draft-ietf-dnssd-hybrid-07.txt   draft-ietf-dnssd-hybrid-08.txt 
Internet Engineering Task Force S. Cheshire Internet Engineering Task Force S. Cheshire
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track September 13, 2017 Intended status: Standards Track March 18, 2018
Expires: March 17, 2018 Expires: September 19, 2018
Discovery Proxy for Multicast DNS-Based Service Discovery Discovery Proxy for Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-07 draft-ietf-dnssd-hybrid-08
Abstract Abstract
This document specifies a mechanism that uses Multicast DNS to This document specifies a network proxy that uses Multicast DNS to
automatically populate the wide-area unicast Domain Name System automatically populate the wide-area unicast Domain Name System
namespace with records describing devices and services found on the namespace with records describing devices and services found on the
local link. local link.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 17, 2018. This Internet-Draft will expire on September 19, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 36 skipping to change at page 2, line 36
6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 26 6.1. DNS SOA (Start of Authority) Record . . . . . . . . . . . 26
6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . 27 6.2. DNS NS Records . . . . . . . . . . . . . . . . . . . . . 27
6.3. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 27 6.3. DNS SRV Records . . . . . . . . . . . . . . . . . . . . . 27
7. DNSSEC Considerations . . . . . . . . . . . . . . . . . . . . 28 7. DNSSEC Considerations . . . . . . . . . . . . . . . . . . . . 28
7.1. On-line signing only . . . . . . . . . . . . . . . . . . 28 7.1. On-line signing only . . . . . . . . . . . . . . . . . . 28
7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . 28 7.2. NSEC and NSEC3 Records . . . . . . . . . . . . . . . . . 28
8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 29 8. IPv6 Considerations . . . . . . . . . . . . . . . . . . . . . 29
9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30
9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . 30 9.1. Authenticity . . . . . . . . . . . . . . . . . . . . . . 30
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 30 9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 31 9.3. Denial of Service . . . . . . . . . . . . . . . . . . . . 30
10. Intelectual Property Rights . . . . . . . . . . . . . . . . . 32 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 12.1. Normative References . . . . . . . . . . . . . . . . . . 32
13.1. Normative References . . . . . . . . . . . . . . . . . . 33 12.2. Informative References . . . . . . . . . . . . . . . . . 33
13.2. Informative References . . . . . . . . . . . . . . . . . 34
Appendix A. Implementation Status . . . . . . . . . . . . . . . 36 Appendix A. Implementation Status . . . . . . . . . . . . . . . 36
A.1. Already Implemented and Deployed . . . . . . . . . . . . 36 A.1. Already Implemented and Deployed . . . . . . . . . . . . 36
A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 36 A.2. Already Implemented . . . . . . . . . . . . . . . . . . . 36
A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 36 A.3. Partially Implemented . . . . . . . . . . . . . . . . . . 36
A.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 37 A.4. Not Yet Implemented . . . . . . . . . . . . . . . . . . . 37
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 37 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
Multicast DNS [RFC6762] and its companion technology DNS-based Multicast DNS [RFC6762] and its companion technology DNS-based
Service Discovery [RFC6763] were created to provide IP networking Service Discovery [RFC6763] were created to provide IP networking
with the ease-of-use and autoconfiguration for which AppleTalk was with the ease-of-use and autoconfiguration for which AppleTalk was
well known [RFC6760] [ZC]. well known [RFC6760] [ZC] [Roadmap].
For a small home network consisting of just a single link (or a few For a small home network consisting of just a single link (or a few
physical links bridged together to appear as a single logical link physical links bridged together to appear as a single logical link
from the point of view of IP) Multicast DNS [RFC6762] is sufficient from the point of view of IP) Multicast DNS [RFC6762] is sufficient
for client devices to look up the ".local" host names of peers on the for client devices to look up the ".local" host names of peers on the
same home network, and to use Multicast DNS-Based Service Discovery same home network, and to use Multicast DNS-Based Service Discovery
(DNS-SD) [RFC6763] to discover services offered on that home network. (DNS-SD) [RFC6763] to discover services offered on that home network.
For a larger network consisting of multiple links that are For a larger network consisting of multiple links that are
interconnected using IP-layer routing instead of link-layer bridging, interconnected using IP-layer routing instead of link-layer bridging,
skipping to change at page 3, line 32 skipping to change at page 3, line 32
Multicast DNS packets, by design, are not propagated onto other Multicast DNS packets, by design, are not propagated onto other
links. links.
Using link-local multicast packets for Multicast DNS was a conscious Using link-local multicast packets for Multicast DNS was a conscious
design choice [RFC6762]. Even when limited to a single link, design choice [RFC6762]. Even when limited to a single link,
multicast traffic is still generally considered to be more expensive multicast traffic is still generally considered to be more expensive
than unicast, because multicast traffic impacts many devices, instead than unicast, because multicast traffic impacts many devices, instead
of just a single recipient. In addition, with some technologies like of just a single recipient. In addition, with some technologies like
Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and Wi-Fi [IEEE-11], multicast traffic is inherently less efficient and
less reliable than unicast, because Wi-Fi multicast traffic is sent less reliable than unicast, because Wi-Fi multicast traffic is sent
using the lower data rates, and is not acknowledged. Multiplying the at lower data rates, and is not acknowledged. Increasing the amount
amount of expensive multicast traffic by flooding it across multiple of expensive multicast traffic by flooding it across multiple links
links would make the traffic load even worse. would make the traffic load even worse.
Partitioning the network into many small links curtails the spread of Partitioning the network into many small links curtails the spread of
expensive multicast traffic, but limits the discoverability of expensive multicast traffic, but limits the discoverability of
services. Using a very large local link with thousands of hosts services. At the opposite end of the spectrum, using a very large
enables better service discovery, but at the cost of larger amounts local link with thousands of hosts enables better service discovery,
of multicast traffic. but at the cost of larger amounts of multicast traffic.
Performing DNS-Based Service Discovery using purely Unicast DNS is Performing DNS-Based Service Discovery using purely Unicast DNS is
more efficient and doesn't require excessively large multicast more efficient and doesn't require large multicast domains, but does
domains, but requires that the relevant data be available in the require that the relevant data be available in the Unicast DNS
Unicast DNS namespace. The Unicast DNS namespace in question could namespace. The Unicast DNS namespace in question could fall within a
fall within a traditionally assigned globally unique domain name, or traditionally assigned globally unique domain name, or could use a
could use a private local unicast domain name such as ".home.arpa" private local unicast domain name such as ".home.arpa"
[HOME].) [I-D.ietf-homenet-dot].)
In the DNS-SD specification [RFC6763], Section 10 ("Populating the In the DNS-SD specification [RFC6763], Section 10 ("Populating the
DNS with Information") discusses various possible ways that a DNS with Information") discusses various possible ways that a
service's PTR, SRV, TXT and address records can make their way into service's PTR, SRV, TXT and address records can make their way into
the Unicast DNS namespace, including manual zone file configuration the Unicast DNS namespace, including manual zone file configuration
[RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of [RFC1034] [RFC1035], DNS Update [RFC2136] [RFC3007] and proxies of
various kinds. various kinds.
Making the relevant data available in the Unicast DNS namespace by Making the relevant data available in the Unicast DNS namespace by
manual DNS configuration (as has been done for many years at IETF manual DNS configuration is one option. This option has been used
meetings to advertise the IETF Terminal Room printer) is labor for many years at IETF meetings to advertise the IETF Terminal Room
intensive, error prone, and requires a reasonable degree of DNS printer. Details of this example are given in Appendix A of the
expertise. Roadmap document [Roadmap]. However, this manual DNS configuration
is labor intensive, error prone, and requires a reasonable degree of
DNS expertise.
Populating the Unicast DNS namespace via DNS Update by the devices Populating the Unicast DNS namespace via DNS Update by the devices
offering the services themselves requires configuration of DNS Update offering the services themselves is another option [RegProt]
keys on those devices, which has proven onerous and impractical for [DNS-UL]. However, this requires configuration of DNS Update keys on
simple devices like printers and network cameras. those devices, which has proven onerous and impractical for simple
devices like printers and network cameras.
Hence, to facilitate efficient and reliable DNS-Based Service Hence, to facilitate efficient and reliable DNS-Based Service
Discovery, a compromise is needed that combines the ease-of-use of Discovery, a compromise is needed that combines the ease-of-use of
Multicast DNS with the efficiency and scalability of Unicast DNS. Multicast DNS with the efficiency and scalability of Unicast DNS.
This document specifies a type of proxy called a "Multicast Discovery This document specifies a type of proxy called a "Discovery Proxy"
Proxy" (or just "Discovery Proxy") that uses Multicast DNS [RFC6762] that uses Multicast DNS [RFC6762] to discover Multicast DNS records
to discover Multicast DNS records on its local link, and makes on its local link, and makes corresponding DNS records visible in the
corresponding DNS records visible in the Unicast DNS namespace. Unicast DNS namespace.
In principle, similar mechanisms could be defined using other local In principle, similar mechanisms could be defined using other local
service discovery protocols, to discover local information and then service discovery protocols, to discover local information and then
make corresponding DNS records visible in the Unicast DNS namespace. make corresponding DNS records visible in the Unicast DNS namespace.
Such mechanisms for other local service discovery protocols could be Such mechanisms for other local service discovery protocols could be
addressed in future documents. addressed in future documents.
The design of the Discovery Proxy is guided by the previously The design of the Discovery Proxy is guided by the previously
published Requirements for Scalable DNS-Based Service [RFC7558]. published requirements document [RFC7558].
In simple terms, a descriptive DNS name is chosen for each link in an In simple terms, a descriptive DNS name is chosen for each link in an
organization. Using a DNS NS record, responsibility for that DNS organization. Using a DNS NS record, responsibility for that DNS
name is delegated to a Discovery Proxy physically attached to that name is delegated to a Discovery Proxy physically attached to that
link. Now, when a remote client issues a unicast query for a name link. Now, when a remote client issues a unicast query for a name
falling within the delegated subdomain, the normal DNS delegation falling within the delegated subdomain, the normal DNS delegation
mechanism results in the unicast query arriving at the Discovery mechanism results in the unicast query arriving at the Discovery
Proxy, since it has been declared authoritative for those names. Proxy, since it has been declared authoritative for those names.
Now, instead of consulting a textual zone file on disk to discover Now, instead of consulting a textual zone file on disk to discover
the answer to the query, as a traditional DNS server would, a the answer to the query, as a traditional DNS server would, a
skipping to change at page 5, line 11 skipping to change at page 5, line 14
For fault tolerance reasons there may be more than one Discovery For fault tolerance reasons there may be more than one Discovery
Proxy serving a given link. Proxy serving a given link.
Note that the Discovery Proxy uses a "pull" model. The local link is Note that the Discovery Proxy uses a "pull" model. The local link is
not queried using Multicast DNS until some remote client has not queried using Multicast DNS until some remote client has
requested that data. In the idle state, in the absence of client requested that data. In the idle state, in the absence of client
requests, the Discovery Proxy sends no packets and imposes no burden requests, the Discovery Proxy sends no packets and imposes no burden
on the network. It operates purely "on demand". on the network. It operates purely "on demand".
