rfc8766xml2.original.xml   rfc8766.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!--
Check output with <http://tools.ietf.org/tools/idnits/>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most
I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.35) -->
<!-- give errors regarding ID-nits and DTD validation -->
<?rfc strict="yes" ?>
<!-- control the table of contents (ToC) -->
<!-- generate a ToC -->
<?rfc toc="yes"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<?rfc tocdepth="3"?>
<!-- control references -->
<!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1]
<?rfc symrefs="yes"?>
<!-- sort the reference entries alphabetically -->
<?rfc sortrefs="no" ?>
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<!-- do not start each main section on a new page -->
<?rfc compact="yes" ?>
<!-- keep one blank line between list items -->
<?rfc subcompact="no" ?>
<!-- encourage use of "xml2rfc" tool -->
<?rfc rfcprocack="yes" ?>
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="8766" consensus="true"
category="std" docName="draft-ietf-dnssd-hybrid-10" ipr="trust200902"
obsoletes="" updates="" submissionType="IETF" xml:lang="en"
tocInclude="true" tocDepth="3" symRefs="true" sortRefs="false"
version="3">
<front> <front>
<title abbrev='Multicast Service Discovery Proxy'>Discovery Proxy <title abbrev="Multicast Service Discovery Proxy">Discovery Proxy
for Multicast DNS-Based Service Discovery</title> for Multicast DNS-Based Service Discovery</title>
<author initials='S.' surname='Cheshire' fullname='Stuart Cheshire'> <seriesInfo name="RFC" value="8766"/>
<author initials="S." surname="Cheshire" fullname="Stuart Cheshire">
<organization>Apple Inc.</organization> <organization>Apple Inc.</organization>
<address> <address>
<postal> <postal>
<street>One Apple Park Way</street> <street>One Apple Park Way</street>
<city>Cupertino</city> <city>Cupertino</city>
<region>California</region> <region>California</region>
<code>95014</code> <code>95014</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<phone>+1 (408) 996-1010</phone> <phone>+1 (408) 996-1010</phone>
<email>cheshire@apple.com</email> <email>cheshire@apple.com</email>
</address> </address>
</author> </author>
<date year='2019' month='March' day='24'/> <date year="2020" month="June"/>
<area>Internet</area> <area>INT</area>
<workgroup>Internet Engineering Task Force</workgroup> <workgroup>DNSSD</workgroup>
<keyword>Multicast DNS</keyword> <keyword>Multicast DNS</keyword>
<keyword>DNS-Based Service Discovery</keyword> <keyword>DNS-Based Service Discovery</keyword>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<abstract> <abstract>
<t>This document specifies a network proxy that uses Multicast DNS <t>This document specifies a network proxy that uses Multicast DNS
to automatically populate the wide-area unicast Domain Name System to automatically populate the wide-area unicast Domain Name System
namespace namespace
with records describing devices and services found on the local with records describing devices and services found on the local
link.</t> link.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?rfc needLines="31" ?> <section numbered="true" toc="default">
<section title="Introduction"> <name>Introduction</name>
<t><xref target="RFC6762">Multicast DNS</xref> and its companion <t>Multicast DNS <xref target="RFC6762" format="default"></xref> and its
technology companion technology DNS-based Service Discovery <xref target="RFC6763"
DNS-based Service Discovery <xref target="RFC6763"/> were created to format="default"/> were created to provide IP networking with the ease
provide of use and autoconfiguration for which AppleTalk was well known <xref
IP networking with the ease-of-use and autoconfiguration for which target="RFC6760" format="default"/> <xref target="ZC" format="default"/>
AppleTalk was well known <xref target="RFC6760"/> <xref target="ZC"/> <xref target="I-D.cheshire-dnssd-roadmap" format="default"/>.</t>
<xref target="Roadmap"/>.</t>
<t>For a small home network consisting of just a single link (or a few <t>For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link from physical links bridged together to appear as a single logical link from
the point of view of IP) the point of view of IP), Multicast DNS <xref target="RFC6762"
<xref target="RFC6762">Multicast DNS</xref> is sufficient for client format="default"></xref> is sufficient for client devices
devices
to look up the ".local" host names of peers on the same home network, to look up the ".local" host names of peers on the same home network,
and and to use Multicast DNS-based
to use Multicast <xref target="RFC6763">DNS-Based Service Discovery Service Discovery (DNS-SD) <xref target="RFC6763"
(DNS-SD)</xref> format="default"></xref> to discover services offered on that
to discover services offered on that home network.</t> home network.</t>
<t>For a larger network consisting of multiple links that are <t>For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
link-local Multicast DNS alone is insufficient because link-local link-local Multicast DNS alone is insufficient because link-local
Multicast DNS packets, by design, are not propagated onto other Multicast DNS packets, by design, are not propagated onto other
links.</t> links.</t>
<t>Using link-local multicast packets for Multicast DNS was a conscious
<t>Using link-local multicast packets for Multicast DNS design choice <xref target="RFC6762" format="default"/>. Even when
was a conscious design choice <xref target="RFC6762"/>. limited to a single link, multicast traffic is still generally
Even when limited to a single link, multicast traffic is still considered to be more expensive than unicast, because multicast traffic
generally considered to be more expensive than unicast, because impacts many devices instead of just a single recipient. In addition,
multicast traffic impacts many devices, instead of just a single with some technologies like Wi-Fi <xref target="IEEE-11"
recipient. format="default"></xref>, multicast traffic is inherently less
In addition, with some technologies like <xref efficient and less reliable than unicast, because Wi-Fi multicast
target="IEEE-11">Wi-Fi</xref>, traffic is sent at lower data rates, and is not acknowledged <xref
multicast traffic is inherently less efficient and less reliable than target="I-D.ietf-mboned-ieee802-mcast-problems" format="default"/>.
unicast, because Increasing the amount of expensive multicast traffic by flooding it
Wi-Fi multicast traffic is sent at lower data rates, and is not across multiple links would make the traffic load even worse.</t>
acknowledged <xref target="Mcast"/>.
Increasing the amount of expensive multicast traffic by flooding
it across multiple links would make the traffic load even worse.</t>
<t>Partitioning the network into many small links curtails the spread <t>Partitioning the network into many small links curtails the spread
of expensive multicast traffic, but limits the discoverability of of expensive multicast traffic but limits the discoverability of
services. services.
At the opposite end of the spectrum, using a very large local link with At the opposite end of the spectrum, using a very large local link with
thousands of hosts enables better thousands of hosts enables better
service discovery, but at the cost of larger amounts of multicast service discovery but at the cost of larger amounts of multicast
traffic.</t> traffic.</t>
<t>Performing DNS-based Service Discovery using purely Unicast DNS is
<t>Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient and doesn't require large multicast domains but does
more efficient and doesn't require large multicast domains, but does
require that the relevant data be available in the Unicast DNS require that the relevant data be available in the Unicast DNS
namespace. namespace.
The Unicast DNS namespace in question could fall within a traditionally The Unicast DNS namespace in question could fall within a traditionally
assigned globally unique domain name, or could use a private local assigned globally unique domain name, or it could be within a private
unicast domain name such as ".home.arpa" <xref target="RFC8375"/>.</t> local
unicast domain name such as ".home.arpa" <xref target="RFC8375"
<t>In the <xref target="RFC6763">DNS-SD specification</xref>, format="default"/>.</t>
Section 10 ("Populating the DNS with Information") <t>In the DNS-SD specification <xref target="RFC6763"
discusses various possible ways that a service's PTR, SRV, TXT and sectionFormat="comma" section="10"/> ("Populating
address records can make their way into the Unicast DNS namespace, the DNS with Information") discusses various possible ways that a
including manual zone file configuration service's PTR, SRV, TXT, and address records can make their way into the
<xref target="RFC1034"/> <xref target="RFC1035"/>, Unicast DNS namespace, including manual zone file configuration <xref
DNS&nbsp;Update <xref target="RFC2136"/> <xref target="RFC3007"/> target="RFC1034" format="default"/> <xref target="RFC1035"
and proxies of various kinds.</t> format="default"/>, DNS&nbsp;Update <xref target="RFC2136"
format="default"/> <xref target="RFC3007" format="default"/>, and
proxies
of various kinds.</t>
<t>Making the relevant data available in the Unicast DNS namespace <t>One option is to make the relevant data available in the Unicast DNS
by manual DNS configuration is one option. This option has been used namespace by
for many years at IETF meetings to advertise the IETF Terminal Room manual DNS configuration. This option has been used for
printer. many years at IETF meetings to advertise the IETF terminal room printer.
Details of this example are given in Appendix A of Details of this example are given in <xref
<xref target="Roadmap">the Roadmap document</xref>. target="I-D.cheshire-dnssd-roadmap" sectionFormat="of" section="A">the
However, this manual DNS configuration is labor intensive, Roadmap document</xref>. However, this manual DNS configuration is
error prone, and requires a reasonable degree of DNS expertise.</t> labor intensive, error prone, and requires a reasonable degree of DNS
expertise.</t>
<t>Populating the Unicast DNS namespace via DNS Update by the <t>Another option is to populate the Unicast DNS namespace by having
devices offering the services themselves is another option <xref the devices offering the services do that themselves, using DNS Update
target="RegProt"/> <xref target="DNS-UL"/>. <xref target="I-D.sctl-service-registration" format="default"/>
<xref target="I-D.sekar-dns-ul" format="default"/>.
However, this requires configuration However, this requires configuration
of DNS Update keys on those devices, which has proven onerous and of DNS Update keys on those devices, which has proven onerous and
impractical for simple devices like printers and network cameras.</t> impractical for simple devices like printers and network cameras.</t>
<t>Hence, to facilitate efficient and reliable DNS-based Service
<t>Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, Discovery,
a compromise is needed that combines the ease-of-use of a hybrid is needed that combines the ease of use of
Multicast DNS with the efficiency and scalability of Unicast DNS.</t> Multicast DNS with the efficiency and scalability of Unicast DNS.</t>
<t>This document specifies a type of proxy called a "Discovery Proxy" <t>This document specifies a type of proxy called a "Discovery Proxy"
that uses <xref target="RFC6762">Multicast DNS</xref> to discover that uses Multicast DNS <xref target="RFC6762" format="default"></xref>
Multicast DNS records on its local link, and makes corresponding to discover
Multicast DNS records on its local link on demand, and makes
corresponding
DNS records visible in the Unicast DNS namespace.</t> DNS records visible in the Unicast DNS namespace.</t>
<t>In principle, similar mechanisms could be defined
<t>In principle, similar mechanisms could be defined using other for other local discovery protocols, by creating a proxy that
local service discovery protocols, to discover local information (i) uses the protocol in question to discover local information on
and then make corresponding DNS records visible in the Unicast demand, and then
DNS namespace. Such mechanisms for other local service discovery (ii) makes corresponding DNS records visible in the Unicast
DNS namespace. Such mechanisms for other local discovery
protocols could be addressed in future documents.</t> protocols could be addressed in future documents.</t>
<t>The design of the Discovery Proxy is guided by the previously <t>The design of the Discovery Proxy is guided by the previously
published published DNS-based Service Discovery requirements document
<xref target="RFC7558">requirements document</xref>.</t> <xref target="RFC7558" format="default"></xref>.</t>
<t>In simple terms, a descriptive DNS name is chosen for <t>In simple terms, a descriptive DNS name is chosen for
each link in an organization. each link in an organization.
Using a DNS NS record, responsibility for that DNS name is delegated to Using a DNS NS record, responsibility for that DNS name is delegated to
a Discovery Proxy physically attached to that link. a Discovery Proxy physically attached to that link.
Now, when a remote client issues a unicast query for a name falling When a remote client issues a unicast query for a name falling
within within
the delegated subdomain, the normal DNS delegation mechanism the delegated subdomain, the normal DNS delegation mechanism
results in the unicast query arriving at the Discovery Proxy, results in the unicast query arriving at the Discovery Proxy,
since it has been declared authoritative for those names. since it has been declared authoritative for those names.
Now, instead of consulting a textual zone file on disk to discover Now, instead of consulting a textual zone file on disk to discover
the answer to the query, as a traditional DNS server would, the answer to the query as a traditional authoritative DNS server would,
a Discovery Proxy consults its local link, using Multicast DNS, a Discovery Proxy consults its local link, using Multicast DNS,
to find the answer to the question.</t> to find the answer to the question.</t>
<t>For fault tolerance reasons there may be more than one <t>For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.</t> Discovery Proxy serving a given link.</t>
<t>Note that the Discovery Proxy uses a "pull" model. <t>Note that the Discovery Proxy uses a "pull" model.
The local link is not queried using Multicast DNS until some remote Until some remote client has requested data,
client has requested that data. In the idle state, in the absence the local link is not queried using Multicast DNS.
In the idle state, in the absence
of client requests, the Discovery Proxy sends no packets and imposes of client requests, the Discovery Proxy sends no packets and imposes
no burden on the network. It operates purely "on demand".</t> no burden on the network. It operates purely "on demand".</t>
<t>An alternative proposal that has been discussed is a proxy that <t>An alternative proposal that has been discussed is a proxy that
performs performs DNS updates to a remote DNS server on behalf of the Multicast
DNS updates to a remote DNS server on behalf of the Multicast DNS DNS devices on the local network. The difficulty with this is that
devices on the local network. Multicast DNS devices do not routinely announce their records on the
The difficulty with this is is that network. Generally, they remain silent until queried. This means that
Multicast DNS devices do not routinely announce their records the complete set of Multicast DNS records in use on a link can only be
on the network. Generally they remain silent until queried. discovered by active querying, not by passive listening. Because of
This means that the complete set of Multicast DNS records in use on a this, a proxy can only know what names exist on a link by issuing
link can only be discovered by active querying, not by passive queries for them, and since it would be impractical to issue queries for
listening. every possible name just to find out which names exist and which do not,
Because of this, a proxy can only know what names exist on a link there is no reasonable way for a proxy to programmatically learn all the
by issuing queries for them, and since it would be impractical to answers it would need to push up to the remote DNS server using DNS
issue queries for every possible name just to find out which names Update. Even if such a mechanism were possible, it would risk
exist and which do not, there is no reasonable way for a proxy to generating high load on the network continuously, even when there are no
programmatically learn all the answers it would need to push up to clients with any interest in that data.</t>
the remote DNS server using DNS Update.
Even if such a mechanism were possible, it would risk generating
high load on the network continuously, even when there are
no clients with any interest in that data.</t>
<t>Hence, having a model where the query comes to the Discovery Proxy <t>Hence, having a model where the query comes to the Discovery Proxy
is much more efficient than is much more efficient than
a model where the Discovery Proxy pushes the answers out a model where the Discovery Proxy pushes the answers out
to some other remote DNS server.</t> to some other remote DNS server.</t>
<t>A client seeking to discover services and other information performs
<t>A client seeking to discover services and other information this by sending traditional DNS queries to the Discovery Proxy or by
achieves this by sending traditional DNS queries to the Discovery Proxy, sending DNS Push Notification subscription requests <xref
or by sending target="RFC8765" format="default"></xref>.</t>
<xref target="Push">DNS Push Notification subscription <t>How a client discovers what domain name(s) to use for its
requests</xref>.</t> DNS-based Service Discovery queries
(and, consequently, what Discovery Proxy or Proxies to use)
<t>How a client discovers what domain name(s) to use for its service is described in <xref target="dom-enum" format="default"/>.</t>
discovery queries,
(and consequently what Discovery Proxy or Proxies to use)
is described in <xref target="dom-enum"/>.</t>
<t>The diagram below illustrates a network topology using a <t>The diagram below illustrates a network topology using a
Discovery Proxy to provide discovery service to a remote client.</t> Discovery Proxy to provide discovery service to a remote client.</t>
<figure><artwork> <figure>
+--------+ Unicast +-----------+ +---------+ +---------+ <name>Example Deployment</name>
| Remote | Communcation | Discovery | | Network | | Network | <artwork name="" type="" align="center" alt=""><![CDATA[
| Client |---- . . . -----| Proxy | | Printer | | Camera | +--------+ Unicast +-----------+ +---------+ +---------+
+--------+ +-----------+ +---------+ +---------+ | Remote | Communication | Discovery | | Network | | Network |
| | | | Client |---- . . . ----| Proxy | | Printer | | Camera |
-------------------------------------------- +--------+ +-----------+ +---------+ +---------+
| | | |
------------ --------------------------------------------
Multicast-capable LAN segment (e.g., Ethernet) Multicast-capable LAN segment (e.g., Ethernet)
</artwork></figure>
<?rfc needLines="31" ?> ]]></artwork>
</section> </figure>
<section title="Operational Analogy"> <t>Note that there need not be any Discovery Proxy on the link
<t>A Discovery Proxy does not operate as a multicast relay, or multicast to which the remote client is directly attached.
forwarder. The remote client communicates directly with the Discovery Proxy
There is no danger of multicast forwarding loops that result in traffic using normal unicast TCP/IP communication mechanisms,
storms, potentially spanning multiple IP hops,
because no multicast packets are forwarded. possibly including VPN tunnels and other similar
A Discovery Proxy operates as a *proxy* for a remote client, long-distance communication channels.
performing queries on its behalf and reporting the results back.</t> </t>
<t>A reasonable analogy is making a telephone call to a colleague </section>
at your workplace and saying, "I'm out of the office right now. Would
you <section numbered="true" toc="default">
<name>Operational Analogy</name>
<t>A Discovery Proxy does not operate as a multicast relay or multicast
forwarder. There is no danger of multicast forwarding loops that result
in traffic storms, because no multicast packets are forwarded. A
Discovery Proxy operates as a <em>proxy</em> for remote clients,
performing
queries on their behalf and reporting the results back.</t>
<t>A reasonable analogy is making a telephone call to a colleague at
your workplace and saying, "I'm out of the office right now. Would you
mind bringing up a printer browser window and telling me the names of mind bringing up a printer browser window and telling me the names of
the the printers you see?" That entails no risk of a forwarding loop causing
printers you see?" That entails no risk of a forwarding loop causing a a traffic storm, because no multicast packets are sent over the
traffic storm, because no multicast packets are sent over the telephone telephone call.</t>
call.</t>
<t>A similar analogy, instead of enlisting another human being <t>A similar analogy, instead of enlisting another human being
to initiate the service discovery operation on your behalf, is to initiate the service discovery operation on your behalf, is
to log into your own desktop work computer using screen sharing, to log in to your own desktop work computer using screen sharing
and then run the printer browser yourself to see the list of printers. and then run the printer browser yourself to see the list of printers.
Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the Or, log in using Secure Shell (ssh) and type "dns-sd -B _ipp._tcp" and
observe the
list of discovered printer names. In neither case is there any risk list of discovered printer names. In neither case is there any risk
of a forwarding loop causing a traffic storm, because no multicast of a forwarding loop causing a traffic storm, because no multicast
packets are being sent over the screen sharing or ssh connection.</t> packets are being sent over the screen-sharing or ssh connection.</t>
<t>The Discovery Proxy provides another way of performing remote <t>The Discovery Proxy provides another way of performing remote
queries, queries,
except using a different protocol instead of screen sharing or ssh.</t> which uses a different protocol instead of screen sharing or ssh.
The Discovery Proxy mechanism can be thought of as a custom Remote
Procedure Call (RPC) protocol that allows a remote client to exercise
the Multicast DNS APIs on the Discovery Proxy device, just as a local
client running on the Discovery Proxy device would use those APIs.</t>
<t>When the Discovery Proxy software performs Multicast DNS <t>When the Discovery Proxy software performs Multicast DNS
operations, the exact same Multicast DNS caching mechanisms are operations, the exact same Multicast DNS caching mechanisms are
applied as when any other client software on that Discovery Proxy applied as when any other client software on that Discovery Proxy
device performs Multicast DNS operations, whether that be running device performs Multicast DNS operations, regardless of whether that be
a printer browser client locally, or a remote user running the running
printer browser client via a screen sharing connection, or a remote a printer browser client locally, a remote user running the
printer browser client via a screen-sharing connection, a remote
user logged in via ssh running a command-line tool like "dns-sd", user logged in via ssh running a command-line tool like "dns-sd",
or a remote user sending DNS requests that cause a Discovery Proxy or a remote user sending DNS requests that cause a Discovery Proxy
to perform discovery operations on its behalf.</t> to perform discovery operations on its behalf.</t>
<?rfc needLines="15" ?>
</section> </section>
<section title="Conventions and Terminology Used in this Document"> <section numbered="true" toc="default">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <name>Conventions and Terminology Used in This Document</name>
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace
/> <t>
and "OPTIONAL" in this document are to be interpreted as The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
described<vspace /> "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
in "Key words for use in RFCs to Indicate Requirement Levels",<vspace /> NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
when, and only when, they appear in all capitals, as shown here<vspace "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
/> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
<xref target="RFC2119"/> <xref target="RFC8174"/>.</t> to be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<t>The Discovery Proxy builds on Multicast DNS, <t>The Discovery Proxy builds on Multicast DNS,
which works between hosts on the same link. which works between hosts on the same link.
For the purposes of this document For the purposes of this document,
a set of hosts is considered to be "on the same link" if: a set of hosts is considered to be "on the same link" if:
<list style='symbols'> </t>
<t>when any host from that set sends a packet to any other host
<ul spacing="normal">
<li>when any host from that set sends a packet to any other host
in that set, using unicast, multicast, or broadcast, the entire in that set, using unicast, multicast, or broadcast, the entire
link-layer packet payload arrives unmodified, and</t> link-layer packet payload arrives unmodified, and</li>
<t>a broadcast sent over that link, by any host from that set of <li>a broadcast sent over that link, by any host from that set of
hosts, hosts,
can be received by every other host in that set.</t> can be received by every other host in that set.</li>
</list> </ul>
<t>
The link-layer *header* may be modified, such as in The link-layer <em>header</em> may be modified, such as in Token Ring
<xref target="IEEE-5">Token Ring Source Routing</xref>, Source Routing
but not the link-layer *payload*. <xref target="IEEE-5" format="default"></xref>,
but not the link-layer <em>payload</em>.
In particular, if any device forwarding a packet modifies any In particular, if any device forwarding a packet modifies any
part of the IP header or IP payload then the packet is no longer part of the IP header or IP payload, then the packet is no longer
considered to be on the same link. This means that the packet may considered to be on the same link. This means that the packet may
pass through devices such as repeaters, bridges, hubs or switches pass through devices such as repeaters, bridges, hubs, or switches
and still be considered to be on the same link for the purpose of and still be considered to be on the same link for the purpose of
this document, but not through a device such as an IP router that this document, but not through a device such as an IP router that
decrements the IP TTL or otherwise modifies the IP header.</t> decrements the IP TTL or otherwise modifies the IP header.</t>
</section> </section>
<section anchor="compatibility" title="Compatibility Considerations"> <section anchor="compatibility" numbered="true" toc="default">
<name>Compatibility Considerations</name>
<t>No changes to existing devices are required to work with a Discovery <t>No changes to existing devices are required to work with a Discovery
Proxy.</t> Proxy.</t>
<t>Existing devices that advertise services using Multicast DNS work <t>Existing devices that advertise services using Multicast DNS work
with Discovery Proxy.</t> with a Discovery Proxy.</t>
<t>Existing clients that support DNS-Based Service Discovery over
Unicast DNS
work with Discovery Proxy.
Service Discovery over Unicast DNS was introduced in Mac OS X 10.4 in
April 2005,
as is included in Apple products introduced since then, including iPhone
and iPad,
as well as products from other vendors, such as Microsoft Windows
10.</t>
<t>An overview of the larger collection of related Service Discovery
technologies, and how Discovery Proxy relates to those, is given in
<xref target="Roadmap">the Service Discovery Road Map
document</xref>.</t>
<?rfc needLines="22" ?> <t>Existing clients that support DNS-based Service Discovery over
Unicast DNS work with a Discovery Proxy. DNS-based Service Discovery
over Unicast
DNS was introduced in Mac OS X 10.4 Tiger in April 2005 and has been
included in
Apple products introduced since then, including the iPhone and iPad.
It has also been included in
products from other vendors, such as Microsoft Windows 10.</t>
<t>An overview of the larger collection of associated DNS-based Service
Discovery
technologies, and how the Discovery Proxy technology relates to those,
is given in the
Service Discovery Road Map document <xref
target="I-D.cheshire-dnssd-roadmap" format="default"></xref>.</t>
</section> </section>
<section anchor="operation" title="Discovery Proxy Operation"> <section anchor="operation" numbered="true" toc="default">
<name>Discovery Proxy Operation</name>
<t>In a typical configuration, a Discovery Proxy is configured <t>In a typical configuration, a Discovery Proxy is configured
to be authoritative <xref target="RFC1034"/> <xref target="RFC1035"/> to be authoritative <xref target="RFC1034" format="default"/> <xref
for four or more DNS subdomains, and authority target="RFC1035" format="default"/>
for these subdomains is delegated to it via NS records: for four or more DNS subdomains, listed below.
<list style="hanging"> Authority for these subdomains is delegated
<t hangText="A DNS subdomain for service discovery records."><vspace from the parent domain to the Discovery Proxy
/> in the usual way for DNS delegation, via NS records.
</t>
<dl newline="true" spacing="normal">
<dt>A DNS subdomain for DNS-based Service Discovery records.</dt>
<dd>
This subdomain name may contain rich text, including This subdomain name may contain rich text, including
spaces and other punctuation. This is because this spaces and other punctuation. This is because this
subdomain name is used only in graphical user interfaces, subdomain name is used only in graphical user interfaces,
where rich text is appropriate.</t> where rich text is appropriate.</dd>
<t hangText="A DNS subdomain for host name records."><vspace /> <dt>A DNS subdomain for host name records.</dt>
This subdomain name SHOULD be limited to letters, digits and <dd>
hyphens, This subdomain name <bcp14>SHOULD</bcp14> be limited to letters,
to facilitate convenient use of host names in command-line digits, and
interfaces.</t> hyphens in order to facilitate the convenient use of host
<t hangText="One or more DNS subdomains for IPv4 Reverse Mapping names in
records."><vspace /> command-line
These subdomains will have names that ends in "in-addr.arpa."</t> interfaces.</dd>
<t hangText="One or more DNS subdomains for IPv6 Reverse Mapping <dt>One or more DNS subdomains for IPv4 Reverse Mapping records.</dt>
records."><vspace /> <dd>
These subdomains will have names that ends in "ip6.arpa."</t> These subdomains will have names that end in "in-addr.arpa".</dd>
</list> <dt>One or more DNS subdomains for IPv6 Reverse Mapping records.</dt>
</t> <dd>
These subdomains will have names that end in "ip6.arpa".</dd>
<t>In an enterprise network the naming and delegation of these </dl>
<t>In an enterprise network, the naming and delegation of these
subdomains subdomains
is typically performed by conscious action of the network administrator. is typically performed by conscious action of the network administrator.
In a home network naming and delegation would typically be performed In a home network, naming and delegation would typically be performed
using some automatic configuration mechanism such as HNCP using some automatic configuration mechanism such as Home Networking
<xref target="RFC7788"/>.</t> Control Protocol (HNCP)
<xref target="RFC7788" format="default"/>.</t>
<t>These three varieties of delegated subdomains <t>These three varieties of delegated subdomains
(service discovery, host names, and reverse mapping) are described below (service discovery, host names, and reverse mapping) are described below
in in Sections <xref target="dom-sd" format="counter"/>, <xref
<xref target="dom-sd"/>, target="dom-host" format="counter"/>, and <xref target="dom-rev"
<xref target="dom-host"/> and format="counter"/>.</t>
<xref target="dom-rev"/>.</t> <t>How a client discovers where to issue its DNS-based Service Discovery
queries
<t>How a client discovers where to issue its service discovery queries is described in <xref target="dom-enum" format="default"/>.</t>
is described <section anchor="dom-sd" numbered="true" toc="default">
below in <xref target="dom-enum"/>.</t> <name>Delegated Subdomain for DNS-based Service Discovery
Records</name>
<?rfc needLines="28" ?> <t>In its simplest form, each link in an organization
<section anchor="dom-sd" title="Delegated Subdomain for Service is assigned a unique Unicast DNS domain name such as
Discovery Records">
<t>In its simplest form, each link in an organization
is assigned a unique Unicast DNS domain name, such as
"Building&nbsp;1.example.com" or "Building&nbsp;1.example.com" or
"2nd&nbsp;Floor.Building&nbsp;3.example.com". "2nd&nbsp;Floor.Building&nbsp;3.example.com".
Grouping multiple links under a single Unicast DNS domain Grouping multiple links under a single Unicast DNS domain
name is to be specified in a future companion document, but for name is to be specified in a future companion document, but for
the purposes of this document, assume that each link has its own the purposes of this document, assume that each link has its own
unique Unicast DNS domain name. unique Unicast DNS domain name.
In a graphical user interface these names are not displayed In a graphical user interface these names are not displayed
as strings with dots as shown above, but something more as strings with dots as shown above, but something more
akin to a typical file browser graphical user interface akin to a typical file browser graphical user interface
(which is harder to illustrate in a text-only document) (which is harder to illustrate in a text-only document)
showing folders, subfolders and files in a file system. showing folders, subfolders, and files in a file system.
<figure align="left" anchor="browser" title="Illustrative </t>
GUI"><artwork><![CDATA[
<figure anchor="browser">
<name>Illustrative GUI
</name>
<artwork align="center" name="" type="" alt=""><![CDATA[
+---------------+--------------+-------------+-------------------+ +---------------+--------------+-------------+-------------------+
| *example.com* | Building 1 | 1st Floor | Alice's printer | | *example.com* | Building 1 | 1st Floor | Alice's printer |
| | Building 2 | *2nd Floor* | Bob's printer | | | Building 2 | *2nd Floor* | Bob's printer |
| | *Building 3* | 3rd Floor | Charlie's printer | | | *Building 3* | 3rd Floor | Charlie's printer |
| | Building 4 | 4th Floor | | | | Building 4 | 4th Floor | |
| | Building 5 | | | | | Building 5 | | |
| | Building 6 | | | | | Building 6 | | |
+---------------+--------------+-------------+-------------------+]]></artwork> +---------------+--------------+-------------+-------------------+
</figure>
</t>
<t>Each named link in an organization has one or more Discovery Proxies
which
serve it. This Discovery Proxy function for each link could be performed
by a
device like a router or switch that is physically attached to that link.
In the parent domain, NS records
are used to delegate ownership of each defined link name
(e.g.,&nbsp;"Building&nbsp;1.example.com")
to the one or more Discovery Proxies that serve the named link.
In other words, the Discovery Proxies are the authoritative name
servers for that subdomain.
As in the rest of DNS-Based Service Discovery, all names are represented
as-is
using plain UTF-8 encoding, and, as described in <xref
target="notrans"/>,
no text encoding translations are performed.</t>
<t>With appropriate <xref target="IEEE-1Q">VLAN configuration</xref> ]]></artwork>
a single Discovery Proxy device could have a logical presence on </figure>
many links, and serve as the Discovery Proxy for all those links.
In such a configuration the Discovery Proxy device would have a single
physical <xref target="IEEE-3">Ethernet</xref> port, configured as a
VLAN trunk port, which would appear to software on that device as
multiple
virtual Ethernet interfaces, one connected to each of the VLAN
links.</t>
<t>As an alternative to using VLAN technology, using a <t>Each named link in an organization has one or more Discovery
<xref target="Relay">Multicast DNS Discovery Relay</xref> Proxies that serve it. This Discovery Proxy function
could be performed by a device like a router or switch that is
physically attached to that link. In the parent domain, NS records
are used to delegate ownership of each defined link name
(e.g.,&nbsp;"Building&nbsp;1.example.com") to one or more
Discovery Proxies that serve the named link. In other words, the
Discovery Proxies are the authoritative name servers for that
subdomain. As in the rest of DNS-based Service Discovery, all names
are represented as-is using plain UTF-8 encoding and, as described in
<xref target="notrans" format="default"/>, no text-encoding
translations are performed.</t>
<t>With appropriate VLAN
configuration <xref target="IEEE-1Q" format="default"></xref>, a
single Discovery Proxy device could have a
logical presence on many links and serve as the Discovery Proxy for
all those links. In such a configuration, the Discovery Proxy device
would have a single physical Ethernet <xref target="IEEE-3"
format="default"></xref> port, configured as a VLAN trunk
port, which would appear to software on that device as multiple
virtual Ethernet interfaces, one connected to each of the VLAN
links.</t>
<t>As an alternative to using VLAN technology, using a Multicast DNS
Discovery Relay
<xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>
is another way that a Discovery Proxy can have is another way that a Discovery Proxy can have
a ‘virtual’ presence on a remote link.</t> a "virtual" presence on a remote link.</t>
<t>When a DNS-SD client issues a Unicast DNS query to discover
<?rfc needLines="6" ?> services in a particular Unicast DNS subdomain
<t>When a DNS-SD client issues a Unicast DNS query to discover services (e.g.,&nbsp;"_ipp._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?"),
in a particular Unicast DNS subdomain the normal DNS delegation mechanism results in that query being
(e.g.,&nbsp;"_printer._tcp.Building&nbsp;1.example.com.&nbsp;PTR&nbsp;?") forwarded until it reaches the delegated authoritative name server for
the normal DNS delegation mechanism results in that query being that subdomain, namely, the Discovery Proxy on the link in question.
forwarded until it reaches the delegated authoritative name server Like a conventional Unicast DNS server, a Discovery Proxy implements
for that subdomain, namely the Discovery Proxy on the link in question. the usual Unicast DNS protocol <xref target="RFC1034"
Like a conventional Unicast DNS server, format="default"/> <xref target="RFC1035" format="default"/> over UDP
a Discovery Proxy implements the usual Unicast DNS protocol and TCP. However, unlike a conventional Unicast DNS server that
<xref target="RFC1034"/> <xref target="RFC1035"/> over UDP and TCP. generates answers from the data in its manually configured zone file,
However, unlike a conventional Unicast DNS server that a Discovery Proxy learns answers using Multicast DNS. A Discovery
generates answers from the data in its manually-configured zone file, Proxy does this by consulting its Multicast DNS cache and/or issuing
a Discovery Proxy generates answers using Multicast DNS. Multicast DNS queries, as appropriate according to the usual protocol
A Discovery Proxy does this by consulting rules of Multicast DNS <xref target="RFC6762"
its Multicast DNS cache and/or issuing Multicast DNS queries, format="default"></xref>,
as appropriate, according to the usual protocol for the corresponding Multicast DNS name, type, and class, with the
rules of <xref target="RFC6762">Multicast DNS</xref>, delegated zone part of the name replaced with ".local" (e.g.,&nbsp;in
for the corresponding Multicast DNS name, type and class, this case, "_ipp._tcp.local.&nbsp;PTR&nbsp;?"). Then, from the
with the delegated zone part of the name replaced with ".local" received Multicast DNS data, the Discovery Proxy synthesizes the
(e.g.,&nbsp;in this case, "_printer._tcp.local.&nbsp;PTR&nbsp;?"). appropriate Unicast DNS response, with the ".local" top-level label
Then, from the received Multicast DNS data, the Discovery Proxy of the owner name
synthesizes the appropriate Unicast DNS response, with the replaced with the name of the delegated zone.
".local" top-level label replaced with with the name of the delegated Further details of the name translation rules are
zone. described in <xref target="translation" format="default"/>.
How long the Discovery Proxy should wait to accumulate Multicast DNS Rules specifying how long the Discovery
responses before sending its unicast reply is described below in <xref Proxy should wait to accumulate Multicast DNS responses before sending
target="aggregation"/>.</t> its unicast reply are described in <xref target="aggregation"
format="default"/>.
