draft-ietf-dnsext-mdns-00.txt   draft-ietf-dnsext-mdns-01.txt 
DNSEXT Working Group Levon Esibov DNSEXT Working Group Levon Esibov
INTERNET-DRAFT Bernard Aboba INTERNET-DRAFT Bernard Aboba
Category: Standards Track Dave Thaler Category: Standards Track Dave Thaler
<draft-ietf-dnsext-mdns-00.txt> Microsoft <draft-ietf-dnsext-mdns-01.txt> Microsoft
November 16, 2000 6 July 2001
Multicast DNS Multicast DNS
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet- Drafts. may also distribute working documents as Internet- Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
or to cite them other than as "work in progress." or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract Abstract
Today, with the rise of home networking, there are an increasing number Today, with the rise of home networking, there are an increasing number
of small networks operating without a DNS server. In order to allow DNS of ad-hoc networks operating without a DNS server. In order to allow DNS
name resolution in such environments, the use of a multicast DNS is name resolution in such environments, the use of a multicast DNS is
proposed. proposed.
Table of Contents
1. Introduction .......................................... 3
2. Name resolution using multicast DNS ................... 3
2.1 Behavior of the sender and responder ............ 3
3. Usage model ........................................... 4
4. Sequence of events .................................... 8
5. Conflict resolution ................................... 8
5.1 Considerations for multiple interfaces .......... 10
6. IANA considerations ................................... 11
7. ARPA domain considerations ............................ 11
8. References ............................................ 12
9. Security considerations ............................... 13
ACKNOWLEDGMENTS .............................................. 13
AUTHORS' ADDRESSES ........................................... 14
Intellectual Property Statement .............................. 14
Full Copyright Statement ..................................... 15
1. Introduction 1. Introduction
Multicast DNS enables DNS name resolution in the scenarios when Multicast DNS enables DNS name resolution in the scenarios when
conventional DNS name resolution is not possible. Namely, when there are conventional DNS name resolution is not possible. Namely, when there are
no DNS servers available on the network or available DNS servers do not no DNS servers available on the network or available DNS servers do not
provide name resolution for the names of the hosts on the local provide name resolution for the names of the hosts on the local network.
network. The latter case, for example, corresponds to a scenario when a The latter case, for example, corresponds to a scenario when a network
home network that doesn't have a DNS server is connected to the Internet that doesn't have a DNS server is connected to the Internet through an
through an ISP and the home network hosts are configured with the ISP's ISP and the network hosts are configured with the ISP's DNS server for
DNS server for the name resolution. The ISP's DNS server provides the the name resolution. The ISP's DNS server provides the name resolution
name resolution for the names registered on the Internet, but doesn't for the names registered on the Internet, but doesn't provide name
provide name resolution for the names of the hosts on the home network. resolution for the names of the hosts on the network.
This document discusses multicast DNS, an extension to the DNS protocol This document discusses multicast DNS, an extension to the DNS protocol
which consists of a single change to the method of use, and no change to which consists of a single change to the method of use, and no change to
the format of DNS packets. the format of DNS packets.
Discovery of the services in general as well as discovery of the DNS Service discovery in general as well as discovery of DNS servers using
servers in particular using multicast DNS is left outside of the scope mDNS in particular is outside of the scope of this document, as is name
of this document. resolution over non-multicast capable media.
Name resolution over non-multicast capable media is left outside of the
scope of this document.
In this document, the key words "MAY", "MUST, "MUST NOT", "optional", In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [1]. described in [1].
2. Name resolution using Multicast DNS 2. Name resolution using Multicast DNS
This extension to the DNS protocol consists of a single change to the This extension to the DNS protocol consists of a single change to the
method of use, and no change whatsoever to the current format of DNS method of use, and no change to the current format of DNS packets.
packets. Namely, this extension allows multicast DNS queries to be sent Namely, this extension allows multicast DNS queries to be sent to and
to and received on port 53 using the LINKLOCAL addresses [2] for IPv4 received on port 53.
and IPv6 (below in this text referred as LINKLOCAL address), which are
yet to be assigned by IANA. LINKLOCAL addresses are used to prevent
propagation of the multicast DNS traffic across the routers that may
cause network flooding. Propagation of the multicast DNS packets within
the boundaries is considered sufficient to enable DNS name resolution,
since the expectation is that if a network has a router, then this
router can function as a mini-DHCP server, as described in [3], and a
DNS proxy, possibly implementing dynamic DNS. Thus there is not expected
to be a need for use of multicast DNS in networks with multiple
segments.