An alternative proposal that has been suggested is a proxy that An alternative proposal that has been discussed is a proxy that
performs DNS updates to a remote DNS server on behalf of the performs DNS updates to a remote DNS server on behalf of the
Multicast DNS devices on the local network. The difficulty of this Multicast DNS devices on the local network. The difficulty with this
is that the proxy would have to be issuing all possible Multicast DNS is is that Multicast DNS devices do not routinely announce their
queries all the time, to discover all the answers it needed to push records on the network. Generally they remain silent until queried.
up to the remote DNS server using DNS Update. It would thus generate This means that the complete set of Multicast DNS records in use on a
very high load on the network continuously, even when there were no link can only be discovered by active querying, not by passive
clients with any interest in that data. listening. Because of this, a proxy can only know what names exist
on a link by issuing queries for them, and since it would be
impractical to issue queries for every possible name just to find out
which names exist and which do not, there is no reasonable way for a
proxy to programmatically learn all the answers it would need to push
up to the remote DNS server using DNS Update. Even if such a
mechanism were possible, it would risk generating high load on the
network continuously, even when there are no clients with any
interest in that data.
Hence, having a model where the query comes to the Discovery Proxy is Hence, having a model where the query comes to the Discovery Proxy is
much more efficient than a model where the Discovery Proxy pushes the much more efficient than a model where the Discovery Proxy pushes the
answers out to some other remote DNS server. answers out to some other remote DNS server.
A client seeking to discover services and other information achieves A client seeking to discover services and other information achieves
this by sending traditional DNS queries to the Discovery Proxy, or by this by sending traditional DNS queries to the Discovery Proxy, or by
sending DNS Push Notification subscription requests [PUSH]. sending DNS Push Notification subscription requests [Push].
How a client discovers what domain name(s) to use for its service
discovery queries, (and consequently what Discovery Proxy or Proxies
to use) is described in Section 5.2.
The diagram below illustrates a network topology using a Discovery
Proxy to provide discovery service to a remote client.
+--------+ Unicast +-----------+ +---------+ +---------+
| Remote | Communcation | Discovery | | Network | | Network |
| Client |---- . . . -----| Proxy | | Printer | | Camera |
+--------+ +-----------+ +---------+ +---------+
| | |
--------------------------------------------
Multicast-capable LAN segment (e.g., Ethernet)
2. Operational Analogy 2. Operational Analogy
A Discovery Proxy does not operate as a multicast relay, or multicast A Discovery Proxy does not operate as a multicast relay, or multicast
forwarder. There is no danger of multicast forwarding loops that forwarder. There is no danger of multicast forwarding loops that
result in traffic storms, because no multicast packets are forwarded. result in traffic storms, because no multicast packets are forwarded.
A Discovery Proxy operates as a *proxy* for a remote client, A Discovery Proxy operates as a *proxy* for a remote client,
performing queries on its behalf and reporting the results back. performing queries on its behalf and reporting the results back.
A reasonable analogy would be making a telephone call to a colleague A reasonable analogy is making a telephone call to a colleague at
at your workplace and saying, "I'm out of the office right now. your workplace and saying, "I'm out of the office right now. Would
Would you mind bringing up a printer browser window and telling me you mind bringing up a printer browser window and telling me the
the names of the printers you see?" That entails no risk of a names of the printers you see?" That entails no risk of a forwarding
forwarding loop causing a traffic storm, because no multicast packets loop causing a traffic storm, because no multicast packets are sent
are sent over the telephone call. over the telephone call.
A similar analogy, instead of enlisting another human being to A similar analogy, instead of enlisting another human being to
initiate the service discovery operation on your behalf, would be to initiate the service discovery operation on your behalf, is to log
log into your own desktop work computer using screen sharing, and into your own desktop work computer using screen sharing, and then
then run the printer browser yourself to see the list of printers. run the printer browser yourself to see the list of printers. Or log
Or log in using ssh and type "dns-sd -B _ipp._tcp" and observe the in using ssh and type "dns-sd -B _ipp._tcp" and observe the list of
list of discovered printer names. In neither case is there any risk discovered printer names. In neither case is there any risk of a
of a forwarding loop causing a traffic storm, because no multicast forwarding loop causing a traffic storm, because no multicast packets
packets are being sent over the screen sharing or ssh connection. are being sent over the screen sharing or ssh connection.
The Discovery Proxy provides another way of performing remote The Discovery Proxy provides another way of performing remote
queries, just using a different protocol instead of screen sharing or queries, just using a different protocol instead of screen sharing or
ssh. ssh.
When the Discovery Proxy software performs Multicast DNS operations, When the Discovery Proxy software performs Multicast DNS operations,
the exact same Multicast DNS caching mechanisms are applied as when the exact same Multicast DNS caching mechanisms are applied as when
any other client software on that Discovery Proxy device performs any other client software on that Discovery Proxy device performs
Multicast DNS operations, whether that be running a printer browser Multicast DNS operations, whether that be running a printer browser
client locally, or a remote user running the printer browser client client locally, or a remote user running the printer browser client
via a screen sharing connection, or a remote user logged in via ssh via a screen sharing connection, or a remote user logged in via ssh
running a command-line tool like "dns-sd". running a command-line tool like "dns-sd".
3. Conventions and Terminology Used in this Document 3. Conventions and Terminology Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
"OPTIONAL" in this document are to be interpreted as described in and "OPTIONAL" in this document are to be interpreted as described
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119]. in "Key words for use in RFCs to Indicate Requirement Levels",
when, and only when, they appear in all capitals, as shown here
[RFC2119] [RFC8174].
The Discovery Proxy builds on Multicast DNS, which works between The Discovery Proxy builds on Multicast DNS, which works between
hosts on the same link. A set of hosts is considered to be "on the hosts on the same link. For the purposes of this document a set of
same link" if: hosts is considered to be "on the same link" if:
o when any host A from that set sends a packet to any other host B o when any host from that set sends a packet to any other host in
in that set, using unicast, multicast, or broadcast, the entire that set, using unicast, multicast, or broadcast, the entire link-
link-layer packet payload arrives unmodified, and layer packet payload arrives unmodified, and
o a broadcast sent over that link by any host from that set of hosts o a broadcast sent over that link, by any host from that set of
can be received by every other host in that set hosts, can be received by every other host in that set.
The link-layer *header* may be modified, such as in Token Ring Source The link-layer *header* may be modified, such as in Token Ring Source
Routing [IEEE-5], but not the link-layer *payload*. In particular, Routing [IEEE-5], but not the link-layer *payload*. In particular,
if any device forwarding a packet modifies any part of the IP header if any device forwarding a packet modifies any part of the IP header
or IP payload then the packet is no longer considered to be on the or IP payload then the packet is no longer considered to be on the
same link. This means that the packet may pass through devices such same link. This means that the packet may pass through devices such
as repeaters, bridges, hubs or switches and still be considered to be as repeaters, bridges, hubs or switches and still be considered to be
on the same link for the purpose of this document, but not through a on the same link for the purpose of this document, but not through a
device such as an IP router that decrements the IP TTL or otherwise device such as an IP router that decrements the IP TTL or otherwise
modifies the IP header. modifies the IP header.
skipping to change at page 8, line 5 skipping to change at page 7, line 50
Existing devices that advertise services using Multicast DNS work Existing devices that advertise services using Multicast DNS work
with Discovery Proxy. with Discovery Proxy.
Existing clients that support DNS-Based Service Discovery over Existing clients that support DNS-Based Service Discovery over
Unicast DNS work with Discovery Proxy. Service Discovery over Unicast DNS work with Discovery Proxy. Service Discovery over
Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is Unicast DNS was introduced in Mac OS X 10.4 in April 2005, as is
included in Apple products introduced since then, including iPhone included in Apple products introduced since then, including iPhone
and iPad, as well as products from other vendors, such as Microsoft and iPad, as well as products from other vendors, such as Microsoft
Windows 10. Windows 10.
An overview of the larger collection of related Service Discovery
technologies, and how Discovery Proxy relates to those, is given in
the Service Discovery Road Map document [Roadmap].
5. Discovery Proxy Operation 5. Discovery Proxy Operation
In a typical configuration, a Discovery Proxy is configured to be In a typical configuration, a Discovery Proxy is configured to be
authoritative [RFC1034] [RFC1035] for four DNS subdomains, and authoritative [RFC1034] [RFC1035] for four or more DNS subdomains,
authority for these subdomains is delegated to it via NS records: and authority for these subdomains is delegated to it via NS records:
A DNS subdomain for service discovery records. A DNS subdomain for service discovery records.
This subdomain name may contain rich text, including spaces and This subdomain name may contain rich text, including spaces and
other punctuation. This is because this subdomain name is used other punctuation. This is because this subdomain name is used
only in graphical user interfaces, where rich text is appropriate. only in graphical user interfaces, where rich text is appropriate.
A DNS subdomain for host name records. A DNS subdomain for host name records.
This subdomain name SHOULD be limited to letters, digits and This subdomain name SHOULD be limited to letters, digits and
hyphens, to facilitate convenient use of host names in command- hyphens, to facilitate convenient use of host names in command-
line interfaces. line interfaces.
A DNS subdomain for IPv6 Reverse Mapping records. One or more DNS subdomains for IPv4 Reverse Mapping records.
This subdomain name will be a name that ends in "ip6.arpa." These subdomains will have names that ends in "in-addr.arpa."
A DNS subdomain for IPv4 Reverse Mapping records. One or more DNS subdomains for IPv6 Reverse Mapping records.
This subdomain name will be a name that ends in "in-addr.arpa." These subdomains will have names that ends in "ip6.arpa."
In an enterprise network the naming and delegation of these In an enterprise network the naming and delegation of these
subdomains is typically performed by conscious action of the network subdomains is typically performed by conscious action of the network
administrator. In a home network naming and delegation would administrator. In a home network naming and delegation would
typically be performed using some automatic configuration mechanism typically be performed using some automatic configuration mechanism
such as HNCP [RFC7788]. such as HNCP [RFC7788].
These three varieties of delegated subdomains (service discovery, These three varieties of delegated subdomains (service discovery,
host names, and reverse mapping) are described below in sections host names, and reverse mapping) are described below in Section 5.1,
Section 5.1, Section 5.3 and Section 5.4. Section 5.3 and Section 5.4.
How a client discovers where to issue its service discovery queries How a client discovers where to issue its service discovery queries
is described below in section Section 5.2. is described below in Section 5.2.
