active for as long as
the
client maintains the LLQ state, and results in the ongoing
transmission of mDNS queries until the Long-Lived Query is
cancelled.
If the set of mDNS answers changes, LLQ Event Response messages
are sent.
DNS TTLs in responses are returned unmodified.
Long-Lived Query (LLQ); at least one answer in
cache:
As in the case above with at least one answer in the cache,
the Discovery Proxy generates a unicast LLQ
response message containing the answer(s) from the cache right
away, to minimize delay.
The Long-Lived Query remains active for as long as the client
maintains the LLQ state,
and results in the transmission of mDNS queries
(with appropriate Known Answer lists)
to determine if further answers are available.
If the set of mDNS answers changes, LLQ Event Response messages
are sent.
(Reasoning: We want a user interface that is displayed very
rapidly yet
continues to remain accurate even as the network environment
changes.)
DNS TTLs in responses are returned unmodified.
Push Notification Subscription
The Discovery Proxy acknowledges the subscription request
immediately.
If one or more answers are already available in the cache,
those answers are then sent in an immediately following DNS PUSH
message.
The Push Notification subscription remains active until the client
cancels the subscription,
and results in the transmission of mDNS queries
(with appropriate Known Answer lists)
to determine if further answers are available.
If the set of mDNS answers changes, further DNS PUSH messages are
sent.
(Reasoning: We want a user interface that is displayed very
rapidly yet
continues to remain accurate even as the network environment
changes.)
DNS TTLs in responses are returned unmodified.
Where the text above refers to returning "a negative response to
the remote client", it is describing returning a "no error no answer"
negative response, not NXDOMAIN. This is because the Discovery Proxy
cannot know all the Multicast DNS domain names that may exist on a
link at any given time, so any name with no answers may have child
names that do exist, making it an "empty non-terminal" name.Note that certain aspects of the behavior described here
do not have to be implemented overtly by the Discovery Proxy;
they occur naturally as a result of using existing Multicast DNS
APIs.For example, in the first case above (standard DNS query and no
answers in the cache), if a new Multicast DNS query is requested
(either by a local client on the Discovery Proxy device, or by the
Discovery Proxy software on that device on behalf of a remote client),
and there is not already an identical Multicast DNS query active and
there are no matching answers already in the Multicast DNS cache on
the Discovery Proxy device, then this will cause a series of Multicast
DNS query packets to be issued with exponential backoff. The
exponential backoff sequence in some implementations starts at one
second and then doubles for each retransmission (0, 1, 3, 7 seconds,
etc.), and in others, it starts at one second and then triples for
each retransmission (0, 1, 4, 13 seconds, etc.). In either case, if
no response has been received after six seconds, that is long enough
that the underlying Multicast DNS implementation will have sent three
query packets without receiving any response. At that point, the
Discovery Proxy cancels its Multicast DNS query (so no further
Multicast DNS query packets will be sent for this query) and returns a
negative response to the remote client via unicast.The six-second delay is chosen to be long enough to give enough
time for devices to respond, yet short enough not to be too onerous
for a human user waiting for a response. For example, using the "dig"
DNS debugging tool, the current default settings result in it waiting
a total of 15 seconds for a reply (three transmissions of the DNS UDP
query packet, with a wait of 5 seconds after each packet), which is
ample time for it to have received a negative reply from a Discovery
Proxy after six seconds.The text above states that for a standard DNS query,
if at least one answer is already available in the cache, then a
Discovery Proxy should not issue additional mDNS query packets.
This also occurs naturally as a result of using existing
Multicast DNS APIs.
If a new Multicast DNS query is requested
(either locally, or by the Discovery Proxy on behalf of a remote client)
for which there are relevant answers already in the Multicast DNS
cache on the Discovery Proxy device, and after the answers are
delivered the Multicast DNS query is immediately cancelled, then
no Multicast DNS query packets will be generated for this query.