2.1 Behavior of the sender and responder The messages are sent using the LINKLOCAL addresses [2] for IPv4 and
IPv6 (below referred as the LINKLOCAL address), which are yet to be
assigned by IANA. LINKLOCAL addresses are used to prevent propagation of
multicast DNS traffic across routers, potentially flooding the network.
For the purpose of this document a device that sends a multicast query Propagation of multicast DNS packets within the local subnet is
is called a "sender", while a device that listens to (but not considered sufficient to enable DNS name resolution in small adhoc
necessarily responds to) a multicast query is called "responder". A networks. The assumption is that if a network has a router, then the
device configured to be a "responder" may also be a "sender". A device network either has a DNS server or the router can function as a DNS
configured to not be a "responder" cannot be a "sender". proxy, possibly implementing dynamic DNS.
In the future, mDNS may be defined to support greater than LINKLOCAL
multicast scope. This would occur if LINKLOCAL mDNS deployment is
successful, the assumption that mDNS is not needed in multiple subnets
proves incorrect, and multicast routing becomes ubiquitous. For
example, it is not clear that this assumption will be valid in large
adhoc networking scenarios.
Once we have experience in mDNS deployment in terms of administrative
issues, usability and impact on the network it will be possible
reevaluate which multicast scopes are appropriate for use with mDNS.
2.1. Behavior of the sender and responder
For the purpose of this document a host that sends a multicast query is
called a "sender", while a host that listens to (but not necessarily
responds to) a multicast query is called "responder". A host configured
to be a "responder" may also be a "sender". A host configured to not be
a "responder" cannot be a "sender".
2.1.1. Behavior of senders
A sender sends multicast DNS query for any legal Type of resource record A sender sends multicast DNS query for any legal Type of resource record
(e.g. A, PTR, etc) for a name within the ".local.arpa." domain to the (e.g. A, PTR, etc.) for a name within the ".local.arpa." domain to the
LINKLOCAL address. The RD (Recursion Desired) bit MUST NOT be set. If a LINKLOCAL address. The RD (Recursion Desired) bit MUST NOT be set. If a
responder receives a query with the header containing RD set bit, the responder receives a query with the header containing RD set bit, the
responder MUST ignore the RD bit. responder MUST ignore the RD bit.
If the multicast query is not positively resolved ("positively resolved" If the multicast query is not positively resolved ("positively resolved"
refers in this document to the response with the RCODE set to 0) during refers in this document to a response with the RCODE set to 0) during a
a limited amount of time, then a sender MAY repeat the transmission of a limited amount of time, then a sender MAY repeat the transmission of a
query in order to assure themselves that the query has been received by query in order to assure themselves that the query has been received by
a host capable of responding to the query. Repetition MUST NOT be a host capable of responding to the query.
attempted more than 5 times, and the repetition SHOULD NOT be repeated
more often than once per 0.1 seconds to reduce the unnecessary network Repetition MUST NOT be attempted more than 3 times and SHOULD NOT be
traffic. Retry intervals SHOULD be exponentially increased. repeated more often than once per second to reduce unnecessary network
traffic. The delay between attempts should be randomised so as to avoid
synchronisation effects.
2.1.2. Behavior of responders
A responder listens on port 53 on the LINKLOCAL address. Responders MUST A responder listens on port 53 on the LINKLOCAL address. Responders MUST
respond to multicast queries to those and only those names for which respond to multicast queries to those and only those names for which
they are authoritative. As an example, computer they are authoritative. As an example, computer
"host.example.com.local.arpa." is authoritative for the domain "host.example.com.local.arpa." is authoritative for the domain
"host.example.com.local.arpa.". When such host receives a multicast DNS "host.example.com.local.arpa.". On receiving a multicast DNS A record
query for an A record for the name "host.example.com.local.arpa." it query for the name "host.example.com.local.arpa." such a host responds
responds with an A record(s) that contains its IP address(es) in the with A record(s) that contain IP address(es) in the RDATA of the record.
RDATA of the record.