5.1. Delegated Subdomain for Service Discovery Records 5.1. Delegated Subdomain for Service Discovery Records
In its simplest form, each link in an organization is assigned a In its simplest form, each link in an organization is assigned a
unique Unicast DNS domain name, such as "Building 1.example.com" or unique Unicast DNS domain name, such as "Building 1.example.com" or
"2nd Floor.Building 3.example.com". Grouping multiple links under a "2nd Floor.Building 3.example.com". Grouping multiple links under a
single Unicast DNS domain name is to be specified in a future single Unicast DNS domain name is to be specified in a future
companion document, but for the purposes of this document, assume companion document, but for the purposes of this document, assume
that each link has its own unique Unicast DNS domain name. In a that each link has its own unique Unicast DNS domain name. In a
graphical user interface these names are not displayed as strings graphical user interface these names are not displayed as strings
skipping to change at page 9, line 37 skipping to change at page 9, line 37
Figure 1: Illustrative GUI Figure 1: Illustrative GUI
Each named link in an organization has one or more Discovery Proxies Each named link in an organization has one or more Discovery Proxies
which serve it. This Discovery Proxy function for each link could be which serve it. This Discovery Proxy function for each link could be
performed by a device like a router or switch that is physically performed by a device like a router or switch that is physically
attached to that link. In the parent domain, NS records are used to attached to that link. In the parent domain, NS records are used to
delegate ownership of each defined link name delegate ownership of each defined link name
(e.g., "Building 1.example.com") to the one or more Discovery Proxies (e.g., "Building 1.example.com") to the one or more Discovery Proxies
that serve the named link. In other words, the Discovery Proxies are that serve the named link. In other words, the Discovery Proxies are
the authoritative name servers for that subdomain. the authoritative name servers for that subdomain. As in the rest of
DNS-Based Service Discovery, all names are represented as-is using
plain UTF-8 encoding, and, as described in Section 5.5.4, no text
encoding translations are performed.
With appropriate VLAN configuration [IEEE-1Q] a single Discovery With appropriate VLAN configuration [IEEE-1Q] a single Discovery
Proxy device could have a logical presence on many links, and serve Proxy device could have a logical presence on many links, and serve
as the Discovery Proxy for all those links. In such a configuration as the Discovery Proxy for all those links. In such a configuration
the Discovery Proxy device would have a single physical Ethernet the Discovery Proxy device would have a single physical Ethernet
[IEEE-3] port, configured as a VLAN trunk port, which would appear to [IEEE-3] port, configured as a VLAN trunk port, which would appear to
software on that device as multiple virtual Ethernet interfaces, one software on that device as multiple virtual Ethernet interfaces, one
connected to each of the VLAN links. connected to each of the VLAN links.
As an alternative to using VLAN technology, using a Multicast DNS
Discovery Relay [Relay] is another way that a Discovery Proxy can
have a 'virtual' presence on a remote link.
When a DNS-SD client issues a Unicast DNS query to discover services When a DNS-SD client issues a Unicast DNS query to discover services
in a particular Unicast DNS subdomain in a particular Unicast DNS subdomain
(e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS (e.g., "_printer._tcp.Building 1.example.com. PTR ?") the normal DNS
delegation mechanism results in that query being forwarded until it delegation mechanism results in that query being forwarded until it
reaches the delegated authoritative name server for that subdomain, reaches the delegated authoritative name server for that subdomain,
namely the Discovery Proxy on the link in question. Like a namely the Discovery Proxy on the link in question. Like a
conventional Unicast DNS server, a Discovery Proxy implements the conventional Unicast DNS server, a Discovery Proxy implements the
usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP. usual Unicast DNS protocol [RFC1034] [RFC1035] over UDP and TCP.
However, unlike a conventional Unicast DNS server that generates However, unlike a conventional Unicast DNS server that generates
answers from the data in its manually-configured zone file, a answers from the data in its manually-configured zone file, a
Discovery Proxy generates answers using Multicast DNS. A Discovery Discovery Proxy generates answers using Multicast DNS. A Discovery
Proxy does this by consulting its Multicast DNS cache and/or issuing Proxy does this by consulting its Multicast DNS cache and/or issuing
Multicast DNS queries for the corresponding Multicast DNS name, type Multicast DNS queries for the corresponding Multicast DNS name, type
and class, (e.g., in this case, "_printer._tcp.local. PTR ?"). Then, and class, (e.g., in this case, "_printer._tcp.local. PTR ?"). Then,
from the received Multicast DNS data, the Discovery Proxy synthesizes from the received Multicast DNS data, the Discovery Proxy synthesizes
the appropriate Unicast DNS response. How long the Discovery Proxy the appropriate Unicast DNS response. How long the Discovery Proxy
should wait to accumulate Multicast DNS responses is described below should wait to accumulate Multicast DNS responses is described below
in section Section 5.6. in Section 5.6.
Naturally, the existing Multicast DNS caching mechanism is used to The existing Multicast DNS caching mechanism is used to minimize
minimize unnecessary Multicast DNS queries on the wire. The unnecessary Multicast DNS queries on the wire. The Discovery Proxy
Discovery Proxy is acting as a client of the underlying Multicast DNS is acting as a client of the underlying Multicast DNS subsystem, and
subsystem, and benefits from the same caching and efficiency measures benefits from the same caching and efficiency measures as any other
as any other client using that subsystem. client using that subsystem.
5.2. Domain Enumeration 5.2. Domain Enumeration
A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR A DNS-SD client performs Domain Enumeration [RFC6763] via certain PTR
queries, using both unicast and multicast. If it receives a Domain queries, using both unicast and multicast. If it receives a Domain
Name configuration via DHCP option 15 [RFC2132], then it issues Name configuration via DHCP option 15 [RFC2132], then it issues
unicast queries using this domain. It issues unicast queries using unicast queries using this domain. It issues unicast queries using
names derived from its IPv6 prefix(es) and IPv4 subnet address(es). names derived from its IPv4 subnet address(es) and IPv6 prefix(es).
These are described below in Section 5.2.1. It also issues multicast These are described below in Section 5.2.1. It also issues multicast
Domain Enumeration queries in the "local" domain [RFC6762]. These Domain Enumeration queries in the "local" domain [RFC6762]. These
are described below in Section 5.2.2. The results of all the Domain are described below in Section 5.2.2. The results of all the Domain
Enumeration queries are combined for Service Discovery purposes. Enumeration queries are combined for Service Discovery purposes.
5.2.1. Domain Enumeration via Unicast Queries 5.2.1. Domain Enumeration via Unicast Queries
The administrator creates Domain Enumeration PTR records [RFC6763] to The administrator creates Domain Enumeration PTR records [RFC6763] to
inform clients of available service discovery domains, e.g.,: inform clients of available service discovery domains. Two varieties
of such Domain Enumeration PTR records exist; those with names
derived from the domain name communicated to the clients via DHCP,
and those with names derived from IPv4 subnet address(es) and IPv6
prefix(es) in use by the clients. Below is an example showing the
name-based variety:
b._dns-sd._udp.example.com. PTR Building 1.example.com. b._dns-sd._udp.example.com. PTR Building 1.example.com.
PTR Building 2.example.com. PTR Building 2.example.com.
PTR Building 3.example.com. PTR Building 3.example.com.
PTR Building 4.example.com. PTR Building 4.example.com.
db._dns-sd._udp.example.com. PTR Building 1.example.com. db._dns-sd._udp.example.com. PTR Building 1.example.com.
lb._dns-sd._udp.example.com. PTR Building 1.example.com. lb._dns-sd._udp.example.com. PTR Building 1.example.com.
The "b" ("browse") records tell the client device the list of The meaning of these records is defined in the DNS Service Discovery
browsing domains to display for the user to select from and the "db" specification [RFC6763] but for convenience is repeated here. The
("default browse") record tells the client device which domain in "b" ("browse") records tell the client device the list of browsing
that list should be selected by default. The "lb" ("legacy browse") domains to display for the user to select from. The "db" ("default
record tells the client device which domain to automatically browse browse") record tells the client device which domain in that list
on behalf of applications that don't implement UI for multi-domain should be selected by default. The "db" domain MUST be one of the
browsing (which is most of them, as of 2017). The "lb" domain is domains in the "b" list; if not then no domain is selected by
often the same as the "db" domain, or sometimes the "db" domain plus default. The "lb" ("legacy browse") record tells the client device
one or more others that should be included in the list of automatic which domain to automatically browse on behalf of applications that
browsing domains for legacy clients. don't implement UI for multi-domain browsing (which is most of them,
at the time of writing). The "lb" domain is often the same as the
"db" domain, or sometimes the "db" domain plus one or more others
that should be included in the list of automatic browsing domains for
legacy clients.
Note that in the example above, for clarity, space characters in
names are shown as actual spaces. If this data is manually entered
into a textual zone file for authoritative server software such as
BIND, care must be taken because the space character is used as a
field separator, and other characters like dot ('.'), semicolon
(';'), dollar ('$'), backslash ('\'), etc., also have special
meaning. These characters have to be escaped when entered into a
textual zone file, following the rules in Section 5.1 of the DNS
specification [RFC1035]. For example, a literal space in a name is
represented in the textual zone file using '\032', so "Building
1.example.com." is entered as "Building\0321.example.com."
DNS responses are limited to a maximum size of 65535 bytes. This DNS responses are limited to a maximum size of 65535 bytes. This
limits the maximum number of domains that can be returned for a limits the maximum number of domains that can be returned for a
Domain Enumeration query, as follows: Domain Enumeration query, as follows:
A DNS response header is 12 bytes. That's typically followed by a A DNS response header is 12 bytes. That's typically followed by a
single qname (up to 256 bytes) plus qtype (2 bytes) and qclass single qname (up to 256 bytes) plus qtype (2 bytes) and qclass
(2 bytes), leaving 65275 for the Answer Section. (2 bytes), leaving 65275 for the Answer Section.
An Answer Section Resource Record consists of: An Answer Section Resource Record consists of:
skipping to change at page 13, line 7 skipping to change at page 13, line 7
maximum-sized names, and there is some similarity between names so maximum-sized names, and there is some similarity between names so
that reasonable name compression is possible, each Answer that reasonable name compression is possible, each Answer
Section Resource Record may average 140 bytes, which means that the Section Resource Record may average 140 bytes, which means that the
Answer Section can contain up to 466 domains. Answer Section can contain up to 466 domains.
It is anticipated that this should be sufficient for even a large It is anticipated that this should be sufficient for even a large
corporate network or university campus. corporate network or university campus.
5.2.2. Domain Enumeration via Multicast Queries 5.2.2. Domain Enumeration via Multicast Queries
Since a Discovery Proxy exists on many, if not all, the links in an In the case where Discovery Proxy functionality is widely deployed
enterprise, it offers an additional way to provide Domain Enumeration within an enterprise (either by having a Discovery Proxy on each
data for clients. link, or by having a Discovery Proxy with a remote 'virtual' presence
on each link using VLANs or Multicast DNS Discovery Relays [Relay])
this offers an additional way to provide Domain Enumeration data for
clients.
A Discovery Proxy can be configured to generate Multicast DNS A Discovery Proxy can be configured to generate Multicast DNS
responses for the following Multicast DNS Domain Enumeration queries responses for the following Multicast DNS Domain Enumeration queries
issued by clients: issued by clients:
b._dns-sd._udp.local. PTR ? b._dns-sd._udp.local. PTR ?
db._dns-sd._udp.local. PTR ? db._dns-sd._udp.local. PTR ?
lb._dns-sd._udp.local. PTR ? lb._dns-sd._udp.local. PTR ?
