Re: [DNSOP] Status of "let localhost be localhost"?

Matthew Pounsett <matt@conundrum.com> Wed, 02 August 2017 19:09 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 538D9131D37 for <dnsop@ietfa.amsl.com>; Wed, 2 Aug 2017 12:09:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsIkLgLNu0rd for <dnsop@ietfa.amsl.com>; Wed, 2 Aug 2017 12:09:38 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3B5C131C82 for <dnsop@ietf.org>; Wed, 2 Aug 2017 12:09:37 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id x10so21589510vkd.0 for <dnsop@ietf.org>; Wed, 02 Aug 2017 12:09:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Zepk+uVnPxT/krz3r7HhS3Sccp0CuoqIXsb9sfIgtkE=; b=HT7kX8Dy9EqAknhJtQJAk9hByckhy6dxkTaVGzTud+lHHtTLaA0rkOehmfmvt1N3FV dkJLqgJjIIpH+2LlSH0Soc47qQTQRrJH3MFBPbZ9j7JBUkUP1/turwOrPp5rcRKxA3Nl a5EPHiq/ZjuziFgjikzDmMjai6Y0/P3+syD0Y2+hBESkCRP4u5m48f/4ZsLM6bmIO7WX CPrIcy0cxRooH0Wy3nNMf3YP1IsF2Gs/eqZEAjX0mBGNekvGjNgiYSIVc7Ue+SJVne5n u0ryhoQOxyE4ZgSaLfsyEq461SAwzKgqosNQjpaPtc1zNu3lvcwgYodHH020BsHBaprQ EwTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Zepk+uVnPxT/krz3r7HhS3Sccp0CuoqIXsb9sfIgtkE=; b=kY49K4tGWNY+AiAxHDW3hmR/0Xvw8hDN1SkZYNYtxotw/TFhx1zQvsu6NNWv5/m0W4 0JLYQNK1z1cAxufrG9MK1Y/Kz51p/ameiQHl5yr5WzLGFbW1rbEZd+FB+cm8sd5GmoT3 ye9mytrz5eNYhA7dBQccN9ZUbevcIBmmwxAEQgRlPfdwr9Gz2Hs8b/FPaJ/f9R+pAL6G zrDA8X686SR8jCTIn1nO2Ane+UQ3SiYo7YNFoVO7P35+WBMIcPwzC2AQb7IjMAAiMN5q QOzgV4LivW9gkUiLipASNbeAAbSpv2c8xDu1nsKe1UWOPqXbB7o3vTrtzPEewJQaqyV3 BTHw==
X-Gm-Message-State: AIVw110pPU+XpF0+m/1WpAdGAFqQ44fFENx6QJTaee4A7P6LWrhUEkiM WSkmMjIImIsmXQsYvh1FAHKYTvwELP/Ngef3kw==
X-Received: by 10.31.0.69 with SMTP id 66mr15559889vka.96.1501700976426; Wed, 02 Aug 2017 12:09:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.84.14 with HTTP; Wed, 2 Aug 2017 12:09:35 -0700 (PDT)
In-Reply-To: <121adcc6-55c5-4f90-2797-999f3f1f1ef8@eff.org>
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com> <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org> <20170802012345.2CE2680BCC5E@rock.dv.isc.org> <121adcc6-55c5-4f90-2797-999f3f1f1ef8@eff.org>
From: Matthew Pounsett <matt@conundrum.com>
Date: Wed, 2 Aug 2017 15:09:35 -0400
Message-ID: <CAAiTEH9=RNDrUmSOs8Rg2Ea4+as9pg=j5jnU6Y=nc8A4Z1aPog@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a113da99a42710f0555ca0127"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dWWWJFi3pttISA9-lg-Q7m1oQpU>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2017 19:09:39 -0000

On 2 August 2017 at 13:24, Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 08/01/2017 06:23 PM, Mark Andrews wrote:
> > The query for foo.localhost doesn't need to hit-the-wire for this
> > to be a issue.  Ask your self why RFC 6303, Security section has
> >
> >    As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
> >    namespaces, the zones listed above will need to be delegated as
> >    insecure delegations, or be within insecure zones.  This will
> >    allow DNSSEC validation to succeed for queries in these spaces
> >    despite not being answered from the delegated servers.
> >
> > or draft-ietf-homenet-dot-10 is doing the same thing for "home.arpa".
>
> RFC 6303 says "as DNSSEC is deployed within...". There's no plan to
> deploy DNSSEC within .localhost, because it doesn't make sense there;
> all resolutions should be handled locally.
>

6303 is talking about what to do with DNS zones for RFC1918 and other
local-scope address space when their global-scope parent zones are signed.
The correct rephrasing of that quote which would apply to .localhost is "as
DNSSEC is deployed within the root namespace..."  An event which is long
past.

In the case where 'localhost' is being passed to DNS resolution software, a
validating stub (for example inside a web browser) needs a way to know that
the 'localhost' TLD should be treated as insecure.  In that case, the only
way to accomplish that is with an insecure delegation at the root.