draft-ietf-dnsext-mdns-24.txt   draft-ietf-dnsext-mdns-25.txt 
DNSEXT Working Group Levon Esibov DNSEXT Working Group Levon Esibov
INTERNET-DRAFT Bernard Aboba INTERNET-DRAFT Bernard Aboba
Category: Standards Track Dave Thaler Category: Standards Track Dave Thaler
<draft-ietf-dnsext-mdns-24.txt> Microsoft <draft-ietf-dnsext-mdns-25.txt> Microsoft
27 September 2003 20 November 2003
Linklocal Multicast Name Resolution (LLMNR) Linklocal Multicast Name Resolution (LLMNR)
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026. provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts. may also distribute working documents as Internet-Drafts.
skipping to change at page 2, line 5 skipping to change at page 1, line 42
Abstract Abstract
Today, with the rise of home networking, there are an increasing number Today, with the rise of home networking, there are an increasing number
of ad-hoc networks operating without a Domain Name System (DNS) server. of ad-hoc networks operating without a Domain Name System (DNS) server.
In order to allow name resolution in such environments, Link-Local In order to allow name resolution in such environments, Link-Local
Multicast Name Resolution (LLMNR) is proposed. LLMNR supports all Multicast Name Resolution (LLMNR) is proposed. LLMNR supports all
current and future DNS formats, types and classes, while operating on a current and future DNS formats, types and classes, while operating on a
separate port from DNS, and with a distinct resolver cache. separate port from DNS, and with a distinct resolver cache.
The goal of LLMNR is to enable name resolution in scenarios in which
conventional DNS name resolution is not possible. Since LLMNR only
operates on the local link, it cannot be considered a substitute for
DNS.
Table of Contents Table of Contents
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Requirements .................................... 3 1.1 Requirements .................................... 4
1.2 Terminology ..................................... 4 1.2 Terminology ..................................... 4
2. Name resolution using LLMNR ........................... 4 2. Name resolution using LLMNR ........................... 4
2.1 Sender behavior ................................. 4 2.1 Sender behavior ................................. 5
2.2 Responder behavior .............................. 5 2.2 Responder behavior .............................. 5
2.3 Unicast queries ................................. 6 2.3 Unicast queries ................................. 7
2.4 Addressing ...................................... 7 2.4 Addressing ...................................... 8
2.5 Off-link detection .............................. 7 2.5 Off-link detection .............................. 8
2.6 Retransmissions ................................. 8 2.6 Retransmissions ................................. 9
2.7 DNS TTL ......................................... 9 2.7 DNS TTL ......................................... 9
2.8 Use of the authority and additional sections .... 9 2.8 Use of the authority and additional sections .... 10
3. Usage model ........................................... 9 3. Usage model ........................................... 10
3.1 Unqualified names ............................... 10 3.1 Responder responsibility ....................... 11
3.2 LLMNR configuration ............................. 11 3.2 LLMNR configuration ............................. 11
4. Conflict resolution ................................... 12 4. Conflict resolution ................................... 13
4.1 Considerations for multiple interfaces .......... 13 4.1 Considerations for multiple interfaces .......... 14
4.2 API issues ...................................... 15 4.2 API issues ...................................... 15
5. Security considerations ............................... 15 5. Security considerations ............................... 16
5.1 Scope restriction ............................... 16 5.1 Scope restriction ............................... 16
5.2 Usage restriction ............................... 17 5.2 Usage restriction ............................... 17
5.3 Cache and port separation ....................... 17 5.3 Cache and port separation ....................... 18
5.4 Authentication .................................. 18 5.4 Authentication .................................. 18
6. IANA considerations ................................... 18 6. IANA considerations ................................... 18
7. References ............................................ 18 7. References ............................................ 19
7.1 Normative References ............................ 18 7.1 Normative References ............................ 19
7.2 Informative References .......................... 19 7.2 Informative References .......................... 19
Acknowledgments .............................................. 20 Acknowledgments .............................................. 20
Authors' Addresses ........................................... 20 Authors' Addresses ........................................... 21
Intellectual Property Statement .............................. 21 Intellectual Property Statement .............................. 21
Full Copyright Statement ..................................... 21 Full Copyright Statement ..................................... 22
1. Introduction 1. Introduction
This document discusses Link Local Multicast Name Resolution (LLMNR), This document discusses Link Local Multicast Name Resolution (LLMNR),
which operates on a separate port from the Domain Name System (DNS), which operates on a separate port from the Domain Name System (DNS),
with a distinct resolver cache, but does not change the format of DNS with a distinct resolver cache, but does not change the format of DNS
packets. LLMNR supports all current and future DNS formats, types and packets. LLMNR supports all current and future DNS formats, types and
classes. However, since LLMNR only operates on the local link, it classes.
cannot be considered a substitute for DNS.
