Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost
Mark Andrews <marka@isc.org> Wed, 13 September 2017 03:06 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0715B1333FC for <dnsop@ietfa.amsl.com>; Tue, 12 Sep 2017 20:06:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QxhaOo_nfNhx for <dnsop@ietfa.amsl.com>; Tue, 12 Sep 2017 20:06:50 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2D7713292E for <dnsop@ietf.org>; Tue, 12 Sep 2017 20:06:50 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 07FAA34CEB1; Wed, 13 Sep 2017 03:06:48 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DC64A160074; Wed, 13 Sep 2017 03:06:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C2D28160069; Wed, 13 Sep 2017 03:06:47 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 98M87peU9YUv; Wed, 13 Sep 2017 03:06:47 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 71C8116005C; Wed, 13 Sep 2017 03:06:47 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 946E8855120E; Wed, 13 Sep 2017 13:06:45 +1000 (AEST)
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop WG <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <20170913021529.2540.qmail@ary.lan> <26E56255-6169-4626-95E8-A9D6A2D5EB39@fugue.com>
In-reply-to: Your message of "Tue, 12 Sep 2017 22:45:26 -0400." <26E56255-6169-4626-95E8-A9D6A2D5EB39@fugue.com>
Date: Wed, 13 Sep 2017 13:06:45 +1000
Message-Id: <20170913030645.946E8855120E@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZahbnzjwFND3gDVO_pD6Tpz3DIo>
Subject: Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 03:06:52 -0000
In message <26E56255-6169-4626-95E8-A9D6A2D5EB39@fugue.com>, Ted Lemon writes: > On Sep 12, 2017, at 10:15 PM, John Levine <johnl@taugh.com> wrote: > > Believe it or not, there are real non-loopback localhost domain names, > > like localhost.reddit.com <http://localhost.reddit.com/>. > > > > I agree that localhost.<foo> pointing to loopback is generally asking > > for trouble, but I am not at this point sufficiently confident that it > > is never ever a good idea to say MUST NOT rather than SHOULD NOT. I > > can for example imagine ways that might make some kinds of debugging > > easier. > > When we look at edge cases like this, it's tempting to be swept away by > the futility of trying to close every gap. But it's still worth closing > the ones we can close. Trying to outlaw localhost.* is hopeless. But > outlawing *.localhost is certainly valid and viable, and as DNSSEC > adoption increases, more and more it will be the case that we actually > need do nothing to break it. "localhost" + search list still fails > unsafe. Why would we want to outlaw *.localhost? Just because it is inconvient for the IAB and ICANN that they didn't address this issue correctly years ago. Oh sorry you can't use SRV with localhost to assign a port to this protocol THAT HAS NO DEFAULT PORT and only a NAME. Is this what you REALLY want to do? > This is just another reason to outlaw search lists. I can't think what > use case search lists address that's worth the security vulnerability > they create. The fact that hosts routinely use search lists provided by > DHCP is something that just astonishes me, but even user-configured > search lists serve no useful purpose to anyone but the statistically > negligible set of geeks who actually type in domain names and yet haven't > become paranoid enough to realize that search lists are bad yet. There > is no downside to deprecating them. > > (Should someone reading this be one of those network operators who still > puts search lists to some use inside of their firewall, please do not > tell us about it. I do not want to be the cause of your users being > hacked.) -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] DNSOP Call for Adoption - draft-west-let-… tjw ietf
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Richard Barnes
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… tjw ietf
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Tony Finch
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Warren Kumari
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Jacob Hoffman-Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Warren Kumari
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… 神明達哉
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Wes Hardaker
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Tony Finch
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Peter van Dijk
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Paul Vixie
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Tony Finch
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Richard Barnes
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John R Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Joe Abley
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John R Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Paul Vixie
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Peter van Dijk
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Matthew Pounsett
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… John Levine
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Wes Hardaker
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Mark Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Ted Lemon
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Lanlan Pan
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Peter van Dijk
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… =JeffH
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Wendy Seltzer
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Warren Kumari
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Jacob Hoffman-Andrews
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… Petr Špaček
- Re: [DNSOP] DNSOP Call for Adoption - draft-west-… tjw ietf