Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 30 January 2018 18:59 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E441412F28A for <dnsop@ietfa.amsl.com>; Tue, 30 Jan 2018 10:59:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=ecTalYiS; dkim=pass (1024-bit key) header.d=yitter.info header.b=JLIR+mvs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MNPuw4GQo9wu for <dnsop@ietfa.amsl.com>; Tue, 30 Jan 2018 10:59:53 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145F112F26D for <dnsop@ietf.org>; Tue, 30 Jan 2018 10:59:52 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 6464ABE072 for <dnsop@ietf.org>; Tue, 30 Jan 2018 18:59:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1517338762; bh=oEAetZKVU3DEpccb4C9cfazf984fzVDihvpj+dUoxBc=; h=Date:From:To:Subject:References:In-Reply-To:From; b=ecTalYiSAx8ZRUiJwa0v0GR7PlNCuGDZDXgXlhhOhz5QsUw1nEVejfz94zK4JfJfi B1zg6wimX3TxIvfepWFcvS1D3LhJT2vWoUY+EkE58+eNsjrn+ymwKa053Rbb6HV6Ns QZ4GUhMf4aXu/5dG86NFSatIQF7dKdafoggxzrTo=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Oottq-XHxWW for <dnsop@ietf.org>; Tue, 30 Jan 2018 18:59:21 +0000 (UTC)
Date: Tue, 30 Jan 2018 13:59:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1517338761; bh=oEAetZKVU3DEpccb4C9cfazf984fzVDihvpj+dUoxBc=; h=Date:From:To:Subject:References:In-Reply-To:From; b=JLIR+mvsVbBpoL8i5/Qov289vpdTSoY2YQdLzBYb3YDZjZhRpx48O1769odABWSDh v9/c6CWmEkQgyUI7Gyzxeu23ZNn7VZpaeiw8yJO/yJZxBFgozz5FIh+YRmQaAHpIHh Faf20U0xe88lBK6Z+lE4d0F2L1Z+JQZoTc9hNoME=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20180130185919.GJ19193@mx4.yitter.info>
References: <9DCE2F63-EE37-4865-B9D6-6B79BBE05593@gmail.com> <20180129155112.GC16545@mx4.yitter.info> <5A6F5CF1.4080706@redbarn.org> <CA+nkc8D7tne5SxGOUhvJqstmDa=1=RmvcHQte1byAab5dUd5sQ@mail.gmail.com> <AE634FC4-0EAF-4F54-8860-61E41284F873@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <AE634FC4-0EAF-4F54-8860-61E41284F873@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KfaBhhjTZaRp8A6oLEkmV68tKmg>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2018 18:59:55 -0000

On Tue, Jan 30, 2018 at 11:39:31AM -0600, Ted Lemon wrote:
> 
> It is possible to produce a signed answer, because the domain doesn't exist

I think I was arguing yesterday that that is in fact not true.  The
domain (name) does exist, and it is defined in RFC 6761 precisely to
be special.  In addition,

> 
> cavall% dig @a.root-servers.net localhost
> 
> ; <<>> DiG 9.10.1b1 <<>> @a.root-servers.net localhost
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19121
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available

That answer from the root is contrary to RFC 6761 section 6.3 item 5
and maybe 6.  

Because of that same section, also, signing the answer should also not
be controversial because the answer is static.  My preference,
however, would be for the root servers to REFUSE to answer such
queries.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com