Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Ted Lemon <> Sat, 27 January 2018 00:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C1BBE12D778 for <>; Fri, 26 Jan 2018 16:02:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id d0AN50unkQ_l for <>; Fri, 26 Jan 2018 16:02:06 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DF3C127735 for <>; Fri, 26 Jan 2018 16:02:06 -0800 (PST)
Received: by with SMTP id t78so1433579oih.4 for <>; Fri, 26 Jan 2018 16:02:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=Kp4U0boP/Wo2RsJ5qSyiGNoGzY8jepuvXDnhED9JH6M=; b=nqOwyo8kto6f/L4cf8uEmtsehYzxJIOq+x9cPVwIJAkYIS7gJqF57VjrQ/Uc5q5P05 hpYQRRvwFWfdaw7yglBjRzQQ233srwcbuKOe6MOUe//fjsfVyR6lj0lSqjWb3qVlDIvI 8f+//GcYSPNhakLj5XCqUxm/QU0HxAGk/RYlM0PcC+PN3saCjKx2GFwiJj2N0KpPdM8j R7eZ5Ia8u8ocePH6SneZapi/T5JlQdSH1KtUxzxDRbBzLEDKa56fnK5I/dMefGou/Vqa L66D+CI9o4b3EYFWWEWdFSXiZg8hEqdoK+Jnoj3jH7DnXEgQ3qi+1SsNzGyOU3EQyYsB nxzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=Kp4U0boP/Wo2RsJ5qSyiGNoGzY8jepuvXDnhED9JH6M=; b=sa4b+C4KHtoJtjriMPVko2qPe6uod8Pnbi9Ct55IYAzIKicRI2blOKcM43mUeak8sN 6c+YbtVHECRx25tivh3x4ScwROXBo79uSQbRLmYkvV1mfIpzOOItfsC5PQaRRt79Ild2 prQGlpNjzNeOBYqoTWh01LGy7SlpnjlB+2i5FVL6KeVIHwvXLfSdVIKNESdrg8CjF9cQ nKFxYVCeHEsz2XzL7X2+VnISKop9ruj85vSLwk8I5sPdgpWjtM0gWaSC+s+pKoe7sUHR j0L4sZmkwvEHT77StwXxm6I1F48noBmaGP1U9xJAk6jhCHCHjHy0Bv2NYfRWRlpYQZoe vgOg==
X-Gm-Message-State: AKwxytczJirYCW22BcFOwA/cqUxojcdQu6gQT1asShnDXTyoTcTdtBF/ l1zkWbSmoGpYu1JljDLmTpn4LiFfgsQ=
X-Google-Smtp-Source: AH8x225g/MDNxXGckw39SYIwSCkBXaX17O5070WRQ3uJb2RsZdg+rcpuo5FXoPiajbyaLSWyk7ofNQ==
X-Received: by with SMTP id l194mr1651813oig.164.1517011325363; Fri, 26 Jan 2018 16:02:05 -0800 (PST)
Received: from ?IPv6:2605:6000:e94d:3900:612f:eb3b:5b89:72af? ([2605:6000:e94d:3900:612f:eb3b:5b89:72af]) by with ESMTPSA id h16sm4661469otd.73.2018. for <> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jan 2018 16:02:04 -0800 (PST)
From: Ted Lemon <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_66EE915E-AB3D-472C-AF7A-6BA7E45CBEA0"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Fri, 26 Jan 2018 18:02:00 -0600
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 27 Jan 2018 00:02:09 -0000

On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni <> wrote:
> Multiple participants in this discussion have pointed out that such
> queries are rare.

Sigh.   Yes, such queries are rare.   The things that make those queries are the things that are vulnerable.   That such queries are rare is further evidence that responding to them when they come with NXDOMAIN is a safe choice to make.

> And, we must not forget that, absent local
> overrides, the iterative resolvers are *already* returning NXDomain,
> because the authoritative data from the root returns NXDomain.

That's a good point, of course.   However, I think we heard in the discussion prior to adoption that this is not in fact the default behavior for all recursive resolvers.

> Yes.  Keep the MUST for the platform library.  Downgrade the MUST for
> the iterative resolver to a SHOULD (absent local data), and either
> exempt DNSSEC or explain why "bogus" local NXDomain is better than
> a cacheable validated NXDomain from the roots.

How about if it says "SHOULD" but explains what the exception is, and strongly advocates the position that only when that exception is applicable should this be treated as optional behavior.

I would say that the exception is "when answering queries for the local host" or something, but I don't understand the intricacies of your use case sufficiently to know what would satisfy it.   I thought I understood your use case to be the case where the stub resolver is on the same host as the recursive resolver, but I may have misunderstood.

The case I'm trying to exclude is the one where the recursive resolver is answering queries for hosts other than, well, localhost.