Administrative DNS RecordsDNS SOA (Start of Authority) RecordThe MNAME field SHOULD contain the host name of the
Discovery Proxy
device
(i.e., the same domain name as the RDATA of the NS record delegating
the
relevant zone(s) to this Discovery Proxy device).The RNAME field SHOULD contain the mailbox of the
person
responsible
for administering this Discovery Proxy device.The SERIAL field MUST be zero.Zone transfers are undefined for Discovery Proxy zones, and
consequently, the REFRESH, RETRY, and EXPIRE fields have no useful
meaning for Discovery Proxy zones. These fields SHOULD
contain reasonable default values. The RECOMMENDED
values are: REFRESH 7200, RETRY 3600, and EXPIRE 86400.The MINIMUM field (used to control the lifetime of negative cache
entries)
SHOULD contain the value 10.
This value is chosen based on user-experience
considerations
(see ).In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, this will result in clients
receiving inconsistent SOA records (different MNAME and possibly
RNAME) depending on which Discovery Proxy answers their SOA query.
However, since clients generally have no reason to use the MNAME or
RNAME data, this is unlikely to cause any problems.DNS NS RecordsIn the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, the parent zone MUST
be configured with NS records giving the names
of all the Discovery Proxy devices on the link.Each Discovery Proxy device MUST be configured to
answer NS queries
for the zone apex name by giving its own NS record,
and the NS records of its fellow Discovery Proxy devices on the same
link, so that it can return the correct answers for NS queries.The target host name in the RDATA of an NS record MUST NOT
reference
a name that falls within any zone delegated to a Discovery Proxy.
Apart from the zone apex name,
all other host names (names of A and AAAA DNS records)
that fall within a zone delegated to a Discovery
Proxy
correspond to local Multicast DNS host names,
which logically belong to the respective Multicast DNS hosts defending
those names,
not the Discovery Proxy.
Generally speaking, the Discovery Proxy does not own or control the
delegated zone;
it is merely a conduit to the corresponding ".local" namespace,
which is controlled by the Multicast DNS hosts on that link.
If an NS record were to reference a manually determined host name
that falls within a delegated zone,
that manually determined host name may inadvertently conflict with a
corresponding
".local" host name that is owned and controlled by some device on that
link.
DNS Delegation RecordsSince the Multicast DNS
specification states that there can be no delegation
(subdomains) within a ".local" namespace, this implies that any name
within a zone delegated to a Discovery Proxy (except for the zone apex
name itself) cannot have any answers for any DNS queries for RRTYPEs
SOA, NS, or DS. Consequently:
for any query for the zone apex name of a zone delegated to a
Discovery Proxy, the Discovery Proxy MUST generate
the appropriate immediate answers as described above, and
for any query for any name below the zone apex, for RRTYPEs SOA, NS,
or DS,
the Discovery Proxy MUST generate
an immediate negative answer.
DNS SRV RecordsThere are certain special DNS records that logically fall within
the delegated Unicast DNS subdomain, but rather than mapping to their
corresponding ".local" namesakes, they actually contain metadata
pertaining to the operation of the delegated Unicast DNS subdomain
itself. They do not exist in the corresponding ".local" namespace of
the local link. For these queries, a Discovery Proxy
MUST generate immediate answers, whether positive or
negative, to avoid delays while clients wait for their query to be
answered.For example, if a Discovery Proxy implements Long-Lived Queries
, then it
MUST positively respond to
_dns‑llq._udp.<zone> SRV queries,
_dns‑llq._tcp.<zone> SRV queries, and
_dns‑llq‑tls._tcp.<zone> SRV queries as
appropriate. If it does not implement Long-Lived Queries, it
MUST return an immediate negative answer for those
queries, instead of passing those queries through to the local network
as Multicast DNS queries and then waiting unsuccessfully for answers
that will not be forthcoming.If a Discovery Proxy implements
DNS Push Notifications ,
then it MUST positively respond to
_dns‑push‑tls._tcp.<zone>
queries.
