Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 28 January 2018 22:37 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA7412702E for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmSiIUjT9iM7 for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:37:41 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4EAD12F2AB for <dnsop@ietf.org>; Sun, 28 Jan 2018 14:37:40 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 69F247A330A; Sun, 28 Jan 2018 22:37:39 +0000 (UTC)
Date: Sun, 28 Jan 2018 22:37:39 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20180128223739.GN3322@mournblade.imrryr.org>
Reply-To: dnsop@ietf.org
References: <20180124205620.GZ3322@mournblade.imrryr.org> <alpine.DEB.2.11.1801251558440.5022@grey.csi.cam.ac.uk> <CAJE_bqf+GqYGFRAsXbBPymQLXoJRs_AxvVHhtcMJF1LEvTL7sQ@mail.gmail.com> <77B805CC-E8FE-4B09-A261-C5CB13707EE4@dotat.at> <CAJE_bqdCZ_vj2nncvEVpYunVmE=xxAiXqrzhu8BGxnSsLjy+3Q@mail.gmail.com> <37A9F504-A8BE-4F47-AAE9-AF2458206F03@fugue.com> <20180126201613.GK3322@mournblade.imrryr.org> <B17E9259-BC28-4861-8102-B716685C75B3@fugue.com> <20180126230343.GL3322@mournblade.imrryr.org> <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHw9_i+dM+MeMVt+et0t-xU-SKxK0nB_XSuPqP1DngmSTuYTqQ@mail.gmail.com> <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/s8YlXa8CeVqRzgP3DzpE4M0FVq4>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jan 2018 22:37:43 -0000
On Fri, Jan 26, 2018 at 06:02:00PM -0600, Ted Lemon wrote: > On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > Multiple participants in this discussion have pointed out that such > > queries are rare. > > Sigh. Yes, such queries are rare. The things that make those queries > are the things that are vulnerable. That such queries are rare is further > evidence that responding to them when they come with NXDOMAIN is a safe > choice to make. Protecting the residual cases is already covered by the draft's requirement on the platform's resolution library to short-circuit "localhost". There is no need to impose a mandate to break these cases on the recursive resolver. > > And, we must not forget that, absent local > > overrides, the iterative resolvers are *already* returning NXDomain, > > because the authoritative data from the root returns NXDomain. > > That's a good point, of course. However, I think we heard in the > discussion prior to adoption that this is not in fact the default behavior > for all recursive resolvers. Once more, *absent local overrides*, all resolvers are already returning NXDomain. Many resolvers don't have local overrides, some do. > > Yes. Keep the MUST for the platform library. Downgrade the MUST for > > the iterative resolver to a SHOULD (absent local data), and either > > exempt DNSSEC or explain why "bogus" local NXDomain is better than > > a cacheable validated NXDomain from the roots. > > How about if it says "SHOULD" but explains what the exception is, and > strongly advocates the position that only when that exception is applicable > should this be treated as optional behavior. Sure. The main exception is when the resolver is serving only loopback clients. And I am not opposed to text that discourages "shared" recursive resolvers from serving local data for "localhost". What remains then beyond recommending NXDomain for non-DNSSEC queries, is a well-reasoned recommendation for what to do with DNSSEC queries (DO bit). My recommendation, as mentioned a few times upthread, is to cache and serve the root zone's validated NXDomain. > I would say that the exception is "when answering queries for the local > host" or something, but I don't understand the intricacies of your use > case sufficiently to know what would satisfy it. I thought I understood > your use case to be the case where the stub resolver is on the same host > as the recursive resolver, but I may have misunderstood. "Whitelisting" loopback resolvers is largely sufficient, provided that the language is changed from MUST to SHOULD. On Sat, Jan 27, 2018 at 12:56:23PM -0500, Warren Kumari wrote: > > And, we must not forget that, absent local > > overrides, the iterative resolvers are *already* returning NXDomain, > > because the authoritative data from the root returns NXDomain. > > ... do they? Definitely, *absent local overrides"*. > Google Public DNS: > $ dig +dnssec localhost @8.8.8.8 > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62555 Google has no such overrides. And yet, localhost queries continue, so NXDomain responses are not proving to be an effective motivation to short-circuit the issue upstream. > Verisign Public DNS: > $ dig +dnssec localhost @64.6.64.6 > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8025 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > ;; ANSWER SECTION: > localhost. 10687 IN A 127.0.0.1 > > Quad9: > $ dig +dnssec localhost @9.9.9.9 > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22677 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > ;; ANSWER SECTION: > localhost. 86170 IN A 127.0.0.1 > > OpenDNS: > dig +dnssec localhost @208.67.222.222 > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14156 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > ;; ANSWER SECTION: > localhost. 604800 IN A 127.0.0.1 Verisign, Quad9 and OpenDNS do have the traditional "local overrides". Perhaps when they become aware of this draft, they'll drop the override zone, or perhaps they'll leave the short-circuit decision to the platform library maintainers. Time will tell. In summary I see the following actions to move this forward: - Encourage (SHOULD) recursive resolvers to not serve local data for localhost, except perhaps when the resolver is a loopback only resolver. - Encourage (SHOULD) recursive resolvers that don't have local data for localhost to short-circuit insecure (no DO bit) localhost A/AAAA queries with NXDomain without forwarding these upstream to the roots. - Suggest that rather than returning "bogus" NXDomain responses, secure (DO bit set) queries should get secure NXDomain responses (thus forwarded to the root servers and cached). -- Viktor.
- [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-b… Jeff Hodges
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… A. Schulze
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… 神明達哉
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Paul Vixie
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Ted Lemon
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Warren Kumari
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Mark Andrews
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Petr Špaček
- Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localho… Viktor Dukhovni