Network Working Group B. Aboba Request for Comments: 4795 D. Thaler Category: Informational L. Esibov Microsoft Corporation January 2007
Network Working Group B. Aboba Request for Comments: 4795 D. Thaler Category: Informational L. Esibov Microsoft Corporation January 2007
Link-Local Multicast Name Resolution (LLMNR)
链路本地多播名称解析(LLMNR)
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
IESG Note
IESG注释
This document was originally intended for advancement as a Proposed Standard, but the IETF did not achieve consensus on the approach. The document has had significant review and input. At time of publication, early versions were implemented and deployed.
本文件最初旨在作为提议的标准进行改进,但IETF并未就此方法达成共识。该文件进行了重要的审查和输入。在发布时,已经实现并部署了早期版本。
Abstract
摘要
The goal of Link-Local Multicast Name Resolution (LLMNR) is to enable name resolution in scenarios in which conventional DNS name resolution is not possible. LLMNR supports all current and future DNS formats, types, and classes, while operating on a separate port from DNS, and with a distinct resolver cache. Since LLMNR only operates on the local link, it cannot be considered a substitute for DNS.
链路本地多播名称解析(LLMNR)的目标是在传统DNS名称解析不可能的情况下启用名称解析。LLMNR支持所有当前和将来的DNS格式、类型和类,同时在与DNS不同的端口上操作,并具有不同的解析器缓存。由于LLMNR仅在本地链路上运行,因此不能将其视为DNS的替代品。
Table of Contents
目录
1. Introduction ....................................................3 1.1. Requirements ...............................................3 1.2. Terminology ................................................4 2. Name Resolution Using LLMNR .....................................4 2.1. LLMNR Packet Format ........................................5 2.1.1. LLMNR Header Format .................................5 2.2. Sender Behavior ............................................8 2.3. Responder Behavior .........................................9 2.4. Unicast Queries and Responses .............................11 2.5. "Off-Link" Detection ......................................11 2.6. Responder Responsibilities ................................12 2.7. Retransmission and Jitter .................................13 2.8. RR TTL ....................................................14 2.9. Use of the Authority and Additional Sections ..............14 3. Usage Model ....................................................15 3.1. LLMNR Configuration .......................................17 4. Conflict Resolution ............................................18 4.1. Uniqueness Verification ...................................19 4.2. Conflict Detection and Defense ............................20 4.3. Considerations for Multiple Interfaces ....................21 4.4. API Issues ................................................22 5. Security Considerations ........................................23 5.1. Denial of Service .........................................23 5.2. Spoofing ..................................................24 5.3. Authentication ............................................25 5.4. Cache and Port Separation .................................25 6. IANA Considerations ............................................26 7. Constants ......................................................26 8. References .....................................................27 8.1. Normative References ......................................27 8.2. Informative References ....................................27 9. Acknowledgments ................................................29
1. Introduction ....................................................3 1.1. Requirements ...............................................3 1.2. Terminology ................................................4 2. Name Resolution Using LLMNR .....................................4 2.1. LLMNR Packet Format ........................................5 2.1.1. LLMNR Header Format .................................5 2.2. Sender Behavior ............................................8 2.3. Responder Behavior .........................................9 2.4. Unicast Queries and Responses .............................11 2.5. "Off-Link" Detection ......................................11 2.6. Responder Responsibilities ................................12 2.7. Retransmission and Jitter .................................13 2.8. RR TTL ....................................................14 2.9. Use of the Authority and Additional Sections ..............14 3. Usage Model ....................................................15 3.1. LLMNR Configuration .......................................17 4. Conflict Resolution ............................................18 4.1. Uniqueness Verification ...................................19 4.2. Conflict Detection and Defense ............................20 4.3. Considerations for Multiple Interfaces ....................21 4.4. API Issues ................................................22 5. Security Considerations ........................................23 5.1. Denial of Service .........................................23 5.2. Spoofing ..................................................24 5.3. Authentication ............................................25 5.4. Cache and Port Separation .................................25 6. IANA Considerations ............................................26 7. Constants ......................................................26 8. References .....................................................27 8.1. Normative References ......................................27 8.2. Informative References ....................................27 9. Acknowledgments ................................................29
This document discusses Link-Local Multicast Name Resolution (LLMNR), which is based on the DNS packet format and supports all current and future DNS formats, types, and classes. LLMNR operates on a separate port from the Domain Name System (DNS), with a distinct resolver cache.
本文档讨论链路本地多播名称解析(LLMNR),它基于DNS数据包格式,支持所有当前和未来的DNS格式、类型和类。LLMNR在独立于域名系统(DNS)的端口上运行,具有不同的解析器缓存。
Since LLMNR only operates on the local link, it cannot be considered a substitute for DNS. Link-scope multicast addresses are used to prevent propagation of LLMNR traffic across routers, potentially flooding the network. LLMNR queries can also be sent to a unicast address, as described in Section 2.4.
由于LLMNR仅在本地链路上运行,因此不能将其视为DNS的替代品。链路作用域多播地址用于防止LLMNR流量跨路由器传播,从而潜在地淹没网络。LLMNR查询也可以发送到单播地址,如第2.4节所述。
Propagation of LLMNR packets on the local link is considered sufficient to enable name resolution in small networks. In such networks, if a network has a gateway, then typically the network is able to provide DNS server configuration. Configuration issues are discussed in Section 3.1.
本地链路上LLMNR数据包的传播被认为足以在小型网络中实现名称解析。在此类网络中,如果网络具有网关,则通常网络能够提供DNS服务器配置。第3.1节讨论了配置问题。
In the future, it may be desirable to consider use of multicast name resolution with multicast scopes beyond the link-scope. This could occur if LLMNR deployment is successful, the need arises for multicast name resolution beyond the link-scope, or multicast routing becomes ubiquitous. For example, expanded support for multicast name resolution might be required for mobile ad-hoc networks.
在未来,可能需要考虑在链路范围之外使用多播范围的多播名称解析的使用。如果LLMNR部署成功,需要在链路范围之外解析多播名称,或者多播路由变得无处不在,则可能发生这种情况。例如,移动自组织网络可能需要扩展对多播名称解析的支持。
Once we have experience in LLMNR deployment in terms of administrative issues, usability, and impact on the network, it will be possible to reevaluate which multicast scopes are appropriate for use with multicast name resolution. IPv4 administratively scoped multicast usage is specified in "Administratively Scoped IP Multicast" [RFC2365].
一旦我们有了LLMNR部署方面的管理问题、可用性和对网络的影响方面的经验,就有可能重新评估哪些多播作用域适合用于多播名称解析。IPv4管理范围的多播使用在“管理范围的IP多播”[RFC2365]中指定。
Service discovery in general, as well as discovery of DNS servers using LLMNR in particular, is outside the scope of this document, as is name resolution over non-multicast capable media.
一般来说,服务发现以及使用LLMNR发现DNS服务器不在本文档的范围内,非多播媒体上的名称解析也不在本文档的范围内。
In this document, several words are used to signify the requirements of the specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
在本文件中,使用了几个词来表示规范的要求。本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
This document assumes familiarity with DNS terminology defined in [RFC1035]. Other terminology used in this document includes:
本文档假设您熟悉[RFC1035]中定义的DNS术语。本文件中使用的其他术语包括:
Routable Address An address other than a link-local address. This includes globally routable addresses, as well as private addresses.
可路由地址链路本地地址以外的地址。这包括全局可路由地址以及专用地址。
Reachable An LLMNR responder considers one of its addresses reachable over a link if it will respond to an Address Resolution Protocol (ARP) or Neighbor Discovery query for that address received on that link.
可到达如果LLMNR响应程序将响应地址解析协议(ARP)或在该链路上接收到的地址的邻居发现查询,则LLMNR响应程序认为其地址之一可通过链路到达。
Responder A host that listens to LLMNR queries, and responds to those for which it is authoritative.
响应程序侦听LLMNR查询并响应其权威查询的主机。
Sender A host that sends an LLMNR query.
发送方发送LLMNR查询的主机。
UNIQUE There are some scenarios when multiple responders may respond to the same query. There are other scenarios when only one responder may respond to a query. Names for which only a single responder is anticipated are referred to as UNIQUE. Name uniqueness is configured on the responder, and therefore uniqueness verification is the responder's responsibility.
在某些情况下,多个响应者可能会响应同一查询。在其他情况下,只有一个响应者可以响应查询。预期只有一个响应者的名称称为唯一。名称唯一性是在响应程序上配置的,因此唯一性验证是响应程序的责任。
LLMNR queries are sent to and received on port 5355. The IPv4 link-scope multicast address a given responder listens to, and to which a sender sends queries, is 224.0.0.252. The IPv6 link-scope multicast address a given responder listens to, and to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.
LLMNR查询发送到端口5355并在端口5355上接收。给定响应程序侦听并向其发送查询的IPv4链路作用域多播地址为224.0.0.252。给定响应程序侦听并向其发送所有查询的IPv6链路作用域多播地址为FF02:0:0:0:0:0:1:3。
Typically, a host is configured as both an LLMNR sender and a responder. A host MAY be configured as a sender, but not a responder. However, a host configured as a responder MUST act as a sender, if only to verify the uniqueness of names as described in Section 4. This document does not specify how names are chosen or configured. This may occur via any mechanism, including DHCPv4 [RFC2131] or DHCPv6 [RFC3315].
通常,主机被配置为LLMNR发送方和响应方。主机可以配置为发送方,但不能配置为响应方。但是,配置为响应者的主机必须充当发送者,如果只是为了验证名称的唯一性,如第4节所述。本文档未指定如何选择或配置名称。这可能通过任何机制发生,包括DHCPv4[RFC2131]或DHCPv6[RFC3315]。
A typical sequence of events for LLMNR usage is as follows:
LLMNR使用的典型事件序列如下:
(a) An LLMNR sender sends an LLMNR query to the link-scope multicast address(es), unless a unicast query is indicated, as specified in Section 2.4.
(a) LLMNR发送方向链路作用域多播地址发送一个LLMNR查询,除非按照第2.4节的规定指示了单播查询。
(b) A responder responds to this query only if it is authoritative for the name in the query. A responder responds to a multicast query by sending a unicast UDP response to the sender. Unicast queries are responded to as indicated in Section 2.4.
(b) 只有当响应者对查询中的名称具有权威性时,响应者才会响应此查询。响应者通过向发送者发送单播UDP响应来响应多播查询。如第2.4节所示,对单播查询进行响应。
(c) Upon reception of the response, the sender processes it.
(c) 接收到响应后,发送方将对其进行处理。
The sections that follow provide further details on sender and responder behavior.
以下各节提供了有关发送者和响应者行为的更多详细信息。
LLMNR is based on the DNS packet format defined in [RFC1035] Section 4 for both queries and responses. LLMNR implementations SHOULD send UDP queries and responses only as large as are known to be permissible without causing fragmentation. When in doubt, a maximum packet size of 512 octets SHOULD be used. LLMNR implementations MUST accept UDP queries and responses as large as the smaller of the link MTU or 9194 octets (Ethernet jumbo frame size of 9KB (9216) minus 22 octets for the header, VLAN tag and Cyclic Redundancy Check (CRC)).
