IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Ted Lemon <mellon@fugue.com> Sat, 10 February 2018 21:28 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D07E312DA6A for <dnsop@ietfa.amsl.com>; Sat, 10 Feb 2018 13:28:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BauxQZOFvjOs for <dnsop@ietfa.amsl.com>; Sat, 10 Feb 2018 13:28:29 -0800 (PST)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C362312706D for <dnsop@ietf.org>; Sat, 10 Feb 2018 13:28:28 -0800 (PST)
Received: by mail-it0-x22b.google.com with SMTP id k131so2585047ith.4 for <dnsop@ietf.org>; Sat, 10 Feb 2018 13:28:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CsTwImtxyK7f4aNd5OQKJIyO4s8vv/uxhbgKZOFWZME=; b=RlM7FhQsRo1mHN80xwvhT4Q9Md80/u0XZznXUx6GkR4jnYoX1Ukc0R1IIp9u+6bzG7 LF3IDvLOu0nCl77/MwHyxMLEGNKDzeVxw271b9RO2anWSg7F93/ipCgI218/Ka9tbI5x aoBeAL48eVKWq7lv0L9etgSma6EeK6R8bUHnpHgCoXLdmyYBPdJf8/AVCyRtfIGBEDQ9 MF3ld/ka/4kMJ7T9+nEMEjYTMalJIJR9vnoLtXnkTfpdYSvCoe2B+8ohsthqvKwJZrBA wR1vdaHeoXoKOUKr9x4MDW9EXVZhlYMBanDPxdUJGcwfIfhargPY7YCrWmshWC5rGcUS vikw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CsTwImtxyK7f4aNd5OQKJIyO4s8vv/uxhbgKZOFWZME=; b=BiMkVlSyGxwcPb9ksy9+bLjseFXbOSQmT2ltHcnL676X82KKzBXVVSDgvtAk6DC4yo yXVeeQF9bdX6KQAd8UIm3iqdYKJ0PRR9V8/TF++zRf88uagnCdxwombDh7cjapm9+1y7 Cuk9otLPBq4fXMxAs75DW38K4fHD6+pj6CV4/9MBGyMJGw6v3WX7I5CCUUubBBmf05EI SGiyu0lQ0f4jBRGfk+L6vhV+gcA9QV/rJ5/BgCE740Wtp//DneCdwAl6VYwylIezKtyz XRTP1opUIJdoJaAwcH3A6Uc0m7hS0jShN2D0xCGebfXuBQpAvg0DzPcrbQzWkUhwgCdS pRlw==
X-Gm-Message-State: APf1xPBz0IpYxWWLIwOnl23XAVNSsUjHKX0MsttTwWvgCJ9VfDLln7NL +GY7hiR2UhG6JFjZnbnRFEeEMEdBoRjHtKqX81DBew==
X-Google-Smtp-Source: AH8x226Wx9pVbjdYcvrdS0YaEeKpDA0X7t/TQAMiG6Ujj3TOWi8KLPfBF3+fenQfmFHIOb02pV2FGCL/E1b6+/6wTJc=
X-Received: by 10.36.67.147 with SMTP id s141mr7208itb.13.1518298107863; Sat, 10 Feb 2018 13:28:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.241.202 with HTTP; Sat, 10 Feb 2018 13:27:47 -0800 (PST)
In-Reply-To: <78DB0408-9870-4855-936A-3C4774B2CDE7@hopcount.ca>
References: <2B1DC084-C6EA-41DA-9029-5E230874FCBE@isc.org> <29F25C57-31D1-4A07-875D-16E7612DB993@fugue.com> <E4C5AA7E-E9C1-4E53-ABE0-676A9B7B3269@isc.org> <618D31E1-8EC7-4F75-BD97-31D42CB1E681@fugue.com> <40992CF7-5740-43ED-8B78-8D8A9B50A15C@isc.org> <F28D0F1D-416E-4016-8A5A-95173FFFAA4E@fugue.com> <CANLjSvVd+vj8M+vBOokfpOL1fmq2iU9JAhSCd6eY_aoE1p5SMQ@mail.gmail.com> <97783B49-11C9-47F1-8F73-3D909C9B4DC4@fugue.com> <CANLjSvUV1RPR8nhLXCEL0WT9=2Lqb+4STh+7gSRPvv_Mmf-NTA@mail.gmail.com> <698033B2-09A6-4E66-82AD-04906D4DEA1B@fugue.com> <20180209225508.GC974@mx4.yitter.info> <CAHw9_i+OhMckTx5rniXTJJHXZXHtHt8wYO2XU9_kCmdW+nswfg@mail.gmail.com> <78DB0408-9870-4855-936A-3C4774B2CDE7@hopcount.ca>
From: Ted Lemon <mellon@fugue.com>
Date: Sat, 10 Feb 2018 16:27:47 -0500
Message-ID: <CAPt1N1=LkcZjKNuThgbFFzBmHsLNVKoEjH3iNp3ev+=652DWcQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
Content-Type: multipart/alternative; boundary="001a113f78c06202140564e253a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bwRcmHU0_obIdjNW1vnYkb6WGzA>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2018 21:28:32 -0000

Well, for example, when the DHC working group was considering the search
list option for DHCPv6, I argued that there should be no such option
because search lists are bad.   My argument was rejected.   Had the IETF
officially deprecated searchlists prior to that, there would be no DHCPv6
search option, and that attack surface would not exist.

