Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

[Mark Andrews <marka@isc.org>]

> On 5 Feb 2018, at 5:10 pm, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Feb 5, 2018, at 12:18 AM, Mark Andrews <marka@isc.org> wrote:
>> The original problem is that HTTP doesn’t specify that names learn across the
>> wire, including from on disk html files, need to be treated as absolute names.
>> This is HTTP’s mess due to allowing relative names in what is transmitted over
>> the wire.  This should be sent back to HTTP say FIX YOUR INSECURE PROTOCOL.
> 
> That's totally orthogonal to the question we are considering.

No it is not! The browser knows where the name came from.

If HTTP treated ALL NAMES AS ABSOLUTE then href="http://localhost/" would result
in EXACTLY ONE possible lookup in the DNS, /etc/hosts, NIS(YP), LDAP etc.  Similarly href=“http://some.partially.complete.name/“ won’t resolve to
some.partially.complete.name.example.com when run by a employee of example.com.

HTTP is a security nightmare because it is specified that those names may not be
absolute.  Fix that security hole and there is no need to touch this draft for
the reason it was brought up.

>   It's also nonsense.   How does HTTP, a protocol, know the source of an IP address that it's been given by the name resolution API?   Does the API even give you a way to tell?   What you mean is that the implementation should know the difference.  This is what the document is doing.   It's saying that the API should never look this name up in the DNS.

SMTP all names are absolute. You call the name API’s with searching disabled.
The implementation is broken is search is enabled.

HTTP names may be relative. You don’t call the name API’s with searching disabled
and you get a security mess as a result.

STOP SEARCHING!!!!  IT IS NOT NEEDED.

>> The second bugtraq issue is also HTTP’s insecure security model that doesn’t
>> take into account that addresses have scopes.  Again that is for HTTP to fix.
> 
> HTTP should certainly be smart about scopes, and I would argue that "machine scope" is not a scope in which connections should be assumed to be trustworthy, so indeed in a sense that you are right.
> 
> But the reason for wanting the DNS to not return answers for localhost is that implementations may get this wrong, and if they do we want it to fail safe.   So again, your premise is valid, but doesn't apply.

Just fix the browsers.  IT IS NOT THE DNS’S JOB TO FIX UP HTTP’S MESS
and in doing so BREAK OTHER THINGS!!!!!!!!!!!!

> As for search lists, I think it's reasonable to say that search lists, which are not part of the DNS protocol, should not be applied to the bare label 'localhost.'   If the document said that DNS servers should treat FQDNs containing the label 'localhost' specially other than when it is the top-level label, that would be wrong.   But it doesn't say that.   It just specifies the handling of localhost with respect to searchlists, and what it says is correct and important.   If I can supply you a search list and use that to trick you into connecting to a remote service rather than a local one, that's a significant attack surface.

Search lists should not be applied to any name learnt over the wire.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org