DNSEXT Working Group Levon Esibov INTERNET-DRAFT Bernard Aboba Category: Standards Track Dave Thaler Microsoft 21 August 2002 Linklocal Multicast Name Resolution (LLMNR) This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract Today, with the rise of home networking, there are an increasing number of ad-hoc networks operating without a DNS server. In order to allow name resolution in such environments, Link-Local Multicast Name Resolution (LLMNR) is proposed. LLMNR supports all current and future DNS formats, types and classes, while operating on a separate port from DNS, and with a distinct resolver cache. Esibov, Aboba & Thaler Standards Track [Page 1] INTERNET-DRAFT LLMNR 21 August 2002 Table of Contents 1. Introduction .......................................... 3 1.1 Requirements .................................... 3 1.2 Terminology ..................................... 3 2. Name resolution using LLMNR ........................... 3 2.1 Sender behavior ................................. 4 2.2 Responder behavior .............................. 5 2.3 Addressing ...................................... 6 2.4 TTL ............................................. 7 2.5 No/multiple responses ........................... 7 3. Usage model ........................................... 8 3.1 LLMNR configuration ............................. 8 4. Sequence of events .................................... 10 5. Conflict resolution ................................... 10 5.1 Considerations for multiple interfaces .......... 12 5.2 API issues ...................................... 14 6. Security considerations ............................... 14 6.1 Scope restriction ............................... 15 6.2 Usage restriction ............................... 15 6.3 Cache and port separation ....................... 16 6.4 Authentication .................................. 16 7. IANA considerations ................................... 16 8. Normative References .................................. 17 9. Informative References ................................ 17 Acknowledgments .............................................. 18 Authors' Addresses ........................................... 18 Intellectual Property Statement .............................. 19 Full Copyright Statement ..................................... 19 Esibov, Aboba & Thaler Standards Track [Page 2] INTERNET-DRAFT LLMNR 21 August 2002 1. Introduction This document discusses Link-Local Multicast Name Resolution (LLMNR), which operates on a separate port from DNS, with a distinct resolver cache, but does not change the format of DNS packets. LLMNR supports all current and future DNS formats, types and classes. The goal of LLMNR is to enable name resolution in scenarios in which conventional DNS name resolution is not possible. These include scenarios in which hosts are not configured with the address of a DNS server. Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is possible for a dual stack host to be configured with the address of a DNS server for IPv4, while remaining unconfigured with a DNS server suitable for use with IPv6. Since automatic IPv6 DNS configuration mechanisms such as [DHCPv6DNS] and [DNSDisc] are not yet widely deployed, such "partially configuration" may be common in the short term. However, in the long term, IPv6 DNS configuration will become more common so that LLMNR will typically be restricted to adhoc networks in which neither IPv4 nor IPv6 DNS servers are configured. Service discovery in general, as well as discovery of DNS servers using LLMNR in particular is outside of the scope of this document, as is name resolution over non-multicast capable media. 1.1. Requirements In this document, the key words "MAY", "MUST, "MUST NOT", "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [RFC2119]. 1.2. Terminology Responder A host that listens to (but not necessarily responds to) a LLMNR query is called "responder". Sender A host that sends an LLMNR query. The same host may be configured as a "sender", but not a "responder" and vice versa, i.e. as a "responder", but not a "sender". 