In conventional DNS terminology a DNS server authoritative for a zone is In conventional DNS terminology a DNS server authoritative for a zone is
authoritative for all the domain names under the zone root except for authoritative for all the domain names under the zone root except for
the branches delegated into separate zones. Contrary to conventional DNS the branches delegated into separate zones. Contrary to conventional DNS
terminology, a responder is authoritative only for the zone root. For terminology, a responder is authoritative only for the zone root. For
example the host "host.example.com.local.arpa." is not authoritative for example the host "host.example.com.local.arpa." is not authoritative for
the name "child.host.example.com.local.arpa." unless the host is the name "child.host.example.com.local.arpa." unless the host is
configured with multiple names, including "host.example.com.local.arpa." configured with multiple names, including "host.example.com.local.arpa."
and "child.host.example.com.local.arpa.". The purpose of such limitation and "child.host.example.com.local.arpa.". The purpose of limiting the
of the name authority scope of a responder is to prevent complication name authority scope of a responder is to prevent complications that
that could be caused by coexistence of two or more devices with the could be caused by coexistence of two or more hosts with the names
names representing child and parent (or grandparents) nodes in the DNS representing child and parent (or grandparent) nodes in the DNS tree,
tree, for example, "host.example.com.local.arpa." and for example, "host.example.com.local.arpa." and
"child.host.example.com.local.arpa.". In this example (unless this "child.host.example.com.local.arpa.".
limitation introduced) the multicast query for an A record for the name
"child.host.example.com.local.arpa." would cause two authoritative
responses: name error received from "host.example.com.local.arpa.", and
requested A record - from "child.host.example.com.local.arpa.". To
prevent such ambiguity, we could propose to implement multicast enabled
devices to perform a dynamic update of the parent (or grandparent) zone
with a delegation to a child zone, in this example a host
"child.host.example.com.local.arpa." would send a dynamic update for
the NS and glue A record to the "host.example.com.local.arpa.", but this
approach significantly complicates implementation of the multicast DNS
and would not be acceptable for a lightweight devices.
The response to the multicast query is composed in exactly the same In this example (unless this limitation is introduced) a multicast query
manner as in case of a response to the unicast DNS query as specified for an A record for the name "child.host.example.com.local.arpa." would
in [4]. Responders MUST never respond using cached data, and the AA result in two authoritative responses: name error received from
(Authoritative Answer) bit MUST be set. The response is sent to the "host.example.com.local.arpa.", and a requested A record - from
sender via unicast. If a TC (truncation) bit is set in the response, "child.host.example.com.local.arpa.". To prevent this ambiguity,
then the sender MAY use the response if it contains all necessary multicast enabled hosts could perform a dynamic update of the parent (or
information, or the sender MAY discard the response and resend the query grandparent) zone with a delegation to a child zone. In this example a
over TCP or using EDNS0 with larger window using unicast address of the host "child.host.example.com.local.arpa." would send a dynamic update
for the NS and glue A record to "host.example.com.local.arpa.", but this
approach significantly complicates implementation of multicast DNS and
would not be acceptable for lightweight hosts.
responder. The RA (Recursion Available) bit in the header of the A response to a multicast query is composed in exactly the same manner
response MUST NOT be set. Even if the RA bit is set in the response as a response to the unicast DNS query as specified in [4]. Responders
header, the sender MUST ignore it. The responder MUST set the Hop Limit MUST never respond using cached data, and the AA (Authoritative Answer)
field in IPv6 header and TTL field in IPv4 header of all responses to bit MUST be set. The response is sent to the sender via unicast. A
the multicast DNS query to 255. The sender MUST verify that the Hop response to an mDNS query MUST have RCODE set to zero, since mDNS
Limit field in IPv6 header and TTL field in IPv4 header of each response responders MUST NOT send error replies in response to mDNS queries.
to the multicast DNS query is set to 255. If it is not, then sender MUST
ignore such response. If a TC (truncation) bit is set in the response, then the sender MAY use
the response if it contains all necessary information, or the sender MAY
discard the response and resend the query over TCP or using EDNS0 with
larger window using the unicast address of the responder. The RA
(Recursion Available) bit in the header of the response MUST NOT be set.
Even if the RA bit is set in the response header, the sender MUST ignore
it.
2.1.3. mDNS addressing
For IPv4 LINKLOCAL addressing, section 2.4 of [6] lays out the rules
with respect to source address selection, TTL settings, and acceptable
source/destination address combinations. IPv6 LINKLOCAL addressing is
described in [9]. mDNS queries and responses MUST obey the rules laid
out in these documents.
In composing an mDNS response, the responder MUST set the Hop Limit
field in the IPv6 header and the TTL field in IPv4 header of the
multicast DNS response to 255. The sender MUST verify that the Hop Limit
field in IPv6 header and TTL field in IPv4 header of each response to
the multicast DNS query is set to 255. If it is not, then sender MUST
ignore the response.