LLMNR基于[RFC1035]第4节中为查询和响应定义的DNS数据包格式。LLMNR实现应发送UDP查询和响应,其大小应与已知允许的大小相同,且不会导致碎片。如有疑问,应使用512个八位字节的最大数据包大小。LLMNR实现必须接受与链路MTU或9194个八位字节(9KB(9216)的以太网巨型帧大小减去22个八位字节的报头、VLAN标记和循环冗余校验(CRC))中较小者一样大的UDP查询和响应。
LLMNR queries and responses utilize the DNS header format defined in [RFC1035] with exceptions noted below:
LLMNR查询和响应使用[RFC1035]中定义的DNS报头格式,以下有例外情况:
1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode | C|TC| T| Z| Z| Z| Z| RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode | C|TC| T| Z| Z| Z| Z| RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where:
哪里:
ID A 16-bit identifier assigned by the program that generates any kind of query. This identifier is copied from the query to the response and can be used by the sender to match responses to outstanding queries. The ID field in a query SHOULD be set to a pseudo-random value. For advice on generation of pseudo-random values, please consult [RFC4086].
ID由生成任何类型查询的程序分配的16位标识符。此标识符从查询复制到响应,发送方可以使用它将响应与未完成的查询进行匹配。查询中的ID字段应设置为伪随机值。有关生成伪随机值的建议,请参考[RFC4086]。
QR Query/Response. A 1-bit field, which, if set, indicates that the message is an LLMNR response; if clear, then the message is an LLMNR query.
QR查询/响应。一个1位字段,如果设置该字段,则表示该消息是LLMNR响应;如果清除,则消息是LLMNR查询。
OPCODE A 4-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response. This specification defines the behavior of standard queries and responses (opcode value of zero). Future specifications may define the use of other opcodes with LLMNR. LLMNR senders and responders MUST support standard queries (opcode value of zero). LLMNR queries with unsupported OPCODE values MUST be silently discarded by responders.
操作码指定此消息中查询类型的4位字段。该值由查询的发起人设置并复制到响应中。本规范定义了标准查询和响应的行为(操作码值为零)。未来的规范可能会定义其他操作码与LLMNR的使用。LLMNR发送方和响应方必须支持标准查询(操作码值为零)。具有不受支持的操作码值的LLMNR查询必须由响应者以静默方式放弃。
C Conflict. When set within a query, the 'C'onflict bit indicates that a sender has received multiple LLMNR responses to this query. In an LLMNR response, if the name is considered UNIQUE, then the 'C' bit is clear; otherwise, it is set. LLMNR senders do not retransmit queries with the 'C' bit set. Responders MUST NOT respond to LLMNR queries with the 'C' bit set, but may start the uniqueness verification process, as described in Section 4.2.
C冲突。在查询中设置时,“C”onflict位表示发送方已收到对此查询的多个LLMNR响应。在LLMNR响应中,如果名称被认为是唯一的,则“C”位是明确的;否则,它将被设置。LLMNR发送方不会重新传输设置了“C”位的查询。响应者不得使用“C”位集响应LLMNR查询,但可以启动唯一性验证过程,如第4.2节所述。
TC TrunCation. The 'TC' bit specifies that this message was truncated due to length greater than that permitted on the transmission channel. The 'TC' bit MUST NOT be set in an LLMNR query and, if set, is ignored by an LLMNR responder. If the 'TC' bit is set in an LLMNR response, then the sender SHOULD resend the LLMNR query over TCP using the unicast address of the responder as the destination address. If the sender receives a response to the TCP query, then it SHOULD discard the UDP response with the TC bit set. See [RFC2181] and Section 2.4 of this specification for further discussion of the 'TC' bit.
TC截断。“TC”位指定由于长度大于传输通道上允许的长度,此消息被截断。“TC”位不能在LLMNR查询中设置,如果设置,LLMNR响应程序将忽略该位。如果在LLMNR响应中设置了“TC”位,则发送方应使用响应方的单播地址作为目标地址,通过TCP重新发送LLMNR查询。如果发送方接收到对TCP查询的响应,则应丢弃设置了TC位的UDP响应。有关“TC”位的进一步讨论,请参见[RFC2181]和本规范第2.4节。
T Tentative. The 'T'entative bit is set in a response if the responder is authoritative for the name, but has not yet verified the uniqueness of the name. A responder MUST ignore the 'T' bit in a query, if set. A response with the 'T' bit
这不是试探性的。如果响应程序对名称具有权威性,但尚未验证名称的唯一性,则在响应中设置“T”表示位。响应程序必须忽略查询中的“T”位(如果已设置)。带有“T”位的响应
set is silently discarded by the sender, except if it is a uniqueness query, in which case, a conflict has been detected and a responder MUST resolve the conflict as described in Section 4.1.
除非是唯一性查询,否则发送方会自动放弃集合,在这种情况下,已检测到冲突,响应方必须按照第4.1节中的说明解决冲突。
Z Reserved for future use. Implementations of this specification MUST set these bits to zero in both queries and responses. If these bits are set in a LLMNR query or response, implementations of this specification MUST ignore them. Since reserved bits could conceivably be used for different purposes than in DNS, implementers are advised not to enable processing of these bits in an LLMNR implementation starting from a DNS code base.
Z保留供将来使用。此规范的实现必须在查询和响应中将这些位设置为零。如果在LLMNR查询或响应中设置了这些位,则此规范的实现必须忽略它们。由于可以想象保留比特可用于不同于DNS中的目的,因此建议实现者不要在LLMNR实现中从DNS代码基开始对这些比特进行处理。
RCODE Response code. This 4-bit field is set as part of LLMNR responses. In an LLMNR query, the sender MUST set RCODE to zero; the responder ignores the RCODE and assumes it to be zero. The response to a multicast LLMNR query MUST have RCODE set to zero. A sender MUST silently discard an LLMNR response with a non-zero RCODE sent in response to a multicast query.
RCODE响应代码。此4位字段设置为LLMNR响应的一部分。在LLMNR查询中,发送方必须将RCODE设置为零;响应程序忽略RCODE并假定它为零。对多播LLMNR查询的响应必须将RCODE设置为零。发送方必须静默地放弃LLMNR响应,该响应包含响应多播查询而发送的非零RCODE。
If an LLMNR responder is authoritative for the name in a multicast query, but an error is encountered, the responder SHOULD send an LLMNR response with an RCODE of zero, no RRs in the answer section, and the TC bit set. This will cause the query to be resent using TCP, and allow the inclusion of a non-zero RCODE in the response to the TCP query. Responding with the TC bit set is preferable to not sending a response, since it enables errors to be diagnosed. This may be required, for example, when an LLMNR query includes a TSIG RR in the additional section, and the responder encounters a problem that requires returning a non-zero RCODE. TSIG error conditions defined in [RFC2845] include a TSIG RR in an unacceptable position (RCODE=1) or a TSIG RR that does not validate (RCODE=9 with TSIG ERROR 17 (BADKEY) or 16 (BADSIG)).
如果LLMNR响应程序对多播查询中的名称具有权威性,但遇到错误,则响应程序应发送RCODE为零的LLMNR响应,应答部分中没有RRs,并且设置了TC位。这将导致使用TCP重新发送查询,并允许在对TCP查询的响应中包含非零RCODE。使用TC位集进行响应比不发送响应更可取,因为它可以诊断错误。例如,当LLMNR查询在附加部分中包含TSIG RR,并且响应程序遇到需要返回非零RCODE的问题时,可能需要这样做。[RFC2845]中定义的TSIG错误条件包括位于不可接受位置的TSIG RR(RCODE=1)或未验证的TSIG RR(RCODE=9,TSIG错误17(BADKEY)或16(BADSIG))。
Since LLMNR responders only respond to LLMNR queries for names for which they are authoritative, LLMNR responders MUST NOT respond with an RCODE of 3; instead, they should not respond at all.
由于LLMNR响应者仅对其具有权威性的名称的LLMNR查询进行响应,因此LLMNR响应者不得使用RCODE 3进行响应;相反,他们根本不应该回应。
LLMNR implementations MUST support EDNS0 [RFC2671] and extended RCODE values.
LLMNR实现必须支持EDNS0[RFC2671]和扩展RCODE值。
QDCOUNT An unsigned 16-bit integer specifying the number of entries in the question section. A sender MUST place only one question into the question section of an LLMNR query. LLMNR responders MUST silently discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders MUST silently discard LLMNR responses with QDCOUNT not equal to one.
QDCOUNT一个无符号16位整数,指定问题部分中的条目数。发件人只能在LLMNR查询的问题部分中放置一个问题。LLMNR响应程序必须以静默方式放弃QDCOUNT不等于1的LLMNR查询。LLMNR发送方必须以静默方式放弃QDCOUNT不等于1的LLMNR响应。
ANCOUNT An unsigned 16-bit integer specifying the number of resource records in the answer section. LLMNR responders MUST silently discard LLMNR queries with ANCOUNT not equal to zero.
计数一个无符号16位整数,指定应答部分中的资源记录数。LLMNR响应程序必须静默地放弃ANCOUNT不等于零的LLMNR查询。
NSCOUNT An unsigned 16-bit integer specifying the number of name server resource records in the authority records section. Authority record section processing is described in Section 2.9. LLMNR responders MUST silently discard LLMNR queries with NSCOUNT not equal to zero.
NSCOUNT一个无符号16位整数,指定授权记录部分中名称服务器资源记录的数量。第2.9节描述了权限记录章节处理。LLMNR响应程序必须静默放弃NSCOUNT不等于零的LLMNR查询。
ARCOUNT An unsigned 16-bit integer specifying the number of resource records in the additional records section. Additional record section processing is described in Section 2.9.
ARCOUNT一个无符号16位整数,指定附加记录部分中的资源记录数。第2.9节描述了附加记录段处理。
A sender MAY send an LLMNR query for any legal resource record type (e.g., A, AAAA, PTR, SRV) to the link-scope multicast address. As described in Section 2.4, a sender MAY also send a unicast query.
可以将资源发送到任意一个多播地址(MNAA,一个合法的多播范围,一个合法的多播记录)。如第2.4节所述,发送方也可以发送单播查询。
The sender MUST anticipate receiving no responses to some LLMNR queries, in the event that no responders are available within the link-scope. If no response is received, a resolver treats it as a response that the name does not exist (RCODE=3 is returned). A sender can handle duplicate responses by discarding responses with a source IP address and ID field that duplicate a response already received.
如果链接范围内没有可用的响应者,发送方必须预期不会收到对某些LLMNR查询的响应。返回的名称=解析程序不存在,则将其视为响应。发送方可以通过丢弃源IP地址和ID字段与已收到的响应重复的响应来处理重复的响应。
When multiple valid LLMNR responses are received with the 'C' bit set, they SHOULD be concatenated and treated in the same manner that multiple RRs received from the same DNS server would be. However, responses with the 'C' bit set SHOULD NOT be concatenated with responses with the 'C' bit clear; instead, only the responses with the 'C' bit set SHOULD be returned. If valid LLMNR response(s) are received along with error response(s), then the error responses are silently discarded.
当使用“C”位集接收到多个有效LLMNR响应时,应将它们串联起来,并以与从同一DNS服务器接收的多个RRs相同的方式进行处理。但是,设置了“C”位的响应不应与清除了“C”位的响应串联在一起;相反,只应返回设置了“C”位的响应。如果接收到有效的LLMNR响应和错误响应,则错误响应将被自动丢弃。
Since the responder may order the RRs in the response so as to indicate preference, the sender SHOULD preserve ordering in the response to the querying application.
由于响应者可以在响应中对RRs进行排序以指示偏好,因此发送者应该在对查询应用程序的响应中保持排序。
An LLMNR response MUST be sent to the sender via unicast.