Otherwise, it MUST return an immediate negative answer
for those
queries.A Discovery Proxy MUST return an immediate negative
answer for
_dns‑update._udp.<zone> SRV
queries,
_dns‑update._tcp.<zone> SRV
queries, and
_dns‑update-tls._tcp.<zone> SRV
queries,
since using DNS Update
to change
zones generated dynamically from local Multicast DNS data is not
possible.Domain Enumeration RecordsIf the network operator chooses to use address-based
unicast Domain Enumeration queries for client configuration
(see ),
and the network operator also chooses to delegate the enclosing
reverse mapping subdomain to a Discovery Proxy,
then that Discovery Proxy becomes responsible for serving
the answers to those address-based unicast Domain Enumeration
queries.As with the SRV metadata records described above, a Discovery Proxy
configured with delegated reverse mapping subdomains is responsible
for generating immediate (positive or negative) answers for
address-based unicast Domain Enumeration queries, rather than
passing them though to the underlying Multicast DNS subsystem and
then waiting unsuccessfully for answers that will not be
forthcoming.DNSSEC ConsiderationsOnline Signing OnlyThe Discovery Proxy acts as the authoritative name server for
designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to possess a copy of the signing keys in order to
generate authoritative signed data from the local Multicast DNS
responses it receives. Offline signing is not applicable to
Discovery Proxy.NSEC and NSEC3 RecordsIn DNSSEC,
NSEC and NSEC3 records
are used to assert the nonexistence of certain names,
also described as "authenticated denial of existence"
.Since a Discovery Proxy only knows what names exist on the local
link by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically
synthesize the traditional NSEC and NSEC3 records that assert the
nonexistence of a large range of names. Instead, when generating a
negative response, a Discovery Proxy programmatically synthesizes a
single NSEC record asserting the nonexistence of just the specific
name queried and no others. Since the Discovery Proxy has the zone
signing key, it can do this on demand. Since the NSEC record asserts
the nonexistence of only a single name, zone walking is not a concern,
and NSEC3 is therefore not necessary.Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when no immediate positive
answer is available. When used with a DNS Push Notification
subscription , there are no negative answers, merely the
absence of answers so far, which may change in the future if answers
become available.IPv6 ConsiderationsAn IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet , neither is aware of the other's traffic. For
this reason, each link may have two unrelated ".local." zones:
one for
IPv4 and one for IPv6. Since, for practical purposes, a group of
IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act
as if they were on two entirely separate Ethernet segments, it is
unsurprising that their use of the ".local." zone should occur exactly
as it would if they really were on two entirely separate Ethernet
segments.It will be desirable to have a mechanism to "stitch" together
these two unrelated ".local." zones so that they appear as one.
Such a mechanism will need to be able to differentiate between a
dual-stack (v4/v6) host participating in both ".local."
zones, and two different hosts: one IPv4-only and the other IPv6-only,
which are both trying to use the same name(s). Such a mechanism
will be specified in a future companion document.At present, it is RECOMMENDED that a Discovery Proxy
be configured
with a single domain name for both the IPv4 and IPv6 ".local." zones
on the local link, and when a unicast query is received, it should
issue Multicast DNS queries using both IPv4 and IPv6 on the local link
and then combine the results.Security ConsiderationsAuthenticityA service proves its presence on a link by its ability to
answer link-local multicast queries on that link.
If greater security is desired, then the Discovery Proxy mechanism
should not be used, and something with stronger security should
be used instead such as authenticated secure DNS Update
.PrivacyThe Domain Name System is, generally speaking,
a global public database. Records that exist in the Domain Name
System name hierarchy can be queried by name from, in principle,
anywhere in the world. If services on a mobile device (like a laptop
computer) are made visible via the Discovery Proxy mechanism, then
when those services become visible in a domain such as
"My House.example.com", it might indicate to (potentially
hostile) observers that the mobile device is in the owner's home.