Implementation note:
In the sockets API for IPv4, the IP_TTL and IP_MULTICAST_TTL socket
options are used to specify the TTL of outgoing unicast and multicast
packets. The IP_RECVTTL socket option is available on some platforms
to receive the IPv4 TTL of received packets with recvmsg(). RFC 2292
specifies similar options for specifying and receiving the IPv6 Hop
Limit.
2.1.4. Use of DNS TTL
The responder should use a pre-configured TTL [5] value in the records The responder should use a pre-configured TTL [5] value in the records
returned in the multicast DNS query response. Due to the TTL returned in the multicast DNS query response. Due to the TTL
minimalization necessary when caching an RRset, all TTLs in an RRset minimalization necessary when caching an RRset, all TTLs in an RRset
MUST be set to the same value. MUST be set to the same value. In the additional and authority section
of the response the responder includes the same records as a DNS server
would insert in the response to the unicast DNS query.
The responder includes in the additional and authority section of the 2.1.5. No/multiple responses
response the same records, as a DNS server would insert in the response
to the unicast DNS query.
Sender MUST anticipate receiving no replies to some multicasted queries, The sender MUST anticipate receiving no replies to some multicast
in the event that no responders are available within the multicast queries, in the event that no responders are available within the
scope, or in the event that no positive non-null responses exist to the multicast scope, or in the event that no positive non-null responses
transmitted query. exist for the transmitted query.
If no positive response is received, a resolver treats it as a response If no positive response is received, a resolver treats it as a response
that no records of the specified type and class for the specified name that no records of the specified type and class for the specified name
exist (NXRRSET), which SHOULD be cached for a period that SHOULD NOT exist (NXRRSET).
exceed 5 seconds.
Sender MUST anticipate receiving multiple replies to the same The sender MUST anticipate receiving multiple replies to the same
multicasted query, in the event that several multicast DNS enabled multicast query, in the event that several multicast DNS enabled
computers receive the query and respond with valid answers. When this computers receive the query and respond with valid answers. When this
occurs, the responses MAY first be concatenated, and then treated in the occurs, the responses MAY first be concatenated, and then treated in the
same manner that multiple RRs received from the same DNS server would, same manner that multiple RRs received from the same DNS server would,
ordinarily. ordinarily.
3. Usage model 3. Usage model
A device configured to be a "responder" may also be a "sender". A device A host configured to be an mDNS "responder" MUST also be configured as a
configured to not be a "responder" cannot be a "sender". "sender". A host not configured as a "responder" MUST NOT be a "sender".
Multicast DNS usage is determined by the domain search configuration as Multicast DNS usage is determined by the domain search configuration as
well as by special treatment of the ".local.arpa." namespace. Any well as by special treatment of the ".local.arpa." namespace. Any host
device whose domain search configuration contains ".local.arpa." domain whose domain search configuration contains the ".local.arpa." domain is
is configured to behave as "responder". A device configured to be a configured to behave as "responder". The sender treats queries for
"responder" may also be a "sender". A device cannot be configured to
behave as one (i.e. sender or responder), but not another. The sender ".local.arpa." as a special case. The domain search list can be
treats queries for ".local.arpa." as a special case. The domain search configured manually or automatically via a DHCP option [3].
list can be configured manually or automatically via a DHCP option.
A sender MUST NOT send a unicast query for names ending with the A sender MUST NOT send a unicast query for names ending with the
".local.arpa." suffix except in the case when a sender repeats a query ".local.arpa." suffix except when:
over TCP after it received a response to the previous multicast query
with TC bit set or unless sender's cache contains NS resource record
that enables sender to send a query directly to the devices
authoritative for the name in query.
It is not expected that a device "host.example.com." will be manually a. A sender repeats a query over TCP after it received a response
configured to have additional name "host.example.com.local.arpa." when to the previous multicast query with the TC bit set, or
it is configured to use multicast DNS. Instead, a responder with a name
"host.example.com." configured with ".local.arpa." suffix in its domain b. The sender's cache contains an NS resource record that enables
search configuration is authoritative for the name the sender to send a query directly to the hosts
"host.example.com.local.arpa.". I.e. when responder with the name authoritative for the name in the query.
"host.example.com." receives an A type query for the name
"host.example.com.local.arpa." it authoritatively responds to the query. It is not expected that a host named "host.example.com." will be
manually configured to have the additional name
"host.example.com.local.arpa." when it is configured to use multicast
DNS. Instead, a responder with a name "host.example.com." configured
with ".local.arpa." suffix in its domain search configuration is
authoritative for the name "host.example.com.local.arpa.". For example,
when a responder with the name "host.example.com." receives an A type
query for the name "host.example.com.local.arpa." it authoritatively
responds to the query.