<t>The existing Multicast DNS caching mechanism is used </t>
to minimize unnecessary Multicast DNS queries on the wire. <t>The existing Multicast DNS caching mechanism is used to minimize
The Discovery Proxy is acting as a client of the underlying Multicast unnecessary Multicast DNS queries on the wire. The Discovery Proxy is
DNS acting as a client of the underlying Multicast DNS subsystem and
subsystem, and benefits from the same caching and efficiency benefits from the same caching and efficiency measures as any other
measures as any other client using that subsystem.</t> client using that subsystem.</t>
<t>Note that the contents of the delegated zone, generated as it is by
<t>Note that the contents of the delegated zone, performing ".local" Multicast DNS queries, mirrors the records
generated as it is by performing ".local" Multicast DNS queries, available on the local link via Multicast DNS very closely, but not
mirrors the records available on the local link via Multicast DNS precisely. There is not a full bidirectional equivalence between the
very closely, but not precisely. two. Certain records that are available via Multicast DNS may not
There is not a full bidirectional equivalence between the two. have equivalents in the delegated zone possibly because they are
Certain records that are available via Multicast DNS may not have invalid or not relevant in the delegated zone or because they are
equivalents in the delegated zone, being suppressed because they are unusable outside the local link (see
possibly because they are invalid or not relevant in the delegated zone, <xref target="unusable" format="default"/>). Conversely, certain
or records that appear in the delegated zone may not have corresponding
because they are being supressed because they are unusable outside the records available on the local link via Multicast DNS. In particular,
local link there are certain administrative SRV records (see <xref target="admin"
(see <xref target="unusable"/>). format="default"/>) that logically fall within the delegated zone but
Conversely, certain records that appear in the delegated zone may not semantically represent metadata <em>about</em> the zone rather than
have records
corresponding records available on the local link via Multicast DNS. <em>within</em> the zone. Consequently, these administrative records
In particular there are certain administrative SRV records in
(see <xref target="admin"/>) that logically fall within the delegated the delegated zone do not have any corresponding counterparts in the
zone, Multicast DNS namespace of the local link.</t>
but semantically represent metadata *about* the zone rather than records </section>
*within* the zone, and consequently these administrative records in the
delegated zone
do not have any corresponding counterparts in the Multicast DNS
namespace of the local link.</t>
<?rfc needLines="26" ?> <section anchor="dom-enum" numbered="true" toc="default">
</section> <name>Domain Enumeration</name>
<t>A DNS-SD client performs Domain Enumeration <xref target="RFC6763"
format="default"/> via certain PTR queries, using both unicast and
multicast.</t>
<section anchor="dom-enum" title="Domain Enumeration"> <t>If a DNS-SD client receives a Domain Name configuration via DHCP
<t>A DNS-SD client performs Domain Enumeration <xref then it issues
target="RFC6763"/> unicast queries derived from this domain name. It also issues unicast
via certain PTR queries, using both unicast and multicast. queries using
If it receives a Domain Name configuration via names derived from its IPv4 subnet address(es) and IPv6 prefix(es).
<xref target="RFC2132">DHCP option 15</xref>, These unicast Domain Enumeration queries are described
then it issues unicast queries using this domain. in <xref target="unicast" format="default"/>.
It issues unicast queries using names derived from its A DNS-SD client
IPv4 subnet address(es) and also issues multicast Domain Enumeration queries in the "local" domain
IPv6 prefix(es). <xref target="RFC6762" format="default"/>, as described in
These are described below in <xref target="unicast"/>. <xref target="multicast" format="default"/>. The results of all the
It also issues multicast Domain Enumeration queries in the "local" Domain Enumeration queries are combined for DNS-based Service
domain Discovery
<xref target="RFC6762"/>. purposes.</t>
These are described below in <xref target="multicast"/>.
The results of all the Domain Enumeration queries are combined for
Service Discovery purposes.</t>
<section anchor="unicast" title="Domain Enumeration via Unicast <section anchor="unicast" numbered="true" toc="default">
Queries"> <name>Domain Enumeration via Unicast Queries</name>
<t>The administrator creates Domain Enumeration <t>The (human or automated) administrator creates
PTR records <xref target="RFC6763"/> Unicast DNS Domain Enumeration PTR records <xref
to inform clients of available service discovery domains. target="RFC6763" format="default"/> to inform clients of available
Two varieties of such Domain Enumeration PTR records exist; service discovery domains. Two varieties of such Unicast DNS Domain
those with names derived from the domain name communicated to the Enumeration
clients via DHCP, PTR records exist: those with names derived from the domain name
and those with names derived from IPv4 subnet address(es) and IPv6 communicated to the clients via
prefix(es) in use by the clients. <xref target="RFC2132" format="default">DHCP option 15</xref>,
Below is an example showing the name-based variety:</t> and those with names derived
<figure><artwork> from either IPv4 subnet address(es) or IPv6 prefix(es) in use by the
clients. Below is an example showing the name-based variety,
where the DHCP server configured the client with the domain name
"example.com":</t>
<artwork name="" type="" align="center" alt=""><![CDATA[
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building lb._dns-sd._udp.example.com. PTR Building 1.example.com.]]></artwork>
1.example.com.</artwork></figure> <t>The meaning of these records is defined in the <xref
target="RFC6763"
<t>The meaning of these records is defined in the format="default">DNS-based Service
<xref target="RFC6763">DNS Service Discovery specification</xref> Discovery specification</xref> but, for convenience, is repeated
but for convenience is repeated here. here.
The "b" ("browse") records tell the client device the The "b" ("browse") records tell the client device the list of
list of browsing domains to display for the user to select from. browsing domains to display for the user to select from. The "db"
The "db" ("default browse") record tells the client device ("default browse") record tells the client device which domain in
which domain in that list should be selected by default. that list should be selected by default. The "db" domain
The "db" domain MUST be one of the domains in the "b" list; <bcp14>MUST</bcp14> be one of the domains in the "b" list; if not,
if not then no domain is selected by default. then no domain is selected by default. The "lb" ("legacy browse")
The "lb" ("legacy browse") record tells the client device which domain record tells the client device which domain to automatically browse
to automatically browse on behalf of applications that don't implement on behalf of applications that don't implement user interface for
UI for multi-domain browsing (which is most of them, at the time of multi-domain
writing). browsing (which is most of them at the time of writing). The "lb"
The "lb" domain is often the same as the "db" domain, or sometimes domain is often the same as the "db" domain, or sometimes the "db"
the "db" domain plus one or more others that should be included in domain plus one or more others that should be included in the list
the list of automatic browsing domains for legacy clients.</t> of automatic browsing domains for legacy clients.</t>
<t>Note that in the example above, for clarity, space characters in
<t>Note that in the example above, for clarity, names are shown as actual spaces. If this data is manually entered
space characters in names are shown as actual spaces. into a textual zone file for authoritative server software such as
If this data is manually entered into a textual zone file for BIND, care must be taken because the space character is used as a
authoritative server field separator, and other characters like dot ('.'), semicolon
software such as BIND, care must be taken because the space character (';'), dollar ('$'), backslash ('\'), etc., also have special
is used as meaning. These characters have to be escaped when entered into a
a field separator, and other characters like dot ('.'), semicolon textual zone file, following the rules in <xref target="RFC1035"
(';'), sectionFormat="of" section="5.1">the DNS specification</xref>. For
dollar ('$'), backslash ('\'), etc., also have special meaning. example, a literal space in a name is represented in the textual
These characters have to be escaped when entered into a textual zone zone file using '\032', so "Building&nbsp;1.example.com" is entered
file, as "Building\0321.example.com".</t>
following the rules in Section 5.1 of the
<xref target="RFC1035">DNS specification</xref>.
For example, a literal space in a name is represented in the textual
zone file
using '\032', so "Building 1.example.com." is entered as
"Building\0321.example.com."</t>
<?rfc needLines="15" ?> <t>DNS responses are limited to a maximum size of 65535 bytes.
<t>DNS responses are limited to a maximum size of 65535 bytes.
This limits the maximum number of domains that can be returned for This limits the maximum number of domains that can be returned for
a Domain Enumeration query, as follows:</t> a Domain Enumeration query as follows:</t>
<t>A DNS response header is 12 bytes.
<t>A DNS response header is 12 bytes.
That's typically followed by a single qname (up to 256 bytes) That's typically followed by a single qname (up to 256 bytes)
plus qtype (2&nbsp;bytes) and qclass (2&nbsp;bytes), leaving 65275 plus qtype (2&nbsp;bytes) and qclass (2&nbsp;bytes), leaving 65275
for the Answer Section.</t> for the Answer Section.</t>
<t>An Answer Section Resource Record consists of: <t>An Answer Section Resource Record consists of:
<?rfc subcompact="yes" ?> </t>
<list style='symbols'>
<t>Owner name, encoded as a two-byte compression pointer</t>
<t>Two-byte rrtype (type PTR)</t>
<t>Two-byte rrclass (class IN)</t>
<t>Four-byte ttl</t>
<t>Two-byte rdlength</t>
<t>rdata (domain name, up to 256 bytes)</t>
</list>
<?rfc subcompact="no" ?>
</t>
<t>This means that each Resource Record in the Answer Section can <ul spacing="compact">
<li>Owner name, encoded as a compression pointer, 2 bytes</li>
<li>RRTYPE (type PTR), 2 bytes</li>
<li>RRCLASS (class IN), 2 bytes</li>
<li>TTL, 4 bytes</li>
<li>RDLENGTH, 2 bytes</li>
<li>RDATA (domain name), up to 256 bytes</li>
</ul>
<t>This means that each Resource Record in the Answer Section can
take up to 268 bytes total, which means that the Answer Section take up to 268 bytes total, which means that the Answer Section
can contain, in the worst case, no more than 243 domains.</t> can contain, in the worst case, no more than 243 domains.</t>
<t>In a more typical scenario, where the domain names are not all
<t>In a more typical scenario, where the domain names are not all
maximum-sized names, and there is some similarity between names maximum-sized names, and there is some similarity between names
so that reasonable name compression is possible, each Answer so that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that Section Resource Record may average 140 bytes, which means that
the Answer Section can contain up to 466 domains.</t> the Answer Section can contain up to 466 domains.</t>
<t>It is anticipated that this should be sufficient for even a large
<t>It is anticipated that this should be sufficient for even a large
corporate network or university campus.</t> corporate network or university campus.</t>
<?rfc needLines="21" ?>
</section> </section>
<section anchor="multicast" numbered="true" toc="default">
<name>Domain Enumeration via Multicast Queries</name>
<t>In the case where Discovery Proxy functionality is widely
deployed within an enterprise (either by having a Discovery Proxy
physically on
each link, or by having a Discovery Proxy with a remote "virtual"
presence on each link using VLANs or Multicast DNS Discovery Relays
<xref target="I-D.sctl-dnssd-mdns-relay" format="default"></xref>),
this offers an additional way to provide Domain Enumeration
configuration data for
clients.</t>
<section anchor="multicast" title="Domain Enumeration via Multicast <t>Note that this function of the Discovery Proxy is
Queries"> supplementary to the primary purpose of the Discovery Proxy,
which is to facilitate <em>remote</em> clients discovering services
<t>In the case where Discovery Proxy functionality is widely deployed on the Discovery Proxy's local link.
within an enterprise (either by having a Discovery Proxy on each link, This publication of Domain Enumeration configuration data
or by having a Discovery Proxy with a remote ‘virtual’ presence on via link-local multicast on the Discovery
each link Proxy's local link is performed for the benefit of <em>local</em>
using VLANs or <xref target="Relay">Multicast DNS Discovery clients
Relays</xref>) attached to that link, and typically directs those clients to
this offers an additional way to provide Domain Enumeration data for contact other distant Discovery Proxies attached to other links.
clients.</t> Generally, a client does not need to use the local Discovery
Proxy on its own link, because a client is generally able to
perform its own Multicast DNS queries on that link.
(The exception to this is when the local Wi-Fi access point is
blocking or filtering local multicast traffic, requiring even local
clients to use their local Discovery Proxy to perform local
discovery.)</t>
<t>A Discovery Proxy can be configured to generate Multicast DNS <t>A Discovery Proxy can be configured to generate Multicast DNS
responses responses
for the following Multicast DNS Domain Enumeration queries issued by for the following Multicast DNS Domain Enumeration queries issued by
clients:</t> clients:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ?</artwork></figure> lb._dns-sd._udp.local. PTR ?]]></artwork>
<t>This provides the ability for Discovery Proxies to indicate
<t>This provides the ability for Discovery Proxies to indicate recommended browsing domains to DNS-SD clients on a per-link
recommended browsing domains granularity. In some enterprises, it may be preferable to provide
to DNS-SD clients on a per-link granularity. In some enterprises it this per-link configuration information in the form of Discovery
may be Proxy
preferable to provide this per-link configuration data in the form of configuration data rather than by populating the Unicast DNS servers
Discovery Proxy configuration, rather than populating the Unicast DNS with
servers the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t>
with the same data (in the "ip6.arpa" or "in-addr.arpa" domains).</t> <t>Regardless of how the network operator chooses to provide this
configuration
<t>Regardless of how the network operator chooses to provide this
configuration
data, clients will perform Domain Enumeration via both unicast and data, clients will perform Domain Enumeration via both unicast and
multicast multicast
queries, and then combine the results of these queries.</t> queries and then combine the results of these queries.</t>
<?rfc needLines="30" ?>
</section> </section>
</section> </section>
<section anchor="dom-host" numbered="true" toc="default">
<section anchor="dom-host" title="Delegated Subdomain for LDH Host <name>Delegated Subdomain for LDH Host Names</name>
Names">
<t>DNS-SD service instance names and domains are allowed <t>DNS-SD service instance names and domains are allowed
to contain arbitrary <xref target="RFC5198">Net-Unicode text</xref>, to contain arbitrary Net-Unicode text <xref target="RFC5198"
encoded as <xref target="RFC3629">precomposed UTF-8</xref>.</t> format="default"></xref>,
encoded as precomposed UTF-8 <xref target="RFC3629"
format="default"></xref>.</t>
<t>Users typically interact with service discovery software by <t>Users typically interact with service discovery software by
viewing a list of discovered service instance names on a display, viewing a list of discovered service instance names on a display
and selecting one of them by pointing, touching, or clicking. and selecting one of them by pointing, touching, or clicking.
Similarly, in software that provides a multi-domain DNS-SD user Similarly, in software that provides a multi-domain DNS-SD user
interface, users view a list of offered domains on the display interface, users view a list of offered domains on the display
and select one of them by pointing, touching, or clicking. and select one of them by pointing, touching, or clicking.
To use a service, users don't have to remember domain or instance To use a service, users don't have to remember domain or instance
names, or type them; users just have to be able to recognize what names, or type them; users just have to be able to recognize what
they see on the display and touch or click on the thing they want.</t> they see on the display and touch or click on the thing they want.</t>
<t>In contrast, host names are often remembered and typed. Also, host
<t>In contrast, host names are often remembered and typed. names have historically been used in command-line interfaces where
Also, host names have historically been used in command-line spaces can be inconvenient. For this reason, host names have
interfaces traditionally been restricted to letters, digits, and hyphens (LDH)
where spaces can be inconvenient. For this reason, host names have with no spaces or other punctuation.</t> <t>While we do want to allow
traditionally been restricted to letters, digits and hyphens (LDH), rich text for DNS-SD service instance names and domains, it is
with advisable, for maximum compatibility with existing usage, to restrict
no spaces or other punctuation.</t> host names to the traditional letter-digit-hyphen rules. This means
that while the service name
<t>While we do want to allow rich text for DNS-SD service "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" is acceptable
instance names and domains, it is advisable, for maximum and desirable (it is displayed in a graphical user interface as an
compatibility with existing usage, to restrict host names instance called "My&nbsp;Printer" in the domain "Building&nbsp;1" at
to the traditional letter-digit-hyphen rules. "example.com"), the host name "My-Printer.Building&nbsp;1.example.com"
This means that while a service name is less desirable (because of the space in "Building&nbsp;1").</t>
"My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" <t>To accommodate this difference in allowable characters, a Discovery
is acceptable and desirable Proxy <bcp14>SHOULD</bcp14> support having two separate subdomains
(it is displayed in a graphical user interface as an instance called delegated to it for each link it serves: one whose name is allowed to
"My&nbsp;Printer" in the domain "Building&nbsp;1" at "example.com"), contain arbitrary Net-Unicode text <xref target="RFC5198"
a host name "My-Printer.Building&nbsp;1.example.com" is less desirable format="default"/>, and a second more constrained subdomain whose name
(because of the space in "Building&nbsp;1").</t> is restricted to contain only letters, digits, and hyphens, to be used
for host name records (names of 'A' and 'AAAA' address records). The
<t>To accomodate this difference in allowable characters, a Discovery restricted names may be any valid name consisting of only letters,
Proxy digits, and hyphens, including Punycode-encoded names <xref
SHOULD support having two separate subdomains delegated to it target="RFC3492" format="default"/>.
for each link it serves, one whose name
is allowed to contain arbitrary Net-Unicode text <xref
target="RFC5198"/>,
and a second more constrained subdomain whose name is restricted to
contain
only letters, digits, and hyphens, to be used for host name records
(names of 'A' and 'AAAA' address records).
The restricted names may be any valid name consisting of only
letters, digits, and hyphens, including Punycode-encoded names <xref
target="RFC3492"/>.
</t> </t>
<?rfc needLines="12" ?>
<t>For example, a Discovery Proxy could have the two subdomains <t>For example, a Discovery Proxy could have the two subdomains
"Building&nbsp;1.example.com" and "bldg1.example.com" delegated to it. "Building&nbsp;1.example.com" and "bldg&nbhy;1.example.com" delegated
to it.
The Discovery Proxy would then translate these two Multicast DNS The Discovery Proxy would then translate these two Multicast DNS
records:</t> records:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2</artwork></figure> prnt.local. A 203.0.113.2]]></artwork>
<t>into Unicast DNS records as follows:</t> <t>into Unicast DNS records as follows:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork>
My Printer._ipp._tcp.Building 1.example.com. My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg1.example.com. SRV 0 0 631 prnt.bldg-1.example.com.
prnt.bldg1.example.com. A 203.0.113.2</artwork></figure> prnt.bldg-1.example.com. A 203.0.113.2]]></artwork>
<t>Note that the SRV record name is translated using the rich-text <t>Note that the SRV record name is translated using the rich-text
domain name ("Building&nbsp;1.example.com") and the address record domain name ("Building&nbsp;1.example.com"), and the address record
name is translated using the LDH domain ("bldg1.example.com").</t> name is translated using the LDH domain ("bldg&nbhy;1.example.com").
