Re: [DNSOP] Status of "let localhost be localhost"?

Mark Andrews <marka@isc.org> Wed, 02 August 2017 01:23 UTC

To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: dnsop@ietf.org
From: Mark Andrews <marka@isc.org>
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com> <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org>
In-reply-to: Your message of "Tue, 01 Aug 2017 11:59:42 -0700." <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org>
Date: Wed, 02 Aug 2017 11:23:45 +1000
Message-Id: <20170802012345.2CE2680BCC5E@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lbbxP45-x_9hZI_kbIpBFIZKDDk>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?

In message <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org>, Jacob Hoffman-Andrews writes:
> On 08/01/2017 03:48 AM, Mike West wrote:
> > The only open issue I know of is some discussion in the thread at
> > https://www.ietf.org/mail-archive/web/dnsop/current/msg18690.html that I
> > need help synthesizing into the draft. I don't know enough about the
> > subtleties here to have a strong opinion, and I'm happy to accept the
> > consensus of the group.
> 
> Reading back through this thread, it seems like the concerns were about
> how to represent the  ".localhost" TLD in the root zone, or how to use
> DNSSEC to express that the root zone will not speak for ".localhost".
> However, I think we don't need either. This draft attempts to codify the
> idea that queries for "localhost" or "foo.localhost" should never leave
> the local system, and so it doesn't matter what the root zone says about
> ".localhost".
> 
> I would even take it a step further: It would be a mistake to add any
> records for ".localhost" to the root zone, because it would mask
> implementation errors. If a local resolver accidentally allows a query
> for "foo.localhost" to hit the wire, it should result in an error.
> 
> IMHO, the document is good as it stands.

The query for foo.localhost doesn't need to hit the wire for this
to be an issue.  Ask yourself why RFC 6303, Security section, has

   As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
   namespaces, the zones listed above will need to be delegated as
   insecure delegations, or be within insecure zones.  This will
   allow DNSSEC validation to succeed for queries in these spaces
   despite not being answered from the delegated servers.

or draft-ietf-homenet-dot-10 is doing the same thing for "home.arpa".

We didn't add the requirement for insecure delegations for the fun
of it.  We added it so that the tools that validate will not break
when those names are being used.

The only difference between the names in the above documents and
.localhost is the size of the space where they are valid.  It is
restricted to the node rather than the site.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
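The argument in the message above, as an added illustration that is not part of the thread and not ISC code: a constructed, deliberately simplified model of how a validating resolver classifies an unsigned answer that was served locally. The zone layout (a signed root, a signed arpa and in-addr.arpa, an insecure delegation for 10.in-addr.arpa as RFC 6303 asks for, an insecure delegation for home.arpa as the homenet draft asks for, and no delegation at all for localhost) is assumed for the example; real validators also track trust anchors, NSEC/NSEC3 proofs and RRSIG validity, which this model collapses into the per-zone "signed" flag and the two delegation sets.

```python
"""Constructed model: why an insecure delegation keeps DNSSEC validators
from marking locally-served answers (10.in-addr.arpa, home.arpa, and by
analogy localhost) as bogus. Not real validator code."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """A zone as the validator sees it (constructed model, not real zone data)."""
    name: str                 # zone apex, "." for the root
    signed: bool              # does the zone carry RRSIG/NSEC records?
    secure_delegations: set = field(default_factory=set)    # child apexes with a DS RR
    insecure_delegations: set = field(default_factory=set)  # child apexes with NS, no DS


def labels_from_root(qname):
    """'foo.localhost.' -> ['.', 'localhost.', 'foo.localhost.']"""
    name = qname.rstrip(".")
    if not name:
        return ["."]
    parts = name.split(".")
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def classify_unsigned_answer(qname, zones):
    """Classify an unsigned, locally-served answer for qname.

    zones: dict apex -> Zone for the zones the validator can reach.
    Walk the delegation chain downward from the root. Returns:
      'insecure' -- an ancestor is unsigned or delegates the name without a DS,
                    so the validator expects no signatures below that point;
      'bogus'    -- a signed ancestor neither delegates the name nor is unsigned,
                    so the validator expects signed data (or a signed NSEC denial)
                    and the unsigned local answer fails validation.
    """
    current = zones["."]
    for child in labels_from_root(qname)[1:]:
        if not current.signed:
            return "insecure"           # chain of trust ends here, nothing to check below
        if child in current.insecure_delegations:
            return "insecure"           # DS provably absent: unsigned data below is accepted
        if child in current.secure_delegations:
            if child not in zones:
                return "bogus"          # DS exists but the child zone cannot be validated
            current = zones[child]      # DS present: child zone must itself validate
            continue
        # No delegation for this label inside a signed zone: a signed NSEC/NSEC3
        # proves the name does not exist, so unsigned data claiming it is bogus.
        return "bogus"
    # qname is itself a zone apex we reached through secure delegations
    return "bogus" if current.signed else "insecure"


def example_scenarios():
    """Run the model over the names discussed in the thread (constructed zones)."""
    root = Zone(".", signed=True, secure_delegations={"arpa."})
    arpa = Zone("arpa.", signed=True, secure_delegations={"in-addr.arpa."},
                insecure_delegations={"home.arpa."})        # draft-ietf-homenet-dot style
    in_addr = Zone("in-addr.arpa.", signed=True,
                   insecure_delegations={"10.in-addr.arpa."})  # RFC 6303 Security section
    zones = {z.name: z for z in (root, arpa, in_addr)}

    results = {
        "1.0.0.10.in-addr.arpa.": classify_unsigned_answer("1.0.0.10.in-addr.arpa.", zones),
        "myhost.home.arpa.": classify_unsigned_answer("myhost.home.arpa.", zones),
        # Root is signed and has no delegation for localhost at all:
        "foo.localhost.": classify_unsigned_answer("foo.localhost.", zones),
    }

    # Same query if the root carried an insecure delegation for localhost,
    # i.e. the treatment RFC 6303 gives the RFC 1918 reverse zones.
    root_with_localhost = Zone(".", signed=True, secure_delegations={"arpa."},
                               insecure_delegations={"localhost."})
    zones_with_localhost = dict(zones, **{".": root_with_localhost})
    results["foo.localhost. (insecure delegation)"] = classify_unsigned_answer(
        "foo.localhost.", zones_with_localhost)
    return results


if __name__ == "__main__":
    for name, state in example_scenarios().items():
        print(f"{name:45} -> {state}")
```

In this model the locally-served reverse-zone and home.arpa answers come back "insecure" because the signed parent proves there is no DS, whereas the same local answer for foo.localhost comes back "bogus" under a signed root with no localhost delegation: the validator expects a signed denial of existence and gets unsigned data instead. Adding an insecure delegation flips only the localhost case, which is the point of the message.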