If ".local.arpa" is not in the domain search list, then multicast DNS If ".local.arpa" is not in the domain search list, then multicast DNS
MUST NOT be used by a device. This implies that the device will neither MUST NOT be used. This implies that the host will neither listen on the
listen on the DNS LINKLOCAL multicast address, nor will it send queries DNS LINKLOCAL multicast address, nor will it send queries to that
to that address. An auto-configured host will typically have address. An auto-configured host will typically have ".local.arpa" first
".local.arpa" first in its search list so that it will be enabled to in its search list so that it will be enabled to use multicast DNS.
use mDNS. Typically an enterprise host will not have ".local.arpa" in Typically an enterprise host will not have ".local.arpa" in its search
its search list at all so that it will not use mDNS. list at all so that it will not use multicast DNS.
The same device may use multicast DNS queries for the name resolution of The same host MAY use multicast DNS queries for the resolution of names
the names ending with ".local.arpa.", and unicast DNS queries for name ending with ".local.arpa.", and unicast DNS queries for resolution of
resolution of all other names. When a DNS client is requested by a user all other names. When a user or application requests a DNS client to
or application to perform a name resolution of a dot-terminated name resolve a dot-terminated name that contains a ".local.arpa" suffix, the
that contains a ".local.arpa" suffix, a query for such name MUST be query for such a name MUST be multicast and the name SHOULD NOT be
multicasted and such name should not be concatenated with any suffix. concatenated with any suffix.
If a DNS server is running on a device, the device MUST NOT listen for If a DNS server is running on a host, the host MUST NOT listen for
the multicast DNS queries, to prevent a device from listening on port 53 multicast DNS queries, to prevent the host from listening on port 53 and
and intercepting DNS queries directed to a DNS server. A DNS server may intercepting DNS queries directed to a DNS server. By default, a DNS
listen and respond to the multicast queries. A DNS server by default server MUST NOT listen to multicast DNS queries. For a DNS server, the
doesn't listen to the multicast DNS queries. Presence of the presence of ".local.arpa." in the domain search list MUST NOT enable
".local.arpa." in the domain search list doesn't affect the multicast DNS.
configuration on the DNS server.
4. Sequence of events 4. Sequence of events
The sequence of events for usage of multicast DNS is as follows: The sequence of events for multicast DNS usage is as follows:
1. If a sender needs to resolve a query for a name 1. If a sender needs to resolve a query for a name
"host.example.com.local.arpa", then it sends a multicast query to the "host.example.com.local.arpa", then it sends a multicast query to the
LINKLOCAL multicast address. LINKLOCAL multicast address.
2. A responder responds to this query only if it is authoritative 2. A responder responds to this query only if it is authoritative
for the domain name "host.example.com.local.arpa". The responder sends for the domain name "host.example.com.local.arpa". The responder sends
a response to the sender via unicast over UDP. a response to the sender via unicast over UDP.
3. Upon the reception of the response the sender verifies that the Hop 3. Upon the reception of the response, the sender verifies that the Hop
Limit field in IPv6 header or TTL field in IPv4 header (depending on Limit field in IPv6 header or TTL field in IPv4 header (depending on
used protocol) of the response is set to 255. If it is, then sender the protocol used) of the response is set to 255. If the destination
address is a LINKLOCAL address, then the sender verifies use of a
LINKLOCAL source address. If these conditions are met, then the sender
uses and caches the returned response. If not, then the sender ignores uses and caches the returned response. If not, then the sender ignores
the response and continues waiting for the response. the response and continues waiting for the response.
5. Name conflicts 5. Conflict resolution
It is required to verify the uniqueness of the host DNS name when a host There are some scenarios when multiple responders MAY respond to the
boots, when its name is changed, or when it is configured to use same query. There are other scenarios when only one responder may
multicast DNS (such as when the domain search option is changed to respond to a query. Resource records for which the latter queries are
include ".local.arpa."). submitted are referred as UNIQUE throughout this document. The
uniqueness of a resource record depends on a nature of the name in the
query and type of the query. For example it is expected that:
A gratuitous name resolution query SHOULD be done to check for a name - multiple hosts may respond to a query for a SRV type record
conflict. This is done by having the resolver send a multicast query for - multiple hosts may respond to a query for an A type record for a
a SOA type query for its own name (i.e. for the name it is authoritative cluster name (assigned to multiple hosts in the cluster)
for). If the query is not positively resolved then host assumes - only a single host may respond to a query for an A type record for
authority for the name. If the query is positively resolved, then the a hostname.
host should verify that the computer name specified in the RDATA of the
SOA record in the answer section of the response is its own computer
name. If the host verifies it, then it assumes authority for its name.
