Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Matthew Kerwin <> Mon, 05 February 2018 08:28 UTC

From: Matthew Kerwin <>
Date: Mon, 5 Feb 2018 18:28:14 +1000
To: Mark Andrews <>
Cc: Ted Lemon <>, Lanlan Pan <>, dnsop <>
List-Id: IETF DNSOP WG mailing list <>

On 5 Feb. 2018 16:52, "Mark Andrews" <> wrote:

>> On 5 Feb 2018, at 5:10 pm, Ted Lemon <> wrote:
>> On Feb 5, 2018, at 12:18 AM, Mark Andrews <> wrote:
>>> The original problem is that HTTP doesn’t specify that names learnt across the
>>> wire, including from on-disk html files, need to be treated as absolute.
>>> This is HTTP’s mess due to allowing relative names in what is transmitted over
>>> the wire.  This should be sent back to HTTP say FIX YOUR INSECURE
>> That's totally orthogonal to the question we are considering.
>
> No it is not! The browser knows where the name came from.
>
> If HTTP treated ALL NAMES AS ABSOLUTE then href="http://localhost/" would
> in EXACTLY ONE possible lookup in the DNS, /etc/hosts, NIS(YP), LDAP etc.
> Similarly href=““ won’t resolve to when run by an employee of
>
> HTTP is a security nightmare because it is specified that those names may not be
> absolute.  Fix that security hole and there is no need to touch this draft
> the reason it was brought up.

In fact it is specified that they may not be DNS names at all.  However...

RFC 3986, on which HTTP relies for the 'host' part of its URIs, says to use
"http://localhost./" for an absolute FQDN.  So it's actually the users'

But catching it somewhere convenient seems a hell of a lot less problematic
than trying to fix the users.  And catching it in DNS seems a lot less
problematic than rewriting RFC 3986 (or rewriting HTTP to not use that part
of 3986).

>> It's also nonsense.   How does HTTP, a protocol, know the source of an
>> IP address that it's been given by the name resolution API?   Does the API
>> even give you a way to tell?   What you mean is that the implementation
>> should know the difference.  This is what the document is doing.   It's
>> saying that the API should never look this name up in the DNS.
>
> SMTP all names are absolute. You call the name APIs with searching
> The implementation is broken if search is enabled.

And if it's broken, it currently fails open. This proposal makes it fail

> HTTP names may be relative. You don’t call the name APIs with searching
> and you get a security mess as a result.

It can be handy, though. "http://dev01/" or "http://dev02/" is much easier
to type.

>>> The second bugtraq issue is also HTTP’s insecure security model that
>>> take into account that addresses have scopes.  Again that is for HTTP to
>> HTTP should certainly be smart about scopes, and I would argue that
>> "machine scope" is not a scope in which connections should be assumed to be
>> trustworthy, so indeed in a sense you are right.
>> But the reason for wanting the DNS to not return answers for localhost is
>> that implementations may get this wrong, and if they do we want it to fail
>> safe.   So again, your premise is valid, but doesn't apply.
>
> Just fix the browsers.  IT IS NOT THE DNS’S JOB TO FIX UP HTTP’S MESS
> and in doing so BREAK OTHER THINGS!!!!!!!!!!!!

>> As for search lists, I think it's reasonable to say that search lists,
>> which are not part of the DNS protocol, should not be applied to the bare
>> label 'localhost.'   If the document said that DNS servers should treat
>> FQDNs containing the label 'localhost' specially other than when it is the
>> top-level label, that would be wrong.   But it doesn't say that.   It just
>> specifies the handling of localhost with respect to searchlists, and what
>> it says is correct and important.   If I can supply you a search list and
>> use that to trick you into connecting to a remote service rather than a
>> local one, that's a significant attack surface.
>
> Search lists should not be applied to any name learnt over the wire.

What about the name I type in the address bar?

Matthew Kerwin
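The failure mode Ted describes (a search list turning the bare label "localhost" into a remote lookup) and the check the draft asks implementations to make are small enough to show in code. The following is an added example written for this archive page; it is not code from the draft, from any browser, or from any of the people in this thread. It models the conventional stub-resolver search rule (names with fewer than `ndots` dots get the search suffixes tried first, a trailing dot makes a name absolute) with a constructed in-memory "zone" standing in for DNS, and then adds the short-circuit: "localhost", "localhost." and any name under ".localhost" (which RFC 6761 reserves) are answered with loopback before any lookup or search-list expansion happens. The zone contents, the `fake_lookup` helper and the function names are all assumptions for the example; the addresses come from the documentation ranges (192.0.2.0/24, 203.0.113.0/24).

```python
"""Search-list expansion of 'localhost' versus a hardened resolver front-end.

Added example for the DNSOP thread above; not code from the draft or from any
real resolver. FAKE_DNS is a constructed zone standing in for the network.
"""

LOOPBACK = ["127.0.0.1", "::1"]

# Constructed zone data. Anyone who controls example.com (or who can hand a
# victim a search list naming a zone they control) can publish this record.
FAKE_DNS = {
    "dev01.example.com.": ["192.0.2.10"],        # a legitimate short-name target
    "localhost.example.com.": ["203.0.113.7"],   # attacker-controlled answer
}


def fake_lookup(qname):
    """Stand-in for getaddrinfo()/a DNS query; [] means NXDOMAIN."""
    return FAKE_DNS.get(qname.lower(), [])


def is_localhost(name):
    """True for 'localhost', 'localhost.' and any name whose last label is
    'localhost' (RFC 6761 reserves the whole .localhost subtree).
    Empty labels ('a..localhost') are rejected as malformed."""
    labels = name.rstrip(".").lower().split(".")
    return all(labels) and labels[-1] == "localhost"


def search_candidates(name, search, ndots=1):
    """Query names a conventional stub resolver tries, in order.

    A trailing dot marks the name absolute: only that name is tried.
    Otherwise, names with fewer than `ndots` dots get the search suffixes
    first (this is what turns 'localhost' into 'localhost.example.com.')."""
    if name.endswith("."):
        return [name]
    as_given = [name + "."]
    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    if name.count(".") >= ndots:
        return as_given + suffixed
    return suffixed + as_given


def naive_resolve(name, search, lookup=fake_lookup, ndots=1):
    """Resolver without the localhost rule. Returns (addresses, queries_sent)."""
    tried = []
    for qname in search_candidates(name, search, ndots):
        tried.append(qname)
        addrs = lookup(qname)
        if addrs:
            return addrs, tried
    return [], tried


def hardened_resolve(name, search, lookup=fake_lookup, ndots=1):
    """Same resolver with the draft's rule: localhost names never reach the
    search list or the lookup function, so a hostile zone cannot answer them."""
    if is_localhost(name):
        return list(LOOPBACK), []   # no queries sent at all
    return naive_resolve(name, search, lookup, ndots)


if __name__ == "__main__":
    search = ["example.com"]
    for host in ("localhost", "localhost.", "app.localhost", "dev01"):
        print(f"{host:15} naive    -> {naive_resolve(host, search)}")
        print(f"{host:15} hardened -> {hardened_resolve(host, search)}")
```

With the search list set to example.com, `naive_resolve("localhost", ...)` sends `localhost.example.com.` first and comes back with the attacker's 203.0.113.7; the hardened path returns loopback and sends nothing. The short names Matthew mentions still work through the search list (`dev01` resolves via `dev01.example.com.`), because the rule only intercepts names whose last label is `localhost`. Note that the absolute form `localhost.` is what RFC 3986 would have the author write, and in the naive resolver it at least avoids the search list, but it still goes out as a DNS query unless the resolver itself special-cases it.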