Further details of the name translation rules are
<t>A Discovery Proxy MAY support only a single rich text Net-Unicode described in <xref target="translation" format="default"/>.</t>
domain, and <t>A Discovery Proxy <bcp14>MAY</bcp14> support only a single
use that domain for all records, including 'A' and 'AAAA' address rich-text Net-Unicode domain and use that domain for all records,
records, including 'A' and 'AAAA' address records, but implementers choosing
but implementers choosing this option should be aware that this choice this option should be aware that this choice may produce host names
may produce host names that are awkward to use in command-line that are awkward to use in command-line environments. Whether or not
environments. this is
Whether this is an issue depends on whether users in the target an issue depends on whether users in the target environment are
environment expected to be using command-line interfaces.</t>
are expected to be using command-line interfaces.</t> <t>A Discovery Proxy <bcp14>MUST NOT</bcp14> be restricted to support
only a
<t>A Discovery Proxy MUST NOT be restricted to support only a
letter-digit-hyphen letter-digit-hyphen
subdomain, because that results in an unnecessarily poor user subdomain, because that results in an unnecessarily poor user
experience.</t> experience.</t>
<t>As described above in <xref target="unicast"/>, for clarity, <t>As described in <xref target="unicast" format="default"/>, for
space characters in names are shown as actual spaces. clarity, in examples here space characters in names are shown as
If this data were to be manually entered into a textual zone file actual spaces. If
(which it isn't) this dynamically discovered data were to be manually entered into a
then spaces would need to be represented using '\032', so textual zone file (which
"My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com." would become it isn't), then spaces would need to be represented using '\032', so
"My\032Printer._ipp._tcp.Building\0321.example.com."<vspace /> "My&nbsp;Printer._ipp._tcp.Building&nbsp;1.example.com" would become
Note that the '\032' representation does not appear "My\032Printer._ipp._tcp.Building\0321.example.com".</t>
in the network packets sent over the air. <t>
In the wire format of DNS messages, spaces are sent as spaces, not as Note that the '\032' representation does not appear in DNS messages
'\032', sent over the air. In the wire format of DNS messages, spaces are sent as
and likewise, in a graphical user interface at the client device, spaces, not as '\032', and likewise, in a graphical user interface at the
spaces are shown as spaces, not as '\032'. client device, spaces are shown as spaces, not as '\032'.
</t> </t>
</section>
<?rfc needLines="36" ?>
</section>
<section anchor="dom-rev" title="Delegated Subdomain for Reverse <section anchor="dom-rev" numbered="true" toc="default">
Mapping"> <name>Delegated Subdomain for Reverse Mapping</name>
<t>A Discovery Proxy can facilitate easier management of reverse <t>A Discovery Proxy can facilitate easier management of reverse
mapping domains, particularly for IPv6 addresses where manual mapping domains, particularly for IPv6 addresses where manual
management may be more onerous than it is for IPv4 addresses.</t> management may be more onerous than it is for IPv4 addresses.</t>
<t>To achieve this, in the parent domain, NS records are used to <t>To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to delegate ownership of the appropriate reverse mapping domain to
the Discovery Proxy. In other words, the Discovery Proxy becomes the the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain. authoritative name server for the reverse mapping domain.
For fault tolerance reasons there may be more than one For fault tolerance reasons, there may be more than one
Discovery Proxy serving a given link.</t> Discovery Proxy serving a given link.</t>
<t>If a given link is using the IPv4 subnet 203.0.113/24,
<t>If a given link is using the IPv4 subnet 203.0.113/24,<vspace/> then the domain "113.0.203.in-addr.arpa"
then the domain "113.0.203.in-addr.arpa"<vspace/>
is delegated to the Discovery Proxy for that link.</t> is delegated to the Discovery Proxy for that link.</t>
<t>If a given link is using the
<t>For example, if a given link is using the<vspace/> IPv6 prefix 2001:0DB8:1234:5678::/64,
IPv6 prefix 2001:0DB8:1234:5678/64,<vspace/> then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"<vspace/>
is delegated to the Discovery Proxy for that link.</t> is delegated to the Discovery Proxy for that link.</t>
<t>When a reverse mapping query arrives at the Discovery Proxy, it <t>When a reverse mapping query arrives at the Discovery Proxy, it
issues issues the identical query on its local link, as a Multicast DNS
the identical query on its local link as a Multicast DNS query. query.
The mechanism to force an apparently unicast name to be resolved The mechanism to force an apparently unicast name to be resolved using
using link-local Multicast DNS varies depending on the API set being link-local Multicast DNS varies depending on the API set being used.
used. For example, in the "dns_sd.h" APIs (available on macOS, iOS, Bonjour
For example, in the "dns_sd.h" APIs<vspace/> for Windows, Linux, and Android), using kDNSServiceFlagsForceMulticast
(available on macOS, iOS, Bonjour for Windows, Linux and Android), indicates that the DNSServiceQueryRecord() call should perform the
using kDNSServiceFlagsForceMulticast query using Multicast DNS. Other API sets have different ways of
indicates that the DNSServiceQueryRecord() forcing multicast queries. When the host owning that IPv4 or IPv6
call should perform the query using Multicast DNS. address responds with a name of the form "something.local", the
Other APIs sets have different ways of forcing multicast queries. Discovery Proxy rewrites it to use its configured LDH host name
When the host owning that IPv4 or IPv6 address responds domain instead of ".local" and returns the response to the caller.</t>
with a name of the form "something.local", the Discovery Proxy
rewrites that to use its configured LDH host name domain instead
of "local", and returns the response to the caller.</t>
<?rfc needLines="15" ?>
<t>For example, a Discovery Proxy with the two subdomains <t>For example, a Discovery Proxy with the two subdomains
"113.0.203.in&nbhy;addr.arpa" and "bldg1.example.com" delegated to it "113.0.203.in&nbhy;addr.arpa" and "bldg&nbhy;1.example.com" delegated
to it
would translate this Multicast DNS record:</t> would translate this Multicast DNS record:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
<figure><artwork> 2.113.0.203.in-addr.arpa. PTR prnt.local.]]></artwork>
2.113.0.203.in-addr.arpa. PTR prnt.local.</artwork></figure>
<t>into this Unicast DNS response:</t> <t>into this Unicast DNS response:</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
2.113.0.203.in-addr.arpa. PTR prnt.bldg-1.example.com.]]></artwork>
<figure><artwork> <t>In this example the "prnt.local" host name is translated
2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.</artwork></figure> using the delegated LDH subdomain, as described in
<xref target="translation" format="default"/>.</t>
<t>Subsequent queries for the prnt.bldg1.example.com address <t>Subsequent queries for the prnt.bldg&nbhy;1.example.com address
record, falling as it does within the bldg1.example.com domain, record, falling as it does within the bldg&nbhy;1.example.com domain,
which is delegated to the Discovery Proxy, will arrive at the which is delegated to this Discovery Proxy, will arrive at this
Discovery Proxy, where they are answered by issuing Multicast DNS Discovery Proxy where they are answered by issuing Multicast DNS
queries queries
and using the received Multicast DNS answers to synthesize Unicast and using the received Multicast DNS answers to synthesize Unicast
DNS responses, as described above.</t> DNS responses, as described above.</t>
<t>Note that this description assumes that all addresses on a given
<t>Note that this design assumes that all addresses on a given IPv4 subnet or IPv6 prefix are mapped to host names using the
IPv4 subnet or IPv6 prefix are mapped to hostnames using the Discovery Discovery
Proxy mechanism. Proxy mechanism.
It would be possible to implement a Discovery Proxy that can be It would be possible to implement a Discovery Proxy that can be
configured configured
so that some address-to-name mappings are performed using Multicast so that some address-to-name mappings are performed using Multicast
DNS DNS
on the local link, while other address-to-name mappings within the on the local link, while other address-to-name mappings within the
same same
IPv4 subnet or IPv6 prefix are configured manually.</t> IPv4 subnet or IPv6 prefix are configured manually.</t>
<?rfc needLines="46" ?>
</section> </section>
<section title="Data Translation"> <section anchor="translation" numbered="true" toc="default">
<t>Generating the appropriate Multicast DNS queries involves,<vspace/> <name>Data Translation</name>
at the very least, translating from the configured DNS domain
<t>For the delegated rich-text and LDH subdomains,
generating appropriate Multicast DNS queries
involves translating from the configured DNS domain
(e.g.,&nbsp;"Building&nbsp;1.example.com") on the Unicast DNS side (e.g.,&nbsp;"Building&nbsp;1.example.com") on the Unicast DNS side
to "local" on the Multicast DNS side.</t> to ".local" on the Multicast DNS side.</t>
<t>Generating the appropriate Unicast DNS responses involves <t>For the delegated reverse-mapping subdomain,
translating back from "local" to the appropriate configured DNS generating appropriate Multicast DNS queries
Unicast domain.</t> involves using the appropriate API mechanism to
indicate that a query should be performed using
Multicast DNS, as described in
<xref target="dom-rev" format="default"/>.</t>
<t>Other beneficial translation and filtering operations are described <t>Generating appropriate Unicast DNS responses from the
below.</t> received Multicast DNS answers involves translating back
from ".local" to the appropriate configured Unicast DNS
domain as necessary, as described below.</t>
<section anchor="ttl" title="DNS TTL limiting"> <t>In the examples below, the delegated subdomains are as follows:</t>
<t>For efficiency, Multicast DNS typically uses moderately high
DNS TTL values. For example, the typical TTL on DNS-SD PTR records
is 75 minutes. What makes these moderately high TTLs acceptable
is the cache coherency mechanisms built in to the Multicast DNS
protocol which protect against stale data persisting for too long.
When a service shuts down gracefully, it sends goodbye packets
to remove its PTR records immediately from neighboring caches.
If a service shuts down abruptly without sending goodbye packets,
the Passive Observation Of Failures (POOF) mechanism described
in Section 10.5 of the <xref target="RFC6762">Multicast DNS
specification</xref>
comes into play to purge the cache of stale data.</t>
<t>A traditional Unicast DNS client on a distant remote link does <artwork name="" type="" align="left" alt="">
not get to participate Delegated subdomain for rich-text names Building 1.example.com.
in these Multicast DNS cache coherency mechanisms on the local link. Delegated subdomain for LDH names bldg&nbhy;1.example.com.
For traditional Unicast DNS queries Delegated subdomain for IPv4 reverse mapping 113.0.203.in-addr.arpa.</artwork>
(those received without using Long-Lived Query <xref target="LLQ"/>
or DNS Push Notification subscriptions <xref target="Push"/>)
the DNS TTLs reported in the resulting Unicast DNS response
MUST be capped to be no more than ten seconds.</t>
<t>Similarly, for negative responses, the negative caching TTL <t>Names in Multicast DNS answers that do not end in ".local"
indicated do not require any translation.</t>
in the SOA record <xref target="RFC2308"/> should also be ten
seconds
(<xref target="soa"/>).</t>
<t>This value of ten seconds is chosen based on user-experience <t>Names in Multicast DNS answers that end in ".local"
considerations.</t> are only meaningful on the local link, and require translation
to make them useable by clients outside the local link.</t>
<t>For negative caching, suppose a user is attempting to access a <t>Names that end in ".local" may appear both as the
remote owner names of received Multicast DNS answer records,
device (e.g., a printer), and they are unsuccessful because that and in the RDATA of received Multicast DNS answer records.</t>
device
is powered off. Suppose they then place a telephone call and ask for <t>In a received Multicast DNS answer record,
the if the owner name ends with ".local",
device to be powered on. We want the device to become available to then the ".local" top-level label is replaced with the name
the of the delegated subdomain as was used in the originating query.</t>
user within a reasonable time period. It is reasonable to expect it
to <t>In a received Multicast DNS answer record,
take on the order of ten seconds for a simple device with a simple if a name in the RDATA ends with ".local",
embedded operating system to power on. Once the device is powered on then the name is translated according to the delegated subdomain
and that was used in the originating query, as explained below.</t>
has announced its presence on the network via Multicast DNS, we
would <t>For queries in subdomains delegated for LDH host names,
like it to take no more than a further ten seconds for stale ".local" names in RDATA
negative are translated to that delegated LDH subdomain.
cache entries to expire from Unicast DNS caches, making the device For example, a query for "thing.bldg&nbhy;1.example.com" will be
available to the user desiring to access it.</t> translated to a
Multicast DNS query for "thing.local". If that query returns this
CNAME record:</t>
<artwork name="" type="" align="left" alt="">
thing.local. CNAME prnt.local.</artwork>
<t>then both the owner name and the name in the RDATA
are translated from ".local" to the LDH subdomain
"bldg&nbhy;1.example.com":</t>
<artwork name="" type="" align="left" alt="">
thing.bldg&nbhy;1.example.com. CNAME prnt.bldg&nbhy;1.example.com.</artwork>
<t>For queries in subdomains delegated for reverse mapping names,
".local" names in RDATA
are translated to the delegated LDH subdomain, if one is configured,
or to the delegated rich-text subdomain otherwise.
For example, consider a reverse mapping query that returns this PTR
record:</t>
<artwork name="" type="" align="left" alt="">
2.113.0.203.in-addr.arpa. PTR prnt.local.</artwork>
<t>The owner name is not translated because it does not end in
".local".
The name in the RDATA is
translated from ".local" to the LDH subdomain
"bldg&nbhy;1.example.com":</t>
<artwork name="" type="" align="left" alt="">
2.113.0.203.in-addr.arpa. PTR prnt.bldg&nbhy;1.example.com.</artwork>
<t>For queries in subdomains delegated for rich-text names,
".local" names in RDATA
are translated according to whether or not they represent host names
(i.e., RDATA names that are the owner names of A and AAAA DNS
records).
RDATA names ending in ".local" that represent host names
are translated to the delegated LDH subdomain, if one is configured,
or to the delegated rich-text subdomain otherwise.
All other RDATA names ending in ".local"
are translated to the delegated rich-text subdomain.
For example, consider a DNS-SD service browsing PTR query
that returns this PTR record for IPP printing:</t>
<artwork name="" type="" align="left" alt="">
_ipp._tcp.local. PTR My Printer._ipp._tcp.local.</artwork>
<t>Both the owner name and the name in the RDATA
are translated from ".local" to the rich-text subdomain:</t>
<artwork name="" type="" align="left" alt="">
_ipp._tcp.Building 1.example.com.
PTR My Printer._ipp._tcp.Building 1.example.com.</artwork>
<t>In contrast, consider a query
that returns this SRV record for a specific IPP printing instance:</t>
<artwork name="" type="" align="left" alt="">
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.</artwork>
<t>As for all queries, the owner name
is translated to the delegated subdomain of the originating query,
the delegated rich-text subdomain "Building&nbsp;1.example.com".
However, the ".local" name in the RDATA
is the target host name field of an SRV record,
a field that is used exclusively for host names.
Consequently it is translated to the LDH subdomain
"bldg&nbhy;1.example.com",
if configured, instead of the rich-text subdomain:
</t>
<artwork name="" type="" align="left" alt="">
My Printer._ipp._tcp.Building 1.example.com.
SRV 0 0 631 prnt.bldg&nbhy;1.example.com.</artwo
rk>
<t>Other beneficial translation and filtering operations are described
below.</t>
<section anchor="ttl" numbered="true" toc="default">
<name>DNS TTL Limiting</name>
<t>For efficiency, Multicast DNS typically uses moderately high DNS
TTL values. For example, the typical TTL on DNS-SD service browsing
PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol,
which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove
its service browsing PTR record(s) immediately from neighboring
caches. If a service
shuts down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in <xref
target="RFC6762" sectionFormat="of" section="10.5">the Multicast DNS
specification</xref> comes into play to purge the cache of stale
data.</t>
<t>A traditional Unicast DNS client on a distant remote link does
not get to participate in these Multicast DNS cache coherency
mechanisms on the local link. For traditional Unicast DNS queries
(those received without using Long-Lived Queries (LLQ) <xref
target="RFC8764" format="default"/> or DNS Push
Notification subscriptions <xref target="RFC8765"
format="default"/>), the DNS TTLs reported in the resulting Unicast
DNS response <bcp14>MUST</bcp14> be capped to be no more than ten
seconds.</t>
<t>Similarly, for negative responses, the negative caching TTL
indicated in the SOA record <xref target="RFC2308"
format="default"/> should also be ten seconds (see <xref
target="soa"
format="default"/>).</t>
<t>This value of ten seconds is chosen based on user-experience
considerations.</t>
<t>For negative caching, suppose a user is attempting to access a
remote device (e.g., a printer), and they are unsuccessful because
that device is powered off. Suppose they then place a telephone call
and ask for the device to be powered on. We want the device to
become available to the user within a reasonable time period. It is
reasonable to expect it to take on the order of ten seconds for a
simple device with a simple embedded operating system to power
on. Once the device is powered on and has announced its presence on
the network via Multicast DNS, we would like it to take no more than
a further ten seconds for stale negative cache entries to expire
from Unicast DNS caches, making the device available to the user
desiring to access it.</t>
<t>Similar reasoning applies to capping positive TTLs at ten <t>Similar reasoning applies to capping positive TTLs at ten
seconds. seconds.
In the event of a device moving location, getting a new DHCP In the event of a device moving location, getting a new DHCP
address, address,
or other renumbering events, we would like the updated information or other renumbering events, we would like the updated information
to to
be available to remote clients in a relatively timely fashion.</t> be available to remote clients in a relatively timely fashion.</t>
<t>However, network administrators should be aware that many <t>However, network administrators should be aware that many
recursive recursive
(caching) DNS servers by default are configured to impose a minimum resolvers by default are configured to impose a minimum
TTL of TTL of
30 seconds. If stale data appears to be persisting in the network to 30 seconds. If stale data appears to be persisting in the network to
the the
extent that it adversely impacts user experience, network extent that it adversely impacts user experience, network
administrators administrators
are advised to check the configuration of their recursive DNS are advised to check the configuration of their recursive
servers.</t> resolvers.</t>
<t>For received Unicast DNS queries that use LLQ <xref <t>For received Unicast DNS queries that use LLQ <xref
target="LLQ"/> or target="RFC8764" format="default"/> or
DNS Push Notifications <xref target="Push"/>, the Multicast DNS DNS Push Notifications <xref target="RFC8765" format="default"/>,
record's TTL SHOULD be the Multicast DNS
returned unmodified, because the Push Notification channel exists record's TTL <bcp14>SHOULD</bcp14> be
returned unmodified, because the notification channel exists
to inform the remote client as records come and go. to inform the remote client as records come and go.