If the host cannot match the returned computer name to its computer
name, then a conflict has been detected. In order to resolve name
conflict, the host will change the name.
A host that has detected a name conflict MUST NOT use the name. This Every responder that responds to a multicast DNS query and/or dynamic
means that the host MUST NOT respond to multicast queries for that name update request AND includes a UNIQUE record in the response:
and MUST NOT respond to other multicast queries with the records that
contain in RDATA name in conflict (for example, PTR record). 1. MUST verify that there is no other host within the scope of the
multicast DNS query propagation that can return a DNS record
for the same name, type and class.
2. MUST NOT include a UNIQUE resource record in the
response without having verified its uniqueness.
Where a host is configured to respond to multicast DNS queries on more
than one interface, the host MUST verify resource record uniqueness on
each interface for each UNIQUE resource record that could be used on
that interface. To accomplish this, the host MUST multicast a dynamic
DNS update request as specified in RFC 2136 [11] for each new UNIQUE
resource record. Uniqueness verification is carried out when the host:
- starts up or
- is configured to respond to the multicast DNS queries on
some interface or
- is configured to respond to the multicast DNS queries using
additional UNIQUE DNS records.
Below we describe the data to be specified in the dynamic update
request:
Header section
contains values according to [RFC 2136].
Zone section
The zone name in the zone section MUST be set to the name of the
UNIQUE record. The zone type in the zone section MUST be set to
SOA. The zone class in the zone section MUST be set to the class of
the UNIQUE record.
Prerequisite section
This section MUST contain a record set whose semantics are
described in RFC 2136 [11], Section 2.4.3 "RRset Does Not Exist",
requesting that RRs with the NAME and TYPE of the UNIQUE record do
not exist.
Update section
This section MUST be left empty.
Additional section
This section is set according to RFC 2136.
When a host that owns a UNIQUE record receives a dynamic update request
that requests that the UNIQUE resource record set does not exist, the
host MUST respond via unicast with the YXRRSET error, according to the
rules described in Section 3 of RFC 2136 [11].
After client receives an YXRRSET response to its dynamic update request
that a UNIQUE resource record does not exist, the host MUST not use the
UNIQUE resource record in responses to multicast queries and dynamic
update requests.
Note that this name conflict detection mechanism doesn't prevent name Note that this name conflict detection mechanism doesn't prevent name
conflicts when previously separate networks are connected by a bridge. conflicts when previously partitioned segments are connected by a
Name conflict in such situation is detected when a sender receives more bridge. In such a situation, name conflicts are detected when a sender
than one response to its multicasted DNS query. Such sender sends using receives more than one response to its multicast DNS query. In this
unicast the first response that it received to all responders, except case, the sender sends the first response that it received to all
the first one, that responded to this query. A host that receives a
response for a query for it's own name, even if it didn't send such responders that responded to this query except the first one, using
query, sends a multicast query for the SOA record for the name that it unicast. A host that receives a query response containing a UNIQUE
is authoritative for. Based on the response the host detects the name resource record that it owns, even if it didn't send such a query, MUST
conflict and acts according to the description above. verify that no other host within the multicast DNS scope is
authoritative for the same name, using the dynamic DNS update request
mechanism described above.
Based on the result, the host detects whether there is a name conflict
and acts as described above.
5.1. Considerations for Multiple Interfaces
A multi-homed host may elect to configure multicast DNS on only one of
its active interfaces. In many situations this will be adequate.
However, should a host wish to configure multicast DNS on more than one
of its active interfaces, there are some additional precautions it MUST
take. Implementers who are not planning to support multicast DNS on
multiple interfaces simultaneously may skip this section.
A multi-homed host checks the uniqueness of UNIQUE records as described
in Section 5.
The situation is illustrated in figure 1 below:
---------- ----------
| | | |
[A] [myhost] [myhost]
Figure 1. LINKLOCAL name conflict
In this situation, the multi-homed myhost will probe for, and defend,
its host name on both interfaces. A conflict will be detected on one
interface, but not the other, and as a result, the multi-homed myhost
will not be able to respond with a host RR for "myhost".