2. Name resolution using LLMNR While operating on a different port with a distinct resolver cache, LLMNR makes no change to the current format of DNS packets. LLMNR queries are sent to and received on port 5353 using a LINKLOCAL address as specified in "Administratively Scoped IP Multicast" [RFC2365] Esibov, Aboba & Thaler Standards Track [Page 3] INTERNET-DRAFT LLMNR 21 August 2002 for IPv4 and the "solicited name" LINKLOCAL multicast addresses for IPv6, and using a unicast addresses in a few scenarios described below in Section 3. The LLMNR LINKLOCAL address to be used for IPv4 is 224.0.0.251. LINKLOCAL addresses are used to prevent propagation of LLMNR traffic across routers, potentially flooding the network. Propagation of LLMNR packets on the local link is considered sufficient to enable name resolution in small networks. The assumption is that if a network has a home gateway, then the network either has a DNS server or the home gateway can function as a DNS proxy. By implementing DHCPv4 as well as a DNS proxy and dynamic DNS, home gateways can provide name resolution for the names of IPv4 hosts on the local network. For small IPv6 networks, equivalent functionality can be provided by a home gateway implementing DHCPv6 for DNS configuration [DHCPv6DNS], as well as a DNS proxy supporting AAAA RRs and dynamic DNS, providing name resolution for the names of IPv6 hosts on the local network. This should be adequate as long as home gateways implementing DNS configuration also support dynamic DNS in some form. If the home gateway only supports DNS discovery [DNSDisc] but not DHCPv6 DNS configuration [DHCPv6DNS] or dynamic client update, then resolution of the names of IPv6 hosts on the local link will not be possible. Since IPv6 DNS discovery will configure the DNS server address, LLMNR will not be enabled by default. Yet without gateway support for client dynamic update or DHCPv6, dynamic DNS will not be enabled. In the future, LLMNR may be defined to support greater than LINKLOCAL multicast scope. This would occur if LLMNR deployment is successful, the assumption that LLMNR is not needed on multiple links proves incorrect, and multicast routing becomes ubiquitous. For example, it is not clear that this assumption will be valid in large adhoc networking scenarios. Once we have experience in LLMNR deployment in terms of administrative issues, usability and impact on the network it will be possible reevaluate which multicast scopes are appropriate for use with multicast name resolution mechanisms. 2.1. Sender behavior A sender sends an LLMNR query for any legal Type of resource record (e.g. A, PTR, etc.) to the LINKLOCAL address. Notice that in some scenarios described below in Section 3 a sender may also send a unicast query. The RD (Recursion Desired) bit MUST NOT be set. If a responder receives a query with the header containing RD set bit, the responder MUST ignore the RD bit. Esibov, Aboba & Thaler Standards Track [Page 4] INTERNET-DRAFT LLMNR 21 August 2002 The IPv6 LINKLOCAL address a given responder listens to, and to which a sender sends, is a link-local multicast address formed as follows: The name of the resource record in question is expressed in its canonical form (see [RFC2535], section 8.1), which is uncompressed with all alphabetic characters in lower case. The first label of the FQDN in the query is then hashed using the MD5 algorithm, described in [RFC1321]. The first 32 bits of the resultant 128-bit hash is then appended to the prefix FF02:0:0:0:0:2::/96 to yield the 128-bit "solicited name multicast address". (Note: this procedure is intended to be the same as that specified in section 3 of "IPv6 Node Information Queries" [NodeInfo]). A responder that listens for queries for multiple names will necessarily listen to multiple of these solicited name multicast addresses. If the LLMNR query is not resolved during a limited amount of time (LLMNR_TIMEOUT), then a sender MAY repeat the transmission of a query in order to assure themselves that the query has been received by a host capable of responding to the query. The default value for LLMNR_TIMEOUT is 1 second. Repetition MUST NOT be attempted more than 3 times and SHOULD NOT be repeated more often than once per second to reduce unnecessary network traffic. The delay between attempts should be randomized so as to avoid synchronization effects. 2.2. Responder behavior A responder listens on port 5353 on the LINKLOCAL address and on the unicast address(es) that could be set as the source address(es) when the responder responds to the LLMNR query. The host configured as a "responder" MUST act as a sender by using LLMNR dynamic update requests to verify the uniqueness of names as described in Section 5. Responders MUST NOT respond to LLMNR queries for names they are not authoritative for. Responders SHOULD respond to LLMNR queries for names and addresses they are authoritative for. This applies to both forward and reverse lookups. As an example, assume that computer "host.example.com." is authoritative for the domain "host.example.com.". On receiving a LLMNR A resource record query for the name "host.example.com." the host responds with A record(s) that contain IP address(es) in the RDATA of the resource record. In conventional DNS terminology a DNS server authoritative for a zone is authoritative for all the domain names under the