| draft-ietf-dnssd-push-15.txt | draft-ietf-dnssd-push-16.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force T. Pusateri | Internet Engineering Task Force T. Pusateri | |||
| Internet-Draft Unaffiliated | Internet-Draft Unaffiliated | |||
| Intended status: Standards Track S. Cheshire | Intended status: Standards Track S. Cheshire | |||
| Expires: March 21, 2019 Apple Inc. | Expires: May 9, 2019 Apple Inc. | |||
| September 17, 2018 | November 5, 2018 | |||
| DNS Push Notifications | DNS Push Notifications | |||
| draft-ietf-dnssd-push-15 | draft-ietf-dnssd-push-16 | |||
| Abstract | Abstract | |||
| The Domain Name System (DNS) was designed to return matching records | The Domain Name System (DNS) was designed to return matching records | |||
| efficiently for queries for data that are relatively static. When | efficiently for queries for data that are relatively static. When | |||
| those records change frequently, DNS is still efficient at returning | those records change frequently, DNS is still efficient at returning | |||
| the updated results when polled, as long as the polling rate is not | the updated results when polled, as long as the polling rate is not | |||
| too high. But there exists no mechanism for a client to be | too high. But there exists no mechanism for a client to be | |||
| asynchronously notified when these changes occur. This document | asynchronously notified when these changes occur. This document | |||
| defines a mechanism for a client to be notified of such changes to | defines a mechanism for a client to be notified of such changes to | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 21, 2019. | This Internet-Draft will expire on May 9, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
| 6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 13 | 6.2. DNS Push Notification SUBSCRIBE . . . . . . . . . . . . . 13 | |||
| 6.2.1. SUBSCRIBE Request . . . . . . . . . . . . . . . . . . 13 | 6.2.1. SUBSCRIBE Request . . . . . . . . . . . . . . . . . . 13 | |||
| 6.2.2. SUBSCRIBE Response . . . . . . . . . . . . . . . . . 16 | 6.2.2. SUBSCRIBE Response . . . . . . . . . . . . . . . . . 16 | |||
| 6.3. DNS Push Notification Updates . . . . . . . . . . . . . . 19 | 6.3. DNS Push Notification Updates . . . . . . . . . . . . . . 19 | |||
| 6.3.1. PUSH Message . . . . . . . . . . . . . . . . . . . . 19 | 6.3.1. PUSH Message . . . . . . . . . . . . . . . . . . . . 19 | |||
| 6.4. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 22 | 6.4. DNS Push Notification UNSUBSCRIBE . . . . . . . . . . . . 22 | |||
| 6.4.1. UNSUBSCRIBE Request . . . . . . . . . . . . . . . . . 22 | 6.4.1. UNSUBSCRIBE Request . . . . . . . . . . . . . . . . . 22 | |||
| 6.5. DNS Push Notification RECONFIRM . . . . . . . . . . . . . 24 | 6.5. DNS Push Notification RECONFIRM . . . . . . . . . . . . . 24 | |||
| 6.5.1. RECONFIRM Request . . . . . . . . . . . . . . . . . . 24 | 6.5.1. RECONFIRM Request . . . . . . . . . . . . . . . . . . 24 | |||
| 6.5.2. RECONFIRM Response . . . . . . . . . . . . . . . . . 26 | 6.5.2. RECONFIRM Response . . . . . . . . . . . . . . . . . 26 | |||
| 6.6. Client-Initiated Termination . . . . . . . . . . . . . . 28 | 6.6. DNS Stateful Operations TLV Context Summary . . . . . . . 28 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | 6.7. Client-Initiated Termination . . . . . . . . . . . . . . 29 | |||
| 7.1. Security Services . . . . . . . . . . . . . . . . . . . . 29 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 30 | |||
| 7.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 29 | 7.1. Security Services . . . . . . . . . . . . . . . . . . . . 30 | |||
| 7.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 30 | 7.2. TLS Name Authentication . . . . . . . . . . . . . . . . . 30 | |||
| 7.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 30 | 7.3. TLS Compression . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | 7.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 31 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 31 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 33 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 33 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 | 10.2. Informative References . . . . . . . . . . . . . . . . . 34 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 | ||||
| 1. Introduction | 1. Introduction | |||
| Domain Name System (DNS) records may be updated using DNS Update | Domain Name System (DNS) records may be updated using DNS Update | |||
| [RFC2136]. Other mechanisms such as a Discovery Proxy [DisProx] can | [RFC2136]. Other mechanisms such as a Discovery Proxy [DisProx] can | |||
| also generate changes to a DNS zone. This document specifies a | also generate changes to a DNS zone. This document specifies a | |||
| protocol for DNS clients to subscribe to receive asynchronous | protocol for DNS clients to subscribe to receive asynchronous | |||
| notifications of changes to RRSets of interest. It is immediately | notifications of changes to RRSets of interest. It is immediately | |||
| relevant in the case of DNS Service Discovery [RFC6763] but is not | relevant in the case of DNS Service Discovery [RFC6763] but is not | |||
| limited to that use case, and provides a general DNS mechanism for | limited to that use case, and provides a general DNS mechanism for | |||
| skipping to change at page 5, line 39 ¶ | skipping to change at page 5, line 39 ¶ | |||
| Supporting DNS Updates and DNS Push Notifications on the same server | Supporting DNS Updates and DNS Push Notifications on the same server | |||
| is OPTIONAL. A DNS Push Notification server does NOT also have to | is OPTIONAL. A DNS Push Notification server does NOT also have to | |||
| support DNS Update. | support DNS Update. | |||
| DNS Updates and DNS Push Notifications may be handled on different | DNS Updates and DNS Push Notifications may be handled on different | |||
| ports on the same target host, in which case they are not considered | ports on the same target host, in which case they are not considered | |||
| to be the "same server" for the purposes of this specification, and | to be the "same server" for the purposes of this specification, and | |||
| communications with these two ports are handled independently. | communications with these two ports are handled independently. | |||
| Standard DNS Queries MAY be sent over a DNS Push Notification | Standard DNS Queries MAY be sent over a DNS Push Notification | |||
| connection, provided that these are queries for names falling within | connection. For any zone for which the server is authoritative, it | |||
| the server's zone (the <zone> in the "_dns-push-tls._tcp.<zone>" SRV | MUST respond authoritatively for queries on names falling within that | |||
| record). The RD (Recursion Desired) bit MUST be zero. If a query is | zone (e.g., the <zone> in the "_dns-push-tls._tcp.<zone>" SRV record) | |||
| received with the RD bit set, matching records for names falling | both for DNS Push Notification queries and for normal DNS queries. | |||
| within the server's zones should be returned with the RA (Recursion | For names for which the server is acting as a caching resolver, e.g. | |||
| Available) bit clear. If the query is for a name not in the server's | when the server is the local resolver, for any query for which it | |||
