Re: [DNSOP] Search lists revisited (Was: WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Paul Vixie <paul@redbarn.org> Mon, 12 February 2018 17:51 UTC

Message-ID: <5A81D404.6010304@redbarn.org>
Date: Mon, 12 Feb 2018 09:51:00 -0800
From: Paul Vixie <paul@redbarn.org>
To: dnsop <dnsop@ietf.org>
References: <40992CF7-5740-43ED-8B78-8D8A9B50A15C@isc.org> <F28D0F1D-416E-4016-8A5A-95173FFFAA4E@fugue.com> <CANLjSvVd+vj8M+vBOokfpOL1fmq2iU9JAhSCd6eY_aoE1p5SMQ@mail.gmail.com> <97783B49-11C9-47F1-8F73-3D909C9B4DC4@fugue.com> <CANLjSvUV1RPR8nhLXCEL0WT9=2Lqb+4STh+7gSRPvv_Mmf-NTA@mail.gmail.com> <698033B2-09A6-4E66-82AD-04906D4DEA1B@fugue.com> <20180209225508.GC974@mx4.yitter.info> <CAHw9_i+OhMckTx5rniXTJJHXZXHtHt8wYO2XU9_kCmdW+nswfg@mail.gmail.com> <78DB0408-9870-4855-936A-3C4774B2CDE7@hopcount.ca> <CAHw9_i+6BPECPByUDzMx07tX4zMSK5RZ5+HPiS67_vOVjjnzMQ@mail.gmail.com> <20180212111201.iogcwngobam44joh@nic.fr>
In-Reply-To: <20180212111201.iogcwngobam44joh@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rgzPROR3YJNRiHUfe6e5oD6SBto>


Stephane Bortzmeyer wrote:
>> that might be a useful thing to do -- documenting the issues caused
>> by search lists [...] and that IETF technologies shouldn't rely on
>> them
>
> That's certainly a better proposal than the initial one (banning
> search lists).

there's a huge unspecified middle and edge of dns, which is the 
presentation layer. even with RFC 1535 for "ndots", there's nothing that 
tells an endpoint how to interpret unqualified or partially qualified 
names -- or how to display them. IDN made this lack of specification 
even more obvious by not outlawing the other glyphs that look like . or 
/. BIND was certainly wrong to use RFC 952 to determine what a 
"hostname" was and to apply that restriction to A/AAAA owners and 
MX/SRV/NS targets, but there was no better specification available.

> However, I wonder if it is really IETF business? It is a local
> decision, after all.

RFCs 1535 and 2292 show that endpoint behaviour, not just signaling, 
is in scope. the IETF needs more work of this kind, since the norms 
everybody is violating (mostly without realizing it) turn out to be 
important to interoperability. that is, partially qualified names and 
unqualified names are a layering violation, not unlike putting an RFC 
1918 address into the FTP "PORT" verb.

paul mockapetris sometimes tells the story of how auto-completion was 
the motive for writing names with most-local on the left and 
most-distant on the right. my counter-observation is that when the DNS 
consisted of a dozen large sites each full of similarly named "hosts" 
that must have made more sense. now that most of the names most of us 
look up are not local and not of "hosts", the situation has reversed: 
auto-completion of .org.redbarn.www would be far easier to implement 
than of www.redbarn.org.

ted's arguments about the insecurity of "localhost" lookups are one tiny 
corner of this land-mass sized lack of presentation-layer specification. 
it turns out you should never put an unqualified name on the wire since 
the days when your RDNS did search list processing for you are long 
gone, and it turns out that "localhost" should never have search-list 
processing applied to it. those two "turns out that"'s add up to a hard 
requirement to implement localhost-to-address and address-to-localhost 
lookups in the presentation-layer side of the stub resolver, except, we 
don't define a presentation layer, so we can't.

-- 
P Vixie
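The presentation-layer policy the message argues for, as an added example that is not part of the thread and is not BIND's or any other resolver's code: a stub-resolver name-qualification routine that applies the RFC 1535 "ndots" search-list rule, never applies search-list processing to "localhost", never sends a localhost lookup (forward or reverse) on the wire, and never puts a bare single-label name on the wire. Treating names under ".localhost" the same as "localhost", dropping a single-label name's bare attempt entirely, and the loopback addresses returned are my assumptions; the search-list entries and example names in the test are constructed.

```python
"""Stub-resolver presentation-layer policy for search lists and localhost.

Added example, not from the thread or from any resolver code base.
Policies implemented (the last three are assumptions, not RFC text):
  * RFC 1535 ndots rule: a name with >= ndots dots is tried as-is
    first, otherwise search-list suffixes are tried first.
  * "localhost" (and, by assumption, anything under .localhost) is
    answered locally and never gets search-list processing.
  * A single-label name is never put on the wire bare; it is only ever
    tried with a search suffix appended.
  * Every candidate handed to the wire is absolute (trailing dot).
"""
import ipaddress

# Assumed local answer for localhost; a real stub would take this from
# the host configuration rather than a constant.
LOOPBACK_ADDRESSES = ("127.0.0.1", "::1")


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; normalise once at the presentation layer.
    return name.strip().lower()


def is_localhost(name: str) -> bool:
    """True for "localhost", "localhost." and (assumption) any *.localhost."""
    n = _normalize(name).rstrip(".")
    return n == "localhost" or n.endswith(".localhost")


def qualify(name: str, search_list, ndots: int = 1):
    """Map a user-typed name to ("local", addrs) or ("wire", [fqdn, ...]).

    The wire list is the ordered, de-duplicated set of absolute names a
    stub would query. An empty wire list means the name cannot be
    qualified (single-label name, empty search list): the caller should
    fail the lookup locally instead of querying the root for it.
    """
    n = _normalize(name)
    if not n:
        raise ValueError("empty name")
    if is_localhost(n):
        return ("local", list(LOOPBACK_ADDRESSES))
    if n.endswith("."):
        return ("wire", [n])  # absolute name: no search-list processing at all

    # Clean the search list: drop empty entries, trailing dots, and any
    # "localhost" suffix (it would manufacture names under .localhost).
    suffixes = [_normalize(s).rstrip(".") for s in search_list]
    suffixes = [s for s in suffixes if s and not is_localhost(s)]

    searched = [f"{n}.{s}." for s in suffixes]
    # Single-label names (no dots) never get a bare attempt.
    bare = [f"{n}."] if "." in n else []
    order = bare + searched if n.count(".") >= ndots else searched + bare

    seen, out = set(), []
    for cand in order:  # de-duplicate, keeping the first occurrence
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return ("wire", out)


def reverse_qualify(addr: str):
    """Address-to-name: loopback is answered locally as "localhost";
    anything else maps to its absolute in-addr.arpa / ip6.arpa owner name."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return ("local", "localhost")
    return ("wire", ip.reverse_pointer + ".")


if __name__ == "__main__":
    # Constructed search list and names for illustration.
    search = ["corp.example", "example."]
    for q in ("localhost", "www", "www.redbarn.org", "intra.corp"):
        print(q, "->", qualify(q, search))
    for a in ("127.0.0.1", "::1", "24.104.150.213"):
        print(a, "->", reverse_qualify(a))
```

With the default ndots=1, "www" never reaches the wire bare: it is tried only as "www.corp.example." and "www.example.", and with an empty search list it yields no candidates at all, which is the "never put an unqualified name on the wire" rule made mechanical. "www.redbarn.org" is tried as-is first and then with the suffixes, which is the ordinary RFC 1535 behaviour; a site that wants the suffixes tried first for two-label names raises ndots to 2.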