Since names are only unique per-link, hosts on different links could be
using the same name. If an mDNS client sends requests over multiple
interfaces, and receives replies from more than one, the result returned
to the client is defined by the implementation. The situation is
illustrated in figure 2 below.
---------- ----------
| | | |
[A] [myhost] [A]
Figure 2. Off-segment name conflict
If host myhost is configured to use mDNS on both interfaces, it will
send mDNS queries on both interfaces. When host myhost sends a query
for the host RR for name "A" it will receive a response from hosts on
both interfaces. Host myhost will then forward a response from the
first responder to the second responder, who will attempt to verify the
uniqueness of host RR for its name, but will not discover a conflict,
since the conflicting host resides on a different subnet. Therefore it
will continue using its name. This illustrates that the proposed name
conflict resolution mechanism does not support resolution of conflicts
between hosts on different subnets. This problem can also occur with
unicast DNS when a multi-homed host is connected to two different
networks with separated name spaces. It is not the intent of this
document to address the issue of uniqueness of names within DNS.
6. IANA Considerations 6. IANA Considerations
Authors will contact IANA to reserve LINKLOCAL IPv4 and IPv6 addresses. Authors will contact IANA to reserve LINKLOCAL IPv4 and IPv6 addresses.
7. Security Considerations 7. ARPA domain considerations
This document specifies the use of a new sub-domain of the "ARPA"
domain. According to Section 2.1 of the ARPA Guidelines [12], this
specification requires description and justification.
The 'local.arpa' domain is used to distinguish a local namespace. This
namespace differs from others in the following respects:
- Name servers responding to requests for names in this
domain have different rules concerning authority. As
explained in Section 2.1, mDNS servers have limited
scope of authority, not extending to sub-domains of
domain they are authoritative for.
- DNS servers SHOULD NOT forward queries for domain names
in the local.arpa domain - if the server cannot answer
the query from its own database, it should reply with a
non-authoritative NXDOMAIN.
- Hosts may derive their own names in this namespace,
independent of centralized authorization and registration
(as defined in section 3 and section 5).
- There is no delegation or administrative structure to
sub-domains of '.local.arpa'.
How protocol objects are mapped into lookup keys:
Names are associated with resources which can be requested
according to the DNS protocol. However, recursive lookup
is impossible. Further, mDNS specifies only the use of
multicast to transmit these requests.
8. References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
2365, July 1998.
[3] Aboba, B., "DHCP Domain Search Option", Internet draft (work in
progress), draft-aboba-dhc-domsearch-02.txt, June 2001.
[4] Mockapetris, P., "Domain Names - Implementation and Specification",
RFC 1035, November 1987.
[5] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
1034, November, 1987.
[6] Cheshire, S., Aboba, B., "Dynamic Configuration of IPv4 Link-Local
Addresses", Internet draft (work in progress), draft-ietf-zeroconf-
ipv4-linklocal-03.txt, June 2001.
[7] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[8] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.
[9] Hinden, R., Deering, S., "IP Version 6 Addressing Architecture",
RFC 2373, July 1998.
[10] Information technology - Telecommunications and information
exchange between systems - Local and metropolitan area networks -
Specific Requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications, IEEE Std.
802.11-1997, 1997.
[11] Vixie, P., Thomson, S., Rekhter, Y., Bound, J., "Dynamic Updates in
the Domain Name System (DNS UPDATE)", RFC 2136, April 1997.
[12] Huston, G., "Management Guidelines & Operational Requirements for
the Internet Infrastructure Domain ("ARPA")", Internet draft (work
in progress), draft-iab-arpa-02.txt, May 2001.
9. Security Considerations
This draft does not prescribe a means of securing the multicast DNS This draft does not prescribe a means of securing the multicast DNS
mechanism. It is possible that hosts will allocate conflicting names for mechanism. It is possible that hosts will allocate conflicting names for
a period of time, or that non-conforming hosts will attempt to deny a period of time, or that non-conforming hosts will attempt to deny
service to other hosts by allocating the same name. Such attacks also service to other hosts by allocating the same name. Such attacks also
allow nodes to receive packets destined for other nodes. The protocol allow nodes to receive packets destined for other nodes. The protocol
reduces the exposure to such threats in the absence of authentication reduces the exposure to such threats in the absence of authentication by
by ignoring multicast DNS query response packets received from off-link ignoring multicast DNS query response packets received from off-link
senders. The Hop Limit field in IPv6 and TTL field in IPv4 of all senders.
received packets is verified to contain 255, the maximum legal value.