| zone, an error with RCODE NOTAUTH (Not Authoritative) should be | supports DNS Push Notifications, it MUST also support standard | |||
| returned. | queries. | |||
| DNS Push Notification clients are NOT required to implement DNS | DNS Push Notification clients are NOT required to implement DNS | |||
| Update Prerequisite processing. Prerequisites are used to perform | Update Prerequisite processing. Prerequisites are used to perform | |||
| tentative atomic test-and-set type operations when a client updates | tentative atomic test-and-set type operations when a client updates | |||
| records on a server, and that concept has no applicability when it | records on a server, and that concept has no applicability when it | |||
| comes to an authoritative server unilaterally informing a client of | comes to an authoritative server unilaterally informing a client of | |||
| changes to DNS records. | changes to DNS records. | |||
| This DNS Push Notification specification includes support for DNS | This DNS Push Notification specification includes support for DNS | |||
| classes, for completeness. However, in practice, it is anticipated | classes, for completeness. However, in practice, it is anticipated | |||
| skipping to change at page 6, line 25 ¶ | skipping to change at page 6, line 25 ¶ | |||
| DNS Push Notifications impose less load on the responding server than | DNS Push Notifications impose less load on the responding server than | |||
| rapid polling would, but Push Notifications do still have a cost, so | rapid polling would, but Push Notifications do still have a cost, so | |||
| DNS Push Notification clients must not recklessly create an excessive | DNS Push Notification clients must not recklessly create an excessive | |||
| number of Push Notification subscriptions. Specifically: | number of Push Notification subscriptions. Specifically: | |||
| (a) A subscription should only be active when there is a valid reason | (a) A subscription should only be active when there is a valid reason | |||
| to need live data (for example, an on-screen display is currently | to need live data (for example, an on-screen display is currently | |||
| showing the results to the user) and the subscription SHOULD be | showing the results to the user) and the subscription SHOULD be | |||
| cancelled as soon as the need for that data ends (for example, when | cancelled as soon as the need for that data ends (for example, when | |||
| the user dismisses that display). Implementations MAY want to | the user dismisses that display). Implementations may want to | |||
| implement idle timeouts, so that if the user ceases interacting with | implement idle timeouts, so that if the user ceases interacting with | |||
| the device, the display showing the result of the DNS Push | the device, the subscription is cancelled. | |||
| Notification subscription is automatically dismissed after a certain | ||||
| period of inactivity. For example, if a user presses the "Print" | ||||
| button on their smartphone, and then leaves the phone showing the | ||||
| printer discovery screen until the phone goes to sleep, then the | ||||
| printer discovery screen should be automatically dismissed as the | ||||
| device goes to sleep. If the user does still intend to print, this | ||||
| will require them to press the "Print" button again when they wake | ||||
| their phone up. | ||||
| (b) A DNS Push Notification client SHOULD NOT routinely keep a DNS | (b) A DNS Push Notification client SHOULD NOT routinely keep a DNS | |||
| Push Notification subscription active 24 hours a day, 7 days a week, | Push Notification subscription active 24 hours a day, 7 days a week, | |||
| just to keep a list in memory up to date so that if the user does | just to keep a list in memory up to date so that if the user does | |||
| choose to bring up an on-screen display of that data, it can be | choose to bring up an on-screen display of that data, it can be | |||
| displayed really fast. DNS Push Notifications are designed to be | displayed really fast. DNS Push Notifications are designed to be | |||
| fast enough that there is no need to pre-load a "warm" list in memory | fast enough that there is no need to pre-load a "warm" list in memory | |||
| just in case it might be needed later. | just in case it might be needed later. | |||
| Generally, as described in the DNS Stateful Operations specification | Generally, as described in the DNS Stateful Operations specification | |||
| skipping to change at page 8, line 18 ¶ | skipping to change at page 8, line 18 ¶ | |||
| number of Push Notification subscriptions. This number will vary | number of Push Notification subscriptions. This number will vary | |||
| from server to server and is based on physical machine | from server to server and is based on physical machine | |||
| characteristics, network bandwidth, and operating system resource | characteristics, network bandwidth, and operating system resource | |||
| allocation. After a client establishes a session to a DNS server, | allocation. After a client establishes a session to a DNS server, | |||
| each subscription is individually accepted or rejected. Servers may | each subscription is individually accepted or rejected. Servers may | |||
| employ various techniques to limit subscriptions to a manageable | employ various techniques to limit subscriptions to a manageable | |||
| level. Correspondingly, the client is free to establish simultaneous | level. Correspondingly, the client is free to establish simultaneous | |||
| sessions to alternate DNS servers that support DNS Push Notifications | sessions to alternate DNS servers that support DNS Push Notifications | |||
| for the zone and distribute subscriptions at the client's discretion. | for the zone and distribute subscriptions at the client's discretion. | |||
| In this way, both clients and servers can react to resource | In this way, both clients and servers can react to resource | |||
| constraints. Token bucket rate limiting schemes are also effective | constraints. | |||
| in providing fairness by a server across numerous client requests. | ||||
| 6. Protocol Operation | 6. Protocol Operation | |||
| The DNS Push Notification protocol is a session-oriented protocol, | The DNS Push Notification protocol is a session-oriented protocol, | |||
| and makes use of DNS Stateful Operations (DSO) [DSO]. | and makes use of DNS Stateful Operations (DSO) [DSO]. | |||
| For details of the DSO message format refer to the DNS Stateful | For details of the DSO message format refer to the DNS Stateful | |||
| Operations specification [DSO]. Those details are not repeated here. | Operations specification [DSO]. Those details are not repeated here. | |||
| DNS Push Notification clients and servers MUST support DSO, but (as | DNS Push Notification clients and servers MUST support DSO. A single | |||
| stated in the DSO specification [DSO]) the server SHOULD NOT issue | server can support DNS Queries, DNS Updates, and DNS Push | |||
| any DSO messages until after the client has first initiated an | Notifications (using DSO) on the same TCP port. | |||
| acknowledged DSO message of its own. A single server can support DNS | ||||
| Queries, DNS Updates, and DNS Push Notifications (using DSO) on the | ||||