LLMNR响应必须通过单播发送给发送方。
Upon configuring an IP address, responders typically will synthesize corresponding A, AAAA and PTR RRs so as to be able to respond to LLMNR queries for these RRs. An SOA RR is synthesized only when a responder has another RR in addition to the SOA RR; the SOA RR MUST NOT be the only RR that a responder has. However, in general, whether RRs are manually or automatically created is an implementation decision.
配置IP地址后,响应者通常会合成相应的A、AAAA和PTR RRs,以便能够响应这些RRs的LLMNR查询。只有当响应者除了SOA RR之外还有另一个RR时,才会合成SOA RR;SOA RR不能是响应者拥有的唯一RR。然而,一般来说,RRs是手动创建还是自动创建是一项实施决策。
For example, a host configured to have computer name "host1" and to be a member of the "example.com" domain, with IPv4 address 192.0.2.1 and IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6, might be authoritative for the following records:
例如,配置为计算机名为“host1”并且是“example.com”域成员的主机(IPv4地址为192.0.2.1,IPv6地址为2001:0DB8::1:2:3:FF:FE:4:5:6)可能对以下记录具有权威性:
host1. IN A 192.0.2.1 IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
host1. IN A 192.0.2.1 IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
host1.example.com. IN A 192.0.2.1 IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
host1.example.com. IN A 192.0.2.1 IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
1.2.0.192.in-addr.arpa. IN PTR host1. IN PTR host1.example.com.
1.2.0.192.in-addr.arpa。在PTR主机1中。在PTR host1.example.com中。
6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. ip6.arpa IN PTR host1. (line split for formatting reasons) IN PTR host1.example.com.
6.0.5.0.4.0.E.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2。PTR主机1中的ip6.arpa。(由于格式原因而拆分行)在PTR host1.example.com中。
An LLMNR responder might be further manually configured with the name of a local mail server with an MX RR included in the "host1." and "host1.example.com." records.
LLMNR响应程序可以进一步手动配置为本地邮件服务器的名称,MX RR包含在“host1.”和“host1.example.com.”记录中。
In responding to queries:
在回答询问时:
(a) Responders MUST listen on UDP port 5355 on the link-scope multicast address(es) defined in Section 2, and on TCP port 5355 on the unicast address(es) that could be set as the source address(es) when the responder responds to the LLMNR query.
(a) 响应者必须在UDP端口5355上侦听第2节中定义的链路作用域多播地址,在TCP端口5355上侦听单播地址,当响应者响应LLMNR查询时,单播地址可以设置为源地址。
(b) Responders MUST direct responses to the port from which the query was sent. When queries are received via TCP, this is an inherent part of the transport protocol. For queries received by UDP, the responder MUST take note of the source port and use that as the destination port in the response. Responses MUST always be sent from the port to which they were directed.
(b) 响应者必须将响应定向到发送查询的端口。当通过TCP接收查询时,这是传输协议的固有部分。请注意,UDP查询必须在源端口和响应端口中使用该端口。响应必须始终从指向的端口发送。
(c) Responders MUST respond to LLMNR queries for names and addresses for which they are authoritative. This applies to both forward and reverse lookups, with the exception of queries with the 'C' bit set, which do not elicit a response.
(c) 响应者必须响应LLMNR查询,以获取其具有权威性的名称和地址。这适用于正向和反向查找,但设置了“C”位的查询除外,它不会引发响应。
(d) Responders MUST NOT respond to LLMNR queries for names for which they are not authoritative.
(d) 响应者不得对其不具有权威性的名称响应LLMNR查询。
(e) Responders MUST NOT respond using data from the LLMNR or DNS resolver cache.
(e) 响应程序不得使用LLMNR或DNS解析程序缓存中的数据进行响应。
(f) If a responder is authoritative for a name, it MUST respond with RCODE=0 and an empty answer section, if the type of query does not match an RR that the responder has.
(f) 如果响应者对名称具有权威性,则如果查询类型与响应者拥有的RR不匹配,则必须使用RCODE=0和空的应答部分进行响应。
As an example, a host configured to respond to LLMNR queries for the name "foo.example.com." is authoritative for the name "foo.example.com.". On receiving an LLMNR query for an A RR with the name "foo.example.com.", the host authoritatively responds with an A RR(s) that contain IP address(es) in the RDATA of the resource record. If the responder has an AAAA RR, but no A RR, and an A RR query is received, the responder would respond with RCODE=0 and an empty answer section.
例如,配置为响应名称为“foo.example.com.”的LLMNR查询的主机是名称为“foo.example.com.”的权威主机。当接收到一个名为“foo.example.com”的A RR的LLMNR查询时,主机会以一个A RR(在资源记录的RDATA中包含IP地址)进行授权响应。如果响应者有AAAA RR,但没有RR,并且接收到一个A RR查询,则响应者将使用RCODE=0和一个空的应答部分进行响应。
In conventional DNS terminology, a DNS server authoritative for a zone is authoritative for all the domain names under the zone apex except for the branches delegated into separate zones. Contrary to conventional DNS terminology, an LLMNR responder is authoritative only for the zone apex.
在传统DNS术语中,对区域具有权威性的DNS服务器对区域顶点下的所有域名具有权威性,但委派到单独区域的分支除外。与传统DNS术语相反,LLMNR响应程序仅对区域顶点具有权威性。
For example, the host "foo.example.com." is not authoritative for the name "child.foo.example.com." unless the host is configured with multiple names, including "foo.example.com." and "child.foo.example.com.". As a result, "foo.example.com." cannot respond to an LLMNR query for "child.foo.example.com." with RCODE=3 (authoritative name error). The purpose of limiting the name authority scope of a responder is to prevent complications that could be caused by coexistence of two or more hosts with the names representing child and parent (or grandparent) nodes in the DNS tree, for example, "foo.example.com." and "child.foo.example.com.".
例如,主机“foo.example.com.”对于名称“child.foo.example.com.”不是权威的,除非主机配置了多个名称,包括“foo.example.com.”和“child.foo.example.com.”。因此,“foo.example.com.”无法响应RCODE=3的“child.foo.example.com.”LLMNR查询(权威名称错误)。限制响应程序的名称权限范围的目的是防止由于两个或多个主机共存而导致的复杂情况,这些主机的名称代表DNS树中的子节点和父节点(或祖父母节点),例如“foo.example.com.”和“child.foo.example.com.”。
Without the restriction on authority, an LLMNR query for an A resource record for the name "child.foo.example.com." would result in two authoritative responses: RCODE=3 (authoritative name error) received from "foo.example.com.", and a requested A record from "child.foo.example.com.". To prevent this ambiguity, LLMNR-enabled hosts could perform a dynamic update of the parent (or grandparent) zone with a delegation to a child zone; for example, a host
在没有权限限制的情况下,对名为“child.foo.example.com.”的A资源记录的LLMNR查询将导致两个权威响应:从“foo.example.com.”接收的RCODE=3(权威名称错误),以及从“child.foo.example.com.”请求的A记录。为了避免这种模糊性,启用LLMNR的主机可以执行父(或祖父母)区域的动态更新,并将其委派给子区域;例如,主机
"child.foo.example.com." could send a dynamic update for the NS and glue A record to "foo.example.com.". However, this approach significantly complicates implementation of LLMNR and would not be acceptable for lightweight hosts.
“child.foo.example.com.”可以发送NS的动态更新,并将记录粘贴到“foo.example.com.”。然而,这种方法大大使LLMNR的实现复杂化,对于轻量级主机来说是不可接受的。
Unicast queries SHOULD be sent when:
应在以下情况下发送单播查询:
(a) A sender repeats a query after it received a response with the TC bit set to the previous LLMNR multicast query, or
(a) 发送方在收到TC位设置为前一个LLMNR多播查询的响应后重复查询,或
(b) The sender queries for a PTR RR of a fully formed IP address within the "in-addr.arpa" or "ip6.arpa" zones.
(b) 发送方在“in addr.arpa”或“ip6.arpa”区域内查询完整格式IP地址的PTR RR。
Unicast LLMNR queries MUST be done using TCP and the responses MUST be sent using the same TCP connection as the query. Senders MUST support sending TCP queries, and responders MUST support listening for TCP queries. If the sender of a TCP query receives a response to that query not using TCP, the response MUST be silently discarded.
单播LLMNR查询必须使用TCP完成,并且必须使用与查询相同的TCP连接发送响应。发送方必须支持发送TCP查询,响应方必须支持侦听TCP查询。如果TCP查询的发送方接收到对该查询的响应而未使用TCP,则必须以静默方式放弃该响应。
Unicast UDP queries MUST be silently discarded.
必须以静默方式放弃单播UDP查询。
A unicast PTR RR query for an off-link address will not elicit a response, but instead, an ICMP Time to Live (TTL) or Hop Limit exceeded message will be received. An implementation receiving an ICMP message in response to a TCP connection setup attempt can return immediately, treating this as a response that no such name exists (RCODE=3 is returned). An implementation that cannot process ICMP messages MAY send multicast UDP queries for PTR RRs. Since TCP implementations will not retransmit prior to RTOmin, a considerable period will elapse before TCP retransmits multiple times, resulting in a long timeout for TCP PTR RR queries sent to an off-link destination.
对于断开链路地址的单播PTR RR查询不会引发响应,而是会收到ICMP生存时间(TTL)或超出跃点限制的消息。为响应TCP连接设置尝试而接收ICMP消息的实现可以立即返回,并将其视为不存在此类名称的响应(返回RCODE=3)。无法处理ICMP消息的实现可能会发送PTR RRs的多播UDP查询。由于TCP实现不会在RTOmin之前重新传输,因此在TCP多次重新传输之前需要相当长的一段时间,从而导致发送到断开链接的目的地的TCP PTR RR查询超时很长。
A sender MUST select a source address for LLMNR queries that is assigned on the interface on which the query is sent. The destination address of an LLMNR query MUST be a link-scope multicast address or a unicast address.
发送方必须为LLMNR查询选择源地址,该地址在发送查询的接口上分配。LLMNR查询的目标地址必须是链路作用域多播地址或单播地址。
A responder MUST select a source address for responses that is assigned on the interface on which the query was received. The destination address of an LLMNR response MUST be a unicast address.
响应者必须为在接收查询的接口上分配的响应选择源地址。LLMNR响应的目标地址必须是单播地址。
On receiving an LLMNR query, the responder MUST check whether it was sent to an LLMNR multicast addresses defined in Section 2. If it was sent to another multicast address, then the query MUST be silently discarded.
在收到LLMNR查询时,响应者必须检查该查询是否发送到第2节中定义的LLMNR多播地址。如果该查询被发送到另一个多播地址,则必须以静默方式放弃该查询。
Section 2.4 discusses use of TCP for LLMNR queries and responses. In composing an LLMNR query using TCP, the sender MUST set the Hop Limit field in the IPv6 header and the TTL field in the IPv4 header of the response to one (1). The responder SHOULD set the TTL or Hop Limit settings on the TCP listen socket to one (1) so that SYN-ACK packets will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This prevents an incoming connection from off-link since the sender will not receive a SYN-ACK from the responder.