The goal of LLMNR is to enable name resolution in scenarios in which The goal of LLMNR is to enable name resolution in scenarios in which
conventional DNS name resolution is not possible. These include conventional DNS name resolution is not possible. These include
scenarios in which hosts are not configured with the address of a DNS scenarios in which hosts are not configured with the address of a DNS
server, where configured DNS servers do not reply to a query, or where server, where configured DNS servers do not reply to a query, or where
they respond with errors, as described in Section 3. they respond with errors, as described in Section 2. Since LLMNR only
operates on the local link, it cannot be considered a substitute for
DNS.
LLMNR usage MAY be configured manually or automatically on a per
interface basis. By default, LLMNR Responders SHOULD be enabled on all
interfaces, at all times.
LLMNR queries are sent to and received on port TBD. Link-scope LLMNR queries are sent to and received on port TBD. Link-scope
multicast addresses are used to prevent propagation of LLMNR traffic multicast addresses are used to prevent propagation of LLMNR traffic
across routers, potentially flooding the network; for details, see across routers, potentially flooding the network; for details, see
Section 2.4. LLMNR queries can also be sent to a unicast address, as Section 2.4. LLMNR queries can also be sent to a unicast address, as
described in Section 2.3. described in Section 2.3.
Propagation of LLMNR packets on the local link is considered sufficient Propagation of LLMNR packets on the local link is considered sufficient
to enable name resolution in small networks. The assumption is that if to enable name resolution in small networks. The assumption is that if
a network has a gateway, then the network is able to provide DNS server a network has a gateway, then the network is able to provide DNS server
skipping to change at page 4, line 4 skipping to change at page 4, line 9
name resolution. name resolution.
Service discovery in general, as well as discovery of DNS servers using Service discovery in general, as well as discovery of DNS servers using
LLMNR in particular, is outside of the scope of this document, as is LLMNR in particular, is outside of the scope of this document, as is
name resolution over non-multicast capable media. name resolution over non-multicast capable media.
1.1. Requirements 1.1. Requirements
In this document, several words are used to signify the requirements of In this document, several words are used to signify the requirements of
the specification. These words are often capitalized. The key words the specification. These words are often capitalized. The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in [RFC2119]. interpreted as described in [RFC2119].
1.2. Terminology 1.2. Terminology
This document assumes familiarity with DNS terminology defined in
[RFC1035]. Other terminology used in this document includes:
Responder A host that listens to LLMNR queries, and responds to those Responder A host that listens to LLMNR queries, and responds to those
for which it is authoritative. for which it is authoritative.
Sender A host that sends an LLMNR query. Typically a host is Sender A host that sends an LLMNR query. Typically a host is
configured as both a sender and a responder. However, a host configured as both a sender and a responder. However, a host
may be configured as a sender, but not a responder or as a may be configured as a sender, but not a responder or as a
responder, but not a sender. responder, but not a sender.
Routable address Routable address
An address other than a Link-Local address. This includes An address other than a Link-Local address. This includes
globally routable addresses, as well as private addresses. globally routable addresses, as well as private addresses.
2. Name resolution using LLMNR 2. Name resolution using LLMNR
LLMNR is a peer-to-peer name resolution protocol that is not intended as
a replacement for DNS. LLMNR usage MAY be configured manually or
automatically on a per interface basis. By default, LLMNR Responders
SHOULD be enabled on all interfaces, at all times.
An LLMNR sender may send a request for any name. However, by default,
LLMNR requests SHOULD be sent only when one of the following conditions
are met:
[1] No manual or automatic DNS configuration has been performed.
If an interface has been configured with DNS server address(es),
then LLMNR SHOULD NOT be used as the primary name resolution
mechanism on that interface, although it MAY be used as a name
resolution mechanism of last resort.
[2] DNS servers do not respond.