This provides the ability for Discovery Proxies to indicate This provides the ability for Discovery Proxies to indicate
skipping to change at page 14, line 27 skipping to change at page 14, line 27
have to remember domain or instance names, or type them; users just have to remember domain or instance names, or type them; users just
have to be able to recognize what they see on the display and touch have to be able to recognize what they see on the display and touch
or click on the thing they want. or click on the thing they want.
In contrast, host names are often remembered and typed. Also, host In contrast, host names are often remembered and typed. Also, host
names have historically been used in command-line interfaces where names have historically been used in command-line interfaces where
spaces can be inconvenient. For this reason, host names have spaces can be inconvenient. For this reason, host names have
traditionally been restricted to letters, digits and hyphens (LDH), traditionally been restricted to letters, digits and hyphens (LDH),
with no spaces or other punctuation. with no spaces or other punctuation.
While we still want to allow rich text for DNS-SD service instance While we do want to allow rich text for DNS-SD service instance names
names and domains, it is advisable, for maximum compatibility with and domains, it is advisable, for maximum compatibility with existing
existing usage, to restrict host names to the traditional letter- usage, to restrict host names to the traditional letter-digit-hyphen
digit-hyphen rules. This means that while a service name rules. This means that while a service name
"My Printer._ipp._tcp.Building 1.example.com" is acceptable and "My Printer._ipp._tcp.Building 1.example.com" is acceptable and
desirable (it is displayed in a graphical user interface as an desirable (it is displayed in a graphical user interface as an
instance called "My Printer" in the domain "Building 1" at instance called "My Printer" in the domain "Building 1" at
"example.com"), a host name "My-Printer.Building 1.example.com" is "example.com"), a host name "My-Printer.Building 1.example.com" is
less desirable (because of the space in "Building 1"). less desirable (because of the space in "Building 1").
To accomodate this difference in allowable characters, a Discovery To accomodate this difference in allowable characters, a Discovery
Proxy SHOULD support having two separate subdomains delegated to it Proxy SHOULD support having two separate subdomains delegated to it
for each link it serves, one whose name is allowed to contain for each link it serves, one whose name is allowed to contain
arbitrary Net-Unicode text [RFC5198], and a second more constrained arbitrary Net-Unicode text [RFC5198], and a second more constrained
subdomain whose name is restricted to contain only letters, digits, subdomain whose name is restricted to contain only letters, digits,
and hyphens, to be used for host name records (names of 'A' and and hyphens, to be used for host name records (names of 'A' and
'AAAA' address records). 'AAAA' address records). The restricted names may be any valid name
consisting of only letters, digits, and hyphens, including Punycode-
encoded names [RFC3492].
For example, a Discovery Proxy could have the two subdomains For example, a Discovery Proxy could have the two subdomains
"Building 1.example.com" and "bldg1.example.com" delegated to it. "Building 1.example.com" and "bldg1.example.com" delegated to it.
The Discovery Proxy would then translate these two Multicast DNS The Discovery Proxy would then translate these two Multicast DNS
records: records:
My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local. My Printer._ipp._tcp.local. SRV 0 0 631 prnt.local.
prnt.local. A 203.0.113.2 prnt.local. A 203.0.113.2
into Unicast DNS records as follows: into Unicast DNS records as follows:
skipping to change at page 16, line 5 skipping to change at page 15, line 35
address records, but implementers choosing this option should be address records, but implementers choosing this option should be
aware that this choice may produce host names that are awkward to use aware that this choice may produce host names that are awkward to use
in command-line environments. Whether this is an issue depends on in command-line environments. Whether this is an issue depends on
whether users in the target environment are expected to be using whether users in the target environment are expected to be using
command-line interfaces. command-line interfaces.
A Discovery Proxy MUST NOT be restricted to support only a letter- A Discovery Proxy MUST NOT be restricted to support only a letter-
digit-hyphen subdomain, because that results in an unnecessarily poor digit-hyphen subdomain, because that results in an unnecessarily poor
user experience. user experience.
As described above in Section 5.2.1, for clarity, space characters in
names are shown as actual spaces. If this data were to be manually
entered into a textual zone file (which it isn't) then spaces would
need to be represented using '\032', so
"My Printer._ipp._tcp.Building 1.example.com." would become
"My\032Printer._ipp._tcp.Building\0321.example.com."
Note that the '\032' representation does not appear in the network
packets sent over the air. In the wire format of DNS messages,
spaces are sent as spaces, not as '\032', and likewise, in a
graphical user interface at the client device, spaces are shown as
spaces, not as '\032'.
5.4. Delegated Subdomain for Reverse Mapping 5.4. Delegated Subdomain for Reverse Mapping
A Discovery Proxy can facilitate easier management of reverse mapping A Discovery Proxy can facilitate easier management of reverse mapping
domains, particularly for IPv6 addresses where manual management may domains, particularly for IPv6 addresses where manual management may
be more onerous than it is for IPv4 addresses. be more onerous than it is for IPv4 addresses.
To achieve this, in the parent domain, NS records are used to To achieve this, in the parent domain, NS records are used to
delegate ownership of the appropriate reverse mapping domain to the delegate ownership of the appropriate reverse mapping domain to the
Discovery Proxy. In other words, the Discovery Proxy becomes the Discovery Proxy. In other words, the Discovery Proxy becomes the
authoritative name server for the reverse mapping domain. For fault authoritative name server for the reverse mapping domain. For fault
tolerance reasons there may be more than one Discovery Proxy serving tolerance reasons there may be more than one Discovery Proxy serving
a given link. a given link.
If a given link is using the IPv4 subnet 203.0.113/24,
then the domain "113.0.203.in-addr.arpa"
is delegated to the Discovery Proxy for that link.
For example, if a given link is using the For example, if a given link is using the
IPv6 prefix 2001:0DB8:1234:5678/64, IPv6 prefix 2001:0DB8:1234:5678/64,
then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" then the domain "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa"
is delegated to the Discovery Proxy for that link. is delegated to the Discovery Proxy for that link.
If a given link is using the IPv4 subnet 203.0.113/24,
then the domain "113.0.203.in-addr.arpa"
is delegated to the Discovery Proxy for that link.
When a reverse mapping query arrives at the Discovery Proxy, it When a reverse mapping query arrives at the Discovery Proxy, it
issues the identical query on its local link as a Multicast DNS issues the identical query on its local link as a Multicast DNS
query. The mechanism to force an apparently unicast name to be query. The mechanism to force an apparently unicast name to be
resolved using link-local Multicast DNS varies depending on the API resolved using link-local Multicast DNS varies depending on the API
set being used. For example, in the "/usr/include/dns_sd.h" APIs set being used. For example, in the "dns_sd.h" APIs
(available on macOS, iOS, Bonjour for Windows, Linux and Android), (available on macOS, iOS, Bonjour for Windows, Linux and Android),
using kDNSServiceFlagsForceMulticast indicates that the using kDNSServiceFlagsForceMulticast indicates that the
DNSServiceQueryRecord() call should perform the query using Multicast DNSServiceQueryRecord() call should perform the query using Multicast
DNS. Other APIs sets have different ways of forcing multicast DNS. Other APIs sets have different ways of forcing multicast
queries. When the host owning that IPv6 or IPv4 address responds queries. When the host owning that IPv4 or IPv6 address responds
with a name of the form "something.local", the Discovery Proxy with a name of the form "something.local", the Discovery Proxy
rewrites that to use its configured LDH host name domain instead of rewrites that to use its configured LDH host name domain instead of
"local", and returns the response to the caller. "local", and returns the response to the caller.
For example, a Discovery Proxy with the two subdomains For example, a Discovery Proxy with the two subdomains
"113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it "113.0.203.in-addr.arpa" and "bldg1.example.com" delegated to it
would translate this Multicast DNS record: would translate this Multicast DNS record:
2.113.0.203.in-addr.arpa. PTR prnt.local. 2.113.0.203.in-addr.arpa. PTR prnt.local.
skipping to change at page 18, line 5 skipping to change at page 17, line 22
2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com. 2.113.0.203.in-addr.arpa. PTR prnt.bldg1.example.com.
Subsequent queries for the prnt.bldg1.example.com address record, Subsequent queries for the prnt.bldg1.example.com address record,
falling as it does within the bldg1.example.com domain, which is falling as it does within the bldg1.example.com domain, which is
delegated to the Discovery Proxy, will arrive at the Discovery Proxy, delegated to the Discovery Proxy, will arrive at the Discovery Proxy,
where they are answered by issuing Multicast DNS queries and using where they are answered by issuing Multicast DNS queries and using
the received Multicast DNS answers to synthesize Unicast DNS the received Multicast DNS answers to synthesize Unicast DNS
responses, as described above. responses, as described above.
Note that this design assumes that all addresses on a given IPv4
subnet or IPv6 prefix are mapped to hostnames using the Discovery
Proxy mechanism. It would be possible to implement a Discovery Proxy
that can be configured so that some address-to-name mappings are
performed using Multicast DNS on the local link, while other address-
to-name mappings within the same IPv4 subnet or IPv6 prefix are
configured manually.
5.5. Data Translation 5.5. Data Translation
Generating the appropriate Multicast DNS queries involves, Generating the appropriate Multicast DNS queries involves,
at the very least, translating from the configured DNS domain at the very least, translating from the configured DNS domain
(e.g., "Building 1.example.com") on the Unicast DNS side to "local" (e.g., "Building 1.example.com") on the Unicast DNS side to "local"
on the Multicast DNS side. on the Multicast DNS side.
Generating the appropriate Unicast DNS responses involves translating Generating the appropriate Unicast DNS responses involves translating
back from "local" to the appropriate configured DNS Unicast domain. back from "local" to the appropriate configured DNS Unicast domain.
skipping to change at page 18, line 26 skipping to change at page 18, line 26
below. below.
5.5.1. DNS TTL limiting 5.5.1. DNS TTL limiting
For efficiency, Multicast DNS typically uses moderately high DNS TTL For efficiency, Multicast DNS typically uses moderately high DNS TTL
values. For example, the typical TTL on DNS-SD PTR records is 75 values. For example, the typical TTL on DNS-SD PTR records is 75
minutes. What makes these moderately high TTLs acceptable is the minutes. What makes these moderately high TTLs acceptable is the
cache coherency mechanisms built in to the Multicast DNS protocol cache coherency mechanisms built in to the Multicast DNS protocol
which protect against stale data persisting for too long. When a which protect against stale data persisting for too long. When a
service shuts down gracefully, it sends goodbye packets to remove its service shuts down gracefully, it sends goodbye packets to remove its
PTR records immediately from neighbouring caches. If a service shuts PTR records immediately from neighboring caches. If a service shuts
down abruptly without sending goodbye packets, the Passive down abruptly without sending goodbye packets, the Passive
Observation Of Failures (POOF) mechanism described in Section 10.5 of Observation Of Failures (POOF) mechanism described in Section 10.5 of
the Multicast DNS specification [RFC6762] comes into play to purge the Multicast DNS specification [RFC6762] comes into play to purge
the cache of stale data. the cache of stale data.
A traditional Unicast DNS client on a remote link does not get to A traditional Unicast DNS client on a distant remote link does not
participate in these Multicast DNS cache coherency mechanisms on the get to participate in these Multicast DNS cache coherency mechanisms
local link. For traditional Unicast DNS queries (those received on the local link. For traditional Unicast DNS queries (those
without using Long-Lived Query [LLQ] or DNS Push Notification [PUSH]) received without using Long-Lived Query [DNS-LLQ] or DNS Push
the DNS TTLs reported in the resulting Unicast DNS response SHOULD be Notification subscriptions [Push]) the DNS TTLs reported in the
capped to be no more than ten seconds. resulting Unicast DNS response MUST be capped to be no more than ten
seconds.
Similarly, for negative responses, the negative caching TTL indicated Similarly, for negative responses, the negative caching TTL indicated
in the SOA record [RFC2308] should also be ten seconds (Section 6.1). in the SOA record [RFC2308] should also be ten seconds (Section 6.1).
This value of ten seconds is chosen based on user-experience This value of ten seconds is chosen based on user-experience
considerations. considerations.
For negative caching, suppose a user is attempting to access a remote For negative caching, suppose a user is attempting to access a remote
device (e.g., a printer), and they are unsuccessful because that device (e.g., a printer), and they are unsuccessful because that
device is powered off. Suppose they then place a telephone call and device is powered off. Suppose they then place a telephone call and
skipping to change at page 19, line 21 skipping to change at page 19, line 23
or other renumbering events, we would like the updated information to or other renumbering events, we would like the updated information to
be available to remote clients in a relatively timely fashion. be available to remote clients in a relatively timely fashion.
However, network administrators should be aware that many recursive However, network administrators should be aware that many recursive
(caching) DNS servers by default are configured to impose a minimum (caching) DNS servers by default are configured to impose a minimum
TTL of 30 seconds. If stale data appears to be persisting in the TTL of 30 seconds. If stale data appears to be persisting in the
network to the extent that it adversely impacts user experience, network to the extent that it adversely impacts user experience,
network administrators are advised to check the configuration of network administrators are advised to check the configuration of
their recursive DNS servers. their recursive DNS servers.
For received Unicast DNS queries that use LLQ or DNS Push For received Unicast DNS queries that use LLQ [DNS-LLQ] or DNS Push
Notification, the Multicast DNS record's TTL SHOULD be returned Notifications [Push], the Multicast DNS record's TTL SHOULD be
unmodified, because the Push Notification channel exists to inform returned unmodified, because the Push Notification channel exists to
the remote client as records come and go. For further details about inform the remote client as records come and go. For further details
Long-Lived Queries, and its newer replacement, DNS Push about Long-Lived Queries, and its newer replacement, DNS Push
Notifications, see Section 5.6. Notifications, see Section 5.6.
5.5.2. Suppressing Unusable Records 5.5.2. Suppressing Unusable Records
A Discovery Proxy SHOULD suppress Unicast DNS answers for records A Discovery Proxy SHOULD suppress Unicast DNS answers for records
that are not useful outside the local link. For example, DNS AAAA that are not useful outside the local link. For example, DNS A and
and A records for IPv6 link-local addresses [RFC4862] and IPv4 link- AAAA records for IPv4 link-local addresses [RFC3927] and IPv6 link-
local addresses [RFC3927] SHOULD be suppressed. Similarly, for sites local addresses [RFC4862] SHOULD be suppressed. Similarly, for sites
that have multiple private address realms [RFC1918], in cases where that have multiple private address realms [RFC1918], in cases where
the Discovery Proxy can determine that the querying client is in a the Discovery Proxy can determine that the querying client is in a
different address realm, private addresses MUST NOT be communicated different address realm, private addresses SHOULD NOT be communicated
to that client. IPv6 Unique Local Addresses [RFC4193] SHOULD be to that client. IPv6 Unique Local Addresses [RFC4193] SHOULD be
suppressed in cases where the Discovery Proxy can determine that the suppressed in cases where the Discovery Proxy can determine that the
querying client is in a different IPv6 address realm. querying client is in a different IPv6 address realm.
By the same logic, DNS SRV records that reference target host names By the same logic, DNS SRV records that reference target host names
that have no addresses usable by the requester should be suppressed, that have no addresses usable by the requester should be suppressed,
and likewise, DNS PTR records that point to unusable SRV records and likewise, DNS PTR records that point to unusable SRV records
should be similarly be suppressed. should be similarly be suppressed.
5.5.3. NSEC and NSEC3 queries 5.5.3. NSEC and NSEC3 queries
Since a Discovery Proxy only knows what names exist on the local link Multicast DNS devices do not routinely announce their records on the
by issuing queries for them, and since it would be impractical to network. Generally they remain silent until queried. This means
issue queries for every possible name just to find out which names that the complete set of Multicast DNS records in use on a link can
exist and which do not, a Discovery Proxy cannot programatically only be discovered by active querying, not by passive listening.
generate the traditional NSEC and NSEC3 records which assert the Because of this, a Discovery Proxy can only know what names exist on
nonexistence of a large range of names. a link by issuing queries for them, and since it would be impractical
to issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programmatically
generate the traditional NSEC [RFC4034] and NSEC3 [RFC5155] records
which assert the nonexistence of a large range of names.
When queried for an NSEC or NSEC3 record type, the Discovery Proxy When queried for an NSEC or NSEC3 record type, the Discovery Proxy
issues a qtype "ANY" query using Multicast DNS on the local link, and issues a qtype "ANY" query using Multicast DNS on the local link, and
then generates an NSEC or NSEC3 response signifying which record then generates an NSEC or NSEC3 response with a Type Bit Map
types do and do not exist just the specific name queried, and no signifying which record types do and do not exist for just the
others. specific name queried, and no other names.
Multicast DNS NSEC records received on the local link MUST NOT be Multicast DNS NSEC records received on the local link MUST NOT be
forwarded unmodified to a unicast querier, because there are slight forwarded unmodified to a unicast querier, because there are slight
differences in the NSEC record data. In particular, Multicast DNS differences in the NSEC record data. In particular, Multicast DNS
NSEC records do not have the NSEC bit set in the Type Bit Map, NSEC records do not have the NSEC bit set in the Type Bit Map,
whereas conventional Unicast DNS NSEC records do have the NSEC bit whereas conventional Unicast DNS NSEC records do have the NSEC bit
set. set.
5.5.4. No Text Encoding Translation 5.5.4. No Text Encoding Translation
A Discovery Proxy does no translation between text encodings. A Discovery Proxy does no translation between text encodings.
Specifically, a Discovery Proxy does no translation between Punycode Specifically, a Discovery Proxy does no translation between Punycode
and UTF-8, either in the owner name of DNS records, or anywhere in encoding [RFC3492] and UTF-8 encoding [RFC3629], either in the owner
the RDATA of DNS records (such as the RDATA of PTR records, SRV name of DNS records, or anywhere in the RDATA of DNS records (such as
records, NS records, or other record types like TXT, where it is the RDATA of PTR records, SRV records, NS records, or other record
ambiguous whether the RDATA may contain DNS names). All bytes are types like TXT, where it is ambiguous whether the RDATA may contain
treated as-is, with no attempt at text encoding translation. A DNS names). All bytes are treated as-is, with no attempt at text
client implementing DNS-based Service Discovery [RFC6763] will use encoding translation. A client implementing DNS-based Service
UTF-8 encoding for its service discovery queries, which the Discovery Discovery [RFC6763] will use UTF-8 encoding for its service discovery
Proxy passes through without any text encoding translation to the queries, which the Discovery Proxy passes through without any text
Multicast DNS subsystem. Responses from the Multicast DNS subsystem encoding translation to the Multicast DNS subsystem. Responses from
are similarly returned, without any text encoding translation, back the Multicast DNS subsystem are similarly returned, without any text
to the requesting client. encoding translation, back to the requesting client.
5.5.5. Application-Specific Data Translation 5.5.5. Application-Specific Data Translation
There may be cases where Application-Specific Data Translation is There may be cases where Application-Specific Data Translation is
appropriate. appropriate.
For example, AirPrint printers tend to advertise fairly verbose For example, AirPrint printers tend to advertise fairly verbose
information about their capabilities in their DNS-SD TXT record. TXT information about their capabilities in their DNS-SD TXT record. TXT
record sizes in the range 500-1000 bytes are not uncommon. This record sizes in the range 500-1000 bytes are not uncommon. This
information is a legacy from LPR printing, because LPR does not have information is a legacy from LPR printing, because LPR does not have
skipping to change at page 21, line 44 skipping to change at page 21, line 44
larger scope. It is easy to translate ".local" names when they larger scope. It is easy to translate ".local" names when they
appear in well-defined places, either as a record's name, or in the appear in well-defined places, either as a record's name, or in the
rdata of record types like PTR and SRV. In the printing case, some rdata of record types like PTR and SRV. In the printing case, some
application-specific knowledge about the semantics of the "adminurl" application-specific knowledge about the semantics of the "adminurl"
key is needed for the Discovery Proxy to know that it contains a name key is needed for the Discovery Proxy to know that it contains a name
that needs to be translated. This is somewhat analogous to the need that needs to be translated. This is somewhat analogous to the need
for NAT gateways to contain ALGs (Application-Specific Gateways) to for NAT gateways to contain ALGs (Application-Specific Gateways) to
facilitate the correct translation of protocols that embed addresses facilitate the correct translation of protocols that embed addresses
in unexpected places. in unexpected places.
As is the case with NAT ALGs, protocol designers are advised to avoid To avoid the need for application-specific knowledge about the
communicating names and addresses in nonstandard locations, because semantics of particular TXT record keys, protocol designers are
those "hidden" names and addresses are at risk of not being advised to avoid placing link-local names or link-local IP addresses
translated when necessary, resulting in operational failures. In the in TXT record keys, if translation of those names or addresses would
printing case, the operational failure of failing to translate the be required for off-link operation. In the printing case, the
"adminurl" key correctly is that, when accessed from a different operational failure of failing to translate the "adminurl" key
link, printing will still work, but clicking the "Admin" UI button correctly is that, when accessed from a different link, printing will
will fail to open the printer's administration page. Rather than still work, but clicking the "Admin" UI button will fail to open the
duplicating the host name from the service's SRV record in its printer's administration page. Rather than duplicating the host name
"adminurl" key, thereby having the same host name appear in two from the service's SRV record in its "adminurl" key, thereby having
places, a better design might have been to omit the host name from the same host name appear in two places, a better design might have
the "adminurl" key, and instead have the client implicitly substitute been to omit the host name from the "adminurl" key, and instead have
the target host name from the service's SRV record in place of a the client implicitly substitute the target host name from the
missing host name in the "adminurl" key. That way the desired host service's SRV record in place of a missing host name in the
name only appears once, and it is in a well-defined place where "adminurl" key. That way the desired host name only appears once,
software like the Discovery Proxy is expecting to find it. and it is in a well-defined place where software like the Discovery
Proxy is expecting to find it.
