draft-ietf-dnsext-mdns-13.txt   draft-ietf-dnsext-mdns-14.txt 
DNSEXT Working Group Levon Esibov DNSEXT Working Group Levon Esibov
INTERNET-DRAFT Bernard Aboba INTERNET-DRAFT Bernard Aboba
Category: Standards Track Dave Thaler Category: Standards Track Dave Thaler
<draft-ietf-dnsext-mdns-13.txt> Microsoft <draft-ietf-dnsext-mdns-14.txt> Microsoft
4 November 2002 22 March 2003
Linklocal Multicast Name Resolution (LLMNR) Linklocal Multicast Name Resolution (LLMNR)
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026. provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts. may also distribute working documents as Internet-Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
or to cite them other than as "work in progress." or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
Today, with the rise of home networking, there are an increasing number Today, with the rise of home networking, there are an increasing number
of ad-hoc networks operating without a DNS server. In order to allow of ad-hoc networks operating without a DNS server. In order to allow
name resolution in such environments, Link-Local Multicast Name name resolution in such environments, Link-Local Multicast Name
Resolution (LLMNR) is proposed. LLMNR supports all current and future Resolution (LLMNR) is proposed. LLMNR supports all current and future
DNS formats, types and classes, while operating on a separate port from DNS formats, types and classes, while operating on a separate port from
DNS, and with a distinct resolver cache. DNS, and with a distinct resolver cache.
Table of Contents Table of Contents
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Requirements .................................... 3 1.1 Requirements .................................... 4
1.2 Terminology ..................................... 3 1.2 Terminology ..................................... 4
2. Name resolution using LLMNR ........................... 4 2. Name resolution using LLMNR ........................... 4
2.1 Sender behavior ................................. 4 2.1 Sender behavior ................................. 5
2.2 Responder behavior .............................. 5 2.2 Responder behavior .............................. 5
2.3 Addressing ...................................... 7 2.3 Unicast queries ................................. 7
2.4 TTL ............................................. 7 2.4 Addressing ...................................... 7
2.5 No/multiple responses ........................... 7 2.5 TTL ............................................. 7
2.6 Retransmissions ................................. 8
2.7 DNS TTL ......................................... 8
3. Usage model ........................................... 8 3. Usage model ........................................... 8
3.1 LLMNR configuration ............................. 9 3.1 Unqualified names ............................... 9
4. Sequence of events .................................... 10 3.2 LLMNR configuration ............................. 9
5. Conflict resolution ................................... 10 4. Conflict resolution ................................... 11
5.1 Considerations for multiple interfaces .......... 12 4.1 Considerations for multiple interfaces .......... 13
5.2 API issues ...................................... 14 4.2 API issues ...................................... 14
6. Security considerations ............................... 14 5. Security considerations ............................... 14
6.1 Scope restriction ............................... 14 5.1 Scope restriction ............................... 15
6.2 Usage restriction ............................... 15 5.2 Usage restriction ............................... 15
6.3 Cache and port separation ....................... 16 5.3 Cache and port separation ....................... 16
6.4 Authentication .................................. 16 5.4 Authentication .................................. 16
7. IANA considerations ................................... 16 6. IANA considerations ................................... 17
8. Normative References .................................. 16 7. Normative References .................................. 17
9. Informative References ................................ 17 8. Informative References ................................ 17
Acknowledgments .............................................. 18 Acknowledgments .............................................. 18
Authors' Addresses ........................................... 18 Authors' Addresses ........................................... 19
Intellectual Property Statement .............................. 19 Intellectual Property Statement .............................. 19
Full Copyright Statement ..................................... 19 Full Copyright Statement ..................................... 20
1. Introduction 1. Introduction
This document discusses Link-Local Multicast Name Resolution (LLMNR), This document discusses Link-Local Multicast Name Resolution (LLMNR),
which operates on a separate port from DNS, with a distinct resolver which operates on a separate port from DNS, with a distinct resolver
cache, but does not change the format of DNS packets. LLMNR supports all cache, but does not change the format of DNS packets. LLMNR supports all
current and future DNS formats, types and classes. current and future DNS formats, types and classes. However, since LLMNR
only operates on the local link, it cannot be considered a substitute
for DNS.
The goal of LLMNR is to enable name resolution in scenarios in which The goal of LLMNR is to enable name resolution in scenarios in which
conventional DNS name resolution is not possible. These include conventional DNS name resolution is not possible. These include
scenarios in which hosts are not configured with the address of a DNS scenarios in which hosts are not configured with the address of a DNS
server, where configured DNS servers do not reply to a query, or where server, where configured DNS servers do not reply to a query, or where
they respond with RCODE set to NXRRSET. they respond with errors, as described in Section 3.
Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
possible for a dual stack host to be configured with the address of a
DNS server over IPv4, while remaining unconfigured with a DNS server
suitable for use over IPv6. In these situations, a dual stack host will
send AAAA queries to the configured DNS server over IPv4. However, an
IPv6-only host will not be able to resolve names.
Since automatic IPv6 DNS configuration mechanisms such as [DHCPv6DNS]
and [DNSDisc] are not yet widely deployed, and not all DNS servers
support IPv6, "partial configuration" may be common in the short term,
and LLMNR may prove useful in enabling linklocal name resolution over
IPv6. However, in the long term, IPv6 DNS configuration, and DNS support
over IPv6 will become more common so that LLMNR usage will typically be
restricted to adhoc networks in which neither IPv4 nor IPv6 DNS servers
are configured, situations in which DNS servers do not respond to
queries, or where they respond with RCODE set to NXRRSET.
Service discovery in general, as well as discovery of DNS servers using
LLMNR in particular is outside of the scope of this document, as is name
resolution over non-multicast capable media.
1.1. Requirements
In this document, the key words "MAY", "MUST, "MUST NOT", "OPTIONAL",
"RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [RFC2119].
1.2. Terminology
Responder A host that listens to LLMNR queries, and responds to
those for which it is authoritative is called
"responder".
Sender A host that sends an LLMNR query. Typically a host is
configured as both a sender and a responder, but a host
may be configured as a "sender", but not a "responder" or
a "responder" but not a "sender".
2. Name resolution using LLMNR
While operating on a different port with a distinct resolver cache,
LLMNR makes no change to the current format of DNS packets.
LLMNR queries are sent to and received on port TBD using a LINKLOCAL LLMNR queries are sent to and received on port TBD using a LINKLOCAL
address as specified in "Administratively Scoped IP Multicast" [RFC2365] address as specified in "Administratively Scoped IP Multicast" [RFC2365]
for IPv4 and the "solicited name" LINKLOCAL multicast addresses for for IPv4. The LLMNR LINKLOCAL address to be used for IPv4 is
IPv6, and using a unicast addresses in a few scenarios described below 224.0.0.251. For IPv6, the "solicited name" LINKLOCAL multicast
in Section 3. The LLMNR LINKLOCAL address to be used for IPv4 is addresses are used for A/AAAA queries, and a separate multicast address
224.0.0.251. LINKLOCAL addresses are used to prevent propagation of TBD for all other queries. LINKLOCAL multicast addresses are used to
LLMNR traffic across routers, potentially flooding the network. prevent propagation of LLMNR traffic across routers, potentially
flooding the network; for details, see Section 2.4. In circumstances
described in Section 2.3, LLMNR queries can also be sent to a unicast
address.
