diff options
| author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
|---|---|---|
| committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
| commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
| tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc8764.txt | |
| parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) | |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc8764.txt')
| -rw-r--r-- | doc/rfc/rfc8764.txt | 1075 |
1 files changed, 1075 insertions, 0 deletions
diff --git a/doc/rfc/rfc8764.txt b/doc/rfc/rfc8764.txt new file mode 100644 index 0000000..c6ca430 --- /dev/null +++ b/doc/rfc/rfc8764.txt @@ -0,0 +1,1075 @@ + + + + +Independent Submission S. Cheshire +Request for Comments: 8764 M. Krochmal +Category: Informational Apple Inc. +ISSN: 2070-1721 June 2020 + + + Apple's DNS Long-Lived Queries Protocol + +Abstract + + Apple's DNS Long-Lived Queries (LLQ) is a mechanism for extending the + DNS protocol to support change notification, thus allowing clients to + learn about changes to DNS data without polling the server. From + 2005 onwards, LLQ was implemented in Apple products including Mac OS + X, Bonjour for Windows, and AirPort wireless base stations. In 2020, + the LLQ protocol was superseded by the IETF Standards Track RFC 8765, + "DNS Push Notifications", which builds on experience gained with the + LLQ protocol to create a superior replacement. + + The existing LLQ protocol deployed and used from 2005 to 2020 is + documented here to give background regarding the operational + experience that informed the development of DNS Push Notifications, + and to help facilitate a smooth transition from LLQ to DNS Push + Notifications. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This is a contribution to the RFC Series, independently of any other + RFC stream. The RFC Editor has chosen to publish this document at + its discretion and makes no statement about its value for + implementation or deployment. Documents approved for publication by + the RFC Editor are not candidates for any level of Internet Standard; + see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8764. + +Copyright Notice + + Copyright (c) 2020 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + +Table of Contents + + 1. Introduction + 1.1. Transition to DNS Push Notifications + 2. Conventions and Terminology Used in This Document + 3. Mechanisms + 3.1. Assigned Numbers + 3.2. Opt-RR Format + 4. LLQ Address and Port Identification + 5. LLQ Setup + 5.1. Setup Message Retransmission + 5.2. LLQ Setup Four-Way Handshake + 5.2.1. Setup Request + 5.2.2. Setup Challenge + 5.2.3. Challenge Response + 5.2.4. ACK + Answers + 5.3. Resource Record TTLs + 6. Event Responses + 6.1. Add Events + 6.2. Remove Events + 6.3. Gratuitous Response Acknowledgments + 7. LLQ Lease-Life Expiration + 7.1. Refresh Request + 7.2. LLQ Refresh Acknowledgment + 8. Security Considerations + 8.1. Server DoS + 8.2. Client Packet Storms + 8.3. Spoofing + 9. IANA Considerations + 10. References + 10.1. Normative References + 10.2. Informative References + Appendix A. Problems with the LLQ Protocol + Acknowledgments + Authors' Addresses + +1. Introduction + + In dynamic environments, DNS-based Service Discovery [RFC6763] + benefits significantly from clients being able to learn about changes + to DNS information via a mechanism that is both more timely and more + efficient than simple polling. Such a mechanism enables "live + browses" that (a) learn when a new instance of a service appears, (b) + learn when an existing service instance disappears from the network, + and (c) allows clients to monitor status changes to a service + instance (e.g., printer ink levels). Multicast DNS [RFC6762] + supports this natively. When a device on the network publishes or + deletes Multicast DNS records, these changes are multicast to other + hosts on the network. Those hosts deliver the change notifications + to interested clients (applications running on that host). Hosts + also send occasional queries to the network, in case gratuitous + announcements are not received due to packet loss, and to detect + records lost due to their publishers crashing or having become + disconnected from the network. + + This document defines an Apple extension to unicast DNS that enables + a client to issue long-lived queries that allow a unicast DNS server + to notify clients about changes to DNS data. This is a more scalable + and practical solution than can be achieved by polling of the name + server, because a low polling rate could leave the client with stale + information, while a high polling rate would have an adverse impact + on the network and server. + + The mechanism defined in this document is now being replaced by DNS + Push Notifications [RFC8765] as explained in Section 1.1. + + +1.1. Transition to DNS Push Notifications + + The LLQ protocol enjoyed over a decade of useful operation, enabling + timely live updates for the service discovery user interface in + Apple's Back to My Mac [RFC6281] service. + + However, some problems were discovered, as described in Appendix A. + This operational experience with LLQ informed the design of its IETF + Standards Track successor, DNS Push Notifications [RFC8765]. Since + no further work is being done on the LLQ protocol, this LLQ + specification will not be updated to remedy these problems. + + All existing LLQ implementations are RECOMMENDED to migrate to using + DNS Push Notifications instead. + + Existing LLQ servers are RECOMMENDED to implement and support DNS + Push Notifications so that clients can begin migrating to the newer + protocol. + + Existing LLQ clients are RECOMMENDED to query for the + "_dns-push-tls._tcp.<zone>" SRV record first, and then only if DNS + Push Notifications fail, fall back to query for + "_dns-llq._udp.<zone>" instead. Use of the "_dns-llq._udp.