[3] DNS servers respond to a query with RCODE=3
(Authoritative Name Error) or RCODE=0, and an empty
answer section.
A typical sequence of events for LLMNR usage is as follows: A typical sequence of events for LLMNR usage is as follows:
[1] A sender needs to resolve a query for a name "host.example.com", [1] DNS servers are not configured or do not respond to a
so it sends an LLMNR query to the link-scope multicast address(es) query, or respond with RCODE=3, or RCODE=0 and an empty
defined in Section 2.4. answer section.
[2] A responder responds to this query only if it is authoritative [2] An LLMNR sender sends an LLMNR query to the link-scope multicast
for the domain name "host.example.com". The responder sends address(es) defined in Section 2.4, unless a unicast query is
a response to the sender via unicast over UDP. indicated. A sender SHOULD send LLMNR queries for PTR RRs
via unicast, as specified in Section 2.3.
[3] Upon the reception of the response, the sender performs the checks [3] A responder responds to this query only if it is authoritative
for the domain name in the query. A responder responds to a
multicast query by sending a unicast UDP response to the sender.
Unicast queries are responded to as indicated in Section 2.3.
[4] Upon the reception of the response, the sender performs the checks
described in Section 2.5. If these conditions are met, then the described in Section 2.5. If these conditions are met, then the
sender uses and caches the returned response. If not, then the sender uses and caches the returned response. If not, then the
sender ignores the response and continues waiting for the response. sender ignores the response and continues waiting for the response.
Further details of sender and responder behavior are provided in the Further details of sender and responder behavior are provided in the
sections that follow. sections that follow.
2.1. Sender behavior 2.1. Sender behavior
A sender sends an LLMNR query for any legal resource record type (e.g. A sender sends an LLMNR query for any legal resource record type (e.g.
A/AAAA, SRV, PTR, etc.) to the link-scope multicast address. As A/AAAA, SRV, PTR, etc.) to the link-scope multicast address. As
described in Section 2.3, a sender may also send a unicast query. described in Section 2.3, a sender may also send a unicast query.
Section 3 describes the circumstances in which LLMNR queries may be Sections 2 and 3 describe the circumstances in which LLMNR queries may
sent. be sent.
The RD (Recursion Desired) bit MUST NOT be set in a query. If a The RD (Recursion Desired) bit MUST NOT be set in a query. If a
responder receives a query with the header containing RD set bit, the responder receives a query with the header containing RD set bit, the
responder MUST ignore the RD bit. responder MUST ignore the RD bit.
The sender MUST anticipate receiving no replies to some LLMNR queries, The sender MUST anticipate receiving no replies to some LLMNR queries,
in the event that no responders are available within the link-scope or in the event that no responders are available within the link-scope or
in the event no positive non-null responses exist for the transmitted in the event no positive non-null responses exist for the transmitted
query. If no positive response is received, a resolver treats it as a query. If no positive response is received, a resolver treats it as a
response that no records of the specified type and class exist for the response that no records of the specified type and class exist for the
specified name (it is treated the same as a response with RCODE=0 and an specified name (it is treated the same as a response with RCODE=0 and an
empty answer section). empty answer section).
skipping to change at page 5, line 29 skipping to change at page 6, line 15
unicast address(es) that could be set as the source address(es) when the unicast address(es) that could be set as the source address(es) when the
responder responds to the LLMNR query. A host configured as a responder responder responds to the LLMNR query. A host configured as a responder
MUST act as a sender to verify the uniqueness of names as described in MUST act as a sender to verify the uniqueness of names as described in
Section 4. Section 4.
Responders MUST NOT respond to LLMNR queries for names they are not Responders MUST NOT respond to LLMNR queries for names they are not
authoritative for. Responders SHOULD respond to LLMNR queries for names authoritative for. Responders SHOULD respond to LLMNR queries for names
and addresses they are authoritative for. This applies to both forward and addresses they are authoritative for. This applies to both forward
and reverse lookups. and reverse lookups.
As an example, a computer "host.example.com." configured to respond to As an example, a computer "foo.example.com." configured to respond to
LLMNR queries is authoritative for the name "host.example.com.". On LLMNR queries is authoritative for the name "foo.example.com.". On
receiving an LLMNR A/AAAA resource record query for the name receiving an LLMNR A/AAAA resource record query for the name
"host.example.com." the host authoritatively responds with A/AAAA "foo.example.com." the host authoritatively responds with A/AAAA
record(s) that contain IP address(es) in the RDATA of the resource record(s) that contain IP address(es) in the RDATA of the resource
record. record.
