1 Document: draft-cheshire-dnsext-multicastdns-04.txt Stuart Cheshire 2 Category: Standards Track Apple Computer, Inc. 3 Expires 14th August 2004 Marc Krochmal 4 Apple Computer, Inc. 5 14th February 2004 6 7 Multicast DNS 8 9 <draft-cheshire-dnsext-multicastdns-04.txt> 10 11 12 Status of this Memo 13 14 This document is an Internet-Draft and is in full conformance with 15 all provisions of Section 10 of RFC2026. Internet-Drafts are 16 working documents of the Internet Engineering Task Force (IETF), 17 its areas, and its working groups. Note that other groups may 18 also distribute working documents as Internet-Drafts. 19 20 Internet-Drafts are draft documents valid for a maximum of six 21 months and may be updated, replaced, or obsoleted by other documents 22 at any time. It is inappropriate to use Internet-Drafts as 23 reference material or to cite them other than as "work in progress." 24 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 27 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html 30 31 Distribution of this memo is unlimited. 32 33 34 Abstract 35 36 As networked devices become smaller, more portable, and more 37 ubiquitous, the ability to operate with less configured 38 infrastructure is increasingly important. In particular, the ability 39 to look up DNS resource record data types (including, but not limited 40 to, host names) in the absence of a conventional managed DNS server, 41 is becoming essential. 42 43 Multicast DNS (mDNS) provides the ability to do DNS-like operations 44 on the local link in the absense of any conventional unicast DNS 45 server. In addition, mDNS designates a portion of the DNS namespace 46 to be free for local use, without the need to pay any annual fee, and 47 without the need to set up delegations or otherwise configure a 48 conventional DNS server to answer for those names. 49 50 The primary benefits of mDNS names are that (i) they require little 51 or no administration or configuration to set them up, (ii) they work 52 when no infrastructure is present, and (iii) they work during 53 infrastructure failures. 54 55 56 57 58 Expires 14th August 2004 Cheshire & Krochmal [Page 1] 59 61 Internet Draft Multicast DNS 14th February 2004 62 63 64 Table of Contents 65 66 1. Introduction...................................................3 67 2. Conventions and Terminology Used in this Document..............4 68 3. Multicast DNS Names............................................4 69 4. IP TTL Checks..................................................8 70 5. Reverse Address Mapping........................................8 71 6. Querying.......................................................9 72 7. Duplicate Suppression.........................................13 73 8. Responding....................................................15 74 9. Probing and Announcing on Startup.............................17 75 10. Conflict Resolution...........................................21 76 11. Special Characteristics of Multicast DNS Domains..............23 77 12. Multicast DNS for Service Discovery...........................24 78 13. Resource Record TTL Values and Cache Coherency................25 79 14. Enabling and Disabling Multicast DNS..........................30 80 15. Considerations for Multiple Interfaces........................30 81 16. Multicast DNS and Power Management............................31 82 17. Multicast DNS Character Set...................................32 83 18. Multicast DNS Message Size....................................33 84 19. Multicast DNS Message Format..................................33 85 20. Choice of UDP Port Number.....................................36 86 21. Summary of Differences Between Multicast DNS and Unicast DNS..37 87 22. Benefits of Multicast Responses...............................38 88 23. IPv6 Considerations...........................................39 89 24. Security Considerations.......................................40 90 25. IANA Considerations...........................................41 91 26. Acknowledgements..............................................41 92 27. Copyright.....................................................41 93 28. Normative References..........................................42 94 29. Informative References........................................42 95 30. Author's Addresses............................................43 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 Expires 14th August 2004 Cheshire & Krochmal [Page 2] 118 120 Internet Draft Multicast DNS 14th February 2004 121 122 123 1. Introduction 124 125 When reading this document, familiarity with the concepts of Zero 126 Configuration Networking [ZC] and automatic link-local addressing 127 [v4LL] [RFC 2462] is helpful. 128 129 This document proposes no change to the structure of DNS messages, 130 and no new operation codes, response codes, or resource record types. 131 This document simply discusses what needs to happen if DNS clients 132 start sending DNS queries to a multicast address, and how a 133 collection of hosts can cooperate to collectively answer those 134 queries in a useful manner. 135 136 There has been discussion of how much burden Multicast DNS might 137 impose on a network. It should be remembered that whenever IPv4 hosts 138 communicate, they broadcast ARP packets on the network on a regular 139 basis, and this is not disastrous. The approximate amount of 140 multicast traffic generated by hosts making conventional use of 141 Multicast DNS is anticipated to be roughly the same order of 142 magnitude as the amount of broadcast ARP traffic those hosts already 143 generate. 144 145 New applications making new use of Multicast DNS capabilities for 146 unconventional purposes may generate more traffic. If some of those 147 new applications are "chatty", then work will be needed to help them 148 become less chatty. When performing any analysis, it is important to 149 make a distinction between the application behavior and the 150 underlying protocol behavior. If a chatty application uses UDP, that 151 doesn't mean that UDP is chatty, or that IP is chatty, or that 152 Ethernet is chatty. What it means is that the application is chatty. 153 The same applies to any future applications that may decide to layer 154 increasing portions of their functionality over Multicast DNS. 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 Expires 14th August 2004 Cheshire & Krochmal [Page 3] 177 179 Internet Draft Multicast DNS 14th February 2004 180 181 182 2. Conventions and Terminology Used in this Document 183 184 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 185 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 186 document are to be interpreted as described in "Key words for use in 187 RFCs to Indicate Requirement Levels" [RFC 2119]. 188 189 This document uses the term "host name" in the strict sense to mean a 190 fully qualified domain name that has an address record. It does not 191 use the term "host name" in the commonly used but incorrect sense to 192 mean just the first DNS label of a host's fully qualified domain 193 name. 194 195 A DNS (or mDNS) packet contains an IP TTL in the IP header, which 196 is effectively a hop-count limit for the packet, to guard against 197 routing loops. Each Resource Record also contains a TTL, which is 198 the number of seconds for which the Resource Record may be cached. 199 200 In any place where there may be potential confusion between these two 201 types of TTL, the term "IP TTL" is used to refer to the IP header TTL 202 (hop limit), and the term "RR TTL" is used to refer to the Resource 203 Record TTL (cache lifetime). 204 205 When this document uses the term "Multicast DNS", it should be taken 206 to mean: Clients performing DNS-like queries for DNS-like resource 207 records by sending DNS-like UDP query and response packets over IP 208 Multicast to UDP port 5353." 209 210 211 3. Multicast DNS Names 212 213 This document proposes that the DNS top-level domain ".local." be 214 designated a special domain with special semantics, namely that any 215 fully-qualified name ending in ".local." is link-local, and names 216 within this domain are meaningful only on the link where they 217 originate. This is analogous to IPv4 addresses in the 169.254/16 218 prefix, which are link-local and meaningful only on the link where 219 they originate. 220 221 Any DNS query for a name ending with ".local." MUST be sent 222 to the mDNS multicast address (224.0.0.251 or its IPv6 equivalent 223 FF02::FB). 224 225 It is unimportant whether a name ending with ".local." occurred 226 because the user explicitly typed in a fully qualified domain name 227 ending in ".local.", or because the user entered an unqualified 228 domain name and the host software appended the suffix ".local." 229 because that suffix appears in the user's search list. The ".local." 230 suffix could appear in the search list because the user manually 231 configured it, or because it was received in a DHCP option, or via 232 any other valid mechanism for configuring the DNS search list. In 233 234 235 Expires 14th August 2004 Cheshire & Krochmal [Page 4] 236 238 Internet Draft Multicast DNS 14th February 2004 239 240 241 this respect the ".local." suffix is treated no differently to any 242 other search domain that might appear in the DNS search list. 243 244 DNS queries for names that do not end with ".local." MAY be sent to 245 the mDNS multicast address, if no other conventional DNS server is 246 available. This can allow hosts on the same link to continue 247 communicating using each other's globally unique DNS names during 248 network outages which disrupt communication with the greater 249 Internet. When resolving global names via local multicast, it is even 250 more important to use DNSSEC or other security mechanisms to ensure 251 that the response is trustworthy. Resolving global names via local 252 multicast is a contentious issue, and this document does not discuss 253 it in detail, instead concentrating on the issue of resolving local 254 names using DNS packets sent to a multicast address. 255 256 A host which belongs to an organization or individual who has control 257 over some portion of the DNS namespace can be assigned a globally 258 unique name within that portion of the DNS namespace, for example, 259 "cheshire.apple.com." For those of us who have this luxury, this 260 works very well. However, the majority of home customers do not have 261 easy access to any portion of the global DNS namespace within which 262 they have the authority to create names as they wish. This leaves the 263 majority of home computers effectively anonymous for practical 264 purposes. 265 266 To remedy this problem, this document allows any computer user to 267 elect to give their computers link-local Multicast DNS host names of 268 the form: "single-dns-label.local." For example, my Titanium 269 PowerBook laptop computer answers to the name "sctibook.local." Any 270 computer user is granted the authority to name their computer this 271 way, providing that the chosen host name is not already in use on 272 that link. Having named their computer this way, the user has the 273 authority to continue using that name until such time as a name 274 conflict occurs on the link which is not resolved in the user's 275 favour. If this happens, the computer (or its human user) SHOULD 276 cease using the name, and may choose to attempt to allocate a new 277 unique name for use on that link. Like law suits over global DNS 278 names, these conflicts are expected to be relatively rare for people 279 who choose reasonably imaginative names, but it is still important 280 to have a mechanism in place to handle them when they happen. 281 282 The point made in the previous paragraph is very important and bears 283 repeating. It is easy for those of us in the IETF community who run 284 our own name servers at home to forget that the majority of computer 285 users do not run their own name server and have no easy way to create 286 their own host names. When these users wish to transfer files between 287 two laptop computers, they are frequently reduced to typing in 288 dotted-decimal IP addresses because they simply have no other way for 289 one host to refer to the other by name. This is a sorry state of 290 affairs. What is worse, most users don't even bother trying to use 291 292 293 294 Expires 14th August 2004 Cheshire & Krochmal [Page 5] 295 297 Internet Draft Multicast DNS 14th February 2004 298 299 300 dotted-decimal IP addresses. Most users still move data between 301 machines by copying it onto a floppy disk or similar removable media. 302 303 In a world of gigabit Ethernet and ubiquitous wireless networking it 304 is a sad indictment of the networking community that the preferred 305 communication medium for most computer users is still the floppy 306 disk. 307 308 Allowing ad-hoc allocation of single-label names in a single flat 309 ".local." namespace may seem to invite chaos. However, operational 310 experience with AppleTalk NBP names [NBP], which on any given link 311 are also effectively single-label names in a flat namespace, shows 312 that in practice name collisions happen extremely rarely and are not 313 a problem. Groups of computer users from disparate organizations 314 bring Macintosh laptop computers to events such as IETF Meetings, the 315 Mac Hack conference, the Apple World Wide Developer Conference, etc., 316 and complaints at these events about users suffering conflicts and 317 being forced to rename their machines have never been an issue. 