第2.4节讨论了在LLMNR查询和响应中使用TCP。在使用TCP编写LLMNR查询时,发送方必须将响应的IPv6标头中的跃点限制字段和IPv4标头中的TTL字段设置为一(1)。响应程序应将TCP侦听套接字上的TTL或跃点限制设置设置为一(1),以便SYN-ACK数据包将TTL(IPv4)或跃点限制(IPv6)设置为一(1)。这可以防止来自断开链接的传入连接,因为发送方不会从响应方接收SYN-ACK。
For UDP queries and responses, the Hop Limit field in the IPv6 header and the TTL field in the IPV4 header MAY be set to any value. However, it is RECOMMENDED that the value 255 be used for compatibility with early implementations of [RFC3927].
对于UDP查询和响应,IPv6标头中的跃点限制字段和IPV4标头中的TTL字段可以设置为任何值。但是,建议使用值255与[RFC3927]的早期实现兼容。
Implementation note:
实施说明:
In the sockets API for IPv4 [POSIX], the IP_TTL and IP_MULTICAST_TTL socket options are used to set the TTL of outgoing unicast and multicast packets. The IP_RECVTTL socket option is available on some platforms to retrieve the IPv4 TTL of received packets with recvmsg(). [RFC3542] specifies similar options for setting and retrieving the IPv6 Hop Limit.
在IPv4[POSIX]的套接字API中,IP_TTL和IP_MULTICAST_TTL套接字选项用于设置传出单播和多播数据包的TTL。IP_RECVTTL socket选项在某些平台上可用,用于使用recvmsg()检索接收数据包的IPv4 TTL。[RFC3542]指定用于设置和检索IPv6跃点限制的类似选项。
It is the responsibility of the responder to ensure that RRs returned in LLMNR responses MUST only include values that are valid on the local interface, such as IPv4 or IPv6 addresses valid on the local link or names defended using the mechanism described in Section 4. IPv4 Link-Local addresses are defined in [RFC3927]. IPv6 Link-Local addresses are defined in [RFC4291]. In particular:
响应者有责任确保LLMNR响应中返回的RRs必须仅包含在本地接口上有效的值,如在本地链路上有效的IPv4或IPv6地址,或使用第4节中描述的机制保护的名称。IPv4链路本地地址在[RFC3927]中定义。IPv6链路本地地址在[RFC4291]中定义。特别地:
(a) If a link-scope IPv6 address is returned in a AAAA RR, that address MUST be valid on the local link over which LLMNR is used.
(a) 如果在AAAA RR中返回链路作用域IPv6地址,则该地址必须在使用LLMNR的本地链路上有效。
(b) If an IPv4 address is returned, it MUST be reachable through the link over which LLMNR is used.
(b) 如果返回IPv4地址,则必须可以通过使用LLMNR的链路访问该地址。
(c) If a name is returned (for example in a CNAME, MX, or SRV RR), the name MUST be resolvable on the local link over which LLMNR is used.
(c) 如果返回名称(例如在CNAME、MX或SRV RR中),则该名称必须可在使用LLMNR的本地链路上解析。
Where multiple addresses represent valid responses to a query, the order in which the addresses are returned is as follows:
如果多个地址表示对查询的有效响应,则返回地址的顺序如下:
(d) If the source address of the query is a link-scope address, then the responder SHOULD include a link-scope address first in the response, if available.
(d) 如果查询的源地址是链接作用域地址,则响应程序应首先在响应中包含链接作用域地址(如果可用)。
(e) If the source address of the query is a routable address, then the responder MUST include a routable address first in the response, if available.
(e) 如果查询的源地址是可路由地址,则响应程序必须首先在响应中包含可路由地址(如果可用)。
An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine when to retransmit an LLMNR query. An LLMNR sender SHOULD either estimate the LLMNR_TIMEOUT for each interface or set a reasonably high initial timeout. Suggested constants are described in Section 7.
LLMNR发送方使用超时间隔LLMNR\U timeout来确定何时重新传输LLMNR查询。LLMNR发送方应该估计每个接口的LLMNR_超时,或者设置一个合理的高初始超时。第7节介绍了建议的常数。
If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT, then a sender SHOULD repeat the transmission of the query in order to ensure that it was received by a host capable of responding to it. An LLMNR query SHOULD NOT be sent more than three times.
如果通过UDP发送的LLMNR查询未在LLMNR_超时内解析,则发送方应重复传输该查询,以确保能够响应该查询的主机收到该查询。LLMNR查询的发送次数不应超过三次。
Where LLMNR queries are sent using TCP, retransmission is handled by the transport layer. Queries with the 'C' bit set MUST be sent using multicast UDP and MUST NOT be retransmitted.
在使用TCP发送LLMNR查询的情况下,重传由传输层处理。具有“C”位集的查询必须使用多播UDP发送,并且不得重新传输。
An LLMNR sender cannot know in advance if a query sent using multicast will receive no response, one response, or more than one response. An LLMNR sender MUST wait for LLMNR_TIMEOUT if no response has been received, or if it is necessary to collect all potential responses, such as if a uniqueness verification query is being made. Otherwise, an LLMNR sender SHOULD consider a multicast query answered after the first response is received, if that response has the 'C' bit clear.
LLMNR发送方无法提前知道使用多播发送的查询是否将接收不到响应、一个响应或多个响应。如果没有收到响应,或者需要收集所有可能的响应,例如正在进行唯一性验证查询,则LLMNR发送方必须等待LLMNR_超时。否则,LLMNR发送方应考虑在收到第一响应后应答的多播查询,如果该响应具有“C”位清除。
However, if the first response has the 'C' bit set, then the sender SHOULD wait for LLMNR_TIMEOUT + JITTER_INTERVAL in order to collect all possible responses. When multiple valid answers are received, they may first be concatenated, and then treated in the same manner that multiple RRs received from the same DNS server would. A unicast query sender considers the query answered after the first response is received.
但是,如果第一个响应设置了“C”位,则发送方应等待LLMNR_超时+抖动_间隔,以便收集所有可能的响应。当接收到多个有效应答时,可以首先将它们连接起来,然后以与从同一DNS服务器接收到的多个RRs相同的方式进行处理。单播查询发送方在收到第一个响应后考虑已应答的查询。
Since it is possible for a response with the 'C' bit clear to be followed by a response with the 'C' bit set, an LLMNR sender SHOULD be prepared to process additional responses for the purposes of conflict detection, even after it has considered a query answered.
由于清除了“C”位的响应之后可能会出现设置了“C”位的响应,因此LLMNR发送方应准备处理额外的响应,以便进行冲突检测,即使在考虑已回答的查询之后也是如此。
In order to avoid synchronization, the transmission of each LLMNR query and response SHOULD be delayed by a time randomly selected from the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by responders responding with names that they have previously determined to be UNIQUE (see Section 4 for details).
为了避免同步,每个LLMNR查询和响应的传输应延迟一段时间,该时间从间隔0到间隔u随机选择。通过响应者使用其先前确定为唯一的名称进行响应,可以避免这种延迟(有关详细信息,请参阅第4节)。
The responder should insert a pre-configured TTL value in the records returned in an LLMNR response. A default value of 30 seconds is RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc networks), the TTL value may need to be reduced.
响应程序应在LLMNR响应中返回的记录中插入预配置的TTL值。建议默认值为30秒。在高度动态的环境中(如移动自组织网络),可能需要降低TTL值。
Due to the TTL minimalization necessary when caching an RRset, all TTLs in an RRset MUST be set to the same value.
由于缓存RRset时需要最小化TTL,因此RRset中的所有TTL必须设置为相同的值。
Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a concept of delegation. In LLMNR, the NS resource record type may be stored and queried for like any other type, but it has no special delegation semantics as it does in the DNS. Responders MAY have NS records associated with the names for which they are authoritative, but they SHOULD NOT include these NS records in the authority sections of responses.
与DNS不同,LLMNR是一种对等协议,没有委托的概念。在LLMNR中,NS资源记录类型可以像任何其他类型一样进行存储和查询,但它不像在DNS中那样具有特殊的委托语义。响应者可能有与其权威名称相关联的NS记录,但不应将这些NS记录包含在响应的权威部分中。
Responders SHOULD insert an SOA record into the authority section of a negative response, to facilitate negative caching as specified in [RFC2308]. The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself, and indicates how long a resolver may cache the negative answer. The owner name of the SOA record (MNAME) MUST be set to the query name. The RNAME, SERIAL, REFRESH, RETRY, and EXPIRE values MUST be ignored by senders. Negative responses without SOA records SHOULD NOT be cached.
响应者应将SOA记录插入负面响应的授权部分,以便于按照[RFC2308]中的规定进行负面缓存。此记录的TTL是根据SOA记录的最小字段的最小值和SOA本身的TTL设置的,并指示解析程序可以缓存否定答案的时间。SOA记录的所有者名称(MNAME)必须设置为查询名称。发件人必须忽略RNAME、SERIAL、REFRESH、RETRY和EXPIRE值。不应缓存没有SOA记录的否定响应。
In LLMNR, the additional section is primarily intended for use by EDNS0, TSIG, and SIG(0). As a result, unless the 'C' bit is set, senders MAY only include pseudo RR-types in the additional section of a query; unless the 'C' bit is set, responders MUST ignore the additional section of queries containing other RR types.
在LLMNR中,附加部分主要用于EDNS0、TSIG和SIG(0)。因此,除非设置了“C”位,否则发送方只能在查询的附加部分中包含伪RR类型;除非设置了“C”位,否则响应程序必须忽略包含其他RR类型的查询的附加部分。
In queries where the 'C' bit is set, the sender SHOULD include the conflicting RRs in the additional section. Since conflict notifications are advisory, responders SHOULD log information from the additional section, but otherwise MUST ignore the additional section.
在设置了“C”位的查询中,发送方应在附加部分中包含冲突的RRs。由于冲突通知是建议性的,响应者应记录附加部分的信息,否则必须忽略附加部分。
Senders MUST NOT cache RRs from the authority or additional section of a response as answers, though they may be used for other purposes, such as negative caching.
发件人不得将来自授权机构或响应的附加部分的RRs缓存为应答,尽管它们可能用于其他目的,如负面缓存。
By default, an LLMNR sender SHOULD send LLMNR queries only for single-label names. Stub resolvers supporting both DNS and LLMNR SHOULD avoid sending DNS queries for single-label names, in order to reduce unnecessary DNS queries. An LLMNR sender SHOULD NOT be enabled to send a query for any name, except where security mechanisms (described in Section 5.3) can be utilized. An LLMNR query SHOULD only be sent for the originally requested name; a searchlist is not used to form additional LLMNR queries.
默认情况下,LLMNR发送方应仅发送单个标签名称的LLMNR查询。同时支持DNS和LLMNR的存根解析程序应避免发送单个标签名称的DNS查询,以减少不必要的DNS查询。不应允许LLMNR发送方发送任何名称的查询,除非可以使用安全机制(如第5.3节所述)。LLMNR查询应仅针对最初请求的名称发送;搜索列表不用于形成其他LLMNR查询。
LLMNR is a peer-to-peer name resolution protocol that is not intended as a replacement for DNS; rather, it enables name resolution in scenarios in which conventional DNS name resolution is not possible. Where LLMNR security is not enabled as described in Section 5.3, if LLMNR is given higher priority than DNS among the enabled name resolution mechanisms, this would allow the LLMNR cache, once poisoned, to take precedence over the DNS cache. As a result, use of LLMNR as a primary name resolution mechanism is NOT RECOMMENDED.
