Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Bob Harold <> Fri, 02 February 2018 18:26 UTC

From: Bob Harold <>
Date: Fri, 2 Feb 2018 13:25:54 -0500
Message-ID: <>
To: Ted Lemon <>
Cc: Andrew Sullivan <>, IETF DNSOP WG <>

On Thu, Feb 1, 2018 at 4:26 PM, Ted Lemon <> wrote:

> On Feb 1, 2018, at 2:48 PM, Andrew Sullivan <>
> wrote:
>
>>> As a general principle, when what the RFC says to do is not the right
>>> thing to do, the solution is to update the RFC, not to ignore the problem.
>>
>> I strongly agree with this (as I think or anyway hope you know)
>
> Yes, I will admit I was a bit surprised that you put it that way, although
> as you say, your position is more clear in your formal review of the
> document.
>
> As for why I responded to this and not to the formal review, the answer is
> that the formal review was a bit overwhelming.  You made a lot of
> assertions of fact that didn't sound like fact to me—they sounded like
> strongly-held opinion.   You are a much more experienced DNS expert than I
> am, so for me to argue you away from those opinions is a tall order—I don't
> think you've really expressed the underlying belief that is the keystone to
> the whole edifice.
>
> The problem I have is that to me it's dead obvious that the name hierarchy
> and the set of names in the DNS are not the same thing.   We've had that
> discussion before.   We even published a document about it, which hasn't
> quite made its way out of the RFC editor queue yet.   It seems to me that
> it is demonstrably the case that these two sets are disjoint.
>
> But you explain your reasoning on the basis that clearly they are the same
> set, and *that* they are the same set is left unexamined.   So if we were
> to succeed in understanding why we disagree on this point, it would be
> necessary to dig down into that.
>
> Having seen you give keynotes at the plenary, I know that you are deeply
> concerned about computer security.   The reason that I am in favor of the
> behavior I'm propounding is that I think it closes a small security gap
> through which a truck might some day be driven, to our woe.   So to me, the
> need to leave that gap, which I admit is small, open, seems inconsistent
> with what I know of you.
>
> So clearly you value this idea that localhost is a name that exists in the
> DNS, even though it doesn't exist in the DNS.   It might be fruitful to
> explore that further.   It might also be a waste of time.   I don't
> honestly know.   But that is, I think, the key to our disagreement.

Could someone explain the security problem?  If it really is bigger than
the problems that will be caused by changing resolvers to answer with
NXDOMAIN, then you might convince me.

Bob Harold
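[Editor's note, added to the archive page and not part of the thread or of the draft's text. The two behaviours under discussion are (a) a stub resolver answering "localhost" and names under ".localhost." with loopback addresses locally, without consulting the DNS, and (b) a recursive resolver returning NXDOMAIN for those names. The example below contrasts a stub that forwards everything to the DNS with one that follows rule (a), using a constructed fake DNS that returns a non-loopback address for "localhost" (standing in for a misconfigured or spoofed answer), and shows rule (b) on the recursive side. The function names, the fake DNS and its addresses are this example's own assumptions; nothing here is the draft's or any resolver's real code.]

```python
import ipaddress

# Loopback answers a localhost-aware stub hands back without touching the DNS.
LOOPBACK_V4 = ipaddress.ip_address("127.0.0.1")
LOOPBACK_V6 = ipaddress.ip_address("::1")


def is_localhost_name(name: str) -> bool:
    """True for 'localhost' and any name whose last label is 'localhost'.

    Case-insensitive; a trailing dot (fully-qualified form) is accepted.
    'localhost.example.com' is NOT a localhost name: its last label is 'com'.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "localhost"


def resolve_naive(name: str, dns_lookup):
    """Stub that forwards every name, 'localhost' included, to the DNS and
    trusts whatever comes back.  This is the gap: a DNS answer decides where
    'localhost' points."""
    return [ipaddress.ip_address(a) for a in dns_lookup(name)]


def resolve_localhost_aware(name: str, dns_lookup):
    """Stub following rule (a): localhost names never leave the host and
    always resolve to loopback, regardless of what any DNS server says."""
    if is_localhost_name(name):
        return [LOOPBACK_V4, LOOPBACK_V6]
    return [ipaddress.ip_address(a) for a in dns_lookup(name)]


def recursive_response(name: str, upstream_lookup):
    """Recursive resolver following rule (b): localhost names get NXDOMAIN
    and are never looked up upstream; other names are resolved normally.
    Returns (rcode, addresses)."""
    if is_localhost_name(name):
        return ("NXDOMAIN", [])
    addrs = upstream_lookup(name)
    return ("NOERROR" if addrs else "NXDOMAIN", addrs)


def fake_attacker_dns(name: str):
    """Constructed stand-in for a DNS path that answers 'localhost' with a
    routable address (198.51.100.7 is documentation space, chosen for the
    example).  A real resolver or an on-path spoofer could do the same."""
    answers = {
        "localhost": ["198.51.100.7"],
        "www.example.com": ["192.0.2.10"],
    }
    return answers.get(name.rstrip(".").lower(), [])


def all_loopback(addrs) -> bool:
    """Check a practitioner would run on a stub: did 'localhost' stay local?"""
    return bool(addrs) and all(a.is_loopback for a in addrs)


def as_strings(addrs):
    return [str(a) for a in addrs]


if __name__ == "__main__":
    print("naive stub  :", as_strings(resolve_naive("localhost", fake_attacker_dns)))
    print("aware stub  :", as_strings(resolve_localhost_aware("localhost", fake_attacker_dns)))
    print("recursive   :", recursive_response("app.localhost.", fake_attacker_dns))
```

With the naive stub, the constructed DNS answer sends "localhost" off-host; with the localhost-aware stub the same answer is never solicited, so it cannot matter. The recursive side returns NXDOMAIN for "app.localhost." without an upstream query, which is the behaviour Bob's message weighs against the operational cost of changing resolvers.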