Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

[Ted Lemon <mellon@fugue.com>]

Do you know of protocols that use SRV to localhost in practice?

Anyway, this is like the question of whether to trust IP addresses when
using rsh. Remember rsh?  There's a reason we don't use it anymore, even
though it was definitely useful.

Localhost over DNS is analogous.

On Sep 7, 2017 10:28 PM, "Mark Andrews" <marka@isc.org> wrote:

>
> In message <CAPt1N1kKNRU+mF-JVti_CKS25+7g5BFH8Yko53-VKgZqVreZuQ@mail.
> gmail.com>
> , Ted Lemon writes:
> > The discussion had covered the failure mode problem. There is substantial
> > agreement that it's better for a stub that issues a query for localhost
> to
> > fail than to succeed. You seem to disagree.
>
> There are lots of people that don't want to deal with ICANN politics
> and that is clouding their technical judgements.
>
> > You haven't stated a reason for disagreeing—instead you've vigorously
> > asserted that this is true. It's fine for you to do this, but if you were
> > to get your way, that would be exactly the bad outcome I want to avoid.
>
> So you want to break EVERY protocol that uses SRV to localhost.  I
> stated clearly that there is stuff that you can do with DNS that
> you can't do with /etc/hosts, NIS, etc.  One shouldn't have to
> itemise everything that will be broken because full functionality
> is not being provided.
>
> > So if there really is a problem here, it would be good for you to make it
> > clear. Your stated desire to preserve flexibility makes sense to me, but
> it
> > doesn't contradict the reason already given for *not *providing that
> > flexibility.
> >
> > Is there some *other* reason why this is important to you, or is that it?
> >
> > On Sep 7, 2017 8:06 PM, "Mark Andrews" <marka@isc.org> wrote:
> >
> > >
> > > In message <BFAECDAF-8F4B-4C8D-AB7E-1615BD54EF93@fugue.com>, Ted Lemon
> > > writes:
> > > >
> > > > On Sep 7, 2017, at 12:59 AM, Mark Andrews <marka@isc.org> wrote:
> > > > > I shouldn't BE FORCED to hard code special LOCALHOST rules into DNS
> > > > > tools.  Lookups should "just work" like they did before the root
> > > > > zone was signed.
> > > >
> > > > Because...?
> > >
> > > Because there are things you can do with localhost as a DNS zone
> > > that you can't do with /etc/hosts, NIS, etc. as they are limited
> > > to addresses only.
> > >
> > > Localhost should work just like home.arpa.  The tools we use shouldn't
> > > need special knowledge.  Special knowledge means EVERYTHING needs
> > > to be tested to see if it works with localhost as well and regular
> > > names.  That testing will get missed.  If it doesn't get missed it
> > > costs more money.  Workarounds for different behavior increases the
> > > probability of bugs being introduced as there will be seperate code
> > > paths.
> > >
> > > If I want to add a local trust anchor for localhost I will then
> > > need additional code to disable the workaround for the fact the
> > > root doesn't have a insecure delegation.
> > >
> > > Mark
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> > >
> >
> > --94eb2c05f4ca9dd1520558a42ee2
> > Content-Type: text/html; charset="UTF-8"
> > Content-Transfer-Encoding: quoted-printable
> >
> > <div dir=3D"auto">The discussion had covered the failure mode problem.
> Ther=
> > e is substantial agreement that it&#39;s better for a stub that issues a
> qu=
> > ery for localhost to fail than to succeed. You seem to disagree.<div
> dir=3D=
> > "auto"><br></div><div dir=3D"auto">You haven&#39;t stated a reason for
> disa=
> > greeing=E2=80=94instead you&#39;ve vigorously asserted that this is
> true. I=
> > t&#39;s fine for you to do this, but if you were to get your way, that
> woul=
> > d be exactly the bad outcome I want to avoid.=C2=A0</div><div
> dir=3D"auto">=
> > <br></div><div dir=3D"auto">So if there really is a problem here, it
> would =
> > be good for you to make it clear. Your stated desire to preserve
> flexibilit=
> > y makes sense to me, but it doesn&#39;t contradict the reason already
> given=
> >  for <i>not </i>providing that flexibility.=C2=A0</div><div
> dir=3D"auto"><b=
> > r></div><div dir=3D"auto">Is there some <i>other</i> reason why this is
> imp=
> > ortant to you, or is that it?</div></div><div
> class=3D"gmail_extra"><br><di=
> > v class=3D"gmail_quote">On Sep 7, 2017 8:06 PM, &quot;Mark Andrews&quot;
> &l=
> > t;<a href=3D"mailto:marka@isc.org">marka@isc.org</a>&gt; wrote:<br
> type=3D"=
> > attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
> .8ex;b=
> > order-left:1px #ccc solid;padding-left:1ex"><br>
> > In message &lt;<a href=3D"mailto:BFAECDAF-8F4B-
> 4C8D-AB7E-1615BD54EF93@fugue=
> > .com">BFAECDAF-8F4B-4C8D-AB7E-<wbr>1615BD54EF93@fugue.com</a>&gt;, Ted
> Lemo=
> > n writes:<br>
> > &gt;<br>
> > &gt; On Sep 7, 2017, at 12:59 AM, Mark Andrews &lt;<a href=3D"mailto:
> marka@=
> > isc.org">marka@isc.org</a>&gt; wrote:<br>
> > &gt; &gt; I shouldn&#39;t BE FORCED to hard code special LOCALHOST rules
> in=
> > to DNS<br>
> > &gt; &gt; tools.=C2=A0 Lookups should &quot;just work&quot; like they
> did b=
> > efore the root<br>
> > &gt; &gt; zone was signed.<br>
> > &gt;<br>
> > &gt; Because...?<br>
> > <br>
> > Because there are things you can do with localhost as a DNS zone<br>
> > that you can&#39;t do with /etc/hosts, NIS, etc. as they are limited<br>
> > to addresses only.<br>
> > <br>
> > Localhost should work just like home.arpa.=C2=A0 The tools we use
> shouldn&#=
> > 39;t<br>
> > need special knowledge.=C2=A0 Special knowledge means EVERYTHING
> needs<br>
> > to be tested to see if it works with localhost as well and regular<br>
> > names.=C2=A0 That testing will get missed.=C2=A0 If it doesn&#39;t get
> miss=
> > ed it<br>
> > costs more money.=C2=A0 Workarounds for different behavior increases
> the<br=
> > >
> > probability of bugs being introduced as there will be seperate code<br>
> > paths.<br>
> > <br>
> > If I want to add a local trust anchor for localhost I will then<br>
> > need additional code to disable the workaround for the fact the<br>
> > root doesn&#39;t have a insecure delegation.<br>
> > <br>
> > Mark<br>
> > --<br>
> > Mark Andrews, ISC<br>
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > PHONE: <a href=3D"tel:%2B61%202%209871%204742"
> value=3D"+61298714742">+61 2=
> >  9871 4742</a>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
> =C2=
> > =A0INTERNET: <a href=3D"mailto:marka@isc.org">marka@isc.org</a><br>
> > </blockquote></div></div>
> >
> > --94eb2c05f4ca9dd1520558a42ee2--
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>