318 319 Enforcing uniqueness of host names (i.e. the names of DNS address 320 records mapping names to IP addresses) is probably desirable in the 321 common case, but this document does not mandate that. It is 322 permissible for a collection of coordinated hosts to agree to 323 maintain multiple DNS address records with the same name, possibly 324 for load balancing or fault-tolerance reasons. This document does not 325 take a position on whether that is sensible. It is important that 326 both modes of operation are supported. The Multicast DNS protocol 327 allows hosts to verify and maintain unique names for resource records 328 where that behaviour is desired, and it also allows hosts to maintain 329 multiple resource records with a single shared name where that 330 behaviour is desired. This consideration applies to all resource 331 records, not just address records (host names). In summary: It is 332 required that the protocol have the ability to detect and handle name 333 conflicts, but it is not required that this ability be used for every 334 record. 335 336 337 3.1 Governing Standards Body 338 339 Note that this use of the ".local." suffix falls under IETF 340 jurisdiction, not ICANN jurisdiction. DNS is an IETF network 341 protocol, governed by protocol rules defined by the IETF. These IETF 342 protocol rules dictate character set, maximum name length, packet 343 format, etc. ICANN determines additional rules that apply when the 344 IETF's DNS protocol is used on the public Internet. In contrast, 345 private uses of the DNS protocol on isolated private networks are not 346 governed by ICANN. Since this proposed change is a change to the core 347 DNS protocol rules, it affects everyone, not just those machines 348 using the ICANN-governed Internet. Hence this change falls into the 349 category of an IETF protocol rule, not an ICANN usage rule. 350 351 352 353 Expires 14th August 2004 Cheshire & Krochmal [Page 6] 354 356 Internet Draft Multicast DNS 14th February 2004 357 358 359 3.2 Private DNS Namespaces 360 361 Note also that the special treatment of names ending in ".local." has 362 been implemented in Macintosh computers since the days of Mac OS 9, 363 and continues today in Mac OS X. There are also implementations for 364 Linux and other platforms [dotlocal]. Operators setting up private 365 internal networks ("intranets") are advised that their lives may be 366 easier if they avoid using the suffix ".local." in names in their 367 private internal DNS server. Alternative possibilities include: 368 369 .intranet 370 .internal 371 .private 372 .corp 373 .home 374 375 Another alternative naming scheme, advocated by Professor D. J. 376 Bernstein, is to use a numerical suffix, such as ".6." [djbdl]. 377 378 379 3.3 Maximum Multicast DNS Name Length 380 381 RFC 1034 says: 382 383 "the total number of octets that represent a domain name (i.e., 384 the sum of all label octets and label lengths) is limited to 255." 385 386 This text implies that the final root label at the end of every name 387 is included in this count (a name can't be represented without it), 388 but the text does not explicitly state that. Implementations of 389 Multicast DNS MUST include the label length byte of the final root 390 label at the end of every name when enforcing the rule that no name 391 may be longer than 255 bytes. For example, the length of the name 392 "apple.com." is considered to be 11, which is the number of bytes it 393 takes to represent that name in a packet without using name 394 compression: 395 396 ------------------------------------------------------ 397 | 0x05 | a | p | p | l | e | 0x03 | c | o | m | 0x00 | 398 ------------------------------------------------------ 399 400 401 402 403 404 405 406 407 408 409 410 411 412 Expires 14th August 2004 Cheshire & Krochmal [Page 7] 413 415 Internet Draft Multicast DNS 14th February 2004 416 417 418 4. IP TTL Checks 419 420 All Multicast DNS responses (including responses sent via unicast) 421 MUST be sent with IP TTL set to 255. 422 423 A host sending Multicast DNS queries to a link-local destination 424 address (including the 224.0.0.251 link-local multicast address) MUST 425 verify that the IP TTL in response packets is 255, and silently 426 discard any response packets where the IP TTL is not 255. Without 427 this check, it could be possible for remote rogue hosts to send 428 spoof answer packets (perhaps unicast to the victim host) which the 429 receiving machine could misinterpret as having originated on the 430 local link. 431 432 The authors have heard complaints that some older network stack 433 implementations do not implement the IP_RECVTTL socket option 434 (or equivalent API) for obtaining the IP TTL of received packets. 435 This is unfortunate, and these old network stacks would benefit 436 from adding this API support so that they may benefit from this 437 enhanced protection against spoof packets arriving from off-link. 438 439 Note that Multicast DNS Responders SHOULD NOT discard queries with 440 TTLs other than 255. There may be valid future applications of 441 Multicast DNS where hosts issue unicast queries directed at Multicast 442 DNS Responders more than one hop away, if Multicast DNS Responders 443 were to discard queries where the TTL is not 255, they would not 444 answer these queries. 445 446 447 5. Reverse Address Mapping 448 449 Like ".local.", the IPv4 and IPv6 reverse-mapping domains are also 450 defined to be link-local. 451 452 Any DNS query for a name ending with "254.169.in-addr.arpa." MUST 453 be sent to the mDNS multicast address 224.0.0.251. Since names under 454 this domain correspond to IPv4 link-local addresses, it is logical 455 that the local link is the best place to find information pertaining 456 to those names. As an optimization, these queries MAY be first 457 unicast directly to the address in question, but if this query is not 458 answered, the query MUST also be sent via multicast, to accommodate 459 the case where the machine in question is not answering for itself 460 (for example, because it is currently sleeping). 461 462 Likewise, any DNS query for a name ending with "0.8.e.f.ip6.arpa." 463 MUST be sent to the IPv6 mDNS link-local multicast address FF02::FB, 464 with or without an optional initial query unicast directly to the 465 address in question. 466 467 468 469 470 471 Expires 14th August 2004 Cheshire & Krochmal [Page 8] 472 474 Internet Draft Multicast DNS 14th February 2004 475 476 477 6. Querying 478 479 There are three kinds of Multicast DNS Queries, one-shot queries of 480 the kind made by today's conventional DNS clients, one-shot queries 481 accumulating multiple responses made by multicast-aware DNS clients, 482 and continuous ongoing Multicast DNS Queries used by IP network 483 browser software. 484 485 A Multicast DNS Responder that is offering records that are intended 486 to be unique on the local link MUST also implement a Multicast DNS 487 Querier so that it can first verify the uniqueness of those records 488 before it begins answering queries for them. 489 490 491 6.1 One-Shot Queries 492 493 An unsophisticated DNS client may simply send its DNS queries 494 blindly to the 224.0.0.251 multicast address, without necessarily 495 even being aware what a multicast address is. 496 497 Such an unsophisticated DNS client may not get ideal behaviour. Such 498 a client may simply take the first response it receives and fail to 499 wait to see if there are more, but in many instances this may not be 500 a serious problem. If a user types "http://stu.local." into their Web 501 browser and gets to see the page they were hoping for, then the 502 protocol has met the user's needs in this case. 503 504 505 6.2 One-Shot Queries, Accumulating Multiple Responses 506 507 A more sophisticated DNS client should understand that Multicast DNS 508 is not exactly the same as unicast DNS, and should modify its 509 behaviour in some simple ways. 510 511 As described above, there are some cases, such as looking up the 512 address associated with a unique host name, where a single response 513 is sufficient, and moreover may be all that is expected. However, 514 there are other DNS queries where more than one response is 515 possible, and for these queries a more sophisticated Multicast DNS 516 client should include the ability to wait for an appropriate period 517 of time to collect multiple responses. 518 519 A naive DNS client retransmits its query only so long as it has 520 received no response. A more sophisticated Multicast DNS client is 521 aware that having received one response is not necessarily an 522 indication that it might not receive others, and has the ability to 523 retransmit its query an appropriate number of times at appropriate 524 intervals until it is satisfied with the collection of responses it 525 has gathered. 526 527 528 529 530 Expires 14th August 2004 Cheshire & Krochmal [Page 9] 531 533 Internet Draft Multicast DNS 14th February 2004 534 535 536 A more sophisticated Multicast DNS client that is retransmitting 537 a query for which it has already received some responses, MUST 538 implement Known Answer Suppression, as described below in Section 539 7.1. This indicates to responders who have already replied that their 540 responses have been received, and they don't need to send them again 541 in response to this repeated query. In addition, the interval between 542 the first two queries MUST be at least one second, and the 543 intervals between subsequent queries MUST double. 544 545 546 6.3 Continuous Querying 547 548 In One-Shot Queries, with either a single or multiple responses, 549 the underlying assumption is that the transaction begins when the 550 application issues a query, and ends when all the desired responses 551 have been received. There is another type of operation which is more 552 akin to continuous monitoring. 553 554 Macintosh users are accustomed to opening the "Chooser" window, 555 selecting a desired printer, and then closing the Chooser window. 556 However, when the desired printer does not appear in the list, the 557 user will typically leave the "Chooser" window open while they go and 558 check to verify that the printer is plugged in, powered on, connected 559 to the Ethernet, etc. While the user jiggles the wires, hits the 560 Ethernet hub, and so forth, they keep an eye on the Chooser window, 561 and when the printer name appears, they know they have fixed whatever 562 the problem was. This can be a useful and intuitive troubleshooting 563 technique, but a user who goes home for the weekend leaving the 564 Chooser window open places a non-trivial burden on the network. 565 566 With continuous querying, multiple queries are sent over a long 567 period of time, until the user terminates the operation. It is 568 important that an IP network browser window displaying live 569 information from the network using Multicast DNS, if left running for 570 an extended period of time, should generate significantly less 571 multicast traffic on the network than the old AppleTalk Chooser. 572 Therefore, the interval between the first two queries MUST be at 573 least one second, the intervals between subsequent queries MUST 574 double, and the querier MUST implement Known Answer Suppression, as 575 described below in Section 7.1. 576 577 When a Multicast DNS Querier receives an answer, the answer contains 578 a TTL value that indicates for how many seconds this answer is valid. 579 After this interval has passed, the answer will no longer be valid 580 and should be deleted from the cache. Before this time is reached, a 581 Multicast DNS Querier with an ongoing interest in that record SHOULD 582 re-issue its query to determine whether the record is still valid, 583 and if so update its expiry time. 584 585 586 587 588 589 Expires 14th August 2004 Cheshire & Krochmal [Page 10] 590 592 Internet Draft Multicast DNS 14th February 2004 593 594 595 To perform this cache maintenance, a Multicast DNS Querier should 596 plan to issue a query at 80% of the record lifetime, and then if no 597 answer is received, at 85%, 90% and 95%. If an answer is received, 598 then the remaining TTL is reset to the value given in the answer, and 599 this process repeats for as long as the Multicast DNS Querier has an 600 ongoing interest in the record. If after four queries no answer is 601 received, the record is deleted when it reaches 100% of its lifetime. 602 603 To avoid the case where multiple Multicast DNS Queriers on a network 604 all issue their queries simultaneously, a random variation of 2% of 605 the record TTL should be added, so that queries are scheduled to be 606 performed at 80-82%, 85-87%, 90-92% and then 95-97% of the TTL. 607 608 609 6.4 Multiple Questions per Query 610 611 Multicast DNS allows a querier to place multiple questions in the 612 question section of a single Multicast DNS query packet. 613 614 The semantics of a Multicast DNS query packet containing multiple 615 questions is identical to a series of individual DNS query packets 616 containing one question each. Combining multiple questions into a 617 single packet is purely an efficiency optimization, and has no other 618 semantic significance. 619 620 A useful technique for adaptively combining multiple questions into a 621 single query is to use a Nagle-style algorithm: When a client issues 622 its first question, a Query packet is immediately built and sent, 623 without delay. If the client then continues issuing a rapid series of 624 questions they are held until either the first query receives at 625 least one answer, or 100ms has passed, or there are enough questions 626 to fill the question section of a Multicast DNS query packet. At this 627 time, all the held questions are placed into a Multicast DNS query 628 packet and sent. 629 630 631 6.5 Questions Requesting Unicast Responses 632 633 Sending Multicast DNS responses via multicast has the benefit that 634 all the other hosts on the network get to see those responses, and 635 can keep their caches up to date, and detect conflicting responses. 