Re: [DNSOP] Status of "let localhost be localhost"?

"John Levine" <johnl@taugh.com> Sat, 05 August 2017 21:01 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C930131F1A for <dnsop@ietfa.amsl.com>; Sat, 5 Aug 2017 14:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odxCeG2U4-sR for <dnsop@ietfa.amsl.com>; Sat, 5 Aug 2017 14:01:41 -0700 (PDT)
Received: from miucha.iecc.com (w6.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06B38131F21 for <dnsop@ietf.org>; Sat, 5 Aug 2017 14:01:40 -0700 (PDT)
Received: (qmail 53395 invoked from network); 5 Aug 2017 21:01:39 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 5 Aug 2017 21:01:39 -0000
Date: 5 Aug 2017 21:01:17 -0000
Message-ID: <20170805210117.1123.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: matt@conundrum.com
In-Reply-To: <CAAiTEH9=RNDrUmSOs8Rg2Ea4+as9pg=j5jnU6Y=nc8A4Z1aPog@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t6snyvP_MHE7b7PsC0k84LL1J6s>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Aug 2017 21:01:43 -0000

In article <CAAiTEH9=RNDrUmSOs8Rg2Ea4+as9pg=j5jnU6Y=nc8A4Z1aPog@mail.gmail.com>; you write:
>In the case where 'localhost' is being passed to DNS resolution software, a
>validating stub (for example inside a web browser) needs a way to know that
>the 'localhost' TLD should be treated as insecure.  In that case, the only
>way to accomplish that is ...

 ... by having the stub or cache treat localhost as a special case.

I use unbound as my cache which as far as I know has always done that.
Are there caches that don't?  Are there validating stubs that don't?

My reading of this draft is that if you don't treat localhost as a
special case already, it's time to get with the program.  

R's,
John

> with an insecure delegation at the root.