Propagation of LLMNR packets on the local link is considered sufficient Propagation of LLMNR packets on the local link is considered sufficient
to enable name resolution in small networks. The assumption is that if a to enable name resolution in small networks. The assumption is that if a
network has a home gateway, then the network either has a DNS server or network has a home gateway, then the network either has a DNS server or
the home gateway can function as a DNS proxy. By implementing DHCPv4 as the home gateway can function as a DNS proxy. By implementing DHCPv4 as
well as a DNS proxy and dynamic DNS, home gateways can provide name well as a DNS proxy and dynamic DNS, home gateways can provide name
resolution for the names of hosts over IPv4 on the local network. resolution for the names of hosts over IPv4 on the local network.
For small IPv6 networks, equivalent functionality can be provided by a For small IPv6 networks, equivalent functionality can be provided by a
home gateway implementing DHCPv6 for DNS configuration [DHCPv6DNS], as home gateway implementing DHCPv6 for DNS configuration [DHCPv6DNS], as
skipping to change at page 4, line 47 skipping to change at page 4, line 10
the assumption that LLMNR is not needed on multiple links proves the assumption that LLMNR is not needed on multiple links proves
incorrect, and multicast routing becomes ubiquitous. For example, it is incorrect, and multicast routing becomes ubiquitous. For example, it is
not clear that this assumption will be valid in large adhoc networking not clear that this assumption will be valid in large adhoc networking
scenarios. scenarios.
Once we have experience in LLMNR deployment in terms of administrative Once we have experience in LLMNR deployment in terms of administrative
issues, usability and impact on the network it will be possible issues, usability and impact on the network it will be possible
reevaluate which multicast scopes are appropriate for use with multicast reevaluate which multicast scopes are appropriate for use with multicast
name resolution mechanisms. name resolution mechanisms.
2.1. Sender behavior Service discovery in general, as well as discovery of DNS servers using
LLMNR in particular is outside of the scope of this document, as is name
resolution over non-multicast capable media.
A sender sends an LLMNR query for any legal Type of resource record 1.1. Requirements
(e.g. A, PTR, etc.) to the LINKLOCAL address. Notice that in some
scenarios described below in Section 3 a sender may also send a unicast
query. The RD (Recursion Desired) bit MUST NOT be set. If a responder In this document, several words are used to signify the requirements of
receives a query with the header containing RD set bit, the responder the specification. These words are often capitalized. The key words
MUST ignore the RD bit. "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in [RFC2119].
The IPv6 LINKLOCAL address a given responder listens to, and to which a 1.2. Terminology
sender sends, is a link-local multicast address formed as follows: The
name of the resource record in question is expressed in its canonical
form (see [RFC2535], section 8.1), which is uncompressed with all
alphabetic characters in lower case. The first label of the FQDN in the
query is then hashed using the MD5 algorithm, described in [RFC1321].
The first 32 bits of the resultant 128-bit hash is then appended to the
prefix FF02:0:0:0:0:2::/96 to yield the 128-bit "solicited name
multicast address". (Note: this procedure is intended to be the same as
that specified in section 3 of "IPv6 Node Information Queries"
[NodeInfo]). A responder that listens for queries for multiple names
will necessarily listen to multiple of these solicited name multicast
addresses.
If the LLMNR query is not resolved during a limited amount of time Responder A host that listens to LLMNR queries, and responds to
(LLMNR_TIMEOUT), then a sender MAY repeat the transmission of a query in those for which it is authoritative.
order to assure themselves that the query has been received by a host
capable of responding to the query. The default value for LLMNR_TIMEOUT
is 1 second. Since a sender cannot know beforehand whether it will
receive no response, one response, or more than one response to a query,
it SHOULD wait for LLMNR_TIMEOUT in order to collect all possible
responses, rather than considering the query answered after the first
response is received.
Repetition MUST NOT be attempted more than 3 times and SHOULD NOT be Sender A host that sends an LLMNR query. Typically a host is
repeated more often than once per second to reduce unnecessary network configured as both a sender and a responder. However, a
traffic. The delay between attempts should be randomized so as to avoid host may be configured as a sender, but not a responder
synchronization effects. or as a responder, but not a sender.
Routable address
An address other than a linklocal address. This includes
site local and globally routable addresses, as well as
private addresses.
2. Name resolution using LLMNR
The sequence of events for LLMNR usage is as follows:
[1] If a sender needs to resolve a query for a name "host.example.com",
then it sends a LLMNR query to the LINKLOCAL multicast address.
[2] A responder responds to this query only if it is authoritative
for the domain name "host.example.com". The responder sends
a response to the sender via unicast over UDP.
[3] Upon the reception of the response, the sender verifies that the Hop
Limit field in IPv6 header or TTL field in IPv4 header (depending on
the protocol used) of the response is set to 255. The sender then
verifies compliance with the addressing requirements for IPv4,
described in [IPV4Link], and IPv6, described in [RFC2373]. If these
conditions are met, then the sender uses and caches the returned
response. If not, then the sender ignores the response and continues
waiting for the response.
Further details of sender and responder behavior are provided in the
sections that follow.
2.1. Sender behavior
A sender sends an LLMNR query for any legal Type of resource record
(e.g. A, PTR, etc.) to the LINKLOCAL multicast address. An LLMNR sender
MAY send requests for any name.
Under conditions described in Section 2.3, a sender may also send a
unicast query. The RD (Recursion Desired) bit MUST NOT be set. If a
responder receives a query with the header containing RD set bit, the
responder MUST ignore the RD bit.
The sender MUST anticipate receiving no replies to some LLMNR queries,
in the event that no responders are available within the linklocal
multicast scope, or in the event that no positive non-null responses
exist for the transmitted query. If no positive response is received, a
resolver treats it as a response that no records of the specified type
and class for the specified name exist (that is, it is treated the same
as a response with RCODE=0 and an empty answer section).
2.2. Responder behavior 2.2. Responder behavior
A responder listens on port TBD on the LINKLOCAL address and on the A responder listens on port TBD on the LINKLOCAL multicast address(es)
unicast address(es) that could be set as the source address(es) when the and on the unicast address(es) that could be set as the source
responder responds to the LLMNR query. The host configured as a address(es) when the responder responds to the LLMNR query. The host
"responder" MUST act as a sender by using LLMNR dynamic update requests configured as a responder MUST act as a sender to verify the uniqueness
to verify the uniqueness of names as described in Section 5. of names as described in Section 4.
Responders MUST NOT respond to LLMNR queries for names they are not Responders MUST NOT respond to LLMNR queries for names they are not
authoritative for. Responders SHOULD respond to LLMNR queries for names authoritative for. Responders SHOULD respond to LLMNR queries for names
and addresses they are authoritative for. This applies to both forward and addresses they are authoritative for. This applies to both forward
and reverse lookups. and reverse lookups.
As an example, assume that computer "host.example.com." is authoritative As an example, a computer "host.example.com." configured to respond to
for the domain "host.example.com.". On receiving a LLMNR A resource the LLMNR queries is authoritative for the name "host.example.com.". On
receiving an LLMNR A/AAAA resource record query for the name
record query for the name "host.example.com." the host responds with A "host.example.com." the host authoritatively responds with A/AAAA
record(s) that contain IP address(es) in the RDATA of the resource record(s) that contain IP address(es) in the RDATA of the resource
record. record.
If a responder is authoritative for a name, it MAY respond with RCODE=0
and an empty answer section, if the type of query does not match a RR
owned by the responder. For example, if the host has a AAAA RR, but no
A RR, and an A RR query is received, the host would respond with RCODE=0
and an empty answer section.
If a DNS server is running on a host that supports LLMNR, the DNS server
MUST respond to LLMNR queries only for the RRSets owned by the host on
which the server is running, but MUST NOT respond for other records for
which the server is authoritative.