If a responder is authoritative for a name, it MAY respond with RCODE=0 If a responder is authoritative for a name, it MAY respond with RCODE=0
and an empty answer section, if the type of query does not match a RR and an empty answer section, if the type of query does not match a RR
owned by the responder. For example, if the host has a AAAA RR, but no owned by the responder. For example, if the responder has a AAAA RR,
A RR, and an A RR query is received, the host would respond with RCODE=0 but no A RR, and an A RR query is received, the responder would respond
and an empty answer section. with RCODE=0 and an empty answer section.
If a DNS server is running on a host that supports LLMNR, the DNS server If a DNS server is running on a host that supports LLMNR, the DNS server
MUST respond to LLMNR queries only for the RRSets owned by the host on MUST respond to LLMNR queries only for the RRSets relating to the host
which the server is running, but MUST NOT respond for other records for on which the server is running, but MUST NOT respond for other records
which the server is authoritative. for which the server is authoritative.
In conventional DNS terminology a DNS server authoritative for a zone is In conventional DNS terminology a DNS server authoritative for a zone is
authoritative for all the domain names under the zone root except for authoritative for all the domain names under the zone root except for
the branches delegated into separate zones. Contrary to conventional the branches delegated into separate zones. Contrary to conventional
DNS terminology, an LLMNR responder is authoritative only for the zone DNS terminology, an LLMNR responder is authoritative only for the zone
root. root.
For example the host "host.example.com." is not authoritative for the For example the host "foo.example.com." is not authoritative for the
name "child.host.example.com." unless the host is configured with name "child.foo.example.com." unless the host is configured with
multiple names, including "host.example.com." and multiple names, including "foo.example.com." and
"child.host.example.com.". As a result, "host" cannot reply to a query "child.foo.example.com.". As a result, "foo.example.com." cannot reply
for "child" with NXDOMAIN. The purpose of limiting the name authority to a query for "child.foo.example.com." with RCODE=3 (authoritative name
scope of a responder is to prevent complications that could be caused by error). The purpose of limiting the name authority scope of a responder
coexistence of two or more hosts with the names representing child and is to prevent complications that could be caused by coexistence of two
parent (or grandparent) nodes in the DNS tree, for example, or more hosts with the names representing child and parent (or
"host.example.com." and "child.host.example.com.". grandparent) nodes in the DNS tree, for example, "foo.example.com." and
"child.foo.example.com.".
In this example (unless this limitation is introduced) an LLMNR query In this example (unless this limitation is introduced) an LLMNR query
for an A resource record for the name "child.host.example.com." would for an A resource record for the name "child.foo.example.com." would
result in two authoritative responses: a name error received from result in two authoritative responses: RCODE=3 (authoritative name
"host.example.com.", and a requested A record - from
"child.host.example.com.". To prevent this ambiguity, LLMNR enabled error) received from "foo.example.com.", and a requested A record - from
"child.foo.example.com.". To prevent this ambiguity, LLMNR enabled
hosts could perform a dynamic update of the parent (or grandparent) zone hosts could perform a dynamic update of the parent (or grandparent) zone
with a delegation to a child zone. In this example a host with a delegation to a child zone. In this example a host
"child.host.example.com." would send a dynamic update for the NS and "child.foo.example.com." would send a dynamic update for the NS and glue
glue A record to "host.example.com.", but this approach significantly A record to "foo.example.com.", but this approach significantly
complicates implementation of LLMNR and would not be acceptable for complicates implementation of LLMNR and would not be acceptable for
lightweight hosts. lightweight hosts.