zone root except for the branches delegated into separate zones. Contrary to conventional DNS terminology, an LLMNR responder is authoritative only for the zone root. Esibov, Aboba & Thaler Standards Track [Page 5] INTERNET-DRAFT LLMNR 21 August 2002 For example the host "host.example.com." is not authoritative for the name "child.host.example.com." unless the host is configured with multiple names, including "host.example.com." and "child.host.example.com.". As a result, "host" cannot reply to a query for "child" with NXDOMAIN. The purpose of limiting the name authority scope of a responder is to prevent complications that could be caused by coexistence of two or more hosts with the names representing child and parent (or grandparent) nodes in the DNS tree, for example, "host.example.com." and "child.host.example.com.". In this example (unless this limitation is introduced) a LLMNR query for an A record for the name "child.host.example.com." would result in two authoritative responses: name error received from "host.example.com.", and a requested A record - from "child.host.example.com.". To prevent this ambiguity, LLMNR enabled hosts could perform a dynamic update of the parent (or grandparent) zone with a delegation to a child zone. In this example a host "child.host.example.com." would send a dynamic update for the NS and glue A record to "host.example.com.", but this approach significantly complicates implementation of LLMNR and would not be acceptable for lightweight hosts. A response to a LLMNR query is composed in exactly the same manner as a response to the unicast DNS query as specified in [RFC1035]. Responders MUST never respond using cached data, and the AA (Authoritative Answer) bit MUST be set. The response is sent to the sender via unicast. A response to an LLMNR query MUST have RCODE set to zero. Responses with RCODE set to zero are referred to in this document as "positively resolved". LLMNR responders may respond only to queries which they can resolve positively. If a TC (truncation) bit is set in the response, then the sender MAY use the response if it contains all necessary information, or the sender MAY discard the response and resend the query over TCP or using EDNS0 with larger window using the unicast address of the responder. The RA (Recursion Available) bit in the header of the response MUST NOT be set. Even if the RA bit is set in the response header, the sender MUST ignore it. 2.3. Addressing For IPv4 LINKLOCAL addressing, section 2.4 of "Dynamic Configuration of IPv4 Link-Local Addresses" [IPV4Link] lays out the rules with respect to source address selection, TTL settings, and acceptable source/destination address combinations. IPv6 is described in [RFC2460]; IPv6 LINKLOCAL addressing is described in [RFC2373]. LLMNR queries and responses MUST obey the rules laid out in these documents. Esibov, Aboba & Thaler Standards Track [Page 6] INTERNET-DRAFT LLMNR 21 August 2002 In composing an LLMNR response, the responder MUST set the Hop Limit field in the IPv6 header and the TTL field in IPv4 header of the LLMNR response to 255. The sender MUST verify that the Hop Limit field in IPv6 header and TTL field in IPv4 header of each response to the LLMNR query is set to 255. If it is not, then sender MUST ignore the response. Implementation note: In the sockets API for IPv4, the IP_TTL and IP_MULTICAST_TTL socket options are used to specify the TTL of outgoing unicast and multicast packets. The IP_RECVTTL socket option is available on some platforms to receive the IPv4 TTL of received packets with recvmsg(). [RFC2292] specifies similar options for specifying and receiving the IPv6 Hop Limit. 2.4. TTL The responder should use a pre-configured TTL value in the records returned in the LLMNR query response. Due to the TTL minimalization necessary when caching an RRset, all TTLs in an RRset MUST be set to the same value. In the additional and authority section of the response the responder includes the same records as a DNS server would insert in the response to the unicast DNS query. 2.5. No/multiple responses The sender MUST anticipate receiving no replies to some LLMNR queries, in the event that no responders are available within the linklocal multicast scope, or in the event that no positive non-null responses exist for the transmitted query. If no positive response is received, a resolver treats it as a response that no records of the specified type and class for the specified name exist (NXRRSET). Since the responder MUST NOT respond to queries for names it is not authoritative for, a responder MUST NOT respond to an A, A6 or AAAA RR query with an NXRRSET. However, if the host has a AAAA RR, but no MX RR, and an MX RR query is received, the host would respond as follows: RCODE: NOERROR Answer: Authority: SOA for zone. Additional: Empty. The sender MUST anticipate receiving multiple replies to the same LLMNR query, in the event that several LLMNR enabled computers receive the query and respond with valid answers. When this occurs, the responses MAY first be concatenated, and then treated in the same manner that multiple RRs received from the same DNS server would, ordinarily. Esibov, Aboba & Thaler Standards Track [Page 7] INTERNET-DRAFT LLMNR 21 August 2002 However, after receiving an initial response, the sender is not required to wait for LLMNR_TIMEOUT for additional responses. 