Discovery Proxy for Multicast DNS-Based Service Discovery
draft-ietf-dnssd-hybrid-10

This was a DISCUSS, but I have changed to NoObj because I couldn't justify to myself which criteria covered it. I've changed to NoObj, but please address it...

Original DISCUSS point:
----
This is (IMO) easily addressed -- I like the document, this DISCUSS is simply to improve it and help prevent foot-shooting. I'd be a YES or NoObj once addressed.

There are a number of places where the non-LDH names may be configured on a "normal" DNS server. An example of this is in Section 5.2.1.  Domain Enumeration via Unicast Queries:
"db._dns-sd._udp.example.com.   PTR   Building 1.example.com."

Putting this in a zonefile and trying to hand it to e.g BIND makes things sad:
dns_rdata_fromtext: example.com:18: near '1.example.com.': extra input text
zone example.com/IN: loading from master file example.com failed: extra input text
zone example.com/IN: not loaded due to errors.

Another example is in Section 5.3.  Delegated Subdomain for LDH Host Names
"For example, a Discovery Proxy could have the two subdomains "Building 1.example.com" and "bldg1.example.com" delegated to it."

I think that the document needs to do a better job of explaining that you cannot just include non-LDH in a zonefile without escaping -- Section 5.1. (Format) of RFC1035 may be a good pointer.  It may even be a good idea to repeat this (or at least mention the case) whenever there is an example  - readers are likely to just cut and paste without reading the full document, leading to unexpected failures (and then gnashing of teeth on forums)
------


Please also see Joel's OpsDir review - it is relevant.

Questions:
Section 3 - Conventions and Terminology Used in this Document
 "A set of hosts is considered to be "on the same link" if: ..."
  I'd suggest "For the purposes of this document a set of hosts..." -- it feels a bit dangerous to be defining what being on a link is more globally, and this probably misses some corner cases and / or conflicts with some other definition.

Section 5.1.  Delegated Subdomain for Service Discovery Records
"In the parent domain, NS records are used to delegate ownership of each defined link name (e.g., "Building 1.example.com")" - can you please provide a pointer here to (I think!) Section 5.5.4.  No Text Encoding Translation? 

Section 5.2.1.  Domain Enumeration via Unicast Queries
"The "b" ("browse") records tell the client device the list of browsing domains to display for the user to select from and the "db" ("default browse") record tells the client device which domain in that list should be selected by default."
What if b.[...] contains "foo" and "bar", and db.[...] contains "baz" (i.e the default browse is not in b)? Should "baz" be automagically added to b, or should it be ignored? The decision is likely implemented on the client, but I think worth noting here - I could see a lazy admin relying on the former and then later getting bitten if this changes.

Section 5.4.  Delegated Subdomain for Reverse Mapping
"For example, in the "/usr/include/dns_sd.h" APIs (available on macOS, iOS, Bonjour for Windows, Linux and Android), ..."
Is the API really at /usr/include/dns_sd.h" on Windows? (No idea, and I'm not inclined to go find a Windows box to test, but it sounded wrong so I flagged it!)


Section 5.5.2.  Suppressing Unusable Records
I don't really understand the "MUST NOT" when a Proxy can determine if there are multiple address realms - I get why this is desirable, but if it is important enough to require a MUST NOT, then surely it should be a requirement that all proxies are able to do this (AFAICT, though manual config)? Also, if this is MUST NOT for v4, why is it only SHOULD NOT for v6 ULAs? (please educate me).

Section 5.5.3.  NSEC and NSEC3 queries
"Since a Discovery Proxy only knows what names exist on the local link by issuing queries for them, ..." (specifically the "only")
This may be a nit, but couldn't a DP also know that a name exists because a device advertised it? 

Nits:
Section 5.2.2.  Domain Enumeration via Multicast Queries
"Since a Discovery Proxy exists on many, if not all, the links in an enterprise, it offers an additional way to provide Domain Enumeration data for clients."
I think that this should be "many, if not all, *of* the links ..." -- but I'm not sure.

Thanks for addressing my DISCUSS and comments.

This is a well written document. I have a few clarifying questions which I think will improve the document.

In 5.3:

   To accomodate this difference in allowable characters, a Discovery
   Proxy SHOULD support having two separate subdomains delegated to it
   for each link it serves, one whose name is allowed to contain
   arbitrary Net-Unicode text [RFC5198], and a second more constrained
   subdomain whose name is restricted to contain only letters, digits,
   and hyphens, to be used for host name records (names of 'A' and

Am I correct that Punicode encoded A-Labels are still valid here? It would be good to say so.

   'AAAA' address records).

5.5.4.  No Text Encoding Translation

   A Discovery Proxy does no translation between text encodings.
   Specifically, a Discovery Proxy does no translation between Punycode

Punycode needs an Informative reference.

   and UTF-8,

Substantive comments:

I support Warren's almost-discuss about non-LDH characters.

Editorial Comments:

- Abstract: It would be helpful to say this document defines a proxy in the abstract.

-3: The draft contains multiple instances of lower-case "should". If that is intentional, please consider using the boilerplate from 8174.

   Discovery, a compromise is needed that combines the ease-of-use of
   Multicast DNS with the efficiency and scalability of Unicast DNS.
A diagram would help here.



   one or more others that should be included in the list of automatic
   browsing domains for legacy clients.
It might be clearer to point out that these are defined in 6763.



   types do and do not exist just the specific name queried, and no
   others.
Nit: I think you mean "for just the"



      queries, and allow some time for responses to arrive.
      DNS TTLs in responses are capped to at most ten seconds.
Is this text normative?



   generate authoritative signed data from the local Multicast DNS
   responses it receives.  Off-line signing not applicable to Discovery
   Proxy.
"is not applicable"?



10.  Intelectual Property Rights

   Apple has submitted an IPR disclosure concerning the technique
Nit: "intellectual"



   A mechanism to 'stitch' together multiple ".local." zones so that
   they appear as one.  Such a stitching mechanism will be specified in
   a future companion document.  This stitching mechanism addresses the
Not a sentence.

I might be missing it, but I don't see a response to the concern raised by the SecDir reviewer and I am interested to see how the points can be addressed in this draft:
https://mailarchive.ietf.org/arch/msg/secdir/LUereu5JMsOJrfbIT0TFMBdmRlw

Thank you.

Thanks for doing this work (and of course resolving Discusses :-) ...