Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Tony Finch <dot@dotat.at> Thu, 25 January 2018 15:56 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4931212E896 for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 07:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrPo4iZQh-OW for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2018 07:56:50 -0800 (PST)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F0B912E88D for <dnsop@ietf.org>; Thu, 25 Jan 2018 07:56:50 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:54336) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1eejtP-00102n-dk (Exim 4.90) (return-path <dot@dotat.at>); Thu, 25 Jan 2018 15:56:47 +0000
Date: Thu, 25 Jan 2018 15:56:47 +0000
From: Tony Finch <dot@dotat.at>
To: Bob Harold <rharolde@umich.edu>
cc: Suzanne Woolf <suzworldwide@gmail.com>, IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <CA+nkc8A91gbqRqR_he4KqCgpfWXf3J-uuU6J2DZjSjfg=QAZjw@mail.gmail.com>
Message-ID: <alpine.DEB.2.11.1801251532530.5022@grey.csi.cam.ac.uk>
References: <9DCE2F63-EE37-4865-B9D6-6B79BBE05593@gmail.com> <CA+nkc8A91gbqRqR_he4KqCgpfWXf3J-uuU6J2DZjSjfg=QAZjw@mail.gmail.com>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/depfA_mV3TXrkZa--V7DzLgSroc>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 15:56:52 -0000

Bob Harold <rharolde@umich.edu> wrote:

> My concerns:
> Do we need to make sure stub resolvers get updated before we update DNS, to
> avoid breaking things?
> Do we know what current stub resolvers do?

Based on a few stats I gathered in September, stub resolvers already
handle localhost themselves. More details at
https://www.ietf.org/mail-archive/web/dnsop/current/msg20968.html

Regarding the draft, I have looked through it and I have one suggestion:

The second paragraph of section 5.2 (security considerations - localhost
labels in subdomains) should be beefed up. Localhost entries in subdomains
are risky so they should be discouraged - I wrote about why we deleted
ours at
http://news.uis.cam.ac.uk/articles/2017/09/01/deleting-localhost-entries-from-the-cam-ac-uk-dns-zone

I think it's misleading to say "could affect their resolution in
practice". It would be more accurate to say "in theory" because in
practice, localhost queries are already absorbed by /etc/hosts (or
equivalent) before the search list gets a look in.

So I suggest the following replacement for the second paragrph of section 5.2:

   In theory, the admonition against searchlist usage could affect their
   resolution, as discussed in Section 3; in practice, stub resolvers
   already handle queries for "localhost" as specified in this memo.

   Although localhost entries were encouraged by RFC 1537, that suggestion
   was removed from its successor RFC 1912. They are now discouraged
   because they can be used to subvert security restrictions such as the
   web browser same origin policy, especially on multi-user systems
   [http://seclists.org/bugtraq/2008/Jan/270].

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Irish Sea: Southwest veering northwest 5 to 7. Moderate or rough. Showers.
Good.