LLMNR是一种点对点名称解析协议,不打算替代DNS;相反,它在传统DNS名称解析不可能的情况下启用名称解析。如果未按照第5.3节所述启用LLMNR安全性,则在启用的名称解析机制中,如果LLMNR的优先级高于DNS,这将允许LLMNR缓存在中毒后优先于DNS缓存。因此,不建议将LLMNR用作主要名称解析机制。
Instead, it is recommended that LLMNR be utilized as a secondary name resolution mechanism, for use in situations where hosts are not configured with the address of a DNS server, where the DNS server is unavailable or unreachable, where there is no DNS server authoritative for the name of a host, or where the authoritative DNS server does not have the desired RRs.
相反,建议将LLMNR用作辅助名称解析机制,用于主机未配置DNS服务器地址、DNS服务器不可用或不可访问、没有DNS服务器授权主机名称的情况,或者权威DNS服务器没有所需的RRs。
When LLMNR is configured as a secondary name resolution mechanism, LLMNR queries SHOULD only be sent when all of the following conditions are met:
将LLMNR配置为辅助名称解析机制时,仅当满足以下所有条件时,才应发送LLMNR查询:
(1) No manual or automatic DNS configuration has been performed. If DNS server address(es) have been configured, a host SHOULD attempt to reach DNS servers over all protocols on which DNS server address(es) are configured, prior to sending LLMNR queries. For dual-stack hosts configured with DNS server address(es) for one protocol but not another, this implies that DNS queries SHOULD be sent over the protocol configured with a DNS server, prior to sending LLMNR queries.
(1) 未执行任何手动或自动DNS配置。如果已配置DNS服务器地址,则主机应在发送LLMNR查询之前,尝试通过配置DNS服务器地址的所有协议访问DNS服务器。对于为一个协议而不是另一个协议配置了DNS服务器地址的双堆栈主机,这意味着在发送LLMNR查询之前,应通过配置了DNS服务器的协议发送DNS查询。
(2) All attempts to resolve the name via DNS on all interfaces have failed after exhausting the searchlist. This can occur because DNS servers did not respond, or because they responded to DNS queries with RCODE=3 (Authoritative Name Error) or RCODE=0, and an empty answer section. Where a single resolver call generates DNS queries for A and AAAA RRs, an implementation MAY choose not to send LLMNR queries if any of the DNS queries is successful.
(2) 在耗尽搜索列表后,通过DNS在所有接口上解析名称的所有尝试均失败。这可能是因为DNS服务器没有响应,或者是因为它们响应DNS查询时使用RCODE=3(权威名称错误)或RCODE=0,并且回答部分为空。如果单个解析器调用为a和AAAA RRs生成DNS查询,则如果任何DNS查询成功,则实现可以选择不发送LLMNR查询。
Where LLMNR is used as a secondary name resolution mechanism, its usage is in part determined by the behavior of DNS resolver implementations; robust resolver implementations are more likely to avoid unnecessary LLMNR queries.
当LLMNR用作辅助名称解析机制时,其使用部分取决于DNS解析程序实现的行为;健壮的解析器实现更有可能避免不必要的LLMNR查询。
[RFC1536] describes common DNS implementation errors and fixes. If the proposed fixes are implemented, unnecessary LLMNR queries will be reduced substantially, so implementation of [RFC1536] is recommended.
[RFC1536]介绍常见DNS实施错误和修复。如果实施了建议的修复,不必要的LLMNR查询将大大减少,因此建议实施[RFC1536]。
For example, [RFC1536] Section 1 describes issues with retransmission and recommends implementation of a retransmission policy based on round trip estimates, with exponential back-off. [RFC1536] Section 4 describes issues with failover, and recommends that resolvers try another server when they don't receive a response to a query. These policies are likely to avoid unnecessary LLMNR queries.
例如,[RFC1536]第1节描述了重传问题,并建议基于往返估计实施重传策略,并采用指数退避。[RFC1536]第4节描述了故障切换问题,并建议冲突解决程序在没有收到查询响应时尝试其他服务器。这些策略可能会避免不必要的LLMNR查询。
[RFC1536] Section 3 describes zero answer bugs, which if addressed will also reduce unnecessary LLMNR queries.
[RFC1536]第3节描述了零回答错误,如果解决这些错误,还将减少不必要的LLMNR查询。
[RFC1536] Section 6 describes name error bugs and recommended searchlist processing that will reduce unnecessary RCODE=3 (authoritative name) errors, thereby also reducing unnecessary LLMNR queries.
[RFC1536]第6节描述了名称错误错误和建议的搜索列表处理,这些错误将减少不必要的RCODE=3(权威名称)错误,从而也减少不必要的LLMNR查询。
As noted in [DNSPerf], a significant fraction of DNS queries do not receive a response, or result in negative responses due to missing inverse mappings or NS records that point to nonexistent or inappropriate hosts. Therefore, a reduction in missing records can prevent many unnecessary LLMNR queries.
如[DNSPerf]中所述,相当一部分DNS查询未收到响应,或由于缺少指向不存在或不适当主机的反向映射或NS记录而导致负面响应。因此,减少丢失记录可以防止许多不必要的LLMNR查询。
LLMNR usage MAY be configured manually or automatically on a per-interface basis. By default, LLMNR responders SHOULD be enabled on all interfaces, at all times. Where this is considered undesirable, LLMNR SHOULD be disabled, so that hosts will neither listen on the link-scope multicast address, nor will they send queries to that address.
LLMNR的使用可根据每个接口手动或自动配置。默认情况下,应始终在所有接口上启用LLMNR响应程序。如果认为这是不可取的,则应禁用LLMNR,以便主机既不会侦听链路作用域多播地址,也不会向该地址发送查询。
Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to configure LLMNR on an interface. The LLMNR Enable Option, described in [LLMNREnable], can be used to explicitly enable or disable use of LLMNR on an interface. The LLMNR Enable Option does not determine whether, or in which order, DNS itself is used for name resolution. The order in which various name resolution mechanisms should be used can be specified using the Name Service Search Option (NSSO) for DHCP [RFC2937], using the LLMNR Enable Option code carried in the NSSO data.
在实现DHCPv4或DHCPv6的情况下,可以使用DHCP选项在接口上配置LLMNR。[LLMNREnable]中描述的LLMNR Enable选项可用于显式启用或禁用在接口上使用LLMNR。LLMNR Enable选项不确定DNS本身是否用于名称解析,或以何种顺序用于名称解析。可以使用DHCP[RFC2937]的名称服务搜索选项(NSSO),使用NSSO数据中携带的LLMNR Enable选项代码,指定各种名称解析机制的使用顺序。
In situations where LLMNR is configured as a secondary name resolution protocol on a dual-stack host, behavior will be governed by both IPv4 and IPv6 configuration mechanisms. Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is possible for a dual-stack host to be configured with the address of a DNS server over IPv4, while remaining unconfigured with a DNS server suitable for use over IPv6.
在双堆栈主机上将LLMNR配置为辅助名称解析协议的情况下,行为将由IPv4和IPv6配置机制控制。由于IPv4和IPv6利用不同的配置机制,因此双栈主机可以通过IPv4配置DNS服务器的地址,同时保持与适合通过IPv6使用的DNS服务器的未配置。
In these situations, a dual-stack host will send AAAA queries to the configured DNS server over IPv4. However, an IPv6-only host unconfigured with a DNS server suitable for use over IPv6 will be unable to resolve names using DNS. Automatic IPv6 DNS configuration mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely deployed, and not all DNS servers support IPv6. Therefore, lack of IPv6 DNS configuration may be a common problem in the short term, and LLMNR may prove useful in enabling link-local name resolution over IPv6.
在这些情况下,双堆栈主机将通过IPv4向配置的DNS服务器发送AAAA查询。但是,未配置适合通过IPv6使用的DNS服务器的仅IPv6主机将无法使用DNS解析名称。自动IPv6 DNS配置机制(如[RFC3315]和[DNSDisc])尚未广泛部署,并且并非所有DNS服务器都支持IPv6。因此,缺乏IPv6 DNS配置在短期内可能是一个常见问题,而LLMNR在支持IPv6上的链路本地名称解析方面可能很有用。
Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315], IPv6-only hosts may not be configured with a DNS server. Where there is no DNS server authoritative for the name of a host or the authoritative DNS server does not support dynamic client update over IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not be able to do DNS dynamic update, and other hosts will not be able to resolve its name.
如果DHCPv4服务器可用,但DHCPv6服务器不可用[RFC3315],则仅IPv6主机不能配置DNS服务器。如果主机名没有权威DNS服务器,或者权威DNS服务器不支持通过IPv6或基于DHCPv6的动态更新进行动态客户端更新,则仅IPv6的主机将无法执行DNS动态更新,其他主机将无法解析其名称。
For example, if the configured DNS server responds to an AAAA RR query sent over IPv4 or IPv6 with an authoritative name error (RCODE=3) or RCODE=0 and an empty answer section, then an AAAA RR query sent using LLMNR over IPv6 may be successful in resolving the name of an IPv6-only host on the local link.
例如,如果配置的DNS服务器响应通过IPv4或IPv6发送的AAAA RR查询时出现权威名称错误(RCODE=3)或RCODE=0且回答部分为空,则通过IPv6使用LLMNR发送的AAAA RR查询可能成功解析本地链路上仅IPv6主机的名称。
Similarly, if a DHCPv4 server is available providing DNS server configuration, and DNS server(s) exist which are authoritative for the A RRs of local hosts and support either dynamic client update over IPv4 or DHCPv4-based dynamic update, then the names of local IPv4 hosts can be resolved over IPv4 without LLMNR. However, if no DNS server is authoritative for the names of local hosts, or the authoritative DNS server(s) do not support dynamic update, then LLMNR enables link-local name resolution over IPv4.
类似地,如果提供DNS服务器配置的DHCPv4服务器可用,并且存在对本地主机的a RRs具有权威性且支持IPv4上的动态客户端更新或基于DHCPv4的动态更新的DNS服务器,则可以通过IPv4解析本地IPv4主机的名称,而无需LLMNR。但是,如果没有DNS服务器对本地主机的名称具有权威性,或者权威DNS服务器不支持动态更新,则LLMNR将启用IPv4上的链路本地名称解析。
It is possible that DNS configuration mechanisms will go in and out of service. In these circumstances, it is possible for hosts within an administrative domain to be inconsistent in their DNS configuration.
DNS配置机制有可能进入或退出服务。在这些情况下,管理域中的主机的DNS配置可能不一致。
For example, where DHCP is used for configuring DNS servers, one or more DHCP servers can fail. As a result, hosts configured prior to the outage will be configured with a DNS server, while hosts configured after the outage will not. Alternatively, it is possible for the DNS configuration mechanism to continue functioning while configured DNS servers fail.
例如,当DHCP用于配置DNS服务器时,一个或多个DHCP服务器可能会出现故障。因此,停机前配置的主机将配置DNS服务器,而停机后配置的主机将不配置DNS服务器。或者,DNS配置机制可以在配置的DNS服务器出现故障时继续运行。
An outage in the DNS configuration mechanism may result in hosts continuing to use LLMNR even once the outage is repaired. Since LLMNR only enables link-local name resolution, this represents a degradation in capabilities. As a result, hosts without a configured DNS server may wish to periodically attempt to obtain DNS configuration if permitted by the configuration mechanism in use. In the absence of other guidance, a default retry interval of one (1) minute is RECOMMENDED.