Note that this kind of Application-Specific Data Translation is Note that this kind of Application-Specific Data Translation is
expected to be very rare. It is the exception, rather than the rule. expected to be very rare. It is the exception, rather than the rule.
This is an example of a common theme in computing. It is frequently This is an example of a common theme in computing. It is frequently
the case that it is wise to start with a clean, layered design, with the case that it is wise to start with a clean, layered design, with
clear boundaries. Then, in certain special cases, those layer clear boundaries. Then, in certain special cases, those layer
boundaries may be violated, where the performance and efficiency boundaries may be violated, where the performance and efficiency
benefits outweigh the inelegance of the layer violation. benefits outweigh the inelegance of the layer violation.
These layer violations are optional. They are done primarily for These layer violations are optional. They are done primarily for
skipping to change at page 23, line 29 skipping to change at page 23, line 29
the subdomain in question -- needs to decide what DNS TTL to report the subdomain in question -- needs to decide what DNS TTL to report
for these records. If the TTL is too long then the recursive for these records. If the TTL is too long then the recursive
(caching) name servers issuing queries on behalf of their clients (caching) name servers issuing queries on behalf of their clients
risk caching stale data for too long. If the TTL is too short then risk caching stale data for too long. If the TTL is too short then
the amount of network traffic will be more than necessary. In fact, the amount of network traffic will be more than necessary. In fact,
there may be no TTL which is both short enough to avoid undesirable there may be no TTL which is both short enough to avoid undesirable
stale data and at the same time long enough to be efficient on the stale data and at the same time long enough to be efficient on the
network. network.
Both these dilemmas are solved by use of DNS Long-Lived Queries Both these dilemmas are solved by use of DNS Long-Lived Queries
(DNS LLQ) [LLQ] or its newer replacement, DNS Push Notifications (DNS LLQ) [DNS-LLQ] or its newer replacement, DNS Push Notifications
[PUSH]. [Push].
Clients supporting unicast DNS Service Discovery SHOULD implement DNS Clients supporting unicast DNS Service Discovery SHOULD implement DNS
Push Notifications [PUSH] for improved user experience. Push Notifications [Push] for improved user experience.
Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push, Clients and Discovery Proxies MAY support both DNS LLQ and DNS Push,
and when talking to a Discovery Proxy that supports both, the client and when talking to a Discovery Proxy that supports both, the client
may use either protocol, as it chooses, though it is expected that may use either protocol, as it chooses, though it is expected that
only DNS Push will continue to be supported in the long run. only DNS Push will continue to be supported in the long run.
When a Discovery Proxy receives a query using DNS LLQ or DNS Push When a Discovery Proxy receives a query using DNS LLQ or DNS Push
Notification, it responds immediately using the Multicast DNS records Notifications, it responds immediately using the Multicast DNS
it already has in its cache (if any). This provides a good client records it already has in its cache (if any). This provides a good
user experience by providing a near-instantaneous response. client user experience by providing a near-instantaneous response.
Simultaneously, the Discovery Proxy issues a Multicast DNS query on Simultaneously, the Discovery Proxy issues a Multicast DNS query on
the local link to discover if there are any additional Multicast DNS the local link to discover if there are any additional Multicast DNS
records it did not already know about. Should additional Multicast records it did not already know about. Should additional Multicast
DNS responses be received, these are then delivered to the client DNS responses be received, these are then delivered to the client
using additional DNS LLQ or DNS Push Notification update messages. using additional DNS LLQ or DNS Push Notification update messages.
The timeliness of such update messages is limited only by the The timeliness of such update messages is limited only by the
timeliness of the device responding to the Multicast DNS query. If timeliness of the device responding to the Multicast DNS query. If
the Multicast DNS device responds quickly, then the update message is the Multicast DNS device responds quickly, then the update message is
delivered quickly. If the Multicast DNS device responds slowly, then delivered quickly. If the Multicast DNS device responds slowly, then
the update message is delivered slowly. The benefit of using update the update message is delivered slowly. The benefit of using update
skipping to change at page 24, line 21 skipping to change at page 24, line 21
DNS device taking even longer than that (e.g., a device that is not DNS device taking even longer than that (e.g., a device that is not
even powered on until ten seconds after the initial query is even powered on until ten seconds after the initial query is
received) resulting in incomplete responses. Using update message received) resulting in incomplete responses. Using update message
solves this dilemma: even very late responses are not lost; they are solves this dilemma: even very late responses are not lost; they are
delivered in subsequent update messages. delivered in subsequent update messages.
There are two factors that determine specifically how responses are There are two factors that determine specifically how responses are
generated: generated:
The first factor is whether the query from the client used LLQ or DNS The first factor is whether the query from the client used LLQ or DNS
Push Notification (typical with long-lived service browsing PTR Push Notifications (used for long-lived service browsing PTR queries)
queries) or not (typical with one-shot operations like SRV or address or not (used for one-shot operations like SRV or address record
record queries). Note that queries using LLQ or DNS Push queries). Note that queries using LLQ or DNS Push Notifications are
Notification are received directly from the client. Queries not received directly from the client. Queries not using LLQ or DNS Push
using LLQ or DNS Push Notification are generally received via the Notifications are generally received via the client's configured
client's configured recursive (caching) name server. recursive (caching) name server.
The second factor is whether the Discovery Proxy already has at least The second factor is whether the Discovery Proxy already has at least
one record in its cache that positively answers the question. one record in its cache that positively answers the question.
o Not using LLQ or Push Notification; no answer in cache: o Not using LLQ or Push Notifications; no answer in cache:
Issue an mDNS query, exactly as a local client would issue an mDNS Issue an mDNS query, exactly as a local client would issue an mDNS
query on the local link for the desired record name, type and query on the local link for the desired record name, type and
class, including retransmissions, as appropriate, according to the class, including retransmissions, as appropriate, according to the
established mDNS retransmission schedule [RFC6762]. As soon as established mDNS retransmission schedule [RFC6762]. As soon as
any Multicast DNS response packet is received that contains one or any Multicast DNS response packet is received that contains one or
more positive answers to that question (with or without the Cache more positive answers to that question (with or without the Cache
Flush bit [RFC6762] set), or a negative answer (signified via a Flush bit [RFC6762] set), or a negative answer (signified via a
Multicast DNS NSEC record [RFC6762]), the Discovery Proxy Multicast DNS NSEC record [RFC6762]), the Discovery Proxy
generates a Unicast DNS response packet containing the generates a Unicast DNS response packet containing the
corresponding (filtered and translated) answers and sends it to corresponding (filtered and translated) answers and sends it to
the remote client. If after six seconds no Multicast DNS answers the remote client. If after six seconds no Multicast DNS answers
have been received, return a negative response to the remote have been received, return a negative response to the remote
client. Six seconds is enough time to transmit three mDNS client. Six seconds is enough time to transmit three mDNS
queries, and allow some time for responses to arrive. queries, and allow some time for responses to arrive.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses MUST be capped to at most ten seconds.
(Reasoning: Queries not using LLQ or Push Notifications are
o Not using LLQ or Push Notification; at least one answer in cache: generally queries that that expect an answer from only one device,
so the first response is also the only response.)
o Not using LLQ or Push Notifications; at least one answer in cache:
Send response right away to minimise delay. Send response right away to minimise delay.
DNS TTLs in responses are capped to at most ten seconds. DNS TTLs in responses MUST be capped to at most ten seconds.
No local mDNS queries are performed. No local mDNS queries are performed.
(Reasoning: Given RRSet TTL harmonisation, if the proxy has one (Reasoning: Queries not using LLQ or Push Notifications are
Multicast DNS answer in its cache, it can reasonably assume that generally queries that that expect an answer from only one device.
it has all of them.) Given RRSet TTL harmonisation, if the proxy has one Multicast DNS
answer in its cache, it can reasonably assume that it has all of
them.)
o Using LLQ or Push Notification; no answer in cache: o Using LLQ or Push Notifications; no answer in cache:
As in the case above with no answer in the cache, perform mDNS As in the case above with no answer in the cache, perform mDNS
querying for six seconds, and send a response to the remote client querying for six seconds, and send a response to the remote client
as soon as any relevant mDNS response is received. as soon as any relevant mDNS response is received.
If after six seconds no relevant mDNS response has been received, If after six seconds no relevant mDNS response has been received,
return negative response to the remote client (for LLQ; not return negative response to the remote client (for LLQ; not
applicable for PUSH). applicable for Push Notifications).
(Reasoning: We don't need to rush to send an empty answer.) (Reasoning: We don't need to rush to send an empty answer.)
Whether or not a relevant mDNS response is received within six Whether or not a relevant mDNS response is received within six
seconds, the query remains active for as long as the client seconds, the query remains active for as long as the client
maintains the LLQ or PUSH state, and if mDNS answers are received maintains the LLQ or Push Notification state, and if mDNS answers
later, LLQ or PUSH update messages are sent. are received later, LLQ or Push Notification messages are sent.
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
o Using LLQ or Push Notification; at least one answer in cache: o Using LLQ or Push Notifications; at least one answer in cache:
As in the case above with at least one answer in cache, send As in the case above with at least one answer in cache, send
response right away to minimise delay. response right away to minimise delay.
The query remains active for as long as the client maintains the The query remains active for as long as the client maintains the
LLQ or PUSH state, and if additional mDNS answers are received LLQ or Push Notification state, and results in transmission of
later, LLQ or PUSH update messages are sent. mDNS queries, with appropriate Known Answer lists, to determine if
further answers are available. If additional mDNS answers are
received later, LLQ or Push Notification messages are sent.
(Reasoning: We want UI that is displayed very rapidly, yet (Reasoning: We want UI that is displayed very rapidly, yet
continues to remain accurate even as the network environment continues to remain accurate even as the network environment
changes.) changes.)
DNS TTLs in responses are returned unmodified. DNS TTLs in responses are returned unmodified.
Note that the "negative responses" referred to above are "no error no Note that the "negative responses" referred to above are "no error no
answer" negative responses, not NXDOMAIN. This is because the answer" negative responses, not NXDOMAIN. This is because the
Discovery Proxy cannot know all the Multicast DNS domain names that Discovery Proxy cannot know all the Multicast DNS domain names that
may exist on a link at any given time, so any name with no answers may exist on a link at any given time, so any name with no answers
may have child names that do exist, making it an "empty nonterminal" may have child names that do exist, making it an "empty nonterminal"
skipping to change at page 27, line 20 skipping to change at page 27, line 20
Proxy devices on the link. Proxy devices on the link.
Each Discovery Proxy device MUST be configured with its own NS Each Discovery Proxy device MUST be configured with its own NS
record, and with the NS records of its fellow Discovery Proxy devices record, and with the NS records of its fellow Discovery Proxy devices
on the same link, so that it can return the correct answers for NS on the same link, so that it can return the correct answers for NS
queries. queries.