<zone>" + SRV record is described in Section 4. + + This will cause clients to prefer the newer protocol when possible. + It is RECOMMENDED that clients always attempt DNS Push Notifications + first for every new request, and only if that fails, then fall back + to using LLQ. Clients SHOULD NOT record that a given server only + speaks LLQ and subsequently default to LLQ for that server, since + server software gets updated and even a server that speaks only LLQ + today may be updated to support DNS Push Notifications tomorrow. + + New client and server implementations are RECOMMENDED to support only + DNS Push Notifications. + +2. Conventions and Terminology Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +3. Mechanisms + + DNS Long-Lived Queries (LLQ) are implemented using the standard DNS + message format [RFC1035] in conjunction with an EDNS(0) OPT pseudo-RR + [RFC6891] with a new OPTION-CODE and OPTION-DATA format specified + here. Encoding the LLQ request in an OPT pseudo-RR allows for + implementation of LLQ with minimal modification to a name server's + front end. If a DNS query containing an LLQ option is sent to a + server that does not implement LLQ, a server that complies with the + EDNS(0) specification [RFC6891] will silently ignore the unrecognized + option and answer the request as a normal DNS query without + establishing any long-lived state and without returning an LLQ option + in its response. If a DNS query containing an LLQ option is sent to + a server that does not implement EDNS(0) at all, the server may + silently ignore the EDNS(0) OPT pseudo-RR or it may return a nonzero + RCODE. However, in practice, this issue is mostly theoretical, since + having a zone's _dns-llq._udp.<zone> SRV record target a host that + does not implement LLQ is a configuration error. + + Note that this protocol is designed for data set sizes of a few dozen + resource records at most and change rates no more than once every 10 + seconds on average. Data sets that frequently exceed a single IP + packet, or that experience a rapid change rate, may have undesirable + performance implications. + +3.1. Assigned Numbers + + This section describes constants used in this document. + + EDNS(0) OPTION-CODE (recorded with IANA): + + LLQ 1 + + LLQ-PORT 5352 (recorded with IANA) + + LLQ Opcodes (specific to this LLQ EDNS(0) Option): + + LLQ-SETUP 1 + LLQ-REFRESH 2 + LLQ-EVENT 3 + + LLQ Error Codes (specific to this LLQ EDNS(0) Option): + + NO-ERROR 0 + SERV-FULL 1 + STATIC 2 + FORMAT-ERR 3 + NO-SUCH-LLQ 4 + BAD-VERS 5 + UNKNOWN-ERR 6 + +3.2. Opt-RR Format + + As required by the EDNS(0) specification [RFC6891], all OPT + pseudo-RRs used in LLQs are formatted as follows: + + +------------+--------------+-------------------------+ + | Field Name | Field Type | Description | + +============+==============+=========================+ + | NAME | domain name | MUST be 0 (root domain) | + +------------+--------------+-------------------------+ + | TYPE | u_int16_t | OPT (41) | + +------------+--------------+-------------------------+ + | CLASS | u_int16_t | 0* | + +------------+--------------+-------------------------+ + | TTL | u_int32_t | 0 | + +------------+--------------+-------------------------+ + | RDLEN | u_int16_t | length of all RDATA | + +------------+--------------+-------------------------+ + | RDATA | octet stream | (see below) | + +------------+--------------+-------------------------+ + + Table 1: OPT-RRs Used in LLQs + + * The CLASS field indicates, as per the EDNS(0) specification + [RFC6891], the sender's UDP payload size. However, clients and + servers are not required to determine their reassembly buffer size, + path MTU, etc., to support LLQ. Thus, the sender of an LLQ Request + or Response MAY set the CLASS field to 0. The recipient MUST ignore + the class field if it is set to 0. + + The RDATA of an EDNS(0) OPT pseudo-RR consists of zero or more + options of the form { OPTION-CODE, OPTION-LENGTH, OPTION-DATA } + packed together, with the RDLEN field set accordingly to indicate the + total size. An LLQ OPTION is illustrated below. An EDNS(0) OPT + pseudo-RR may contain zero or more LLQ OPTIONS in addition to zero or + more other EDNS(0) options. + + +---------------+------------+-------------------------------------+ + | Field Name | Field Type | Description | + +===============+============+=====================================+ + | OPTION-CODE | u_int16_t | LLQ (1) | + +---------------+------------+-------------------------------------+ + | OPTION-LENGTH | u_int16_t | Length of following fields (18) | + +---------------+------------+-------------------------------------+ + | LLQ-VERSION | u_int16_t | Version of LLQ protocol implemented | + +---------------+------------+-------------------------------------+ + | LLQ-OPCODE | u_int16_t | Identifies LLQ operation | + +---------------+------------+-------------------------------------+ + | LLQ-ERROR | u_int16_t | Identifies LLQ errors | + +---------------+------------+-------------------------------------+ + | LLQ-ID | u_int64_t | Identifier for an LLQ | + +---------------+------------+-------------------------------------+ + | LLQ-LEASE | u_int32_t | Requested or granted life of LLQ, | + | | | in seconds | + +---------------+------------+-------------------------------------+ + + Table 2: LLQ OPTION + + The size and meaning of the OPTION-CODE and OPTION-LENGTH fields are + as described in the EDNS(0) specification [RFC6891]. The remainder + of the fields comprise the OPTION-DATA of the EDNS(0) LLQ OPTION. + Since for LLQ the OPTION-DATA is a fixed size, in EDNS(0) LLQ OPTIONS + the OPTION-LENGTH field always has the value 18. + + In keeping with Internet convention, all multi-byte numeric + quantities (u_int16_t, u_int32_t, and u_int64_t) are represented in + big endian byte order (most significant byte first). + +4. LLQ Address and Port Identification + + The client requires a mechanism to determine to which server it + should send LLQ operations. + + Additionally, some firewalls block direct communication with a name + server on port 53 to avoid spoof responses. However, this direct + communication