| same TCP port, and until the client has sent at least one DSO | ||||
| message, the server does not know what kind of client has connected | ||||
| to it. Once the client has indicated willingness to use DSO by | ||||
| sending one of its own, either side of the session may then initiate | ||||
| further DSO messages at any time. | ||||
| A DNS Push Notification exchange begins with the client discovering | A DNS Push Notification exchange begins with the client discovering | |||
| the appropriate server, using the procedure described in Section 6.1, | the appropriate server, using the procedure described in Section 6.1, | |||
| and then making a TLS/TCP connection to it. | and then making a TLS/TCP connection to it. | |||
| A typical DNS Push Notification client will immediately issue a DSO | A typical DNS Push Notification client will immediately issue a DSO | |||
| Keepalive operation to request a session timeout or keepalive | Keepalive operation to request a session timeout or keepalive | |||
| interval longer than the the 15-second default, but this is not | interval longer than the the 15-second default, but this is not | |||
| required. A DNS Push Notification client MAY issue other requests on | required. A DNS Push Notification client MAY issue other requests on | |||
| the session first, and only issue a DSO Keepalive operation later if | the session first, and only issue a DSO Keepalive operation later if | |||
| skipping to change at page 10, line 13 ¶ | skipping to change at page 10, line 13 ¶ | |||
| client to server. | client to server. | |||
| 6.1. Discovery | 6.1. Discovery | |||
| The first step in DNS Push Notification subscription is to discover | The first step in DNS Push Notification subscription is to discover | |||
| an appropriate DNS server that supports DNS Push Notifications for | an appropriate DNS server that supports DNS Push Notifications for | |||
| the desired zone. | the desired zone. | |||
| The client begins by opening a DSO Session to its normal configured | The client begins by opening a DSO Session to its normal configured | |||
| DNS recursive resolver and requesting a Push Notification | DNS recursive resolver and requesting a Push Notification | |||
| subscription. If this is successful, then the recursive resolver | subscription. This connection is made to the default DNS-over-TLS | |||
| will make appropriate Push Notification subscriptions on the client's | port as defined in DNS over TLS [RFC7858]. If this connection is | |||
| behalf, and the client will receive appropriate results. If the | successful, then the recursive resolver will make appropriate Push | |||
| recursive resolver does not support Push Notification subscriptions, | Notification subscriptions on the client's behalf, and the client | |||
| then it will return an error code, and the client should proceed to | will receive appropriate results. | |||
| discover the appropriate server for direct communication. The client | ||||
| MUST also determine which TCP port on the server is listening for | ||||
| connections, which need not be (and often is not) the typical TCP | ||||
| port 53 used for conventional DNS, or TCP port 853 used for DNS over | ||||
| TLS [RFC7858]. | ||||
| The algorithm described here is an iterative algorithm, which starts | In many contexts, the local recursive resolver will be able to handle | |||
| with the full name of the record to which the client wishes to | push notifications for all zones that the client may need to follow. | |||
| subscribe. Successive SOA queries are then issued, trimming one | In other cases, the client may require Push Notifications from more | |||
| label each time, until the closest enclosing authoritative server is | than one zone, and those zones may be served by different servers. | |||
| discovered. There is also an optimization to enable the client to | Therefore, it is assumed that the client may need to maintain | |||
| take a "short cut" directly to the SOA record of the closest | connections to more than one DNS Push server. | |||
| enclosing authoritative server in many cases. | ||||
| In some cases, the recursive resolver may not be able to get answers | ||||
| for a particular zone. In this case, rather than returning SERVFAIL, | ||||
| the resolver returns NOTAUTH. This signals the client that queries | ||||
| for this zone can't be handled by the local caching resolver. For | ||||
| that zone, the client SHOULD contact the zone's DNS Push server | ||||
| itself, even if all other DNS Push queries can be handled by the | ||||
| local resolver. This may be necessary in cases where the client is | ||||
| connected to a VPN, for example, or where the client has a pre- | ||||
| established trust relationship with the owner of the zone that allows | ||||
| the client, but not the local resolver, to successfully get answers | ||||
| for queries in that zone. | ||||
| If the recursive resolver does not support Push Notification | ||||
| subscriptions, then it will return an error code, DSONOTIMPL. This | ||||
| occurs when the local resolver follows the procedure below and does | ||||
| not find an SRV record indicating support for DNS Push Notifications. | ||||
| In case of either failure, the client should proceed to discover the | ||||
| appropriate server for direct communication. The client MUST also | ||||
| determine which TCP port on the server is listening for connections, | ||||
| which need not be (and often is not) the typical TCP port 53 used for | ||||
| conventional DNS, or TCP port 853 used for DNS over TLS. | ||||
| The discovery algorithm described here is an iterative algorithm, | ||||
| which starts with the full name of the record to which the client | ||||
| wishes to subscribe. Successive SOA queries are then issued, | ||||
| trimming one label each time, until the closest enclosing | ||||
| authoritative server is discovered. There is also an optimization to | ||||
| enable the client to take a "short cut" directly to the SOA record of | ||||
| the closest enclosing authoritative server in many cases. | ||||
| 1. The client begins the discovery by sending a DNS query to its | 1. The client begins the discovery by sending a DNS query to its | |||
| local resolver, with record type SOA [RFC1035] for the record | local resolver, with record type SOA [RFC1035] for the record | |||
| name to which it wishes to subscribe. As an example, suppose the | name to which it wishes to subscribe. As an example, suppose the | |||
| client wishes to subscribe to PTR records with the name | client wishes to subscribe to PTR records with the name | |||
| _ipp._tcp.foo.example.com (to discover Internet Printing Protocol | _ipp._tcp.foo.example.com (to discover Internet Printing Protocol | |||
| (IPP) printers [RFC8010] [RFC8011] being advertised at | (IPP) printers [RFC8010] [RFC8011] being advertised at | |||
| "foo.example.com"). The client begins by sending an SOA query | "foo.example.com"). The client begins by sending an SOA query | |||
| for _ipp._tcp.foo.example.com to the local recursive resolver. | for _ipp._tcp.foo.example.com to the local recursive resolver. | |||
| The goal is to determine the server authoritative for the name | The goal is to determine the server authoritative for the name | |||
| skipping to change at page 11, line 9 ¶ | skipping to change at page 11, line 33 ¶ | |||