636 637 However, there are situations where all the other hosts on the 638 network don't need to see every response. One example is a laptop 639 computer waking from sleep. At that instant it is a brand new 640 participant on a new network. Its Multicast DNS cache is empty, and 641 it has no knowledge of its surroundings. It may have a significant 642 number of queries that it wants answered right away to discover 643 information about its new surroundings and present that information 644 to the user. As a new participant on the network, it has no idea 645 whether the exact same questions may have been asked and answered 646 647 648 Expires 14th August 2004 Cheshire & Krochmal [Page 11] 649 651 Internet Draft Multicast DNS 14th February 2004 652 653 654 just seconds ago. In this case, trigging a large sudden flood of 655 multicast responses may impose an unreasonable burden on the network. 656 To avoid this, the Multicast DNS Querier SHOULD set the top bit in 657 the class field of its DNS question(s), to indicate that it is 658 willing to accept unicast responses instead of the usual multicast 659 responses. These questions requesting unicast responses are referred 660 to as "QU" questions, to distinguish them from the more usual 661 questions requesting multicast responses ("QM" questions). 662 663 When retransmitting a question more than once, the 'unicast response' 664 bit SHOULD be set only for the first question of the series. After 665 the first question has received its responses, the querier should 666 have a large known-answer list (see "Known Answer Suppression" below) 667 so that subsequent queries should elicit few, if any, further 668 responses. Reverting to multicast responses as soon as possible is 669 important because of the benefits that multicast responses provide 670 (see "Benefits of Multicast Responses" below). 671 672 When receiving a question with the 'unicast response' bit set, a 673 responder SHOULD usually respond with a unicast packet directed back 674 to the querier. If the responder has not multicast that record 675 recently (within one quarter of its TTL), then the responder SHOULD 676 instead multicast the response so as to keep all the peer caches up 677 to date, and to permit passive conflict detection. 678 679 680 6.6 Suppressing Initial Query 681 682 If a query is issued for which there already exist one or more 683 records in the local cache, and those record(s) were received with 684 the cache flush bit set, indicating that they form a unique RRSet, 685 then the host SHOULD suppress its initial "QU" query, and proceed to 686 issue a "QM" query. To avoid the situation where a group of hosts 687 are synchronized by some external event and all perform the same 688 query simultaneously, a host suppressing its initial "QU" query 689 SHOULD impose a random delay from 500-1000ms before transmitting its 690 first "QM" query for this question. This means that when the first 691 host (selected randomly by this algorithm) transmits its "QM" query, 692 all the other hosts that were about to transmit the same query can 693 suppress their superfluous query, as described in "Duplicate 694 Question Suppression" below. 695 696 697 698 699 700 701 702 703 704 705 706 707 Expires 14th August 2004 Cheshire & Krochmal [Page 12] 708 710 Internet Draft Multicast DNS 14th February 2004 711 712 713 7. Duplicate Suppression 714 715 A variety of techniques are used to reduce the amount of redundant 716 traffic on the network. 717 718 719 7.1 Known Answer Suppression 720 721 When a Multicast DNS Querier sends a query to which it already knows 722 some answers, it populates the Answer Section of the DNS message with 723 those answers. 724 725 A Multicast DNS Responder SHOULD NOT answer a Multicast DNS Query if 726 the answer it would give is already included in the Answer Section 727 with an RR TTL at least half the correct value. If the RR TTL of the 728 answer as given in the Answer Section is less than half of the true 729 RR TTL as known by the Multicast DNS Responder, the responder MUST 730 send an answer so as to update the Querier's cache before the record 731 becomes in danger of expiration. 732 733 Because a Multicast DNS Responder will respond if the remaining TTL 734 given in the known answer list is less than half the true TTL, it is 735 superfluous for the Querier to include such records in the known 736 answer list. Therefore a Multicast DNS Querier SHOULD NOT include 737 records in the known answer list whose remaining TTL is less than 738 half their original TTL. Doing so would simply consume space in the 739 packet without achieving the goal of suppressing responses, and would 740 therefore be a pointless waste of network bandwidth. 741 742 A Multicast DNS Querier MUST NOT cache resource records observed in 743 the Known Answer Section of other Multicast DNS Queries. The Answer 744 Section of Multicast DNS Queries is not authoritative. By placing 745 information in the Answer Section of a Multicast DNS Query the 746 querier is stating that it *believes* the information to be true. 747 It is not asserting that the information *is* true. Some of those 748 records may have come from other hosts that are no longer on the 749 network. Propagating that stale information to other Multicast DNS 750 Queriers on the network would not be helpful. 751 752 753 7.2 Multi-Packet Known Answer Suppression 754 755 Sometimes a Multicast DNS Querier will already have too many answers 756 to fit in the Known Answer section of its query packets. In this 757 case, it should issue a Multicast DNS Query containing a question and 758 as many Known Answer records as will fit. It should then set the TC 759 (Truncated) bit in the header before sending the Query. It should 760 then immediately follow the packet with another query containing no 761 questions, and as many more Known Answer records as will fit. If 762 there are still too many records remaining to fit in the packet, it 763 764 765 766 Expires 14th August 2004 Cheshire & Krochmal [Page 13] 767 769 Internet Draft Multicast DNS 14th February 2004 770 771 772 again sets the TC bit and continues until all the Known Answer 773 records have been sent. 774 775 A Multicast DNS Responder seeing a Multicast DNS Query with the TC 776 bit set defers its response for a time period randomly selected in 777 the interval 20-120ms. This gives the Multicast DNS Querier time to 778 send additional Known Answer packets before the Responder responds. 779 If the Responder sees any of its answers listed in the Known Answer 780 lists of subsequent packets from the querying host, it should delete 781 that answer from the list of answers it is planning to give, provided 782 that no other host on the network is also waiting to receive the same 783 answer record. 784 785 786 7.3 Duplicate Question Suppression 787 788 If a host is planning to send a query, and it sees another host on 789 the network send a query containing the same question, and the Known 790 Answer section of that query does not contain any records which this 791 host would not also put in its own Known Answer section, then this 792 host should treat its own query as having been sent. When multiple 793 clients on the network are querying for the same resource records, 794 there is no need for them to all be repeatedly asking the same 795 question. 796 797 798 7.4 Duplicate Answer Suppression 799 800 If a host is planning to send an answer, and it sees another host on 801 the network send a response packet containing the same answer record, 802 and the TTL in that record is not less than the TTL this host would 803 have given, then this host should treat its own answer as having been 804 sent. When multiple responders on the network have the same data, 805 there is no need for all of them to respond. 806 807 This feature is particularly useful when multiple Sleep Proxy Servers 808 are deployed (see Section 16. "Multicast DNS and Power Management"). 809 In the future it is possible that every general-purpose OS (Mac, 810 Windows, Linux, etc.) will implement Sleep Proxy Service as a matter 811 of course. In this case there could be a large number of Sleep Proxy 812 Servers on any given network, which is good for reliability and 813 fault-tolerance, but would be bad for the network if every Sleep 814 Proxy Server were to answer every query. 815 816 817 818 819 820 821 822 823 824 825 Expires 14th August 2004 Cheshire & Krochmal [Page 14] 826 828 Internet Draft Multicast DNS 14th February 2004 829 830 831 8. Responding 832 833 A Multicast DNS Responder MUST only respond when it has a positive 834 non-null response to send. Error responses must never be sent. The 835 non-existence of any name in a Multicast DNS Domain is ascertained by 836 the failure of any machine to respond to the Multicast DNS query, not 837 by NXDOMAIN errors. 838 839 Multicast DNS Responses MUST NOT contain any questions in the 840 Question Section. Any questions in the Question Section of a received 841 Multicast DNS Response MUST be silently ignored. Multicast DNS 842 Queriers receiving Multicast DNS Responses do not care what question 843 elicited the response; they care only that the information in the 844 response is true and accurate. 845 846 A Multicast DNS Responder on Ethernet [IEEE802] and similar shared 847 multiple access networks SHOULD delay its responses by a random 848 amount of time selected with uniform random distribution in the range 849 20-120ms. If multiple Multicast DNS Responders were all to respond 850 immediately to a particular query, a collision would be virtually 851 guaranteed. By imposing a small random delay, the number of 852 collisions is dramatically reduced. 120ms is a short enough time that 853 it is almost imperceptible to a human user, but long enough to 854 significantly reduce the risk of Ethernet collisions. On a full-sized 855 Ethernet using the maximum cable lengths allowed and the maximum 856 number of repeaters allowed, an Ethernet frame is vulnerable to 857 collisions during the transmission of its first 256 bits. On 10Mb/s 858 Ethernet, this equates to a vulnerable time window of 25.6us. 859 860 In the case where a Multicast DNS Responder has good reason to 861 believe that it will be the only responder on the link with a 862 positive non-null response, it SHOULD NOT impose the random delay 863 before responding, and SHOULD normally generate its response within 864 10ms. To do this safely, it MUST have previously verified that the 865 requested name, type and class in the DNS query are unique on this 866 link. Responding immediately without delay is appropriate for things 867 like looking up the address record for a particular host name, when 868 the host name has been previously verified unique. Responding 869 immediately without delay is *not* appropriate for things like 870 looking up PTR records used for DNS Service Discovery [DNS-SD], where 871 a large number of responses may be anticipated. 872 873 Except when a unicast reply has been explicitly requested via the 874 "unicast reply" bit, Multicast DNS Responses MUST be sent to UDP port 875 5353 (the well-known port assigned to mDNS) on the 224.0.0.251 876 multicast address (or its IPv6 equivalent FF02::FB). Operating in a 877 Zeroconf environment requires constant vigilance. Just because a name 878 has been previously verified unique does not mean it will continue to 879 be so indefinitely. By allowing all Multicast DNS Responders to 880 constantly monitor their peers' responses, conflicts arising out of 881 network topology changes can be promptly detected and resolved. 882 883 884 Expires 14th August 2004 Cheshire & Krochmal [Page 15] 885 887 Internet Draft Multicast DNS 14th February 2004 888 889 890 Sending all responses by multicast also facilitates opportunistic 891 caching by other hosts on the network. 892 893 To protect the network against excessive packet flooding due to 894 software bugs or malicious attack, a Multicast DNS Responder MUST NOT 895 multicast a given record on a given interface if it has previously 896 multicast that record on that interface within the last second. A 897 legitimate client on the network should have seen the previous 898 transmission and cached it. A client that did not receive and cache 899 the previous transmission will retry its request and receive a 900 subsequent response. Under no circumstances is there any legitimate 901 reason for a Multicast DNS Responder to multicast a given record more 902 than once per second on any given interface. 903 904 905 8.1 Legacy Unicast Responses 906 907 If the source UDP port in a received Multicast DNS Query is not port 908 5353, this indicates that the client originating the query is a 909 simple client that does not fully implement all of Multicast DNS. In 910 this case, the Multicast DNS Responder MUST send a UDP response 911 directly back to the client, via unicast, to the query packet's 912 source IP address and port. This unicast response MUST be a 913 conventional unicast response as would be generated by a conventional 914 unicast DNS server; for example, it must repeat the query ID and the 915 question given in the query packet. 916 917 The resource record TTL given in a unicast response SHOULD NOT be 918 greater than ten seconds, even if the true TTL of the Multicast DNS 919 resource record is higher. This is because Multicast DNS Responders 920 that fully participate in the protocol use the cache coherency 921 mechanisms described in Section 13 to update and invalidate stale 922 data. Were unicast responses sent to legacy clients to use the same 923 high TTLs, these legacy clients, which do not implement these cache 924 coherency mechanisms, could retain stale cached resource record data 925 long after it is no longer valid. 