A response to a LLMNR query is composed in exactly the same manner as a A response to a LLMNR query is composed in exactly the same manner as a
response to the unicast DNS query as specified in [RFC1035]. Responders response to the unicast DNS query as specified in [RFC1035]. Responders
MUST NOT respond using cached data, and the AA (Authoritative Answer) MUST NOT respond using cached data, and the AA (Authoritative Answer)
bit MUST be set. The response is sent to the sender via unicast. A bit MUST be set. The response is sent to the sender via unicast. A
response to an LLMNR query MUST have RCODE set to zero. Responses with response to an LLMNR query MUST have RCODE set to zero. Responses with
RCODE set to zero are referred to in this document as "positively RCODE set to zero are referred to in this document as "positively
resolved". LLMNR responders may respond only to queries which they can resolved". LLMNR responders may respond only to queries which they can
skipping to change at page 7, line 9 skipping to change at page 7, line 44
the response if it contains all necessary information, or the sender MAY the response if it contains all necessary information, or the sender MAY
discard the response and resend the query over TCP using the unicast discard the response and resend the query over TCP using the unicast
address of the responder. The RA (Recursion Available) bit in the address of the responder. The RA (Recursion Available) bit in the
header of the response MUST NOT be set. If the RA bit is set in the header of the response MUST NOT be set. If the RA bit is set in the
response header, the sender MUST ignore the RA bit. response header, the sender MUST ignore the RA bit.
Unicast LLMNR queries SHOULD be sent using TCP. Responses to TCP Unicast LLMNR queries SHOULD be sent using TCP. Responses to TCP
unicast LLMNR queries MUST be sent using TCP, using the same connection unicast LLMNR queries MUST be sent using TCP, using the same connection
as the query. If the sender of a TCP query receives a response not as the query. If the sender of a TCP query receives a response not
using TCP, the response MUST be silently discarded. Unicast UDP queries using TCP, the response MUST be silently discarded. Unicast UDP queries
MAY be responded to with an empty answer section and the TC bit set, so MAY be responded to with a UDP response containing an empty answer
as to require the sender to resend the query using TCP. Senders MUST section and the TC bit set, so as to require the sender to resend the
support sending TCP queries, and Responders MUST support listening for query using TCP. Senders MUST support sending TCP queries, and
TCP queries. The Responder SHOULD set the TTL or Hop Limit settings on Responders MUST support listening for TCP queries. The Responder SHOULD
the TCP listen socket to one (1) so that SYN-ACK packets will have TTL set the TTL or Hop Limit settings on the TCP listen socket to one (1) so
(IPv4) or Hop Limit (IPv6) set to one (1). This prevents an incoming that SYN-ACK packets will have TTL (IPv4) or Hop Limit (IPv6) set to one
connection from off-link since the Sender will not receive a SYN-ACK (1). This prevents an incoming connection from off-link since the
from the Responder. Sender will not receive a SYN-ACK from the Responder.
If an ICMP "Time Exceeded" message is received in response to a unicast If an ICMP "Time Exceeded" message is received in response to a unicast
UDP query, or if TCP connection setup cannot be completed in order to UDP query, or if TCP connection setup cannot be completed in order to
send a unicast TCP query, this is treated as a response that no records send a unicast TCP query, this is treated as a response that no records
of the specified type and class exist for the specified name (it is of the specified type and class exist for the specified name (it is
treated the same as a response with RCODE=0 and an empty answer treated the same as a response with RCODE=0 and an empty answer
section). The UDP sender receiving an ICMP "Time Exceeded" message section). The UDP sender receiving an ICMP "Time Exceeded" message
SHOULD verify that the ICMP error payload contains a valid LLMNR query SHOULD verify that the ICMP error payload contains a valid LLMNR query
packet, which matches a query that is currently in progress, so as to packet, which matches a query that is currently in progress, so as to
guard against a potential Denial of Service (DoS) attack. If a match guard against a potential Denial of Service (DoS) attack. If a match
skipping to change at page 9, line 46 skipping to change at page 10, line 34
query name. query name.
Responders SHOULD NOT perform DNS additional section processing. Responders SHOULD NOT perform DNS additional section processing.
Senders MUST NOT cache RRs from the authority or additional section of a Senders MUST NOT cache RRs from the authority or additional section of a
response as answers, though they may be used for other purposes such as response as answers, though they may be used for other purposes such as
negative caching. negative caching.
3. Usage model 3. Usage model
LLMNR is a peer-to-peer name resolution protocol that is not intended as Since LLMNR is a secondary name resolution mechanism, its usage is in
a replacement for DNS. By default, LLMNR requests SHOULD be sent only part determined by the behavior of DNS implementations. This document
when no manual or automatic DNS configuration has been performed, when does not specify any changes to DNS resolver behavior, such as
DNS servers do not respond, or when they respond to a query with RCODE=3 searchlist processing or retransmission/failover policy. However,
(Authoritative Name Error) or RCODE=0, and an empty answer section. An robust DNS resolver implementations are more likely to avoid unnecessary
LLMNR sender may send a request for any name. LLMNR queries.