is necessary for LLQs. Thus, servers MAY listen for + LLQs on a different port (typically 5352). Clients, therefore, also + need a mechanism to determine to which port to send LLQ operations. + + The client determines the server responsible for a given LLQ much as + a client determines to which server to send a DNS dynamic update. + The client begins by sending a standard DNS query for the name of the + LLQ, with type SOA. If the record exists, then the server MUST + answer with that SOA record in the Answer section. If a record of + type SOA with the LLQ name does not exist, then the server SHOULD + include an SOA record for that name's zone in the Authority section. + For example, a query for "_ftp._tcp.example.com" with type SOA, when + there is no SOA record with that name, might return an SOA record + named "example.com" in the Authority section. If the named SOA + record does not exist and the server fails to include the enclosing + SOA record in the Authority section, the client strips the leading + label from the name and tries again, repeating until an answer is + received. + + This iterative zone apex discovery algorithm is described in more + detail in the DNS Push Notifications specification [RFC8765]. + + Upon learning the zone apex (SOA), the client then constructs and + sends an SRV query for the name, "_dns-llq._udp.<zone>", + e.g., "_dns-llq._udp.example.com". + + An authoritative server for a zone implementing LLQ MUST answer with + an SRV record [RFC2782] for this name. The SRV RDATA is as follows: + + +----------+------------------------------------------------------+ + | PRIORITY | typically 0 | + +----------+------------------------------------------------------+ + | WEIGHT | typically 0 | + +----------+------------------------------------------------------+ + | PORT | typically 53 or 5352 | + +----------+------------------------------------------------------+ + | TARGET | name of server providing LLQs for the requested zone | + +----------+------------------------------------------------------+ + + Table 3: SRV RDATA + + The server SHOULD include the address record(s) for the target host + in the Additional section of the response. + + If the server does not include the target host's address record(s) in + the Additional section, the client SHOULD query explicitly for the + address record(s) with the name of the SRV target. + + The client MUST send all LLQ requests, refreshes, and acknowledgments + to the name server specified in the SRV target, at the address + contained in the address record for that target. Note that the + queries described in this section (including those for SOA and SRV + records) MAY be sent to an intermediate DNS recursive resolver -- + they need not be sent directly to the name server. + + If, on issuing the SRV query, the client receives a negative response + indicating that the SRV record does not exist, the client SHOULD + conclude that the zone does not support LLQ. The client then SHOULD + NOT send an LLQ request for the desired name, instead utilizing the + behavior for LLQ-unaware servers described in Section 5, "LLQ Setup". + + Servers should send all messages to the source address and port of + the LLQ setup message received from the client. + +5. LLQ Setup + + An LLQ is initiated by a client and is completed via a four-way + handshake. This handshake provides resilience to packet loss, + demonstrates client reachability, and reduces denial-of-service + attack opportunities (see Section 8, "Security Considerations"). + +5.1. Setup Message Retransmission + + LLQ Setup Requests and Responses sent by the client SHOULD be + retransmitted if no acknowledgments are received. The client SHOULD + retry up to two more times (for a total of 3 attempts) before + considering the server down or unreachable. The client MUST wait at + least 2 seconds before the first retransmission and 4 seconds between + the first and second retransmissions. The client SHOULD listen for a + response for at least 8 seconds after the 3rd attempt before + considering the server down or unreachable. Upon determining a + server to be down, a client MAY periodically attempt to re-initiate + an LLQ setup at a rate of not more than once per hour. + + Servers MUST NOT retransmit acknowledgments that do not generate + responses from the client. Retransmission in setup is client driven, + freeing servers from maintaining timers for incomplete LLQ setups. + If servers receive duplicate messages from clients (perhaps due to + the loss of the server's responses mid-flight), the server MUST + resend its reply (possibly modifying the LLQ-LEASE as described in + Section 5.2.4, "ACK + Answers"). + + Servers MUST NOT garbage collect LLQs that fail to complete the four- + way handshake until the initially granted LLQ-LEASE has elapsed. + +5.2. LLQ Setup Four-Way Handshake + + The four phases of the handshake include: + + 1) Setup Request client to server, identifies LLQ(s) + requested + + 2) Setup Challenge server to client, provides unique + identifiers for successful requested LLQs, + and error(s) for unsuccessful requested + LLQs. + + 3) Challenge Response client to server, echoes identifier(s), + demonstrating client's reachability and + willingness to participate + + 4) ACK + Answers server to client, confirms setup and + provides initial answers + +5.2.1. Setup Request + + A request for an LLQ is formatted like a standard DNS query but with + an OPT pseudo-RR containing LLQ metadata in its Additional section. + LLQ Setup Requests are identified by the LLQ-SETUP opcode and a + zero-valued LLQ-ID. + + The request MAY contain multiple questions to set up multiple LLQs. + A Setup Request consisting of multiple questions MUST contain + multiple LLQ OPTIONS, one per question, with the LLQ OPTIONS in the + same order as the questions they correspond to (i.e., the first LLQ + OPTION corresponds to the first question, the second LLQ OPTION + corresponds to the second question, etc.). If requesting