[dnssd] Comments on draft-ietf-dnssd-hybrid-00

Tom Pusateri <pusateri@bangj.com> Thu, 13 November 2014 22:11 UTC

From: Tom Pusateri <pusateri@bangj.com>
Message-Id: <FAA17412-EFE7-4DCB-8FE0-2C81FE6A9566@bangj.com>
Date: Thu, 13 Nov 2014 12:10:55 -1000
To: dnssd@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/CmkyqW4NJwPujzVokiFX9dF8z-w
Subject: [dnssd] Comments on draft-ietf-dnssd-hybrid-00
List-Id: "Discussion of extensions to Bonjour (mDNS and DNS-SD) for routed networks." <dnssd.ietf.org>

Thanks for the new draft. The updates did a good job of clarifying some areas.

There were two issues I brought up on the list regarding the previous Hybrid Proxy draft that weren't addressed in this update.

1. The Hybrid Proxy needs to respond with an SOA record for LLQ Discovery. A mention of this, plus recommendations for SOA response values, would be very helpful.

Here are the values I'm using:

Serial: number of seconds since the epoch (Since this value can change more than 99 times per day, current conventions for the serial number don't work.)
Expire: 24 hours
Refresh: this is probably meaningless in the context of the proxy but I'll use 2 hours
Retry: this is also probably meaningless but I'll use 30 minutes
Min TTL: the default negative TTL [RFC 2308] could be used in the context of the proxy but this isn't clear because the NSEC records are impossible to proxy for since we don't know all of the records. I'll use 30 minutes.

2. In section 3.4, it describes the translation of certain record types that may be required by the hybrid proxy.

A unicast query is received by the proxy for _domain._udp.Building 1.example.com. and a query is sent for _domain._udp.local. to the appropriate interface and this response is received:

q: 1, tc: 0, qd: 0, an: 1, ns: 0, ar: 3, rcode: No Error
hypd:   rname: _domain._udp.local., rrtype: SRV, rrclass: 1, rrset: 0, ttl: 120, data: foo.local.
hypd:   rname: foo.local., rrtype: AAAA, rrclass: 1, rrset: 1, ttl: 120, data: fe80::2a37:37ff:fe40:4462
hypd:   rname: foo.local., rrtype: A, rrclass: 1, rrset: 1, ttl: 120, data:
hypd:   rname: foo.local., rrtype: NSEC, rrclass: 1, rrset: 1, ttl: 120, data: foo.local. A AAAA

This response contains a link-local IPv6 address which should be filtered before the unicast response is generated.

Specific mention of rewriting the NSEC bitmap of records present to remove the AAAA bit could be added to section 3.4 as another example of necessary data translation.

RFC 6762, Section 6.1 states that the Next Domain Name in the RDATA section is the record's name and that name compression is allowed. RFC 3845, which defines NSEC, says name compression is not allowed and that the Next Domain Name is the next name in lexicographical order.

But since there is no way for the proxy to know all of the records in the subdomain since they are discovered dynamically, the NSEC record should probably just be filtered altogether and never translated.

Filtering of NSEC records is not mentioned in this draft.
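The two points above (synthesizing an SOA with the proposed values, and translating an mDNS answer set for unicast by filtering link-local addresses and dropping NSEC) put together as an added example. This is illustrative Python written for this page, not code from the message or from any hybrid proxy implementation; the record representation, the `.local.` to `Building 1.example.com.` mapping, the SOA MNAME/RNAME names, and the sample record set (modelled on the response quoted above, with a constructed global AAAA and a constructed documentation-range A address added so the filter has something to keep) are all assumptions. It generalizes slightly beyond the message by filtering IPv4 link-local (169.254/16) addresses the same way.

```python
"""Added example: hybrid-proxy style record translation and SOA synthesis.

Not from the mailing-list message or any hybrid proxy implementation.
Names, zone mapping and sample records are constructed for this example.
"""
import ipaddress
import time
from dataclasses import dataclass

MDNS_DOMAIN = "local."
UNICAST_DOMAIN = "Building 1.example.com."   # assumed unicast zone for this proxy


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type mnemonic, TTL, presentation-format RDATA."""
    name: str
    rrtype: str
    ttl: int
    data: str


def soa_rdata(mname, rname, now=None):
    """SOA RDATA (MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM) using the
    values proposed in the message: serial = seconds since the epoch (a zone that
    changes more than 99 times a day cannot use the YYYYMMDDnn convention),
    refresh 2h, retry 30m, expire 24h, minimum (negative) TTL 30m."""
    now = int(time.time()) if now is None else int(now)
    serial = now & 0xFFFFFFFF            # SERIAL is a 32-bit unsigned field
    return (mname, rname, serial, 2 * 3600, 30 * 60, 24 * 3600, 30 * 60)


def rewrite_name(name, mdns_domain=MDNS_DOMAIN, unicast_domain=UNICAST_DOMAIN):
    """Map names under the mDNS domain into the unicast domain; leave others alone.
    Comparison is case-insensitive, as DNS name matching is."""
    lower = name.lower()
    if lower == mdns_domain.lower():
        return unicast_domain
    if lower.endswith("." + mdns_domain.lower()):
        return name[: -len(mdns_domain)] + unicast_domain
    return name


def is_link_local(addr_text):
    """True for fe80::/10 (and 169.254/16) addresses, which must not be proxied
    off-link because they are meaningless to the unicast querier."""
    try:
        return ipaddress.ip_address(addr_text).is_link_local
    except ValueError:
        return False


def translate(records, mdns_domain=MDNS_DOMAIN, unicast_domain=UNICAST_DOMAIN):
    """Translate an mDNS answer set for a unicast response:
    - drop NSEC entirely (the proxy cannot know the full name set, and the mDNS
      Next Domain Name convention differs from the DNSSEC one);
    - drop A/AAAA records carrying link-local addresses;
    - rewrite owner names and name-valued RDATA into the unicast domain."""
    out = []
    for rr in records:
        if rr.rrtype == "NSEC":
            continue
        if rr.rrtype in ("A", "AAAA") and is_link_local(rr.data):
            continue
        data = rr.data
        if rr.rrtype in ("PTR", "CNAME", "NS"):
            data = rewrite_name(data, mdns_domain, unicast_domain)
        elif rr.rrtype == "SRV":
            # SRV RDATA is "priority weight port target"; only the target is a name
            fields = data.split()
            fields[-1] = rewrite_name(fields[-1], mdns_domain, unicast_domain)
            data = " ".join(fields)
        out.append(RR(rewrite_name(rr.name, mdns_domain, unicast_domain),
                      rr.rrtype, rr.ttl, data))
    return out


# Constructed sample, modelled on the mDNS response quoted in the message.
# The global AAAA and the A address are invented for this example.
SAMPLE_MDNS_RESPONSE = [
    RR("_domain._udp.local.", "SRV", 120, "0 0 53 foo.local."),
    RR("foo.local.", "AAAA", 120, "fe80::2a37:37ff:fe40:4462"),   # link-local: filtered
    RR("foo.local.", "AAAA", 120, "2001:db8::1"),                  # constructed, kept
    RR("foo.local.", "A", 120, "192.0.2.10"),                      # constructed, kept
    RR("foo.local.", "NSEC", 120, "foo.local. A AAAA"),            # filtered
]

if __name__ == "__main__":
    for rr in translate(SAMPLE_MDNS_RESPONSE):
        print(rr)
    print(soa_rdata("proxy.example.com.", "hostmaster.example.com."))
```

Running the block prints the three surviving records renamed into the unicast zone and the synthesized SOA. Because the whole NSEC record is dropped rather than having its bitmap rewritten, there is no need to track which address types survived the filter; if a deployment did want to keep NSEC, the bitmap would have to be recomputed from the records actually returned, which is the translation the message argues the proxy cannot do correctly.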