Because routers decrement the Hop Limit on all packets they forward, In all received responses, the Hop Limit field in IPv6 and the TTL field
received packets containing a Hop Limit of 255 must have originated in IPv4 are verified to contain 255, the maximum legal value. Since
from a neighbor. routers decrement the Hop Limit on all packets they forward, received
packets containing a Hop Limit of 255 must have originated from a
neighbor. Packets destined for a LINKLOCAL address are verified to have
been sent from a LINKLOCAL source address.
These threats are most serious in wireless networks such as 802.11, These threats are most serious in wireless networks such as 802.11,
since attackers on a wired network will require physical access to the since attackers on a wired network will require physical access to the
home network, while wireless attackers may reside outside the home. In home network, while wireless attackers may reside outside the home.
order to provide for privacy equivalent to a wired network, the 802.11 Link-layer security will serve to secure mDNS against the above threats
specification provides for RC4-based encryption. This is known as the if it is available. For example, where 802.11 "Wired Equivalency
"Wired Equivalency Privacy" (WEP) specification. Where WEP is Privacy" (WEP) [10] is implemented, a casual attacker is likely to be
implemented, an attacker will need to obtain the WEP key prior to deterred from gaining access to the home network.
gaining access to the home network.
The mechanism specified in this draft does not require use of the The mechanism specified in this draft does not require use of the
DNSSEC, which means that the responses to the multicast DNS queries may DNSSEC, which means that the responses to the multicast DNS queries may
not be authenticated. If a network contains a "signed key distribution not be authenticated. If a network contains a "signed key distribution
center" for all (or at least some) of the DNS zones that the responders center" for all (or at least some) of the DNS zones that the responders
are authoritative for, then those devices on such a network are are authoritative for, then hosts on such a network are configured with
configured with the key for the top zone, "local.arpa." (hosted by the key for the top zone, "local.arpa." (hosted by "signed keys
"signed keys distribution center") may use DNSSEC for the authentication distribution center") and may use DNSSEC for authentication of the
of the responders using DNSSEC. responders using DNSSEC.
8. Acknowledgements Acknowledgments
The authors would like to thank Stuart Cheshire, Michael Patton, Erik This work builds upon original work done on multicast DNS by Bill
Guttman, Olafur Gudmundsson, Thomas Narten, Mark Andrews, Erik Nordmark, Manning and Bill Woodcock. The authors gratefully acknowledge their
Myrong Hattig, Bill Manning and James Gilroy for comments on this draft. contribution to the current specification. Constructive input has also
been received from Mark Andrews, Stuart Cheshire, Robert Elz, James
Gilroy, Olafur Gudmundsson, Erik Guttman, Myron Hattig, Thomas Narten,
Erik Nordmark, Sander Van-Valkenburg and Tomohide Nagashima.
9. Authors' Addresses Authors' Addresses
Levon Esibov Levon Esibov
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
EMail: levone@microsoft.com EMail: levone@microsoft.com
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
skipping to change at page 8, line 21 skipping to change at page 14, line 30
EMail: bernarda@microsoft.com EMail: bernarda@microsoft.com
Dave Thaler Dave Thaler
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
Phone: +1 (425) 703-8835 Phone: +1 (425) 703-8835
EMail: dthaler@microsoft.com EMail: dthaler@microsoft.com
10. References Intellectual Property Statement
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
2365, July 1998.
[3] Aboba, B., "The Mini-DHCP Server", Internet draft (work in
progress), draft-aboba-dhc-mini-01.txt, April 2000.
[4] Mockapetris, P., "Domain Names - Implementation and Specification",
RFC 1035, November 1987.
[5] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
RFC 1034, November 1987.
11. Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards- procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses to rights made available for publication and any assurances of licenses to
skipping to change at page 9, line 11 skipping to change at page 15, line 5
license or permission for the use of such proprietary rights by license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the implementors or users of this specification can be obtained from the
IETF Secretariat. IETF Secretariat.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive standard. Please address the information to the IETF Executive
Director. Director.
12. Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved. Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations, or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into Standards process must be followed, or as required to translate it into
languages other than English. The limited permissions granted above are languages other than English. The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its perpetual and will not be revoked by the Internet Society or its
successors or assigns. This document and the information contained successors or assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
13. Expiration Date Expiration Date
This memo is filed as <draft-ietf-dnsext-mdns-00.txt>, and expires This memo is filed as <draft-ietf-dnsext-mdns-01.txt>, and expires
May 16, 2001. January 15, 2002.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/