As noted in [DNSPerf], even when DNS servers are configured, a As noted in [DNSPerf], even when DNS servers are configured, a
significant fraction of DNS queries do not receive a response, or result significant fraction of DNS queries do not receive a response, or result
in negative responses due to missing inverse mappings or NS records that in negative responses due to missing inverse mappings or NS records that
point to nonexistent or inappropriate hosts. Given this, support for point to nonexistent or inappropriate hosts. This has the potential to
LLMNR as a secondary name resolution mechanism has the potential to result in a large number of unnecessary LLMNR queries.
result in a large number of inappropriate queries without the following
additional restrictions:
[1] If a DNS query does not receive a response, prior to falling [RFC1536] describes common DNS implementation errors and fixes. If the
back to LLMNR, the query SHOULD be retransmitted at least proposed fixes are implemented, unnecessary LLMNR queries will be
once. reduced substantially, and so implementation of [RFC1536] is
recommended.
[2] A sender SHOULD send LLMNR queries for PTR RRs For example, [RFC1536] Section 1 describes issues with retransmission
via unicast, as specified in Section 2.3.
and recommends implementation of a retransmission policy based on round
trip estimates, with exponential backoff. [RFC1536] Section 4 describes
issues with failover, and recommends that resolvers try another server
when they don't receive a response to a query. These policies are
likely to avoid unnecessary LLMNR queries.
[RFC1536] Section 3 describes zero answer bugs, which if addressed will
also reduce unnecessary LLMNR queries.
[RFC1536] Section 6 describes name error bugs and recommended searchlist
processing that will reduce unnecessary RCODE=3 (authoritative name)
errors, thereby also reducing unnecessary LLMNR queries.
3.1. Responder responsibilities
It is the responsibility of the responder to ensure that RRs returned in It is the responsibility of the responder to ensure that RRs returned in
LLMNR responses MUST only include values that are valid on the local LLMNR responses MUST only include values that are valid on the local
interface, such as IPv4 or IPv6 addresses valid on the local link or interface, such as IPv4 or IPv6 addresses valid on the local link or
names defended using the mechanism described in Section 4. In names defended using the mechanism described in Section 4. In
particular: particular:
[1] If a link-scope IPv6 address is returned in a AAAA RR, that [1] If a link-scope IPv6 address is returned in a AAAA RR, that
address MUST be valid on the local link over which LLMNR is address MUST be valid on the local link over which LLMNR is
used. used.
skipping to change at page 10, line 40 skipping to change at page 11, line 40
[2] If an IPv4 address is returned, it MUST be reachable through [2] If an IPv4 address is returned, it MUST be reachable through
the link over which LLMNR is used. the link over which LLMNR is used.
[3] If a name is returned (for example in a CNAME, MX [3] If a name is returned (for example in a CNAME, MX
or SRV RR), the name MUST be valid on the local interface. or SRV RR), the name MUST be valid on the local interface.
Routable addresses MUST be included first in the response, if available. Routable addresses MUST be included first in the response, if available.
This encourages use of routable address(es) for establishment of new This encourages use of routable address(es) for establishment of new
connections. connections.
3.1. Unqualified names
If a name is not qualified, for the purposes of LLMNR the implicit
search order is as follows:
[1] Request the name with the current domain appended.
[2] Request the name with the root domain (".") appended.
This is the behavior suggested by [RFC1536].
3.2. LLMNR configuration 3.2. LLMNR configuration
LLMNR usage MAY be configured manually or automatically on a per
interface basis. By default, LLMNR Responders SHOULD be enabled on all
interfaces, at all times.
Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
possible for a dual stack host to be configured with the address of a possible for a dual stack host to be configured with the address of a
DNS server over IPv4, while remaining unconfigured with a DNS server DNS server over IPv4, while remaining unconfigured with a DNS server
suitable for use over IPv6. suitable for use over IPv6.
