draft-ietf-dnsext-mdns-33.txt

bind 9.3结合mysql数据库

INTERNET-DRAFT                    LLMNR                     18 July 2004


   Due to the TTL minimalization necessary when caching an RRset, all
   TTLs in an RRset MUST be set to the same value.

2.9.  Use of the authority and additional sections

   Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
   concept of delegation.  In LLMNR, the NS resource record type may be
   stored and queried for like any other type, but it has no special
   delegation semantics as it does in the DNS.  Responders MAY have NS
   records associated with the names for which they are authoritative,
   but they SHOULD NOT include these NS records in the authority
   sections of responses.

   Responders SHOULD insert an SOA record into the authority section of
   a negative response, to facilitate negative caching as specified in
   [RFC2308].  The owner name of this SOA record MUST be equal to the
   query name.

   Responders SHOULD NOT perform DNS additional section processing,
   except as required for EDNS0 and DNSSEC.

   Senders MUST NOT cache RRs from the authority or additional section
   of a response as answers, though they may be used for other purposes
   such as negative caching.

3.  Usage model

   Since LLMNR is a secondary name resolution mechanism, its usage is in
   part determined by the behavior of DNS implementations.  This
   document does not specify any changes to DNS resolver behavior, such
   as searchlist processing or retransmission/failover policy.  However,
   robust DNS resolver implementations are more likely to avoid
   unnecessary LLMNR queries.

   As noted in [DNSPerf], even when DNS servers are configured, a
   significant fraction of DNS queries do not receive a response, or
   result in negative responses due to missing inverse mappings or NS
   records that point to nonexistent or inappropriate hosts.  This has
   the potential to result in a large number of unnecessary LLMNR
   queries.

   [RFC1536] describes common DNS implementation errors and fixes.  If
   the proposed fixes are implemented, unnecessary LLMNR queries will be
   reduced substantially, and so implementation of [RFC1536] is
   recommended.

   For example, [RFC1536] Section 1 describes issues with retransmission
   and recommends implementation of a retransmission policy based on



Esibov, Aboba & Thaler       Standards Track                   [Page 14]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   round trip estimates, with exponential backoff.  [RFC1536] Section 4
   describes issues with failover, and recommends that resolvers try
   another server when they don't receive a response to a query.  These
   policies are likely to avoid unnecessary LLMNR queries.

   [RFC1536] Section 3 describes zero answer bugs, which if addressed
   will also reduce unnecessary LLMNR queries.

   [RFC1536] Section 6 describes name error bugs and recommended
   searchlist processing that will reduce unnecessary RCODE=3
   (authoritative name) errors, thereby also reducing unnecessary LLMNR
   queries.

3.1.  LLMNR configuration

   Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
   possible for a dual stack host to be configured with the address of a
   DNS server over IPv4, while remaining unconfigured with a DNS server
   suitable for use over IPv6.

   In these situations, a dual stack host will send AAAA queries to the
   configured DNS server over IPv4.  However, an IPv6-only host
   unconfigured with a DNS server suitable for use over IPv6 will be
   unable to resolve names using DNS.  Automatic IPv6 DNS configuration
   mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely
   deployed, and not all DNS servers support IPv6. Therefore lack of
   IPv6 DNS configuration may be a common problem in the short term, and
   LLMNR may prove useful in enabling linklocal name resolution over
   IPv6.

   Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
   IPv6-only hosts may not be configured with a DNS server.  Where there
   is no DNS server authoritative for the name of a host or the
   authoritative DNS server does not support dynamic client update over
   IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not
   be able to do DNS dynamic update, and other hosts will not be able to
   resolve its name.

   For example, if the configured DNS server responds to AAAA RR queries
   sent over IPv4 or IPv6 with an authoritative name error (RCODE=3),
   then it will not be possible to resolve the names of IPv6-only hosts.
   In this situation, LLMNR over IPv6 can be used for local name
   resolution.

   Similarly, if a DHCPv4 server is available providing DNS server
   configuration, and DNS server(s) exist which are authoritative for
   the A RRs of local hosts and support either dynamic client update
   over IPv4 or DHCPv4-based dynamic update, then the names of local



Esibov, Aboba & Thaler       Standards Track                   [Page 15]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   IPv4 hosts can be resolved over IPv4 without LLMNR.  However,  if no
   DNS server is authoritative for the names of local hosts, or the
   authoritative DNS server(s) do not support dynamic update, then LLMNR
   enables linklocal name resolution over IPv4.

   Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
   configure LLMNR on an interface.  The LLMNR Enable Option, described
   in [LLMNREnable], can be used to explicitly enable or disable use of
   LLMNR on an interface.  The LLMNR Enable Option does not determine
   whether or in which order DNS itself is used for name resolution.
   The order in which various name resolution mechanisms should be used
   can be specified using the Name Service Search Option (NSSO) for DHCP
   [RFC2937], using the LLMNR Enable Option code carried in the NSSO
   data.

   It is possible that DNS configuration mechanisms will go in and out
   of service.  In these circumstances, it is possible for hosts within
   an administrative domain to be inconsistent in their DNS
   configuration.

   For example, where DHCP is used for configuring DNS servers, one or
   more DHCP servers can fail.  As a result, hosts configured prior to
   the outage will be configured with a DNS server, while hosts
   configured after the outage will not.  Alternatively, it is possible
   for the DNS configuration mechanism to continue functioning while
   configured DNS servers fail.

   Unless unconfigured hosts periodically retry configuration, an outage
   in the DNS configuration mechanism will result in hosts continuing to
   use LLMNR even once the outage is repaired.  Since LLMNR only enables
   linklocal name resolution, this represents an unnecessary degradation
   in capabilities.  As a result, it is recommended that hosts without a
   configured DNS server periodically attempt to obtain DNS
   configuration.  For example, where DHCP is used for DNS
   configuration, [RFC2131] recommends a maximum retry interval of 64
   seconds.  In the absence of other guidance, a default retry interval
   of one (1) minute is RECOMMENDED.

4.  Conflict resolution

   The sender MUST anticipate receiving multiple replies to the same
   LLMNR query, in the event that several LLMNR enabled computers
   receive the query and respond with valid answers.  When this occurs,
   the responses may first be concatenated, and then treated in the same
   manner that multiple RRs received from the same DNS server would; the
   sender perceives no inherent conflict in the receipt of multiple
   responses.




Esibov, Aboba & Thaler       Standards Track                   [Page 16]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   There are some scenarios when multiple responders MAY respond to the
   same query.  There are other scenarios when only one responder MAY
   respond to a query.  Resource records for which the latter queries
   are submitted are referred as UNIQUE throughout this document.  The
   uniqueness of a resource record depends on a nature of the name in
   the query and type of the query.  For example it is expected that:

      - multiple hosts may respond to a query for an SRV type record
      - multiple hosts may respond to a query for an A or AAAA type
        record for a cluster name (assigned to multiple hosts in
        the cluster)
      - only a single host may respond to a query for an A or AAAA
        type record for a name.

   Every responder that responds to an LLMNR query AND includes a UNIQUE
   record in the response:

   [1]  MUST verify that there is no other host within the
        scope of the LLMNR query propagation that can return
        a resource record for the same name, type and class.

   [2]  MUST NOT include a UNIQUE resource record in the
        response without having verified its uniqueness.

   Where a host is configured to issue LLMNR queries on more than one
   interface, each interface should have its own independent LLMNR
   cache.  For each UNIQUE resource record in a given interface's
   configuration, the host MUST verify resource record uniqueness on
   that interface.  To accomplish this, the host MUST send an LLMNR
   query for each UNIQUE resource record.

   By default, a host SHOULD be configured to behave as though all RRs
   are UNIQUE.  Uniqueness verification is carried out when the host:

     - starts up or is rebooted
     - wakes from sleep (if the network interface was inactive during sleep)
     - is configured to respond to the LLMNR queries on an interface
       enabled for transmission and reception of IP traffic
     - is configured to respond to the LLMNR queries using additional
       UNIQUE resource records
     - detects that an interface is connected and is usable
       (e.g. an IEEE 802 hardware link-state change indicating
       that a cable was attached or completion of authentication
       (and if needed, association) with a wireless base station
       or adhoc network

   When a host that has a UNIQUE record receives an LLMNR query for that
   record, the host MUST respond.  After the client receives a response,



Esibov, Aboba & Thaler       Standards Track                   [Page 17]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   it MUST check whether the response arrived on an interface different
   from the one on which the query was sent.  If the response arrives on
   a different interface, the client can use the UNIQUE resource record
   in response to LLMNR queries.  If not, then it MUST NOT use the
   UNIQUE resource record in response to LLMNR queries.