When those
services disappear from "My House.example.com", that change could
be used by observers to infer when the mobile device (and possibly its
owner) may have left the house. The privacy of this information may
be protected using techniques like firewalls, split-view DNS, and
Virtual Private Networks (VPNs), as are customarily used today to
protect the privacy of corporate DNS information.The privacy issue is particularly serious for the IPv4 and IPv6
reverse zones.
If the public delegation of the reverse zones points to the
Discovery Proxy, and the Discovery Proxy is reachable globally,
then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might
not be easy to identify, and learn their host names.
Attackers could also discover the existence of links
where hosts frequently come and go.The Discovery Proxy could provide sensitive records only to
authenticated
users. This is a general DNS problem, not specific to the Discovery
Proxy.
Work is underway in the IETF to tackle this problem .Denial of ServiceA remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local links.
Multicast traffic is generally more expensive than unicast traffic,
especially on Wi-Fi links
,
which makes this attack particularly
serious. To limit the damage that can be caused by such attacks, a
Discovery Proxy (or the underlying Multicast DNS subsystem that it
utilizes) MUST implement Multicast DNS query rate
limiting appropriate to the link technology in question. For today's
802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
packets per second is sufficient to consume approximately 100% of the
wireless spectrum), a limit of 20 Multicast DNS query packets per
second is RECOMMENDED. On other link technologies like
Gigabit Ethernet, higher limits may be appropriate. A consequence of
this rate limiting is that a rogue remote client could issue an
excessive number of queries resulting in denial of service to other
legitimate remote clients attempting to use that Discovery Proxy.
However, this is preferable to a rogue remote client being able to
inflict even greater harm on the local network, which could impact the
correct operation of all local clients on that network.IANA ConsiderationsThis document has no IANA actions.ReferencesNormative ReferencesDomain names - concepts and facilitiesThis RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.Domain names - implementation and specificationThis RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.Address Allocation for Private InternetsThis document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Negative Caching of DNS Queries (DNS NCACHE)RFC1034 provided a description of how to cache negative responses. It however had a fundamental flaw in that it did not allow a name server to hand out those cached responses to other resolvers, thereby greatly reducing the effect of the caching. This document addresses issues raise in the light of experience and replaces RFC1034 Section 4.3.4. [STANDARDS-TRACK]UTF-8, a transformation format of ISO 10646ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279.Dynamic Configuration of IPv4 Link-Local AddressesTo participate in wide-area IP networking, a host needs to be configured with IP addresses for its interfaces, either manually by the user or automatically from a source on the network such as a Dynamic Host Configuration Protocol (DHCP) server. Unfortunately, such address configuration information may not always be available. It is therefore beneficial for a host to be able to depend on a useful subset of IP networking functions even when no address configuration is available. This document describes how a host may automatically configure an interface with an IPv4 address within the 169.254/16 prefix that is valid for communication with other devices connected to the same physical (or logical) link.IPv4 Link-Local addresses are not suitable for communication with devices not directly connected to the same physical (or logical) link, and are only used where stable, routable addresses are not available (such as on ad hoc or isolated networks). This document does not recommend that IPv4 Link-Local addresses and routable addresses be configured simultaneously on the same interface. [STANDARDS-TRACK]Resource Records for the DNS Security ExtensionsThis document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]IPv6 Stateless Address AutoconfigurationThis document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK]DNS Security (DNSSEC) Hashed Authenticated Denial of ExistenceThe Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK]Unicode Format for Network InterchangeThe Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK]Multicast DNSAs networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful.Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.DNS-Based Service DiscoveryThis document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.DNS Stateful OperationsThis document defines a new DNS OPCODE for DNS Stateful Operations (DSO). DSO messages communicate operations within persistent stateful sessions using Type Length Value (TLV) syntax. Three TLVs are defined that manage session timeouts, termination, and encryption padding, and a framework is defined for extensions to enable new stateful operations. This document updates RFC 1035 by adding a new DNS header OPCODE that has both different message semantics and a new result code. This document updates RFC 7766 by redefining a session, providing new guidance on connection reuse, and providing a new mechanism for handling session idle timeouts.DNS Push NotificationsInformative ReferencesDynamic DNS Update LeasesThis document proposes a method of extending Dynamic DNS Update to contain an update lease lifetime, allowing a server to garbage collect stale resource records.Work in ProgressIEEE Standard for Local and metropolitan area networks -- Bridges and Bridged NetworksIEEEIEEE Standard for EthernetIEEETelecommunications and information exchange between systems - Local and metropolitan area networks - Part 5: Token ring access method and physical layer specificationsIEEEInformation technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) SpecificationsIEEEMulticast Considerations over IEEE 802 Wireless MediaWell-known issues with multicast have prevented the deployment of multicast in 802.11 (wifi) and other local-area wireless environments. This document describes the problems of known limitations with wireless (primarily 802.11) Layer-2 multicast. Also described are certain multicast enhancement features that have been specified by the IETF, and by IEEE 802, for wireless media, as well as some operational choices that can be taken to improve the performance of the network. Finally, some recommendations are provided about the usage and combination of these features and operational choices.Work in Progressohybridproxy - an mDNS/DNS hybrid-proxy based on mDNSRespondercommit 464d6c9Service Registration Protocol for DNS-Based Service DiscoveryThe DNS-SD Service Registration Protocol uses the standard DNS Update mechanism to enable DNS-Based Service Discovery using only unicast packets. This eliminates the dependency on Multicast DNS as the foundation layer, which greatly improves scalability and improves performance on networks where multicast service is not an optimal choice, particularly 802.11 (Wi-Fi) and 802.15.4 (IoT) networks. DNS-SD Service registration uses public keys and SIG(0) to allow services to defend their registrations against attack.Work in ProgressMulticast DNS Discovery RelayThis document extends the specification of the Discovery Proxy for Multicast DNS-Based Service Discovery. It describes a lightweight relay mechanism, a Discovery Relay, which allows Discovery Proxies to provide service on multicast links to which they are not directly attached.Work in ProgressDHCP Options and BOOTP Vendor ExtensionsThis document specifies the current set of DHCP options. Future options will be specified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]Dynamic Updates in the Domain Name System (DNS UPDATE)Using this specification of the UPDATE opcode, it is possible to add or delete RRs or RRsets from a specified zone. Prerequisites are specified separately from update operations, and can specify a dependency upon either the previous existence or nonexistence of an RRset, or the existence of a single RR. [STANDARDS-TRACK]Secure Domain Name System (DNS) Dynamic UpdateThis document proposes a method for performing secure Domain Name System (DNS) dynamic updates. [STANDARDS-TRACK]Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)Punycode is a simple and efficient transfer encoding syntax designed for use with Internationalized Domain Names in Applications (IDNA). It uniquely and reversibly transforms a Unicode string into an ASCII string. ASCII characters in the Unicode string are represented literally, and non-ASCII characters are represented by ASCII characters that are allowed in host name labels (letters, digits, and hyphens). This document defines a general algorithm called Bootstring that allows a string of basic code points to uniquely represent any string of code points drawn from a larger set. Punycode is an instance of Bootstring that uses particular parameter values specified by this document, appropriate for IDNA. [STANDARDS-TRACK]Unique Local IPv6 Unicast AddressesThis document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK]Requirements for a Protocol to Replace the AppleTalk Name Binding Protocol (NBP)One of the goals of the authors of Multicast DNS (mDNS) and DNS-Based Service Discovery (DNS-SD) was to retire AppleTalk and the AppleTalk Name Binding Protocol (NBP) and to replace them with an IP-based solution. This document presents a brief overview of the capabilities of AppleTalk NBP and outlines the properties required of an IP-based replacement.Requirements for Scalable DNS-Based Service Discovery (DNS-SD) / Multicast DNS (mDNS) ExtensionsDNS-based Service Discovery (DNS-SD) over Multicast DNS (mDNS) is widely used today for discovery and resolution of services and names on a local link, but there are use cases to extend DNS-SD/mDNS to enable service discovery beyond the local link. This document provides a problem statement and a list of requirements for scalable DNS-SD.DNS Privacy ConsiderationsThis document describes the privacy issues associated with the use of the DNS by Internet users. It is intended to be an analysis of the present situation and does not prescribe solutions.Home Networking Control ProtocolThis document describes the Home Networking Control Protocol (HNCP), an extensible configuration protocol, and a set of requirements for home network devices. HNCP is described as a profile of and extension to the Distributed Node Consensus Protocol (DNCP). HNCP enables discovery of network borders, automated configuration of addresses, name resolution, service discovery, and the use of any routing protocol that supports routing based on both the source and destination address.Special-Use Domain 'home.arpa.'This document specifies the behavior that is expected from the Domain Name System with regard to DNS queries for names ending with '.home.arpa.' and designates this domain as a special-use domain name. 'home.arpa.' is designated for non-unique use in residential home networks. The Home Networking Control Protocol (HNCP) is updated to use the 'home.arpa.' domain instead of '.home'.Apple's DNS Long-Lived Queries ProtocolService Discovery Road MapOver the course of several years, a rich collection of technologies has developed around DNS-Based Service Discovery, described across multiple documents. This "Road Map" document gives an overview of how these related but separate technologies (and their documents) fit together, to facilitate service discovery in various environments.Work in ProgressZero Configuration Networking: The Definitive GuideO'Reilly Media, Inc.Implementation StatusSome aspects of the mechanism specified in this document already
exist in
deployed software. Some aspects are new. This section outlines which
aspects
already exist and which are new.Already Implemented and DeployedDomain enumeration by the client
("b._dns-sd._udp.<zone>" queries) is already implemented and
deployed.Performing unicast queries to the indicated discovery domain is
already
implemented and deployed.These are implemented and deployed in Mac OS X 10.4 Tiger and later
(including all versions of Apple iOS, on all models of iPhones, iPads,
Apple TVs and HomePods),
in Bonjour for Windows,
and in Android 4.1 "Jelly Bean" (API Level 16) and later.Domain enumeration and unicast querying have been
used for several years at IETF meetings to make terminal room
printers discoverable from outside the terminal room. When an IETF
attendee presses "Cmd‑P" on a Mac, or selects AirPrint on an iPad
or iPhone, and the terminal room printers appear, it is because
the client is sending Unicast DNS queries to the IETF DNS servers.
A walk-through giving the details of this particular specific example
is given in the Roadmap
document.The Long-Lived Query mechanism
referred to in this specification exists and is deployed
but was not standardized by the IETF.
The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications ,
which is built on DNS Stateful Operations .
DNS Push Notifications is implemented and deployed in Mac OS X 10.15
and later,
and iOS 13 and later.Already ImplementedA minimal portable Discovery Proxy implementation has been produced
by
Markus Stenberg and Steven Barth, which runs on OS X and several Linux
variants including OpenWrt .
It was demonstrated at the Berlin IETF in July 2013.Tom Pusateri has an implementation that runs on any Unix/Linux
system. It
has a RESTful interface for management and an experimental demo
command-line interface (CLI) and web interface.Ted Lemon also has produced a portable implementation of Discovery
Proxy,
which is available in the mDNSResponder open source code.Partially ImplementedAt the time of writing,
existing APIs make multiple domains visible to client software,
but most client user interfaces lump all discovered services
into a single flat list. This is largely a chicken-and-egg
problem. Application writers were naturally reluctant to spend
time writing domain-aware user interface code when few customers would
benefit from it. If Discovery Proxy deployment becomes common, then
application writers will have a reason to provide a better user
experience.
Existing applications will work with the Discovery Proxy but will
show all services in a single flat list. Applications with
improved user interfaces will show services grouped by domain.AcknowledgmentsThanks to for helping develop
the policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
and for their comments.Author's AddressApple Inc.One Apple Park WayCupertinoCalifornia95014United States of America+1 (408) 996-1010cheshire@apple.com