[dnssd] Review of draft-ietf-dnssd-hybrid-00
Tom Pusateri <pusateri@bangj.com> Fri, 10 April 2015 21:14 UTC
Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D23B91A8A0E for <dnssd@ietfa.amsl.com>; Fri, 10 Apr 2015 14:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.038
X-Spam-Level:
X-Spam-Status: No, score=-3.038 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-pMg0jwr-v6 for <dnssd@ietfa.amsl.com>; Fri, 10 Apr 2015 14:14:25 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8E0C1A8A0B for <dnssd@ietf.org>; Fri, 10 Apr 2015 14:14:25 -0700 (PDT)
Received: from [192.168.200.14] (67.20.128.85.dyn-e120.pool.hargray.net [67.20.128.85]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 5522B186E8 for <dnssd@ietf.org>; Fri, 10 Apr 2015 17:14:05 -0400 (EDT)
From: Tom Pusateri <pusateri@bangj.com>
X-Pgp-Agent: GPGMail 2.5b6
Content-Type: multipart/signed; boundary="Apple-Mail=_EE3CED0E-212F-44B0-9107-AC16B8A7FC6E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Date: Fri, 10 Apr 2015 17:14:25 -0400
Message-Id: <D3BDB6F2-C288-4C35-98F0-B545043F9659@bangj.com>
To: dnssd@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/a1eAnObKtaOjg7ju6-aOEZyRWfg>
Subject: [dnssd] Review of draft-ietf-dnssd-hybrid-00
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 21:14:29 -0000
I thought before a new version was released, I would go ahead and do another detailed review of the hybrid proxy draft. Abstract 2nd paragraph ====================== "Performing DNS-Based Service Discovery using purely Unicast DNS is more efficient” I’m sure it is more efficient in some ways and not as efficient in other ways. Also, it obviously depends on the underlying link layer and the transport protocol and security layers. I don’t think a general statement of unicast being more efficient than multicast is possible. Introduction 3rd paragraph ========================== Similarly, "since even on a single link multicast traffic is expensive”. Again, it is expensive in some ways and more efficient in other ways. Section 2 3rd paragraph ======================= There is a pointer to [802.5] with no matching reference. Add http://xml2rfc.ietf.org/public/rfc/bibxml2/reference.IEEE.802-5.1995.xml Section 3 1st paragraph ======================= After describing in the previous section what is meant by “on the same link”, Section 3 says unicast DNS domain names are assigned to "each physical link”. The word physical should be removed. Another way to say this may to use “each IP subnet” which could be included in section 2 as well. Section 3 2nd paragraph ======================= "This Hybrid Proxy function could be performed by a router on that link, or, with appropriate VLAN configuration, a single Hybrid Proxy could have a logical presence on, and serve as the Hybrid Proxy for, many links” This wording is a little awkward and makes it seem as though multiple VLANs are required for a Hybrid Proxy to serve many links. Section 3.2 =========== The acronym LDH (Letter, Digit, Hyphen) is not defined or referenced anywhere. A reference to Section 2.2 of RFC 5890 should be included. Section 3.3 2nd paragraph ========================= The example IP addresses should use documentation IPv4 address ranges as specified in RFC 5737. Section 3.3 4th paragraph ========================= "(In the Apple "/usr/include/dns_sd.h" APIs, using ForceMulticast indicates that the DNSServiceQueryRecord() call should perform the query using Multicast DNS.)” The significance of this reference is not apparent. Section 3.4.1 2nd paragraph =========================== needs updating for DNS Push Notifications Section 3.4.2 ============= Since hybrid proxies can never know all of the possible records in the subdomain, it is not possible to build NSEC next record relations. Therefore, all NSEC records learned over mDNS (typically in the Additional Section) should be filtered in unicast DNS responses sent by the hybrid proxy. Section 3.4.3 4th paragraph =========================== "violations optional” should be "violations are optional" Section 3.5 2nd paragraph ========================= needs updating for DNS Push Notifications Section 3.5.1 ============= If the hybrid proxy implements LLQ or DNS Push, it should advertise its own SRV records for LLQ and/or DNS Push through mDNS on the shared IP subnet. Section 3.5 5th paragraph, 2nd bullet ===================================== "No LLQ option; at least one answer in cache: Send response right away to minimize delay. (Reasoning: Given RRSet TTL harmonisation, if the proxy has one Multicast DNS answer in its cache, it can reasonably assume that it has all of them.)” Because of Probing (section 8.1) and Announcing (section 8.3) in RFC 6762, isn’t it possible that a hybrid proxy could have one answer in its cache but not all answers? Section 4.2 2nd paragraph ========================= needs updating for DNS Push Notifications Section 4.3 =========== Since stitching together multiple .local domains isn’t specified, it seems premature to say it’s not implemented, both in the same paragraph. Section 5 1st paragraph ======================= "For this reason, each physical link may have *two* unrelated ".local." zones, one for IPv4 and one for IPv6.” The word “physical” is used again here but I would prefer to see IP subnet or just link without the “physical” since you defined what link meant. Section 5 2nd paragraph ======================= Although this section doesn’t specifically say so, it seems to be saying do not use the same subdomain name for IPv4 and IPv6 on the same link. Since we want to encourage IPv6 proliferation and yet it will be difficult to withdraw IPv4, I would rather say it is assumed that if you assign the same subdomain name to both IPv4 and IPv6 subnets on the same link, you are assuming that the clients on the link can handle this scenario. If you have IPv4-only hosts or IPv6-only hosts, then assign different names to prevent learning about services that you won’t be able to reach. This leaves the choice up to the administrator. Section 6.1 =========== "If greater security is desired, then the Hybrid Proxy mechanism should not be used, and something with stronger security should be used instead, such as authenticated secure DNS Update” It would seem that there are other ways to provide greater security with the hybrid proxy including DNSSEC record signatures of the service records, as an example, and so the hybrid proxy could still be used if greater security is desired. Section 6.2 =========== "The privacy of this information may be protected using techniques like firewalls and split-view DNS, as are customarily used today to protect the privacy of corporate DNS information.” The hybrid proxy could also only provide sensitive records to authenticated users. But this is a general DNS problem and not a problem specific to the hybrid proxy. A reference to the work in DPRIVE that outlines DNS privacy issues might be appropriate: draft-ietf-dprive-problem-statement-04 Section 6.3 =========== "Multicast traffic is expensive” I would like this to either say "Multicast traffic can be expensive” or “Multicast DNS is expensive”. Multicast traffic is not always expensive. Also, since multicast can mean link-layer multicast, link-local IP multicast, or routed IP multicast, the document should be more specific here and with other uses of multicast. "For Wi-Fi links the Multicast DNS subsystem SHOULD NOT issue more than 20 Multicast DNS query packets per second.” On a campus with lots of unicast queries, this number seems arbitrary. Is there some justification or maybe a rule of thumb here? Missing ======= The hybrid proxy should respond to SOA requests for the subdomain in order for LLQ and DNS Push discovery to work correctly. However, if there are multiple hybrid proxies providing answers for the same IP subnet, only one of them can be the SOA and so a method is needed for coordination between the proxies. As mentioned above in 3.5.1, multiple hybrid proxies can discover each other if they implement LLQ or DNS Push and so the one with the lowest IP address could be the SOA or some similar tie-breaking mechanism without having to configure a priority that has to be exchanged. Other ===== If no DNS server is present (like in a home network), but there are multiple IP subnets connected to the home gateway, and only mDNS queries are made on each subnet, is this scenario covered by the hybrid proxy? Or is this just a form of mDNS translation that is not currently documented by any IETF standard?
- [dnssd] Review of draft-ietf-dnssd-hybrid-00 Tom Pusateri
- Re: [dnssd] Review of draft-ietf-dnssd-hybrid-00 Albrecht, Harald
- Re: [dnssd] Review of draft-ietf-dnssd-hybrid-00 Tom Pusateri