IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Warren Kumari <warren@kumari.net> Sat, 27 January 2018 17:57 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D4AA126B7E for <dnsop@ietfa.amsl.com>; Sat, 27 Jan 2018 09:57:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PDStYy_gYRHA for <dnsop@ietfa.amsl.com>; Sat, 27 Jan 2018 09:57:07 -0800 (PST)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B69B6126B6D for <dnsop@ietf.org>; Sat, 27 Jan 2018 09:57:06 -0800 (PST)
Received: by mail-wr0-x22c.google.com with SMTP id 16so3092933wry.12 for <dnsop@ietf.org>; Sat, 27 Jan 2018 09:57:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-transfer-encoding; bh=2iZOr5xovqexNrmXLkDkoBtXGzZfgYncDvlio/eKriA=; b=zkY+/LeM8KLjO09p99mH/1a+nmoEVEPhXjeIFqAILPxlRlKZOlAgqgjAKkeJ3iy9tJ TaEZ9gBZOriLw0zOmQNL5ziIZluMC4V4utr00WQLxnTkDKlU9RDdLXZOBk6qmBuN8ry2 YhztM/tGvwIYR76vsV59dvdQBtfM2YQTORTi06gVZlSLNKcoYVs4WUEKKmtJTqhn+j6c A7Gcu1VYq6qGYTqYCle5qEqEXc8gKPpq1LnDzMdmD5l+6V7vnfGYdrBQM/3brJnxILEw qWCBQS2DoSlY8hX+RjZK2Frcst3xYb1XeKa2O/hWKjKxhJeoufdE5P6PoREyqEFPioJ5 W/Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=2iZOr5xovqexNrmXLkDkoBtXGzZfgYncDvlio/eKriA=; b=C6E904DreTX8A19O3D99iwbTZZkqr12GD9trmd5aZP8tgobv4QlKEVcnKjqayqrCcn KSQZSAKISwCLiqKvaGTm2Dbhsijqlss5v1TDUSqdCdlR7Sv8wfd7OfsdOrJQE/A+jUgR y3A8clyJKwQY7QLAwAQKTKQtdKOZ0dr4bXx2KAvRHbVs/qo/bBhqZNkANvom66xvd2Mq U7UiPFJFN//gZpgOmt+T/46kqWwxSoX7qU4recsSeu0oTeqDwtwRRxiKNFovPcXYdK+W GNL/pwrI/2Ajgvt5LURuLSpw1Rly26qoSVC0olAI4VYOGrUoEreMcgzeA2IrheDKr+ml oIzQ==
X-Gm-Message-State: AKwxytcs7d6gdmdVT4emuQaGZLN4mdVLLzaziHhRZGtNxJzag+/dSEUe tzr5Pj6b/I7emb+I7z+WRAqKdNWxz7ODOJNpDiIvU/n3aNM=
X-Google-Smtp-Source: AH8x2245M7cBEP1N135fRItrvO56DNLDvgZWBdYw/PTBtcnL16aODDjZ5xqgWC17mFFLE4w8njyH8fk/tiLyHgTEMGk=
X-Received: by 10.223.208.203 with SMTP id z11mr15245992wrh.109.1517075824538; Sat, 27 Jan 2018 09:57:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.152.181 with HTTP; Sat, 27 Jan 2018 09:56:23 -0800 (PST)
In-Reply-To: <20180126230343.GL3322@mournblade.imrryr.org>
References: <CANV=THh6bOxd_UW=TuLonWzz0KyGapkGWpMiNuu54W=45gFAvg@mail.gmail.com> <20180124205620.GZ3322@mournblade.imrryr.org> <alpine.DEB.2.11.1801251558440.5022@grey.csi.cam.ac.uk> <CAJE_bqf+GqYGFRAsXbBPymQLXoJRs_AxvVHhtcMJF1LEvTL7sQ@mail.gmail.com> <77B805CC-E8FE-4B09-A261-C5CB13707EE4@dotat.at> <CAJE_bqdCZ_vj2nncvEVpYunVmE=xxAiXqrzhu8BGxnSsLjy+3Q@mail.gmail.com> <37A9F504-A8BE-4F47-AAE9-AF2458206F03@fugue.com> <20180126201613.GK3322@mournblade.imrryr.org> <B17E9259-BC28-4861-8102-B716685C75B3@fugue.com> <20180126230343.GL3322@mournblade.imrryr.org>
From: Warren Kumari <warren@kumari.net>
Date: Sat, 27 Jan 2018 12:56:23 -0500
Message-ID: <CAHw9_i+dM+MeMVt+et0t-xU-SKxK0nB_XSuPqP1DngmSTuYTqQ@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bCRK0YFZG1COlEeF1VVbifuBis8>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jan 2018 17:57:09 -0000

On Fri, Jan 26, 2018 at 6:03 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Fri, Jan 26, 2018 at 02:24:26PM -0600, Ted Lemon wrote:
>
>> > Disagreed, with respect to recursive resolvers, because the
>> > requirement is neither necessary nor sufficient to achieve the
>> > stated security goals, is not required for interoperability, and
>> > is in conflict with existing uses of local data for localhost.
>>
>> The point of the requirement is that it breaks stacks that use DNS to look
>> up localhost.
>
> Multiple participants in this discussion have pointed out that such
> queries are rare.