3. Usage model The same host may be configured as a "sender", but not a "responder" and vice versa (as a "responder", but not "sender"). However, a host configured as a "responder" MUST at least use a "sender's" capability to send LLMNR dynamic update requests to verify the uniqueness of the names, as described in Section 5. An LLMNR "sender" MAY multicast requests for any name. If that name is not qualified and does not end in a trailing dot, for the purposes of LLMNR, the implicit search order is as follows: [1] Request the name with the current domain appended. [2] Request just the name. This is the behavior suggested by [RFC1536]. LLMNR uses this technique to resolve unqualified host names. The same host MAY use LLMNR queries for the resolution of unqualified host names, and conventional DNS queries for resolution of other DNS names. If a DNS server is running on a host that supports LLMNR, the DNS server MUST respond to LLMNR queries only for the RRSets owned by the host on which the server is running, but MUST NOT respond for other records for which the server is authoritative. A sender MUST NOT send a unicast LLMNR query except when: a. A sender repeats a query after it received a response to the previous LLMNR query with the TC bit set, or b. The sender's LLMNR cache contains an NS resource record that enables the sender to send a query directly to the hosts authoritative for the name in the query. A responder with a name "host.example.com." configured to respond to the LLMNR queries is authoritative for the name "host.example.com.". For example, when a responder with the name "host.example.com." receives an A type LLMNR query for the name "host.example.com." it authoritatively responds to the query. 3.1. LLMNR configuration LLMNR usage can be configured manually or automatically. On interfaces where no manual or automatic DNS configuration has been performed for a given protocol (IPv4 or IPv6), LLMNR SHOULD be enabled for that protocol. Esibov, Aboba & Thaler Standards Track [Page 8] INTERNET-DRAFT LLMNR 21 August 2002 For IPv6, the stateless DNS discovery mechanisms described in "IPv6 Stateless DNS Discovery" [DNSDisc] or "Using DHCPv6 for DNS Configuration in Hosts" [DHCPv6DNS] can be used to discover whether LLMNR should be enabled or disabled on a per-interface basis. Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to configure LLMNR on an interface. The LLMNR Enable Option, described in [LLMNREnable], can be used to explicitly enable or disable use of LLMNR on an interface. The LLMNR Enable Option does not determine whether or in which order DNS itself is used for name resolution. The order in which various name resolution mechanisms should be used can be specified using the Name Service Search Option for DHCP, [RFC2937]. Note that it is possible for LLMNR to be enabled for use with IPv6 at the same time it is disabled for IPv4, and vice versa. For example, a home gateway may implement a DNS proxy and DHCPv4, but not DHCPv6 for DNS configuration [DHCPv6DNS] or stateless DNS discovery [DNSDisc]. In such a circumstance, IPv6 hosts will not be configured with a DNS server. Where DHCPv6 is not supported, the DNS proxy within the home gateway will not be able to dynamically register names learned via DHCPv6. As a result, unless the DNS proxy supports client dynamic update, it will not be able to respond to AAAA RR queries for local names sent over IPv4 or IPv6, preventing IPv6 hosts from resolving the names of other IPv6 hosts on the local link. In this situation, LLMNR enables resolution of dynamic names, and it will be enabled for use with IPv6, even though it is disabled for use with IPv4. 