For further details about Long-Lived Queries, and its newer For further details about Long-Lived Queries and its newer
replacement, replacement,
DNS Push Notifications, see <xref target="aggregation"/>.</t> DNS Push Notifications, see <xref target="aggregation"
format="default"/>.</t>
</section> </section>
<section anchor="unusable" numbered="true" toc="default">
<section anchor="unusable" title="Suppressing Unusable Records"> <name>Suppressing Unusable Records</name>
<t>A Discovery Proxy SHOULD offer a configurable option, <t>A Discovery Proxy <bcp14>SHOULD</bcp14> offer a configurable
option,
enabled by default, to suppress Unicast DNS answers enabled by default, to suppress Unicast DNS answers
for records that are not useful outside the local link. for records that are not useful outside the local link.
When the option to suppress unusable records is enabled: When the option to suppress unusable records is enabled:
<list style='symbols'> </t>
<ul spacing="normal">
<t>DNS A and AAAA records for <li>For a Discovery Proxy that is serving only clients outside the
IPv4 link-local addresses <xref target="RFC3927"/> local link,
DNS A and AAAA records for
IPv4 link-local addresses <xref target="RFC3927"
format="default"/>
and and
IPv6 link-local addresses <xref target="RFC4862"/> IPv6 link-local addresses <xref target="RFC4862"
SHOULD be suppressed.</t> format="default"/>
<bcp14>SHOULD</bcp14> be suppressed.</li>
<t>Similarly, for sites that have multiple private address <li>Similarly, for sites that have multiple private address
realms <xref target="RFC1918"/>, realms <xref target="RFC1918" format="default"/>,
in cases where the Discovery Proxy can determine that the in cases where the Discovery Proxy can determine that the
querying client querying client
is in a different address realm, private addresses SHOULD NOT be is in a different address realm, private addresses <bcp14>SHOULD
communicated to that client.</t> NOT</bcp14> be
communicated to that client.</li>
<t><xref target="RFC4193">IPv6 Unique Local Addresses</xref> <li>
SHOULD be suppressed IPv6 Unique Local Addresses <xref target="RFC4193"
format="default"></xref>
<bcp14>SHOULD</bcp14> be suppressed
in cases where the Discovery Proxy can determine that the in cases where the Discovery Proxy can determine that the
querying client querying client
is in a different IPv6 address realm.</t> is in a different IPv6 address realm.</li>
<li>By the same logic, DNS SRV records that reference target host
<t>By the same logic, DNS SRV records that reference target host
names that have no addresses usable by the requester should be names that have no addresses usable by the requester should be
suppressed, and likewise, DNS PTR records that point to unusable suppressed, and likewise, DNS-SD service browsing PTR records
SRV records should be similarly be suppressed.</t> that point to unusable
</list> SRV records should similarly be suppressed.</li>
</t> </ul>
<?rfc needLines="8" ?>
</section> </section>
<section numbered="true" toc="default">
<section title="NSEC and NSEC3 queries"> <name>NSEC and NSEC3 Queries</name>
<t>Multicast DNS devices do not routinely announce their records <t>Multicast DNS devices do not routinely announce their records
on the network. Generally they remain silent until queried. on the network. Generally, they remain silent until queried.
This means that the complete set of Multicast DNS records in use on This means that the complete set of Multicast DNS records in use on
a a
link can only be discovered by active querying, not by passive link can only be discovered by active querying, not by passive
listening. listening.
Because of this, a Discovery Proxy can only know what names exist on Because of this, a Discovery Proxy can only know what names exist on
a link a link
by issuing queries for them, and since it would be impractical to by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
generate the traditional generate the traditional Unicast DNS
<xref target="RFC4034">NSEC</xref> and NSEC <xref target="RFC4034" format="default"></xref> and
<xref target="RFC5155">NSEC3</xref> records NSEC3 <xref target="RFC5155" format="default"></xref> records
which assert the nonexistence of a large range of names.</t> that assert the nonexistence of a large range of names.</t>
<t>When queried for an NSEC or NSEC3 record type, the Discovery <t>When queried for an NSEC or NSEC3 record type, the Discovery
Proxy issues Proxy issues
a qtype "ANY" query using Multicast DNS on the local link, and then a qtype "ANY" query using Multicast DNS on the local link and then
generates an NSEC or NSEC3 response with a Type Bit Map signifying generates an NSEC or NSEC3 response with a Type Bit Map signifying
which record types do and do not exist for just the specific name which record types do and do not exist for just the specific name
queried, queried,
and no other names.</t> and no other names.</t>
<t>Multicast DNS NSEC records received on the local link <t>Multicast DNS NSEC records received on the local link
MUST NOT be forwarded unmodified to a unicast querier, because there <bcp14>MUST NOT</bcp14> be forwarded unmodified to a unicast
are querier, because there
are
slight differences in the NSEC record data. slight differences in the NSEC record data.
In particular, Multicast DNS NSEC records do not have the NSEC In particular, Multicast DNS NSEC records do not have the NSEC
bit set in the Type Bit Map, whereas conventional Unicast DNS bit set in the Type Bit Map, whereas conventional Unicast DNS
NSEC records do have the NSEC bit set.</t> NSEC records do have the NSEC bit set.</t>
</section> </section>
<section anchor="notrans" numbered="true" toc="default">
<section anchor="notrans" title="No Text Encoding Translation"> <name>No Text-Encoding Translation</name>
<t>A Discovery Proxy does no translation between text encodings. <t>A Discovery Proxy does no translation between text encodings.
Specifically, a Discovery Proxy does no translation between Specifically, a Discovery Proxy does no translation between Punycode
<xref target="RFC3492">Punycode encoding</xref> and encoding <xref
<xref target="RFC3629">UTF-8 encoding</xref>, target="RFC3492" format="default"></xref> and UTF-8 encoding <xref
either in the owner name of DNS records, or anywhere in the RDATA of target="RFC3629" format="default"></xref>, either in
DNS records the owner name of DNS records or anywhere in the RDATA of DNS
(such as the RDATA of PTR records, SRV records, NS records, or other records (such as the RDATA of PTR records, SRV records, NS records,
record types or other record types like TXT, where it is ambiguous whether the
like TXT, where it is ambiguous whether the RDATA may contain DNS RDATA may contain DNS names). All bytes are treated as-is with no
names). attempt at text-encoding translation. A client implementing
All bytes are treated as-is, with no attempt at text encoding DNS-based Service Discovery <xref target="RFC6763"
translation. format="default"/> will use UTF-8 encoding for its unicast DNS-based
A client implementing DNS-based Service Discovery <xref Service Discovery
target="RFC6763"/> queries, which the Discovery Proxy passes through without any
will use UTF-8 encoding for its service discovery queries, which the text-encoding translation to the Multicast DNS subsystem. Responses
Discovery Proxy passes through without any text encoding translation from the Multicast DNS subsystem are similarly returned, without any
to the Multicast DNS subsystem. text-encoding translation, back to the requesting unicast
Responses from the Multicast DNS subsystem are similarly returned, client.</t>
without any text encoding translation, back to the requesting
client.</t>
<?rfc needLines="13" ?>
</section> </section>
<section title="Application-Specific Data Translation"> <section numbered="true" toc="default">
<name>Application-Specific Data Translation</name>
<t>There may be cases where Application-Specific Data Translation is <t>There may be cases where Application-Specific Data Translation is
appropriate.</t> appropriate.</t>
<t>For example, AirPrint printers tend to advertise fairly verbose <t>For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. information about their capabilities in their DNS-SD TXT record.
TXT record sizes in the range 500-1000 bytes are not uncommon. TXT record sizes in the range of 500-1000 bytes are not uncommon.
This information is a legacy from LPR printing, because LPR does not This information is a legacy from lineprinter (LPR) printing,
have in-band capability negotiation, so all of this information is because LPR does not have in-band capability negotiation, so all of
conveyed using the DNS-SD TXT record instead. this information is conveyed using the DNS-SD TXT record instead.
IPP printing does have in-band capability negotiation, but for Internet Printing Protocol (IPP) printing does have in-band
convenience printers tend to include the same capability information capability negotiation, but for convenience, printers tend to
in their IPP DNS-SD TXT records as well. For local mDNS use this include
extra TXT record information is inefficient, but not fatal. the same capability information in their IPP DNS-SD TXT records as
However, when a Discovery Proxy aggregates data from multiple well. For local Multicast DNS (mDNS) use, this extra TXT record
printers information is
on a link, and sends it via unicast (via UDP or TCP) wasteful but not fatal. However, when a Discovery Proxy
this amount of unnecessary TXT record information can aggregates data from multiple printers on a link, and sends it via
result in large responses. unicast (via UDP or TCP), this amount of unnecessary TXT record
A DNS reply over TCP carrying information about 70 printers information can result in large responses. A DNS reply over TCP
with an average of 700 bytes per printer adds up to about carrying information about 70 printers with an average of 700 bytes
50 kilobytes of data. per printer adds up to about 50 kilobytes of data. Therefore, a
Therefore, a Discovery Proxy that is aware of Discovery Proxy that is aware of the specifics of an
the specifics of an application-layer protocol such as application-layer protocol such as AirPrint (which uses IPP) can
AirPrint (which uses IPP) can elide unnecessary key/value pairs from elide unnecessary key/value pairs from the DNS-SD TXT record for
the DNS-SD TXT record for better network efficiency.</t> better network efficiency.</t>
<t>Also, the DNS-SD TXT record for many printers contains an <t>Also, the DNS-SD TXT record for many printers contains an
"adminurl" "adminurl" key (e.g.,
key something like "adminurl=http://printername.local/status.html". "adminurl=http://printername.local/status.html"). For this URL to
For this URL to be useful outside the local link, the embedded be
".local" useful outside the local link, the embedded ".local" host name needs
hostname needs to be translated to an appropriate name with larger to be translated to an appropriate name with larger scope. It is
scope. easy to translate ".local" names when they appear in well-defined
It is easy to translate ".local" names when they appear in places: as a record's owner name, or in domain name fields in the
well-defined places, RDATA of record types
either as a record's name, or in the rdata of record types like PTR like PTR and SRV. In the printing case, some application-specific
and SRV. knowledge about the semantics of the "adminurl" key is needed for
In the printing case, some application-specific knowledge about the the Discovery Proxy to know that it contains a name that needs to be
semantics of the "adminurl" key is needed for the Discovery Proxy translated. This is somewhat analogous to the need for NAT gateways
to know that it contains a name that needs to be translated. to contain ALGs (Application-Level Gateways) to facilitate the
This is somewhat analogous to the need for NAT gateways to contain correct translation of protocols that embed addresses in unexpected
ALGs places.</t>
(Application-Specific Gateways) to facilitate the correct
translation
of protocols that embed addresses in unexpected places.</t>
<t>To avoid the need for application-specific knowledge about the <t>To avoid the need for application-specific knowledge about the
semantics of particular TXT record keys, protocol designers are semantics of particular TXT record keys, protocol designers are
advised to avoid advised to avoid placing link-local names or link-local IP addresses
placing link-local names or link-local IP addresses in TXT record in TXT record keys if translation of those names or addresses would
keys, be required for off-link operation. In the printing case, the
if translation of those names or addresses would be required for consequence of failing to translate the "adminurl" key
off-link operation. correctly would be that, when accessed from a different link,
In the printing case, the operational failure of failing to printing
translate will still work, but clicking the "Admin" user interface button will
the "adminurl" key correctly is that, when accessed from a different fail to
link, open the printer's administration page. Rather than duplicating the
printing will still work, but clicking the "Admin" UI button host name from the service's SRV record in its "adminurl" key,
will fail to open the printer's administration page. thereby having the same host name appear in two places, a better
Rather than duplicating the host name from the service's SRV record design might have been to omit the host name from the "adminurl"
in its key and instead have the client implicitly substitute the target
"adminurl" key, thereby having the same host name appear in two host name from the service's SRV record in place of a missing host
places, name in the "adminurl" key. That way, the desired host name only
a better design might have been to omit the host name from the appears once and is in a well-defined place where software like
"adminurl" key, the Discovery Proxy is expecting to find it.</t>
and instead have the client implicitly substitute the target host
name from the service's SRV record in place of a missing host name
in the "adminurl" key.
That way the desired host name only appears once, and it is in a
well-defined place
where software like the Discovery Proxy is expecting to find it.</t>
<t>Note that this kind of Application-Specific Data Translation is <t>Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare; it is the exception rather than the rule.
This is an example of a common theme in computing. This is an example of a common theme in computing. It is frequently
It is frequently the case that it is wise to start with a clean, the case that it is wise to start with a clean, layered design with
layered design, with clear boundaries. Then, in certain special clear boundaries. Then, in certain special cases, those layer
cases, boundaries may be violated where the performance and efficiency
those layer boundaries may be violated, where the performance and benefits outweigh the inelegance of the layer violation.</t>
efficiency benefits outweigh the inelegance of the layer
violation.</t>
<t>These layer violations are optional. They are done primarily for <t>These layer violations are optional. They are done primarily for
efficiency efficiency reasons and generally should not be required for correct
reasons, and generally should not be required for correct operation. operation. A Discovery Proxy <bcp14>MAY</bcp14> operate solely at
A Discovery Proxy MAY operate solely at the mDNS layer, the mDNS layer without any knowledge of semantics at the DNS-SD
without any knowledge of semantics at the DNS-SD layer or above.</t> layer or above.</t>
</section>
<?rfc needLines="30" ?>
</section> </section>
</section> <section anchor="aggregation" numbered="true" toc="default">
<name>Answer Aggregation</name>
<section anchor="aggregation" title="Answer Aggregation">
<t>In a simple analysis, simply gathering multicast answers and <t>In a simple analysis, simply gathering multicast answers and
forwarding them forwarding them in a unicast response seems adequate, but it raises
in a unicast response seems adequate, but it raises the the question of how long the Discovery Proxy should wait to be sure
question of how long the Discovery Proxy should wait to be sure that that it has received all the Multicast DNS answers it needs to form a
it has received complete Unicast DNS response. If it waits too little time, then it
all the Multicast DNS answers it needs to form a complete Unicast DNS risks its Unicast DNS response being incomplete. If it waits too
response. long, then it creates a poor user experience at the client end. In
If it waits too little time, then it risks its Unicast DNS response fact, there may be no time that is both short enough to produce a
being incomplete. good user experience and at the same time long enough to reliably
If it waits too long, then it creates a poor user experience at the produce complete results.</t>
client end. <t>Similarly, the Discovery Proxy (the authoritative name server for
In fact, there may be no time which is both short enough to produce a the subdomain in question) needs to decide what DNS TTL to report
good for these records. If the TTL is too long, then the recursive
user experience and at the same time long enough to reliably produce resolvers issuing queries on behalf of their clients risk
complete results.</t> caching stale data for too long. If the TTL is too short, then the
amount of network traffic will be more than necessary. In fact, there
<t>Similarly, the Discovery Proxy may be no TTL that is both short enough to avoid undesirable stale
-- the authoritative name server for the subdomain in question -- data and, at the same time, long enough to be efficient on the
needs to decide what DNS TTL to report for these records. network.</t>
If the TTL is too long then the recursive (caching) name servers <t>Both these dilemmas are solved by the use of DNS Long-Lived Queries
issuing queries on behalf of their clients risk caching stale (LLQ)
data for too long. If the TTL is too short then the amount of <xref target="RFC8764" format="default"/> or its newer replacement,
network traffic will be more than necessary. DNS Push Notifications <xref target="RFC8765"
In fact, there may be no TTL which is both short enough to avoid format="default"></xref>.</t>
undesirable stale data and at the same time long enough to be <t>Clients supporting unicast DNS-based Service Discovery
efficient on the network.</t> <bcp14>SHOULD</bcp14> implement
DNS Push Notifications <xref target="RFC8765" format="default"></xref>
<t>Both these dilemmas are solved by use of DNS Long-Lived Queries
(DNS&nbsp;LLQ)
<xref target="LLQ"/> or its newer replacement,
<xref target="Push">DNS Push Notifications</xref>.</t>
<t>Clients supporting unicast DNS Service Discovery SHOULD implement
<xref target="Push">DNS Push Notifications</xref>
for improved user experience.</t> for improved user experience.</t>
<t>Clients and Discovery Proxies MAY support both DNS&nbsp;LLQ and <t>Clients and Discovery Proxies <bcp14>MAY</bcp14> support both
DNS&nbsp;Push, LLQ and DNS&nbsp;Push Notifications, and when talking to a
and when talking to a Discovery Proxy that supports both, the client Discovery Proxy that supports both, the client may use either
may use either protocol, as it chooses, though it is expected protocol, as it chooses, though it is expected that only
that only DNS&nbsp;Push will continue to be supported in the long DNS&nbsp;Push Notifications will continue to be supported in the long
run.</t> run.</t>
<t>When a Discovery Proxy receives a query using DNS&nbsp;LLQ or <t>When a Discovery Proxy receives a query using LLQ
DNS Push Notifications, it responds immediately using the or DNS Push Notifications, it responds immediately using the Multicast
Multicast DNS records it already has in its cache (if any). DNS records it already has in its cache (if any). This provides a
This provides a good client user experience by providing a good client user experience by providing a near-instantaneous
near-instantaneous
response. Simultaneously, the Discovery Proxy issues a Multicast DNS response. Simultaneously, the Discovery Proxy issues a Multicast DNS
query on the query on the local link to discover if there are any additional
local link to discover if there are any additional Multicast DNS Multicast DNS records it did not already know about. Should additional
records it Multicast DNS responses be received, these are then delivered to the
did not already know about. Should additional Multicast DNS responses client using additional LLQ or DNS Push Notification update
be messages. The timeliness of such update messages is limited only by
received, these are then delivered to the client using additional the timeliness of the device responding to the Multicast DNS query. If
DNS&nbsp;LLQ the Multicast DNS device responds quickly, then the update message is
or DNS Push Notification update messages. delivered quickly. If the Multicast DNS device responds slowly, then
The timeliness of such update messages is limited only by the the update message is delivered slowly. The benefit of using multiple
timeliness of the update
device responding to the Multicast DNS query. If the Multicast DNS messages to deliver results as they become available is that the
device Discovery
responds quickly, then the update message is delivered quickly. If the Proxy can respond promptly because it doesn't have to deliver all the
Multicast results in a single response that needs to be delayed to allow for the
DNS device responds slowly, then the update message is delivered expected worst-case delay for receiving all the Multicast DNS
slowly. responses.</t>
The benefit of using update messages is that the Discovery Proxy can
respond promptly
because it doesn't have to delay its unicast response to allow for
the expected worst-case delay for receiving all the Multicast DNS
responses.