In conventional DNS terminology a DNS server authoritative for a zone is In conventional DNS terminology a DNS server authoritative for a zone is
authoritative for all the domain names under the zone root except for authoritative for all the domain names under the zone root except for
the branches delegated into separate zones. Contrary to conventional DNS the branches delegated into separate zones. Contrary to conventional DNS
terminology, an LLMNR responder is authoritative only for the zone root. terminology, an LLMNR responder is authoritative only for the zone root.
For example the host "host.example.com." is not authoritative for the For example the host "host.example.com." is not authoritative for the
name "child.host.example.com." unless the host is configured with name "child.host.example.com." unless the host is configured with
multiple names, including "host.example.com." and multiple names, including "host.example.com." and
"child.host.example.com.". As a result, "host" cannot reply to a query "child.host.example.com.". As a result, "host" cannot reply to a query
for "child" with NXDOMAIN. The purpose of limiting the name authority for "child" with NXDOMAIN. The purpose of limiting the name authority
scope of a responder is to prevent complications that could be caused by scope of a responder is to prevent complications that could be caused by
coexistence of two or more hosts with the names representing child and coexistence of two or more hosts with the names representing child and
parent (or grandparent) nodes in the DNS tree, for example, parent (or grandparent) nodes in the DNS tree, for example,
"host.example.com." and "child.host.example.com.". "host.example.com." and "child.host.example.com.".
In this example (unless this limitation is introduced) a LLMNR query for In this example (unless this limitation is introduced) an LLMNR query
an A record for the name "child.host.example.com." would result in two for an A record for the name "child.host.example.com." would result in
authoritative responses: name error received from "host.example.com.", two authoritative responses: a name error received from
and a requested A record - from "child.host.example.com.". To prevent "host.example.com.", and a requested A record - from
this ambiguity, LLMNR enabled hosts could perform a dynamic update of "child.host.example.com.". To prevent this ambiguity, LLMNR enabled
the parent (or grandparent) zone with a delegation to a child zone. In hosts could perform a dynamic update of the parent (or grandparent) zone
this example a host "child.host.example.com." would send a dynamic with a delegation to a child zone. In this example a host
update for the NS and glue A record to "host.example.com.", but this "child.host.example.com." would send a dynamic update for the NS and
approach significantly complicates implementation of LLMNR and would not glue A record to "host.example.com.", but this approach significantly
be acceptable for lightweight hosts. complicates implementation of LLMNR and would not be acceptable for
lightweight hosts.
A response to a LLMNR query is composed in exactly the same manner as a A response to a LLMNR query is composed in exactly the same manner as a
response to the unicast DNS query as specified in [RFC1035]. Responders response to the unicast DNS query as specified in [RFC1035]. Responders
MUST never respond using cached data, and the AA (Authoritative Answer) MUST NOT respond using cached data, and the AA (Authoritative Answer)
bit MUST be set. The response is sent to the sender via unicast. A bit MUST be set. The response is sent to the sender via unicast. A
response to an LLMNR query MUST have RCODE set to zero. Responses with response to an LLMNR query MUST have RCODE set to zero. Responses with
RCODE set to zero are referred to in this document as "positively RCODE set to zero are referred to in this document as "positively
resolved". LLMNR responders may respond only to queries which they can resolved". LLMNR responders may respond only to queries which they can
resolve positively. resolve positively.
2.3. Unicast queries
A sender MUST NOT send a unicast LLMNR query except when:
a. A sender repeats a query after it received a response
to the previous LLMNR query with the TC bit set, or
b. The sender's LLMNR cache contains an NS resource record that
enables the sender to send a query directly to the hosts
authoritative for the name in the query.
If a TC (truncation) bit is set in the response, then the sender MAY use If a TC (truncation) bit is set in the response, then the sender MAY use
the response if it contains all necessary information, or the sender MAY the response if it contains all necessary information, or the sender MAY
discard the response and resend the query over TCP or using EDNS0 with discard the response and resend the query over TCP or using EDNS0 with
larger window using the unicast address of the responder. The RA larger window using the unicast address of the responder. The RA
(Recursion Available) bit in the header of the response MUST NOT be set. (Recursion Available) bit in the header of the response MUST NOT be set.
Even if the RA bit is set in the response header, the sender MUST ignore If the RA bit is set in the response header, the sender MUST ignore it.
it.
2.3. Addressing 2.4. Addressing
The IPv4 LINKLOCAL multicast address a given responder listens to, and
to which a sender sends all queries, is 224.0.0.251. The IPv6 LINKLOCAL
multicast address a given responder listens to, and to which a sender
sends A/AAAA queries, is formed as follows: The name of the resource
record in question is expressed in its canonical form (see [RFC2535],
section 8.1), which is uncompressed with all alphabetic characters in
lower case.
The first label of the FQDN in the query is then hashed using the MD5
algorithm, described in [RFC1321]. The first 32 bits of the resultant
128-bit hash is then appended to the prefix FF02:0:0:0:0:2::/96 to yield
the 128-bit "solicited name multicast address". (Note: this procedure
is intended to be the same as that specified in section 3 of "IPv6 Node
Information Queries" [NodeInfo]). A responder that listens for queries
for multiple names with different first labels will necessarily listen
to multiple of these solicited name multicast addresses.
For IPv4 LINKLOCAL addressing, section 2.4 of "Dynamic Configuration of For IPv4 LINKLOCAL addressing, section 2.4 of "Dynamic Configuration of
IPv4 Link-Local Addresses" [IPV4Link] lays out the rules with respect to IPv4 Link-Local Addresses" [IPV4Link] lays out the rules with respect to
source address selection, TTL settings, and acceptable source address selection, TTL settings, and acceptable
source/destination address combinations. IPv6 is described in [RFC2460]; source/destination address combinations. IPv6 is described in [RFC2460];
IPv6 LINKLOCAL addressing is described in [RFC2373]. LLMNR queries and IPv6 LINKLOCAL addressing is described in [RFC2373]. LLMNR queries and
responses MUST obey the rules laid out in these documents. responses MUST obey the rules laid out in these documents.
2.5. TTL
In composing an LLMNR response, the responder MUST set the Hop Limit In composing an LLMNR response, the responder MUST set the Hop Limit
field in the IPv6 header and the TTL field in IPv4 header of the LLMNR field in the IPv6 header and the TTL field in IPv4 header of the LLMNR
response to 255. The sender MUST verify that the Hop Limit field in IPv6 response to 255. The sender MUST verify that the Hop Limit field in IPv6
header and TTL field in IPv4 header of each response to the LLMNR query header and TTL field in IPv4 header of each response to the LLMNR query
is set to 255. If it is not, then sender MUST ignore the response. is set to 255. If it is not, then sender MUST ignore the response.
Implementation note: Implementation note:
In the sockets API for IPv4, the IP_TTL and IP_MULTICAST_TTL socket In the sockets API for IPv4, the IP_TTL and IP_MULTICAST_TTL socket
options are used to specify the TTL of outgoing unicast and multicast options are used to set the TTL of outgoing unicast and multicast
packets. The IP_RECVTTL socket option is available on some platforms packets. The IP_RECVTTL socket option is available on some platforms
to receive the IPv4 TTL of received packets with recvmsg(). [RFC2292] to retrieve the IPv4 TTL of received packets with recvmsg().
specifies similar options for specifying and receiving the IPv6 Hop [RFC2292] specifies similar options for setting and retrieving the
Limit. IPv6 Hop Limit.
2.4. TTL 2.6. Retransmissions
In order to avoid synchronization, LLMNR queries and responses are
delayed by a time uniformly distributed between 0 and 200 ms.
