Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Mark Andrews <marka@isc.org> Thu, 01 February 2018 22:39 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6792B12F290 for <dnsop@ietfa.amsl.com>; Thu, 1 Feb 2018 14:39:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubSc9O_dJh0U for <dnsop@ietfa.amsl.com>; Thu, 1 Feb 2018 14:39:45 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86C5212F299 for <dnsop@ietf.org>; Thu, 1 Feb 2018 14:39:43 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D02883AB06D; Thu, 1 Feb 2018 22:39:40 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id ACD3E16005B; Thu, 1 Feb 2018 22:39:40 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 890C9160092; Thu, 1 Feb 2018 22:39:40 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KOxkADt_V_-s; Thu, 1 Feb 2018 22:39:40 +0000 (UTC)
Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 80B8716005B; Thu, 1 Feb 2018 22:39:39 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <ybla7wsbcr0.fsf@wu.hardakers.net>
Date: Fri, 2 Feb 2018 09:39:36 +1100
Cc: Andrew Sullivan <ajs@anvilwalrusden.com>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A599E00D-AE5C-4465-9F7A-1BE37FA68865@isc.org>
References: <9DCE2F63-EE37-4865-B9D6-6B79BBE05593@gmail.com> <20180129155112.GC16545@mx4.yitter.info> <5A6F5CF1.4080706@redbarn.org> <CA+nkc8D7tne5SxGOUhvJqstmDa=1=RmvcHQte1byAab5dUd5sQ@mail.gmail.com> <AE634FC4-0EAF-4F54-8860-61E41284F873@fugue.com> <20180130185919.GJ19193@mx4.yitter.info> <3b57a486-df8e-ca57-ab89-c167cea0dcc9@bellis.me.uk> <20180131161507.GP3322@mournblade.imrryr.org> <20180201172644.GD26453@mx4.yitter.info> <1D7693F7-000C-451A-8F7A-45B94366240F@fugue.com> <20180201204833.GA27125@mx4.yitter.info> <ybla7wsbcr0.fsf@wu.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oAuwnksYmySsoCE0G9S0hKhbxw0>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2018 22:39:49 -0000

> On 2 Feb 2018, at 8:50 am, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> Andrew Sullivan <ajs@anvilwalrusden.com> writes:
> 
>> But of course, there _is_ a name "localhost" in the DNS.
>> It's already defined, in the RFCs, to this effect.
> 
> You can probably have your cake and eat it too by saying "sure,
> hypothetically it exists in the DNS because it's magically reserved in
> an RFC; but there is no data for it so any queries for it for any type
> will always return 'does not exist'".  See!  Problem solved!

> Returning anything other than NXDOMAIN and NSEC* for it is crazy,
> because the reality is that the name does not exist in the root zone
> data (and should not exist).  Let's not start adding special exceptions.

Actually the name SHOULD exist in the public root zone as a insecure
delegation to a empty zone (SOA and NS records only) so that DNSSEC works
without special processing for those that wish to support using the DNS
to resolve localhost.  This should have been done when the root zone was
initially signed.

Unsigned NOERROR NODATA for localhost/A and localhost/AAAA is a perfectly
fine answer from the global DNS.  This is ZERO NEED for NXDOMAIN to be
returned from the global DNS for those lookups. There is zero NEED for those
answers to be signed.  The global DNS doesn’t know what address should be
returned for local host.  It doesn’t have to be 127.0.0.1 or ::1.  The choice
of address is a local decision.  I’ve had localhost in a chroot virtual host
be 127.0.0.2 so that processed running in that chroot virtual host talked to
their own instance of localhost.

> We could do something crazy like "return NXDOMAIN" and don't set the
> AA bit, because the DNS is not authoritative for that domain (and
> others, like .onion).  But I'm not sure that helps anyone, and adds
> unneeded complexity to an already too complex code base.

Onion is not localhost.  .onion is a protocol switch.  .localhost isn’t
a protocol switch.  There is NOTHING wrong with returning A and AAAA records
for .localhost from the local DNS resolver.  If you NEED to support types
other that A and AAAA you MUST run a local resolver to do this as there IS
NO OTHER MECHANISM TO DO THAT!

I have no problem with hostnames lookup API’s not looking for A and AAAA records
for localhost in the DNS.  I have big problems with taking it any further than
that.  

Mark

> -- 
> Wes Hardaker
> USC/ISI
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org