<no hats>

I've somewhat lost track of which exactly "such queries" are
('localhost', '*.localhost', with or without DO bit, etc), and what we
are considering as "rare", but, as mentioned in
https://mailarchive.ietf.org/arch/msg/dnsop/k9Rec7WuLCLjLBb5hI7kynAxf3U
:
'Around 0.3% of responses from Google Public DNS are for "localhost".'

If I opened a packet of M&Ms[0] and <0.3% of them were green I'd call
green M&Ms rare, but if 0.3% of people who went swimming got eaten by
sharks I'd likely not call shark attacks rare :-p



>  And, we must not forget that, absent local
> overrides, the iterative resolvers are *already* returning NXDomain,
> because the authoritative data from the root returns NXDomain.


... do they?

Google Public DNS:
$ dig  +dnssec localhost @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62555
;; AUTHORITY SECTION:
. 64929 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018012700
1800 900 604800 86400
. 64929 IN RRSIG SOA 8 0 86400 20180209050000 20180127040000 41824 .
i1JPur/fqut5...==


Verisign Public DNS:
$ dig +dnssec localhost @64.6.64.6
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8025
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
localhost. 10687 IN A 127.0.0.1


Quad9:
$ dig +dnssec localhost @9.9.9.9
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22677
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
localhost. 86170 IN A 127.0.0.1


OpenDNS:
dig +dnssec localhost @208.67.222.222
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
localhost. 604800 IN A 127.0.0.1


My local BIND instance:
# dig +dnssec localhost @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62183
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;localhost.                     IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net.
nstld.verisign-grs.com. 2018012700 1800 900 604800 86400
.                       10800   IN      RRSIG   SOA 8 0 86400
20180209050000 20180127040000 41824 . i1JPur/fqut5jJ...


(above examples edited for readability. No queries were harmed in the
making of this).

I'm not really sure anymore who's point I'm making here, but I
disagree that localhost queries hitting the DNS is rare, and that
iterative resolvers already return NXD - some do, and some don't.

W
</no hats>


[0]: For non-Americans, M&Ms are kind of like Rowntree (now Nestlé)
Smarties[0], but much less tasty.
[1]: For American readers, Rowntree Smarties are like much much better
M&M's, and *nothing* like the US Smarties (which are mainly sugar,
citric acid and calcium stearate, but always taste like chalk to
me...).
We'll be in London soon, you should really give them a try...


>
> So what you seem to be asking for is to *require* implementations
> that currently serve local data with the expected loopback addresses
> (and don't forward towards the root) to stop doing as configured and
> return NXDomain.  Despite the explicitly configured "knobs" that turn
> on this non-default behaviour.
>
> I claim that this is too big a hammer for too small a nail.  There
> is simply no need to do this.  A clear requirement to short-circuit
> localhost name -> address resolution *before* it gets to the resolver
> is quite sufficient.  I'm breathlessly enthusiastic for this part
> of the draft. :-)
>
>> If you think there's no risk to applications that rely on
>> this, obviously it's not worth doing.   The reason I'm being such a stickler
>> about this is that we have beaucoup experience over the past two decades
>> that if there is an attack surface, somebody will come up with an attack.
>> It's better to fail safe than fail unsafe.   If apps are breaking all over
>> the place because they use DNS to look up localhost, then we all win in
>> the long run.
>
> Reports from the field seem to indicate that this is largely a
> non-problem, and perhaps the maintainers of glibc and the like will
> pay attention to this specification and ensure correct localhost
> resolution without asking even the (e.g. glibc) DNS stub resolver,
> let alone an upstream recursive resolver.
>
>> That said, I absolutely do not want to deprive you of the ability to do
>> your hack.   I just don't think that the current text does that.
>
> The MUST says otherwise, and if we don't mean that, then we should
> not say so.
>
>> If the way the stack accomplishes the MUST is to have some code in
>> nsswitch.conf that does the right thing, I think that follows the MUST.
>
> It follows the MUST for the part I am breathlessly enthusiastic about,
> the requirements on the hostname -> address resolution library.  No
> problems with that at all.  My objection all along is with the MUST
> at the recursive resolver.
>
>> The reason I drilled down into your use case is that I don't think there's
>> ever going to be a time when Christos disables this behavior.   So I don't
>> think this text is going to actually create an inconvenience for you.
>
> I'm fine with MUST NOT FORWARD, except when the DO bit is set in
> the query, in which case I'm inclined to say that a validated
> NXDomain from the root is better than a bogus NXDomain, and
> is still (or more) secure.
>
>> Is there a way we can change what the text says so that it's sufficiently
>> emphatic to make me happy, and sufficiently open to make you [not] unhappy?
>
> Yes.  Keep the MUST for the platform library.  Downgrade the MUST for
> the iterative resolver to a SHOULD (absent local data), and either
> exempt DNSSEC or explain why "bogus" local NXDomain is better than
> a cacheable validated NXDomain from the roots.
>
> --
>         Viktor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email