If the LLMNR query is not resolved within the timeout interval
(LLMNR_TIMEOUT), then a sender MAY repeat the transmission of a query in
order to assure themselves that the query has been received by a host
capable of responding to the query. Since a sender cannot know
beforehand whether it will receive no response, one response, or more
than one response to a query, it SHOULD wait for LLMNR_TIMEOUT in order
to collect all possible responses, rather than considering the query
answered after the first response is received.
LLMNR implementations SHOULD dynamically estimate the timeout value
(LLMNR_TIMEOUT) on a per-interface basis, using the algorithms described
in [RFC2988], with a minimum timeout value of 300 ms.
Repetition SHOULD NOT be attempted more than 3 times and SHOULD NOT be
repeated more often than once per second to reduce unnecessary network
traffic.
2.7. DNS TTL
The responder should use a pre-configured TTL value in the records The responder should use a pre-configured TTL value in the records
returned in the LLMNR query response. Due to the TTL minimalization returned in the LLMNR query response. Due to the TTL minimalization
necessary when caching an RRset, all TTLs in an RRset MUST be set to the necessary when caching an RRset, all TTLs in an RRset MUST be set to the
same value. In the additional and authority section of the response the same value. In the additional and authority section of the response the
responder includes the same records as a DNS server would insert in the responder includes the same records as a DNS server would insert in the
response to the unicast DNS query. response to the unicast DNS query.
2.5. No/multiple responses 3. Usage model
The sender MUST anticipate receiving no replies to some LLMNR queries,
in the event that no responders are available within the linklocal
multicast scope, or in the event that no positive non-null responses
exist for the transmitted query. If no positive response is received, a
resolver treats it as a response that no records of the specified type
and class for the specified name exist (NXRRSET).
While the responder MUST NOT respond to queries for names it is not LLMNR is a peer-to-peer name resolution protocol that is not intended as
authoritative for, a responder MAY respond to a query for the name it is a replacement for DNS. By default, LLMNR requests SHOULD be sent only
authoritative for, even if the type of query does not match a RR owned
by the responder, with RCODE set to NXRRSET. For example, if the host
has a AAAA RR, but no A RR, and an A RR query is received, the host
would respond with an RCODE set to NXRRSET.
The sender MUST anticipate receiving multiple replies to the same LLMNR when no manual or automatic DNS configuration has been performed, when
query, in the event that several LLMNR enabled computers receive the DNS servers do not respond, or when they respond to a query with RCODE=3
query and respond with valid answers. When this occurs, the responses (Authoritative Name Error) or RCODE=0, and an empty answer section.
MAY first be concatenated, and then treated in the same manner that
multiple RRs received from the same DNS server would, ordinarily.
3. Usage model As noted in [DNSPerf], even when DNS servers are configured, a
significant fraction of DNS queries do not receive a response, or result
in a negative responses due to missing inverse mappings or NS records
that point to nonexistent or inappropriate hosts. Given this, support
for LLMNR as a secondary name resolution mechanism has the potential to
result in a large number of inappropriate queries without the following
additional restrictions:
A host may be configured as a "sender", but not a "responder" or as a [1] If a DNS query does not receive a response, prior to falling
"responder", but not a "sender". However, a host configured as a back to LLMNR, a DNS query SHOULD be retransmitted at least
"responder" MUST at least use a "sender's" capability to send LLMNR once.
dynamic update requests to verify the uniqueness of the names, as
described in Section 5. An LLMNR "sender" MAY multicast requests for any
name. If that name is not qualified and does not end in a trailing dot,
for the purposes of LLMNR, the implicit search order is as follows:
[1] Request the name with the current domain appended. [2] A sender SHOULD send LLMNR queries only for names that are
[2] Request just the name. either unqualified or exist within the default domain.
This is the behavior suggested by [RFC1536]. LLMNR uses this technique [3] A responder with both linklocal and routable addresses
to resolve unqualified host names. The same host MAY use LLMNR queries MUST respond to LLMNR queries for A/AAAA RRs only with
for the resolution of unqualified host names, and conventional DNS routable address(es). This encourages use of routable
queries for resolution of other DNS names. address(es) for establishment of new connections.
If a DNS server is running on a host that supports LLMNR, the DNS server 3.1. Unqualified names
MUST respond to LLMNR queries only for the RRSets owned by the host on
which the server is running, but MUST NOT respond for other records for
which the server is authoritative.
A sender MUST NOT send a unicast LLMNR query except when: The same host MAY use LLMNR queries for the resolution of unqualified
host names, and conventional DNS queries for resolution of other DNS
names.
a. A sender repeats a query after it received a response If a name is not qualified and does not end in a trailing dot, for the
to the previous LLMNR query with the TC bit set, or purposes of LLMNR, the implicit search order is as follows:
b. The sender's LLMNR cache contains an NS resource record that [1] Request the name with the current domain appended.
enables the sender to send a query directly to the hosts [2] Request just the name.
authoritative for the name in the query.
A responder with a name "host.example.com." configured to respond to the This is the behavior suggested by [RFC1536]. LLMNR uses this technique
LLMNR queries is authoritative for the name "host.example.com.". For to resolve unqualified host names.
example, when a responder with the name "host.example.com." receives an
A type LLMNR query for the name "host.example.com." it authoritatively
responds to the query.
3.1. LLMNR configuration 3.2. LLMNR configuration
LLMNR usage MAY be configured manually or automatically on a per LLMNR usage MAY be configured manually or automatically on a per
interface basis. By default, LLMNR responders SHOULD be enabled on all interface basis. By default, LLMNR responders SHOULD be enabled on all
interfaces, at all times.
interfaces, at all times. By default, LLMNR requests SHOULD be sent Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
only when no manual or automatic DNS configuration has been performed, possible for a dual stack host to be configured with the address of a
when DNS servers do not respond, or when they respond to a query with an DNS server over IPv4, while remaining unconfigured with a DNS server
RCODE set to NXRRSET.
suitable for use over IPv6. In these situations, a dual stack host will
send AAAA queries to the configured DNS server over IPv4.
However, an IPv6-only host unconfigured with a DNS server suitable for
use over IPv6 will be unable to resolve names using DNS. Since
automatic IPv6 DNS configuration mechanisms such as [DHCPv6DNS] and
[DNSDisc] are not yet widely deployed, and not all DNS servers support
IPv6, lack of IPv6 DNS configuration may be a common problem in the
short term, and LLMNR may prove useful in enabling linklocal name
resolution over IPv6.
For example, a home gateway may implement a DNS proxy and DHCPv4, but
not DHCPv6 for DNS configuration [DHCPv6DNS] or [DNSDisc]. In such a
circumstance, IPv6-only hosts will not be configured with a DNS server.
Where the DNS proxy does not support dynamic client update over IPv6 or
DHCPv6-based dynamic update of the DNS proxy, the home gateway will not
be able to dynamically register the names of IPv6 hosts. As a result,
the DNS proxy will respond to AAAA RR queries sent over IPv4 or IPv6
with an authoritative name error (RCODE=3). This prevents hosts from
resolving the names of IPv6-only hosts on the local link. In this
situation, LLMNR over IPv6 can be used for resolution of dynamic names.
Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
configure LLMNR on an interface. The LLMNR Enable Option, described in configure LLMNR on an interface. The LLMNR Enable Option, described in
[LLMNREnable], can be used to explicitly enable or disable use of LLMNR [LLMNREnable], can be used to explicitly enable or disable use of LLMNR
on an interface. The LLMNR Enable Option does not determine whether or on an interface. The LLMNR Enable Option does not determine whether or
in which order DNS itself is used for name resolution. The order in in which order DNS itself is used for name resolution. The order in
which various name resolution mechanisms should be used can be specified which various name resolution mechanisms should be used can be specified
using the Name Service Search Option for DHCP, [RFC2937]. using the Name Service Search Option for DHCP [RFC2937].
A home gateway may implement a DNS proxy and DHCPv4, but not DHCPv6 for
DNS configuration [DHCPv6DNS]. In such a circumstance, IPv6-only hosts
will not be configured with a DNS server. Where the DNS proxy does not
support dynamic client update over IPv6 or DHCPv6-based dynamic update
of the DNS proxy, the home gateway will not be able to dynamically
register the names of IPv6 hosts. As a result, the DNS proxy will
respond to AAAA RR queries sent over IPv4 or IPv6 with an RCODE of
NXRRSET. This prevents hosts from resolving the names of IPv6-only
hosts on the local link. In this situation, LLMNR over IPv6 can be used
for resolution of dynamic names.
3.1.1. Consistency of configuration 3.2.1. Configuration consistency
It is possible that DNS servers and/or DNS configuration mechanisms will It is possible that DNS configuration mechanisms will go in and out of
go in and out of service. In these circumstances, it is possible for service. In these circumstances, it is possible for hosts within an
hosts within an administrative domain to be inconsistent in their DNS administrative domain to be inconsistent in their DNS configuration.
configuration.
For example, where DHCP is used for configuring DNS servers, one or more For example, where DHCP is used for configuring DNS servers, one or more
DHCP servers can go down. As a result, hosts configured prior to the DHCP servers can go down. As a result, hosts configured prior to the
outage will be configured with a DNS server, while hosts configured outage will be configured with a DNS server, while hosts configured
after the outage will not. after the outage will not. Alternatively, it is possible for the DNS
configuration mechanism to continue functioning while configured DNS
Alternatively, it is possible for the DNS configuration mechanism to servers fail.
continue functioning while configured DNS servers fail.
In order to minimize inconsistencies, the following practices are
recommended:
Periodic retry
Unless unconfigured hosts periodically retry configuration, an
outage in the DNS configuration mechanism will result in hosts
continuing to prefer LLMNR even once the outage is repaired. Since
LLMNR only enables linklocal name resolution, this represents an
unnecessary degradation in capabilities. As a result, it is
recommended that hosts without a configured DNS server periodically
attempt to obtain DNS configuration. A default retry interval of
two (2) minutes is recommended.
DNS failover
By default, LLMNR queries are not sent unless DNS is not
configured, configured DNS servers have not responded, or respond
with an RCODE of NXRRSET. However, where all configured DNS
servers fail, LLMNR queries will be sent.
4. Sequence of events
The sequence of events for LLMNR usage is as follows:
1. If a sender needs to resolve a query for a name "host.example.com", Unless unconfigured hosts periodically retry configuration, an outage in
then it sends a LLMNR query to the LINKLOCAL multicast address. the DNS configuration mechanism will result in hosts continuing to
prefer LLMNR even once the outage is repaired. Since LLMNR only enables
linklocal name resolution, this represents an unnecessary degradation in
capabilities. As a result, it is recommended that hosts without a
2. A responder responds to this query only if it is authoritative configured DNS server periodically attempt to obtain DNS configuration.
for the domain name "host.example.com". The responder sends A default retry interval of two (2) minutes is recommended.
a response to the sender via unicast over UDP.
3. Upon the reception of the response, the sender verifies that the Hop 4. Conflict resolution
Limit field in IPv6 header or TTL field in IPv4 header (depending on
the protocol used) of the response is set to 255. The sender then
verifies compliance with the addressing requirements for IPv4,
described in [IPV4Link], and IPv6, described in [RFC2373]. If these
conditions are met, then the sender uses and caches the returned
response. If not, then the sender ignores the response and continues
waiting for the response.
5. Conflict resolution The sender MUST anticipate receiving multiple replies to the same LLMNR
query, in the event that several LLMNR enabled computers receive the
query and respond with valid answers. When this occurs, the responses
MAY first be concatenated, and then treated in the same manner that
multiple RRs received from the same DNS server would, ordinarily.
There are some scenarios when multiple responders MAY respond to the There are some scenarios when multiple responders MAY respond to the
same query. There are other scenarios when only one responder may same query. There are other scenarios when only one responder may
respond to a query. Resource records for which the latter queries are respond to a query. Resource records for which the latter queries are
submitted are referred as UNIQUE throughout this document. The submitted are referred as UNIQUE throughout this document. The
uniqueness of a resource record depends on a nature of the name in the uniqueness of a resource record depends on a nature of the name in the
query and type of the query. For example it is expected that: query and type of the query. For example it is expected that:
- multiple hosts may respond to a query for an SRV type record - multiple hosts may respond to a query for an SRV type record
- multiple hosts may respond to a query for an A or AAAA type record for a - multiple hosts may respond to a query for an A or AAAA type record for a
skipping to change at page 11, line 16 skipping to change at page 11, line 43
LLMNR query propagation that can return a resource record LLMNR query propagation that can return a resource record
for the same name, type and class. for the same name, type and class.
2. MUST NOT include a UNIQUE resource record in the 2. MUST NOT include a UNIQUE resource record in the
response without having verified its uniqueness. response without having verified its uniqueness.
Where a host is configured to respond to LLMNR queries on more than one Where a host is configured to respond to LLMNR queries on more than one
interface, each interface should have its own independent LLMNR cache. interface, each interface should have its own independent LLMNR cache.
For each UNIQUE resource record in a given interface's cache, the host For each UNIQUE resource record in a given interface's cache, the host
MUST verify resource record uniqueness on that interface. To accomplish MUST verify resource record uniqueness on that interface. To accomplish
this, the host MUST send a dynamic LLMNR update request for each new this, the host MUST send a dynamic LLMNR update request for each new
UNIQUE resource record. Format of the dynamic LLMNR update request is UNIQUE resource record. The format of the dynamic LLMNR update request
identical to the format of the dynamic DNS update request specified in is identical that specified in [RFC2136]. By default, a host SHOULD be
[RFC2136]. Uniqueness verification is carried out when the host: configured to behave as though all RRs are UNIQUE. Uniqueness
verification is carried out when the host:
- starts up or - starts up or
- is configured to respond to the LLMNR queries on some interface or - is configured to respond to the LLMNR queries on an interface or
- is configured to respond to the LLMNR queries using additional - is configured to respond to the LLMNR queries using additional
UNIQUE resource records. UNIQUE resource records.
Below we describe the data to be specified in the dynamic update The data to be specified in the dynamic update request is as follows:
request:
Header section Header section
contains values according to [RFC2136]. contains values according to [RFC2136].
Zone section Zone section
The zone name in the zone section MUST be set to the name of the The zone name in the zone section MUST be set to the name of the
UNIQUE record. The zone type in the zone section MUST be set to UNIQUE record. The zone type in the zone section MUST be set to
SOA. The zone class in the zone section MUST be set to the class of SOA. The zone class in the zone section MUST be set to the class of
the UNIQUE record. the UNIQUE record.
Prerequisite section Prerequisite section
This section MUST contain a record set whose semantics are This section MUST contain a record set whose semantics are
described in [RFC2136], Section 2.4.3 "RRset Does Not Exist", described in [RFC2136], Section 2.4.3 "RRset Does Not Exist"
requesting that RRs with the NAME and TYPE of the UNIQUE record do (NXRRSET), requesting that RRs with the NAME and TYPE of the UNIQUE
not exist. record do not exist.
