Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
Tony Finch <dot@dotat.at> Thu, 25 January 2018 15:56 UTC
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4931212E896 for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 07:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrPo4iZQh-OW for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 07:56:50 -0800 (PST)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F0B912E88D for <dnsop@ietf.org>; Thu, 25 Jan 2018 07:56:50 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:54336) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1eejtP-00102n-dk (Exim 4.90) (return-path <dot@dotat.at>); Thu, 25 Jan 2018 15:56:47 +0000
Date: Thu, 25 Jan 2018 15:56:47 +0000
From: Tony Finch <dot@dotat.at>
To: Bob Harold <rharolde@umich.edu>
cc: Suzanne Woolf <suzworldwide@gmail.com>, IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <CA+nkc8A91gbqRqR_he4KqCgpfWXf3J-uuU6J2DZjSjfg=QAZjw@mail.gmail.com>
Message-ID: <alpine.DEB.2.11.1801251532530.5022@grey.csi.cam.ac.uk>
References: <9DCE2F63-EE37-4865-B9D6-6B79BBE05593@gmail.com> <CA+nkc8A91gbqRqR_he4KqCgpfWXf3J-uuU6J2DZjSjfg=QAZjw@mail.gmail.com>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/depfA_mV3TXrkZa--V7DzLgSroc>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 15:56:52 -0000
Bob Harold <rharolde@umich.edu> wrote: > My concerns: > Do we need to make sure stub resolvers get updated before we update DNS, to > avoid breaking things? > Do we know what current stub resolvers do? Based on a few stats I gathered in September, stub resolvers already handle localhost themselves. More details at https://www.ietf.org/mail-archive/web/dnsop/current/msg20968.html Regarding the draft, I have looked through it and I have one suggestion: The second paragraph of section 5.2 (security considerations - localhost labels in subdomains) should be beefed up. Localhost entries in subdomains are risky so they should be discouraged - I wrote about why we deleted ours at http://news.uis.cam.ac.uk/articles/2017/09/01/deleting-localhost-entries-from-the-cam-ac-uk-dns-zone I think it's misleading to say "could affect their resolution in practice". It would be more accurate to say "in theory" because in practice, localhost queries are already absorbed by /etc/hosts (or equivalent) before the search list gets a look in. So I suggest the following replacement for the second paragrph of section 5.2: In theory, the admonition against searchlist usage could affect their resolution, as discussed in Section 3; in practice, stub resolvers already handle queries for "localhost" as specified in this memo. Although localhost entries were encouraged by RFC 1537, that suggestion was removed from its successor RFC 1912. They are now discouraged because they can be used to subvert security restrictions such as the web browser same origin policy, especially on multi-user systems [http://seclists.org/bugtraq/2008/Jan/270]. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode Irish Sea: Southwest veering northwest 5 to 7. Moderate or rough. Showers. Good.
- [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-b… Suzanne Woolf
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Bob Harold
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Darcy Kevin (FCA)
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Lanlan Pan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Jaap Akkerhuis
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Bob Harold
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ray Bellis
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ray Bellis
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Wes Hardaker
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Bob Harold
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Lanlan Pan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Matthew Kerwin
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Lanlan Pan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Lanlan Pan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Warren Kumari
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Warren Kumari
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Andrew Sullivan
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Åke Nordin
- [DNSOP] Search lists revisited (Was: WGLC for dra… Stephane Bortzmeyer
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] Search lists revisited (Was: WGLC for… Paul Vixie
- Re: [DNSOP] Search lists revisited (Was: WGLC for… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Suzanne Woolf
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Stephane Bortzmeyer