Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

Ted Lemon <> Wed, 13 September 2017 02:45 UTC

From: Ted Lemon <>
Date: Tue, 12 Sep 2017 22:45:26 -0400
References: <20170913021529.2540.qmail@ary.lan>
To: dnsop WG <>
In-Reply-To: <20170913021529.2540.qmail@ary.lan>

On Sep 12, 2017, at 10:15 PM, John Levine <> wrote:
> Believe it or not, there are real non-loopback localhost domain names,
> like <>.
> I agree that localhost.<foo> pointing to loopback is generally asking
> for trouble, but I am not at this point sufficiently confident that it
> is never ever a good idea to say MUST NOT rather than SHOULD NOT.  I
> can for example imagine ways that might make some kinds of debugging
> easier.

When we look at edge cases like this, it's tempting to be swept away by the futility of trying to close every gap.   But it's still worth closing the ones we can close.   Trying to outlaw localhost.* is hopeless.  But outlawing *.localhost is certainly valid and viable, and as DNSSEC adoption increases, more and more it will be the case that we actually need do nothing to break it.   "localhost" + search list still fails unsafe.

This is just another reason to outlaw search lists.   I can't think what use case search lists address that's worth the security vulnerability they create.   The fact that hosts routinely use search lists provided by DHCP is something that just astonishes me, but even user-configured search lists serve no useful purpose to anyone but the statistically negligible set of geeks who actually type in domain names and yet haven't become paranoid enough to realize that search lists are bad yet.   There is no downside to deprecating them.

(Should someone reading this be one of those network operators who still puts search lists to some use inside of their firewall, please do not tell us about it.   I do not want to be the cause of your users being hacked.)
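The "localhost + search list fails unsafe" point above, as an added example that is not part of this thread or of the draft: a stub resolver showing how a search suffix turns a bare "localhost" query into localhost.<suffix>, beside a resolver that applies the draft's rule (localhost and *.localhost answer loopback without touching the search list or the network). The zone data, the suffix example.com and the 203.0.113.x addresses are constructed for the example.

```python
"""Added example (not from the thread): search-list handling of "localhost".
All DNS data here is a constructed in-memory stub, not live resolution."""
import ipaddress

# Constructed stand-in for what the network would answer: qname -> addresses.
# "localhost.example.com" models the real non-loopback names John mentions.
STUB_ZONE = {
    "localhost.example.com.": ["203.0.113.10"],   # documentation range
    "www.example.com.": ["203.0.113.20"],
}

LOOPBACK = ["127.0.0.1", "::1"]


def is_loopback(addr):
    return ipaddress.ip_address(addr).is_loopback


def is_localhost_name(name):
    """True for 'localhost' and any name whose last label is 'localhost'."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "localhost"


def naive_resolve(name, search_list, ndots=1):
    """Classic stub behaviour: a name with fewer dots than ndots is tried with
    each search suffix first. Returns (qname actually answered, addresses)."""
    candidates = []
    if name.count(".") < ndots:
        candidates += [f"{name}.{suffix}." for suffix in search_list]
    candidates.append(name.rstrip(".") + ".")
    for qname in candidates:
        if qname in STUB_ZONE:
            return qname, STUB_ZONE[qname]
    return candidates[-1], []


def safe_resolve(name, search_list, ndots=1):
    """Draft rule: localhost names never hit the search list or the network,
    so no DHCP-supplied suffix can redirect them off the host."""
    if is_localhost_name(name):
        return name, LOOPBACK
    return naive_resolve(name, search_list, ndots)


def answers_are_safe(name, addresses):
    """Audit check: a localhost name with any non-loopback answer is a failure."""
    return (not is_localhost_name(name)) or all(is_loopback(a) for a in addresses)
```

With a DHCP-provided search list of ["example.com"], naive_resolve("localhost", ...) answers 203.0.113.10, which answers_are_safe flags, while safe_resolve returns loopback for both "localhost" and "foo.localhost".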