DNS配置机制中的中断可能导致主机即使在中断修复后仍继续使用LLMNR。由于LLMNR仅启用链路本地名称解析,因此这表示性能下降。因此,如果使用的配置机制允许,没有配置DNS服务器的主机可能希望定期尝试获取DNS配置。如果没有其他指导,建议默认重试间隔为一(1)分钟。
By default, a responder SHOULD be configured to behave as though its name is UNIQUE on each interface on which LLMNR is enabled. However, it is also possible to configure multiple responders to be authoritative for the same name. For example, multiple responders MAY respond to a query for an A or AAAA type record for a cluster name (assigned to multiple hosts in the cluster).
默认情况下,应将响应程序配置为其名称在启用LLMNR的每个接口上都是唯一的。但是,也可以将多个响应程序配置为具有相同名称的权威性。例如,多个响应者可能会对集群名称(分配给集群中的多个主机)的a或AAAA类型记录的查询作出响应。
To detect duplicate use of a name, an administrator can use a name resolution utility that employs LLMNR and lists both responses and responders. This would allow an administrator to diagnose behavior and potentially intervene and reconfigure LLMNR responders that should not be configured to respond to the same name.
要检测名称的重复使用,管理员可以使用名称解析实用程序,该实用程序使用LLMNR并列出响应和响应者。这将允许管理员诊断行为,并可能干预和重新配置不应配置为响应相同名称的LLMNR响应程序。
Prior to sending an LLMNR response with the 'T' bit clear, a responder configured with a UNIQUE name MUST verify that there is no other host within the scope of LLMNR query propagation that is authoritative for the same name on that interface.
在发送清除“T”位的LLMNR响应之前,配置了唯一名称的响应程序必须验证LLMNR查询传播范围内没有其他主机对该接口上的相同名称具有权威性。
Once a responder has verified that its name is UNIQUE, if it receives an LLMNR query for that name with the 'C' bit clear, it MUST respond with the 'T' bit clear. Prior to verifying that its name is UNIQUE, a responder MUST set the 'T' bit in responses.
一旦响应程序验证其名称是唯一的,如果它收到一个LLMNR查询,该名称的“C”位清除,它必须以“T”位清除进行响应。在验证其名称是否唯一之前,响应程序必须在响应中设置“T”位。
Uniqueness verification is carried out when the host:
当主机:
- starts up or is rebooted
- 启动或重新启动
- wakes from sleep (if the network interface was inactive during sleep)
- 从睡眠中唤醒(如果网络接口在睡眠期间处于非活动状态)
- is configured to respond to LLMNR queries on an interface enabled for transmission and reception of IP traffic
- 配置为在启用IP通信传输和接收的接口上响应LLMNR查询
- is configured to respond to LLMNR queries using additional UNIQUE resource records
- 配置为使用其他唯一资源记录响应LLMNR查询
- verifies the acquisition of a new IP address and configuration on an interface
- 验证在接口上获取新IP地址和配置
To verify uniqueness, a responder MUST send an LLMNR query with the 'C' bit clear, over all protocols on which it responds to LLMNR queries (IPv4 and/or IPv6). It is RECOMMENDED that responders verify uniqueness of a name by sending a query for the name with type='ANY'.
要验证唯一性,响应程序必须通过其响应LLMNR查询的所有协议(IPv4和/或IPv6)发送一个清除“C”位的LLMNR查询。建议响应者通过发送类型为='ANY'的名称查询来验证名称的唯一性。
If no response is received, the sender retransmits the query, as specified in Section 2.7. If a response is received, the sender MUST check if the source address matches the address of any of its interfaces; if so, then the response is not considered a conflict, since it originates from the sender. To avoid triggering conflict detection, a responder that detects that it is connected to the same link on multiple interfaces SHOULD set the 'C' bit in responses.
如果没有收到响应,发送方将按照第2.7节的规定重新传输查询。如果收到响应,发送方必须检查源地址是否与其任何接口的地址匹配;如果是,则响应不被视为冲突,因为它来自发送方。为避免触发冲突检测,检测到它连接到多个接口上的同一链路的响应程序应在响应中设置“C”位。
If a response is received with the 'T' bit clear, the responder MUST NOT use the name in response to LLMNR queries received over any protocol (IPv4 or IPv6). If a response is received with the 'T' bit set, the responder MUST check if the source IP address in the response is lexicographically smaller than the source IP address in the query. If so, the responder MUST NOT use the name in response to LLMNR queries received over any protocol (IPv4 or IPv6). For the purpose of uniqueness verification, the contents of the answer section in a response is irrelevant.
如果接收到清除“T”位的响应,则响应程序不得使用该名称来响应通过任何协议(IPv4或IPv6)接收的LLMNR查询。如果接收到设置了“T”位的响应,则响应程序必须检查响应中的源IP地址是否在字典上小于查询中的源IP地址。如果是,响应者不得使用该名称来响应通过任何协议(IPv4或IPv6)接收的LLMNR查询。为了验证唯一性,响应中答案部分的内容是无关的。
Periodically carrying out uniqueness verification in an attempt to detect name conflicts is not necessary, wastes network bandwidth, and may actually be detrimental. For example, if network links are joined only briefly, and are separated again before any new communication is initiated, temporary conflicts are benign and no forced reconfiguration is required. LLMNR responders SHOULD NOT periodically attempt uniqueness verification.
为了检测名称冲突而定期执行唯一性验证是不必要的,它浪费了网络带宽,实际上可能是有害的。例如,如果网络链路只是短暂连接,并且在启动任何新通信之前再次分离,则临时冲突是良性的,不需要强制重新配置。LLMNR响应者不应定期尝试唯一性验证。
Hosts on disjoint network links may configure the same name for use with LLMNR. If these separate network links are later joined or bridged together, then there may be multiple hosts that are now on the same link, trying to use the same name.
不相交网络链路上的主机可以配置相同的名称以用于LLMNR。如果这些单独的网络链路后来连接或桥接在一起,则可能有多个主机现在位于同一链路上,试图使用相同的名称。
In order to enable ongoing detection of name conflicts, when an LLMNR sender receives multiple LLMNR responses to a query, it MUST check if the 'C' bit is clear in any of the responses. If so, the sender
为了能够持续检测名称冲突,当LLMNR发送方接收到查询的多个LLMNR响应时,它必须检查任何响应中的“C”位是否清除。如果是,发件人是谁
SHOULD send another query for the same name, type, and class, this time with the 'C' bit set, with the potentially conflicting resource records included in the additional section.
应该为相同的名称、类型和类发送另一个查询,这次设置了“C”位,在附加部分中包含潜在冲突的资源记录。
Queries with the 'C' bit set are considered advisory, and responders MUST verify the existence of a conflict before acting on it. A responder receiving a query with the 'C' bit set MUST NOT respond.
具有“C”位集的查询被视为咨询,响应者必须在对其采取行动之前验证冲突的存在。接收设置了“C”位的查询的响应程序不得响应。
If the query is for a UNIQUE name, then the responder MUST send its own query for the same name, type, and class, with the 'C' bit clear. If a response is received, the sender MUST check if the source address matches the address of any of its interfaces; if so, then the response is not considered a conflict, since it originates from the sender. To avoid triggering conflict detection, a responder that detects that it is connected to the same link on multiple interfaces SHOULD set the 'C' bit in responses.
如果查询是一个唯一的名称,那么响应程序必须发送自己的查询,以获得相同的名称、类型和类,并且清除“C”位。如果收到响应,发送方必须检查源地址是否与其任何接口的地址匹配;如果是,则响应不被视为冲突,因为它来自发送方。为避免触发冲突检测,检测到它连接到多个接口上的同一链路的响应程序应在响应中设置“C”位。
An LLMNR responder MUST NOT ignore conflicts once detected, and SHOULD log them. Upon detecting a conflict, an LLMNR responder MUST immediately stop using the conflicting name in response to LLMNR queries received over any supported protocol, if the source IP address in the response is lexicographically smaller than the source IP address in the uniqueness verification query.
LLMNR响应程序在检测到冲突后不得忽略冲突,应记录冲突。一旦检测到冲突,LLMNR响应程序必须立即停止使用冲突名称,以响应通过任何支持的协议接收的LLMNR查询,如果响应中的源IP地址在字典上小于唯一性验证查询中的源IP地址。
After stopping the use of a name, the responder MAY elect to configure a new name. However, since name reconfiguration may be disruptive, this is not required, and a responder may have been configured to respond to multiple names so that alternative names may already be available. A host that has stopped the use of a name may attempt uniqueness verification again after the expiration of the TTL of the conflicting response.
停止使用名称后,响应者可以选择配置新名称。但是,由于名称重新配置可能会造成中断,因此不需要进行此操作,并且可能已将响应程序配置为响应多个名称,以便替代名称可能已经可用。停止使用名称的主机可能会在冲突响应的TTL过期后再次尝试唯一性验证。
A multi-homed host may elect to configure LLMNR on only one of its active interfaces. In many situations, this will be adequate. However, should a host need to configure LLMNR on more than one of its active interfaces, there are some additional precautions it MUST take. Implementers who are not planning to support LLMNR on multiple interfaces simultaneously may skip this section.
多宿主主机可以选择仅在其一个活动接口上配置LLMNR。在许多情况下,这就足够了。但是,如果主机需要在其多个活动接口上配置LLMNR,则必须采取一些额外的预防措施。不打算同时在多个接口上支持LLMNR的实现者可以跳过本节。
Where a host is configured to issue LLMNR queries on more than one interface, each interface maintains its own independent LLMNR resolver cache, containing the responses to LLMNR queries.
如果主机配置为在多个接口上发出LLMNR查询,则每个接口都维护其自己的独立LLMNR解析器缓存,其中包含对LLMNR查询的响应。
A multi-homed host checks the uniqueness of UNIQUE records as described in Section 4. The situation is illustrated in Figure 1.
如第4节所述,多宿主主机检查唯一记录的唯一性。这种情况如图1所示。
---------- ---------- | | | | [A] [myhost] [myhost]
---------- ---------- | | | | [A] [myhost] [myhost]
Figure 1. Link-scope name conflict
图1。链接作用域名称冲突
In this situation, the multi-homed myhost will probe for, and defend, its host name on both interfaces. A conflict will be detected on one interface, but not the other. The multi-homed myhost will not be able to respond with a host RR for "myhost" on the interface on the right (see Figure 1). The multi-homed host may, however, be configured to use the "myhost" name on the interface on the left.
在这种情况下,多宿主myhost将在两个接口上探测并保护其主机名。将在一个接口上检测到冲突,但在另一个接口上检测不到冲突。多宿主myhost将无法在右侧界面上使用主机RR来响应“myhost”(参见图1)。但是,可以将多宿主主机配置为使用左侧界面上的“myhost”名称。
Since names are only unique per link, hosts on different links could be using the same name. If an LLMNR client sends queries over multiple interfaces, and receives responses from more than one, the result returned to the client is defined by the implementation. The situation is illustrated in Figure 2.
由于每个链接的名称都是唯一的,因此不同链接上的主机可以使用相同的名称。如果LLMNR客户端通过多个接口发送查询,并从多个接口接收响应,则返回给客户端的结果由实现定义。这种情况如图2所示。
---------- ---------- | | | | [A] [myhost] [A]
---------- ---------- | | | | [A] [myhost] [A]
Figure 2. Off-segment name conflict
图2。段外名称冲突
If host myhost is configured to use LLMNR on both interfaces, it will send LLMNR queries on both interfaces. When host myhost sends a query for the host RR for name "A", it will receive a response from hosts on both interfaces.