multiple + LLQs, clients SHOULD request the same LLQ-LEASE for each LLQ. + Requests over UDP MUST NOT contain multiple questions if doing so + would cause the message to exceed a single IP packet. + + A client MUST NOT request multiple identical LLQs (i.e., containing + the same qname/type/class) from the same source IP address and port. + This requirement is to avoid unnecessary load on servers. In the + case of multiple independent client implementations that may run on + the same device without knowledge of each other, it is allowable if + they by chance send LLQ requests for the same qname/type/class. + These independent implementations on the same client will be using + different source ports. Likewise, to the server, multiple + independent clients behind the same NAT gateway will appear as if + they were multiple independent clients using different ports on the + same host, and this is also allowable. + + The query MUST NOT be for record type ANY (255), class ANY (255), or + class NONE (0). + + +---------------+------------+---------------------------------+ + | Field Name | Field Type | Description | + +===============+============+=================================+ + | OPTION-CODE | u_int16_t | LLQ (1) | + +---------------+------------+---------------------------------+ + | OPTION-LENGTH | u_int16_t | Length of following fields (18) | + +---------------+------------+---------------------------------+ + | LLQ-VERSION | u_int16_t | Version of LLQ protocol | + | | | implemented by requester (1) | + +---------------+------------+---------------------------------+ + | LLQ-OPCODE | u_int16_t | LLQ-SETUP (1) | + +---------------+------------+---------------------------------+ + | LLQ-ERROR | u_int16_t | NO-ERROR (0) | + +---------------+------------+---------------------------------+ + | LLQ-ID | u_int64_t | 0 | + +---------------+------------+---------------------------------+ + | LLQ-LEASE | u_int32_t | Desired life of LLQ request | + +---------------+------------+---------------------------------+ + + Table 4: Setup Request LLQ OPTION Format + + The Setup Request LLQ OPTION MUST be repeated once for each + additional query in the Question section. + +5.2.2. Setup Challenge + + Upon receiving an LLQ Setup Request, a server implementing LLQs will + send a Setup Challenge to the requester (client). An LLQ Setup + Challenge is a DNS response, with the DNS message ID matching that of + the Setup Request, and with all questions contained in the Setup + Request present in the Question section of the response. + Additionally, the challenge contains a single OPT pseudo-RR with an + LLQ OPTION for each LLQ request, indicating the success or failure of + each request. The LLQ OPTIONS MUST be in the same order as the + questions they correspond to. Note that in a Setup Request + containing multiple questions, some LLQs may succeed while others may + fail. + + +---------------+------------+---------------------------------+ + | Field Name | Field Type | Description | + +===============+============+=================================+ + | OPTION-CODE | u_int16_t | LLQ (1) | + +---------------+------------+---------------------------------+ + | OPTION-LENGTH | u_int16_t | Length of following fields (18) | + +---------------+------------+---------------------------------+ + | LLQ-VERSION | u_int16_t | Version of LLQ protocol | + | | | implemented in server (1) | + +---------------+------------+---------------------------------+ + | LLQ-OPCODE | u_int16_t | LLQ-SETUP (1) | + +---------------+------------+---------------------------------+ + | LLQ-ERROR | u_int16_t | [As Appropriate] | + +---------------+------------+---------------------------------+ + | LLQ-ID | u_int64_t | [As Appropriate] | + +---------------+------------+---------------------------------+ + | LLQ-LEASE | u_int32_t | [As Appropriate] | + +---------------+------------+---------------------------------+ + + Table 5: Setup Challenge LLQ OPTION Format + + The Setup Challenge LLQ OPTION MUST be repeated once for each query + in the Questions section of the Setup Challenge. Further details for + LLQ-ERROR, LLQ-ID and LLQ-LEASE are given below. + + LLQ-ERROR: + + NO-ERROR: The LLQ Setup Request was successful. + + FORMAT-ERR: The LLQ was improperly formatted. Note that if + the rest of the DNS message is properly + formatted, the DNS header error code MUST NOT + include a format error code, since to do so + would cause ambiguity between the case where a + client sends a valid LLQ Setup Request to a + server that does not understand LLQ and the case + where a client sends a malformed LLQ Setup + Request to a server that does understand LLQ. + + SERV-FULL: The server cannot grant the LLQ request because + it is overloaded or the request exceeds the + server's rate limit (see Section 8, Security + Considerations). Upon returning this error, the + server MUST include in the LLQ-LEASE field a + time interval, in seconds, after which the + client may retry the LLQ Setup. + + STATIC: The data for this name and type is not expected + to change frequently, and the server, therefore, + does not support the requested LLQ. The client + MUST honor the resource record TTLs returned and + MUST NOT poll sooner than indicated by those + TTLs, nor should it retry the LLQ Setup for this + name and type. + + BAD-VERS: The protocol version specified in the client's + Setup Request is not supported by the server. + + UNKNOWN-ERR: The LLQ was not granted for some other reason + not covered by the preceding error code values. + + LLQ-ID: On success, a random number generated by the server + that is unique on the server for the requested + name/type/class. The LLQ-ID SHOULD be an + unpredictable random number. A possible method of + allocating LLQ-IDs with minimal bookkeeping would + be to store the time, in seconds since the Epoch, + in the high 32 bits of the field, and a + cryptographically generated 32-bit random integer + in the low 32 bits. + + On error, the LLQ-ID is set to 0. + + LLQ-LEASE: On success, the actual life of the LLQ, in seconds. + Value may be greater than, less than, or equal to + the value requested by the client, as per the + server administrator's policy. The server MAY + discard the LLQ after this LLQ-LEASE expires unless + the LLQ has been renewed by the client (see + Section 7, "LLQ Lease-Life Expiration"). The + server MUST NOT generate events (see Section 6, + "Event Responses") for expired LLQs. + + On SERV-FULL error, LLQ-LEASE MUST be set to a time + interval, in seconds, after which the client may + retry the LLQ Setup. + + On other errors, the LLQ-LEASE MUST be set to 0. + +5.2.3. Challenge Response + + Upon issuing a Setup Request, a client listens for a Setup Challenge + (Section 5.2.2) retransmitting the Setup Request as necessary + (Section 5.1). After receiving a successful Setup Challenge, the + client SHOULD send a Challenge Response to the server. This + Challenge Response is a DNS request with questions as in the Setup + Request and Setup Challenge, and a single OPT pseudo-RR in the + Additional section, with the LLQ OPTIONS corresponding to the LLQ + OPTIONS contained in the Setup Challenge (i.e., echoing, for each LLQ + OPTION, the random LLQ-ID and the granted LLQ-LEASE). If the + Challenge Response contains multiple questions, the first question + MUST correspond to the first LLQ OPTION, etc. + + If the Setup Request for a particular LLQ fails with a STATIC error, + the client MUST NOT poll the server for that LLQ. The client SHOULD + honor the resource record TTLs contained in the response. + + If a Setup Request fails with a SERV-FULL error, the client MAY retry + the LLQ Setup Request (Section 5.2.1) after the time indicated in the + LLQ-LEASE field. + + If the Setup Request fails with an error other than STATIC or + SERV-FULL, or the server is determined not to support LLQ (i.e., the + client receives a DNS response with a nonzero RCODE, or a DNS + response containing no LLQ option), the client MAY poll the server + periodically with standard DNS queries, inferring Add and Remove + Events (see Section 6, "Event Responses") by comparing answers to + these queries. The client SHOULD NOT poll more than once every 15 + minutes for a given query. The client MUST NOT poll if it receives a + STATIC error code in the acknowledgment. + +5.2.4. ACK + Answers + + Upon receiving a correct Challenge Response, a server MUST return an + acknowledgment, completing the LLQ setup, and provide all current + answers to the question(s). + + To acknowledge a successful Challenge Response, i.e., a Challenge + Response in which the LLQ-ID and LLQ-LEASE echoed by the client match + the values issued by the server, the server MUST send a DNS response + containing all available answers to the question(s) contained in the + original Setup Request, along with all additional resource records + appropriate for those answers in the Additional section. The + Additional section also contains LLQ OPTIONS formatted as follows: + + +---------------+------------+---------------------------------+ + | Field Name | Field Type | Description | + +===============+============+=================================+ + | OPTION-CODE | u_int16_t | LLQ (1) | + +---------------+------------+---------------------------------+ + | OPTION-LENGTH | u_int16_t | Length of following fields (18) | + +---------------+------------+---------------------------------+ + | LLQ-VERSION | u_int16_t | Version of LLQ protocol | + | | | implemented in server (1) | + +---------------+------------+---------------------------------+ + | LLQ-OPCODE | u_int16_t | LLQ-SETUP (1) | + +---------------+------------+---------------------------------+ + | LLQ-ERROR | u_int16_t | NO-ERROR (0) | + +---------------+------------+---------------------------------+ + | LLQ-ID | u_int64_t | Originally granted ID, echoed | + | | | in client's Response | + +---------------+------------+---------------------------------+ + | LLQ-LEASE | u_int32_t | Remaining life of LLQ, in | + | | | seconds | + +---------------+------------+---------------------------------+ + + Table 6: Successful ACK + Answers LLQ OPTION Format + + If there is a significant delay in receiving a Challenge Response, or + multiple Challenge Responses are issued (possibly because they were + lost en route to the client, causing the client to resend the + Challenge Response), the server MAY decrement the LLQ-LEASE by the + time elapsed since the Setup Challenge was initially issued. + + If the setup is completed over UDP and all initially available + answers to the question(s), additional records, and the OPT pseudo-RR + do not fit in a single IP packet, some or all additional records + (excluding the OPT pseudo-RR) MUST be omitted. If, after omission of + all additional records, the answers still do not fit in a single + message, answers MUST be removed until the message fits in a single + IP packet. These answers not delivered in the ACK + Answers MUST be + delivered without undue delay to the client via Add Events + (Section 6, "Event Responses"). + +5.3. Resource Record TTLs + + The TTLs of resource records contained in answers to successful LLQs + SHOULD be ignored by the client. The client MAY cache LLQ answers + until the client receives a gratuitous announcement (see Section 6, + "Event Responses") indicating that the answer to the LLQ has changed. + The client SHOULD NOT cache answers after the LLQs LLQ-LEASE expires + without being refreshed (see Section 7, "LLQ Lease-Life Expiration"). + If an LLQ request fails, the client SHOULD NOT cache answers for a + period longer than the client's polling interval. + + Note that resource records intended specifically to be transmitted + via LLQs (e.g., DNS-based Service Discovery resource records) may + have unusually short TTLs. This is because it is assumed that the + records may change frequently, and that a client's cache coherence + will be maintained via the LLQ and gratuitous responses. Short TTLs + prevent stale