Even if a proxy were to try to provide reliability by assuming an
excessively pessimistic worst-case time (thereby giving a very
poor user experience) there would still be the risk of a slow
Multicast DNS device taking even longer than that (e.g., a device
that is not even powered on until ten seconds after the initial
query is received) resulting in incomplete responses. Using update
message solves
this dilemma: even very late responses are not lost; they are
delivered
in subsequent update messages.</t>
<?rfc needLines="16" ?> <t>With a proxy that supported only standard DNS queries, even if it
<t>There are two factors that determine specifically how responses were to try to provide reliability by assuming an
excessively pessimistic worst-case time (thereby giving a very poor
user experience), there would still be the risk of a slow Multicast
DNS device taking even longer than that worst-case time (e.g., a
device that is not
even powered on until ten seconds after the initial query is
received),
resulting in incomplete responses.
Using update messages to deliver subsequent asynchronous replies
solves this
dilemma: even very late responses are not lost; they are delivered in
subsequent update messages.</t>
<t>Note that while normal DNS queries are generally received via the
client's configured
recursive resolver, LLQ and DNS Push Notification subscriptions may be
received directly from the client.</t>
<t>There are two factors that determine how unicast responses
are generated:</t> are generated:</t>
<t>The first factor is whether the query from the client used <t>The first factor is whether or not the Discovery Proxy already has
LLQ or DNS Push Notifications at least one record in its cache that answers the question.
(used for long-lived service browsing PTR queries) </t>
or not (used for one-shot operations like SRV or address record <t>
queries). The second factor is whether the client used a normal DNS query,
Note that queries using LLQ or DNS Push Notifications are received or established a subscription using LLQ or DNS Push Notifications.
directly Normal DNS queries
from the client. are typically used for one-shot operations like SRV or address record
Queries not using LLQ or DNS Push Notifications are generally received queries.
via the LLQ and DNS Push Notification subscriptions
client's configured recursive (caching) name server.</t> are typically used for long-lived service browsing PTR queries.
Normal DNS queries and LLQ each have different response timing depending
on the cache state, yielding the first four cases listed below.
DNS Push Notifications, the newer protocol, has uniform behavior
regardless of cache state, yielding the fifth case listed below.</t>
<t>The second factor is whether the Discovery Proxy already has at <ul spacing="normal">
least <li>
one record in its cache that positively answers the question. <t>Standard DNS query; no answer in
<list style='symbols'> cache:</t>
<t>Not using LLQ or Push Notifications; no answer in <t>
cache:<vspace/> Issue an mDNS query on the local link, exactly as a local client
Issue an mDNS query, exactly as a local client would issue an mDNS would issue an mDNS query, for the desired record name, type, and
query on the local link for the desired record name, type and class, including retransmissions, as appropriate, according to the
class, including retransmissions, as appropriate, according to established mDNS retransmission schedule <xref target="RFC6762"
the established mDNS retransmission schedule <xref format="default"/>. The Discovery Proxy awaits Multicast DNS
target="RFC6762"/>. responses.</t>
As soon as any Multicast DNS response packet is received that <t>
contains one or more positive answers to that question As soon as any Multicast DNS response packet
(with or without the Cache Flush bit <xref target="RFC6762"/> is received that contains one or more positive answers to that
set), question (with or without the Cache Flush bit <xref
or a negative answer (signified via a Multicast DNS NSEC record target="RFC6762" format="default"/> set) or a negative answer
<xref target="RFC6762"/>), (signified via a Multicast DNS NSEC record <xref target="RFC6762"
the Discovery Proxy generates a Unicast DNS response packet format="default"/>), the Discovery Proxy generates a Unicast DNS
containing the response message containing the corresponding (filtered and
corresponding (filtered and translated) answers and sends it to translated) answers and sends it to the remote client.</t>
the remote <t>
client. If after six seconds no Multicast DNS answers have been If after
received, six seconds no relevant Multicast DNS answers have been received,
cancel the mDNS query and cancel
return a negative response to the remote client. the mDNS query and return a negative response to the remote
Six seconds is enough time to transmit three mDNS queries, client. Six seconds is enough time
and allow some time for responses to arrive.<vspace/> for the underlying Multicast DNS subsystem
DNS TTLs in responses MUST be capped to at most ten to transmit three mDNS queries
seconds.<vspace/> and allow some time for responses to arrive.</t>
<t>
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries generally queries
that that expect an answer from only one device, that expect an answer from only one device,
so the first response is also the only response.) so the first response is also the only response.)</t>
<vspace blankLines="1"/> <t>
</t> DNS TTLs in responses <bcp14>MUST</bcp14> be capped to at most ten
seconds.</t>
</li>
<t>Not using LLQ or Push Notifications; at least one answer in <li>
cache:<vspace/> <t>Standard DNS query; at least one answer in
Send response right away to minimise delay.<vspace/> cache:</t>
DNS TTLs in responses MUST be capped to at most ten <t>
seconds.<vspace/> No local mDNS queries are performed.</t>
No local mDNS queries are performed.<vspace/> <t>
The Discovery Proxy generates a Unicast DNS
response message containing the answer(s) from the cache right
away, to minimize delay.</t>
<t>
(Reasoning: Queries not using LLQ or Push Notifications are (Reasoning: Queries not using LLQ or Push Notifications are
generally queries generally queries
that that expect an answer from only one device. that expect an answer from only one device.
Given RRSet TTL harmonisation, if the proxy has Given RRSet TTL harmonization, if the proxy has
one Multicast DNS answer in its cache, it can reasonably one Multicast DNS answer in its cache, it can reasonably
assume that it has all of them.)</t> assume that it has the whole set.)</t>
<t>
DNS TTLs in responses <bcp14>MUST</bcp14> be capped to at most ten
seconds.</t>
</li>
<t>Using LLQ or Push Notifications; no answer in cache:<vspace/> <li>
As in the case above with no answer in the cache, perform mDNS <t>Long-Lived Query (LLQ); no answer in cache:</t>
querying for six seconds, and send a response to the remote <t>
client as soon as any relevant mDNS response is received.<vspace/> As in the case above with no answer in the cache, plan to perform
If after six seconds no relevant mDNS response has been received, mDNS
return negative response to the remote client querying for six seconds, returning an LLQ response message to the
(for LLQ; not applicable for Push Notifications).<vspace/> remote
client as soon as any relevant mDNS response is received.</t>
<t>
If after six seconds no relevant mDNS answers have been received,
and the client has not cancelled its Long-Lived Query,
return a negative LLQ response message to the remote client.</t>
<t>
(Reasoning: We don't need to rush to send an empty (Reasoning: We don't need to rush to send an empty
answer.)<vspace/> answer.)</t>
Whether or not a relevant mDNS response is received within <t>
six seconds, the query remains active for as long as the Regardless of whether or not a relevant mDNS response is received
client maintains the LLQ or Push Notification state, and if mDNS within
answers are six seconds, the Long-Lived Query remains active for as long as
received later, LLQ or Push Notification messages are the
sent.<vspace/> client maintains the LLQ state, and results in the ongoing
transmission of mDNS queries until the Long-Lived Query is
cancelled.
If the set of mDNS answers changes, LLQ Event Response messages
are sent.</t>
<t>
DNS TTLs in responses are returned unmodified.</t> DNS TTLs in responses are returned unmodified.</t>
</li>
<t>Using LLQ or Push Notifications; at least one answer in <li>
cache:<vspace/> <t>Long-Lived Query (LLQ); at least one answer in
As in the case above with at least one answer in cache, cache:</t>
send response right away to minimise delay.<vspace/> <t>
The query remains active for as long as the client As in the case above with at least one answer in the cache,
maintains the LLQ or Push Notification state, and the Discovery Proxy generates a unicast LLQ
results in transmission of mDNS queries, with appropriate Known response message containing the answer(s) from the cache right
Answer lists, away, to minimize delay.</t>
<t>
The Long-Lived Query remains active for as long as the client
maintains the LLQ state,
and results in the transmission of mDNS queries
(with appropriate Known Answer lists)
to determine if further answers are available. to determine if further answers are available.
If additional mDNS answers are If the set of mDNS answers changes, LLQ Event Response messages
received later, LLQ or Push Notification messages are are sent.</t>
sent.<vspace/> <t>
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want a user interface that is displayed very
continues rapidly yet
to remain accurate even as the network environment continues to remain accurate even as the network environment
changes.)<vspace/> changes.)</t>
<t>
DNS TTLs in responses are returned unmodified.</t> DNS TTLs in responses are returned unmodified.</t>
</list> </li>
</t>
<t>The "negative responses" referred to above are <li>
"no error no answer" negative responses, not NXDOMAIN. <t>Push Notification Subscription</t>
This is because the Discovery Proxy cannot know all the Multicast <t>
DNS domain names that may exist on a link at any given time, The Discovery Proxy acknowledges the subscription request
so any name with no answers may have child names that do exist, immediately.</t>
making it an "empty nonterminal" name.</t> <t>
If one or more answers are already available in the cache,
those answers are then sent in an immediately following DNS PUSH
message.</t>
<t>
The Push Notification subscription remains active until the client
cancels the subscription,
and results in the transmission of mDNS queries
(with appropriate Known Answer lists)
to determine if further answers are available.
If the set of mDNS answers changes, further DNS PUSH messages are
sent.</t>
<t>
(Reasoning: We want a user interface that is displayed very
rapidly yet
continues to remain accurate even as the network environment
changes.)</t>
<t>
DNS TTLs in responses are returned unmodified.</t>
</li>
</ul>
<?rfc needLines="30" ?> <t>Where the text above refers to returning "a negative response to
the remote client", it is describing returning a "no error no answer"
negative response, not NXDOMAIN. This is because the Discovery Proxy
cannot know all the Multicast DNS domain names that may exist on a
link at any given time, so any name with no answers may have child
names that do exist, making it an "empty non-terminal" name.</t>
<t>Note that certain aspects of the behavior described here <t>Note that certain aspects of the behavior described here
do not have to be implemented overtly by the Discovery Proxy; do not have to be implemented overtly by the Discovery Proxy;
they occur naturally as a result of using existing Multicast DNS they occur naturally as a result of using existing Multicast DNS
APIs.</t> APIs.</t>
<t>For example, in the first case above (standard DNS query and no
answers in the cache), if a new Multicast DNS query is requested
(either by a local client on the Discovery Proxy device, or by the
Discovery Proxy software on that device on behalf of a remote client),
and there is not already an identical Multicast DNS query active and
there are no matching answers already in the Multicast DNS cache on
the Discovery Proxy device, then this will cause a series of Multicast
DNS query packets to be issued with exponential backoff. The
exponential backoff sequence in some implementations starts at one
second and then doubles for each retransmission (0, 1, 3, 7 seconds,
etc.), and in others, it starts at one second and then triples for
each retransmission (0, 1, 4, 13 seconds, etc.). In either case, if
no response has been received after six seconds, that is long enough
that the underlying Multicast DNS implementation will have sent three
query packets without receiving any response. At that point, the
Discovery Proxy cancels its Multicast DNS query (so no further
Multicast DNS query packets will be sent for this query) and returns a
negative response to the remote client via unicast.</t>
<t>The six-second delay is chosen to be long enough to give enough
time for devices to respond, yet short enough not to be too onerous
for a human user waiting for a response. For example, using the "dig"
DNS debugging tool, the current default settings result in it waiting
a total of 15 seconds for a reply (three transmissions of the DNS UDP
query packet, with a wait of 5 seconds after each packet), which is
ample time for it to have received a negative reply from a Discovery
Proxy after six seconds.</t>
<t>For example, <t>The text above states that for a standard DNS query,
in the first case above (no LLQ or Push Notifications, and no answers if at least one answer is already available in the cache, then a
in the cache) Discovery Proxy should not issue additional mDNS query packets.
if a new Multicast DNS query is requested This also occurs naturally as a result of using existing
(either by a local client, or by the Discovery Proxy on behalf of a Multicast DNS APIs.
remote client), If a new Multicast DNS query is requested
and there is not already an identical Multicast DNS query active, (either locally, or by the Discovery Proxy on behalf of a remote client)
and there are no matching answers already in the for which there are relevant answers already in the Multicast DNS
Multicast DNS cache on the Discovery Proxy device, cache on the Discovery Proxy device, and after the answers are
then this will cause a series delivered the Multicast DNS query is immediately cancelled, then
of Multicast DNS query packets to be issued with exponential backoff. no Multicast DNS query packets will be generated for this query.
The exponential backoff sequence in some implementations starts at one </t>
second
and then doubles for each retransmission (0, 1, 3, 7 seconds, etc.)
and in others starts at one second
and then triples for each retransmission (0, 1, 4, 13 seconds, etc.).
In either case, if no response has been received after six seconds,
that is long enough that the underlying Multicast DNS implementation
will have sent three query packets without receiving any response.
At that point the Discovery Proxy cancels its Multicast DNS query
(so no further Multicast DNS query packets will be sent for this
query)
and returns a negative response to the remote client via unicast.</t>
<t>The six-second delay is chosen to be
long enough to give enough time for devices to respond, yet
short enough not to be too onerous for a human user waiting for a
response.
For example, using the "dig" DNS debugging tool, the current default
settings
result in it waiting a total of 15 seconds for a reply
(three transmissions of the query packet, with a wait of 5 seconds
after each packet)
which is ample time for it to have received a negative reply from a
Discovery Proxy
after six seconds.</t>
<t>The statement that for a one-shot query (i.e., no LLQ or Push
Notifications requested),
if at least one answer is already available in the cache
then a Discovery Proxy should not issue additional mDNS query packets,
also occurs naturally as a result of using existing Multicast DNS
APIs.
If a new Multicast DNS query is requested
(either locally, or by the Discovery Proxy on behalf of a remote
client),
for which there are relevant answers already in the
Multicast DNS cache on the Discovery Proxy device,
and after the answers are delivered the Multicast DNS query is then
cancelled immediately,
then no Multicast DNS query packets will be generated for this
query.</t>
<?rfc needLines="19" ?> </section>
</section> </section>
</section>
<section anchor="admin" title="Administrative DNS Records">
<section anchor="soa" title="DNS SOA (Start of Authority) Record">
<t>The MNAME field SHOULD contain the host name of the Discovery Proxy <section anchor="admin" numbered="true" toc="default">
<name>Administrative DNS Records</name>
<section anchor="soa" numbered="true" toc="default">
<name>DNS SOA (Start of Authority) Record</name>
<t>The MNAME field <bcp14>SHOULD</bcp14> contain the host name of the
Discovery Proxy
device device
(i.e., the same domain name as the rdata of the NS record delegating (i.e., the same domain name as the RDATA of the NS record delegating
the the
relevant zone(s) to this Discovery Proxy device).</t> relevant zone(s) to this Discovery Proxy device).</t>
<t>The RNAME field <bcp14>SHOULD</bcp14> contain the mailbox of the
<t>The RNAME field SHOULD contain the mailbox of the person person
responsible responsible
for administering this Discovery Proxy device.</t> for administering this Discovery Proxy device.</t>
<t>The SERIAL field <bcp14>MUST</bcp14> be zero.</t>
<t>The SERIAL field MUST be zero.</t>
<t>Zone transfers are undefined for Discovery Proxy zones, and <t>Zone transfers are undefined for Discovery Proxy zones, and
consequently the consequently, the REFRESH, RETRY, and EXPIRE fields have no useful
REFRESH, RETRY and EXPIRE fields have no useful meaning for Discovery meaning for Discovery Proxy zones. These fields <bcp14>SHOULD</bcp14>
Proxy zones. contain reasonable default values. The <bcp14>RECOMMENDED</bcp14>
These fields SHOULD contain reasonable default values. values are: REFRESH 7200, RETRY 3600, and EXPIRE 86400.</t>
The RECOMMENDED values are: REFRESH 7200, RETRY 3600, EXPIRE
86400.</t>
<t>The MINIMUM field (used to control the lifetime of negative cache <t>The MINIMUM field (used to control the lifetime of negative cache
entries) entries)
SHOULD contain the value 10. <bcp14>SHOULD</bcp14> contain the value 10.
The value of ten seconds is chosen based on user-experience This value is chosen based on user-experience
considerations considerations
(see <xref target="ttl"/>).</t> (see <xref target="ttl" format="default"/>).</t>
<t>In the event that there are multiple Discovery Proxy devices on a <t>In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, this will result in clients link for fault tolerance reasons, this will result in clients
receiving inconsistent SOA records (different MNAME, and possibly receiving inconsistent SOA records (different MNAME and possibly
RNAME) RNAME) depending on which Discovery Proxy answers their SOA query.
depending on which Discovery Proxy answers their SOA query.