926 927 Having sent this unicast response, if the Responder has not sent this 928 record in any multicast response recently, it SHOULD schedule the 929 record to be sent via multicast as well, to facilitate passive 930 conflict detection. "Recently" in this context means "if the time 931 since the record was last sent via multicast is less than one quarter 932 of the record's TTL". 933 934 935 936 937 938 939 940 941 942 943 Expires 14th August 2004 Cheshire & Krochmal [Page 16] 944 946 Internet Draft Multicast DNS 14th February 2004 947 948 949 8.2 Multi-Question Queries 950 951 Multicast DNS Responders MUST correctly handle DNS query packets 952 containing more than one question, by answering any or all of the 953 questions to which they have answers. Any answers generated 954 in response to query packets containing more than one question 955 MUST be randomly delayed in the range 20-120ms, as described above. 956 957 958 8.3 Response Aggregation 959 960 Having delayed one or more multicast responses by 20-120ms as 961 described above in Section 8 "Responding", a Multicast DNS Responder 962 SHOULD, for the sake of network efficiency, aggregate as many of its 963 pending responses as possible into a single Multicast DNS response 964 packet. 965 966 967 9. Probing and Announcing on Startup 968 969 Typically a Multicast DNS Responder should have, at the very least, 970 address records for all of its active interfaces. Creating and 971 advertising an HINFO record on each interface as well can be useful 972 to network administrators. 973 974 Whenever a Multicast DNS Responder starts up, wakes up from sleep, 975 receives an indication of an Ethernet "Link Change" event, or has any 976 other reason to believe that its network connectivity may have 977 changed in some relevant way, it MUST perform the two startup steps 978 below. 979 980 981 9.1 Probing 982 983 The first startup step is that for all those resource records that a 984 Multicast DNS Responder desires to be unique on the local link, it 985 MUST send a Multicast DNS Query asking for those resource records, to 986 see if any of them are already in use. The primary example of this is 987 its address record which maps its unique host name to its unique IP 988 address. All Probe Queries SHOULD be done using the desired resource 989 record name and query type T_ANY (255), to elicit answers for all 990 types of records with that name. This allows a single question to be 991 used in place of several questions, which is more efficient on the 992 network. It also allows a host to verify exclusive ownership of a 993 name, which is desirable in most cases. It would be confusing, for 994 example, if one host owned the "A" record for "myhost.local.", but a 995 different host owned the HINFO record for that name. 996 997 The ability to place more than one question in a Multicast DNS Query 998 is useful here, because it can allow a host to use a single packet 999 for all of its resource records instead of needing a separate packet 1000 1001 1002 Expires 14th August 2004 Cheshire & Krochmal [Page 17] 1003 1005 Internet Draft Multicast DNS 14th February 2004 1006 1007 1008 for each. For example, a host can simultaneously probe for uniqueness 1009 of its "A" record and all its SRV records [DNS-SD] in the same query 1010 packet. 1011 1012 When ready to send its mDNS probe packet(s) the host should first 1013 wait for a short random delay time, uniformly distributed in the 1014 range 0-250ms. This random delay is to guard against the case where a 1015 group of devices are powered on simultaneously, or a group of devices 1016 are connected to an Ethernet hub which is then powered on, or some 1017 other external event happens that might cause a group of hosts to all 1018 send synchronized probes. 1019 1020 250ms after the first query the host should send a second, then 1021 250ms after that a third. If, by 250ms after the third probe, no 1022 conflicting Multicast DNS responses have been received, the host may 1023 move to the next step, announcing. 1024 1025 If any conflicting Multicast DNS responses are received, then the 1026 probing host MUST defer to the existing host, and must choose new 1027 names for some or all of its resource records as appropriate, to 1028 avoid conflict with pre-existing hosts on the network. In the case 1029 of a host probing using query type T_ANY as recommended above, any 1030 answer containing a record with that name, of any type, MUST be 1031 considered a conflicting response and handled accordingly. 1032 1033 If ten failures occur within any ten-second period, then the host 1034 MUST wait at least five seconds before each successive additional 1035 probe attempt. This is to help ensure that in the event of software 1036 bugs or other unanticipated problems, errant hosts do not flood the 1037 network with a continuous stream of multicast traffic. For very 1038 simple devices, a valid way to comply with this requirement is to 1039 always wait five seconds after any failed probe attempt. 1040 1041 1042 9.2 Simultaneous Probe Tie-Breaking 1043 1044 The astute reader will observe that there is a race condition 1045 inherent in the previous description. If two hosts are probing for 1046 the same name simultaneously, neither will receive any response to 1047 the probe, and the hosts could incorrectly conclude that they may 1048 both proceed to use the name. To break this symmetry, each host 1049 populates the Authority Section of its queries with records giving 1050 the rdata that it would be proposing to use, should its probing be 1051 successful. The Authority Section is being used here in a way 1052 analogous to the Update section of a DNS Update packet [RFC 2136]. 1053 1054 When a host that is probing for a record sees another host issue a 1055 query for the same record, it consults the Authority Section of that 1056 query. If it finds any resource record there which answers the query, 1057 then it compares the data of that resource record with its own 1058 tentative data. The lexicographically later data wins. This means 1059 1060 1061 Expires 14th August 2004 Cheshire & Krochmal [Page 18] 1062 1064 Internet Draft Multicast DNS 14th February 2004 1065 1066 1067 that if the host finds that its own data is lexicographically later, 1068 it simply ignores the other host's probe. If the host finds that its 1069 own data is lexicographically earlier, then it treats this exactly 1070 as if it had received a positive answer to its query, and concludes 1071 that it may not use the desired name. 1072 1073 The determination of 'lexicographically later' is performed by first 1074 comparing the record class, then the record type, then raw comparison 1075 of the binary content of the rdata without regard for meaning or 1076 structure. If the record classes differ, then the numerically greater 1077 class is considered 'lexicographically later'. Otherwise, if the 1078 record types differ, then the numerically greater type is considered 1079 'lexicographically later'. If the type and class both match then the 1080 rdata is compared. 1081 1082 In the case of resource records containing rdata that is subject to 1083 name compression, the names must be uncompressed before comparison. 1084 (The details of how a particular name is compressed is an artifact of 1085 how and where the record is written into the DNS message; it is not 1086 an intrinsic property of the resource record itself.) 1087 1088 The bytes of the raw uncompressed rdata are compared in turn, 1089 interpreting the bytes as eight-bit UNSIGNED values, until a byte 1090 is found whose value is greater than that of its counterpart (in 1091 which case the rdata whose byte has the greater value is deemed 1092 lexicographically later) or one of the resource records runs out 1093 of rdata (in which case the resource record which still has 1094 remaining data first is deemed lexicographically later). 1095 1096 The following is an example of a conflict: 1097 1098 sctibook.local. A 196.254.100.200 1099 sctibook.local. A 196.254.200.100 1100 1101 In this case 196.254.200.100 is lexicographically later, so it is 1102 deemed the winner. 1103 1104 Note that it is vital that the bytes are interpreted as UNSIGNED 1105 values, or the wrong outcome may result. In the example above, if 1106 the byte with value 200 had been incorrectly interpreted as a 1107 signed value then it would be interpreted as value -56, and the 1108 wrong address record would be deemed the winner. 1109 1110 1111 9.3 Announcing 1112 1113 The second startup step is that the Multicast DNS Responder MUST send 1114 a gratuitous Multicast DNS Response containing, in the Answer 1115 Section, all of its resource records. If there are too many resource 1116 records to fit in a single packet, multiple packets should be used. 1117 1118 1119 1120 Expires 14th August 2004 Cheshire & Krochmal [Page 19] 1121 1123 Internet Draft Multicast DNS 14th February 2004 1124 1125 1126 In the case of shared records (e.g. the PTR records used by DNS 1127 Service Discovery [DNS-SD]), the records are simply placed as-is 1128 into the answer section of the DNS Response. 1129 1130 In the case of records that have been verified to be unique in the 1131 previous step, they are placed into the answer section of the DNS 1132 Response with the most significant bit of the rrclass set to one. The 1133 most significant bit of the rrclass is the mDNS "cache flush" bit and 1134 is discussed in more detail below in Section 13.3 "Announcements to 1135 Flush Outdated Cache Entries". 1136 1137 The Multicast DNS Responder MUST send at least two gratuitous 1138 responses, one second apart. A Responder MAY send up to ten 1139 gratuitous Responses, providing that the interval between gratuitous 1140 responses doubles with every response sent. 1141 1142 A Multicast DNS Responder SHOULD NOT continue sending gratuitous 1143 Responses for longer than the TTL of the record. The purpose of 1144 announcing new records via gratuitous Responses is to ensure that 1145 peer caches are up to date. After a time interval equal to the TTL of 1146 the record has passed, it is very likely that old stale copies of 1147 that record in peer caches will have expired naturally, so subsequent 1148 announcements serve little purpose. 1149 1150 Whenever a Multicast DNS Responder receives any Multicast DNS 1151 response (gratuitous or otherwise) containing a conflicting resource 1152 record, the conflict MUST be resolved as described below in "Conflict 1153 Resolution". 1154 1155 A Multicast DNS Responder MUST NOT send announcements in the absence 1156 of information that its network connectivity may have changed in some 1157 relevant way. In particular, a Multicast DNS Responder MUST NOT send 1158 regular periodic announcements as a matter of course. 1159 1160 1161 9.4 Updating 1162 1163 At any time, if the rdata of any of a host's Multicast DNS records 1164 changes, the host MUST repeat the Announcing step described above to 1165 update neighbouring caches. For example, if any of a host's IP 1166 addresses change, it must re-announce those address records. 1167 1168 A host may update the contents of any of its records at any time, 1169 though a host SHOULD NOT update records more frequently than ten 1170 times per minute. Frequent rapid updates impose a burden on the 1171 network. If a host has information to disseminate which changes more 1172 frequently than ten times per minute, then Multicast DNS may not be 1173 the appropriate protocol to disseminate that information. 1174 1175 1176 1177 1178 1179 Expires 14th August 2004 Cheshire & Krochmal [Page 20] 1180 1182 Internet Draft Multicast DNS 14th February 2004 1183 1184 1185 10. Conflict Resolution 1186 1187 A conflict occurs when two resource records with the same name, type 1188 and class have inconsistent rdata. What may be considered 1189 inconsistent is context sensitive, except that resource records with 1190 identical rdata are never considered inconsistent, even if they 1191 originate from different hosts. A common example of a resource record 1192 type that is intended to be unique, not shared between hosts, is the 1193 address record that maps a host's name to its IP address. Should a 1194 host witness another host announce an address record with the same 1195 name but a different IP address, then that is considered 1196 inconsistent, and that address record is considered to be in 1197 conflict. 1198 1199 Whenever a Multicast DNS Responder receives any Multicast DNS 1200 response (gratuitous or otherwise) containing a conflicting resource 1201 record, the Multicast DNS Responder MUST immediately reset that 1202 record to probing state, and go through the startup steps described 1203 above in Section 9. "Probing and Announcing on Startup". The 1204 protocol used in the Probing phase will determine a winner and a 1205 loser, and the loser must cease using the name, and reconfigure. 1206 1207 It is very important that any host that observes an apparent conflict 1208 MUST take action. In the case of two hosts using the same host name, 1209 where one has been configured to require a unique host name and the 1210 other has not, the one that has not been configured to require a 1211 unique host name will not perceive any conflict, and will not take 1212 any action. By reverting to Probing state, the host that desires a 1213 unique host name will go through the necessary steps to ensure that a 1214 unique host is obtained. 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 Expires 14th August 2004 Cheshire & Krochmal [Page 21] 1239 1241 Internet Draft Multicast DNS 14th February 2004 1242 1243 1244 The recommended course of action after probing and failing is as 1245 follows: 1246 1247 o Programmatically change the resource record name in an attempt to 1248 find a new name that is unique. This could be done by adding some 1249 further identifying information (e.g. the model name of the 1250 hardware) if it is not already present in the name, appending the 1251 digit "2" to the name, or incrementing a number at the end of the 1252 name if one is already present. 