IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 28 January 2018 22:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA7412702E for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmSiIUjT9iM7 for <dnsop@ietfa.amsl.com>; Sun, 28 Jan 2018 14:37:41 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4EAD12F2AB for <dnsop@ietf.org>; Sun, 28 Jan 2018 14:37:40 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 69F247A330A; Sun, 28 Jan 2018 22:37:39 +0000 (UTC)
Date: Sun, 28 Jan 2018 22:37:39 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20180128223739.GN3322@mournblade.imrryr.org>
Reply-To: dnsop@ietf.org
References: <20180124205620.GZ3322@mournblade.imrryr.org> <alpine.DEB.2.11.1801251558440.5022@grey.csi.cam.ac.uk> <CAJE_bqf+GqYGFRAsXbBPymQLXoJRs_AxvVHhtcMJF1LEvTL7sQ@mail.gmail.com> <77B805CC-E8FE-4B09-A261-C5CB13707EE4@dotat.at> <CAJE_bqdCZ_vj2nncvEVpYunVmE=xxAiXqrzhu8BGxnSsLjy+3Q@mail.gmail.com> <37A9F504-A8BE-4F47-AAE9-AF2458206F03@fugue.com> <20180126201613.GK3322@mournblade.imrryr.org> <B17E9259-BC28-4861-8102-B716685C75B3@fugue.com> <20180126230343.GL3322@mournblade.imrryr.org> <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHw9_i+dM+MeMVt+et0t-xU-SKxK0nB_XSuPqP1DngmSTuYTqQ@mail.gmail.com> <D567DE88-9B92-4E82-97AD-743C36D26B70@fugue.com>
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/s8YlXa8CeVqRzgP3DzpE4M0FVq4>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jan 2018 22:37:43 -0000

On Fri, Jan 26, 2018 at 06:02:00PM -0600, Ted Lemon wrote:

> On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> > Multiple participants in this discussion have pointed out that such
> > queries are rare.
> 
> Sigh.   Yes, such queries are rare.   The things that make those queries
> are the things that are vulnerable.   That such queries are rare is further
> evidence that responding to them when they come with NXDOMAIN is a safe
> choice to make.

Protecting the residual cases is already covered by the draft's
requirement on the platform's resolution library to short-circuit
"localhost".  There is no need to impose a mandate to break these
cases on the recursive resolver.

> > And, we must not forget that, absent local
> > overrides, the iterative resolvers are *already* returning NXDomain,
> > because the authoritative data from the root returns NXDomain.
> 
> That's a good point, of course.   However, I think we heard in the
> discussion prior to adoption that this is not in fact the default behavior
> for all recursive resolvers.

Once more, *absent local overrides*, all resolvers are already
returning NXDomain.  Many resolvers don't have local overrides,
some do.

> > Yes.  Keep the MUST for the platform library.  Downgrade the MUST for
> > the iterative resolver to a SHOULD (absent local data), and either
> > exempt DNSSEC or explain why "bogus" local NXDomain is better than
> > a cacheable validated NXDomain from the roots.
> 
> How about if it says "SHOULD" but explains what the exception is, and
> strongly advocates the position that only when that exception is applicable
> should this be treated as optional behavior.

Sure.  The main exception is when the resolver is serving only
loopback clients.  And I am not opposed to text that discourages
"shared" recursive resolvers from serving local data for "localhost".

What remains then beyond recommending NXDomain for non-DNSSEC queries,
is a well-reasoned recommendation for what to do with DNSSEC queries
(DO bit).  My recommendation, as mentioned a few times upthread, is
to cache and serve the root zone's validated NXDomain.

> I would say that the exception is "when answering queries for the local
> host" or something, but I don't understand the intricacies of your use
> case sufficiently to know what would satisfy it.   I thought I understood
> your use case to be the case where the stub resolver is on the same host
> as the recursive resolver, but I may have misunderstood.

"Whitelisting" loopback resolvers is largely sufficient, provided that
the language is changed from MUST to SHOULD.

On Sat, Jan 27, 2018 at 12:56:23PM -0500, Warren Kumari wrote:

> >  And, we must not forget that, absent local
> > overrides, the iterative resolvers are *already* returning NXDomain,
> > because the authoritative data from the root returns NXDomain.
> 
> ... do they?

Definitely, *absent local overrides"*.

> Google Public DNS:
> $ dig  +dnssec localhost @8.8.8.8
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62555

Google has no such overrides.  And yet, localhost queries continue,
so NXDomain responses are not proving to be an effective motivation
to short-circuit the issue upstream.

> Verisign Public DNS:
> $ dig +dnssec localhost @64.6.64.6
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8025
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> localhost. 10687 IN A 127.0.0.1
>
> Quad9:
> $ dig +dnssec localhost @9.9.9.9
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22677
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> localhost. 86170 IN A 127.0.0.1
>
> OpenDNS:
> dig +dnssec localhost @208.67.222.222
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14156
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> localhost. 604800 IN A 127.0.0.1

Verisign, Quad9 and OpenDNS do have the traditional "local overrides".

Perhaps when they become aware of this draft, they'll drop the
override zone, or perhaps they'll leave the short-circuit decision
to the platform library maintainers.  Time will tell.

In summary I see the following actions to move this forward:

    - Encourage (SHOULD) recursive resolvers to not serve local
      data for localhost, except perhaps when the resolver is a
      loopback only resolver.

    - Encourage (SHOULD) recursive resolvers that don't have local
      data for localhost to short-circuit insecure (no DO bit) localhost
      A/AAAA queries with NXDomain without forwarding these upstream
      to the roots.

    - Suggest that rather than returning "bogus" NXDomain responses,
      secure (DO bit set) queries should get secure NXDomain
      responses (thus forwarded to the root servers and cached).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email