Re: [DNSOP] Status of "let localhost be localhost"?

Richard Barnes <rlb@ipv.sx> Wed, 02 August 2017 12:40 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB16313207C for <dnsop@ietfa.amsl.com>; Wed, 2 Aug 2017 05:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2kB1qabVv03l for <dnsop@ietfa.amsl.com>; Wed, 2 Aug 2017 05:40:34 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41B52132070 for <dnsop@ietf.org>; Wed, 2 Aug 2017 05:40:34 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id m85so40444699wma.0 for <dnsop@ietf.org>; Wed, 02 Aug 2017 05:40:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PyQ9dJBzl39Y0bE+wPm6gLPRLAFrqh2VMnok0Kw+680=; b=AiM45TqFZ/caHzNKtS8f7bRHZ8u6mQtdMsvaLeIQp/rYuCWcQkMN9pj93U5YD4bk7j Tg/Lr/TTEj8O/L7RCI1M7NL6hAhUbHQ/vZ/amqDWSTFrIniyA1abWDpJNcMaQMAv1sOU PAGSZWZ3GDTUABxQ4uBLzmvkPPCPJf7DuQ+9WDZvhcLr6TdZYLT61Moi3WtBcCYDv80G zFd5xdCdc1dKDGAWj+8mTbu2xfKwyHceYXp37DTwrfzqlr4CUK9miIhZTho6QpWybM5Y e9Mz707CV1FgOOj0sVSLs+tb2R9al85xpMYDfC+gsKoSKx5ZeBuRpmfXix1fhjNcT5wd P2sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PyQ9dJBzl39Y0bE+wPm6gLPRLAFrqh2VMnok0Kw+680=; b=JA4LVZIvhUCArl0iVYu+ZDDtbU7woyJAK0utAgt90WqmvQ8/bo3V71TP6V6OmXgSzI aPnOHz/+3eUkbdXEfQ7PIi1Qcf/PLk2TOCoFu+Nwr2ObbWVVSv09CcF/URIGbjwHfjV2 VRX6gWaiGZfQT7pD7vXbmgVJPyd/oiI1Uc2MubvTah96c8eaqO3gnVppIhuIF2uM0BK9 +BfAxtE/uKQEZjJ+kiN4vcUkiz8yUbkyDQo9YFiTubkJpEmp2QOmZjpZvzwh2RvoNOqN thF1w33CcTr8U0xx4PUqspHpFgxWLkOzA/GqJc9EdjC2kEUbFOWKmsLfwlMzHLFoLW9m 0Xyw==
X-Gm-Message-State: AIVw110vsh9axmbaDtrisg0QnnPpdTQ8G4xoyXZXID1X122m1zCkDLkH wmx8lyiU2DtBjGqbL8D2g8KRCDlMm+Qc
X-Received: by 10.28.27.69 with SMTP id b66mr3952978wmb.11.1501677632557; Wed, 02 Aug 2017 05:40:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.225.5 with HTTP; Wed, 2 Aug 2017 05:40:32 -0700 (PDT)
In-Reply-To: <CACfw2hiX7U74n9+defcYiD7jLKZeLhtLM6WP5YM_WuAoA8ecYQ@mail.gmail.com>
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com> <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org> <CACfw2hiX7U74n9+defcYiD7jLKZeLhtLM6WP5YM_WuAoA8ecYQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 2 Aug 2017 08:40:32 -0400
Message-ID: <CAL02cgRg6k7=b7berKr9J+9aL8PTS81nJ_yXQO8QTYqgiqXSbg@mail.gmail.com>
To: william manning <chinese.apricot@gmail.com>
Cc: Jacob Hoffman-Andrews <jsha@eff.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a114b2950db2caa0555c49152"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UqyBj1izM_BTpHGW5nOAHLDcPGA>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2017 12:40:37 -0000

On Wed, Aug 2, 2017 at 6:39 AM, william manning <chinese.apricot@gmail.com>
wrote:

> localhost is just a string, like www or mail or supralingua.  A DNS
> operator may
> chose to map any given string to any given IP address.  restricting  ::1
>  so that it never leaves
> the host is pretty straight forward.  if I map localhost to
> 3ffe::53:dead:beef and NOT ::1 in my
> systems, why should you care?
>

The underlying need here is that application software would like to make
use of the fact that it is connecting to "localhost" (vs. other domain
names) to make security decisions based on whether traffic is going to
leave the host.  So if the network layer remaps localhost to something
other than a loopback interface without telling the applications, then
you're going to have security problems.

The point of this document is to avoid this disconnect by discouraging the
sorts of remappings you're talking about.

--Richard



> if you are concerned that completion logic is broken in resolvers and the
> string "localhost" is not
> appended to the domain, then you really are asking for the root servers to
> backstop the query with
> an entry for localhost.  and for the first 20 years of the DNS, there was
> an entry for localhost. in
> many of the root servers.  it was phased out for several reasons, two key
> ones were DNSSEC and
> the fact that most resolvers had corrected their broken completion logic.
> There is no good reason to bring it back for special processing.  It's
> just a string.
>
> /Wm
>
> On Tue, Aug 1, 2017 at 11:59 AM, Jacob Hoffman-Andrews <jsha@eff.org>
> wrote:
>
>> On 08/01/2017 03:48 AM, Mike West wrote:
>> > The only open issue I know of is some discussion in the thread at
>> > https://www.ietf.org/mail-archive/web/dnsop/current/msg18690.html that
>> I
>> > need help synthesizing into the draft. I don't know enough about the
>> > subtleties here to have a strong opinion, and I'm happy to accept the
>> > consensus of the group.
>>
>> Reading back through this thread, it seems like the concerns were about
>> how to represent the  ".localhost" TLD in the root zone, or how to use
>> DNSSEC to express that the root zone will not speak for ".localhost".
>> However, I think we don't need either. This draft attempts to codify the
>> idea that queries for "localhost" or "foo.localhost" should never leave
>> the local system, and so it doesn't matter what the root zone says about
>> ".localhost".
>>
>> I would even take it a step further: It would be a mistake to add any
>> records for ".localhost" to the root zone, because it would mask
>> implementation errors. If a local resolver accidentally allows a query
>> for "foo.localhost" to hit the wire, it should result in an error.
>>
>> IMHO, the document is good as it stands.
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>