1253 1254 o Probe again, and repeat until a unique name is found. 1255 1256 o Record this newly chosen name in persistent storage so that the 1257 device will use the same name the next time it is power-cycled. 1258 1259 o Display a message to the user or operator informing them of the 1260 name change. For example: 1261 1262 The name "Bob's Music" is in use by another iTunes music 1263 server on the network. Your music has been renamed to 1264 "Bob's Music (G4 Cube)". If you want to change this name, 1265 use [describe appropriate menu item or preference dialog]. 1266 1267 How the user or operator is informed depends on context. A desktop 1268 computer with a screen might put up a dialog box. A headless server 1269 in the closet may write a message to a log file, or use whatever 1270 mechanism (email, SNMP trap, etc.) it uses to inform the 1271 administrator of other error conditions. On the other hand a headless 1272 server in the closet may not inform the user at all -- if the user 1273 cares, they will notice the name has changed, and connect to the 1274 server in the usual way (e.g. via Web Browser) to configure a new 1275 name. 1276 1277 The examples in this section focus on address records (i.e. host 1278 names), but the same considerations apply to all resource records 1279 where uniqueness (or maintenance of some other defined constraint) is 1280 desired. 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 Expires 14th August 2004 Cheshire & Krochmal [Page 22] 1298 1300 Internet Draft Multicast DNS 14th February 2004 1301 1302 1303 11. Special Characteristics of Multicast DNS Domains 1304 1305 Unlike conventional DNS names, names that end in ".local.", 1306 "254.169.in-addr.arpa." or "0.8.e.f.ip6.arpa." have only local 1307 significance. Conventional DNS seeks to provide a single unified 1308 namespace, where a given DNS query yields the same answer no matter 1309 where on the planet it is performed or to which recursive DNS server 1310 the query is sent. (However, split views, firewalls, intranets and 1311 the like have somewhat interfered with this goal of DNS representing 1312 a single universal truth.) In contrast, each IP link has its own 1313 private ".local.", "254.169.in-addr.arpa." and "0.8.e.f.ip6.arpa." 1314 namespaces, and the answer to any query for a name within those 1315 domains depends on where that query is asked. 1316 1317 Multicast DNS Domains are not delegated from their parent domain via 1318 use of NS records. There are no NS records anywhere in Multicast DNS 1319 Domains. Instead, all Multicast DNS Domains are delegated to the IP 1320 addresses 224.0.0.251 and FF02::FB by virtue of the individual 1321 organizations producing DNS client software deciding how to handle 1322 those names. It would be extremely valuable for the industry if this 1323 special handling were ratified and recorded by IANA, since otherwise 1324 the special handling provided by each vendor is likely to be 1325 inconsistent. 1326 1327 The IPv4 name server for a Multicast DNS Domain is 224.0.0.251. The 1328 IPv6 name server for a Multicast DNS Domain is FF02::FB. These are 1329 multicast addresses; therefore they identify not a single host but a 1330 collection of hosts, working in cooperation to maintain some 1331 reasonable facsimile of a competently managed DNS zone. Conceptually 1332 a Multicast DNS Domain is a single DNS zone, however its server is 1333 implemented as a distributed process running on a cluster of loosely 1334 cooperating CPUs rather than as a single process running on a single 1335 CPU. 1336 1337 No delegation is performed within Multicast DNS Domains. Because the 1338 cluster of loosely coordinated CPUs is cooperating to administer a 1339 single zone, delegation is neither necessary nor desirable. Just 1340 because a particular host on the network may answer queries for a 1341 particular record type with the name "example.local." does not imply 1342 anything about whether that host will answer for the name 1343 "child.example.local.", or indeed for other record types with the 1344 name "example.local." 1345 1346 Multicast DNS Zones have no SOA record. A conventional DNS zone's 1347 SOA record contains information such as the email address of the zone 1348 administrator and the monotonically increasing serial number of the 1349 last zone modification. There is no single human administrator for 1350 any given Multicast DNS Zone, so there is no email address. Because 1351 the hosts managing any given Multicast DNS Zone are only loosely 1352 coordinated, there is no readily available monotonically increasing 1353 serial number to determine whether or not the zone contents have 1354 1355 1356 Expires 14th August 2004 Cheshire & Krochmal [Page 23] 1357 1359 Internet Draft Multicast DNS 14th February 2004 1360 1361 1362 changed. A host holding part of the shared zone could crash or be 1363 disconnected from the network at any time without informing the other 1364 hosts. There is no reliable way to provide a zone serial number that 1365 would, whenever such a crash or disconnection occurred, immediately 1366 change to indicate that the contents of the shared zone had changed. 1367 1368 Zone transfers are not possible for any Multicast DNS Zone. 1369 1370 1371 12. Multicast DNS for Service Discovery 1372 1373 This document does not describe using Multicast DNS for network 1374 browsing or service discovery. However, the mechanisms this document 1375 describes are compatible with (and support) the browsing and service 1376 discovery mechanisms proposed in "DNS-Based Service Discovery" 1377 [DNS-SD]. 1378 1379 This document places few limitations on what DNS record types may be 1380 looked up using local multicast. One particular kind of Multicast DNS 1381 query that might be useful is a query for the SRV record named 1382 "_domain._udp.local.", yielding the port number and IP address of a 1383 conventional DNS server willing to perform general recursive DNS 1384 lookups. This could solve a particular problem facing the IPv6 1385 community, which is that IPv6 is able to self-configure almost all of 1386 the information it needs to operate [RFC 2462], except for the 1387 address of the DNS server. Bringing in all of the mechanisms of DHCP 1388 just for that one little additional piece of information is not an 1389 attractive solution. Using DNS-format messages and DNS-format 1390 resource records to find the address of the DNS server has an elegant 1391 self-sufficiency about it. Any host that needs to know the address of 1392 the DNS server must already have code to generate and parse DNS 1393 packets, so using that same code and those same packets to find the 1394 DNS server in the first place is a simple self-reliant solution that 1395 avoids taking external dependencies on other protocols. 1396 1397 1398 13. Resource Record TTL Values and Cache Coherency 1399 1400 The recommended TTL value for Multicast DNS resource records is 1401 120 minutes. 1402 1403 A client with an active outstanding query will issue a query packet 1404 when one or more of the resource record(s) in its cache is (are) 80% 1405 of the way to expiry. If the TTL on those records is 120 minutes, 1406 this ongoing cache maintenance process yields a steady-state query 1407 rate of one query every 96 minutes. 1408 1409 Any distributed cache needs a cache coherency protocol. If Multicast 1410 DNS resource records follow the recommendation and have a TTL of 120 1411 minutes, that means that stale data could persist in the system for 1412 up to two hours. Making the default TTL significantly lower would 1413 1414 1415 Expires 14th August 2004 Cheshire & Krochmal [Page 24] 1416 1418 Internet Draft Multicast DNS 14th February 2004 1419 1420 1421 reduce the lifetime of stale data, but would produce too much extra 1422 traffic on the network. Various techniques are available to minimize 1423 the impact of such stale data. 1424 1425 1426 13.1 Cooperating Multicast DNS Responders 1427 1428 If a Multicast DNS Responder ("A") observes some other Multicast DNS 1429 Responder ("B") send a Multicast DNS Response packet containing a 1430 resource record with the same name type and class as one of A's 1431 resource records, but different rdata, then: 1432 1433 o If A's resource record is intended to be a shared resource record, 1434 then this is no conflict, and no action is required. 1435 1436 o If A's resource record is intended to be a unique resource record 1437 then this is a conflict and MUST be handled as described in Section 1438 10 "Conflict Resolution". 1439 1440 If a Multicast DNS Responder ("A") observes some other Multicast DNS 1441 Responder ("B") send a Multicast DNS Response packet containing a 1442 resource record with the same name type and class as one of A's 1443 resource records, and identical rdata, then: 1444 1445 o If the TTL of B's resource record given in the packet is at least 1446 half the true TTL from A's point of view, then no action is 1447 required. 1448 1449 o If the TTL of B's resource record given in the packet is less than 1450 half the true TTL from A's point of view, then A MUST mark its 1451 record to be announced via multicast. Clients receiving the record 1452 from B would use the TTL given by B, and hence may delete the 1453 record sooner than A expects. By sending its own multicast response 1454 correcting the TTL, A ensures that the record will be retained for 1455 the desired time. 1456 1457 These rules allow multiple Multicast DNS Responders to offer the same 1458 data on the network (perhaps for fault tolerance reasons) without 1459 conflicting with each other. 1460 1461 1462 13.2 Goodbye Packets 1463 1464 In the case where a host knows that certain resource record data is 1465 about to become invalid (for example when the host is undergoing a 1466 clean shutdown) the host SHOULD send a gratuitous announcement mDNS 1467 response packet, giving the same resource record name, type, class 1468 and rdata, but an RR TTL of zero. This has the effect of updating the 1469 TTL stored in neighbouring hosts' cache entries to zero, causing that 1470 cache entry to be promptly deleted. 1471 1472 1473 1474 Expires 14th August 2004 Cheshire & Krochmal [Page 25] 1475 1477 Internet Draft Multicast DNS 14th February 2004 1478 1479 1480 Clients receiving a Multicast DNS Response with a TTL of zero SHOULD 1481 NOT immediately delete the record from the cache, but instead record 1482 a TTL of 1 and then delete the record one second later. In the case 1483 of multiple Multicast DNS Responders on the network described in 1484 Section 13.1 above, if one of the Responders shuts down and 1485 incorrectly sends goodbye packets for its records, it gives the other 1486 cooperating Responders one second to send out their own response to 1487 "rescue" the records before they expire and are deleted. 1488 1489 Generally speaking, it is more important to send goodbye packets for 1490 shared records than unique records. A given shared record name (such 1491 as a PTR record used for DNS Service Discovery [DNS-SD]) by its 1492 nature often has many representatives from many different hosts, and 1493 tends to be the subject of long-lived ongoing queries. Those 1494 long-lived queries are often concerned not just about being informed 1495 when records appear, but also about being informed if those records 1496 vanish again. In contrast, a unique record set (such as an SRV 1497 record, or a host address record), by its nature, often has far fewer 1498 members than a shared record set, and is usually the subject of 1499 one-shot queries which simply retrieve the data and then cease 1500 querying once they have the answer they are seeking. Therefore, 1501 sending a goodbye packet for a unique record set is likely to offer 1502 less benefit, because it is likely at any given moment that no one 1503 has an active query running for that record set. One example where 1504 goodbye packets for SRV and address records are useful is when 1505 transferring control to a Sleep Proxy Server (see Section 16. 1506 "Multicast DNS and Power Management"). 1507 1508 1509 13.3 Announcements to Flush Outdated Cache Entries 1510 1511 Whenever a host has a resource record with potentially new data (e.g. 1512 after rebooting, waking from sleep, connecting to a new network link, 1513 changing IP address, etc.), the host MUST send a series of gratuitous 1514 announcements to update cache entries in its neighbour hosts. In 1515 these gratuitous announcements, if the record is one that is intended 1516 to be unique, the host sets the most significant bit of the rrclass 1517 field of the resource record. This bit, the "cache flush" bit, tells 1518 neighbouring hosts that this is not a shared record type. Instead of 1519 merging this new record additively into the cache in addition to any 1520 previous records with the same name, type and class, all old records 1521 with that name, type and class that were received more than one 1522 second ago are declared invalid, and marked to expire from the cache 1523 in one second. 1524 1525 The semantics of the cache flush bit are as follows: Normally when a 1526 resource record appears in the answer section of the DNS Response, it 1527 means, "This is an assertion that this information is true." When a 1528 resource record appears in the answer section of the DNS Response 1529 with the "cache flush" bit set, it means, "This is an assertion that 1530 this information is the truth and the whole truth, and anything you 1531 1532 1533 Expires 14th August 2004 Cheshire & Krochmal [Page 26] 1534 1536 Internet Draft Multicast DNS 14th February 2004 1537 1538 1539 may have heard more than a second ago regarding records of this 1540 name/type/class is no longer valid". 