information from residing in intermediate DNS recursive + resolvers that are not LLQ aware. + + TTLs of resource records included in the Additional section of an LLQ + response (which do not directly answer the LLQ) SHOULD be honored by + the client. + +6. Event Responses + + When a change ("event") occurs to a name server's zone, the server + MUST check if the new or deleted resource records answer any LLQs. + If so, the changes MUST be communicated to the LLQ requesters in the + form of a gratuitous DNS response sent to the client, with the + relevant question(s) in the Question section, and the corresponding + answers in the Answer section. The response also includes an OPT + pseudo-RR in the Additional section. This OPT pseudo-RR contains, in + its RDATA, an LLQ OPTION for each LLQ being answered in the message. + Each LLQ OPTION must include the LLQ-ID. This reduces the potential + for spoof events being sent to a client. + + +---------------+------------+---------------------------------+ + | Field Name | Field Type | Description | + +===============+============+=================================+ + | OPTION-CODE | u_int16_t | LLQ (1) | + +---------------+------------+---------------------------------+ + | OPTION-LENGTH | u_int16_t | Length of following fields (18) | + +---------------+------------+---------------------------------+ + | LLQ-VERSION | u_int16_t | Version of LLQ protocol | + | | | implemented in server (1) | + +---------------+------------+---------------------------------+ + | LLQ-OPCODE | u_int16_t | LLQ-EVENT (3) | + +---------------+------------+---------------------------------+ + | LLQ-ERROR | u_int16_t | NO-ERROR (0) | + +---------------+------------+---------------------------------+ + | LLQ-ID | u_int64_t | [As Appropriate] | + +---------------+------------+---------------------------------+ + | LLQ-LEASE | u_int32_t | 0 | + +---------------+------------+---------------------------------+ + + Table 7: Event Response LLQ OPTION Format + + Gratuitous responses for a single LLQ MAY be batched such that + multiple changes are communicated in a single message. Responses + MUST NOT be batched if this would cause a message that would + otherwise fit in a single IP packet to be truncated. While responses + MAY be deferred to provide opportunities for batching, responses + SHOULD NOT be delayed, for purposes of batching, for more than 30 + seconds, as this would cause an unacceptable latency for the client. + + After sending a gratuitous response, the server MUST listen for an + acknowledgment from the client. If the client does not respond, the + server MUST resend the response. The server MUST resend two times + (for a total of 3 transmissions), after which the server MUST + consider the client to be unreachable and delete its LLQ. The server + MUST listen for 2 seconds before resending the response, 4 more + seconds before resending again, and must wait an additional 8 seconds + after the 3rd transmission before terminating the LLQ. + + The DNS message header of the response SHOULD include an + unpredictable random number in the DNS message ID field, which is to + be echoed in the client's acknowledgment. + +6.1. Add Events + + Add Events occur when a new resource record appears, usually as the + result of a dynamic update [RFC2136], that answers an LLQ. This + record must be sent in the Answer section of the event to the client. + Records that normally accompany this record in responses MAY be + included in the Additional section as per truncation restrictions + described above. + +6.2. Remove Events + + Remove Events occur when a resource record previously sent to a + client, either in an initial response or in an Add Event, becomes + invalid (normally as a result of being removed via a dynamic update). + The deleted resource record is sent in the Answer section of the + event to the client. The resource record TTL is set to -1, + indicating that the record has been removed. + +6.3. Gratuitous Response Acknowledgments + + Upon receiving a gratuitous response ("event"), the client MUST send + an acknowledgment to the server. This acknowledgment is a DNS + response echoing the OPT pseudo-RR contained in the event, with the + message ID of the gratuitous response echoed in the message header. + The acknowledgment MUST be sent to the source IP address and port + from which the event originated. + +7. LLQ Lease-Life Expiration + +7.1. Refresh Request + + If the client desires to maintain the LLQ beyond the duration + specified in the LLQ-LEASE field of the ACK + Answers + (Section 5.2.4), the client MUST send a Refresh Request. A Refresh + Request is identical to an LLQ Challenge Response (Section 5.2.3) but + with the LLQ-OPCODE set to LLQ-REFRESH. Unlike a Challenge Response, + a Refresh Request returns no answers. + + The client SHOULD refresh an LLQ when 80% of its LLQ-LEASE has + elapsed. + + As a means of reducing network traffic, when constructing refresh + messages the client SHOULD include all LLQs established with a given + server, even those not yet close to expiration. However, at least + one LLQ MUST have elapsed at least 80% of its original LLQ-LEASE. + The client MUST NOT include additional LLQs if doing so would cause + the message to no longer fit in a single IP packet. In this case, + the LLQs furthest from expiration should be omitted such that the + message fits in a single IP packet. (These LLQs SHOULD be refreshed + in a separate message when 80% of one or more of their lease lives + have elapsed.) When refreshing multiple LLQs simultaneously, the + message contains multiple questions and a single OPT pseudo-RR with + multiple LLQ OPTIONS, one per question, with the LLQ OPTIONS in the + same order as the questions they correspond to. + + The client SHOULD specify the original LLQ-LEASE granted in the LLQ + response as the desired LLQ-LEASE in the Refresh Request. If + refreshing multiple LLQs simultaneously, the client SHOULD request + the same LLQ-LEASE for all LLQs being