Re: [DNSOP] Status of "let localhost be localhost"?

Mark Andrews <marka@isc.org> Fri, 18 August 2017 00:36 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 400661323D4 for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 17:36:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLJ4HIEfq0bi for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 17:36:57 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CCE013269A for <dnsop@ietf.org>; Thu, 17 Aug 2017 17:36:57 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 894AA349314; Fri, 18 Aug 2017 00:36:54 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 624E4160042; Fri, 18 Aug 2017 00:36:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 51803160070; Fri, 18 Aug 2017 00:36:54 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id AhVCgLfZr-xW; Fri, 18 Aug 2017 00:36:54 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 05D14160042; Fri, 18 Aug 2017 00:36:54 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 07F2782B0AFE; Fri, 18 Aug 2017 10:36:52 +1000 (AEST)
To: "John Levine" <johnl@taugh.com>
Cc: dnsop@ietf.org, mkwst@google.com
From: Mark Andrews <marka@isc.org>
References: <20170817150106.5492.qmail@ary.lan>
In-reply-to: Your message of "17 Aug 2017 15:01:06 +0000." <20170817150106.5492.qmail@ary.lan>
Date: Fri, 18 Aug 2017 10:36:51 +1000
Message-Id: <20170818003652.07F2782B0AFE@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k5kqQMezT0C5BTTCC2YoOuaqHkQ>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 00:36:59 -0000

In message <20170817150106.5492.qmail@ary.lan>an>, "John Levine" writes:
> In article <CAKXHy=chbyfempMDtk-tJMkzDL3oeOdJdyujxuK2-qH4E5Hp_w@mail.gmail.co
> m> you write:
> >2.  I know I don't have enough expertise in this area to make an informed
> >decision, and smart folks on this thread and elsewhere have told me that an
> >insecure delegation would be better than status-quo. I added
> >https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-05#section
> -4.2
> >to the document on that basis.
> 
> The problem with asking for an insecure root delegation is that the
> IETF has no process for putting anything in the root.  In principle we
> could work something out with ICANN, but that process would take
> somewhere between a very very long time and forever.  It is likely to
> be hijacked by other people who also want special treatment for their
> pet TLDs which is why my estimate would be closer to forever.

Well start now.  'localhost' was special before DNS, DNSSEC and
ICANN came into existence.  This is completing work that should
have been done at the time the root zone was signed.

> So my inclination would be to say that localhost lookups that reach
> the root will get a secure NXDOMAIN, which one could take as a hint
> that it's time to update the stubs and caches that let the query leak.

Insecure NOERROR NODATA for A and AAAA are fine.  Secure NOERROR NODATA
for DS is what is needed.
 
> We don't have to work this out now, we can adopt the document and
> figure out what to fix later.
> 
> R's,
> John
> 
> PS: For anyone who was going to say what about .ARPA, it was in the
> root a long time before ICANN existed.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org