| 2. If the requested SOA record exists, it will be returned in the | 2. If the requested SOA record exists, it will be returned in the | |||
| Answer section with a NOERROR response code, and the client has | Answer section with a NOERROR response code, and the client has | |||
| succeeded in discovering the information it needs. (This text is | succeeded in discovering the information it needs. (This text is | |||
| not placing any new requirements on DNS recursive resolvers. It | not placing any new requirements on DNS recursive resolvers. It | |||
| is merely describing the existing operation of the DNS protocol | is merely describing the existing operation of the DNS protocol | |||
| [RFC1034] [RFC1035].) | [RFC1034] [RFC1035].) | |||
| 3. If the requested SOA record does not exist, the client will get | 3. If the requested SOA record does not exist, the client will get | |||
| back a NOERROR/NODATA response or an NXDOMAIN/Name Error | back a NOERROR/NODATA response or an NXDOMAIN/Name Error | |||
| response. In either case, the local resolver SHOULD include the | response. In either case, the local resolver would normally | |||
| SOA record for the zone of the requested name in the Authority | include the SOA record for the zone of the requested name in the | |||
| Section. If the SOA record is received in the Authority Section, | Authority Section. If the SOA record is received in the | |||
| then the client has succeeded in discovering the information it | Authority Section, then the client has succeeded in discovering | |||
| needs. (This text is not placing any new requirements on DNS | the information it needs. (This text is not placing any new | |||
| recursive resolvers. It is merely describing the existing | requirements on DNS recursive resolvers. It is merely describing | |||
| operation of the DNS protocol regarding negative responses | the existing operation of the DNS protocol regarding negative | |||
| [RFC2308].) | responses [RFC2308].) | |||
| 4. If the client receives a response containing no SOA record, then | 4. If the client receives a response containing no SOA record, then | |||
| it proceeds with the iterative approach. The client strips the | it proceeds with the iterative approach. The client strips the | |||
| leading label from the current query name and if the resulting | leading label from the current query name and if the resulting | |||
| name has at least one label in it, the client sends a new SOA | name has at least one label in it, the client sends a new SOA | |||
| query, and processing continues at step 2 above, repeating the | query, and processing continues at step 2 above, repeating the | |||
| iterative search until either an SOA is received, or the query | iterative search until either an SOA is received, or the query | |||
| name is empty. In the case of an empty name, this is a network | name is empty. In the case of an empty name, this is a network | |||
| configuration error which should not happen and the client gives | configuration error which should not happen and the client gives | |||
| up. The client may retry the operation at a later time, of the | up. The client may retry the operation at a later time, of the | |||
| skipping to change at page 13, line 12 ¶ | skipping to change at page 13, line 12 ¶ | |||
| discovery process can be completed nearly instantaneously by the | discovery process can be completed nearly instantaneously by the | |||
| client, using only locally-stored cached data. | client, using only locally-stored cached data. | |||
| 6.2. DNS Push Notification SUBSCRIBE | 6.2. DNS Push Notification SUBSCRIBE | |||
| After connecting, and requesting a longer idle timeout and/or | After connecting, and requesting a longer idle timeout and/or | |||
| keepalive interval if necessary, a DNS Push Notification client then | keepalive interval if necessary, a DNS Push Notification client then | |||
| indicates its desire to receive DNS Push Notifications for a given | indicates its desire to receive DNS Push Notifications for a given | |||
| domain name by sending a SUBSCRIBE request over the established DSO | domain name by sending a SUBSCRIBE request over the established DSO | |||
| session to the server. A SUBSCRIBE request is encoded in a DSO [DSO] | session to the server. A SUBSCRIBE request is encoded in a DSO [DSO] | |||
| message. This specification defines a DSO TLV for DNS Push | message. This specification defines a primary DSO TLV for DNS Push | |||
| Notification SUBSCRIBE Requests/Responses (tentatively DSO Type Code | Notification SUBSCRIBE Requests (tentatively DSO Type Code 0x40). | |||
| 0x40). | ||||
| The entity that initiates a SUBSCRIBE request is by definition the | The entity that initiates a SUBSCRIBE request is by definition the | |||
| client. A server MUST NOT send a SUBSCRIBE request over an existing | client. A server MUST NOT send a SUBSCRIBE request over an existing | |||
| session from a client. If a server does send a SUBSCRIBE request | session from a client. If a server does send a SUBSCRIBE request | |||
| over a DSO session initiated by a client, this is a fatal error and | over a DSO session initiated by a client, this is a fatal error and | |||
| the client should immediately abort the connection with a TCP RST (or | the client should immediately abort the connection with a TCP RST (or | |||
| equivalent for other protocols). | equivalent for other protocols). | |||
| 6.2.1. SUBSCRIBE Request | 6.2.1. SUBSCRIBE Request | |||
| skipping to change at page 16, line 34 ¶ | skipping to change at page 16, line 34 ¶ | |||
| subscription was accepted. Supported RCODEs are as follows: | subscription was accepted. Supported RCODEs are as follows: | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| | Mnemonic | Value | Description | | | Mnemonic | Value | Description | | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| | NOERROR | 0 | SUBSCRIBE successful. | | | NOERROR | 0 | SUBSCRIBE successful. | | |||
| | FORMERR | 1 | Server failed to process request due to a | | | FORMERR | 1 | Server failed to process request due to a | | |||
| | | | malformed request. | | | | | malformed request. | | |||
| | SERVFAIL | 2 | Server failed to process request due to a | | | SERVFAIL | 2 | Server failed to process request due to a | | |||
| | | | problem with the server. | | | | | problem with the server. | | |||
| | NXDOMAIN | 3 | NOT APPLICABLE. DNS Push Notification servers | | ||||
| | | | MUST NOT return NXDOMAIN errors in response | | ||||
| | | | to SUBSCRIBE requests. | | ||||
| | NOTIMP | 4 | Server does not implement DSO. | | | NOTIMP | 4 | Server does not implement DSO. | | |||
| | REFUSED | 5 | Server refuses to process request for policy | | | REFUSED | 5 | Server refuses to process request for policy | | |||
| | | | or security reasons. | | | | | or security reasons. | | |||
| | NOTAUTH | 9 | Server is not authoritative for the requested | | | NOTAUTH | 9 | Server is not authoritative for the requested | | |||
| | | | name. | | | | | name. | | |||
| | DSOTYPENI | 11 | SUBSCRIBE operation not supported. | | | DSOTYPENI | 11 | SUBSCRIBE operation not supported. | | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| SUBSCRIBE Response codes | Table 1: SUBSCRIBE Response codes | |||