如果主机myhost配置为在两个接口上使用LLMNR,它将在两个接口上发送LLMNR查询。当主机myhost为主机RR发送名称“a”的查询时,它将从两个接口上的主机接收响应。
Host myhost cannot distinguish between the situation shown in Figure 2, and that shown in Figure 3, where no conflict exists.
HostMyHost无法区分图2所示的情况和图3所示的不存在冲突的情况。
[A] | | ----- ----- | | [myhost]
[A] | | ----- ----- | | [myhost]
Figure 3. Multiple paths to same host
图3。到同一主机的多条路径
This illustrates that the proposed name conflict-resolution mechanism does not support detection or resolution of conflicts between hosts on different links. This problem can also occur with DNS when a multi-homed host is connected to two different networks with separated name spaces. It is not the intent of this document to address the issue of uniqueness of names within DNS.
这说明建议的名称冲突解决机制不支持检测或解决不同链路上主机之间的冲突。当一个多宿主主机连接到两个具有分隔名称空间的不同网络时,DNS也会出现此问题。本文档的目的不是解决DNS中名称的唯一性问题。
[RFC3493] provides an API that can partially solve the name ambiguity problem for applications written to use this API, since the sockaddr_in6 structure exposes the scope within which each scoped address exists, and this structure can be used for both IPv4 (using v4-mapped IPv6 addresses) and IPv6 addresses.
[RFC3493]提供了一个API,可以部分解决为使用此API编写的应用程序的名称歧义问题,因为sockaddr_in6结构公开了每个作用域地址存在的作用域,并且此结构可用于IPv4(使用v4映射的IPv6地址)和IPv6地址。
Following the example in Figure 2, an application on 'myhost' issues the request getaddrinfo("A", ...) with ai_family=AF_INET6 and ai_flags=AI_ALL|AI_V4MAPPED. LLMNR queries will be sent from both interfaces, and the resolver library will return a list containing multiple addrinfo structures, each with an associated sockaddr_in6
按照图2中的示例,“myhost”上的应用程序发出请求getaddrinfo(“A”,…),其中ai_family=AF_INET6,ai_flags=ai_ALL | ai_V4MAPPED。将发送多个包含ADDRIN6和ADDRIN6结构的ADDRINF库,每个ADDRINF库都将包含一个ADDRIN6查询
structure. This list will thus contain the IPv4 and IPv6 addresses of both hosts responding to the name 'A'. Link-local addresses will have a sin6_scope_id value that disambiguates which interface is used to reach the address. Of course, to the application, Figures 2 and 3 are still indistinguishable, but this API allows the application to communicate successfully with any address in the list.
结构因此,此列表将包含响应名称“A”的两台主机的IPv4和IPv6地址。链路本地地址将有一个sin6_scope_id值,该值消除了用于访问地址的接口的歧义。当然,对于应用程序来说,图2和图3仍然无法区分,但此API允许应用程序与列表中的任何地址成功通信。
LLMNR is a peer-to-peer name resolution protocol designed for use on the local link. While LLMNR limits the vulnerability of responders to off-link senders, it is possible for an off-link responder to reach a sender.
LLMNR是一种设计用于本地链路的对等名称解析协议。虽然LLMNR将响应者的漏洞限制在断开链接的发送者身上,但断开链接的响应者有可能到达发送者。
In scenarios such as public "hotspots", attackers can be present on the same link. These threats are most serious in wireless networks, such as IEEE 802.11, since attackers on a wired network will require physical access to the network, while wireless attackers may mount attacks from a distance. Link-layer security, such as [IEEE-802.11i], can be of assistance against these threats if it is available.
在公共“热点”等场景中,攻击者可以出现在同一链路上。这些威胁在无线网络(如IEEE 802.11)中最为严重,因为有线网络上的攻击者需要对网络进行物理访问,而无线攻击者可能会远程发起攻击。链路层安全性,如[IEEE-802.11i],如果可用,可以帮助抵御这些威胁。
This section details security measures available to mitigate threats from on and off-link attackers.
本节详细介绍了可用于缓解链路上和链路外攻击者威胁的安全措施。
Attackers may take advantage of LLMNR conflict detection by allocating the same name, denying service to other LLMNR responders, and possibly allowing an attacker to receive packets destined for other hosts. By logging conflicts, LLMNR responders can provide forensic evidence of these attacks.
攻击者可以通过分配相同的名称、拒绝向其他LLMNR响应程序提供服务,以及可能允许攻击者接收发送给其他主机的数据包,从而利用LLMNR冲突检测。通过记录冲突,LLMNR响应者可以提供这些攻击的法医证据。
An attacker may spoof LLMNR queries from a victim's address in order to mount a denial of service attack. Responders setting the IPv6 Hop Limit or IPv4 TTL field to a value larger than one in an LLMNR UDP response may be able to reach the victim across the Internet.
攻击者可以从受害者的地址伪造LLMNR查询,以发起拒绝服务攻击。在LLMNR UDP响应中将IPv6跃点限制或IPv4 TTL字段设置为大于1的值的响应者可能能够通过Internet到达受害者。
While LLMNR responders only respond to queries for which they are authoritative, and LLMNR does not provide wildcard query support, an LLMNR response may be larger than the query, and an attacker can generate multiple responses to a query for a name used by multiple responders. A sender may protect itself against unsolicited responses by silently discarding them.
虽然LLMNR响应程序仅响应其具有权威性的查询,且LLMNR不提供通配符查询支持,但LLMNR响应可能大于查询,并且攻击者可以针对多个响应程序使用的名称对查询生成多个响应。发送方可以通过默默地丢弃未经请求的响应来保护自己。
LLMNR is designed to prevent reception of queries sent by an off-link attacker. LLMNR requires that responders receiving UDP queries check that they are sent to a link-scope multicast address. However, it is possible that some routers may not properly implement link-scope multicast, or that link-scope multicast addresses may leak into the multicast routing system. To prevent successful setup of TCP connections by an off-link sender, responders receiving a TCP SYN reply with a TCP SYN-ACK with TTL set to one (1).
LLMNR旨在防止接收断开链接的攻击者发送的查询。LLMNR要求接收UDP查询的响应程序检查它们是否发送到链路作用域多播地址。然而,一些路由器可能没有正确地实现链路作用域多播,或者链路作用域多播地址可能泄漏到多播路由系统中。为防止断开链路的发送方成功设置TCP连接,响应方接收TCP SYN应答,并将TTL设置为1(1),其中包含TCP SYN-ACK。
While it is difficult for an off-link attacker to send an LLMNR query to a responder, it is possible for an off-link attacker to spoof a response to a query (such as an A or AAAA query for a popular Internet host), and by using a TTL or Hop Limit field larger than one (1), for the forged response to reach the LLMNR sender. Since the forged response will only be accepted if it contains a matching ID field, choosing a pseudo-random ID field within queries provides some protection against off-link responders.
虽然断开链接的攻击者很难向响应者发送LLMNR查询,但断开链接的攻击者有可能伪造对查询的响应(例如针对流行Internet主机的a或AAAA查询),并通过使用大于一(1)的TTL或跃点限制字段,使伪造响应到达LLMNR发送者。由于伪造的响应只有在包含匹配的ID字段时才会被接受,因此在查询中选择伪随机ID字段可以提供一些针对断开链接响应者的保护。
When LLMNR is utilized as a secondary name resolution service, queries can be sent when DNS server(s) do not respond. An attacker can execute a denial of service attack on the DNS server(s), and then poison the LLMNR cache by responding to an LLMNR query with incorrect information. As noted in "Threat Analysis of the Domain Name System (DNS)" [RFC3833], these threats also exist with DNS, since DNS-response spoofing tools are available that can allow an attacker to respond to a query more quickly than a distant DNS server. However, while switched networks or link-layer security may make it difficult for an on-link attacker to snoop unicast DNS queries, multicast LLMNR queries are propagated to all hosts on the link, making it possible for an on-link attacker to spoof LLMNR responses without having to guess the value of the ID field in the query.
当LLMNR用作辅助名称解析服务时,可以在DNS服务器不响应时发送查询。攻击者可以在DNS服务器上执行拒绝服务攻击,然后通过使用错误信息响应LLMNR查询来毒害LLMNR缓存。如“域名系统(DNS)的威胁分析”(RFC3833)中所述,DNS也存在这些威胁,因为DNS响应欺骗工具可用,使攻击者能够比远程DNS服务器更快地响应查询。然而,虽然交换网络或链路层安全性可能使链路上的攻击者难以窥探单播DNS查询,但多播LLMNR查询会传播到链路上的所有主机,从而使链路上的攻击者能够欺骗LLMNR响应,而无需猜测查询中ID字段的值。
Since LLMNR queries are sent and responded to on the local link, an attacker will need to respond more quickly to provide its own response prior to arrival of the response from a legitimate responder. If an LLMNR query is sent for an off-link host, spoofing a response in a timely way is not difficult, since a legitimate response will never be received.
由于LLMNR查询是在本地链路上发送和响应的,因此攻击者需要更快地响应,以便在合法响应者的响应到达之前提供自己的响应。如果为断开链接的主机发送LLMNR查询,及时欺骗响应并不困难,因为永远不会收到合法响应。
This vulnerability can be reduced by limiting use of LLMNR to resolution of single-label names as described in Section 3, or by implementation of authentication (see Section 5.3).
如第3节所述,通过将LLMNR的使用限制为单个标签名称的解析,或通过实施身份验证(见第5.3节),可以减少此漏洞。
LLMNR is a peer-to-peer name resolution protocol and, as a result, is often deployed in situations where no trust model can be assumed. Where a pre-arranged security configuration is possible, the following security mechanisms may be used:
LLMNR是一种对等名称解析协议,因此通常部署在无法假设信任模型的情况下。如果可以进行预先安排的安全配置,则可以使用以下安全机制:
(a) LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0) [RFC2931] security mechanisms. "DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes the use of TSIG to secure LLMNR, based on group keys. While group keys can be used to demonstrate membership in a group, they do not protect against forgery by an attacker that is a member of the group.
(a) LLMNR实现可能支持TSIG[RFC2845]和/或SIG(0)[RFC2931]安全机制。“基于IPv6移动自组织网络的安全多播DNS的DNS名称服务”[LLMNRSec]描述了基于组密钥使用TSIG保护LLMNR。虽然组密钥可用于证明组中的成员身份,但它们不能防止作为组成员的攻击者伪造。
(b) IPsec Encapsulating Security Payload (ESP) with a NULL encryption algorithm MAY be used to authenticate unicast LLMNR queries and responses, or LLMNR responses to multicast queries. In a small network without a certificate authority, this can be most easily accomplished through configuration of a group pre-shared key for trusted hosts. As with TSIG, this does not protect against forgery by an attacker with access to the group pre-shared key.
(b) 使用空加密算法封装安全有效负载(ESP)的IPsec可用于验证单播LLMNR查询和响应,或对多播查询的LLMNR响应。在没有证书颁发机构的小型网络中,这可以通过为受信任主机配置组预共享密钥来最容易地实现。与TSIG一样,这不能防止攻击者伪造组预共享密钥。
(c) LLMNR implementations MAY support DNSSEC [RFC4033]. In order to support DNSSEC, LLMNR implementations MAY be configured with trust anchors, or they MAY make use of keys obtained from DNS queries. Since LLMNR does not support "delegated trust" (CD or AD bits), LLMNR implementations cannot make use of DNSSEC unless they are DNSSEC-aware and support validation. Unlike approaches [a] or [b], DNSSEC permits a responder to demonstrate ownership of a name, not just membership within a trusted group. As a result, it enables protection against forgery.