3.1.1. Consistency of configuration It is possible that DNS servers and/or DNS configuration mechanisms will go in and out of service. In these circumstances, it is possible for hosts within an administrative domain to be inconsistent in their DNS configuration. For example, where DHCP is used for configuring DNS servers, one or more DHCP servers can go down. As a result, hosts configured prior to the outage will be configured with a DNS server, while hosts configured after the outage will use LLMNR. When the DHCP server comes back online, it is desirable that unconfigured hosts obtain their configuration from it. Alternatively, it is possible for the DNS configuration mechanism to continue functioning while the configured DNS servers fail. In this circumstance, it may be desirable for administrators to be able to reconfigure hosts to utilize alternative DNS servers. In order to minimize inconsistencies, the following practices are recommended: Esibov, Aboba & Thaler Standards Track [Page 9] INTERNET-DRAFT LLMNR 21 August 2002 Periodic retry Unless unconfigured hosts periodically retry configuration, an outage in the DNS configuration mechanism will result in hosts continuing to use LLMNR even once the outage is repaired. Since LLMNR only enables linklocal name resolution, this represents an unnecessary degradation in capabilities. As a result, it is recommended that hosts without a configured DNS server periodically attempt to obtain DNS configuration. The recommended default retry interval is 30 seconds. DNS failover For security reasons, by default LLMNR is not enabled for the resolution of FQDNs where a DNS server has been configured. This implies that where a DNS server has been configured, LLMNR will not be used by default for resolution of FQDNs, even in the event that all configured DNS servers fail. In this circumstance, it may desirable for hosts to retry DNS configuration, so as to discover alternative DNS servers, if they are available. If the configuration mechanism does not respond, hosts MAY enable LLMNR. However, if the configuration mechanism merely configures non- functioning DNS servers, this is not sufficient reason to enable default LLMNR usage, without an explicit indication that LLMNR usage is desired. 4. Sequence of events The sequence of events for LLMNR usage is as follows: 1. If a sender needs to resolve a query for a name "host.example.com", then it sends a LLMNR query to the LINKLOCAL multicast address. 2. A responder responds to this query only if it is authoritative for the domain name "host.example.com". The responder sends a response to the sender via unicast over UDP. 3. Upon the reception of the response, the sender verifies that the Hop Limit field in IPv6 header or TTL field in IPv4 header (depending on the protocol used) of the response is set to 255. The sender then verifies compliance with the addressing requirements for IPv4, described in [IPV4Link], and IPv6, described in [RFC2373]. If these conditions are met, then the sender uses and caches the returned response. If not, then the sender ignores the response and continues waiting for the response. 5. Conflict resolution There are some scenarios when multiple responders MAY respond to the same query. There are other scenarios when only one responder may Esibov, Aboba & Thaler Standards Track [Page 10] INTERNET-DRAFT LLMNR 21 August 2002 respond to a query. Resource records for which the latter queries are submitted are referred as UNIQUE throughout this document. The uniqueness of a resource record depends on a nature of the name in the query and type of the query. For example it is expected that: - multiple hosts may respond to a query for a SRV type record - multiple hosts may respond to a query for an A type record for a cluster name (assigned to multiple hosts in the cluster) - only a single host may respond to a query for an A type record for a hostname. Every responder that responds to a LLMNR query and/or dynamic update request AND includes a UNIQUE record in the response: 1. MUST verify that there is no other host within the scope of the LLMNR query propagation that can return a resource record for the same name, type and class. 2. MUST NOT include a UNIQUE resource record in the response without having verified its uniqueness. Where a host is configured to respond to LLMNR queries on more than one interface, the host MUST verify resource record uniqueness on each interface for each UNIQUE resource record that could be used on that interface. To accomplish this, the host MUST send a dynamic LLMNR update request for each new UNIQUE resource record. Format of the dynamic LLMNR update request is identical to the format of the dynamic DNS update request specified in [RFC2136]. Uniqueness verification is carried out when the host: - starts up or - is configured to respond to the LLMNR queries on some interface or - is configured to respond to the LLMNR queries using additional UNIQUE resource records. Below we describe the data to be specified in the dynamic update request: Header section contains values according to [RFC2136]. Zone section The zone name in the zone section MUST be set to the name of the UNIQUE