Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

[Andrew Sullivan <ajs@anvilwalrusden.com>]

On Thu, Feb 01, 2018 at 11:45:26AM -0600, Ted Lemon wrote:
> 
> As a general principle, when what the RFC says to do is not the right thing to do, the solution is to update the RFC, not to ignore the problem.

I strongly agree with this (as I think or anyway hope you know), and
if my response seemed to be an appeal to the mythical authority of the
RFC series then I apologise.  My intent was to point out, instead,
that RFC 6761 has a position about this, and it is quite clear and
also contrary to the behaviour of the root servers.  Since RFC 6761
has IETF consensus, I am not convinced that the response from the
roots is right.  Since an NXDOMAIN response causes the _very problem_
that the draft this thread is about is attempting to fix -- literally
by making the effect in question more ubiquitous -- it seems to me
that the burden of proof lies upon others.

> Your and Paul's responses to this seem to take the position that what matters is consistency.   We should not return NXDOMAIN, because localhost has meaning, and NXDOMAIN doesn't.   But this misunderstands what NXDOMAIN means.   What NXDOMAIN means is "there is no such name in the DNS."   It doesn't mean "there is no such name."
> 

But of course, there _is_ a name "localhost" in the DNS.  It's already
defined, in the RFCs, to this effect.  RFC 6761 defines
special-purpose domain names, not domain names that are outside the
DNS.  It so happens that this domain name _is_ in the DNS, precisely
because RFC 6761 recommends that it be so (unlike, for example, what
it says for .invalid or what RFC 6762 says for .local).  The point is
rather that localhost is a universal reference to the loopback
address.  Since it is a universal truth, it is true in the IN class,
and that means that any server on the Internet ought to know this.

> Returning REFUSED makes things worse.   Returning NXDOMAIN does not.

The goal in the draft is to make things break for the host making the
request, even though it should not have made that request.  Returning
REFUSED and returning NXDOMAIN both have that effect.  But returning
NXDOMAIN also breaks the semantics of DNS, which I think it worse.

> Second, there's no trust model for such a response.   The trust model for NXDOMAIN is clear, and we know how to do it.   The trust model for e.g. REFUSED is nonexistent.
> 

Nonsense.  The trust model for refused is, "You asked and were
denied."  Signable denial of service strikes me as possibly the most
abusable service on the Internet :)

> Whether we should place special requirements on recursive resolvers is certainly something that is up for debate.

RFC 6761 _already_ places such requirements, it seems to me.

> If you believe that the right response is not NXDOMAIN, your reason needs to be something more than "that's what the RFC says to do."
>

I believe I offered such reasons in rather more detail in a different
message (one to which you did not respond) where I reviewed the draft
at greater length.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com