However, since clients generally have no reason to use the MNAME or However, since clients generally have no reason to use the MNAME or
RNAME RNAME data, this is unlikely to cause any problems.</t>
data, this is unlikely to cause any problems.</t>
<?rfc needLines="22" ?>
</section> </section>
<section anchor="ns" numbered="true" toc="default">
<section anchor="ns" title="DNS NS Records"> <name>DNS NS Records</name>
<t>In the event that there are multiple Discovery Proxy devices on a <t>In the event that there are multiple Discovery Proxy devices on a
link for fault tolerance reasons, the parent zone MUST link for fault tolerance reasons, the parent zone <bcp14>MUST</bcp14>
be configured with NS records giving the names be configured with NS records giving the names
of all the Discovery Proxy devices on the link.</t> of all the Discovery Proxy devices on the link.</t>
<t>Each Discovery Proxy device <bcp14>MUST</bcp14> be configured to
<t>Each Discovery Proxy device MUST be configured to answer NS queries answer NS queries
for the zone apex name by giving its own NS record, for the zone apex name by giving its own NS record,
and the NS records of its fellow Discovery Proxy devices on the same and the NS records of its fellow Discovery Proxy devices on the same
link, so that it can return the correct answers for NS queries.</t> link, so that it can return the correct answers for NS queries.</t>
<t>The target host name in the RDATA of an NS record <bcp14>MUST
<t>The target host name in the RDATA of an NS record MUST NOT NOT</bcp14>
reference reference
a name that falls within any zone delegated to a Discovery Proxy. a name that falls within any zone delegated to a Discovery Proxy.
Apart from the zone apex name, Apart from the zone apex name,
all other host names that fall within a zone delegated to a Discovery all other host names (names of A and AAAA DNS records)
that fall within a zone delegated to a Discovery
Proxy Proxy
correspond to local Multicast DNS host names, correspond to local Multicast DNS host names,
which logically belong to the respective Multicast DNS hosts defending which logically belong to the respective Multicast DNS hosts defending
those names, those names,
not the Discovery Proxy. not the Discovery Proxy.
Generally speaking, the Discovery Proxy does not own or control the Generally speaking, the Discovery Proxy does not own or control the
delegated zone; delegated zone;
it is merely a conduit to the corresponding ".local" namespace, it is merely a conduit to the corresponding ".local" namespace,
which is controlled by the Multicast DNS hosts on that link. which is controlled by the Multicast DNS hosts on that link.
If an NS record were to reference a manually-determined host name If an NS record were to reference a manually determined host name
that falls within a delegated zone, that falls within a delegated zone,
that manually-determined host name may inadvertently conflict with a that manually determined host name may inadvertently conflict with a
corresponding corresponding
".local" host name that is owned and controlled by some device on that ".local" host name that is owned and controlled by some device on that
link. link.
</t> </t>
</section> </section>
<section anchor="delegation" numbered="true" toc="default">
<section anchor="delegation" title="DNS Delegation Records"> <name>DNS Delegation Records</name>
<t>Since the <xref target="RFC6762">Multicast DNS specification</xref> <t>Since the <xref target="RFC6762" format="default">Multicast DNS
states that there can be no delegation (subdomains) within a ".local" specification</xref> states that there can be no delegation
namespace, (subdomains) within a ".local" namespace, this implies that any name
this implies that within a zone delegated to a Discovery Proxy (except for the zone apex
any name within a zone delegated to a Discovery Proxy name itself) cannot have any answers for any DNS queries for RRTYPEs
(except for the zone apex name itself) SOA, NS, or DS. Consequently:
cannot have any answers for any DNS queries for RRTYPEs SOA, NS, or
DS.
Consequently:
<list style='symbols'>
<t>for any query for the zone apex name of a zone delegated to a
Discovery Proxy,
the Discovery Proxy MUST generate the appropriate immediate
answers as described above, and</t>
<t>for any query for RRTYPEs SOA, NS, or DS,
for any name within a zone delegated to a Discovery Proxy,
other than the zone apex name,
instead of translating the query to its corresponding Multicast
DNS ".local" equivalent,
a Discovery Proxy MUST generate an immediate negative answer.</t>
</list>
</t> </t>
<ul spacing="normal">
<li>for any query for the zone apex name of a zone delegated to a
Discovery Proxy, the Discovery Proxy <bcp14>MUST</bcp14> generate
the appropriate immediate answers as described above, and</li>
<li>
for any query for any name below the zone apex, for RRTYPEs SOA, NS,
or DS,
the Discovery Proxy <bcp14>MUST</bcp14> generate
an immediate negative answer.
</li>
</ul>
</section> </section>
<section anchor="srv" title="DNS SRV Records"> <section anchor="srv" numbered="true" toc="default">
<t>There are certain special DNS records that logically <name>DNS SRV Records</name>
fall within the delegated unicast DNS subdomain, <t>There are certain special DNS records that logically fall within
but rather than mapping to their corresponding ".local" namesakes, the delegated Unicast DNS subdomain, but rather than mapping to their
they actually contain metadata pertaining to the operation corresponding ".local" namesakes, they actually contain metadata
of the delegated unicast DNS subdomain itself. pertaining to the operation of the delegated Unicast DNS subdomain
They do not exist in the corresponding ".local" namespace of the local itself. They do not exist in the corresponding ".local" namespace of
link. the local link. For these queries, a Discovery Proxy
For these queries a Discovery Proxy MUST generate immediate answers, <bcp14>MUST</bcp14> generate immediate answers, whether positive or
whether positive or negative, to avoid delays while clients wait for negative, to avoid delays while clients wait for their query to be
their query to be answered. answered.</t>
For example, if a Discovery Proxy does not implement
<xref target="LLQ">Long-Lived Queries</xref>
then it MUST return an immediate negative answer to tell the client
this without delay,
instead of passing the query through to the local network as a query
for
<spanx style="verb">_dns&nbhy;llq._udp.local.</spanx>,
and then waiting unsuccessfully for answers that will not be
forthcoming.</t>
<t>If a Discovery Proxy implements <t>For example, if a Discovery Proxy implements Long-Lived Queries
<xref target="LLQ">Long-Lived Queries</xref> <xref target="RFC8764" format="default"></xref>, then it
then it MUST positively respond to <bcp14>MUST</bcp14> positively respond to
<spanx style="verb">_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</spanx> <tt>_dns&nbhy;llq._udp.&lt;zone&gt;&nbsp;SRV</tt> queries,
queries, <tt>_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</tt> queries, and
<spanx style="verb">_dns&nbhy;llq._tcp.&lt;zone&gt;&nbsp;SRV</spanx> <tt>_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</tt> queries as
queries, and appropriate. If it does not implement Long-Lived Queries, it
<spanx <bcp14>MUST</bcp14> return an immediate negative answer for those
style="verb">_dns&nbhy;llq&nbhy;tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx queries, instead of passing those queries through to the local network
> as Multicast DNS queries and then waiting unsuccessfully for answers
queries as appropriate, that will not be forthcoming.</t>
else it MUST return an immediate negative answer for those
queries.</t>
<t>If a Discovery Proxy implements <t>If a Discovery Proxy implements
<xref target="Push">DNS Push Notifications</xref> DNS Push Notifications <xref target="RFC8765"
then it MUST positively respond to format="default"></xref>,
<spanx style="verb">_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</spanx> then it <bcp14>MUST</bcp14> positively respond to
queries, <tt>_dns&nbhy;push&nbhy;tls._tcp.&lt;zone&gt;</tt>
else it MUST return an immediate negative answer for those queries.
Otherwise, it <bcp14>MUST</bcp14> return an immediate negative answer
for those
queries.</t> queries.</t>
<t>A Discovery Proxy <bcp14>MUST</bcp14> return an immediate negative
<t>A Discovery Proxy MUST return an immediate negative answer for answer for
<spanx <tt>_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update._udp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, queries,
<spanx <tt>_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, and queries, and
<spanx <tt>_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</tt>
style="verb">_dns&nbhy;update-tls._tcp.&lt;zone&gt;&nbsp;SRV</spanx>
queries, queries,
since using <xref target="RFC2136">DNS Update</xref> to change since using DNS Update <xref target="RFC2136" format="default"></xref>
to change
zones generated dynamically from local Multicast DNS data is not zones generated dynamically from local Multicast DNS data is not
possible.</t> possible.</t>
<?rfc needLines="29" ?>
</section> </section>
</section>
<section anchor="DNSSEC" title="DNSSEC Considerations"> <section numbered="true" toc="default">
<name>Domain Enumeration Records</name>
<t>If the network operator chooses to use address-based
unicast Domain Enumeration queries for client configuration
(see <xref target="unicast" format="default"/>),
and the network operator also chooses to delegate the enclosing
reverse mapping subdomain to a Discovery Proxy,
then that Discovery Proxy becomes responsible for serving
the answers to those address-based unicast Domain Enumeration
queries.</t>
<section title="On-line signing only"> <t>As with the SRV metadata records described above, a Discovery Proxy
configured with delegated reverse mapping subdomains is responsible
for generating immediate (positive or negative) answers for
address-based unicast Domain Enumeration queries, rather than
passing them though to the underlying Multicast DNS subsystem and
then waiting unsuccessfully for answers that will not be
forthcoming.</t>
</section>
</section>
<section anchor="DNSSEC" numbered="true" toc="default">
<name>DNSSEC Considerations</name>
<section numbered="true" toc="default">
<name>Online Signing Only</name>
<t>The Discovery Proxy acts as the authoritative name server for <t>The Discovery Proxy acts as the authoritative name server for
designated subdomains, and if DNSSEC is to be used, the Discovery designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to Proxy needs to possess a copy of the signing keys in order to
possess a copy of the signing keys, in order to generate authoritative generate authoritative signed data from the local Multicast DNS
signed data from the local Multicast DNS responses it receives. responses it receives. Offline signing is not applicable to
Off-line signing is not applicable to Discovery Proxy.</t> Discovery Proxy.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="NSEC and NSEC3 Records"> <name>NSEC and NSEC3 Records</name>
<t>In DNSSEC <t>In DNSSEC,
<xref target="RFC4034">NSEC</xref> and NSEC and NSEC3 records
<xref target="RFC5155">NSEC3</xref> records
are used to assert the nonexistence of certain names, are used to assert the nonexistence of certain names,
also described as "authenticated denial of existence".</t> also described as "authenticated denial of existence"
<xref target="RFC4034" format="default"></xref>
<xref target="RFC5155" format="default"></xref>.</t>
<t>Since a Discovery Proxy only knows what names exist on the local <t>Since a Discovery Proxy only knows what names exist on the local
link link by issuing queries for them, and since it would be impractical to
by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically exist and which do not, a Discovery Proxy cannot programmatically
synthesize the traditional NSEC and NSEC3 records which assert the synthesize the traditional NSEC and NSEC3 records that assert the
nonexistence of a large range of names. nonexistence of a large range of names. Instead, when generating a
Instead, when generating a negative response, negative response, a Discovery Proxy programmatically synthesizes a
a Discovery Proxy programmatically synthesizes a single NSEC record single NSEC record asserting the nonexistence of just the specific
assert the nonexistence of just the specific name queried, and no name queried and no others. Since the Discovery Proxy has the zone
others. signing key, it can do this on demand. Since the NSEC record asserts
Since the Discovery Proxy has the zone signing key, it can do this on the nonexistence of only a single name, zone walking is not a concern,
demand. and NSEC3 is therefore not necessary.</t>
Since the NSEC record asserts the nonexistence of only a single name,
zone walking is not a concern, so NSEC3 is not necessary.</t>
<t>Note that this applies only to traditional immediate DNS queries, <t>Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when which may return immediate negative answers when no immediate positive
no immediate positive answer is available. answer is available. When used with a DNS Push Notification
When used with a subscription <xref target="RFC8765"
<xref target="Push">DNS Push Notification subscription</xref> format="default"></xref>, there are no negative answers, merely the
there are no negative answers, merely the absence of answers so far, absence of answers so far, which may change in the future if answers
which may change in the future if answers become available.</t> become available.</t>
<?rfc needLines="19" ?>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="IPv6 Considerations"> <name>IPv6 Considerations</name>
<t>An IPv4-only host and an IPv6-only host behave as "ships that pass in <t>An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same <xref the night". Even if they are on the same Ethernet <xref target="IEEE-3"
target="IEEE-3">Ethernet</xref>, neither is aware format="default"></xref>, neither is aware of the other's traffic. For
of the other's traffic. For this reason, each link may have this reason, each link may have <em>two</em> unrelated ".local." zones:
*two* unrelated ".local." zones, one for IPv4 and one for IPv6. one for
Since for practical purposes, a group of IPv4-only hosts and a group IPv4 and one for IPv6. Since, for practical purposes, a group of
of IPv6-only hosts on the same Ethernet act as if they were on two IPv4-only hosts and a group of IPv6-only hosts on the same Ethernet act
entirely separate Ethernet segments, it is unsurprising that their as if they were on two entirely separate Ethernet segments, it is
use of the ".local." zone should occur exactly as it would if unsurprising that their use of the ".local." zone should occur exactly
they really were on two entirely separate Ethernet segments.</t> as it would if they really were on two entirely separate Ethernet
segments.</t>
<t>It will be desirable to have a mechanism to 'stitch' together <t>It will be desirable to have a mechanism to "stitch" together
these two unrelated ".local." zones so that they appear as one. these two unrelated ".local." zones so that they appear as one.
Such mechanism will need to be able to differentiate between a Such a mechanism will need to be able to differentiate between a
dual-stack (v4/v6) host participating in both ".local." dual-stack (v4/v6) host participating in both ".local."
zones, and two different hosts, one IPv4-only and the other IPv6-only, zones, and two different hosts: one IPv4-only and the other IPv6-only,
which are both trying to use the same name(s). Such a mechanism which are both trying to use the same name(s). Such a mechanism
will be specified in a future companion document.</t> will be specified in a future companion document.</t>
<t>At present, it is <bcp14>RECOMMENDED</bcp14> that a Discovery Proxy
<t>At present, it is RECOMMENDED that a Discovery Proxy be configured be configured
with a single domain name for both the IPv4 and IPv6 ".local." zones with a single domain name for both the IPv4 and IPv6 ".local." zones
on the local link, and when a unicast query is received, it should on the local link, and when a unicast query is received, it should
issue Multicast DNS queries using both IPv4 and IPv6 on the local link, issue Multicast DNS queries using both IPv4 and IPv6 on the local link
and then combine the results.</t> and then combine the results.</t>
<?rfc needLines="25" ?>
</section> </section>
<section numbered="true" toc="default">
<section title="Security Considerations"> <name>Security Considerations</name>
<section title="Authenticity"> <section numbered="true" toc="default">
<name>Authenticity</name>
<t>A service proves its presence on a link by its ability to <t>A service proves its presence on a link by its ability to
answer link-local multicast queries on that link. answer link-local multicast queries on that link.
If greater security is desired, then the Discovery Proxy mechanism If greater security is desired, then the Discovery Proxy mechanism
should not be used, and something with stronger security should should not be used, and something with stronger security should
be used instead, such as authenticated secure DNS Update be used instead such as authenticated secure DNS Update
<xref target="RFC2136"/> <xref target="RFC3007"/>.</t> <xref target="RFC2136" format="default"/> <xref target="RFC3007"
format="default"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Privacy"> <name>Privacy</name> <t>The Domain Name System is, generally speaking,
<t>The Domain Name System is, generally speaking, a global public a global public database. Records that exist in the Domain Name
database. System name hierarchy can be queried by name from, in principle,
Records that exist in the Domain Name System name hierarchy anywhere in the world. If services on a mobile device (like a laptop
can be queried by name from, in principle, anywhere in the world. computer) are made visible via the Discovery Proxy mechanism, then
If services on a mobile device (like a laptop computer) are made when those services become visible in a domain such as
visible "My&nbsp;House.example.com", it might indicate to (potentially
via the Discovery Proxy mechanism, then when those services become hostile) observers that the mobile device is in the owner's home.
visible When those
in a domain such as "My&nbsp;House.example.com" that might indicate to services disappear from "My&nbsp;House.example.com", that change could
(potentially hostile) observers that the mobile device is in my house. be used by observers to infer when the mobile device (and possibly its
When those services disappear from "My&nbsp;House.example.com" owner) may have left the house. The privacy of this information may
that change could be used by observers to infer when the be protected using techniques like firewalls, split-view DNS, and
mobile device (and possibly its owner) may have left the house. Virtual Private Networks (VPNs), as are customarily used today to
The privacy of this information may be protected using techniques protect the privacy of corporate DNS information.</t>
like firewalls, split-view DNS, and Virtual Private Networks (VPNs),
as are customarily used today
to protect the privacy of corporate DNS information.</t>
<t>The privacy issue is particularly serious for the IPv4 and IPv6 <t>The privacy issue is particularly serious for the IPv4 and IPv6
reverse zones. reverse zones.
If the public delegation of the reverse zones points to the If the public delegation of the reverse zones points to the
Discovery Proxy, and the Discovery Proxy is reachable globally, Discovery Proxy, and the Discovery Proxy is reachable globally,
then it could leak a significant amount of information. then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might Attackers could discover hosts that otherwise might
not be easy to identify, and learn their hostnames. not be easy to identify, and learn their host names.
Attackers could also discover the existence of links Attackers could also discover the existence of links
where hosts frequently come and go.</t> where hosts frequently come and go.</t>
<t>The Discovery Proxy could provide sensitive records only to
<t>The Discovery Proxy could also provide sensitive records only to
authenticated authenticated
users. This is a general DNS problem, not specific to the Discovery users. This is a general DNS problem, not specific to the Discovery
Proxy. Proxy.
Work is underway in the IETF to tackle this problem <xref Work is underway in the IETF to tackle this problem <xref
target="RFC7626"/>.</t> target="RFC7626" format="default"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Denial of Service"> <name>Denial of Service</name>
<t>A remote attacker could use a rapid series of unique Unicast DNS <t>A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Discovery Proxy to generate a rapid series of queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local links. corresponding Multicast DNS queries on one or more of its local links.