record. The zone type in the zone section MUST be set to SOA. The zone class in the zone section MUST be set to the class of the UNIQUE record. Prerequisite section This section MUST contain a record set whose semantics are Esibov, Aboba & Thaler Standards Track [Page 11] INTERNET-DRAFT LLMNR 21 August 2002 described in [RFC2136], Section 2.4.3 "RRset Does Not Exist", requesting that RRs with the NAME and TYPE of the UNIQUE record do not exist. Update section This section MUST be left empty. Additional section This section is set according to [RFC2136]. When a host that owns a UNIQUE record receives a dynamic update request that requests that the UNIQUE resource record set does not exist, the host MUST respond via unicast with the YXRRSET error, according to the rules described in Section 3 of [RFC2136]. After the client receives an YXRRSET response to its dynamic update request stating that a UNIQUE resource record does not exist, the host MUST check whether the response arrived on another interface. If this is the case, then the client can use the UNIQUE resource record in response to LLMNR queries and dynamic update requests. If not, then it MUST NOT use the UNIQUE resource record in response to LLMNR queries and dynamic update requests. Note that this name conflict detection mechanism doesn't prevent name conflicts when previously partitioned segments are connected by a bridge. In such a situation, name conflicts are detected when a sender receives more than one response to its LLMNR query. In this case, the sender sends the first response that it received to all responders that responded to this query except the first one, using unicast. A host that receives a query response containing a UNIQUE resource record that it owns, even if it didn't send such a query, MUST verify that no other host within the LLMNR scope is authoritative for the same name, using the dynamic LLMNR update request mechanism described above. Based on the result, the host detects whether there is a name conflict and acts as described above. 5.1. Considerations for Multiple Interfaces A multi-homed host may elect to configure LLMNR on only one of its active interfaces. In many situations this will be adequate. However, should a host wish to configure LLMNR on more than one of its active interfaces, there are some additional precautions it MUST take. Implementers who are not planning to support LLMNR on multiple interfaces simultaneously may skip this section. A multi-homed host checks the uniqueness of UNIQUE records as described in Section 5. The situation is illustrated in figure 1 below: Esibov, Aboba & Thaler Standards Track [Page 12] INTERNET-DRAFT LLMNR 21 August 2002 ---------- ---------- | | | | [A] [myhost] [myhost] Figure 1. LINKLOCAL name conflict In this situation, the multi-homed myhost will probe for, and defend, its host name on both interfaces. A conflict will be detected on one interface, but not the other. The multi-homed myhost will not be able to respond with a host RR for "myhost" on the interface on the right (see Figure 1). The multi-homed host may, however, be configured to use the "myhost" name on the interface on the left. Since names are only unique per-link, hosts on different links could be using the same name. If an LLMNR client sends requests over multiple interfaces, and receives replies from more than one, the result returned to the client is defined by the implementation. The situation is illustrated in figure 2 below. ---------- ---------- | | | | [A] [myhost] [A] Figure 2. Off-segment name conflict If host myhost is configured to use LLMNR on both interfaces, it will send LLMNR queries on both interfaces. When host myhost sends a query for the host RR for name "A" it will receive a response from hosts on both interfaces. Host myhost will then forward a response from the first responder to the second responder, who will attempt to verify the uniqueness of host RR for its name, but will not discover a conflict, since the conflicting host resides on a different link. Therefore it will continue using its name. Esibov, Aboba & Thaler Standards Track [Page 13] INTERNET-DRAFT LLMNR 21 August 2002 Indeed, host myhost cannot distinguish between the situation shown in Figure 2, and that shown in Figure 3 where no conflict exists: [A] | | ----- ----- | | [myhost] Figure 3. Multiple paths to same host This illustrates that the proposed name conflict resolution mechanism does not support detection or resolution of conflicts between hosts on different links. This problem can also occur with unicast DNS when a multi-homed host is connected to two different networks with separated name spaces. It is not the intent of this document to address the issue of uniqueness of names