6.3. DNS SRV Records 6.3. DNS SRV Records
In the event that a Discovery Proxy implements Long-Lived Queries In the event that a Discovery Proxy implements Long-Lived Queries
[LLQ] and/or DNS Push Notifications [PUSH] (as most SHOULD) they MUST [DNS-LLQ] and/or DNS Push Notifications [Push] (as most SHOULD) they
generate answers for the appropriate corresponding MUST generate answers for the appropriate corresponding
_dns-llq._udp.<zone> and/or _dns-push-tls._tcp.<zone> SRV record _dns-llq._udp.<zone> and/or _dns-push-tls._tcp.<zone> SRV record
queries. These records are conceptually inserted into the namespace queries. These records are conceptually inserted into the namespace
of the corresponding zones. They do not exist in the ".local" of the relevant zones. They do not exist in the corresponding
namespace of the local link. ".local" namespace of the local link.
7. DNSSEC Considerations 7. DNSSEC Considerations
7.1. On-line signing only 7.1. On-line signing only
The Discovery Proxy acts as the authoritative name server for The Discovery Proxy acts as the authoritative name server for
designated subdomains, and if DNSSEC is to be used, the Discovery designated subdomains, and if DNSSEC is to be used, the Discovery
Proxy needs to possess a copy of the signing keys, in order to Proxy needs to possess a copy of the signing keys, in order to
generate authoritative signed data from the local Multicast DNS generate authoritative signed data from the local Multicast DNS
responses it receives. Off-line signing not applicable to Discovery responses it receives. Off-line signing is not applicable to
Proxy. Discovery Proxy.
7.2. NSEC and NSEC3 Records 7.2. NSEC and NSEC3 Records
In DNSSEC, NSEC and NSEC3 records are used to assert the nonexistence In DNSSEC NSEC [RFC4034] and NSEC3 [RFC5155] records are used to
of certain names, also described as "authenticated denial of assert the nonexistence of certain names, also described as
existence". "authenticated denial of existence".
Since a Discovery Proxy only knows what names exist on the local link Since a Discovery Proxy only knows what names exist on the local link
by issuing queries for them, and since it would be impractical to by issuing queries for them, and since it would be impractical to
issue queries for every possible name just to find out which names issue queries for every possible name just to find out which names
exist and which do not, a Discovery Proxy cannot programatically exist and which do not, a Discovery Proxy cannot programmatically
synthesize the traditional NSEC and NSEC3 records which assert the synthesize the traditional NSEC and NSEC3 records which assert the
nonexistence of a large range names. Instead, when generating a nonexistence of a large range of names. Instead, when generating a
negative response, a Discovery Proxy programatically synthesizes a negative response, a Discovery Proxy programmatically synthesizes a
single NSEC record assert the nonexistence of just the specific name single NSEC record assert the nonexistence of just the specific name
queried, and no others. Since the Discovery Proxy has the zone queried, and no others. Since the Discovery Proxy has the zone
signing key, it can do this on demand. Since the NSEC record asserts signing key, it can do this on demand. Since the NSEC record asserts
the nonexistence of only a single name, zone walking is not a the nonexistence of only a single name, zone walking is not a
concern, so NSEC3 is not necessary. concern, so NSEC3 is not necessary.
Note that this applies only to traditional immediate DNS queries, Note that this applies only to traditional immediate DNS queries,
which may return immediate negative answers when no immediate which may return immediate negative answers when no immediate
positive answer is available. When used with a DNS Push Notification positive answer is available. When used with a DNS Push Notification
subscription [PUSH] there are no negative answers, merely the absence subscription [Push] there are no negative answers, merely the absence
of answers so far, which may change in the future if answers become of answers so far, which may change in the future if answers become
available. available.
8. IPv6 Considerations 8. IPv6 Considerations
An IPv6-only host and an IPv4-only host behave as "ships that pass in An IPv4-only host and an IPv6-only host behave as "ships that pass in
the night". Even if they are on the same Ethernet [IEEE-3], neither the night". Even if they are on the same Ethernet [IEEE-3], neither
is aware of the other's traffic. For this reason, each link may have is aware of the other's traffic. For this reason, each link may have
*two* unrelated ".local." zones, one for IPv6 and one for IPv4. *two* unrelated ".local." zones, one for IPv4 and one for IPv6.
Since for practical purposes, a group of IPv6-only hosts and a group Since for practical purposes, a group of IPv4-only hosts and a group
of IPv4-only hosts on the same Ethernet act as if they were on two of IPv6-only hosts on the same Ethernet act as if they were on two
entirely separate Ethernet segments, it is unsurprising that their entirely separate Ethernet segments, it is unsurprising that their
use of the ".local." zone should occur exactly as it would if they use of the ".local." zone should occur exactly as it would if they
really were on two entirely separate Ethernet segments. really were on two entirely separate Ethernet segments.
It will be desirable to have a mechanism to 'stitch' together these It will be desirable to have a mechanism to 'stitch' together these
two unrelated ".local." zones so that they appear as one. Such two unrelated ".local." zones so that they appear as one. Such
mechanism will need to be able to differentiate between a dual-stack mechanism will need to be able to differentiate between a dual-stack
(v4/v6) host participating in both ".local." zones, and two different (v4/v6) host participating in both ".local." zones, and two different
hosts, one IPv6-only and the other IPv4-only, which are both trying hosts, one IPv4-only and the other IPv6-only, which are both trying
to use the same name(s). Such a mechanism will be specified in a to use the same name(s). Such a mechanism will be specified in a
future companion document. future companion document.
At present, it is RECOMMENDED that a Discovery Proxy be configured At present, it is RECOMMENDED that a Discovery Proxy be configured
with a single domain name for both the IPv4 and IPv6 ".local." zones with a single domain name for both the IPv4 and IPv6 ".local." zones
on the local link, and when a unicast query is received, it should on the local link, and when a unicast query is received, it should
issue Multicast DNS queries using both IPv4 and IPv6 on the local issue Multicast DNS queries using both IPv4 and IPv6 on the local
link, and then combine the results. link, and then combine the results.
9. Security Considerations 9. Security Considerations
skipping to change at page 30, line 32 skipping to change at page 30, line 32
services become visible in a domain such as "My House.example.com" services become visible in a domain such as "My House.example.com"
that might indicate to (potentially hostile) observers that the that might indicate to (potentially hostile) observers that the
mobile device is in my house. When those services disappear from mobile device is in my house. When those services disappear from
"My House.example.com" that change could be used by observers to "My House.example.com" that change could be used by observers to
infer when the mobile device (and possibly its owner) may have left infer when the mobile device (and possibly its owner) may have left
the house. The privacy of this information may be protected using the house. The privacy of this information may be protected using
techniques like firewalls, split-view DNS, and Virtual Private techniques like firewalls, split-view DNS, and Virtual Private
Networks (VPNs), as are customarily used today to protect the privacy Networks (VPNs), as are customarily used today to protect the privacy
of corporate DNS information. of corporate DNS information.
The privacy issue is particularly serious for the IPv4 and IPv6
reverse zones. If the public delegation of the reverse zones points
to the Discovery Proxy, and the Discovery Proxy is reachable
globally, then it could leak a significant amount of information.
Attackers could discover hosts that otherwise might not be easy to
identify, and learn their hostnames. Attackers could also discover
the existence of links where hosts frequently come and go.
The Discovery Proxy could also provide sensitive records only to The Discovery Proxy could also provide sensitive records only to
authenticated users. This is a general DNS problem, not specific to authenticated users. This is a general DNS problem, not specific to
the Discovery Proxy. Work is underway in the IETF to tackle this the Discovery Proxy. Work is underway in the IETF to tackle this
problem [RFC7626]. problem [RFC7626].
9.3. Denial of Service 9.3. Denial of Service
A remote attacker could use a rapid series of unique Unicast DNS A remote attacker could use a rapid series of unique Unicast DNS
queries to induce a Discovery Proxy to generate a rapid series of queries to induce a Discovery Proxy to generate a rapid series of
corresponding Multicast DNS queries on one or more of its local corresponding Multicast DNS queries on one or more of its local
skipping to change at page 31, line 22 skipping to change at page 31, line 13
particularly serious. To limit the damage that can be caused by such particularly serious. To limit the damage that can be caused by such
attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem attacks, a Discovery Proxy (or the underlying Multicast DNS subsystem
which it utilizes) MUST implement Multicast DNS query rate limiting which it utilizes) MUST implement Multicast DNS query rate limiting
appropriate to the link technology in question. For today's appropriate to the link technology in question. For today's
802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast 802.11b/g/n/ac Wi-Fi links (for which approximately 200 multicast
packets per second is sufficient to consume approximately 100% of the packets per second is sufficient to consume approximately 100% of the
wireless spectrum) a limit of 20 Multicast DNS query packets per wireless spectrum) a limit of 20 Multicast DNS query packets per
second is RECOMMENDED. On other link technologies like Gigabit second is RECOMMENDED. On other link technologies like Gigabit
Ethernet higher limits may be appropriate. A consequence of this Ethernet higher limits may be appropriate. A consequence of this
rate limiting is that a rogue remote client could issue an excessive rate limiting is that a rogue remote client could issue an excessive
number of queries, resuling in denial of service to other remote number of queries, resulting in denial of service to other legitimate
clients attempting to use that Discovery Proxy. However, this is remote clients attempting to use that Discovery Proxy. However, this
preferable to a rogue remote client being able to inflict even is preferable to a rogue remote client being able to inflict even
greater harm on the local network, which could impact the correct greater harm on the local network, which could impact the correct
operation of all local clients on that network. operation of all local clients on that network.
10. Intelectual Property Rights 10. IANA Considerations
Apple has submitted an IPR disclosure concerning the technique
proposed in this document. Details are available on the IETF IPR
disclosure page [IPR2119].
11. IANA Considerations
This document has no IANA Considerations. This document has no IANA Considerations.
12. Acknowledgments 11. Acknowledgments
Thanks to Markus Stenberg for helping develop the policy regarding Thanks to Markus Stenberg for helping develop the policy regarding
the four styles of unicast response according to what data is the four styles of unicast response according to what data is
immediately available in the cache. Thanks to Anders Brandt, Tim immediately available in the cache. Thanks to Anders Brandt, Ben
Chown, Ralph Droms, Ray Hunter, Ted Lemon, Tom Pusateri, Markus Campbell, Tim Chown, Alissa Cooper, Spencer Dawkins, Ralph Droms,
Stenberg, Dave Thaler, and Andrew Yourtchenko for their comments. Joel Halpern, Ray Hunter, Joel Jaeggli, Warren Kumari, Ted Lemon,
Alexey Melnikov, Kathleen Moriarty, Tom Pusateri, Eric Rescorla, Adam
Roach, David Schinazi, Markus Stenberg, Dave Thaler, and Andrew
Yourtchenko for their comments.