Update section Update section
This section MUST be left empty. This section MUST be left empty.
Additional section Additional section
This section is set according to [RFC2136]. This section is set according to [RFC2136].
When a host that owns a UNIQUE record receives a dynamic update request When a host that owns a UNIQUE record receives a dynamic update request
that requests that the UNIQUE resource record set does not exist, the that requests that the UNIQUE resource record set does not exist, the
host MUST respond via unicast with the YXRRSET error, according to the host MUST respond via unicast with the YXRRSET error, according to the
skipping to change at page 12, line 16 skipping to change at page 12, line 44
request stating that a UNIQUE resource record does not exist, the host request stating that a UNIQUE resource record does not exist, the host
MUST check whether the response arrived on another interface. If this is MUST check whether the response arrived on another interface. If this is
the case, then the client can use the UNIQUE resource record in response the case, then the client can use the UNIQUE resource record in response
to LLMNR queries and dynamic update requests. If not, then it MUST NOT to LLMNR queries and dynamic update requests. If not, then it MUST NOT
use the UNIQUE resource record in response to LLMNR queries and dynamic use the UNIQUE resource record in response to LLMNR queries and dynamic
update requests. update requests.
Note that this name conflict detection mechanism doesn't prevent name Note that this name conflict detection mechanism doesn't prevent name
conflicts when previously partitioned segments are connected by a conflicts when previously partitioned segments are connected by a
bridge. In such a situation, name conflicts are detected when a sender bridge. In such a situation, name conflicts are detected when a sender
receives more than one response to its LLMNR query. In this case, the receives more than one response to its LLMNR query.
sender sends the first response that it received to all responders that
responded to this query except the first one, using unicast. A host that
receives a query response containing a UNIQUE resource record that it
owns, even if it didn't send such a query, MUST verify that no other
host within the LLMNR scope is authoritative for the same name, using
the dynamic LLMNR update request mechanism described above.
Based on the result, the host detects whether there is a name conflict In this case, the sender sends the first response that it received to
and acts as described above. all responders that responded to this query except the first one, using
unicast. A host that receives a query response containing a UNIQUE
resource record that it owns, even if it didn't send such a query, MUST
verify that no other host within the LLMNR scope is authoritative for
the same name, using the dynamic LLMNR update request mechanism
described above. Based on the result, the host detects whether there is
5.1. Considerations for Multiple Interfaces a name conflict and acts as described above.
4.1. Considerations for Multiple Interfaces
A multi-homed host may elect to configure LLMNR on only one of its A multi-homed host may elect to configure LLMNR on only one of its
active interfaces. In many situations this will be adequate. However, active interfaces. In many situations this will be adequate. However,
should a host wish to configure LLMNR on more than one of its active should a host wish to configure LLMNR on more than one of its active
interfaces, there are some additional precautions it MUST take. interfaces, there are some additional precautions it MUST take.
Implementers who are not planning to support LLMNR on multiple Implementers who are not planning to support LLMNR on multiple
interfaces simultaneously may skip this section. interfaces simultaneously may skip this section.
A multi-homed host checks the uniqueness of UNIQUE records as described A multi-homed host checks the uniqueness of UNIQUE records as described
in Section 5. The situation is illustrated in figure 1 below: in Section 4. The situation is illustrated in figure 1.
---------- ---------- ---------- ----------
| | | | | | | |
[A] [myhost] [myhost] [A] [myhost] [myhost]
Figure 1. LINKLOCAL name conflict Figure 1. LINKLOCAL name conflict
In this situation, the multi-homed myhost will probe for, and defend, In this situation, the multi-homed myhost will probe for, and defend,
its host name on both interfaces. A conflict will be detected on one its host name on both interfaces. A conflict will be detected on one
interface, but not the other. The multi-homed myhost will not be able to interface, but not the other. The multi-homed myhost will not be able to
respond with a host RR for "myhost" on the interface on the right (see respond with a host RR for "myhost" on the interface on the right (see
Figure 1). The multi-homed host may, however, be configured to use the Figure 1). The multi-homed host may, however, be configured to use the
"myhost" name on the interface on the left. "myhost" name on the interface on the left.
Since names are only unique per-link, hosts on different links could be Since names are only unique per-link, hosts on different links could be
using the same name. If an LLMNR client sends requests over multiple using the same name. If an LLMNR client sends requests over multiple
interfaces, and receives replies from more than one, the result returned interfaces, and receives replies from more than one, the result returned
to the client is defined by the implementation. The situation is to the client is defined by the implementation. The situation is
illustrated in figure 2 below. illustrated in figure 2.
---------- ---------- ---------- ----------
| | | | | | | |
[A] [myhost] [A] [A] [myhost] [A]
Figure 2. Off-segment name conflict Figure 2. Off-segment name conflict
If host myhost is configured to use LLMNR on both interfaces, it will If host myhost is configured to use LLMNR on both interfaces, it will
send LLMNR queries on both interfaces. When host myhost sends a query send LLMNR queries on both interfaces. When host myhost sends a query
for the host RR for name "A" it will receive a response from hosts on for the host RR for name "A" it will receive a response from hosts on
skipping to change at page 13, line 25 skipping to change at page 14, line 4
Figure 2. Off-segment name conflict Figure 2. Off-segment name conflict
If host myhost is configured to use LLMNR on both interfaces, it will If host myhost is configured to use LLMNR on both interfaces, it will
send LLMNR queries on both interfaces. When host myhost sends a query send LLMNR queries on both interfaces. When host myhost sends a query
for the host RR for name "A" it will receive a response from hosts on for the host RR for name "A" it will receive a response from hosts on
both interfaces. both interfaces.
Host myhost will then forward a response from the first responder to the Host myhost will then forward a response from the first responder to the
second responder, who will attempt to verify the uniqueness of host RR second responder, who will attempt to verify the uniqueness of host RR
for its name, but will not discover a conflict, since the conflicting for its name, but will not discover a conflict, since the conflicting
host resides on a different link. Therefore it will continue using its host resides on a different link. Therefore it will continue using its
name. name.
Indeed, host myhost cannot distinguish between the situation shown in Indeed, host myhost cannot distinguish between the situation shown in
Figure 2, and that shown in Figure 3 where no conflict exists: Figure 2, and that shown in Figure 3 where no conflict exists.
[A] [A]
| | | |
----- ----- ----- -----
| | | |
[myhost] [myhost]
Figure 3. Multiple paths to same host Figure 3. Multiple paths to same host
This illustrates that the proposed name conflict resolution mechanism This illustrates that the proposed name conflict resolution mechanism
does not support detection or resolution of conflicts between hosts on does not support detection or resolution of conflicts between hosts on
different links. This problem can also occur with unicast DNS when a different links. This problem can also occur with unicast DNS when a
multi-homed host is connected to two different networks with separated multi-homed host is connected to two different networks with separated
name spaces. It is not the intent of this document to address the issue name spaces. It is not the intent of this document to address the issue
of uniqueness of names within DNS. of uniqueness of names within DNS.
5.2. API issues 4.2. API issues
[RFC2553] provides an API which can partially solve the name ambiguity [RFC2553] provides an API which can partially solve the name ambiguity
problem for applications written to use this API, since the sockaddr_in6 problem for applications written to use this API, since the sockaddr_in6
structure exposes the scope within which each scoped address exists, and structure exposes the scope within which each scoped address exists, and
this structure can be used for both IPv4 (using v4-mapped IPv6 this structure can be used for both IPv4 (using v4-mapped IPv6
addresses) and IPv6 addresses. addresses) and IPv6 addresses.
