Re: [DNSOP] Status of "let localhost be localhost"?

Jacob Hoffman-Andrews <jsha@eff.org> Tue, 01 August 2017 18:59 UTC

To: dnsop@ietf.org
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org>
Date: Tue, 1 Aug 2017 11:59:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/deLJBatISz-U7944lkTTPlNiW8E>

On 08/01/2017 03:48 AM, Mike West wrote:
> The only open issue I know of is some discussion in the thread at
> https://www.ietf.org/mail-archive/web/dnsop/current/msg18690.html that I
> need help synthesizing into the draft. I don't know enough about the
> subtleties here to have a strong opinion, and I'm happy to accept the
> consensus of the group.

Reading back through this thread, it seems like the concerns were about
how to represent the ".localhost" TLD in the root zone, or how to use
DNSSEC to express that the root zone will not speak for ".localhost".
However, I think we don't need either. This draft attempts to codify the
idea that queries for "localhost" or "foo.localhost" should never leave
the local system, and so it doesn't matter what the root zone says about
".localhost".

I would even take it a step further: It would be a mistake to add any
records for ".localhost" to the root zone, because it would mask
implementation errors. If a local resolver accidentally allows a query
for "foo.localhost" to hit the wire, it should result in an error.

IMHO, the document is good as it stands.
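The behaviour argued for in this message, as an added example that is not part of the original post, the draft, or any real resolver: a stub resolver treats "localhost" and any name whose rightmost label is "localhost" as local-only, answering with loopback addresses and never forwarding, and a guard on the wire-sending path turns any accidental leak of such a query into an explicit error. The upstream answer table, the queried names, and the 192.0.2.1 address are constructed for the demonstration; the "rightmost label is localhost" matching rule is my reading of "localhost" and "foo.localhost" in the message, not text from the draft.

```python
"""Localhost-aware stub resolver (added example, constructed data).

Rule modelled: a query for "localhost" or for any name under ".localhost"
is answered locally with loopback addresses and never handed to the
network. A second guard wraps the wire-sending path so that if a bug ever
routes such a name toward the wire, the caller gets an error rather than
a silent upstream lookup (whatever the root zone might say).
"""

from typing import Callable, Dict, List, Tuple

# Signature of the function that actually puts a query on the wire.
Upstream = Callable[[str, str], List[str]]


class LocalhostLeak(Exception):
    """Raised when a localhost-scoped query reaches the wire-sending path."""


def normalize(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing root dot."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def is_localhost_name(name: str) -> bool:
    """True for "localhost" and any name whose rightmost label is "localhost".

    "localhost.example.com" is not special: its rightmost label is "com".
    """
    labels = normalize(name)
    return bool(labels) and labels[-1] == "localhost"


def guard_wire(send: Upstream) -> Upstream:
    """Wrap the real sender so a leaked localhost query fails loudly."""

    def guarded(name: str, qtype: str) -> List[str]:
        if is_localhost_name(name):
            raise LocalhostLeak(f"refusing to send {name!r} {qtype} to the network")
        return send(name, qtype)

    return guarded


class StubResolver:
    def __init__(self, send: Upstream) -> None:
        self._send = guard_wire(send)

    def resolve(self, name: str, qtype: str = "A") -> List[str]:
        # Local answer first: loopback for A/AAAA, empty answer for other
        # types. In no case does a localhost-scoped name reach self._send.
        if is_localhost_name(name):
            if qtype == "A":
                return ["127.0.0.1"]
            if qtype == "AAAA":
                return ["::1"]
            return []
        return self._send(name, qtype)


def make_fake_upstream(table: Dict[Tuple[str, str], List[str]],
                       log: List[Tuple[str, str]]) -> Upstream:
    """Constructed stand-in for the network: answers from a table, logs queries."""

    def send(name: str, qtype: str) -> List[str]:
        key = (".".join(normalize(name)), qtype)
        log.append(key)
        return list(table.get(key, []))

    return send


def wire_query_is_rejected(name: str, qtype: str = "A") -> bool:
    """Simulate the bug the message describes: a query bypasses the local
    step and hits the sender directly. Returns True if the guard errors."""
    guarded = guard_wire(lambda n, q: [])
    try:
        guarded(name, qtype)
    except LocalhostLeak:
        return True
    return False


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    table = {("www.example.com", "A"): ["192.0.2.1"]}  # constructed, RFC 5737 range
    log: List[Tuple[str, str]] = []
    resolver = StubResolver(make_fake_upstream(table, log))
    results = {
        "localhost": resolver.resolve("localhost"),
        "foo.localhost.": resolver.resolve("foo.localhost.", "AAAA"),
        "www.example.com": resolver.resolve("www.example.com"),
    }
    # Only the non-localhost query should appear in the wire log.
    return results, log


if __name__ == "__main__":
    print(demo())
    print("leak rejected:", wire_query_is_rejected("foo.localhost"))
```

Note the two separate checks: resolve() never consults the network for these names, and the guard on the sender is an independent line of defence, so an implementation error in the first step produces an error rather than a query that, depending on the root zone, might even receive an answer.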