Re: [DNSOP] Status of "let localhost be localhost"?

"John Levine" <> Thu, 17 August 2017 15:01 UTC

Message-ID: <20170817150106.5492.qmail@ary.lan>
List-Id: IETF DNSOP WG mailing list <>

In article <> you write:
>2.  I know I don't have enough expertise in this area to make an informed
>decision, and smart folks on this thread and elsewhere have told me that an
>insecure delegation would be better than status-quo. I added
>to the document on that basis.

The problem with asking for an insecure root delegation is that the
IETF has no process for putting anything in the root.  In principle we
could work something out with ICANN, but that process would take
somewhere between a very very long time and forever.  It is likely to
be hijacked by other people who also want special treatment for their
pet TLDs, which is why my estimate would be closer to forever.

So my inclination would be to say that localhost lookups that reach
the root will get a secure NXDOMAIN, which one could take as a hint
that it's time to update the stubs and caches that let the query leak.

We don't have to work this out now, we can adopt the document and
figure out what to fix later.


PS: For anyone who was going to say what about .ARPA, it was in the
root a long time before ICANN existed.