On Sat, Feb 10, 2018 at 4:21 PM, Joe Abley <jabley@hopcount.ca> wrote:

> Hi Warren,
>
> I think the advice is good, but I wonder what the practical effect of
> writing it down would be. I doubt it would change any of the entrenched
> habits in enterprise systems and networking in our remaining lifetimes, for
> example, but perhaps I'm just being overly grumpy and am ignorant of some
> important dynamic that would change for the better.
>
> On the other hand if the goal is simply to try and ensure that future work
> product of the IETF doesn't depend on search list processing, perhaps
> that's worth writing down? If we are the intended audience and the
> document's purpose is to document a consensus decision, perhaps that's a
> reason to work on it.
>
>
> Joe
>
> > On Feb 10, 2018, at 15:21, Warren Kumari <warren@kumari.net> wrote:
> >
> >> On Fri, Feb 9, 2018 at 10:55 PM, Andrew Sullivan <
> ajs@anvilwalrusden.com> wrote:
> >> Hi,
> >>
> >>> On Tue, Feb 06, 2018 at 12:50:18AM -0500, Ted Lemon wrote:
> >>> That's pretty clear.   This document is not forbidding the appearance
> of such names in the DNS, nor the resolution of such names.
> >>>
> >>
> >> Instead, it is wanting to have its cake and eat it too.  Because…
> >>
> >>>
> >>>   Note, however, that the admonition against searchlist usage could
> >>>   affect their resolution in practice, as discussed in Section 3
> >>
> >> …of the "admonition" (or whatever you want to call it).  In effect,
> >> the document requires special-casing of "localhost" as a label in
> >> every searchlist context.
> >>
> >> If the goal is to say, "The search list is evil, and should not be
> >> used," then say that.
> >
> > <with no hats at all>
> > Interestingly enough, Steve Sheng and I wrote just such a document a
> > number of years ago (around the time of the initial name-collisions
> > drama). Even though I'm 95% sure it included the phrase "tilting at
> > windmills" my search foo fails me at the moment... but it basically
> > deprecated search list processing in the DNS.
> > There are many things which would be safer, less complex, and safer if
> > search lists didn't exist -- would people be interested in discussing
> > the idea, or is it just too out there?
> > </hats>
> >
> >
> >> Otherwise, what this document is _really_ doing
> >> is altering STD13's search list processing, to include special-casing
> >> of down-tree names.
> >> I think that is the case despite this bit:
> >>
> >>>       Application software MUST NOT use a searchlist to resolve a
> >>>       localhost name.  That is, even if DHCP's domain search option
> >>>       [RFC3397 <https://tools.ietf.org/html/rfc3397>] is used to
> >>>       specify a searchlist of "example.com" for a given network,
> >>>       the name "localhost" will not be resolved as
> >>>       "localhost.example.com." but as "localhost.", and
> >>>       "subdomain.localhost" will not be resolved as
> >>>       "subdomain.localhost.example.com." but as
> >>>       "subdomain.localhost.".
> >>
> >> The reason I think that is because of the earlier part:
> >>
> >>   2.  Application software MAY recognize localhost names as special, or
> >>       MAY pass them to name resolution APIs as they would for other
> >>       domain names.
> >>
> >> If you can just pass this to a resolution API, then it's actually the
> >> resolution API that needs to know to handle the search list rules
> >> according to this new specification (this part of the specification
> >> does not say that you can only use the API if you can tell the API not
> >> to use search lists, &c).
> >>
> >> I really do sympathise with the goal of the document, but I think it
> >> is making a bigger change than it seems to understand.  And anyway, I
> >> don't understand how the original 6761 text is the wrong approach:
> >> given that it isn't even being followed on the Internet today, there's
> >> no reason to suppose that this alternative approach is going to make
> >> things any better.
> >>
> >> Best regards,
> >>
> >> A
> >>
> >> --
> >> Andrew Sullivan
> >> ajs@anvilwalrusden.com
> >>
> >> _______________________________________________
> >> DNSOP mailing list
> >> DNSOP@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dnsop
> >
> >
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad
> > idea in the first place.
> > This is like putting rabid weasels in your pants, and later expressing
> > regret at having chosen those particular rabid weasels and that pair
> > of pants.
> >   ---maf
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email