6 Global Discovery Server

6.2 Network Architectures

6.2.5 Domain Names and MulticastSubnets

The mDNS specification requires that fully qualified domain names be announced on the network. If a Server is not configured with a fully qualified domain name, then mDNS requires that the ‘local’ top level domain be appended to the domain name. The ‘local’ top level domain indicates that the domain can only be considered unique within the subnet where the domain name was used. This means Clients need to be aware that URLs received from any LDS-ME other than the one on the Client’s machine could contain ‘local’ domains which are either not reachable or resolve to a different machine with the same domain name that happens to be on the same subnet as the Client. It is recommended that Clients ignore all URLs with the ‘local’ top level domain unless they are returned from the LDS-ME running on the same machine.

System administrators can eliminate this problem by configuring a normal DNS with the fully qualified domain names for all machines which need to be accessed by Clients outside the MulticastSubnet.

Servers configured with fully qualified domain names should specify the fully qualified domain name in their ApplicationInstance Certificate. Servers shall not specify domains with the ‘local’ top level domain in their Certificate. Clients using a URL returned from an LDS-ME shall ignore the ‘local’ top level domain when checking the domain against the Server Certificate.

Note that domain name validation is a necessary but not sufficient check against rogue Servers or man-in-the-middle attacks when Server Certificates do not contain fully qualified domain names. The Certificate trust relationship established by administrators is the primary mechanism used to protect against these risks.
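The Client-side rules above (ignore ‘local’ URLs unless they come from the LDS-ME on the same machine, reject Certificates that carry a ‘local’ name, and drop the ‘local’ top level domain before comparing a URL host with the Certificate's domains) as an added example in Python; this is not code from the OPC UA specification, and the opc.tcp URLs, host names and Certificate domain lists are constructed for illustration.

```python
from urllib.parse import urlsplit

LOCAL_TLD = "local"  # mDNS top level domain that is only unique within one MulticastSubnet


def hostname_of(url: str) -> str:
    """Lower-cased host part of a discovery URL, e.g. opc.tcp://plc1.local:4840/UA -> plc1.local."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url}")
    return host.rstrip(".")


def has_local_tld(host: str) -> bool:
    """True when the name is in the 'local' top level domain (plc1.local, or just local)."""
    return host.lower().split(".")[-1] == LOCAL_TLD


def strip_local_tld(host: str) -> str:
    """Drop a trailing 'local' label so plc1.local compares as plc1; other names are unchanged."""
    labels = host.lower().split(".")
    if has_local_tld(host) and len(labels) > 1:
        return ".".join(labels[:-1])
    return host.lower()


def filter_discovered_urls(urls, from_local_lds_me: bool):
    """Keep only URLs a Client may use: 'local' names are accepted only from the LDS-ME on this machine."""
    return [u for u in urls if from_local_lds_me or not has_local_tld(hostname_of(u))]


def certificate_domains_are_valid(cert_domains) -> bool:
    """Servers shall not put 'local' names in their Certificate, so such a Certificate is rejected outright."""
    return all(not has_local_tld(d) for d in cert_domains)


def url_matches_certificate(url: str, cert_domains) -> bool:
    """Compare the URL host, with any 'local' top level domain ignored, against the Certificate's domains."""
    if not certificate_domains_are_valid(cert_domains):
        return False
    host = strip_local_tld(hostname_of(url))
    return any(host == d.lower().rstrip(".") for d in cert_domains)


# Constructed sample: URLs as another machine's LDS-ME might return them (not from the specification).
DISCOVERED_URLS = ["opc.tcp://plc1.local:4840/UA", "opc.tcp://plc2.example.com:4840/UA"]

if __name__ == "__main__":
    print(filter_discovered_urls(DISCOVERED_URLS, from_local_lds_me=False))
    print(url_matches_certificate("opc.tcp://plc1.local:4840/UA", ["plc1"]))
```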
