Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

[Warren Kumari <warren@kumari.net>]

On Thu, Sep 7, 2017 at 10:17 PM, Ted Lemon <mellon@fugue.com> wrote:
> The discussion had covered the failure mode problem. There is substantial
> agreement that it's better for a stub that issues a query for localhost to
> fail than to succeed. You seem to disagree.
>

I wonder if this is simply people talking past each other, and a lack
of agreement on what the behavior we actually want is.
When I first read the document, and at the beginning of this thread I
firmly believed that we would want an insecure delegation from the
root, but after more discussion on what we want the behavior of
'localhost' to be I've been convinced otherwise.

I think that this boils down to: It is an error to send a query for
localhost (or anything under localhost) to the DNS. The main reason
for this (at least from my reading of the thread) is a security
argument -- you want to be completely sure that 'localhost' will
always be 127.0.0.1 / ::1 / some local equivalent, and this is not a
guarantee we can expect from the DNS[0]. Because of this it is better
the have queries that accidentally *do* leak into the DNS get a
failure (NXDOMAIN) - this avoids having (security important) cases
work fine until there is an attacker.

Is this a reasonable summary? Perhaps once we agree if *is* the
behavior we want we'll have an easier time deciding exactly how...

W
[0]: Without at least DNSSEC, everyone validating, and a trusted
entity running a localhost zone.

> You haven't stated a reason for disagreeing—instead you've vigorously
> asserted that this is true. It's fine for you to do this, but if you were to
> get your way, that would be exactly the bad outcome I want to avoid.
>
> So if there really is a problem here, it would be good for you to make it
> clear. Your stated desire to preserve flexibility makes sense to me, but it
> doesn't contradict the reason already given for not providing that
> flexibility.
>
> Is there some other reason why this is important to you, or is that it?
>
> On Sep 7, 2017 8:06 PM, "Mark Andrews" <marka@isc.org> wrote:
>>
>>
>> In message <BFAECDAF-8F4B-4C8D-AB7E-1615BD54EF93@fugue.com>, Ted Lemon
>> writes:
>> >
>> > On Sep 7, 2017, at 12:59 AM, Mark Andrews <marka@isc.org> wrote:
>> > > I shouldn't BE FORCED to hard code special LOCALHOST rules into DNS
>> > > tools.  Lookups should "just work" like they did before the root
>> > > zone was signed.
>> >
>> > Because...?
>>
>> Because there are things you can do with localhost as a DNS zone
>> that you can't do with /etc/hosts, NIS, etc. as they are limited
>> to addresses only.
>>
>> Localhost should work just like home.arpa.  The tools we use shouldn't
>> need special knowledge.  Special knowledge means EVERYTHING needs
>> to be tested to see if it works with localhost as well and regular
>> names.  That testing will get missed.  If it doesn't get missed it
>> costs more money.  Workarounds for different behavior increases the
>> probability of bugs being introduced as there will be seperate code
>> paths.
>>
>> If I want to add a local trust anchor for localhost I will then
>> need additional code to disable the workaround for the fact the
>> root doesn't have a insecure delegation.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf