Discovery Proxy for Multicast DNS-Based Service Discovery
Summary: Has a DISCUSS. Has enough positions to pass once DISCUSS positions are resolved.
Adam Roach Discuss
First, I'd like to say thanks for your work on this document. I find this work exciting, and hope to see it widely deployed in the short term. I do have one major concern that I believe rises to the level of a DISCUSS, although I believe it should be trivial to fix. The reason I believe it to be a barrier to publication is that it makes a broad architectural statement that has implications for all application protocols; which, beyond being outside the remit of the working group per its charter, I seriously doubt received the level of cross-area review appropriate for its scope. The statement of concern is in section 5.5.5: As is the case with NAT ALGs, protocol designers are advised to avoid communicating names and addresses in nonstandard locations, because those "hidden" names and addresses are at risk of not being translated when necessary, resulting in operational failures. I would expect this statement, if evaluated by the IETF community at large, to be extremely controversial: it implies application-layer protocol designs that provide neither confidentiality nor integrity protection for protocol parameters. Architecturally, it's important to distinguish between NAT ALGs, which are not a party to the security context of the protocols they carry, and DNS discovery proxies, which are. This makes the guidance in here appropriate in the context of DNS-SD records, while being problematic in the broader NAT ALG case cited. I would find no problem with a narrowly-scoped statement that pertains to DNS usage in particular, although I wonder whether designers of DNS TXT record usage in the future are likely to become aware of such guidance.
Minor nit: section five's "four DNS subdomains" seems to be predicated on network designs that always assign segments with netmasks evenly divisible by either 8 bits (IPv4) or 4 bits (IPv6). I don't think this is frequently the case any more (e.g., my home network is split into /17 segments, and I have to assume most enterprise deployments are more complex than my house). I believe the reverse delegation records should be described as "one or more per segment." Substantial comment: the text in section 5.4 seems to assume that all addresses on a segment will *either* correspond to mDNS-discovered addresses, *or* to addresses provisioned in a traditional DNS server. If this is the assumption (and a limitation baked into the design), I think it should be documented. If there's some clever work-around that allows both kinds of addresses to be on a single segment, it would be great to describe that in here instead. Question: Section 5.6, bullet one (starting "Not using LLQ or Push Notification; no answer in cache") calls for the proxy to return a unicast result as soon as the first valid mDNS response is received. Unless I've misunderstood something, this means that (for example) a query for "_ipp._tcp" on an empty cache will simply return only the single fastest-to-respond printer to the querying client. Was the tradeoff of "faster response but for only one device" explicitly discussed by the WG? Minor suggestion: Section 5.6, bullet three (starting "Using LLQ or Push Notification; at least one answer in cache") -- this bullet is the only one that is not explicit about whether an mDNS query should be performed by the proxy. I think the intention that it is *not* (due to the RRSet TTL harmonization discussed above), but it would probably help implementors out if you explicitly repeated that no mDNS queries are performed. Major issue: Section 10 needs to be removed. See https://tools.ietf.org/html/rfc8179#section-10
Terry Manderson Yes
Alia Atlas No Objection
Deborah Brungard No Objection
Ben Campbell No Objection
Substantive comments: I support Warren's almost-discuss about non-LDH characters. Editorial Comments: - Abstract: It would be helpful to say this document defines a proxy in the abstract. -3: The draft contains multiple instances of lower-case "should". If that is intentional, please consider using the boilerplate from 8174.
Alissa Cooper No Objection
Spencer Dawkins No Objection
Thanks for doing this work (and of course resolving Discusses :-) ...