| This document specifies only these RCODE values for SUBSCRIBE | This document specifies only these RCODE values for SUBSCRIBE | |||
| Responses. Servers sending SUBSCRIBE Responses SHOULD use one of | Responses. Servers sending SUBSCRIBE Responses SHOULD use one of | |||
| these values. However, future circumstances may create situations | these values. Note that NXDOMAIN is not a valid RCODE in response to | |||
| where other RCODE values are appropriate in SUBSCRIBE Responses, so | a SUBSCRIBE Request. However, future circumstances may create | |||
| clients MUST be prepared to accept SUBSCRIBE Responses with any RCODE | situations where other RCODE values are appropriate in SUBSCRIBE | |||
| value. | Responses, so clients MUST be prepared to accept SUBSCRIBE Responses | |||
| with any other RCODE value. | ||||
| If the server sends a nonzero RCODE in the SUBSCRIBE response, that | If the server sends a nonzero RCODE in the SUBSCRIBE response, that | |||
| means (a) the client is (at least partially) misconfigured, (b) the | means | |||
| server resources are exhausted, or (c) there is some other unknown | ||||
| failure on the server. In any case, the client shouldn't retry the | a. the client is (at least partially) misconfigured, | |||
| subscription right away. Either end can terminate the session, but | b. the server resources are exhausted, or | |||
| the client may want to try this subscription again, or it may have | c. there is some other unknown failure on the server. | |||
| other successful subscriptions that it doesn't want to abandon. If | ||||
| the server sends a nonzero RCODE then it SHOULD append a Retry Delay | In any case, the client shouldn't retry the subscription to this | |||
| TLV [DSO] to the response specifying a delay before the client | server right away. If multiple SRV records were returned as | |||
| described in discovery Section 6.1, Paragraph 7, a subsequent server | ||||
| can be tried immediately. | ||||
| If the client has other successful subscriptions to this server, | ||||
| these subscriptions can remain even though additional subscriptions | ||||
| may be refused. Neither the client, nor the server are required to | ||||
| close the connection, although, either end may choose to do so. | ||||
| If the server sends a nonzero RCODE then it SHOULD append a Retry | ||||
| Delay TLV [DSO] to the response specifying a delay before the client | ||||
| attempts this operation again. Recommended values for the delay for | attempts this operation again. Recommended values for the delay for | |||
| different RCODE values are given below. These recommended values | different RCODE values are given below. These recommended values | |||
| apply both to the default values a server should place in the Retry | apply both to the default values a server should place in the Retry | |||
| Delay TLV, and the default values a client should assume if the | Delay TLV, and the default values a client should assume if the | |||
| server provides no Retry Delay TLV. | server provides no Retry Delay TLV. | |||
| For RCODE = 1 (FORMERR) the delay may be any value selected by the | For RCODE = 1 (FORMERR) the delay may be any value selected by the | |||
| implementer. A value of five minutes is RECOMMENDED, to reduce | implementer. A value of five minutes is RECOMMENDED, to reduce | |||
| the risk of high load from defective clients. | the risk of high load from defective clients. | |||
| skipping to change at page 17, line 43 ¶ | skipping to change at page 18, line 5 ¶ | |||
| be one hour. Note that in such a case, a server that doesn't | be one hour. Note that in such a case, a server that doesn't | |||
| implement DSO is unlikely to place a Retry Delay TLV in its | implement DSO is unlikely to place a Retry Delay TLV in its | |||
| response, so this recommended value in particular applies to what | response, so this recommended value in particular applies to what | |||
| a client should assume by default. | a client should assume by default. | |||
| For RCODE = 5 (REFUSED), which occurs on a server that implements | For RCODE = 5 (REFUSED), which occurs on a server that implements | |||
| DNS Push Notifications, but is currently configured to disallow | DNS Push Notifications, but is currently configured to disallow | |||
| DNS Push Notifications, the retry delay may be any value selected | DNS Push Notifications, the retry delay may be any value selected | |||
| by the implementer and/or configured by the operator. | by the implementer and/or configured by the operator. | |||
| This is a misconfiguration, since this server is listed in a | If the server being queried is not the local resolver, this is a | |||
| misconfiguration, since this server is listed in a | ||||
| "_dns-push-tls._tcp.<zone>" SRV record, but the server itself is | "_dns-push-tls._tcp.<zone>" SRV record, but the server itself is | |||
| not currently configured to support DNS Push Notifications. Since | not currently configured to support DNS Push Notifications for | |||
| it is possible that the misconfiguration may be repaired at any | that zone. Since it is possible that the misconfiguration may be | |||
| time, the retry delay should not be set too high. By default, a | repaired at any time, the retry delay should not be set too high. | |||
| value of 5 minutes is RECOMMENDED. | By default, a value of 5 minutes is RECOMMENDED. | |||
| For RCODE = 9 (NOTAUTH), which occurs on a server that implements | For RCODE = 9 (NOTAUTH), which occurs on a server that implements | |||
| DNS Push Notifications, but is not configured to be authoritative | DNS Push Notifications, but is not configured to be authoritative | |||
| for the requested name, the retry delay may be any value selected | for the requested name, the retry delay may be any value selected | |||
| by the implementer and/or configured by the operator. | by the implementer and/or configured by the operator. | |||
| This is a misconfiguration, since this server is listed in a | This is a misconfiguration, since this server is listed in a | |||
| "_dns-push-tls._tcp.<zone>" SRV record, but the server itself is | "_dns-push-tls._tcp.<zone>" SRV record, but the server itself is | |||
| not currently configured to support DNS Push Notifications for | not currently configured to support DNS Push Notifications for | |||
| that zone. Since it is possible that the misconfiguration may be | that zone. Since it is possible that the misconfiguration may be | |||
| skipping to change at page 21, line 36 ¶ | skipping to change at page 21, line 36 ¶ | |||
| Similarly, when both an SRV and a TXT record are deleted from a given | Similarly, when both an SRV and a TXT record are deleted from a given | |||
| name, and no other records of any kind exist for that name, the | name, and no other records of any kind exist for that name, the | |||
| server SHOULD send a "delete all RRsets from a name" PUSH message, | server SHOULD send a "delete all RRsets from a name" PUSH message, | |||
| not two separate "delete an RRset from a name" PUSH messages. | not two separate "delete an RRset from a name" PUSH messages. | |||
| A server SHOULD combine multiple change notifications in a single | A server SHOULD combine multiple change notifications in a single | |||
| PUSH message when possible, even if those change notifications apply | PUSH message when possible, even if those change notifications apply | |||