1541 1542 To accommodate the case where the set of records from one host 1543 constituting a single unique RRSet is too large to fit in a single 1544 packet, only cache records that are more than one second old are 1545 flushed. This allows the announcing host to generate a quick burst of 1546 packets back-to-back on the wire containing all the members 1547 of the RRSet. When receiving records with the "cache flush" bit set, 1548 all records older than one second are marked to be deleted one second 1549 in the future. One second after the end of the little packet burst, 1550 any records not represented within that packet burst will then be 1551 expired from all peer caches. 1552 1553 Any time a host sends a response packet containing some members of a 1554 unique RRSet, it SHOULD send the entire RRSet, preferably in a single 1555 packet, or if the entire RRSet will not fit in a single packet, in a 1556 quick burst of packets sent as close together as possible. The host 1557 SHOULD set the cache flush bit on all members of the unique RRSet. 1558 In the event that for some reason the host chooses not to send the 1559 entire unique RRSet in a single packet or a rapid packet burst, 1560 it MUST NOT set the cache flush bit on any of those records. 1561 1562 The reason for waiting one second before deleting stale records from 1563 the cache is to accommodate bridged networks. For example, a host's 1564 address record announcement on a wireless interface may be bridged 1565 onto a wired Ethernet, and cause that same host's Ethernet address 1566 records to be flushed from peer caches. The one-second delay gives 1567 the host the chance to see its own announcement arrive on the wired 1568 Ethernet, and immediately re-announce its Ethernet address records 1569 so that both sets remain valid and live in peer caches. 1570 1571 These rules apply regardless of *why* the response packet is being 1572 generated. They apply to startup announcements as described in 1573 Section 9.3, and to responses generated as a result of receiving 1574 query packets. 1575 1576 The "cache flush" bit is only set in Multicast DNS responses sent to 1577 UDP port 5353. The "cache flush" bit MUST NOT be set in any resource 1578 records in a response packet sent in legacy unicast responses to UDP 1579 ports other than 5353. 1580 1581 The "cache flush" bit MUST NOT be set in any resource records in the 1582 known-answer list of any query packet. 1583 1584 The "cache flush" bit MUST NOT ever be set in any shared resource 1585 record. To do so would cause all the other shared versions of this 1586 resource record with different rdata from different Responders to be 1587 immediately deleted from all the caches on the network. 1588 1589 1590 1591 1592 Expires 14th August 2004 Cheshire & Krochmal [Page 27] 1593 1595 Internet Draft Multicast DNS 14th February 2004 1596 1597 1598 Note that the "cache flush" bit is NOT part of the resource record 1599 class. The "cache flush" bit is the most significant bit of the 1600 second 16-bit word of a resource record in an mDNS packet (the field 1601 conventionally referred to as the rrclass field), and the actual 1602 resource record class is the least-significant fifteen bits of this 1603 field. There is no mDNS resource record class 0x8001. The value 1604 0x8001 in the rrclass field of a resource record in an mDNS response 1605 packet indicates a resource record with class 1, with the "cache 1606 flush" bit set. When receiving a resource record with the "cache 1607 flush" bit set, implementations should take care to mask off that bit 1608 before storing the resource record in memory. 1609 1610 1611 13.4 Cache Flush on Topology change 1612 1613 If the hardware on a given host is able to indicate physical changes 1614 of connectivity, then when the hardware indicates such a change, the 1615 host should take this information into account in its mDNS cache 1616 management strategy. For example, a host may choose to immediately 1617 flush all cache records received on a particular interface when that 1618 cable is disconnected. Alternatively, a host may choose to adjust the 1619 remaining TTL on all those records to a few seconds so that if the 1620 cable is not reconnected quickly, those records will expire from the 1621 cache. 1622 1623 Likewise, when a host reboots, or wakes from sleep, or undergoes some 1624 other similar discontinuous state change, the cache management 1625 strategy should take that information into account. 1626 1627 1628 13.5 Cache Flush on Failure Indication 1629 1630 Sometimes a cache record can be determined to be stale when a client 1631 attempts to use the rdata it contains, and finds that rdata to be 1632 incorrect. 1633 1634 For example, the rdata in an address record can be determined to be 1635 incorrect if attempts to contact that host fail, either because 1636 ARP/ND requests for that address go unanswered (for an address on a 1637 local subnet) or because a router returns an ICMP "Host Unreachable" 1638 error (for an address on a remote subnet). 1639 1640 The rdata in an SRV record can be determined to be incorrect if 1641 attempts to communicate with the indicated service at the host and 1642 port number indicated are not successful. 1643 1644 The rdata in a DNS-SD PTR record can be determined to be incorrect if 1645 attempts to look up the SRV record it references are not successful. 1646 1647 In any such case, the software implementing the mDNS resource record 1648 cache should provide a mechanism so that clients detecting stale 1649 rdata can inform the cache. 1650 1651 Expires 14th August 2004 Cheshire & Krochmal [Page 28] 1652 1654 Internet Draft Multicast DNS 14th February 2004 1655 1656 1657 When the cache receives this hint that it should reconfirm some 1658 record, it MUST issue two or more queries for the resource record in 1659 question. If no response is received in a reasonable amount of time, 1660 then, even though its TTL may indicate that it is not yet due to 1661 expire, that record SHOULD be promptly flushed from the cache. 1662 1663 The end result of this is that if a printer suffers a sudden power 1664 failure or other abrupt disconnection from the network, its name may 1665 continue to appear in DNS-SD browser lists displayed on users' 1666 screens. Eventually that entry will expire from the cache naturally, 1667 but if a user tries to access the printer before that happens, the 1668 failure to successfully contact the printer will trigger the more 1669 hasty demise of its cache entries. This is a sensible trade-off 1670 between good user-experience and good network efficiency. If we were 1671 to insist that printers should disappear from the printer list within 1672 30 seconds of becoming unavailable, for all failure modes, the only 1673 way to achieve this would be for the client to poll the printer at 1674 least every 30 seconds, or for the printer to announce its presence 1675 at least every 30 seconds, both of which would be an unreasonable 1676 burden on most networks. 1677 1678 1679 13.6 Passive Observation of Failures 1680 1681 A host observes the multicast queries issued by the other hosts on 1682 the network. One of the major benefits of also sending responses 1683 using multicast is that it allows all hosts to see the responses (or 1684 lack thereof) to those queries. 1685 1686 If a host sees queries, for which a record in its cache would be 1687 expected to be given as an answer in a multicast response, but no 1688 such answer is seen, then the host may take this as an indication 1689 that the record may no longer be valid. 1690 1691 After seeing two or more of these queries, and seeing no multicast 1692 response containing the expected answer within a reasonable amount of 1693 time, then even though its TTL may indicate that it is not yet due to 1694 expire, that record MAY be flushed from the cache. The host SHOULD 1695 NOT perform its own queries to re-confirm that the record is truly 1696 gone. If every host on a large network were to do this, it would 1697 cause a lot of unnecessary multicast traffic. If host A sends 1698 multicast queries that remain unanswered, then there is no reason to 1699 suppose that host B or any other host is likely to be any more 1700 successful. 1701 1702 The previous section, "Cache Flush on Failure Indication", describes 1703 a situation where a user trying to print discovers that the printer 1704 is no longer available. By implementing the passive observation 1705 described here, when one user fails to contact the printer, all hosts 1706 on the network observe that failure and update their caches 1707 accordingly. 1708 1709 1710 Expires 14th August 2004 Cheshire & Krochmal [Page 29] 1711 1713 Internet Draft Multicast DNS 14th February 2004 1714 1715 1716 14. Enabling and Disabling Multicast DNS 1717 1718 The option to fail-over to Multicast DNS for names not ending in 1719 ".local." SHOULD be a user-configured option, and SHOULD 1720 be disabled by default because of the possible security issues 1721 related to unintended local resolution of apparently global names. 1722 1723 The option to lookup unqualified (relative) names by appending 1724 ".local." (or not) is controlled by whether ".local." appears 1725 (or not) in the client's DNS search list. 1726 1727 No special control is needed for enabling and disabling Multicast DNS 1728 for names explicitly ending with ".local." as entered by the user. 1729 The user doesn't need a way to disable Multicast DNS for names ending 1730 with ".local.", because if the user doesn't want to use Multicast 1731 DNS, they can achieve this by simply not using those names. If a user 1732 *does* enter a name ending in ".local.", then we can safely assume 1733 the user's intention was probably that it should work. Having user 1734 configuration options that can be (intentionally or unintentionally) 1735 set so that local names don't work is just one more way of 1736 frustrating the user's ability to perform the tasks they want, 1737 perpetuating the view that, "IP networking is too complicated to 1738 configure and too hard to use." This in turn perpetuates the 1739 continued use of protocols like AppleTalk. If we want to retire 1740 AppleTalk, NetBIOS, etc., we need to offer users equivalent IP 1741 functionality that they can rely on to, "always work, like 1742 AppleTalk." A little Multicast DNS traffic may be a burden on the 1743 network, but it is an insignificant burden compared to continued 1744 widespread use of AppleTalk. 1745 1746 1747 15. Considerations for Multiple Interfaces 1748 1749 A host should defend its host name (FQDN) on all active interfaces on 1750 which it is answering Multicast DNS queries. 1751 1752 In the event of a name conflict on *any* interface, a host should 1753 configure a new host name, if it wishes to maintain uniqueness of its 1754 host name. 1755 1756 When answering a Multicast DNS query, a multi-homed host with a 1757 link-local address (or addresses) should take care to ensure that 1758 any address going out in a Multicast DNS response is valid for use 1759 on the interface on which the response is going out. 1760 1761 Just as the same link-local IP address may validly be in use 1762 simultaneously on different links by different hosts, the same 1763 link-local host name may validly be in use simultaneously on 1764 different links, and this is not an error. A multi-homed host with 1765 connections to two different links may be able to communicate with 1766 two different hosts that are validly using the same name. While this 1767 1768 1769 Expires 14th August 2004 Cheshire & Krochmal [Page 30] 1770 1772 Internet Draft Multicast DNS 14th February 2004 1773 1774 1775 kind of name duplication should be rare, it means that a host that 1776 wants to fully support this case needs network programming APIs that 1777 allow applications to specify on what interface to perform a 1778 link-local Multicast DNS query, and to discover on what interface a 1779 Multicast DNS response was received. 1780 1781 1782 16. Multicast DNS and Power Management 1783 1784 Many modern network devices have the ability to go into a low-power 1785 mode where only a small part of the Ethernet hardware remains 1786 powered, and the device can be woken up by sending a specially 1787 formatted Ethernet frame which the device's power-management hardware 1788 recognizes. 1789 1790 To make use of this in conjunction with Multicast DNS, the device 1791 first uses DNS-SD to determine if Sleep Proxy Service is available on 1792 the local network. In some networks there may be more than one piece 1793 of hardware implementing Sleep Proxy Service, for fault-tolerance 1794 reasons. 1795 1796 If the device finds the network has Sleep Proxy Service, the device 1797 transmits two or more gratuitous mDNS announcements setting the TTL 1798 of its relevant resource records to zero, to delete them from 1799 neighbouring caches. The relevant resource records include address 1800 records and SRV records, and other resource records as may apply to a 1801 particular device. The device then communicates all of its remaining 1802 active records, plus the names, types and classes of the deleted 1803 records, to the Sleep Proxy Service(s), along with a copy of the 1804 specific "magic packet" required to wake the device up. 1805 1806 When a Sleep Proxy Service sees an mDNS query for one of the 1807 device's active records (e.g. a DNS-SD PTR record), it answers on 1808 behalf of the device without waking it up. When a Sleep Proxy Service 1809 sees an mDNS query for one of the device's deleted resource 1810 records, it deduces that some client on the network needs to make an 1811 active connection to the device, and sends the specified "magic 1812 packet" to wake the device up. The device then wakes up, reactivates 1813 its deleted resource records, and re-announces them to the network. 