Suresh Krishnan No Objection
Warren Kumari (was Discuss) No Objection
This was a DISCUSS, but I have changed to NoObj because I couldn't justify to myself which criteria covered it. I've changed to NoObj, but please address it... Original DISCUSS point: ---- This is (IMO) easily addressed -- I like the document, this DISCUSS is simply to improve it and help prevent foot-shooting. I'd be a YES or NoObj once addressed. There are a number of places where the non-LDH names may be configured on a "normal" DNS server. An example of this is in Section 5.2.1. Domain Enumeration via Unicast Queries: "db._dns-sd._udp.example.com. PTR Building 1.example.com." Putting this in a zonefile and trying to hand it to e.g BIND makes things sad: dns_rdata_fromtext: example.com:18: near '1.example.com.': extra input text zone example.com/IN: loading from master file example.com failed: extra input text zone example.com/IN: not loaded due to errors. Another example is in Section 5.3. Delegated Subdomain for LDH Host Names "For example, a Discovery Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it." I think that the document needs to do a better job of explaining that you cannot just include non-LDH in a zonefile without escaping -- Section 5.1. (Format) of RFC1035 may be a good pointer. It may even be a good idea to repeat this (or at least mention the case) whenever there is an example - readers are likely to just cut and paste without reading the full document, leading to unexpected failures (and then gnashing of teeth on forums) ------ Please also see Joel's OpsDir review - it is relevant. Questions: Section 3 - Conventions and Terminology Used in this Document "A set of hosts is considered to be "on the same link" if: ..." I'd suggest "For the purposes of this document a set of hosts..." -- it feels a bit dangerous to be defining what being on a link is more globally, and this probably misses some corner cases and / or conflicts with some other definition. Section 5.1. Delegated Subdomain for Service Discovery Records "In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com")" - can you please provide a pointer here to (I think!) Section 5.5.4. No Text Encoding Translation? Section 5.2.1. Domain Enumeration via Unicast Queries "The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from and the "db" ("default browse") record tells the client device which domain in that list should be selected by default." What if b.[...] contains "foo" and "bar", and db.[...] contains "baz" (i.e the default browse is not in b)? Should "baz" be automagically added to b, or should it be ignored? The decision is likely implemented on the client, but I think worth noting here - I could see a lazy admin relying on the former and then later getting bitten if this changes. Section 5.4. Delegated Subdomain for Reverse Mapping "For example, in the "/usr/include/dns_sd.h" APIs (available on macOS, iOS, Bonjour for Windows, Linux and Android), ..." Is the API really at /usr/include/dns_sd.h" on Windows? (No idea, and I'm not inclined to go find a Windows box to test, but it sounded wrong so I flagged it!) Section 5.5.2. Suppressing Unusable Records I don't really understand the "MUST NOT" when a Proxy can determine if there are multiple address realms - I get why this is desirable, but if it is important enough to require a MUST NOT, then surely it should be a requirement that all proxies are able to do this (AFAICT, though manual config)? Also, if this is MUST NOT for v4, why is it only SHOULD NOT for v6 ULAs? (please educate me). Section 5.5.3. NSEC and NSEC3 queries "Since a Discovery Proxy only knows what names exist on the local link by issuing queries for them, ..." (specifically the "only") This may be a nit, but couldn't a DP also know that a name exists because a device advertised it? Nits: Section 5.2.2. Domain Enumeration via Multicast Queries "Since a Discovery Proxy exists on many, if not all, the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients." I think that this should be "many, if not all, *of* the links ..." -- but I'm not sure.
Alexey Melnikov No Objection
This is a well written document. I have a few clarifying questions which I think will improve the document. In 5.3: To accomodate this difference in allowable characters, a Discovery Proxy SHOULD support having two separate subdomains delegated to it for each link it serves, one whose name is allowed to contain arbitrary Net-Unicode text [RFC5198], and a second more constrained subdomain whose name is restricted to contain only letters, digits, and hyphens, to be used for host name records (names of 'A' and Am I correct that Punicode encoded A-Labels are still valid here? It would be good to say so. 'AAAA' address records). 5.5.4. No Text Encoding Translation A Discovery Proxy does no translation between text encodings. Specifically, a Discovery Proxy does no translation between Punycode Punycode needs an Informative reference. and UTF-8,
Kathleen Moriarty No Objection
I might be missing it, but I don't see a response to the concern raised by the SecDir reviewer and I am interested to see how the points can be addressed in this draft: https://mailarchive.ietf.org/arch/msg/secdir/LUereu5JMsOJrfbIT0TFMBdmRlw Thank you.
Eric Rescorla No Objection
Discovery, a compromise is needed that combines the ease-of-use of Multicast DNS with the efficiency and scalability of Unicast DNS. A diagram would help here. one or more others that should be included in the list of automatic browsing domains for legacy clients. It might be clearer to point out that these are defined in 6763. types do and do not exist just the specific name queried, and no others. Nit: I think you mean "for just the" queries, and allow some time for responses to arrive. DNS TTLs in responses are capped to at most ten seconds. Is this text normative? generate authoritative signed data from the local Multicast DNS responses it receives. Off-line signing not applicable to Discovery Proxy. "is not applicable"? 10. Intelectual Property Rights Apple has submitted an IPR disclosure concerning the technique Nit: "intellectual" A mechanism to 'stitch' together multiple ".local." zones so that they appear as one. Such a stitching mechanism will be specified in a future companion document. This stitching mechanism addresses the Not a sentence.