   The name conflict detection mechanism doesn't prevent name conflicts
   when previously partitioned segments are connected by a bridge. In
   order to minimize the chance of conflicts in such a situation, it is
   recommended that steps be taken to ensure name uniqueness. For
   example, the name could be chosen randomly from a large pool of
   potential names, or the name could be assigned via a process designed
   to guarantee uniqueness.

   When name conflicts are detected, they SHOULD be logged.  To detect
   duplicate use of a name, an administrator can use a name resolution
   utility which employs LLMNR and lists both responses and responders.
   This would allow an administrator to diagnose behavior and
   potentially to intervene and reconfigure LLMNR responders who should
   not be configured to respond to the same name.

4.1.  Considerations for Multiple Interfaces

   A multi-homed host may elect to configure LLMNR on only one of its
   active interfaces.  In many situations this will be adequate.
   However, should a host need to configure LLMNR on more than one of
   its active interfaces, there are some additional precautions it MUST
   take.  Implementers who are not planning to support LLMNR on multiple
   interfaces simultaneously may skip this section.

   A multi-homed host checks the uniqueness of UNIQUE records as
   described in Section 4.  The situation is illustrated in figure 1.

        ----------  ----------
         |      |    |      |
        [A]    [myhost]   [myhost]

      Figure 1.  Link-scope name conflict

   In this situation, the multi-homed myhost will probe for, and defend,
   its host name on both interfaces.  A conflict will be detected on one
   interface, but not the other.  The multi-homed myhost will not be
   able to respond with a host RR for "myhost" on the interface on the
   right (see Figure 1).  The multi-homed host may, however, be
   configured to use the "myhost" name on the interface on the left.

   Since names are only unique per-link, hosts on different links could
   be using the same name.  If an LLMNR client sends requests over



Esibov, Aboba & Thaler       Standards Track                   [Page 18]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   multiple interfaces, and receives replies from more than one, the
   result returned to the client is defined by the implementation.  The
   situation is illustrated in figure 2.

        ----------  ----------
         |      |    |     |
        [A]    [myhost]   [A]


      Figure 2.  Off-segment name conflict

   If host myhost is configured to use LLMNR on both interfaces, it will
   send LLMNR queries on both interfaces.  When host myhost sends a
   query for the host RR for name "A" it will receive a response from
   hosts on both interfaces.

   Host myhost cannot distinguish between the situation shown in Figure
   2, and that shown in Figure 3 where no conflict exists.

                [A]
               |   |
           -----   -----
               |   |
              [myhost]

      Figure 3.  Multiple paths to same host

   This illustrates that the proposed name conflict resolution mechanism
   does not support detection or resolution of conflicts between hosts
   on different links.  This problem can also occur with unicast DNS
   when a multi-homed host is connected to two different networks with
   separated name spaces.  It is not the intent of this document to
   address the issue of uniqueness of names within DNS.

4.2.  API issues

   [RFC2553] provides an API which can partially solve the name
   ambiguity problem for applications written to use this API, since the
   sockaddr_in6 structure exposes the scope within which each scoped
   address exists, and this structure can be used for both IPv4 (using
   v4-mapped IPv6 addresses) and IPv6 addresses.

   Following the example in Figure 2, an application on 'myhost' issues
   the request getaddrinfo("A", ...) with ai_family=AF_INET6 and
   ai_flags=AI_ALL|AI_V4MAPPED.  LLMNR requests will be sent from both
   interfaces and the resolver library will return a list containing
   multiple addrinfo structures, each with an associated sockaddr_in6
   structure.  This list will thus contain the IPv4 and IPv6 addresses



Esibov, Aboba & Thaler       Standards Track                   [Page 19]





INTERNET-DRAFT                    LLMNR                     18 July 2004


   of both hosts responding to the name 'A'.  Link-local addresses will
   have a sin6_scope_id value that disambiguates which interface is used
   to reach the address.  Of course, to the application, Figures 2 and 3
   are still indistinguishable, but this API allows the application to
   communicate successfully with any address in the list.

5.  Security Considerations

   LLMNR is by nature a peer-to-peer name resolution protocol. It is
   therefore inherently more vulnerable than DNS, since existing DNS
   security mechanisms are difficult to apply to LLMNR. While tools
   exist to alllow an attacker to spoof a response to a DNS query,
   spoofing a response to an LLMNR query is easier since the query is
   sent to a link-scope multicast address, where every host on the
   logical link will be made aware of it.

   In order to address the security vulnerabilities, the following
   mechanisms are contemplated:

      [1]  Scope restrictions.
      [2]  Usage restrictions.
      [3]  Cache and port separation.
      [4]  Authentication.