Re: [DNSOP] Status of "let localhost be localhost"?
Warren Kumari <warren@kumari.net> Wed, 16 August 2017 21:42 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26900132743 for <dnsop@ietfa.amsl.com>; Wed, 16 Aug 2017 14:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tam3PvLo50AZ for <dnsop@ietfa.amsl.com>; Wed, 16 Aug 2017 14:42:44 -0700 (PDT)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F75132744 for <dnsop@ietf.org>; Wed, 16 Aug 2017 14:42:41 -0700 (PDT)
Received: by mail-wr0-x22f.google.com with SMTP id x43so27708601wrb.3 for <dnsop@ietf.org>; Wed, 16 Aug 2017 14:42:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=QL3NGVOB6+JZ3ukxMkukBF9jEY+KnmO5ms9/toR+m6I=; b=Nf1tw/1RkjBDQ3cqDpVNKtNlcCmT/5iWpcudokJwlcQmMTLrJZTWTpfmDIJE/AO0fp y4eZjs+D92SkdxRMcnGSroxhKPA+zZf72A4NNuLw+hmOyvLW6v+zzlGTvsoebLdf/peu ykdDf/j4JEx1JfC8B6ypfcvKSY30CW0IvSWcbCXm5b7rvQ8lr/TaOSTuJokcxEfIvgt4 iD7ZnGlp4NpyIi8tHAv0Qz1m98Ds3XzE1GsDMaExz39K2AoswxDVe3Nvbu9q9APnokDS OoZb7TWsWKvZBN/OVHOVZZurbQOCG+nrp7LyljFdY3Z1z+TyQlcaWJ8bnWK2UvyvPNri weqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=QL3NGVOB6+JZ3ukxMkukBF9jEY+KnmO5ms9/toR+m6I=; b=ntwBlSTkLFEaRPH2K5diWjGtSeDn6ZIrdLZ/y6n2CvVlfPlvk+VWg1loaU0UmOaQa0 2XWjIi5Pa5dausOZ/fnHHWhHDEjiU92Zasy/OzFNeTh15TTx62ciEmhVaZv3iwK+tjyo Th+YjgB/lqqwKUmUWSvr/yfMa9IiTKzCCQnu82qYoFAoRNSIbOna5QTzlEZFqs/XIarN WJfwDd49YpAjcJ0nToPNBtsavRdyeKVwcPLIGVH4IvcZ05blHa5VettiENFxvO4ErBG2 0ncNAdcBonq99Br40pz9OFkK2TC0a6hFEsmhG9TEiRBk254BAEhW9ISSTh6ro7lL5qzJ s5bg==
X-Gm-Message-State: AHYfb5hKWVFcvAPte89jqZdaiBPYvJnnDA+7auAvj5NLCCaBwh6nJ+UU ti8z6D13iBVQn+a5vKqyOryjE7WhehqB
X-Received: by 10.223.176.5 with SMTP id f5mr1873356wra.194.1502919759468; Wed, 16 Aug 2017 14:42:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.164.135 with HTTP; Wed, 16 Aug 2017 14:41:58 -0700 (PDT)
In-Reply-To: <20170802180221.n7ezh5yzr5cuxklz@mycre.ws>
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com> <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org> <CACfw2hiX7U74n9+defcYiD7jLKZeLhtLM6WP5YM_WuAoA8ecYQ@mail.gmail.com> <CAL02cgRg6k7=b7berKr9J+9aL8PTS81nJ_yXQO8QTYqgiqXSbg@mail.gmail.com> <6B25B24C-4C80-4A04-BF27-2306F4A77EF6@fugue.com> <CAL02cgQ2z9Fze-Q2QWQ=+PHJEO_S3bTaq1fPJ6XSEwFUQ=ftvw@mail.gmail.com> <CAKXHy=eV0OBW+S308rdiHZ523foOgxYNB3i07RkeFJiTjMYQEQ@mail.gmail.com> <D9568E51-3C48-4BA3-9797-3F7756E857C9@fugue.com> <20170802180221.n7ezh5yzr5cuxklz@mycre.ws>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 16 Aug 2017 17:41:58 -0400
Message-ID: <CAHw9_i+VBBDKUMN7oWGaT0Ub1Ovjp=wN+gkY-U9WUhpxEsYmZw@mail.gmail.com>
To: Robert Edmonds <edmonds@mycre.ws>
Cc: Ted Lemon <mellon@fugue.com>, Richard Barnes <rlb@ipv.sx>, Mike West <mkwst@google.com>, william manning <chinese.apricot@gmail.com>, dnsop <dnsop@ietf.org>, Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k9Rec7WuLCLjLBb5hI7kynAxf3U>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 21:42:46 -0000
On Wed, Aug 2, 2017 at 2:02 PM, Robert Edmonds <edmonds@mycre.ws> wrote: > Ted Lemon wrote: >> But we are arguing that "localhost" should be treated specially by every piece of software that looks at it, when its default meaning is "look up localhost in the DNS and connect to one of the addresses that you get in response." > > RFC 6761 §6.3 already says that "localhost" should be treated specially > by pretty much every piece of software that looks at it. But especially: > > 2. Application software MAY recognize localhost names as special, or > MAY pass them to name resolution APIs as they would for other > domain names. > > 3. Name resolution APIs and libraries SHOULD recognize localhost > names as special and SHOULD always return the IP loopback address > for address queries and negative responses for all other query > types. Name resolution APIs SHOULD NOT send queries for > localhost names to their configured caching DNS server(s). > > (In practice, "localhost" already does get treated specially, especially > by operating systems that place a "Name Service Switch" or similar > component in front of the DNS stub resolver. Yup, you would think so -- unfortunately, this seems less true than we'd expect (or hope!) Around 0.3% of responses from Google Public DNS are for "localhost". As an honest DNSSEC-validating resolver, Google Public DNS returns NXDOMAIN for queries of localhost. (and all its subdomains). If you ask with DO set, it returns the root NSEC records proving