1814 The client waiting to connect sees the announcements, learns the 1815 current IP address and port number of the desired service on the 1816 device, and proceeds to connect to it. 1817 1818 The connecting client does not need to be aware of how Sleep Proxy 1819 Service works. Only devices that implement low power mode and wish to 1820 make use of Sleep Proxy Service need to be aware of how that protocol 1821 works. 1822 1823 The reason that a device using a Sleep Proxy Service should send more 1824 than one goodbye packet is that the wakeup message is caused by the 1825 Sleep Proxy Service seeing queries for the device's SRV and/or 1826 address records, and those queries are in turn caused by the records 1827 1828 Expires 14th August 2004 Cheshire & Krochmal [Page 31] 1829 1831 Internet Draft Multicast DNS 14th February 2004 1832 1833 1834 being absent from peer caches. If the records are not deleted from 1835 peer caches, then those peers may use the cached value directly 1836 without querying, and no wakeup message would be generated. 1837 1838 The full specification of mDNS / DNS-SD Sleep Proxy Service 1839 is described in another document [not yet published]. 1840 1841 1842 17. Multicast DNS Character Set 1843 1844 Unicast DNS has been plagued by the lack of any support for non-US 1845 characters. Indeed, conventional DNS is usually limited to just 1846 letters, digits and hyphens, with no spaces or other punctuation. 1847 Attempts to remedy this have made slow progress because of the need 1848 to accommodate old buggy legacy implementations. 1849 1850 Multicast DNS is a new protocol and doesn't (yet) have old buggy 1851 legacy implementations to constrain the design choices. Accordingly, 1852 it adopts the obvious simple solution: all names in Multicast DNS are 1853 encoded using UTF-8 [RFC 2279]. For names that are restricted to 1854 letters, digits and hyphens, the UTF-8 encoding is identical to the 1855 US-ASCII encoding, so this is entirely compatible with existing host 1856 names. For characters outside the US-ASCII range, UTF-8 encoding is 1857 used. 1858 1859 Multicast DNS implementations MUST NOT use any other encodings apart 1860 from UTF-8 (US-ASCII being considered a compatible subset of UTF-8). 1861 1862 This point bears repeating: There are various baroque representations 1863 of international text being proposed for Unicast DNS. None of these 1864 representations may be used in Multicast DNS packets. Any text being 1865 represented internally in some other representation MUST be converted 1866 to canonical UTF-8 before being placed in any Multicast DNS packet. 1867 1868 The simple rules for case-insensitivity in Unicast DNS also apply in 1869 Multicast DNS; that is to say, in name comparisons, the lower-case 1870 letters "a" to "z" match their upper-case equivalents "A" to "Z". 1871 Hence, if a client issues a query for an address record with the name 1872 "stuartcheshire.local", then a responder having an address record 1873 with the name "StuartCheshire.local" should issue a response. 1874 1875 No other automatic character equivalence is defined in Multicast DNS. 1876 For example, accented characters are not defined to be automatically 1877 equivalent to their unaccented counterparts. Where automatic 1878 equivalences are desired, this may be achieved through the use of 1879 programmatically-generated CNAME records. For example, if a responder 1880 has an address record for an accented name Y, and a client issues a 1881 query for a name X, where X is the same as Y with all the accents 1882 removed, then the responder may issue a response containing two 1883 resource records: A CNAME record "X CNAME Y", asserting that the 1884 requested name X (unaccented) is an alias for the true (accented) 1885 name Y, followed by the address record for Y. 1886 1887 Expires 14th August 2004 Cheshire & Krochmal [Page 32] 1888 1890 Internet Draft Multicast DNS 14th February 2004 1891 1892 1893 18. Multicast DNS Message Size 1894 1895 RFC 1035 restricts DNS Messages carried by UDP to no more than 512 1896 bytes (not counting the IP or UDP headers). For UDP packets carried 1897 over the wide-area Internet in 1987, this was appropriate. For 1898 link-local multicast packets on today's networks, there is no reason 1899 to retain this restriction. Given that the packets are by definition 1900 link-local, there are no Path MTU issues to consider. 1901 1902 Multicast DNS Messages carried by UDP may be up to the IP MTU of the 1903 physical interface, less the space required for the IP header (20 1904 bytes for IPv4; 40 bytes for IPv6) and the UDP header (8 bytes). 1905 1906 In the case of a single mDNS Resource Record which is too large to 1907 fit in a single MTU-sized multicast response packet, a Multicast DNS 1908 Responder SHOULD send the Resource Record alone, in a single IP 1909 datagram, sent using multiple IP fragments. Resource Records this 1910 large SHOULD be avoided, except in the very rare cases where they 1911 really are the appropriate solution to the problem at hand. 1912 Implementers should be aware that many simple devices do not 1913 re-assemble fragmented IP datagrams, so large Resource Records SHOULD 1914 only be used in specialized cases where the implementer knows that 1915 all receivers implement reassembly. 1916 1917 A Multicast DNS packet larger than the interface MTU, which is sent 1918 using fragments, MUST NOT contain more than one Resource Record. 1919 1920 Even when fragmentation is used, a Multicast DNS packet, including IP 1921 and UDP headers, MUST NOT exceed 9000 bytes. 1922 1923 1924 19. Multicast DNS Message Format 1925 1926 This section describes specific restrictions on the allowable 1927 values for the header fields of a Multicast DNS message. 1928 1929 19.1. ID (Query Identifier) 1930 1931 Multicast DNS clients SHOULD listen for gratuitous responses 1932 issued by hosts booting up (or waking up from sleep or otherwise 1933 joining the network). Since these gratuitous responses may contain a 1934 useful answer to a question for which the client is currently 1935 awaiting an answer, Multicast DNS clients SHOULD examine all received 1936 Multicast DNS response messages for useful answers, without regard to 1937 the contents of the ID field or the question section. In Multicast 1938 DNS, knowing which particular query message (if any) is responsible 1939 for eliciting a particular response message is less interesting than 1940 knowing whether the response message contains useful information. 1941 1942 Multicast DNS clients MAY cache any or all Multicast DNS response 1943 messages they receive, for possible future use, providing of course 1944 that normal TTL aging is performed on these cashed resource records. 1945 1946 Expires 14th August 2004 Cheshire & Krochmal [Page 33] 1947 1949 Internet Draft Multicast DNS 14th February 2004 1950 1951 1952 In multicast query messages, the Query ID SHOULD be set to zero on 1953 transmission. 1954 1955 In multicast responses, including gratuitous multicast responses, the 1956 Query ID MUST be set to zero on transmission, and MUST be ignored on 1957 reception. 1958 1959 In unicast response messages generated specifically in response to a 1960 particular (unicast or multicast) query, the Query ID MUST match the 1961 ID from the query message. 1962 1963 1964 19.2. QR (Query/Response) Bit 1965 1966 In query messages, MUST be zero. 1967 1968 In response messages, MUST be one. 1969 1970 1971 19.3. OPCODE 1972 1973 In both multicast query and multicast response messages, MUST be zero 1974 (only standard queries are currently supported over multicast, unless 1975 other queries are allowed by future IETF Standards Action). 1976 1977 1978 19.4. AA (Authoritative Answer) Bit 1979 1980 In query messages, the Authoritative Answer bit MUST be zero on 1981 transmission, and MUST be ignored on reception. 1982 1983 In response messages for Multicast Domains, the Authoritative Answer 1984 bit MUST be set to one (not setting this bit implies there's some 1985 other place where "better" information may be found) and MUST be 1986 ignored on reception. 1987 1988 1989 19.5. TC (Truncated) Bit 1990 1991 In query messages, if the TC bit is set, it means that additional 1992 Known Answer records may be following shortly. A responder MAY choose 1993 to record this fact, and wait for those additional Known Answer 1994 records, before deciding whether to respond. If the TC bit is clear, 1995 it means that the querying host has no additional Known Answers. 1996 1997 In multicast response messages, the TC bit MUST be zero on 1998 transmission, and MUST be ignored on reception. 1999 2000 In legacy unicast response messages, the TC bit has the same meaning 2001 as in conventional unicast DNS: it means that the response was too 2002 large to fit in a single packet, so the client SHOULD re-issue its 2003 query using TCP in order to receive the larger response. 2004 2005 Expires 14th August 2004 Cheshire & Krochmal [Page 34] 2006 2008 Internet Draft Multicast DNS 14th February 2004 2009 2010 2011 19.6. RD (Recursion Desired) Bit 2012 2013 In both multicast query and multicast response messages, the 2014 Recursion Desired bit SHOULD be zero on transmission, and MUST be 2015 ignored on reception. 2016 2017 2018 19.7. RA (Recursion Available) Bit 2019 2020 In both multicast query and multicast response messages, the 2021 Recursion Available bit MUST be zero on transmission, and MUST be 2022 ignored on reception. 2023 2024 2025 19.8. Z (Zero) Bit 2026 2027 In both query and response messages, the Zero bit MUST be zero on 2028 transmission, and MUST be ignored on reception. 2029 2030 2031 19.9. AD (Authentic Data) Bit [RFC 2535] 2032 2033 In query messages the Authentic Data bit MUST be zero on 2034 transmission, and MUST be ignored on reception. 2035 2036 In response messages, the Authentic Data bit MAY be set. Resolvers 2037 receiving response messages with the AD bit set MUST NOT trust the AD 2038 bit unless they trust the source of the message and either have a 2039 secure path to it or use DNS transaction security. 2040 2041 2042 19.10. CD (Checking Disabled) Bit [RFC 2535] 2043 2044 In query messages, a resolver willing to do cryptography SHOULD set 2045 the Checking Disabled bit to permit it to impose its own policies. 2046 2047 In response messages, the Checking Disabled bit MUST be zero on 2048 transmission, and MUST be ignored on reception. 2049 2050 2051 19.11. RCODE (Response Code) 2052 2053 In both multicast query and multicast response messages, the Response 2054 Code MUST be zero on transmission. Multicast DNS messages received 2055 with non-zero Response Codes MUST be silently ignored. 2056 2057 2058 2059 2060 2061 2062 2063 2064 Expires 14th August 2004 Cheshire & Krochmal [Page 35] 2065 2067 Internet Draft Multicast DNS 14th February 2004 2068 2069 2070 20. Choice of UDP Port Number 2071 2072 Arguments were made for and against using Multicast on UDP port 53. 2073 The final decision was to use UDP port 5353. Some of the arguments 2074 for and against are given below. 2075 2076 2077 20.1 Arguments for using UDP port 53: 2078 2079 * This is "just DNS", so it should be the same port. 2080 2081 * There is less work to be done updating old clients to do simple 2082 mDNS queries. Only the destination address need be changed. 2083 In some cases, this can be achieved without any code changes, 2084 just by adding the address 224.0.0.251 to a configuration file. 2085 2086 2087 20.2 Arguments for using a different port (UDP port 5353): 2088 2089 * This is not "just DNS". This is a DNS-like protocol, but different. 2090 2091 * Changing client code to use a different port number is not hard. 2092 2093 * Using the same port number makes it hard to run an mDNS Responder 2094 and a conventional unicast DNS server on the same machine. If a 2095 conventional unicast DNS server wishes to implement mDNS as well, 2096 it can still do that, by opening two sockets. Having two different 2097 port numbers is important to allow this flexibility. 2098 2099 * Some VPN software hijacks all outgoing traffic to port 53 and 2100 redirects it to a special DNS server set up to serve those VPN 2101 clients while they are connected to the corporate network. It is 2102 questionable whether this is the right thing to do, but it is 2103 common, and redirecting link-local multicast DNS packets to a 2104 remote server rarely produces any useful results. It does mean, for 2105 example, that the user becomes unable to access their local network 2106 printer sitting on their desk right next to their computer. Using 2107 a different UDP port eliminates this particular problem. 2108 2109 * On many operating systems, unprivileged clients may not send or 2110 receive packets on low-numbered ports. This means that any client 2111 sending or receiving mDNS packets on port 53 would have to run as 2112 "root", which is an undesirable security risk. Using a higher- 2113 numbered UDP port eliminates this particular problem. 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 Expires 14th August 2004 Cheshire & Krochmal [Page 36] 2124 2126 Internet Draft Multicast DNS 14th February 2004 2127 2128 2129 21. Summary of Differences Between Multicast DNS and Unicast DNS 2130 2131 The value of Multicast DNS is that it shares, as much as possible, 2132 the familiar APIs, naming syntax, resource record types, etc., of 2133 Unicast DNS. There are of course necessary differences by virtue of 2134 it using Multicast, and by virtue of it operating in a community of 2135 cooperating peers, rather than a precisely defined authoritarian 2136 hierarchy controlled by a strict chain of formal delegations from the 2137 top. These differences are listed below: 2138 2139 Multicast DNS... 2140 * uses multicast 2141 * uses UDP port 5353 instead of port 53 2142 * operates in well-defined parts of the DNS namespace 2143 * uses UTF-8, and only UTF-8, to encode resource record names 2144 * defines a clear limit on the maximum legal domain name (255 bytes) 2145 * allows larger UDP packets 2146 * allows more than one question in a query packet 2147 * uses the Answer Section of a query to list Known Answers 2148 * uses the TC bit in a query to indicate additional Known Answers 2149 * uses the Authority Section of a query for probe tie-breaking 2150 * ignores the Query ID field (except for generating legacy responses) 2151 * doesn't require the question to be repeated in the response packet 2152 * uses gratuitous responses to announce new records to the peer group 2153 * defines a "unicast response" bit in the rrclass of query questions 2154 * defines a "cache flush" bit in the rrclass of responses 2155 * uses DNS TTL 0 to indicate that a record has been deleted 2156 * uses IP TTL 255 to verify that answers originated on the local link 2157 * monitors queries to perform Duplicate Question Suppression 2158 * monitors responses to perform Duplicate Answer Suppression... 