within DNS. 5.2. API issues [RFC2553] provides an API which can partially solve the name ambiguity problem for applications written to use this API, since the sockaddr_in6 structure exposes the scope within which each scoped address exists, and this structure can be used for both IPv4 (using v4-mapped IPv6 addresses) and IPv6 addresses. Following the example in Figure 2, an application on 'myhost' issues the request getaddrinfo("A", ...) with ai_family=AF_INET6 and ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both interfaces and the resolver library will return a list containing multiple addrinfo structures, each with an associated sockaddr_in6 structure. This list will thus contain the IPv4 and IPv6 addresses of both hosts responding to the name 'A'. Link-local addresses will have a sin6_scope_id value that disambiguates which interface is used to reach the address. Of course, to the application, Figures 2 and 3 are still indistinguishable, but this API allows the application to communicate successfully with any address in the list. 6. Security Considerations LLMNR is by nature a peer to peer name resolution protocol, for use in situations when a DNS server is not configured. It is therefore inherently more vulnerable than DNS, since existing DNS security mechanisms are difficult to apply to LLMNR and an attacker only needs to be misconfigured to answer an LLMNR query with incorrect information. In order to address the security vulnerabilities, the following mechanisms are contemplated: Esibov, Aboba & Thaler Standards Track [Page 14] INTERNET-DRAFT LLMNR 21 August 2002 [1] Scope restrictions. [2] Usage restrictions. [3] Cache and port separation. [4] Authentication. These techniques are described in the following sections. 6.1. Scope restriction With LLMNR it is possible that hosts will allocate conflicting names for a period of time, or that attackers will attempt to deny service to other hosts by allocating the same name. Such attacks also allow hosts to receive packets destined for other hosts. In the absence of authentication, LLMNR reduces the exposure to such threats by ignoring LLMNR query response packets received from off-link senders. In all received responses, the Hop Limit field in IPv6 and the TTL field in IPv4 are verified to contain 255, the maximum legal value. Since routers decrement the Hop Limit on all packets they forward, received packets containing a Hop Limit of 255 must have originated from a neighbor. While restricting ignoring packets received from off-link senders reduces the level of vulnerability, it does not eliminate it. There are scenarios such as public "hotspots" where attackers can be present on the same link. These threats are most serious in wireless networks such as 802.11, since attackers on a wired network will require physical access to the home network, while wireless attackers may reside outside the home. Link-layer security can be of assistance against these threats if it is available. 6.2. Usage restriction As noted in Section 3.1, LLMNR is intended for usage in scenarios where a DNS server is not configured. If an interface has been configured for a given protocol via any automatic configuration mechanism which is able to supply DNS configuration information, then LLMNR SHOULD NOT be used on that interface for that protocol unless it has been explicitly enabled, whether via that mechanism or any other. This ensures that upgraded hosts do not change their default behavior, without requiring the source of the configuration information to be simultaneously updated. This implies that on the interface, the host will neither listen on the LINKLOCAL multicast address, nor will it send queries to that address. Esibov, Aboba & Thaler Standards Track [Page 15] INTERNET-DRAFT LLMNR 21 August 2002 Violation of this guideline can significantly increases security vulnerabilities. For example, if an LLMNR query were to be sent whenever a DNS server did not respond in a timely way, then an attacker could execute a denial of service attack on the DNS server(s) and then poison the LLMNR cache by responding to the resulting LLMNR queries with incorrect information. The vulnerability would be even greater if LLMNR is given higher priority than DNS among the enabled name resolution mechanisms. In such a configuration, a denial of service attack on the DNS server would not be necessary in order to poison the LLMNR cache, since LLMNR queries would be sent even when the DNS server is available. In addition, the LLMNR cache, once poisoned, would take precedence over the DNS cache, eliminating the benefits of cache separation. As a result, LLMNR is best thought of as a name resolution mechanism of last resort, useful only in situations where a DNS server is not configured. Where resilience against DNS server failure is desired, configuration of additional DNS servers or DNS server clustering is recommended; LLMNR is not an appropriate "failsafe" mechanism. 