IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Mark Andrews <marka@isc.org> Sun, 28 January 2018 22:26 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A23F12EC95 for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:26:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJ9u_hZQAdJc for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:26:51 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7285712ECCE for <dnsop@ietf.org>; Sun, 28 Jan 2018 14:26:51 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id E70DC3AB004; Sun, 28 Jan 2018 22:26:47 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id C47CB16003C; Sun, 28 Jan 2018 22:26:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8A4CF160080; Sun, 28 Jan 2018 22:26:47 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PNbG164YfhZe; Sun, 28 Jan 2018 22:26:47 +0000 (UTC)
Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C837D16003C; Sun, 28 Jan 2018 22:26:46 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
Date: Mon, 29 Jan 2018 09:26:44 +1100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <4E649104-80C7-47B8-A013-C7952AD433A3@isc.org>
References: <CANV=THh6bOxd_UW=TuLonWzz0KyGapkGWpMiNuu54W=45gFAvg@mail.gmail.com> <20180124205620.GZ3322@mournblade.imrryr.org> <alpine.DEB.2.11.1801251558440.5022@grey.csi.cam.ac.uk> <CAJE_bqf+GqYGFRAsXbBPymQLXoJRs_AxvVHhtcMJF1LEvTL7sQ@mail.gmail.com> <77B805CC-E8FE-4B09-A261-C5CB13707EE4@dotat.at> <CAJE_bqdCZ_vj2nncvEVpYunVmE=xxAiXqrzhu8BGxnSsLjy+3Q@mail.gmail.com> <37A9F504-A8BE-4F47-AAE9-AF2458206F03@fugue.com> <20180126201613.GK3322@mournblade.imrryr.org> <B17E9259-BC28-4861-8102-B716685C75B3@fugue.com> <20180126230343.GL3322@mournblade.imrryr.org> <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IRQPSaBLg6e67HsheVpBUauSz0k>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jan 2018 22:26:53 -0000

> On 27 Jan 2018, at 11:02 am, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>> Multiple participants in this discussion have pointed out that such
>> queries are rare.
> 
> Sigh.   Yes, such queries are rare.   The things that make those queries are the things that are vulnerable.   That such queries are rare is further evidence that responding to them when they come with NXDOMAIN is a safe choice to make.

Actually NXDOMAIN is the WRONG choice to make.  NXDOMAIN is driven by not
wanting to engage with ICANN and sort out the fact that the TLD is scoped for
local use and to deal with all the side effects of that come with that especially
when DNSSEC is in use.

10.IN-ADDR.ARPA is scoped for local use and a insecure delegation to a otherwise
empty zone works fine for it.  This is NO TECHNICAL REASON TO RETURN NXDOMAIN!

>> And, we must not forget that, absent local
>> overrides, the iterative resolvers are *already* returning NXDomain,
>> because the authoritative data from the root returns NXDomain.
> 
> That's a good point, of course.   However, I think we heard in the discussion prior to adoption that this is not in fact the default behavior for all recursive resolvers.

Local resolvers can return NODATA just as easily as NXDOMAIN by default and
that with a insecure delegation is perfectly fine.

>> Yes.  Keep the MUST for the platform library.  Downgrade the MUST for
>> the iterative resolver to a SHOULD (absent local data), and either
>> exempt DNSSEC or explain why "bogus" local NXDomain is better than
>> a cacheable validated NXDomain from the roots.
> 
> How about if it says "SHOULD" but explains what the exception is, and strongly advocates the position that only when that exception is applicable should this be treated as optional behavior.
> 
> I would say that the exception is "when answering queries for the local host" or something, but I don't understand the intricacies of your use case sufficiently to know what would satisfy it.   I thought I understood your use case to be the case where the stub resolver is on the same host as the recursive resolver, but I may have misunderstood.
> 
> The case I'm trying to exclude is the one where the recursive resolver is answering queries for hosts other than, well, localhost.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email