In these situations, a dual stack host will send AAAA queries to the In these situations, a dual stack host will send AAAA queries to the
configured DNS server over IPv4. However, an IPv6-only host configured DNS server over IPv4. However, an IPv6-only host
unconfigured with a DNS server suitable for use over IPv6 will be unable unconfigured with a DNS server suitable for use over IPv6 will be unable
to resolve names using DNS. Automatic IPv6 DNS configuration mechanisms to resolve names using DNS. Automatic IPv6 DNS configuration mechanisms
(such as [DHCPv6DNS] and [DNSDisc]) are not yet widely deployed, and not (such as [DHCPv6DNS] and [DNSDisc]) are not yet widely deployed, and not
skipping to change at page 12, line 47 skipping to change at page 13, line 30
respond to a query. Resource records for which the latter queries are respond to a query. Resource records for which the latter queries are
submitted are referred as UNIQUE throughout this document. The submitted are referred as UNIQUE throughout this document. The
uniqueness of a resource record depends on a nature of the name in the uniqueness of a resource record depends on a nature of the name in the
query and type of the query. For example it is expected that: query and type of the query. For example it is expected that:
- multiple hosts may respond to a query for an SRV type record - multiple hosts may respond to a query for an SRV type record
- multiple hosts may respond to a query for an A or AAAA type - multiple hosts may respond to a query for an A or AAAA type
record for a cluster name (assigned to multiple hosts in record for a cluster name (assigned to multiple hosts in
the cluster) the cluster)
- only a single host may respond to a query for an A or AAAA - only a single host may respond to a query for an A or AAAA
type record for a hostname. type record for a name.
Every responder that responds to an LLMNR query AND includes a UNIQUE Every responder that responds to an LLMNR query AND includes a UNIQUE
record in the response: record in the response:
1. MUST verify that there is no other host within the scope of the 1. MUST verify that there is no other host within the scope of the
LLMNR query propagation that can return a resource record LLMNR query propagation that can return a resource record
for the same name, type and class. for the same name, type and class.
2. MUST NOT include a UNIQUE resource record in the 2. MUST NOT include a UNIQUE resource record in the
response without having verified its uniqueness. response without having verified its uniqueness.
skipping to change at page 13, line 28 skipping to change at page 14, line 11
- starts up or is rebooted - starts up or is rebooted
- wakes from sleep (if the network interface was inactive during sleep) - wakes from sleep (if the network interface was inactive during sleep)
- is configured to respond to the LLMNR queries on an interface - is configured to respond to the LLMNR queries on an interface
enabled for transmission and reception of IP traffic enabled for transmission and reception of IP traffic
- is configured to respond to the LLMNR queries using additional - is configured to respond to the LLMNR queries using additional
UNIQUE resource records UNIQUE resource records
When a host that owns a UNIQUE record receives an LLMNR query for that When a host that owns a UNIQUE record receives an LLMNR query for that
record, the host MUST respond. After the client receives a response, it record, the host MUST respond. After the client receives a response, it
MUST check whether the response arrived on another interface. If this MUST check whether the response arrived on an interface different from
is the case, then the client can use the UNIQUE resource record in the one on which the query was sent. If the response arrives on a
different interface, the client can use the UNIQUE resource record in
response to LLMNR queries. If not, then it MUST NOT use the UNIQUE response to LLMNR queries. If not, then it MUST NOT use the UNIQUE
resource record in response to LLMNR queries. resource record in response to LLMNR queries.
The name conflict detection mechanism doesn't prevent name conflicts The name conflict detection mechanism doesn't prevent name conflicts
when previously partitioned segments are connected by a bridge. In order when previously partitioned segments are connected by a bridge. In order
to minimize the chance of conflicts in such a situation, it is to minimize the chance of conflicts in such a situation, it is
recommended that steps be taken to ensure hostname uniqueness. For recommended that steps be taken to ensure name uniqueness. For example,
example, the hostname could be chosen randomly from a large pool of the name could be chosen randomly from a large pool of potential names,
potential names, or the hostname could be assigned via a process or the name could be assigned via a process designed to guarantee
designed to guarantee uniqueness. uniqueness.
When name conflicts are detected, they SHOULD be logged. To detect When name conflicts are detected, they SHOULD be logged. To detect
duplicate use of a name, an administrator can use a name resolution duplicate use of a name, an administrator can use a name resolution
utility which employs LLMNR and lists both responses and responders. utility which employs LLMNR and lists both responses and responders.
This would allow an administrator to diagnose behavior and potentially This would allow an administrator to diagnose behavior and potentially
to intervene and reconfigure LLMNR responders who should not be to intervene and reconfigure LLMNR responders who should not be
configured to respond to the same name. configured to respond to the same name.