6.3. Cache and port separation In order to prevent responses to LLMNR queries from polluting the DNS cache, LLMNR implementations MUST use a distinct, isolated cache for LLMNR. The use of separate caches is most effective when LLMNR is used as a name resolution mechanism of last resort, since the this minimizes the opportunities for poisoning the LLMNR cache, and decreases reliance on it. LLMNR operates on a separate port (5353) from DNS, reducing the likelihood that a DNS server will unintentionally respond to an LLMNR query. 6.4. Authentication LLMNR does not require use of DNSSEC, and as a result, responses to LLMNR queries MAY NOT be authenticated. If authentication is desired, and a pre-arranged security configuration is possible, then IPsec ESP with a null-transform MAY be used to authenticate LLMNR responses. In a small network without a certificate authority, this can be most easily accomplished through configuration of a group pre-shared key for trusted hosts. 7. IANA Considerations This specification does not create any new name spaces for IANA administration. Since it uses a port (5353) and link scope multicast Esibov, Aboba & Thaler Standards Track [Page 16] INTERNET-DRAFT LLMNR 21 August 2002 IPv4 address (224.0.0.251) previously allocated for use with LLMNR, no additional IANA allocations are required. 8. Normative References [RFC1035] Mockapetris, P., "Domain Names - Implementation and Specification", RFC 1035, November 1987. [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., Bound, J., "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997. [RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC 2365, July 1998. [RFC2373] Hinden, R., Deering, S., "IP Version 6 Addressing Architecture", RFC 2373, July 1998. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC 2535, March 1999. [IPV4Link] Cheshire, S., Aboba, B., "Dynamic Configuration of IPv4 Link-Local Addresses", Internet draft (work in progress), draft-ietf-zeroconf-ipv4-linklocal-05.txt, November 2001. [LLMNREnable] Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work in progress), draft-guttman-mdns-enable-02.txt, April 2002. 9. Informative References [RFC1536] Kumar, A., et. al. "DNS Implementation Errors and Suggested Fixes", RFC 1536, October 1993. [RFC2292] Stevens, W., Thomas, M., "Advanced Sockets API for IPv6", RFC 2292, February 1998. [RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, Esibov, Aboba & Thaler Standards Track [Page 17] INTERNET-DRAFT LLMNR 21 August 2002 October 1998. [RFC2553] Gilligan, R., Thomson, S., Bound, J., Stevens, W., "Basic Socket Interface Extensions for IPv6", RFC 2553, March 1999. [RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC 2937, September 2000. [DHCPv6DNS] Droms, R., Narten, T., and Aboba, B. "Using DHCPv6 for DNS Configuration in Hosts", draft-droms-dnsconfig- dhcpv6-01.txt, Internet draft (work in progress), March 2002. [DNSDisc] Thaler, D., Hagino, I., "IPv6 Stateless DNS Discovery", Internet draft (work in progress), draft-ietf-ipngwg-dns- discovery-03.txt, November 2001. [NodeInfo] Crawford, Matt, "IPv6 Node Information Queries", Internet draft (work in progress), draft-ietf-ipn-gwg-icmp-name- lookups-08.txt, July 2001. Acknowledgments This work builds upon original work done on multicast DNS by Bill Manning and Bill Woodcock. Bill Manning's work was funded under DARPA grant #F30602-99-1-0523. The authors gratefully acknowledge their contribution to the current specification. Constructive input has also been received from Mark Andrews, Stuart Cheshire, Robert Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik Guttman, Myron Hattig, Thomas Narten, Erik Nordmark, Sander Van-Valkenburg, Tomohide Nagashima and Brian Zill. Authors' Addresses Levon Esibov Microsoft Corporation One Microsoft Way Redmond, WA 98052 EMail: levone@microsoft.com Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: +1 425 706 6605 Esibov, Aboba & Thaler Standards Track [Page 18] INTERNET-DRAFT LLMNR 21 August 2002 EMail: bernarda@microsoft.com Dave Thaler Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: +1 425 703 8835 EMail: dthaler@microsoft.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards- related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its Esibov, Aboba & Thaler Standards Track [Page 19] INTERNET-DRAFT LLMNR 21 August 2002 successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Expiration Date This memo is filed as , and expires February 22, 2003. Esibov, Aboba & Thaler Standards Track [Page 20]