| to different subscriptions. Conceptually, a PUSH message is a | to different subscriptions. Conceptually, a PUSH message is a | |||
| session-level mechanism, not a subscription-level mechanism. | session-level mechanism, not a subscription-level mechanism. | |||
| The TTL of an added record is stored by the client and decremented as | The TTL of an added record is stored by the client. While the | |||
| time passes, with the caveat that for as long as a relevant | subscription is active, the TTL is not decremented, because a change | |||
| subscription is active, the TTL does not decrement below 1 second. | to the TTL would produce a new update. For as long as a relevant | |||
| For as long as a relevant subscription remains active, the client | subscription remains active, the client SHOULD assume that when a | |||
| SHOULD assume that when a record goes away the server will notify it | record goes away the server will notify it of that fact. | |||
| of that fact. Consequently, a client does not have to poll to verify | Consequently, a client does not have to poll to verify that the | |||
| that the record is still there. Once a subscription is cancelled | record is still there. Once a subscription is cancelled | |||
| (individually, or as a result of the DSO session being closed) record | (individually, or as a result of the DSO session being closed) record | |||
| aging resumes and records are removed from the local cache when their | aging for records covered by the subscription resumes and records are | |||
| TTL reaches zero. | removed from the local cache when their TTL reaches zero. | |||
| 6.4. DNS Push Notification UNSUBSCRIBE | 6.4. DNS Push Notification UNSUBSCRIBE | |||
| To cancel an individual subscription without closing the entire DSO | To cancel an individual subscription without closing the entire DSO | |||
| session, the client sends an UNSUBSCRIBE message over the established | session, the client sends an UNSUBSCRIBE message over the established | |||
| DSO session to the server. The UNSUBSCRIBE message is encoded as a | DSO session to the server. The UNSUBSCRIBE message is encoded as a | |||
| DSO [DSO] unidirectional message. This specification defines a DSO | DSO [DSO] unidirectional message. This specification defines a | |||
| TLV for DNS Push Notification UNSUBSCRIBE Requests/Responses | primary unidirectional DSO TLV for DNS Push Notification UNSUBSCRIBE | |||
| (tentatively DSO Type Code 0x42). | Requests (tentatively DSO Type Code 0x42). | |||
| A server MUST NOT initiate an UNSUBSCRIBE request. If a server does | A server MUST NOT initiate an UNSUBSCRIBE request. If a server does | |||
| send an UNSUBSCRIBE request over a DSO session initiated by a client, | send an UNSUBSCRIBE request over a DSO session initiated by a client, | |||
| this is a fatal error and the client should immediately abort the | this is a fatal error and the client should immediately abort the | |||
| connection with a TCP RST (or equivalent for other protocols). | connection with a TCP RST (or equivalent for other protocols). | |||
| 6.4.1. UNSUBSCRIBE Request | 6.4.1. UNSUBSCRIBE Request | |||
| An UNSUBSCRIBE request begins with the standard DSO 12-byte header | An UNSUBSCRIBE request begins with the standard DSO 12-byte header | |||
| [DSO], followed by the UNSUBSCRIBE TLV. An UNSUBSCRIBE request | [DSO], followed by the UNSUBSCRIBE TLV. An UNSUBSCRIBE request | |||
| skipping to change at page 24, line 33 ¶ | skipping to change at page 24, line 33 ¶ | |||
| that the disputed records are in fact no longer valid, then | that the disputed records are in fact no longer valid, then | |||
| subsequent DNS PUSH Messages will be generated to inform interested | subsequent DNS PUSH Messages will be generated to inform interested | |||
| clients. Thus, one client discovering that a previously-advertised | clients. Thus, one client discovering that a previously-advertised | |||
| device (like a network printer) is no longer present has the side | device (like a network printer) is no longer present has the side | |||
| effect of informing all other interested clients that the device in | effect of informing all other interested clients that the device in | |||
| question is now gone. | question is now gone. | |||
| 6.5.1. RECONFIRM Request | 6.5.1. RECONFIRM Request | |||
| A RECONFIRM request begins with the standard DSO 12-byte header | A RECONFIRM request begins with the standard DSO 12-byte header | |||
| [DSO], followed by the RECONFIRM TLV. A RECONFIRM request message is | [DSO], followed by the primary DSO RECONFIRM TLV. A RECONFIRM | |||
| illustrated in Figure 4. | request message is illustrated in Figure 4. | |||
| The MESSAGE ID field MUST be set to a unique value, that the client | The MESSAGE ID field MUST be set to a unique value, that the client | |||
| is not using for any other active operation on this DSO session. For | is not using for any other active operation on this DSO session. For | |||
| the purposes here, a MESSAGE ID is in use on this session if the | the purposes here, a MESSAGE ID is in use on this session if the | |||
| client has used it in a request for which it has not yet received a | client has used it in a request for which it has not yet received a | |||
| response, or if the client has used it for a subscription which it | response, or if the client has used it for a subscription which it | |||
| has not yet cancelled using UNSUBSCRIBE. In the RECONFIRM response | has not yet cancelled using UNSUBSCRIBE. In the RECONFIRM response | |||
| the server MUST echo back the MESSAGE ID value unchanged. | the server MUST echo back the MESSAGE ID value unchanged. | |||
| The other header fields MUST be set as described in the DSO | The other header fields MUST be set as described in the DSO | |||
| skipping to change at page 26, line 35 ¶ | skipping to change at page 26, line 35 ¶ | |||
| reconfirmation request. Supported RCODEs are as follows: | reconfirmation request. Supported RCODEs are as follows: | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| | Mnemonic | Value | Description | | | Mnemonic | Value | Description | | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| | NOERROR | 0 | RECONFIRM accepted. | | | NOERROR | 0 | RECONFIRM accepted. | | |||
| | FORMERR | 1 | Server failed to process request due to a | | | FORMERR | 1 | Server failed to process request due to a | | |||
| | | | malformed request. | | | | | malformed request. | | |||
| | SERVFAIL | 2 | Server failed to process request due to a | | | SERVFAIL | 2 | Server failed to process request due to a | | |||
| | | | problem with the server. | | | | | problem with the server. | | |||
| | NXDOMAIN | 3 | NOT APPLICABLE. DNS Push Notification servers | | ||||
| | | | MUST NOT return NXDOMAIN errors in response | | ||||
| | | | to RECONFIRM requests. | | ||||
| | NOTIMP | 4 | Server does not implement DSO. | | | NOTIMP | 4 | Server does not implement DSO. | | |||
| | REFUSED | 5 | Server refuses to process request for policy | | | REFUSED | 5 | Server refuses to process request for policy | | |||
| | | | or security reasons. | | | | | or security reasons. | | |||
| | NOTAUTH | 9 | Server is not authoritative for the requested | | | NOTAUTH | 9 | Server is not authoritative for the requested | | |||
