Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

Ted Lemon <mellon@fugue.com> Tue, 30 January 2018 17:39 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <AE634FC4-0EAF-4F54-8860-61E41284F873@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2E71C455-0572-4B74-92CD-619CBE87ABDC"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Tue, 30 Jan 2018 11:39:31 -0600
In-Reply-To: <CA+nkc8D7tne5SxGOUhvJqstmDa=1=RmvcHQte1byAab5dUd5sQ@mail.gmail.com>
Cc: Paul Vixie <paul@redbarn.org>, IETF DNSOP WG <dnsop@ietf.org>
To: Bob Harold <rharolde@umich.edu>
References: <9DCE2F63-EE37-4865-B9D6-6B79BBE05593@gmail.com> <20180129155112.GC16545@mx4.yitter.info> <5A6F5CF1.4080706@redbarn.org> <CA+nkc8D7tne5SxGOUhvJqstmDa=1=RmvcHQte1byAab5dUd5sQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xJJDR97Kb4zfGLDuid965rB4ygA>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

On Jan 30, 2018, at 9:44 AM, Bob Harold <rharolde@umich.edu> wrote:
> I would prefer to extend that to the root, and have a DNSSEC signed answer, although I realize that is difficult, and would accept the draft without it. But we should give some guidance for DNSSEC queries - do we give a bogus response with the IPs, or a validated answer of NXDOMAIN?

It is possible to produce a signed answer, because the domain doesn't exist: if you query the root and ask for a signed response, you should get one. This response can be cached locally and returned to stub resolvers that ask for a signed response.

cavall% dig @a.root-servers.net localhost

; <<>> DiG 9.10.1b1 <<>> @a.root-servers.net localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19121
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;localhost.			IN	A

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018013001 1800 900 604800 86400

;; Query time: 1539 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jan 30 11:37:13 CST 2018
;; MSG SIZE  rcvd: 113

versus:

cavall% dig +dnssec @a.root-servers.net localhost

; <<>> DiG 9.10.1b1 <<>> +dnssec @a.root-servers.net localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29683
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;localhost.			IN	A

;; AUTHORITY SECTION:
loans.			86400	IN	NSEC	locker. NS DS RRSIG NSEC
loans.			86400	IN	RRSIG	NSEC 8 1 86400 20180212150000 20180130140000 41824 . UZH9Nl/4FLq3t5xOJvrFQzaBf5sktHJHTyHzfTCQSHGR8/0ViSlZ1FGB eac/wM4QXmDtuHaLI89zTHzsp6Bv2vVz09y/tUVgBfU4UcvkNOnSuToW fXQaB6MPlqktp9lw0ZHAk4dyOyeBz6MhI+S6BCsY978Yk5kySi/S8kuz 0p5Bc1qUWJYi3xkFUMB1PQe3OCS031ZnM1de+tjcma2EJQgNFScdJbfH 68adi2BQvdhHz0wMTjpItTWTPIEwv11KKi19SzZKEBxQPHRlNC2fVSlV bwg863ubm4lxmPEH6bdpsspKJObWYU8qC3E3KSXK6+ooBzyAVzI5ERRc yoz9zA==
.			86400	IN	NSEC	aaa. NS SOA RRSIG NSEC DNSKEY
.			86400	IN	RRSIG	NSEC 8 0 86400 20180212150000 20180130140000 41824 . e/KqZevslC6QTFyDkwWKN5XUAgTLdUiJcoQhuDKcm1H7jgXOb+FMfvbM /TrFMT+AheiN0pjN3evOrY9H0NN/4SBdrnEtPt1JV37GaQXwK3jEbB48 fLq/zKhmA1vvZY4lalToPYB1R7V4CHW7UIPbMX5HWeP178xmR0Dtc5y/ XI9gNpErCI4MkPoWEpMg4kOyBUtvOT02epRUbTrWovEM5TZkUiMLqGR1 lN09u5ARSOd06jTEhP4PtFvnzqbFMMlYWDl8P5wLzkUEDptsP2GZbFj0 kYEwvjVtihY9lwlY9Hl9r7xy4ucBNqVcZFnrnjEWxuo1vdUd0+3EjujR BplRcw==
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2018013001 1800 900 604800 86400
.			86400	IN	RRSIG	SOA 8 0 86400 20180212150000 20180130140000 41824 . cQULD+MOdwm2zcCes3LXD6buPnAZpfJZRU7zT7GtM4XWx+uQjfWAotkt gG6CuTzp2UvL2tqKcbHsNg7KjXycYv20OK6IBmu0/QGsSsw7hSmqUZar B1OR5oQEGJ7v+uH326YIhPyjdqJiTiZ8ka/1tVdt2vYKOSg8qVGkvSgM 72LjFAKKHVYr9GHIAqIo4ZhcnjOpP+ql33Q7MgzkS/rYhPMCmaS4TvOu ClF/YF+QxhcxSuyZLNH3TtRi+wGQpxu9bEHCd1qnuOnWNO1Kkh69zhNi NIrqkS2NE/vRkRn5QLeFKe8UCr2u4UM1tmAk9xmVtZu01M01/+WIm0tf WIt3UA==

;; Query time: 80 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Jan 30 11:38:00 CST 2018
;; MSG SIZE  rcvd: 1030
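The following is an added example, not part of the message above or of the draft it discusses. It takes the two NSEC records from the +dnssec response shown and performs the coverage check a validating resolver applies before treating the answer as a secure NXDOMAIN: the canonical name ordering of RFC 4034 section 6.1, the delegation rule of RFC 4035 section 5.4, and the separate proof that no wildcard at the closest encloser could have synthesized an answer. RRSIG verification is assumed to have already succeeded; the record data is transcribed from the AUTHORITY section, and the function and variable names are this example's own.

```python
"""
NSEC denial-of-existence check for the signed NXDOMAIN that the root
returns for "localhost.".  Added example: RRSIG validation is assumed
done; only the NSEC coverage logic (RFC 4034 6.1, RFC 4035 5.4) is shown.
"""

# Transcribed from the AUTHORITY section of the +dnssec dig output:
# (owner name, next owner name, type bitmap).
ROOT_NSEC_RRS = [
    ("loans.", "locker.", ("NS", "DS", "RRSIG", "NSEC")),
    (".", "aaa.", ("NS", "SOA", "RRSIG", "NSEC", "DNSKEY")),
]


def canonical_labels(name):
    """Labels of a presentation-format name, lowercased and ordered from
    the root outward (rightmost label first); the root itself is []."""
    name = name.rstrip(".").lower()
    return [lbl.encode("ascii") for lbl in reversed(name.split("."))] if name else []


def canonical_less(a, b):
    """Strict canonical ordering (RFC 4034 6.1): compare label by label
    starting at the root as unsigned octet strings; an ancestor sorts
    before all of its descendants."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x < y
    return len(la) < len(lb)


def is_ancestor(parent, child):
    """True if parent is a proper ancestor of child."""
    lp, lc = canonical_labels(parent), canonical_labels(child)
    return len(lp) < len(lc) and lc[: len(lp)] == lp


def nsec_covers(owner, next_name, qname, types=()):
    """True if the NSEC RR owner -> next_name proves qname does not exist."""
    # An NSEC at a delegation point (NS set, SOA not set) says nothing
    # about names below that delegation (RFC 4035 5.4).
    if is_ancestor(owner, qname) and "NS" in types and "SOA" not in types:
        return False
    if not canonical_less(owner, qname):
        return False
    # The last NSEC of a zone points back at the apex, so it covers
    # everything that sorts after its owner.
    if not canonical_less(owner, next_name):
        return True
    return canonical_less(qname, next_name)


def closest_encloser(qname, owner, next_name):
    """Longest existing ancestor of qname implied by the covering NSEC:
    the longer of its common ancestors with the owner and next names.
    Returned as a root-first label list ([] means the zone apex '.')."""
    lq = canonical_labels(qname)
    best = []
    for other in (owner, next_name):
        lo = canonical_labels(other)
        n = 0
        while n < min(len(lq), len(lo)) and lq[n] == lo[n]:
            n += 1
        if n > len(best):
            best = lq[:n]
    return best


def wildcard_of(labels):
    """Presentation form of '*' under the given root-first label list."""
    parts = ["*"] + [lbl.decode("ascii") for lbl in reversed(labels)]
    return ".".join(parts) + "."


def prove_nxdomain(qname, nsec_rrs):
    """Return (name_covered, wildcard_covered).  Both must be True before a
    validator may treat the response as a secure NXDOMAIN; otherwise the
    response is either about an existing name or is missing proof."""
    covering = [rr for rr in nsec_rrs if nsec_covers(rr[0], rr[1], qname, rr[2])]
    if not covering:
        return (False, False)
    owner, nxt, _ = covering[0]
    wildcard = wildcard_of(closest_encloser(qname, owner, nxt))
    wc_covered = any(nsec_covers(o, n, wildcard, t) for o, n, t in nsec_rrs)
    return (True, wc_covered)


if __name__ == "__main__":
    # "localhost." sorts between "loans." and "locker.", and "*." sorts
    # between "." and "aaa.", so both halves of the proof succeed.
    print(prove_nxdomain("localhost.", ROOT_NSEC_RRS))
```

The two-record proof is exactly what a validator needs to return a validated NXDOMAIN to a stub that set the DO bit, and it is also what lets a resolver cache the NSEC pair and answer later "localhost." queries from that cache (RFC 8198) without re-querying the root. The delegation check matters in the root zone specifically: the "loans." NSEC carries NS without SOA, so it must not be used to deny names below "loans.".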