4.1. Considerations for Multiple Interfaces 4.1. Considerations for Multiple Interfaces
skipping to change at page 15, line 47 skipping to change at page 16, line 24
indistinguishable, but this API allows the application to communicate indistinguishable, but this API allows the application to communicate
successfully with any address in the list. successfully with any address in the list.
5. Security Considerations 5. Security Considerations
LLMNR is by nature a peer-to-peer name resolution protocol. It is LLMNR is by nature a peer-to-peer name resolution protocol. It is
therefore inherently more vulnerable than DNS, since existing DNS therefore inherently more vulnerable than DNS, since existing DNS
security mechanisms are difficult to apply to LLMNR. While tools exist security mechanisms are difficult to apply to LLMNR. While tools exist
to alllow an attacker to spoof a response to a DNS query, spoofing a to alllow an attacker to spoof a response to a DNS query, spoofing a
response to an LLMNR query is easier since the query is sent to a link- response to an LLMNR query is easier since the query is sent to a link-
scope multicast address, which can propagate to multiple switch ports. scope multicast address, where every host on the logical link will be
made aware of it.
In order to address the security vulnerabilities, the following In order to address the security vulnerabilities, the following
mechanisms are contemplated: mechanisms are contemplated:
[1] Scope restrictions. [1] Scope restrictions.
[2] Usage restrictions. [2] Usage restrictions.
[3] Cache and port separation. [3] Cache and port separation.
skipping to change at page 17, line 4 skipping to change at page 17, line 29
queries and responses, it does not eliminate it. For example, it is queries and responses, it does not eliminate it. For example, it is
possible for an attacker to spoof a response to a frequent query (such possible for an attacker to spoof a response to a frequent query (such
as an A/AAAA query for a popular Internet host), and by using a TTL or as an A/AAAA query for a popular Internet host), and by using a TTL or
Hop Limit field larger than one (1), for the forged response to reach Hop Limit field larger than one (1), for the forged response to reach
the LLMNR sender. There also are scenarios such as public "hotspots" the LLMNR sender. There also are scenarios such as public "hotspots"
where attackers can be present on the same link. where attackers can be present on the same link.
These threats are most serious in wireless networks such as 802.11, These threats are most serious in wireless networks such as 802.11,
since attackers on a wired network will require physical access to the since attackers on a wired network will require physical access to the
home network, while wireless attackers may reside outside the home. home network, while wireless attackers may reside outside the home.
Link-layer security can be of assistance against these threats if it is Link-layer security can be of assistance against these threats if it is
available. available.
5.2. Usage restriction 5.2. Usage restriction
As noted in Section 3, LLMNR is intended for usage in a limited set of As noted in Sections 2 and 3, LLMNR is intended for usage in a limited
scenarios. set of scenarios.
While LLMNR can be used to resolve any name, if an interface has been
configured with DNS server address(es), then LLMNR SHOULD NOT be used as
the primary name resolution mechanism on that interface, although it MAY
be used as a name resolution mechanism of last resort.
If an LLMNR query is sent whenever a DNS server does not respond in a If an LLMNR query is sent whenever a DNS server does not respond in a
timely way, then an attacker can poison the LLMNR cache by responding to timely way, then an attacker can poison the LLMNR cache by responding to
the query with incorrect information. To some extent, these the query with incorrect information. To some extent, these
vulnerabilities exist today, since DNS response spoofing tools are vulnerabilities exist today, since DNS response spoofing tools are
available that can allow an attacker to respond to a query more quickly available that can allow an attacker to respond to a query more quickly
than a distant DNS server. than a distant DNS server.
Since LLMNR queries are sent and responded to on the local-link, an Since LLMNR queries are sent and responded to on the local-link, an
attacker will need to respond more quickly to provide its own response attacker will need to respond more quickly to provide its own response
skipping to change at page 22, line 14 skipping to change at page 22, line 37
Open Issues Open Issues
Open issues with this specification are tracked on the following web Open issues with this specification are tracked on the following web
site: site:
http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
Expiration Date Expiration Date
This memo is filed as <draft-ietf-dnsext-mdns-24.txt>, and expires This memo is filed as <draft-ietf-dnsext-mdns-25.txt>, and expires May
February 22, 2004. 22, 2004.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/