Multicast traffic is generally more expensive than unicast traffic Multicast traffic is generally more expensive than unicast traffic,
-- especially on Wi-Fi links -- especially on Wi-Fi links
which makes this attack particularly serious. <xref target="I-D.ietf-mboned-ieee802-mcast-problems"
To limit the damage that can be caused by such attacks, a Discovery format="default"/>,
Proxy which makes this attack particularly
(or the underlying Multicast DNS subsystem which it utilizes) MUST serious. To limit the damage that can be caused by such attacks, a
implement Multicast DNS query rate limiting appropriate to the link Discovery Proxy (or the underlying Multicast DNS subsystem that it
technology in question. For today's 802.11b/g/n/ac Wi-Fi links utilizes) <bcp14>MUST</bcp14> implement Multicast DNS query rate
(for which approximately 200 multicast packets per second is limiting appropriate to the link technology in question. For today's
sufficient 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
to consume approximately 100% of the wireless spectrum) packets per second is sufficient to consume approximately 100% of the
a limit of 20 Multicast DNS query packets per second is RECOMMENDED. wireless spectrum), a limit of 20 Multicast DNS query packets per
On other link technologies like Gigabit Ethernet higher limits second is <bcp14>RECOMMENDED</bcp14>. On other link technologies like
may be appropriate. Gigabit Ethernet, higher limits may be appropriate. A consequence of
A consequence of this rate limiting is that a rogue remote client this rate limiting is that a rogue remote client could issue an
could issue an excessive number of queries, resulting in denial of excessive number of queries resulting in denial of service to other
service to other legitimate remote clients attempting to use that legitimate remote clients attempting to use that Discovery Proxy.
Discovery Proxy.
However, this is preferable to a rogue remote client being able to However, this is preferable to a rogue remote client being able to
inflict even greater harm on the local network, which could impact inflict even greater harm on the local network, which could impact the
the correct operation of all local clients on that network.</t> correct operation of all local clients on that network.</t>
<?rfc needLines="28" ?>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="IANA Considerations"> <name>IANA Considerations</name>
<t>This document has no IANA Considerations.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section title="Acknowledgments">
<t>Thanks to Markus Stenberg for helping develop the policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to
Anders Brandt,
Ben Campbell,
Tim Chown,
Alissa Cooper,
Spencer Dawkins,
Ralph Droms,
Joel Halpern,
Ray Hunter,
Joel Jaeggli,
Warren Kumari,
Ted Lemon,
Alexey Melnikov,
Kathleen Moriarty,
Tom Pusateri,
Eric Rescorla,
Adam Roach,
David Schinazi,
Markus Stenberg,
Dave Thaler,
and Andrew Yourtchenko for their comments.</t>
<?rfc needLines="33" ?>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References">
<?rfc include="reference.RFC.1034" ?>
<?rfc include="reference.RFC.1035" ?>
<?rfc include="reference.RFC.1918" ?>
<?rfc include="reference.RFC.2119" ?>
<?rfc include="reference.RFC.2308" ?>
<?rfc include="reference.RFC.3629" ?>
<?rfc include="reference.RFC.3927" ?>
<?rfc include="reference.RFC.4034" ?>
<?rfc include="reference.RFC.4862" ?>
<?rfc include="reference.RFC.5155" ?>
<?rfc include="reference.RFC.5198" ?>
<?rfc include="reference.RFC.6762" ?>
<?rfc include="reference.RFC.6763" ?>
<?rfc include="reference.RFC.8174" ?>
<?rfc include="reference.RFC.8490" ?>
<?rfc include="reference.I-D.ietf-dnssd-push" anchor='Push' <displayreference target="I-D.cheshire-dnssd-roadmap" to="ROADMAP"/>
?>
</references> <displayreference target="I-D.sctl-service-registration" to="REG-PROT"/>
<?rfc needLines="6" ?> <displayreference target="I-D.sctl-dnssd-mdns-relay" to="RELAY"/>
<references title="Informative References">
<?rfc include="reference.I-D.cheshire-dnssd-roadmap" <displayreference target="I-D.ietf-mboned-ieee802-mcast-problems" to="MCAST"/>
anchor='Roadmap' ?>
<?rfc include="reference.I-D.sekar-dns-ul"
anchor='DNS-UL' ?>
<?rfc include="reference.I-D.sekar-dns-llq" anchor='LLQ'
?>
<?rfc include="reference.I-D.sctl-service-registration"
anchor='RegProt' ?>
<?rfc include="reference.I-D.sctl-dnssd-mdns-relay" anchor='Relay'
?>
<?rfc include="reference.I-D.ietf-mboned-ieee802-mcast-problems"
anchor='Mcast' ?>
<?rfc include="reference.RFC.2132" ?>
<?rfc include="reference.RFC.2136" ?>
<?rfc include="reference.RFC.3007" ?>
<?rfc include="reference.RFC.3492" ?>
<?rfc include="reference.RFC.4193" ?>
<?rfc include="reference.RFC.6760" ?>
<?rfc include="reference.RFC.7558" ?>
<?rfc include="reference.RFC.7626" ?>
<?rfc include="reference.RFC.7788" ?>
<?rfc include="reference.RFC.8375" ?>
<reference anchor="ohp" target="https://github.com/sbyx/ohybridproxy/"> <displayreference target="I-D.sekar-dns-ul" to="DNS-UL"/>
<front>
<title>Discovery Proxy (Hybrid Proxy) implementation for
OpenWrt</title>
<author/>
<date/>
</front>
</reference>
<reference anchor="ZC"> <references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.10
34.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.10
35.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.19
18.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.21
19.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.23
08.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.36
29.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.39
27.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.40
34.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.48
62.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.51
55.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.51
98.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.67
62.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.67
63.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.81
74.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.84
90.xml"/>
<reference anchor='RFC8765' target="https://www.rfc-editor.org/info/rfc8765">
<front> <front>
<title>Zero Configuration Networking: The Definitive Guide</title> <title>DNS Push Notifications
<author initials="S." surname="Cheshire" fullname="Stuart </title>
Cheshire"/> <author initials='T' surname='Pusateri' fullname='Tom Pusateri'>
<author initials="D.H." surname="Steinberg" fullname="Daniel <organization />
H. Steinberg"/> </author>
<date year="2005" month="December"/> <author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
<organization />
</author>
<date month='June' year='2020' />
</front> </front>
<seriesInfo name="O'Reilly Media, Inc." value=""/> <seriesInfo name='RFC' value='8765' />
<seriesInfo name="ISBN" value="0-596-10100-7"/> <seriesInfo name="DOI" value="10.17487/RFC8765"/>
</reference> </reference>
</references>
<references>
<name>Informative References</name>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sek
ar-dns-ul.xml"/>
<!-- Patterned after
http://xml.resource.org/public/rfc/bibxml2/_reference.IEEE.802-3.1998.xml
-->
<reference anchor="IEEE-1Q" <reference anchor="IEEE-1Q"
target="http://standards.ieee.org/getieee802/download/802-1Q-201 target="https://ieeexplore.ieee.org/document/6991462">
4.pdf"> <front>
<front> <title>IEEE Standard for Local and metropolitan area
<title> networks -- Bridges and Bridged Networks
IEEE Standard for Local and metropolitan area networks -- </title>
Bridges and Bridged Networks <author>
</title> <organization>IEEE</organization>
<author/> </author>
<date year="2014" month="November"/> <date year="2014"/>
</front> </front>
<seriesInfo name="IEEE" value="Std 802.1Q-2014"/> <seriesInfo name="IEEE Std" value="802.1Q-2014"/>
<seriesInfo name="DOI" value="10.1109/IEEESTD.2014.6991462"/>
</reference> </reference>
<reference anchor="IEEE-3" <reference anchor="IEEE-3"
target="http://standards.ieee.org/getieee802/802.3.html"> target="https://ieeexplore.ieee.org/document/8457469">
<front> <front>
<title> <title>
Information technology - Telecommunications and information IEEE Standard for Ethernet
exchange between systems - </title>
Local and metropolitan area networks - Specific requirements - <seriesInfo name="IEEE Std" value="802.3-2018"/>
Part 3: Carrier Sense Multiple Access with Collision Detection <seriesInfo name="DOI" value="10.1109/IEEESTD.2018.8457469"/>
(CMSA/CD) <author>
Access Method and Physical Layer Specifications <organization>IEEE</organization>
</title> </author>
<author/> <date year="2008" month="December"/>
<date year="2008" month="December"/> </front>
</front> </reference>
<seriesInfo name="IEEE" value="Std 802.3-2008"/>
</reference>
<reference anchor="IEEE-5"> <reference anchor="IEEE-5"
<front> target="https://standards.ieee.org/standard/802_5-1998.html
<title>Information technology - Telecommunications and information ">
exchange <front>
between systems - Local and metropolitan area networks - Specific <title>
requirements - Telecommunications and information exchange between systems - Local and
Part 5: Token ring access method and physical layer metropolitan area networks - Part 5: Token ring access method and physical
specification</title> layer specifications
<author><organization>Institute of Electrical and Electronics </title>
Engineers</organization></author> <seriesInfo name="IEEE Std" value="802.5-1998"/>
<date month="" year="1995" /> <author>
</front> <organization>IEEE</organization>
<seriesInfo name="IEEE" value="Std 802.5-1998"/> </author>
</reference> <date year="1998"/>
</front>
</reference>
<reference anchor="IEEE-11" <reference anchor="IEEE-11"
target="http://standards.ieee.org/getieee802/802.11.html"> target="https://standards.ieee.org/standard/802_11-2016.htm
<front> l">
<title> <front>
<title>
Information technology - Telecommunications and information Information technology - Telecommunications and information
exchange between systems - exchange between systems -
Local and metropolitan area networks - Specific requirements - Local and metropolitan area networks - Specific requirements -
Part 11: Wireless LAN Medium Access Control (MAC) and Physical Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications Layer (PHY) Specifications
</title> </title>
<author/> <seriesInfo name="IEEE Std" value="802.11-2016"/>
<date year="2007" month="June"/> <author>
</front> <organization>IEEE
<seriesInfo name="IEEE" value="Std 802.11-2007"/> </organization>
</reference> </author>
<date year="2016" month="December"/>
</front>
</reference>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.iet
f-mboned-ieee802-mcast-problems.xml"/>
<reference anchor="OHP"
target="https://github.com/sbyx/ohybridproxy/">
<front>
<title>
ohybridproxy - an mDNS/DNS hybrid-proxy based on
mDNSResponder
</title>
<author/>
<date month="June" year="2017"/>
</front>
<refcontent>commit 464d6c9</refcontent>
</reference>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sct
l-service-registration.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.sct
l-dnssd-mdns-relay.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.21
32.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.21
36.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.30
07.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.34
92.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.41
93.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.67
60.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.75
58.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.76
26.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.77
88.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.83
75.xml"/>
<reference anchor='RFC8764' target="https://www.rfc-editor.org/info/rfc8764">
<front>
<title>Apple's DNS Long-Lived Queries Protocol</title>
<author initials='S' surname='Cheshire' fullname='Stuart Cheshire'>
<organization />
</author>
<author initials='M' surname='Krochmal' fullname='Marc Krochmal'>
<organization />
</author>
<date month='June' year='2020' />
</front>
<seriesInfo name='RFC' value='8764' />
<seriesInfo name="DOI" value="10.17487/RFC8764"/>
</reference>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.che
shire-dnssd-roadmap.xml"/>
<reference anchor="ZC">
<front>
<title>Zero Configuration Networking: The Definitive Guide</title>
<seriesInfo name="ISBN" value="0-596-10100-7"/>
<author initials="S." surname="Cheshire" fullname="Stuart
Cheshire"/>
<author initials="D.H." surname="Steinberg" fullname="Daniel
H. Steinberg"/>
<date year="2005" month="December"/>
</front>
<refcontent>O'Reilly Media, Inc.</refcontent>
</reference>
</references>
</references> </references>
<?rfc needLines="40" ?> <section anchor="implementation" numbered="true" toc="default">
<section anchor="implementation" title="Implementation Status"> <name>Implementation Status</name>
<t>Some aspects of the mechanism specified in this document already <t>Some aspects of the mechanism specified in this document already
exist in exist in
deployed software. Some aspects are new. This section outlines which deployed software. Some aspects are new. This section outlines which
aspects aspects
already exist and which are new.</t> already exist and which are new.</t>
<section numbered="true" toc="default">
<section title="Already Implemented and Deployed"> <name>Already Implemented and Deployed</name>
<t>Domain enumeration by the client (the <t>Domain enumeration by the client
"b._dns-sd._udp" queries) is already implemented and deployed.</t> ("b._dns-sd._udp.&lt;zone&gt;" queries) is already implemented and
deployed.</t>
<t>Unicast queries to the indicated discovery domain is already <t>Performing unicast queries to the indicated discovery domain is
already
implemented and deployed.</t> implemented and deployed.</t>
<t>These are implemented and deployed in Mac OS X 10.4 Tiger and later
<t>These are implemented and deployed in Mac OS X 10.4 and later (including all versions of Apple iOS, on all models of iPhones, iPads,
(including all versions of Apple iOS, on all iPhone and iPads), Apple TVs and HomePods),
in Bonjour for Windows, in Bonjour for Windows,
and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t> and in Android 4.1 "Jelly Bean" (API Level 16) and later.</t>
<t>Domain enumeration and unicast querying have been <t>Domain enumeration and unicast querying have been
used for several years at IETF meetings to make Terminal Room used for several years at IETF meetings to make terminal room
printers discoverable from outside the Terminal room. When an IETF printers discoverable from outside the terminal room. When an IETF
attendee presses Cmd-P on a Mac, or selects AirPrint on an iPad attendee presses "Cmd&nbhy;P" on a Mac, or selects AirPrint on an iPad
or iPhone, and the Terminal room printers appear, that is because or iPhone, and the terminal room printers appear, it is because
the client is sending unicast DNS queries to the IETF DNS servers. the client is sending Unicast DNS queries to the IETF DNS servers.
A walk-through giving the details of this particular specific example A walk-through giving the details of this particular specific example
is given in Appendix A of <xref target="Roadmap">the Roadmap is given in <xref target="I-D.cheshire-dnssd-roadmap"
sectionFormat="of" section="A">the Roadmap
document</xref>.</t> document</xref>.</t>
</section> <t>The Long-Lived Query mechanism <xref target="RFC8764"
format="default"/>
referred to in this specification exists and is deployed
but was not standardized by the IETF.
The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications <xref target="RFC8765"
format="default"/>,
which is built on DNS Stateful Operations <xref target="RFC8490"
format="default"/>.
DNS Push Notifications is implemented and deployed in Mac OS X 10.15
and later,
and iOS 13 and later.</t>
<section title="Already Implemented"> </section>
<section numbered="true" toc="default">
<name>Already Implemented</name>
<t>A minimal portable Discovery Proxy implementation has been produced <t>A minimal portable Discovery Proxy implementation has been produced
by by
Markus Stenberg and Steven Barth, which runs on OS X and several Linux Markus Stenberg and Steven Barth, which runs on OS X and several Linux
variants including OpenWrt <xref target="ohp"/>. variants including OpenWrt <xref target="OHP" format="default"/>.
It was demonstrated at the Berlin IETF in July 2013.</t> It was demonstrated at the Berlin IETF in July 2013.</t>
<t>Tom Pusateri has an implementation that runs on any Unix/Linux. <t>Tom Pusateri has an implementation that runs on any Unix/Linux
It has a RESTful interface for management and an experimental demo CLI system. It
and web interface.</t> has a RESTful interface for management and an experimental demo
command-line interface (CLI) and web interface.</t>
<t>Ted Lemon also has produced a portable implementation of Discovery <t>Ted Lemon also has produced a portable implementation of Discovery
Proxy, Proxy,
which is available in the mDNSResponder open source code.</t> which is available in the mDNSResponder open source code.</t>
<t>The Long-Lived Query mechanism <xref target="LLQ"/>
referred to in this specification exists and is deployed,
but was not standardized by the IETF.
The IETF has developed a superior Long-Lived Query mechanism
called DNS Push Notifications <xref target="Push"/>,
which is built on DNS Stateful Operations <xref target="RFC8490"/>.
The pragmatic short-term deployment approach is for vendors
to produce Discovery Proxies that implement both the deployed
Long-Lived Query mechanism <xref target="LLQ"/>
(for today's clients) and the new
DNS Push Notifications mechanism <xref target="Push"/>
as the preferred long-term direction.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Partially Implemented"> <name>Partially Implemented</name>
<t>The current APIs make multiple domains visible to client <t>At the time of writing,
software, but most client UI today lumps all discovered services existing APIs make multiple domains visible to client software,
but most client user interfaces lump all discovered services
into a single flat list. This is largely a chicken-and-egg into a single flat list. This is largely a chicken-and-egg
problem. Application writers were naturally reluctant to spend problem. Application writers were naturally reluctant to spend
time writing domain-aware UI code when few customers today would time writing domain-aware user interface code when few customers would
benefit from it. If Discovery Proxy deployment becomes common, then benefit from it. If Discovery Proxy deployment becomes common, then
application writers will have a reason to provide better UI. application writers will have a reason to provide a better user
Existing applications will work with the Discovery Proxy, but will experience.
Existing applications will work with the Discovery Proxy but will
show all services in a single flat list. Applications with show all services in a single flat list. Applications with
improved UI will group services by domain.</t> improved user interfaces will show services grouped by domain.</t>
</section> </section>
</section> </section>
<section numbered="false" toc="default">
<name>Acknowledgments</name>
<t>Thanks to <contact fullname="Markus Stenberg"/> for helping develop
the policy
regarding the four styles of unicast response according to what
data is immediately available in the cache.
Thanks to
<contact fullname="Anders Brandt"/>,
<contact fullname="Ben Campbell"/>,
<contact fullname="Tim Chown"/>,
<contact fullname="Alissa Cooper"/>,
<contact fullname="Spencer Dawkins"/>,
<contact fullname="Ralph Droms"/>,
<contact fullname="Joel Halpern"/>,
<contact fullname="Ray Hunter"/>,
<contact fullname="Joel Jaeggli"/>,
<contact fullname="Warren Kumari"/>,
<contact fullname="Ted Lemon"/>,
<contact fullname="Alexey Melnikov"/>,
<contact fullname="Kathleen Moriarty"/>,
<contact fullname="Tom Pusateri"/>,
<contact fullname="Eric Rescorla"/>,
<contact fullname="Adam Roach"/>,
<contact fullname="David Schinazi"/>,
<contact fullname="Markus Stenberg"/>,
<contact fullname="Dave Thaler"/>,
and <contact fullname="Andrew Yourtchenko"/> for their comments.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 266 change blocks. 
1494 lines changed or deleted 1665 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/