| | | | name. | | | | | name. | | |||
| | DSOTYPENI | 11 | RECONFIRM operation not supported. | | | DSOTYPENI | 11 | RECONFIRM operation not supported. | | |||
| +-----------+-------+-----------------------------------------------+ | +-----------+-------+-----------------------------------------------+ | |||
| RECONFIRM Response codes | Table 2: RECONFIRM Response codes | |||
| This document specifies only these RCODE values for RECONFIRM | This document specifies only these RCODE values for RECONFIRM | |||
| Responses. Servers sending RECONFIRM Responses SHOULD use one of | Responses. Servers sending RECONFIRM Responses SHOULD use one of | |||
| these values. However, future circumstances may create situations | these values. Note that NXDOMAIN is not a valid RCODE in response to | |||
| where other RCODE values are appropriate in RECONFIRM Responses, so | a RECONFIRM Request. However, future circumstances may create | |||
| clients MUST be prepared to accept RECONFIRM Responses with any RCODE | situations where other RCODE values are appropriate in RECONFIRM | |||
| value. | Responses, so clients MUST be prepared to accept RECONFIRM Responses | |||
| with any other RCODE value. | ||||
| Nonzero RCODE values signal some kind of error. | Nonzero RCODE values signal some kind of error. | |||
| RCODE value FORMERR indicates a message format error, for example | RCODE value FORMERR indicates a message format error, for example | |||
| TYPE or CLASS being ANY (255). | TYPE or CLASS being ANY (255). | |||
| RCODE value SERVFAIL indicates that the server has exhausted its | RCODE value SERVFAIL indicates that the server has exhausted its | |||
| resources or other serious problem occurred. | resources or other serious problem occurred. | |||
| RCODE values NOTIMP indicates that the server does not support DSO, | RCODE values NOTIMP indicates that the server does not support DSO, | |||
| skipping to change at page 28, line 5 ¶ | skipping to change at page 28, line 5 ¶ | |||
| Nonzero RCODE values SERVFAIL, REFUSED and DSOTYPENI are benign from | Nonzero RCODE values SERVFAIL, REFUSED and DSOTYPENI are benign from | |||
| the client's point of view. The client may log them to aid in | the client's point of view. The client may log them to aid in | |||
| debugging, but otherwise they require no special action. | debugging, but otherwise they require no special action. | |||
| Nonzero RCODE values other than these three indicate a serious | Nonzero RCODE values other than these three indicate a serious | |||
| problem with the client. After sending an error response other than | problem with the client. After sending an error response other than | |||
| one of these three, the server SHOULD send a DSO Retry Delay TLV to | one of these three, the server SHOULD send a DSO Retry Delay TLV to | |||
| end the DSO session, as described in the DSO specification [DSO]. | end the DSO session, as described in the DSO specification [DSO]. | |||
| 6.6. Client-Initiated Termination | 6.6. DNS Stateful Operations TLV Context Summary | |||
| This document defines four new DSO TLVs. As suggested in [DSO], | ||||
| Section 8.2, the valid contexts of these new TLV types are summarized | ||||
| below. | ||||
| The client TLV contexts are: | ||||
| C-P: Client primary TLV | ||||
| C-U: Client primary unidirectional TLV | ||||
| C-A: Client additional TLV | ||||
| CRP: Client response primary TLV | ||||
| CRA: Client response additional TLV | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| | TLV Type | C-P | C-U | C-A | CRP | CRA | | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| | SUBSCRIBE | X | | | | | | ||||
| | PUSH | | | | | | | ||||
| | UNSUBSCRIBE | | X | | | | | ||||
| | RECONFIRM | X | | | | | | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| Table 3: DSO TLV Client Context Summary | ||||
| The server TLV contexts are: | ||||
| S-P: Server primary TLV | ||||
| S-U: Server primary unidirectional TLV | ||||
| S-A: Server additional TLV | ||||
| SRP: Server response primary TLV | ||||
| SRA: Server response additional TLV | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| | TLV Type | S-P | S-U | S-A | SRP | SRA | | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| | SUBSCRIBE | | | | | | | ||||
| | PUSH | | X | | | | | ||||
| | UNSUBSCRIBE | | | | | | | ||||
| | RECONFIRM | | | | | | | ||||
| +-------------+-----+-----+-----+-----+-----+ | ||||
| Table 4: DSO TLV Server Context Summary | ||||
| 6.7. Client-Initiated Termination | ||||
| An individual subscription is terminated by sending an UNSUBSCRIBE | An individual subscription is terminated by sending an UNSUBSCRIBE | |||
| TLV for that specific subscription, or all subscriptions can be | TLV for that specific subscription, or all subscriptions can be | |||
| cancelled at once by the client closing the DSO session. When a | cancelled at once by the client closing the DSO session. When a | |||
| client terminates an individual subscription (via UNSUBSCRIBE) or all | client terminates an individual subscription (via UNSUBSCRIBE) or all | |||
| subscriptions on that DSO session (by ending the session) it is | subscriptions on that DSO session (by ending the session) it is | |||
| signaling to the server that it is longer interested in receiving | signaling to the server that it is longer interested in receiving | |||
| those particular updates. It is informing the server that the server | those particular updates. It is informing the server that the server | |||
| may release any state information it has been keeping with regards to | may release any state information it has been keeping with regards to | |||
| these particular subscriptions. | these particular subscriptions. | |||
| skipping to change at page 29, line 7 ¶ | skipping to change at page 30, line 7 ¶ | |||
| If a client has performed operations on this session that it would | If a client has performed operations on this session that it would | |||
| not want lost (like DNS updates) then the client SHOULD do an orderly | not want lost (like DNS updates) then the client SHOULD do an orderly | |||
| disconnect, sending a TLS close_notify followed by a TCP FIN. (In | disconnect, sending a TLS close_notify followed by a TCP FIN. (In | |||
| the BSD Sockets API, sending a TCP FIN is achieved by calling | the BSD Sockets API, sending a TCP FIN is achieved by calling | |||
| "shutdown(s,SHUT_WR)" and keeping the socket open until all remaining | "shutdown(s,SHUT_WR)" and keeping the socket open until all remaining | |||
| data has been read from it.) | data has been read from it.) | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The Strict Privacy Usage Profile for DNS over TLS is strongly | The Strict Privacy Usage Profile for DNS over TLS is REQUIRED for DNS | |||
| recommended for DNS Push Notifications as defined in "Usage Profiles | Push Notifications as defined in "Usage Profiles for DNS over TLS and | |||
| for DNS over TLS and DNS over DTLS" [RFC8310]. The Opportunistic | DNS over DTLS" [RFC8310]. Cleartext connections for DNS Push | |||
| Privacy Usage Profile is permissible as a way to support incremental | Notifications are not permissible. Since this is a new protocol, | |||
| deployment of security capabilities. Cleartext connections for DNS | transition mechanisms from the Opportunistic Privacy profile are | |||
