Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

[Matthew Kerwin <matthew@kerwin.net.au>]

On 5 Feb. 2018 16:52, "Mark Andrews" <marka@isc.org> wrote:


> On 5 Feb 2018, at 5:10 pm, Ted Lemon <mellon@fugue.com> wrote:
>
> On Feb 5, 2018, at 12:18 AM, Mark Andrews <marka@isc.org> wrote:
>> The original problem is that HTTP doesn’t specify that names learn
across the
>> wire, including from on disk html files, need to be treated as absolute
names.
>> This is HTTP’s mess due to allowing relative names in what is
transmitted over
>> the wire.  This should be sent back to HTTP say FIX YOUR INSECURE
PROTOCOL.
>
> That's totally orthogonal to the question we are considering.

No it is not! The browser knows where the name came from.

If HTTP treated ALL NAMES AS ABSOLUTE then href="http://localhost/" would
result
in EXACTLY ONE possible lookup in the DNS, /etc/hosts, NIS(YP), LDAP etc.
Similarly href=“http://some.partially.complete.name/“ won’t resolve to
some.partially.complete.name.example.com when run by a employee of
example.com.

HTTP is a security nightmare because it is specified that those names may
not be
absolute.  Fix that security hole and there is no need to touch this draft
for
the reason it was brought up.


In fact it is specified that they may not be DNS names at all.  However...

RFC 3986, on which HTTP relies for the 'host' part of its URIs, says to use
"http://localhost./" for an absolute FQDN.  So it's actually the users'
problem.

But catching it somewhere convenient seems a hell of a lot less problematic
than trying to fix the users.  And catching it in DNS seems a lot less
problematic than rewriting RFC 3986 (or rewriting HTTP to not use that part
of 3986).


>   It's also nonsense.   How does HTTP, a protocol, know the source of an
IP address that it's been given by the name resolution API?   Does the API
even give you a way to tell?   What you mean is that the implementation
should know the difference.  This is what the document is doing.   It's
saying that the API should never look this name up in the DNS.

SMTP all names are absolute. You call the name API’s with searching
disabled.
The implementation is broken is search is enabled.


And if it's broken, it currently fails open. This proposal makes it fail
closed.


HTTP names may be relative. You don’t call the name API’s with searching
disabled
and you get a security mess as a result.

STOP SEARCHING!!!!  IT IS NOT NEEDED.


It can be handy, though. "http://dev01/" or "http://dev02/" is much easier
to type.


>> The second bugtraq issue is also HTTP’s insecure security model that
doesn’t
>> take into account that addresses have scopes.  Again that is for HTTP to
fix.
>
> HTTP should certainly be smart about scopes, and I would argue that
"machine scope" is not a scope in which connections should be assumed to be
trustworthy, so indeed in a sense that you are right.
>
> But the reason for wanting the DNS to not return answers for localhost is
that implementations may get this wrong, and if they do we want it to fail
safe.   So again, your premise is valid, but doesn't apply.

Just fix the browsers.  IT IS NOT THE DNS’S JOB TO FIX UP HTTP’S MESS
and in doing so BREAK OTHER THINGS!!!!!!!!!!!!


> As for search lists, I think it's reasonable to say that search lists,
which are not part of the DNS protocol, should not be applied to the bare
label 'localhost.'   If the document said that DNS servers should treat
FQDNs containing the label 'localhost' specially other than when it is the
top-level label, that would be wrong.   But it doesn't say that.   It just
specifies the handling of localhost with respect to searchlists, and what
it says is correct and important.   If I can supply you a search list and
use that to trick you into connecting to a remote service rather than a
local one, that's a significant attack surface.

Search lists should not be applied to any name learnt over the wire.


What about the name I type in the address bar?

Cheers
-- 
Matthew Kerwin