there is no such domain (yes, this disagrees with the SHOULD in 6.3.4 of RFC6761). As with many things in the DNS, the real world is messier than we'd -- I would have hoped that most systems would be answering locally for queries for localhost, and never asking the DNS, but this turns out not to be as true as we would have liked. I think that this supports the case for the localhost document; this behavior should be firmed up. It also exposes the fact that an application naively resolving "localhost" and trusting the answer (for security purposes) is not currently safe. W > If you put > "http://localhost/" into your browser bar, you shouldn't see a DNS query > for "localhost" leave your machine.) > > Doesn't "Application software MAY recognize localhost names as special" > already give more than enough permission for browser developers to treat > "localhost" (and any subdomain of "localhost") specially, for instance > by hardcoding the names to a loopback address, or filtering the result > from the system's name resolver to verify that only a loopback address > is used? Or only allowing the "Secure Context" flag to be set when the > localhost name resolves to a loopback address. > > draft-west-let-localhost-be-localhost-03 upgrades the requirements in > RFC 6761 §6.3 to make them much stricter, for all applications, > converting SHOULDs to MUSTs, etc. So we're not arguing about whether > localhost "should" be treated specially, but whether it MUST be treated > specially, by all applications. Can the W3C not impose stricter > requirements on browser developers even if 6761 doesn't impose mandatory > treatment for "localhost"? > > Maybe a smaller addition to RFC 6761 §6.3 would be sufficient for the > W3C? Something like: > > Application software specifications MAY require that application > software recognize localhost names as special. > > But that seems weird because it's arguably just a specific case of > requirement #2. > > -- > Robert Edmonds > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] Status of "let localhost be localhost"? Jacob Hoffman-Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Jacob Hoffman-Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Mark Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… william manning
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Joe Abley
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Joe Abley
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Tony Finch
- Re: [DNSOP] Status of "let localhost be localhost… Paul Vixie
- Re: [DNSOP] Status of "let localhost be localhost… Jacob Hoffman-Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Robert Edmonds
- Re: [DNSOP] Status of "let localhost be localhost… Matthew Pounsett
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Jacob Hoffman-Andrews
- Re: [DNSOP] Status of "let localhost be localhost… George Michaelson
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Mark Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… John Levine
- [DNSOP] Fwd: Status of "let localhost be localhos… william manning
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Erik Nygren
- Re: [DNSOP] Status of "let localhost be localhost… Stuart Cheshire
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Robert Edmonds
- Re: [DNSOP] Status of "let localhost be localhost… Ray Bellis
- Re: [DNSOP] Status of "let localhost be localhost… Peter van Dijk
- Re: [DNSOP] Status of "let localhost be localhost… John Levine
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Paul Hoffman
- Re: [DNSOP] Status of "let localhost be localhost… Richard Barnes
- Re: [DNSOP] Status of "let localhost be localhost… Paul Hoffman
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Paul Vixie
- Re: [DNSOP] Status of "let localhost be localhost… Jacob Hoffman-Andrews
- Re: [DNSOP] Status of "let localhost be localhost… Tony Finch
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Paul Hoffman
- Re: [DNSOP] Status of "let localhost be localhost… Tony Finch
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Mike West
- Re: [DNSOP] Status of "let localhost be localhost… Ted Lemon
- Re: [DNSOP] Status of "let localhost be localhost… Warren Kumari
- Re: [DNSOP] Status of "let localhost be localhost… John Levine
- Re: [DNSOP] Status of "let localhost be localhost… Mark Andrews
- Re: [DNSOP] Status of "let localhost be localhost… John R Levine