Following the example in Figure 2, an application on 'myhost' issues the Following the example in Figure 2, an application on 'myhost' issues the
request getaddrinfo("A", ...) with ai_family=AF_INET6 and request getaddrinfo("A", ...) with ai_family=AF_INET6 and
ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both
interfaces and the resolver library will return a list containing interfaces and the resolver library will return a list containing
multiple addrinfo structures, each with an associated sockaddr_in6 multiple addrinfo structures, each with an associated sockaddr_in6
structure. This list will thus contain the IPv4 and IPv6 addresses of structure. This list will thus contain the IPv4 and IPv6 addresses of
both hosts responding to the name 'A'. Link-local addresses will have a both hosts responding to the name 'A'. Link-local addresses will have a
sin6_scope_id value that disambiguates which interface is used to reach sin6_scope_id value that disambiguates which interface is used to reach
skipping to change at page 14, line 19 skipping to change at page 14, line 46
ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both
interfaces and the resolver library will return a list containing interfaces and the resolver library will return a list containing
multiple addrinfo structures, each with an associated sockaddr_in6 multiple addrinfo structures, each with an associated sockaddr_in6
structure. This list will thus contain the IPv4 and IPv6 addresses of structure. This list will thus contain the IPv4 and IPv6 addresses of
both hosts responding to the name 'A'. Link-local addresses will have a both hosts responding to the name 'A'. Link-local addresses will have a
sin6_scope_id value that disambiguates which interface is used to reach sin6_scope_id value that disambiguates which interface is used to reach
the address. Of course, to the application, Figures 2 and 3 are still the address. Of course, to the application, Figures 2 and 3 are still
indistinguishable, but this API allows the application to communicate indistinguishable, but this API allows the application to communicate
successfully with any address in the list. successfully with any address in the list.
6. Security Considerations 5. Security Considerations
LLMNR is by nature a peer to peer name resolution protocol. It is LLMNR is by nature a peer to peer name resolution protocol. It is
therefore inherently more vulnerable than DNS, since existing DNS therefore inherently more vulnerable than DNS, since existing DNS
security mechanisms are difficult to apply to LLMNR and an attacker only security mechanisms are difficult to apply to LLMNR and an attacker only
needs to be misconfigured to answer an LLMNR query with incorrect needs to be misconfigured to answer an LLMNR query with incorrect
information. information.
In order to address the security vulnerabilities, the following In order to address the security vulnerabilities, the following
mechanisms are contemplated: mechanisms are contemplated:
[1] Scope restrictions. [1] Scope restrictions.
[2] Usage restrictions. [2] Usage restrictions.
[3] Cache and port separation. [3] Cache and port separation.
[4] Authentication. [4] Authentication.
These techniques are described in the following sections. These techniques are described in the following sections.
6.1. Scope restriction 5.1. Scope restriction
With LLMNR it is possible that hosts will allocate conflicting names for With LLMNR it is possible that hosts will allocate conflicting names for
a period of time, or that attackers will attempt to deny service to a period of time, or that attackers will attempt to deny service to
other hosts by allocating the same name. Such attacks also allow hosts other hosts by allocating the same name. Such attacks also allow hosts
to receive packets destined for other hosts. to receive packets destined for other hosts.
In the absence of authentication, LLMNR reduces the exposure to such In the absence of authentication, LLMNR reduces the exposure to such
threats by ignoring LLMNR query response packets received from off-link threats by ignoring LLMNR query response packets received from off-link
senders. In all received responses, the Hop Limit field in IPv6 and the senders. In all received responses, the Hop Limit field in IPv6 and the
TTL field in IPv4 are verified to contain 255, the maximum legal value. TTL field in IPv4 are verified to contain 255, the maximum legal value.
skipping to change at page 15, line 16 skipping to change at page 15, line 42
While restricting ignoring packets received from off-link senders While restricting ignoring packets received from off-link senders
reduces the level of vulnerability, it does not eliminate it. There are reduces the level of vulnerability, it does not eliminate it. There are
scenarios such as public "hotspots" where attackers can be present on scenarios such as public "hotspots" where attackers can be present on
the same link. These threats are most serious in wireless networks such the same link. These threats are most serious in wireless networks such
as 802.11, since attackers on a wired network will require physical as 802.11, since attackers on a wired network will require physical
access to the home network, while wireless attackers may reside outside access to the home network, while wireless attackers may reside outside
the home. Link-layer security can be of assistance against these the home. Link-layer security can be of assistance against these
threats if it is available. threats if it is available.
6.2. Usage restriction 5.2. Usage restriction
As noted in Section 3.1, LLMNR is intended for usage in scenarios where As noted in Section 3, LLMNR is intended for usage in a limited set of
a DNS server is not configured, DNS servers do not respond to queries or scenarios.
respond with RCODE set to NXRRSET. If an interface has been configured
via any automatic configuration mechanism which is able to supply DNS If an interface has been configured via any automatic configuration
configuration information, then LLMNR MUST NOT be used as the primary mechanism which is able to supply DNS configuration information, then
name resolution mechanism on that interface, although it MAY be used as LLMNR SHOULD NOT be used as the primary name resolution mechanism on
a secondary mechanism when DNS servers do not respond to queries, or that interface, although it MAY be used as a secondary mechanism.
respond with RCODE set to NXRRSET.
Note: enabling LLMNR for use in situations where a DNS server has been Note: enabling LLMNR for use in situations where a DNS server has been
configured will result in upgraded hosts changing their default behavior configured will result in upgraded hosts changing their default behavior
without a simultaneous update to configuration information. Where this without a simultaneous update to configuration information. Where this
is considered undesirable, LLMNR SHOULD NOT be enabled by default, so is considered undesirable, LLMNR SHOULD NOT be enabled by default, so
that hosts will neither listen on the LINKLOCAL multicast address, nor that hosts will neither listen on the LINKLOCAL multicast address, nor
will it send queries to that address. will it send queries to that address.
Use of LLMNR as a secondary name resolution mechanism increases security Use of LLMNR as a secondary name resolution mechanism increases security
vulnerabilities. For example, if an LLMNR query is sent whenever a DNS vulnerabilities. For example, if an LLMNR query is sent whenever a DNS
skipping to change at page 16, line 5 skipping to change at page 16, line 28
The vulnerability is more serious if LLMNR is given higher priority than The vulnerability is more serious if LLMNR is given higher priority than
DNS among the enabled name resolution mechanisms. In such a DNS among the enabled name resolution mechanisms. In such a
configuration, a denial of service attack on the DNS server would not be configuration, a denial of service attack on the DNS server would not be
necessary in order to poison the LLMNR cache, since LLMNR queries would necessary in order to poison the LLMNR cache, since LLMNR queries would
be sent even when the DNS server is available. In addition, the LLMNR be sent even when the DNS server is available. In addition, the LLMNR
cache, once poisoned, would take precedence over the DNS cache, cache, once poisoned, would take precedence over the DNS cache,
eliminating the benefits of cache separation. As a result, LLMNR is best eliminating the benefits of cache separation. As a result, LLMNR is best
thought of as a secondary name resolution mechanism. thought of as a secondary name resolution mechanism.
6.3. Cache and port separation 5.3. Cache and port separation
In order to prevent responses to LLMNR queries from polluting the DNS In order to prevent responses to LLMNR queries from polluting the DNS
cache, LLMNR implementations MUST use a distinct, isolated cache for cache, LLMNR implementations MUST use a distinct, isolated cache for
LLMNR on each interface. The use of separate caches is most effective LLMNR on each interface. The use of separate caches is most effective
when LLMNR is used as a name resolution mechanism of last resort, since when LLMNR is used as a name resolution mechanism of last resort, since
the this minimizes the opportunities for poisoning the LLMNR cache, and the this minimizes the opportunities for poisoning the LLMNR cache, and
decreases reliance on it. decreases reliance on it.