(c) LLMNR实现可能支持DNSSEC[RFC4033]。为了支持DNSSEC,LLMNR实现可以配置信任锚,也可以使用从DNS查询获得的密钥。由于LLMNR不支持“委托信任”(CD或AD位),LLMNR实现不能使用DNSSEC,除非它们是DNSSEC感知的并支持验证。与方法[a]或[b]不同,DNSSEC允许响应者证明名称的所有权,而不仅仅是受信任组中的成员资格。因此,它可以防止伪造。
In order to prevent responses to LLMNR queries from polluting the DNS cache, LLMNR implementations MUST use a distinct, isolated cache for LLMNR on each interface. LLMNR operates on a separate port from DNS, reducing the likelihood that a DNS server will unintentionally respond to an LLMNR query.
为了防止对LLMNR查询的响应污染DNS缓存,LLMNR实现必须在每个接口上为LLMNR使用不同的、隔离的缓存。LLMNR在与DNS不同的端口上运行,降低了DNS服务器无意中响应LLMNR查询的可能性。
If a DNS server is running on a host that supports LLMNR, the LLMNR responder on that host MUST respond to LLMNR queries only for the RRSets relating to the host on which the server is running, but MUST NOT respond for other records for which the DNS server is authoritative. DNS servers MUST NOT send LLMNR queries in order to resolve DNS queries.
如果DNS服务器在支持LLMNR的主机上运行,则该主机上的LLMNR响应程序必须仅响应与运行该服务器的主机相关的RRSET的LLMNR查询,但不得响应DNS服务器授权的其他记录。DNS服务器不得发送LLMNR查询以解析DNS查询。
This specification creates a new namespace: the LLMNR namespace.
该规范创建了一个新的名称空间:LLMNR名称空间。
In order to avoid creating any new administrative procedures, administration of the LLMNR namespace will piggyback on the administration of the DNS namespace.
为了避免创建任何新的管理过程,LLMNR命名空间的管理将依赖于DNS命名空间的管理。
The rights to use a fully qualified domain name (FQDN) within LLMNR are obtained by acquiring the rights to use that name within DNS. Those wishing to use an FQDN within LLMNR should first acquire the rights to use the corresponding FQDN within DNS. Using an FQDN within LLMNR without ownership of the corresponding name in DNS creates the possibility of conflict and therefore is discouraged.
在LLMNR中使用完全限定域名(FQDN)的权限是通过获取在DNS中使用该名称的权限获得的。希望在LLMNR中使用FQDN的用户应首先获得在DNS中使用相应FQDN的权限。在LLMNR中使用FQDN而不拥有DNS中相应名称的所有权可能会产生冲突,因此不鼓励使用FQDN。
LLMNR responders may self-allocate a name within the single-label namespace first defined in [RFC1001]. Since single-label names are not unique, no registration process is required.
LLMNR响应程序可以在[RFC1001]中首次定义的单个标签命名空间内自行分配名称。由于单个标签名称不是唯一的,因此不需要注册过程。
The following timing constants are used in this protocol; they are not intended to be user configurable.
本协议中使用了以下定时常数:;它们不是用户可配置的。
JITTER_INTERVAL 100 ms LLMNR_TIMEOUT 1 second (if set statically on all interfaces) 100 ms (IEEE 802 media, including IEEE 802.11)
抖动间隔100毫秒LLMNR\U超时1秒(如果在所有接口上静态设置)100毫秒(IEEE 802媒体,包括IEEE 802.11)
[RFC1001] NetBIOS Working Group in the Defense Advanced Research Projects Agency, Internet Activities Board, and End-to-End Services Task Force, "Protocol standard for a NetBIOS service on a TCP/UDP transport: Concepts and methods", STD 19, RFC 1001, March 1987.
[RFC1001]国防高级研究计划局、互联网活动委员会和端到端服务工作组的NetBIOS工作组,“TCP/UDP传输上NetBIOS服务的协议标准:概念和方法”,STD 19,RFC 10011987年3月。
[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[RFC1035]Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 1035,1987年11月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS Specification", RFC 2181, July 1997.
[RFC2181]Elz,R.和R.Bush,“DNS规范的澄清”,RFC 21811997年7月。
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998.
[RFC2308]Andrews,M.,“DNS查询的反向缓存(DNS NCACHE)”,RFC 2308,1998年3月。
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, August 1999.
[RFC2671]Vixie,P.,“DNS的扩展机制(EDNS0)”,RFC 26711999年8月。
[RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.
[RFC2845]Vixie,P.,Gudmundsson,O.,Eastlake 3rd,D.,和B.Wellington,“DNS秘密密钥交易认证(TSIG)”,RFC 28452000年5月。
[RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures ( SIG(0)s )", RFC 2931, September 2000.
[RFC2931]Eastlake 3rd,D.,“DNS请求和事务签名(SIG(0)s)”,RFC 29312000年9月。
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.
[RFC4291]Hinden,R.和S.Deering,“IP版本6寻址体系结构”,RFC 42912006年2月。
[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of Caching", IEEE/ACM Transactions on Networking, Volume 10, Number 5, pp. 589, October 2002.
[DNSPerf]Jung,J.,等人,“DNS性能和缓存的有效性”,IEEE/ACM网络交易,第10卷,第5期,第589页,2002年10月。
[DNSDisc] Durand, A., Hagino, I., and D. Thaler, "Well known site local unicast addresses to communicate with recursive DNS servers", Work in Progress, October 2002.
[DNSDisc]Durand,A.,Hagino,I.,和D.Thaler,“与递归DNS服务器通信的著名站点本地单播地址”,正在进行的工作,2002年10月。
[IEEE-802.11i] Institute of Electrical and Electronics Engineers, "Supplement to Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Specification for Enhanced Security", IEEE 802.11i, July 2004.
[IEEE-802.11i]电气和电子工程师协会,“系统间电信和信息交换标准的补充-局域网/城域网特定要求-第11部分:无线局域网介质访问控制(MAC)和物理层(PHY)规范:增强安全规范”,IEEE 802.11i,2004年7月。
[LLMNREnable] Guttman, E., "DHCP LLMNR Enable Option", Work in Progress, April 2002.
[LLMNREnable]Guttman,E.,“DHCP LLMNR启用选项”,正在进行的工作,2002年4月。
[LLMNRSec] Jeong, J., Park, J. and H. Kim, "DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad Hoc Networks", ICACT 2004, Phoenix Park, Korea, February 9-11, 2004.
[LLMNRSec]Jeong,J.,Park,J.和H.Kim,“基于IPv6移动adhoc网络的安全多播DNS的DNS名称服务”,ICACT 2004,凤凰城公园,韩国,2004年2月9-11日。
[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology -- Portable Operating System Interface (POSIX). Open Group Technical Standard: Base Specifications, Issue 6, December 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin
[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology -- Portable Operating System Interface (POSIX). Open Group Technical Standard: Base Specifications, Issue 6, December 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin
[RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller, "Common DNS Implementation Errors and Suggested Fixes", RFC 1536, October 1993.
[RFC1536]Kumar,A.,Postel,J.,Neuman,C.,Danzig,P.,和S.Miller,“常见DNS实现错误和建议修复”,RFC 1536,1993年10月。
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[RFC2131]Droms,R.,“动态主机配置协议”,RFC21311997年3月。
[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC 2365, July 1998.
[RFC2365]Meyer,D.,“管理范围的IP多播”,BCP 23,RFC 2365,1998年7月。
[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC 2937, September 2000.
[RFC2937]Smith,C.,“DHCP的名称服务搜索选项”,RFC 2937,2000年9月。
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3315]Droms,R.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC3315,2003年7月。
[RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. Stevens, "Basic Socket Interface Extensions for IPv6", RFC 3493, February 2003.
[RFC3493]Gilligan,R.,Thomson,S.,Bound,J.,McCann,J.,和W.Stevens,“IPv6的基本套接字接口扩展”,RFC 3493,2003年2月。
[RFC3542] Stevens, W., Thomas, M., Nordmark, E., and T. Jinmei, "Advanced Sockets Application Program Interface (API) for IPv6", RFC 3542, May 2003.
[RFC3542]Stevens,W.,Thomas,M.,Nordmark,E.,和T.Jinmei,“IPv6的高级套接字应用程序接口(API)”,RFC 3542,2003年5月。
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name System (DNS)", RFC 3833, August 2004.
[RFC3833]Atkins,D.和R.Austein,“域名系统(DNS)的威胁分析”,RFC 38332004年8月。
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration of IPv4 Link-Local Addresses", RFC 3927, May 2005.
[RFC3927]Cheshire,S.,Aboba,B.和E.Guttman,“IPv4链路本地地址的动态配置”,RFC 3927,2005年5月。
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
[RFC4033]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。
[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4086]伊斯特莱克,D.,3,席勒,J.和S.克罗克,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。
This work builds upon original work done on multicast DNS by Bill Manning and Bill Woodcock. Bill Manning's work was funded under DARPA grant #F30602-99-1-0523. The authors gratefully acknowledge their contribution to the current specification. Constructive input has also been received from Mark Andrews, Rob Austein, Randy Bush, Stuart Cheshire, Ralph Droms, Robert Elz, James Gilroy, Olafur Gudmundsson, Andreas Gustafsson, Erik Guttman, Myron Hattig, Christian Huitema, Olaf Kolkman, Mika Liljeberg, Keith Moore, Tomohide Nagashima, Thomas Narten, Erik Nordmark, Markku Savela, Mike St. Johns, Sander van Valkenburg, and Brian Zill.
这项工作建立在Bill Manning和Bill Woodcock对多播DNS所做的原始工作的基础上。比尔·曼宁的工作由DARPA拨款#F30602-99-1-0523资助。作者非常感谢他们对当前规范的贡献。马克·安德鲁斯、罗伯·奥斯汀、兰迪·布什、斯图亚特·柴郡、拉尔夫·德罗姆斯、罗伯特·埃尔兹、詹姆斯·吉尔罗伊、奥拉弗尔·古德蒙德森、安德烈亚斯·古斯塔夫松、埃里克·古特曼、迈伦·哈蒂格、克里斯蒂安·惠特马、奥拉夫·科尔克曼、米卡·利耶贝格、基思·摩尔、长岛友德、托马斯·纳腾、埃里克·诺德马克、马克·萨维拉、,迈克·圣约翰、桑德·范·瓦尔肯堡和布赖恩·齐尔。
Authors' Addresses
作者地址
Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052
伯纳德·阿博巴(Bernard Aboba)微软公司华盛顿州雷德蒙微软大道一号,邮编:98052
Phone: +1 425 706 6605 EMail: bernarda@microsoft.com
Phone: +1 425 706 6605 EMail: bernarda@microsoft.com
Dave Thaler Microsoft Corporation One Microsoft Way Redmond, WA 98052
Dave Thaler微软公司华盛顿州雷德蒙微软大道一号,邮编:98052
Phone: +1 425 703 8835 EMail: dthaler@microsoft.com
Phone: +1 425 703 8835 EMail: dthaler@microsoft.com
Levon Esibov Microsoft Corporation One Microsoft Way Redmond, WA 98052
Levon Esibov微软公司华盛顿州雷德蒙微软大道一号,邮编:98052
EMail: levone@microsoft.com
EMail: levone@microsoft.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。