| Push Notifications are not permissible. | deemed unnecessary. | |||
| DNSSEC is RECOMMENDED for the authentication of DNS Push Notification | DNSSEC is RECOMMENDED for the authentication of DNS Push Notification | |||
| servers. TLS alone does not provide complete security. TLS | servers. TLS alone does not provide complete security. TLS | |||
| certificate verification can provide reasonable assurance that the | certificate verification can provide reasonable assurance that the | |||
| client is really talking to the server associated with the desired | client is really talking to the server associated with the desired | |||
| host name, but since the desired host name is learned via a DNS SRV | host name, but since the desired host name is learned via a DNS SRV | |||
| query, if the SRV query is subverted then the client may have a | query, if the SRV query is subverted then the client may have a | |||
| secure connection to a rogue server. DNSSEC can provided added | secure connection to a rogue server. DNSSEC can provided added | |||
| confidence that the SRV query has not been subverted. | confidence that the SRV query has not been subverted. | |||
| skipping to change at page 30, line 32 ¶ | skipping to change at page 31, line 32 ¶ | |||
| In order to reduce the chances of compression-related attacks, TLS- | In order to reduce the chances of compression-related attacks, TLS- | |||
| level compression SHOULD be disabled when using TLS versions 1.2 and | level compression SHOULD be disabled when using TLS versions 1.2 and | |||
| earlier. In TLS 1.3 [RFC8446], TLS-level compression has been | earlier. In TLS 1.3 [RFC8446], TLS-level compression has been | |||
| removed completely. | removed completely. | |||
| 7.4. TLS Session Resumption | 7.4. TLS Session Resumption | |||
| TLS Session Resumption is permissible on DNS Push Notification | TLS Session Resumption is permissible on DNS Push Notification | |||
| servers. The server may keep TLS state with Session IDs [RFC5246] or | servers. The server may keep TLS state with Session IDs [RFC5246] or | |||
| operate in stateless mode by sending a Session Ticket [RFC5077] to | operate in stateless mode by sending a Session Ticket [RFC5077] to | |||
| the client for it to store. However, once the DSO session is closed, | the client for it to store. However, closing the TLS connection | |||
| any existing subscriptions will be dropped. When the TLS session is | terminates the DSO session. When the TLS session is resumed, the DNS | |||
| resumed, the DNS Push Notification server will not have any | Push Notification server will not have any subscription state and | |||
| subscription state and will proceed as with any other new DSO | will proceed as with any other new DSO session. Use of TLS Session | |||
| session. Use of TLS Session Resumption allows a new TLS connection | Resumption may allow a TLS connection to be set up more quickly, but | |||
| to be set up more quickly, but the client will still have to recreate | the client will still have to recreate any desired subscriptions. | |||
| any desired subscriptions. | ||||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document defines a new service name to be published in the IANA | This document defines a new service name to be published in the IANA | |||
| Registry Service Types [RFC6335][ST] that is only applicable for the | Registry Service Types [RFC6335][ST] that is only applicable for the | |||
| TCP protocol. | TCP protocol. | |||
| +-----------------------+------+----------------------+-------------+ | ||||
| | Name | Port | Value | Definition | | ||||
| +-----------------------+------+----------------------+-------------+ | ||||
| | DNS Push Notification | None | "_dns-push-tls._tcp" | Section 6.1 | | ||||
| | Service Type | | | | | ||||
| +-----------------------+------+----------------------+-------------+ | ||||
| Table 5: IANA Service Type Assignments | ||||
| This document also defines four new DNS Stateful Operation TLV types | This document also defines four new DNS Stateful Operation TLV types | |||
| to be recorded in the IANA DSO Type Code Registry. | to be recorded in the IANA DSO Type Code Registry. | |||
| +----------------------------+----------------------+---------------+ | +-------------+------------------------+---------------+ | |||
| | Name | Value | Definition | | | Name | Value | Definition | | |||
| +----------------------------+----------------------+---------------+ | +-------------+------------------------+---------------+ | |||
| | DNS Push Notifcation | "_dns-push-tls._tcp" | Section 6.1 | | | SUBSCRIBE | TBA (tentatively 0x40) | Section 6.2 | | |||
| | Service Type | | | | | PUSH | TBA (tentatively 0x41) | Section 6.3.1 | | |||
| | SUBSCRIBE | TBA (tentatively | Section 6.2 | | | UNSUBSCRIBE | TBA (tentatively 0x42) | Section 6.4 | | |||
| | | 0x40) | | | | RECONFIRM | TBA (tentatively 0x43) | Section 6.5.1 | | |||
| | PUSH | TBA (tentatively | Section 6.3.1 | | +-------------+------------------------+---------------+ | |||
| | | 0x41) | | | ||||
| | UNSUBSCRIBE | TBA (tentatively | Section 6.4 | | ||||
| | | 0x42) | | | ||||
| | RECONFIRM | TBA (tentatively | Section 6.5.1 | | ||||
| | | 0x43) | | | ||||
| +----------------------------+----------------------+---------------+ | ||||
| Table 1: IANA Assignments | Table 6: IANA DSO TLV Type Code Assignments | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| The authors would like to thank Kiren Sekar and Marc Krochmal for | The authors would like to thank Kiren Sekar and Marc Krochmal for | |||
| previous work completed in this field. | previous work completed in this field. | |||
| This draft has been improved due to comments from Ran Atkinson, Tim | This draft has been improved due to comments from Ran Atkinson, Tim | |||
| Chown, Mark Delany, Ralph Droms, Bernie Volz, Jan Komissar, Manju | Chown, Mark Delany, Ralph Droms, Bernie Volz, Jan Komissar, Manju | |||
| Shankar Rao, Markus Stenberg, Dave Thaler, Soraia Zlatkovic, Sara | Shankar Rao, Markus Stenberg, Dave Thaler, Soraia Zlatkovic, Sara | |||
| Dickinson, and Andrew Sullivan. | Dickinson, and Andrew Sullivan. Ted Lemon provided clarifying text | |||
| that was greatly appreciated. | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [DSO] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | [DSO] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., | |||
| Lemon, T., and T. Pusateri, "DNS Stateful Operations", | Lemon, T., and T. Pusateri, "DNS Stateful Operations", | |||
| draft-ietf-dnsop-session-signal-14 (work in progress), | draft-ietf-dnsop-session-signal-18 (work in progress), | |||
| August 2018. | October 2018. | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| DOI 10.17487/RFC0768, August 1980, | DOI 10.17487/RFC0768, August 1980, | |||
| <https://www.rfc-editor.org/info/rfc768>. | <https://www.rfc-editor.org/info/rfc768>. | |||
| [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | |||
| RFC 793, DOI 10.17487/RFC0793, September 1981, | RFC 793, DOI 10.17487/RFC0793, September 1981, | |||
| <https://www.rfc-editor.org/info/rfc793>. | <https://www.rfc-editor.org/info/rfc793>. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| End of changes. 34 change blocks. | ||||
| 149 lines changed or deleted | 212 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||