Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Bob Harold <rharolde@umich.edu> Fri, 02 February 2018 18:26 UTC

From: Bob Harold <rharolde@umich.edu>
Date: Fri, 2 Feb 2018 13:25:54 -0500
Message-ID: <CA+nkc8D_JUaWhW8eZ3KuMKJsyVd1ddMtFLhk5Tne1oH2eEHhZg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Andrew Sullivan <ajs@anvilwalrusden.com>, IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2739CV5IKB52dopugHYNervXiVY>

On Thu, Feb 1, 2018 at 4:26 PM, Ted Lemon <mellon@fugue.com> wrote:

> On Feb 1, 2018, at 2:48 PM, Andrew Sullivan <ajs@anvilwalrusden.com>
> wrote:
>
> As a general principle, when what the RFC says to do is not the right
> thing to do, the solution is to update the RFC, not to ignore the problem.
>
>
> I strongly agree with this (as I think or anyway hope you know)
>
>
> Yes, I will admit I was a bit surprised that you put it that way, although
> as you say, your position is more clear in your formal review of the
> document.
>
> As for why I responded to this and not to the formal review, the answer is
> that the formal review was a bit overwhelming.  You made a lot of
> assertions of fact that didn't sound like fact to me—they sounded like
> strongly-held opinion.   You are a much more experienced DNS expert than I
> am, so for me to argue you away from those opinions is a tall order—I don't
> think you've really expressed the underlying belief that is the keystone to
> the whole edifice.
>
> The problem I have is that to me it's dead obvious that the name hierarchy
> and the set of names in the DNS are not the same thing.   We've had that
> discussion before.   We even published a document about it, which hasn't
> quite made its way out of the RFC editor queue yet.   It seems to me that
> it is demonstrably the case that these two sets are disjoint.
>
> But you explain your reasoning on the basis that clearly they are the same
> set, and *that* they are the same set is left unexamined.   So if we were
> to succeed in understanding why we disagree on this point, it would be
> necessary to dig down into that.
>
> Having seen you give keynotes at the plenary, I know that you are deeply
> concerned about computer security.   The reason that I am in favor of the
> behavior I'm propounding is that I think it closes a small security gap
> through which a truck might some day be driven, to our woe.   So to me, the
> need to leave that gap, which I admit is small, open, seems inconsistent
> with what I know of you.
>
> So clearly you value this idea that localhost is a name that exists in the
> DNS, even though it doesn't exist in the DNS.   It might be fruitful to
> explore that further.   It might also be a waste of time.   I don't
> honestly know.   But that is, I think, the key to our disagreement.
>


Could someone explain the security problem?  If it really is bigger than
the problems that will be caused by changing resolvers to answer with
NXDOMAIN, then you might convince me.

-- 
Bob Harold
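[Editor's added example, not part of the thread above or of the draft's text. It sketches the two resolver behaviours the thread is arguing about so the trade-off Bob asks about can be seen concretely: a stub resolver that forwards "localhost" names upstream like any other name, beside one that answers them locally with loopback addresses and never sends them to DNS. The "gap" Ted alludes to shows up as an upstream answer for "localhost" that is not a loopback address; the cost Bob raises shows up as an upstream that returns NXDOMAIN for "localhost", which breaks the naive resolver but not the strict one. StubResolver, the upstream lookup functions and all addresses are hypothetical, constructed sample data, not real resolver or DNS behaviour.]

```python
import ipaddress
from typing import Callable, Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# What a "let localhost be localhost" policy hands back without asking DNS.
LOOPBACK = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))


def is_localhost_name(name: str) -> bool:
    """True for 'localhost' and any name under '.localhost'.

    Case-insensitive, tolerates a trailing dot, rejects empty labels.
    """
    labels = name.rstrip(".").lower().split(".")
    return bool(labels) and all(labels) and labels[-1] == "localhost"


class StubResolver:
    """Hypothetical stub resolver with an optional localhost short-circuit."""

    def __init__(self, upstream: Callable[[str], List[str]], special_case_localhost: bool):
        self.upstream = upstream
        self.special_case_localhost = special_case_localhost
        self.upstream_queries = 0  # counts what actually left the host

    def resolve(self, name: str) -> Tuple[List[Address], str]:
        if self.special_case_localhost and is_localhost_name(name):
            return list(LOOPBACK), "local"  # never forwarded to DNS
        self.upstream_queries += 1
        return [ipaddress.ip_address(a) for a in self.upstream(name)], "upstream"


def non_loopback_localhost_answers(name: str, addrs: List[Address]) -> List[Address]:
    """The gap: a localhost name that resolved to something off-host."""
    if not is_localhost_name(name):
        return []
    return [a for a in addrs if not a.is_loopback]


# Constructed sample data: an upstream where someone has published records
# for "localhost" and "app.localhost" pointing off-host (TEST-NET-3 address).
CONSTRUCTED_UPSTREAM: Dict[str, List[str]] = {
    "localhost": ["203.0.113.5"],
    "app.localhost": ["203.0.113.5"],
    "example.com": ["93.184.216.34"],
}


def constructed_upstream(name: str) -> List[str]:
    key = name.rstrip(".").lower()
    if key not in CONSTRUCTED_UPSTREAM:
        raise LookupError("NXDOMAIN: " + name)
    return CONSTRUCTED_UPSTREAM[key]


def nxdomain_upstream(name: str) -> List[str]:
    """Constructed upstream that answers NXDOMAIN for every localhost name."""
    if is_localhost_name(name):
        raise LookupError("NXDOMAIN: " + name)
    return constructed_upstream(name)


def outcome(resolver: StubResolver, name: str) -> Tuple[str, List[str]]:
    """Source of the answer and its addresses, or ('nxdomain', []) on failure."""
    try:
        addrs, src = resolver.resolve(name)
        return src, [str(a) for a in addrs]
    except LookupError:
        return "nxdomain", []


def demo() -> Tuple[Dict[str, dict], int, int]:
    """Compare the naive and strict resolvers against the off-host upstream."""
    naive = StubResolver(constructed_upstream, special_case_localhost=False)
    strict = StubResolver(constructed_upstream, special_case_localhost=True)
    report: Dict[str, dict] = {}
    for name in ("localhost", "LOCALHOST.", "app.localhost", "example.com"):
        n_addrs, n_src = naive.resolve(name)
        s_addrs, s_src = strict.resolve(name)
        report[name] = {
            "naive": (n_src, [str(a) for a in n_addrs],
                      [str(a) for a in non_loopback_localhost_answers(name, n_addrs)]),
            "strict": (s_src, [str(a) for a in s_addrs]),
        }
    return report, naive.upstream_queries, strict.upstream_queries


if __name__ == "__main__":
    report, naive_q, strict_q = demo()
    for name, r in report.items():
        print(name, r)
    print("upstream queries: naive=%d strict=%d" % (naive_q, strict_q))
    print("NXDOMAIN upstream, naive :", outcome(StubResolver(nxdomain_upstream, False), "localhost"))
    print("NXDOMAIN upstream, strict:", outcome(StubResolver(nxdomain_upstream, True), "localhost"))
```

Running it shows the naive resolver sending all four names upstream and handing back 203.0.113.5 for both "localhost" and "app.localhost", while the strict resolver answers those three names with 127.0.0.1 and ::1 and only ever queries upstream for example.com. Against the NXDOMAIN upstream the naive resolver fails to resolve "localhost" at all (the breakage Bob is worried about), and the strict one is unaffected because it never asked.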