LLMNR operates on a separate port from DNS, reducing the likelihood that LLMNR operates on a separate port from DNS, reducing the likelihood that
a DNS server will unintentionally respond to an LLMNR query. a DNS server will unintentionally respond to an LLMNR query.
6.4. Authentication 5.4. Authentication
LLMNR does not require use of DNSSEC, and as a result, responses to LLMNR does not require use of DNSSEC, and as a result, responses to
LLMNR queries MAY NOT be authenticated. If authentication is desired, LLMNR queries MAY NOT be authenticated. If authentication is desired,
and a pre-arranged security configuration is possible, then IPsec ESP and a pre-arranged security configuration is possible, then IPsec ESP
with a null-transform MAY be used to authenticate LLMNR responses. In a with a null-transform MAY be used to authenticate LLMNR responses. In a
small network without a certificate authority, this can be most easily small network without a certificate authority, this can be most easily
accomplished through configuration of a group pre-shared key for trusted accomplished through configuration of a group pre-shared key for trusted
hosts. hosts.
7. IANA Considerations 6. IANA Considerations
This specification does not create any new name spaces for IANA This specification does not create any new name spaces for IANA
administration. LLMNR requires allocation of a port. LLMNR utilizes a administration. LLMNR requires allocation of a port for both TCP and
link scope multicast IPv4 address (224.0.0.251) that has been previously UDP. LLMNR utilizes a link scope multicast IPv4 address (224.0.0.251)
allocated to LLMNR by IANA. that has been previously allocated to LLMNR by IANA. It also requires
allocation of a link scope multicast IPv6 address, for use with queries
of types other than A/AAAA.
8. Normative References 7. Normative References
[RFC1035] Mockapetris, P., "Domain Names - Implementation and [RFC1035] Mockapetris, P., "Domain Names - Implementation and
Specification", RFC 1035, November 1987. Specification", RFC 1035, November 1987.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992. April 1992.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
skipping to change at page 17, line 14 skipping to change at page 17, line 41
[RFC2373] Hinden, R., Deering, S., "IP Version 6 Addressing [RFC2373] Hinden, R., Deering, S., "IP Version 6 Addressing
Architecture", RFC 2373, July 1998. Architecture", RFC 2373, July 1998.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, December 1998.
[RFC2535] Eastlake, D., "Domain Name System Security Extensions", [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
RFC 2535, March 1999. RFC 2535, March 1999.
[IPV4Link] Cheshire, S., Aboba, B., "Dynamic Configuration of IPv4 [RFC2988] Paxson, V., Allman, M., "Computing TCP's Retransmission
Link-Local Addresses", Internet draft (work in progress), Timer", RFC 2988, November 2000.
draft-ietf-zeroconf-ipv4-linklocal-05.txt, November 2001.
[LLMNREnable] Guttman, E., "DHCP LLMNR Enable Option", Internet draft [IPV4Link] Cheshire, S., Aboba, B.,Guttman, E., "Dynamic
(work in progress), draft-guttman-mdns-enable-02.txt, Configuration of IPv4 Link-Local Addresses", Internet
April 2002. draft (work in progress), draft-ietf-zeroconf-
ipv4-linklocal-07.txt, August 2002.
9. Informative References 8. Informative References
[RFC1536] Kumar, A., et. al. "DNS Implementation Errors and [RFC1536] Kumar, A., et. al. "DNS Implementation Errors and
Suggested Fixes", RFC 1536, October 1993. Suggested Fixes", RFC 1536, October 1993.
[RFC2292] Stevens, W., Thomas, M., "Advanced Sockets API for IPv6", [RFC2292] Stevens, W., Thomas, M., "Advanced Sockets API for IPv6",
RFC 2292, February 1998. RFC 2292, February 1998.
[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an [RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434, IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998. October 1998.
[RFC2553] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic [RFC2553] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic
Socket Interface Extensions for IPv6", RFC 2553, March Socket Interface Extensions for IPv6", RFC 2553, March
1999. 1999.
[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC [RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
2937, September 2000. 2937, September 2000.
[DHCPv6DNS] Droms, R., Narten, T., and Aboba, B. "Using DHCPv6 for [DHCPv6DNS] Droms, R., "A Guide to Implementing Stateless DHCPv6
DNS Configuration in Hosts", draft-droms-dnsconfig- Service", Internet draft (work in progress), draft-droms-
dhcpv6-01.txt, Internet draft (work in progress), March dhcpv6-stateless-guide-01.txt, October 2002.
2002.
[DNSDisc] Thaler, D., Hagino, I., "IPv6 Stateless DNS Discovery", [DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness
Internet draft (work in progress), draft-ietf-ipngwg-dns- of Caching", IEEE/ACM Transactions on Networking, Volume
discovery-03.txt, November 2001. 10, Number 5, pp. 589, October 2002.
[NodeInfo] Crawford, Matt, "IPv6 Node Information Queries", Internet [DNSDisc] Durand, A., Hagino, I., Thaler, D., "Well known site
local unicast addresses to communicate with recursive DNS
servers", Internet draft (work in progress), draft-ietf-
ipv6-dns-discovery-07.txt, October 2002.
[LLMNREnable] Guttman, E., "DHCP LLMNR Enable Option", Internet draft
(work in progress), draft-guttman-mdns-enable-02.txt,
April 2002.
[NodeInfo] Crawford, M., "IPv6 Node Information Queries", Internet
draft (work in progress), draft-ietf-ipn-gwg-icmp-name- draft (work in progress), draft-ietf-ipn-gwg-icmp-name-
lookups-08.txt, July 2001. lookups-09.txt, May 2002.
Acknowledgments Acknowledgments
This work builds upon original work done on multicast DNS by Bill This work builds upon original work done on multicast DNS by Bill
Manning and Bill Woodcock. Bill Manning's work was funded under DARPA Manning and Bill Woodcock. Bill Manning's work was funded under DARPA
grant #F30602-99-1-0523. The authors gratefully acknowledge their grant #F30602-99-1-0523. The authors gratefully acknowledge their
contribution to the current specification. Constructive input has also contribution to the current specification. Constructive input has also
been received from Mark Andrews, Stuart Cheshire, Robert Elz, Rob been received from Mark Andrews, Stuart Cheshire, Robert Elz, Rob
Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron Hattig, Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron Hattig,
Thomas Narten, Erik Nordmark, Sander Van-Valkenburg, Tomohide Nagashima, Thomas Narten, Erik Nordmark, Sander Van-Valkenburg, Tomohide Nagashima,
skipping to change at page 19, line 29 skipping to change at page 20, line 7
IETF Secretariat. IETF Secretariat.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive standard. Please address the information to the IETF Executive
Director. Director.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind, distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations, or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet which case the procedures for copyrights defined in the Internet
skipping to change at page 20, line 7 skipping to change at page 20, line 30
perpetual and will not be revoked by the Internet Society or its perpetual and will not be revoked by the Internet Society or its
successors or assigns. This document and the information contained successors or assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Expiration Date Expiration Date
This memo is filed as <draft-ietf-dnsext-mdns-13.txt>, and expires May This memo is filed as <draft-ietf-dnsext-mdns-14.txt>, and expires
22, 2003. October 22, 2003.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/