13. References 12. References
13.1. Normative References 12.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>. <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<http://www.rfc-editor.org/info/rfc2308>. <https://www.rfc-editor.org/info/rfc2308>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <http://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, Configuration of IPv4 Link-Local Addresses", RFC 3927,
DOI 10.17487/RFC3927, May 2005, DOI 10.17487/RFC3927, May 2005, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc3927>. editor.org/info/rfc3927>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007, DOI 10.17487/RFC4862, September 2007, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc4862>. editor.org/info/rfc4862>.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of
Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008,
<https://www.rfc-editor.org/info/rfc5155>.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
<http://www.rfc-editor.org/info/rfc5198>. <https://www.rfc-editor.org/info/rfc5198>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
December 2012. DOI 10.17487/RFC6762, February 2013, <https://www.rfc-
editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, December 2012. Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.
[PUSH] Pusateri, T. and S. Cheshire, "DNS Push Notifications", [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
draft-ietf-dnssd-push-12 (work in progress), July 2017. 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
13.2. Informative References [Push] Pusateri, T. and S. Cheshire, "DNS Push Notifications",
draft-ietf-dnssd-push-14 (work in progress), March 2018.
[HOME] Pfister, P. and T. Lemon, "Special Use Domain [DSO] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S.,
'.home.arpa'", draft-ietf-homenet-dot-07 (work in Lemon, T., and T. Pusateri, "DNS Stateful Operations",
progress), June 2017. draft-ietf-dnsop-session-signal-07 (work in progress),
March 2018.
[IPR2119] "Apple Inc.'s Statement about IPR related to Hybrid 12.2. Informative References
Unicast/Multicast DNS-Based Service Discovery",
<https://datatracker.ietf.org/ipr/2119/>.
[ohp] "Discovery Proxy (Hybrid Proxy) implementation for [I-D.ietf-homenet-dot]
OpenWrt", <https://github.com/sbyx/ohybridproxy/>. Pfister, P. and T. Lemon, "Special Use Domain
'home.arpa.'", draft-ietf-homenet-dot-14 (work in
progress), September 2017.
[LLQ] Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns- [Roadmap] Cheshire, S., "Service Discovery Road Map", draft-
cheshire-dnssd-roadmap-01 (work in progress), March 2018.
[DNS-UL] Sekar, K., "Dynamic DNS Update Leases", draft-sekar-dns-
ul-01 (work in progress), August 2006.
[DNS-LLQ] Sekar, K., "DNS Long-Lived Queries", draft-sekar-dns-
llq-01 (work in progress), August 2006. llq-01 (work in progress), August 2006.
[RegProt] Cheshire, S. and T. Lemon, "Service Registration Protocol
for DNS-Based Service Discovery", draft-sctl-service-
registration-00 (work in progress), July 2017.
[Relay] Cheshire, S. and T. Lemon, "Multicast DNS Discovery
Relay", draft-sctl-dnssd-mdns-relay-04 (work in progress),
March 2018.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<http://www.rfc-editor.org/info/rfc2132>. <https://www.rfc-editor.org/info/rfc2132>.
[RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS UPDATE)", "Dynamic Updates in the Domain Name System (DNS UPDATE)",
RFC 2136, DOI 10.17487/RFC2136, April 1997, RFC 2136, DOI 10.17487/RFC2136, April 1997,
<http://www.rfc-editor.org/info/rfc2136>. <https://www.rfc-editor.org/info/rfc2136>.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, DOI 10.17487/RFC3007, November 2000, Update", RFC 3007, DOI 10.17487/RFC3007, November 2000,
<http://www.rfc-editor.org/info/rfc3007>. <https://www.rfc-editor.org/info/rfc3007>.
[RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in Applications
(IDNA)", RFC 3492, DOI 10.17487/RFC3492, March 2003,
<https://www.rfc-editor.org/info/rfc3492>.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
<http://www.rfc-editor.org/info/rfc4193>. <https://www.rfc-editor.org/info/rfc4193>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol
to Replace the AppleTalk Name Binding Protocol (NBP)",
RFC 6760, DOI 10.17487/RFC6760, February 2013,
<https://www.rfc-editor.org/info/rfc6760>.
[RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault, [RFC7558] Lynn, K., Cheshire, S., Blanchet, M., and D. Migault,
"Requirements for Scalable DNS-Based Service Discovery "Requirements for Scalable DNS-Based Service Discovery
(DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558, (DNS-SD) / Multicast DNS (mDNS) Extensions", RFC 7558,
DOI 10.17487/RFC7558, July 2015, DOI 10.17487/RFC7558, July 2015, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc7558>. editor.org/info/rfc7558>.
[RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626, [RFC7626] Bortzmeyer, S., "DNS Privacy Considerations", RFC 7626,
DOI 10.17487/RFC7626, August 2015, DOI 10.17487/RFC7626, August 2015, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc7626>. editor.org/info/rfc7626>.
[RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking
Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April
2016, <http://www.rfc-editor.org/info/rfc7788>. 2016, <https://www.rfc-editor.org/info/rfc7788>.
[RFC6760] Cheshire, S. and M. Krochmal, "Requirements for a Protocol [ohp] "Discovery Proxy (Hybrid Proxy) implementation for
to Replace the AppleTalk Name Binding Protocol (NBP)", OpenWrt", <https://github.com/sbyx/ohybridproxy/>.
RFC 6760, December 2012.
[ZC] Cheshire, S. and D. Steinberg, "Zero Configuration [ZC] Cheshire, S. and D. Steinberg, "Zero Configuration
Networking: The Definitive Guide", O'Reilly Media, Inc. , Networking: The Definitive Guide", O'Reilly Media, Inc. ,
ISBN 0-596-10100-7, December 2005. ISBN 0-596-10100-7, December 2005.
[IEEE-1Q] "IEEE Standard for Local and metropolitan area networks -- [IEEE-1Q] "IEEE Standard for Local and metropolitan area networks --
Bridges and Bridged Networks", IEEE Std 802.1Q-2014, Bridges and Bridged Networks", IEEE Std 802.1Q-2014,
November 2014, <http://standards.ieee.org/getieee802/ November 2014, <http://standards.ieee.org/getieee802/
download/802-1Q-2014.pdf>. download/802-1Q-2014.pdf>.
skipping to change at page 36, line 29 skipping to change at page 36, line 29
These are implemented and deployed in Mac OS X 10.4 and later These are implemented and deployed in Mac OS X 10.4 and later
(including all versions of Apple iOS, on all iPhone and iPads), in (including all versions of Apple iOS, on all iPhone and iPads), in
Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16) Bonjour for Windows, and in Android 4.1 "Jelly Bean" (API Level 16)
and later. and later.
Domain enumeration and unicast querying have been used for several Domain enumeration and unicast querying have been used for several
years at IETF meetings to make Terminal Room printers discoverable years at IETF meetings to make Terminal Room printers discoverable
from outside the Terminal room. When an IETF attendee presses Cmd-P from outside the Terminal room. When an IETF attendee presses Cmd-P
on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal on a Mac, or selects AirPrint on an iPad or iPhone, and the Terminal
room printers appear, that is because the client is sending unicast room printers appear, that is because the client is sending unicast
DNS queries to the IETF DNS servers. DNS queries to the IETF DNS servers. A walk-through giving the
details of this particular specific example is given in Appendix A of
the Roadmap document [Roadmap].
A.2. Already Implemented A.2. Already Implemented
A minimal portable Discovery Proxy implementation has been produced A minimal portable Discovery Proxy implementation has been produced
by Markus Stenberg and Steven Barth, which runs on OS X and several by Markus Stenberg and Steven Barth, which runs on OS X and several
Linux variants including OpenWrt [ohp]. It was demonstrated at the Linux variants including OpenWrt [ohp]. It was demonstrated at the
Berlin IETF in July 2013. Berlin IETF in July 2013.
Tom Pusateri also has an implementation that runs on any Unix/Linux. Tom Pusateri also has an implementation that runs on any Unix/Linux.
It has a RESTful interface for management and an experimental demo It has a RESTful interface for management and an experimental demo
skipping to change at page 37, line 5 skipping to change at page 37, line 7
The current APIs make multiple domains visible to client software, The current APIs make multiple domains visible to client software,
but most client UI today lumps all discovered services into a single but most client UI today lumps all discovered services into a single
flat list. This is largely a chicken-and-egg problem. Application flat list. This is largely a chicken-and-egg problem. Application
writers were naturally reluctant to spend time writing domain-aware writers were naturally reluctant to spend time writing domain-aware
UI code when few customers today would benefit from it. If Discovery UI code when few customers today would benefit from it. If Discovery
Proxy deployment becomes common, then application writers will have a Proxy deployment becomes common, then application writers will have a
reason to provide better UI. Existing applications will work with reason to provide better UI. Existing applications will work with
the Discovery Proxy, but will show all services in a single flat the Discovery Proxy, but will show all services in a single flat
list. Applications with improved UI will group services by domain. list. Applications with improved UI will group services by domain.
The Long-Lived Query mechanism [LLQ] referred to in this The Long-Lived Query mechanism [DNS-LLQ] referred to in this
specification exists and is deployed, but has not been standardized specification exists and is deployed, but has not been standardized
by the IETF. The IETF is considering standardizing a superior Long- by the IETF. The IETF is developing a superior Long-Lived Query
Lived Query mechanism called DNS Push Notifications [PUSH]. The mechanism called DNS Push Notifications [Push], which is based on DNS
pragmatic short-term deployment approach is for vendors to produce Stateful Operations [DSO],. The pragmatic short-term deployment
Discovery Proxies that implement both the deployed Long-Lived Query approach is for vendors to produce Discovery Proxies that implement
mechanism [LLQ] (for today's clients) and the new DNS Push both the deployed Long-Lived Query mechanism [DNS-LLQ] (for today's
Notifications mechanism [PUSH] as the preferred long-term direction. clients) and the new DNS Push Notifications mechanism [Push] as the
preferred long-term direction.
The translating/filtering Discovery Proxy specified in this document. Implementations of the translating/filtering Discovery Proxy
Implementations are under development, and operational experience specified in this document are under development, and operational
with these implementations has guided updates to this document. experience with these implementations has guided updates to this
document.
A.4. Not Yet Implemented A.4. Not Yet Implemented
Client implementations of the new DNS Push Notifications mechanism Client implementations of the new DNS Push Notifications mechanism
[PUSH] are currently underway. [Push] are currently underway.
A mechanism to 'stitch' together multiple ".local." zones so that
they appear as one. Such a stitching mechanism will be specified in
a future companion document. This stitching mechanism addresses the
issue that if a printer is physically moved from one link to another,
then conceptually the old service has disappeared from the DNS
namespace, and a new service with a similar name has appeared. This
stitching mechanism will allow a service to change its point of
attachment without changing the name by which it can be found.
Author's Address Author's Address
Stuart Cheshire Stuart Cheshire
Apple Inc. Apple Inc.
1 Infinite Loop 1 Infinite Loop
Cupertino, California 95014 Cupertino, California 95014
USA USA
Phone: +1 408 974 3207 Phone: +1 408 974 3207
 End of changes. 116 change blocks. 
283 lines changed or deleted 417 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/