Re: [DNSOP] Status of "let localhost be localhost"?

Joe Abley <jabley@hopcount.ca> Wed, 02 August 2017 13:34 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAKXHy=e48CqjPPj-kXu34ptqSipgvJDRkVjHRwwDezCKvepFtQ@mail.gmail.com>
Date: Wed, 2 Aug 2017 14:34:15 +0100
Cc: Mark Andrews <marka@isc.org>, dnsop WG <dnsop@ietf.org>, Jacob Hoffman-Andrews <jsha@eff.org>
Message-Id: <7019539A-48B1-4FA2-801D-20A78D85B339@hopcount.ca>
References: <05e469cf-1325-89fc-4a81-661f8647e869@eff.org> <CAKXHy=ctB=LZkX9j=8-Jy0NkTAs2tAesa4gmFhfp94O5=9U4TA@mail.gmail.com> <1dbb47a4-c6e2-97d2-a1d7-ce6c65a4042a@eff.org> <20170802012345.2CE2680BCC5E@rock.dv.isc.org> <CAKXHy=e48CqjPPj-kXu34ptqSipgvJDRkVjHRwwDezCKvepFtQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wLcfjHaUR8jyGpTesags7PkJ3B4>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?

Hi Mike,

On Aug 2, 2017, at 09:54, Mike West <mkwst@google.com> wrote:

> What would you like to see in the document in order to address this concern? A requirement that a `localhost` zone be created and delegated as an insecure delegation, using some of the language from the draft above (e.g. "This delegation MUST NOT be signed, MUST NOT include a DS record, and MUST point to one or more black hole servers, for example 'blackhole-1.iana.org.' and 'blackhole-2.iana.org.'.")?

Any such delegation would be lame, and is a bad idea just for that reason. There's no foolproof way to add or drop zones hosted on the whole AS112 server system due to the lack of coordination between AS112 node operators -- despite the good communication between many such operators, there's no good way to tell what nodes you don't know about.

If you really wanted to sink queries in the top-level domain LOCALHOST a better approach would be to use DNAME (see RFC 7535). But note that I'm not expressing an opinion on whether that's a good idea, either philosophically or practically, in this specific example.


Joe
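The DNAME redirection Joe refers to works by rewriting query names below the DNAME owner into the sink zone (RFC 6672 substitution, with empty.as112.arpa. as the RFC 7535 sink target). The following is an added illustration, not code from this thread or from any draft; the `localhost.` owner name and the sample queries are constructed for the example. It also shows the caveat a practitioner should know: a DNAME never applies to its own owner name, so queries for the bare `localhost.` still need to be answered by something else.

```python
# Added example: DNAME substitution as described in RFC 6672 section 2.1,
# used to sink everything under a hypothetical LOCALHOST top-level domain
# into the AS112 empty zone (empty.as112.arpa., RFC 7535).
from typing import Optional

DNAME_OWNER = "localhost."          # hypothetical owner of the DNAME record
DNAME_TARGET = "empty.as112.arpa."  # RFC 7535 sink target


def _canon(name: str) -> str:
    """Lower-case and ensure a single trailing dot (fully qualified)."""
    return name.strip().lower().rstrip(".") + "."


def _wire_length(name: str) -> int:
    """Length of a name in DNS wire format: each label is len+1, plus root octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


def dname_substitute(qname: str, owner: str = DNAME_OWNER,
                     target: str = DNAME_TARGET) -> Optional[str]:
    """Return the CNAME target a server would synthesize for qname, or None.

    None means the DNAME does not apply: the name is not below the owner,
    it is the owner itself (DNAME never covers its own owner name), or the
    substituted name would exceed 255 octets (RFC 6672: YXDOMAIN).
    """
    q, o, t = _canon(qname), _canon(owner), _canon(target)
    if q == o or not q.endswith("." + o):
        return None
    prefix = q[:-(len(o) + 1)]          # labels below the owner
    synthesized = prefix + "." + t
    if _wire_length(synthesized) > 255:
        return None
    return synthesized


def sink_answer(qname: str) -> list:
    """Records a DNAME-aware server would put in the answer section."""
    new_name = dname_substitute(qname)
    if new_name is None:
        return []
    return [(DNAME_OWNER, "DNAME", DNAME_TARGET),
            (_canon(qname), "CNAME", new_name)]
```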