refreshed (with the exception + of termination requests; see below). + + To terminate an LLQ prior to its scheduled expiration (for instance, + when the client terminates a DNS-based Service Discovery browse + operation or when a client is about to go to sleep or shut down), the + client specifies an LLQ-LEASE value of 0. + + The client MUST listen for an acknowledgment from the server. The + client MAY retry up to two more times (for a total of 3 attempts) + before considering the server down or unreachable. The client MUST + NOT retry a first time before 90% of the LLQ-LEASE has expired and + MUST NOT retry again before 95% of the LLQ-LEASE has expired. If the + server is determined to be down, the client MAY periodically attempt + to re-establish the LLQ via an LLQ Setup Request message. The client + MUST NOT attempt the LLQ Setup Request more than once per hour. + +7.2. LLQ Refresh Acknowledgment + + Upon receiving an LLQ Refresh message, a server MUST send an + acknowledgment of the Refresh. This acknowledgment is formatted like + the "ACK + Answers" message described in Section 5.2.4, but with the + following variations: + + * It contains no answers. + + * The LLQ-OPCODE is set to LLQ-REFRESH. + + * NO-SUCH-LLQ MUST be returned as an error code if the client + attempts to refresh an expired or non-existent LLQ (as determined + by the LLQ-ID in the request). + + * The LLQ-ID in the acknowledgment is set to the LLQ-ID in the + request. + +8. Security Considerations + + In datagram-based protocols (i.e., protocols running over UDP, or + directly over IP, or similar), servers may be susceptible to denial- + of-service (DoS) attacks, and clients may be subjected to packet + storms. Carefully designed mechanisms are needed to limit potential + for these attacks. + + Note: This section contains no new protocol elements -- it serves + only to explain the rationale behind protocol elements described + above as they relate to security. + +8.1. Server DoS + + LLQs require that servers be stateful, maintaining entries for each + LLQ over a potentially long period of time. If unbounded in + quantity, these entries may overload the server. By returning + SERV-FULL in Setup Challenges, the server may limit the maximum + number of LLQs it maintains. Additionally, the server may return + SERV-FULL to limit the number of LLQs requested for a single name and + type, or by a single client. This throttling may be in the form of a + hard limit, or, preferably, by token-bucket rate limiting. Such rate + limiting should occur rarely in normal use and is intended to prevent + DoS attacks -- thus, it is not built into the protocol explicitly but + is instead implemented at the discretion of an administrator via the + SERV-FULL error and the LLQ-LEASE field to indicate a retry time to + the client. + +8.2. Client Packet Storms + + In addition to protecting the server from DoS attacks, the LLQ + protocol limits the ability of a malicious host to cause the server + to flood a client with packets. This is achieved via the four-way + handshake upon setup, demonstrating reachability and willingness of + the client to participate, and by requiring that gratuitous responses + be ACK'd by the client. + + Additionally, rate limiting by LLQ client address, as described in + Section 8.1, serves to limit the number of packets that can be + delivered to an unsuspecting client. + +8.3. Spoofing + + A large random ID greatly reduces the risk of an off-path attacker + sending spoof packets to the client (containing spoof events) or to + the server (containing phony requests or refreshes). + +9. IANA Considerations + + The EDNS(0) OPTION CODE 1 has already been assigned for this DNS + extension. IANA has updated the record in the "DNS EDNS0 Option + Codes (OPT)" registry from "On-hold" to "Optional" and has set the + reference to this document. + + TCP and UDP ports 5352 have already been assigned for LLQ. IANA has + added a reference to this document. + +10. References + +10.1. Normative References + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, + November 1987, <https://www.rfc-editor.org/info/rfc1035>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for + specifying the location of services (DNS SRV)", RFC 2782, + DOI 10.17487/RFC2782, February 2000, + <https://www.rfc-editor.org/info/rfc2782>. + + [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms + for DNS (EDNS(0))", STD 75, RFC 6891, + DOI 10.17487/RFC6891, April 2013, + <https://www.rfc-editor.org/info/rfc6891>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8765] Pusateri, T. and S. Cheshire, "DNS Push Notifications", + RFC 8765, DOI 10.17487/RFC8765, June 2020, + <https://www.rfc-editor.org/info/rfc8765>. + +10.2. Informative References + + [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound, + "Dynamic Updates in the Domain Name System (DNS UPDATE)", + RFC 2136, DOI 10.17487/RFC2136, April 1997, + <https://www.rfc-editor.org/info/rfc2136>. + + [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address + Translation (NAT) Behavioral Requirements for Unicast + UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January + 2007, <https://www.rfc-editor.org/info/rfc4787>. + + [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", + RFC 4953, DOI 10.17487/RFC4953, July 2007, + <https://www.rfc-editor.org/info/rfc4953>. + + [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. + Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, + RFC 5382, DOI 10.17487/RFC5382, October 2008, + <https://www.rfc-editor.org/info/rfc5382>. + + [RFC6281] Cheshire, S., Zhu, Z., Wakikawa, R., and L. Zhang, + "Understanding Apple's Back to My Mac (BTMM) Service", + RFC 6281, DOI 10.17487/RFC6281, June 2011, + <https://www.rfc-editor.org/info/rfc6281>. + + [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, + DOI 10.17487/RFC6762, February 2013, + <https://www.rfc-editor.org/info/rfc6762>. + + [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service + Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, + <https://www.rfc-editor.org/info/rfc6763>. + + [RFC6886] Cheshire, S. and M. Krochmal, "NAT Port Mapping Protocol + (NAT-PMP)", RFC 6886, DOI 10.17487/RFC6886, April 2013, + <https://www.rfc-editor.org/info/rfc6886>. + + [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and + P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, + DOI 10.17487/RFC6887, April 2013, + <https://www.rfc-editor.org/info/rfc6887>. + + [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, + S., and K. Naito, "Updates to Network Address Translation + (NAT) Behavioral Requirements", BCP 127, RFC 7857, + DOI 10.17487/RFC7857, April 2016, + <https://www.rfc-editor.org/info/rfc7857>. + + [RFC8490] Bellis, R., Cheshire, S., Dickinson, J., Dickinson, S., + Lemon, T., and T. Pusateri, "DNS Stateful Operations", + RFC 8490, DOI 10.17487/RFC8490, March 2019, + <https://www.rfc-editor.org/info/rfc8490>. + + [SYN] Eddy, W., "Defenses Against TCP SYN Flooding Attacks", + Volume 9, Number 4, The Internet Protocol Journal, Cisco + Systems, December 2006, + <https://www.cisco.com/web/about/ac123/ac147/ + archived_issues/ipj_9-4/ipj_9-4.pdf>. + +Appendix A. Problems with the LLQ Protocol + + In the course of using LLQ since 2005, some problems were discovered. + Since no further work is being done on the LLQ protocol, this LLQ + specification will not be updated to remedy these problems. + + LLQ's IETF Standards Track successor, "DNS Push Notifications" + [RFC8765], does not suffer from these problems, so all existing LLQ + implementations are RECOMMENDED to migrate to using DNS Push + Notifications, and all new implementations are RECOMMENDED to + implement DNS Push Notifications instead of LLQ. + + Known problems with LLQ are documented here as a cautionary tale + about the challenges of building an application protocol directly + using datagrams (like IP or UDP) without the benefit of a mature and + thoroughly reviewed intervening transport layer (such as TCP or + QUIC). + + An LLQ "Setup Challenge" message from server to client is identical + to an LLQ "ACK + Answers" message from server to client when there + are no current answers for the query. If there is packet loss, + retransmission, and duplication in the network, then a duplicated + "Setup Challenge" message arriving late at the client would look like + an "ACK + Answers" message with no answers, causing the client to + clear its cache of any records matching the query. + + Section 5.1 of this LLQ specification states, "Servers MUST NOT + garbage collect LLQs that fail to complete the four-way handshake + until the initially granted LLQ-LEASE has elapsed." This is probably + a mistake since it exposes LLQ servers to an easy resource-exhaustion + denial-of-service attack. LLQ's replacement, DNS Push Notifications + [RFC8765], is built using DNS Stateful Operations [RFC8490], which + uses TLS over TCP; a benefit of building on TCP is that there are + already established industry best practices to guard against SYN + flooding and similar attacks [SYN] [RFC4953]. + + The attempts here to pack multiple questions into a single UDP/IP + packet for efficiency are awkward and lead to error-prone programming + to deal with cases where some requests in a packet succeed and other + requests in the same packet fail. Fully specifying the correct + handling in all possible cases would be a lot of work to document, a + lot of work to implement, and even more work to thoroughly test. DNS + Push Notifications [RFC8765] avoids this problem by using an + underlying stream protocol (TLS/TCP) to deal with packing small + multiple messages into larger IP packets for efficiency. + + In some cases, initial LLQ answers are delivered in the "ACK + + Answers" message, and in other cases, such as when all the initial + answers will not fit in a single IP packet, some of the initial + answers are delivered in a subsequent "Add Event" message. Having + two different ways to accomplish the same thing increases the + possibility for programming errors. DNS Push Notifications [RFC8765] + corrects this error by having only one single consistent way to + deliver results. + + LLQ is built using UDP, and because UDP has no standardized way of + indicating the start and end of a session, firewalls and NAT gateways + tend to be fairly aggressive about recycling UDP mappings that they + believe to be disused [RFC4787] [RFC5382] [RFC7857]. Using a high + keepalive traffic rate to maintain firewall or NAT mapping state + could remedy this but would largely defeat the purpose of using LLQ + in the first place, which is to provide efficient change notification + without wasteful polling. Because of this, existing LLQ clients use + the NAT Port Mapping Protocol (NAT-PMP) [RFC6886] and/or Port Control + Protocol (PCP) [RFC6887] to establish longer port mapping lifetimes. + This solves the problem but adds extra complexity and doesn't work + with firewalls and NAT gateways that don't support NAT-PMP or PCP. + By using TCP instead of UDP, the DNS Push Notifications protocol + benefits from better longevity of sessions through firewalls and NAT + gateways that don't support NAT-PMP or PCP. + +Acknowledgments + + The concepts described in this document were originally explored, + developed, and implemented with help from Chris Sharp and Roger + Pantos. + + Kiren Sekar made significant contributions to the first draft of this + document and he wrote much of the code for the implementation of LLQ + that shipped in Mac OS X 10.4 Tiger in April 2005. + + Thanks to Independent Stream Editor Adrian Farrel for his support and + assistance in the publication of this RFC. + +Authors' Addresses + + Stuart Cheshire + Apple Inc. + One Apple Park Way + Cupertino, CA 95014 + United States of America + + Phone: +1 (408) 996-1010 + Email: cheshire@apple.com + + + Marc Krochmal + Apple Inc. + One Apple Park Way + Cupertino, CA 95014 + United States of America + + Phone: +1 (408) 996-1010 + Email: marc@apple.com |