Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Fri, Jan 26, 2018 at 12:19:00AM +1100, Mark Andrews wrote:

> > RFC 6303 says that we should have empty domain for it, but this part is
> > confusing:
> >   The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not an
> >   attempt to discourage any practice to provide a PTR RR for
> >   1.0.0.127.IN-ADDR.ARPA locally.
> > 
> > PTR is DNS-specific term, so I'm not sure if it is clumsy expression for
> > "stub should hardcode the answer" or something else.
> 
> No. It says if there isn’t a zone configured then return NXDOMAIN rather than
> recurse to the in-addr.arpa servers. That is different to always /just return
> NXDOMAIN.
> 
> All the zones listed in RFC 6303 can be overridden locally. The point of RFC 6303
> is to stop traffic going to the public server if the zones are not otherwise
> configured locally.

And this precisely where I take issue with the current draft.  It
mandates NXDOMAIN without admitting the possibility of a local
override.  I'm fine with recursive resolvers not *forwarding*
"localhost.", but forbidding local answers is I think taking it
too far and counter-productive.  If a resolver has a working
"localhost." zone that serves the expected loopback answers, it
should be free to reply with those.

Indeed I would go further, and recommend that resolvers add such
local overrides if not present, and answer accordingly.  Sure, it
would also be great if stub resolvers never asked, but just in case
they do, there's no need to punish them, that's rarely effective.

-- 
	Viktor.