2159 * ... and Ongoing Conflict Detection 2160 * ... and Opportunistic Caching 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 Expires 14th August 2004 Cheshire & Krochmal [Page 37] 2183 2185 Internet Draft Multicast DNS 14th February 2004 2186 2187 2188 22. Benefits of Multicast Responses 2189 2190 Some people have argued that sending responses via multicast is 2191 inefficient on the network. In fact the benefits of using multicast 2192 responses result in a net lowering of overall multicast traffic, for 2193 a variety of reasons. 2194 2195 * One multicast response can update the cache on all machines on the 2196 network. If another machine later wants to issue the same query, it 2197 already has the answer in its cache, so it may not need to even 2198 transmit that multicast query on the network at all. 2199 2200 * When more than one machine has the same ongoing long-lived query 2201 running, every machine does not have to transmit its own 2202 independent query. When one machine transmits a query, all the 2203 other hosts see the answers, so they can suppress their own 2204 queries. 2205 2206 * When a host sees a multicast query, but does not see the 2207 corresponding multicast response, it can use this information to 2208 promptly delete stale data from its cache. To achieve the same 2209 level of user-interface quality and responsiveness without 2210 multicast responses would require lower cache lifetimes and more 2211 frequent network polling, resulting in a significantly higher 2212 packet rate. 2213 2214 * Multicast responses allow passive conflict detection. Without this 2215 ability, some other conflict detection mechanism would be needed, 2216 imposing its own additional burden on the network. 2217 2218 * When using delayed responses to reduce network collisions, clients 2219 need to maintain a list recording to whom each answer should be 2220 sent. The option of multicast responses allows clients with limited 2221 storage, which cannot store an arbitrarily long list of response 2222 addresses, to choose to fail-over to a single multicast response in 2223 place of multiple unicast respones, when appropriate. 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 Expires 14th August 2004 Cheshire & Krochmal [Page 38] 2242 2244 Internet Draft Multicast DNS 14th February 2004 2245 2246 2247 23. IPv6 Considerations 2248 2249 An IPv4-only host and an IPv6-only host behave as "ships that pass in 2250 the night". Even if they are on the same Ethernet, neither is aware 2251 of the other's traffic. For this reason, each physical link may have 2252 *two* unrelated ".local." zones, one for IPv4 and one for IPv6. 2253 Since for practical purposes, a group of IPv4-only hosts and a group 2254 of IPv6-only hosts on the same Ethernet act as if they were on two 2255 entirely separate Ethernet segments, it is unsurprising that their 2256 use of the ".local." zone should occur exactly as it would if 2257 they really were on two entirely separate Ethernet segments. 2258 2259 A dual-stack (v4/v6) host can participate in both ".local." 2260 zones, and should register its name(s) and perform its lookups both 2261 using IPv4 and IPv6. This enables it to reach, and be reached by, 2262 both IPv4-only and IPv6-only hosts. In effect this acts like a 2263 multi-homed host, with one connection to the logical "IPv4 Ethernet 2264 segment", and a connection to the logical "IPv6 Ethernet segment". 2265 2266 23.1 IPv6 Multicast Addresses by Hashing 2267 2268 Some discovery protocols use a range of multicast addresses, and 2269 determine the address to be used by a hash function of the name being 2270 sought. Queries are sent via multicast to the address as indicated by 2271 the hash function, and responses are returned to the querier via 2272 unicast. Particularly in IPv6, where multicast addresses are 2273 extremely plentiful, this approach is frequently advocated. 2274 2275 There are some problems with this: 2276 2277 * When a host has a large number of records with different names, the 2278 host may have to join a large number of multicast groups. This can 2279 place undue burden on the Ethernet hardware, which typically 2280 supports a limited number of multicast addresses efficiently. When 2281 this number is exceeded, the Ethernet hardware may have to resort 2282 to receiving all multicasts and passing them up to the host 2283 software for filtering, thereby defeating the point of using a 2284 multicast address range in the first place. 2285 2286 * Multiple questions cannot be placed in one packet if they don't all 2287 hash to the same multicast address. 2288 2289 * Duplicate Question Suppression doesn't work if queriers are not 2290 seeing each other's queries. 2291 2292 * Duplicate Answer Suppression doesn't work if responders are not 2293 seeing each other's responses. 2294 2295 * Opportunistic Caching doesn't work. 2296 2297 * Ongoing Conflict Detection doesn't work. 2298 2299 2300 Expires 14th August 2004 Cheshire & Krochmal [Page 39] 2301 2303 Internet Draft Multicast DNS 14th February 2004 2304 2305 2306 24. Security Considerations 2307 2308 The algorithm for detecting and resolving name conflicts is, by its 2309 very nature, an algorithm that assumes cooperating participants. Its 2310 purpose is to allow a group of hosts to arrive at a mutually disjoint 2311 set of host names and other DNS resource record names, in the absence 2312 of any central authority to coordinate this or mediate disputes. In 2313 the absence of any higher authority to resolve disputes, the only 2314 alternative is that the participants must work together cooperatively 2315 to arrive at a resolution. 2316 2317 In an environment where the participants are mutually antagonistic 2318 and unwilling to cooperate, other mechanisms are appropriate, like 2319 manually administered DNS. 2320 2321 In an environment where there is a group of cooperating participants, 2322 but there may be other antagonistic participants on the same physical 2323 link, the cooperating participants need to use IPSEC signatures 2324 and/or DNSSEC [RFC 2535] signatures so that they can distinguish mDNS 2325 messages from trusted participants (which they process as usual) from 2326 mDNS messages from untrusted participants (which they silently 2327 discard). 2328 2329 When DNS queries for *global* DNS names are sent to the mDNS 2330 multicast address (during network outages which disrupt communication 2331 with the greater Internet) it is *especially* important to use 2332 DNSSEC, because the user may have the impression that he or she is 2333 communicating with some authentic host, when in fact he or she is 2334 really communicating with some local host that is merely masquerading 2335 as that name. This is less critical for names ending with ".local.", 2336 because the user should be aware that those names have only local 2337 significance and no global authority is implied. 2338 2339 Most computer users neglect to type the trailing dot at the end of a 2340 fully qualified domain name, making it a relative domain name (e.g. 2341 "www.example.com"). In the event of network outage, attempts to 2342 positively resolve the name as entered will fail, resulting in 2343 application of the search list, including ".local.", if present. 2344 A malicious host could masquerade as "www.example.com" by answering 2345 the resulting Multicast DNS query for "www.example.com.local." 2346 To avoid this, a host MUST NOT append the search suffix 2347 ".local.", if present, to any relative (partially qualified) 2348 domain name containing two or more labels. Appending ".local." to 2349 single-label relative domain names is acceptable, since the user 2350 should have no expectation that a single-label domain name will 2351 resolve as-is. 2352 2353 2354 2355 2356 2357 2358 2359 Expires 14th August 2004 Cheshire & Krochmal [Page 40] 2360 2362 Internet Draft Multicast DNS 14th February 2004 2363 2364 2365 25. IANA Considerations 2366 2367 The IANA has allocated the IPv4 link-local multicast address 2368 224.0.0.251 for the use described in this document. 2369 2370 The IANA has allocated the IPv6 multicast address set FF0X::FB 2371 for the use described in this document. 2372 2373 When this document is published, IANA should designate a list 2374 of domains which are deemed to have only link-local significance, 2375 as described in this document. 2376 2377 No other IANA services are required by this document. 2378 2379 2380 26. Acknowledgements 2381 2382 The concepts described in this document have been explored and 2383 developed with help from Erik Guttman, Paul Vixie, Bill Woodcock, 2384 and others. 2385 2386 2387 27. Copyright 2388 2389 Copyright (C) The Internet Society January 2004. 2390 All Rights Reserved. 2391 2392 This document and translations of it may be copied and furnished to 2393 others, and derivative works that comment on or otherwise explain it 2394 or assist in its implementation may be prepared, copied, published 2395 and distributed, in whole or in part, without restriction of any 2396 kind, provided that the above copyright notice and this paragraph are 2397 included on all such copies and derivative works. However, this 2398 document itself may not be modified in any way, such as by removing 2399 the copyright notice or references to the Internet Society or other 2400 Internet organizations, except as needed for the purpose of 2401 developing Internet standards in which case the procedures for 2402 copyrights defined in the Internet Standards process must be 2403 followed, or as required to translate it into languages other than 2404 English. 2405 2406 The limited permissions granted above are perpetual and will not be 2407 revoked by the Internet Society or its successors or assigns. 2408 2409 This document and the information contained herein is provided on an 2410 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 2411 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 2412 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 2413 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 2414 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2415 2416 2417 2418 Expires 14th August 2004 Cheshire & Krochmal [Page 41] 2419 2421 Internet Draft Multicast DNS 14th February 2004 2422 2423 2424 28. Normative References 2425 2426 [RFC 1034] Mockapetris, P., "Domain Names - Concepts and 2427 Facilities", STD 13, RFC 1034, November 1987. 2428 2429 [RFC 1035] Mockapetris, P., "Domain Names - Implementation and 2430 Specifications", STD 13, RFC 1035, November 1987. 2431 2432 [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate 2433 Requirement Levels", RFC 2119, March 1997. 2434 2435 [RFC 2279] Yergeau, F., "UTF-8, a transformation format of ISO 2436 10646", RFC 2279, January 1998. 2437 2438 2439 29. Informative References 2440 2441 [dotlocal] <http://www.dotlocal.org/> 2442 2443 [djbdl] <http://cr.yp.to/djbdns/dot-local.html> 2444 2445 [DNS-SD] Cheshire, S., and M. Krochmal, "DNS-Based Service 2446 Discovery", Internet-Draft (work in progress), 2447 draft-cheshire-dnsext-dns-sd-02.txt, February 2004. 2448 2449 [IEEE802] IEEE Standards for Local and Metropolitan Area Networks: 2450 Overview and Architecture. 2451 Institute of Electrical and Electronic Engineers, 2452 IEEE Standard 802, 1990. 2453 2454 [NBP] Cheshire, S., and M. Krochmal, 2455 "Requirements for a Protocol to Replace AppleTalk NBP", 2456 Internet-Draft (work in progress), 2457 draft-cheshire-dnsext-nbp-03.txt, February 2004. 2458 2459 [RFC 2136] Vixie, P., et al., "Dynamic Updates in the Domain Name 2460 System (DNS UPDATE)", RFC 2136, April 1997. 2461 2462 [RFC 2462] S. Thomson and T. Narten, "IPv6 Stateless Address 2463 Autoconfiguration", RFC 2462, December 1998. 2464 2465 [RFC 2535] Eastlake, D., "Domain Name System Security Extensions", 2466 RFC 2535, March 1999. 2467 2468 [v4LL] Cheshire, S., B. Aboba, and E. Guttman, "Dynamic 2469 Configuration of IPv4 Link-Local Addresses", 2470 Internet-Draft (work in progress), 2471 draft-ietf-zeroconf-ipv4-linklocal-11.txt, January 2004. 2472 2473 [ZC] Williams, A., "Requirements for Automatic Configuration 2474 of IP Hosts", Internet-Draft (work in progress), 2475 draft-ietf-zeroconf-reqts-12.txt, September 2002. 2476 2477 Expires 14th August 2004 Cheshire & Krochmal [Page 42] 2478 2480 Internet Draft Multicast DNS 14th February 2004 2481 2482 2483 30. Author's Addresses 2484 2485 Stuart Cheshire 2486 Apple Computer, Inc. 2487 1 Infinite Loop 2488 Cupertino 2489 California 95014 2490 USA 2491 2492 Phone: +1 408 974 3207 2493 EMail: rfc (a] stuartcheshire.org 2494 2495 2496 Marc Krochmal 2497 Apple Computer, Inc. 2498 1 Infinite Loop 2499 Cupertino 2500 California 95014 2501 USA 2502 2503 Phone: +1 408 974 4368 2504 EMail: marc (a] apple.com 2505 2506 2507 2508 2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528 2529 2530 2531 2532 2533 2534 2535 2536 Expires 14th August 2004 Cheshire & Krochmal [Page 43]
