Re: [DNSOP] Localhost - more reliable options?
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 18 August 2017 01:54 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ACC313274F for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 18:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbafuHcxM4YG for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 18:54:07 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0071132409 for <dnsop@ietf.org>; Thu, 17 Aug 2017 18:54:07 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id 76so1722509ith.0 for <dnsop@ietf.org>; Thu, 17 Aug 2017 18:54:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zmzYzZgLpjaSx8rlhFhfsqKLY149LPUEECGy7lbc2HU=; b=DCeUItxtYsrD1eBefWcvHDzSvS5jy3ZlKZHllmmBFjLHKZBWI3OdGCCoWIe8BGxr3k rdk2XwlpE6l2YuWLV4AMkN+PKQdxej0X219+EbqMQsLIWcu5+ZunfuXGxFkJSOkR1o7K HyZRi5yGE91m8zg8R2iKWcuR6xt1DOAEiMOVqHD/NTuvOYvyElZMmV49I6QOSXuL6ar0 rgAf5yuH9Vp3m/cikM1WQgmH3G7TpKtKaXFhSE5n6Ym5D/BOeBeFHz4HvCd5nl5BjER1 mfXOc3JuQYjTZUMYuBqN7lmHoqWkwMzKHknK7xc/+Ze5o5blsXOGsv6/ZrnOgjfHqM/s m6Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zmzYzZgLpjaSx8rlhFhfsqKLY149LPUEECGy7lbc2HU=; b=GTTcyPjKLLbY8zdfcn1ex6GrAAgA1QNai8K6EVyu0pwWHeUyM+TShNy8v6SR4+Laye mIwiPenDUhwXSFYXVezDhIpFE0hE4DRpcHymlVdyKPYchIiuKEwfTRgk0ugxWX44hZ6x 560xasYg2o08eCYna2qA+fnJq67SDuyBLjd6NXEwrRlMtL3Bm/YmZdMhU+okK0dF/fl9 ADdk/XIhAT//22YjAtlWWmjOYuRROUD6GBDdE+6B9qQ0qOXG67vemcXrQTpRrSJJGbkk 97i3z8HC8Iy3V5eT+mxRqR1X76mbrFFPxNKMRwMkQH942l998Eo5Xjvbwxb0JGZtbTEU XUhA==
X-Gm-Message-State: AHYfb5joE0FCZiC264uEwPPuqux3mBu9o2vJsyxP/pq+aWeQwP/yZgJn 4JSF2TnFtId8T26dk2DJnUAYaAZhgQ==
X-Received: by 10.36.116.3 with SMTP id o3mr411230itc.62.1503021245951; Thu, 17 Aug 2017 18:54:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.107.71 with HTTP; Thu, 17 Aug 2017 18:54:05 -0700 (PDT)
In-Reply-To: <597FEBF7-7D11-4E50-9B79-63301914F75B@fugue.com>
References: <CAH1iCiqr_9Om-jwRq6mLABH3cZ1D0qptLHVUQ1YtZn0ViQM=Mw@mail.gmail.com> <597FEBF7-7D11-4E50-9B79-63301914F75B@fugue.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 17 Aug 2017 18:54:05 -0700
Message-ID: <CAH1iCip41ohOxKZdqEN-NOyRuv-d1knxuwR3LJNHOC+C6QJC3g@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a114aa4687474ff0556fd6757"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z8G75hPzLQu0ogfmegYru8K6WXo>
Subject: Re: [DNSOP] Localhost - more reliable options?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 01:54:10 -0000
On Thu, Aug 17, 2017 at 6:28 PM, Ted Lemon <mellon@fugue.com> wrote: > El 17 ag 2017, a les 18:22, Brian Dickson <brian.peter.dickson@gmail.com> > va escriure: > > Sorry if this isn't as clear as I intended - basically, what I'm saying, > is that the answer might not even be an IP, protocol and port, but might > even be a "file:///" URI, for a named pipe, which avoids the whole IP > stack. > > > It's hard to see how this is going to help. What we are trying to do > here is bypass DNS; now you are asking us to go through DNS to get the name > of a local resource and contact it. So really you've just increased the > attack surface. > > If you're trying to use "localhost", that means you're using some kind of name resolution, whether it be DNS, /etc/hosts, NIS+, or anything else. I'm suggesting that by using DNS, you can take advantage of what DNS has to offer, which includes potentially DNSSEC. There is a bootstrap problem, in that the client might have to know something about its own name... In the use case, are you trying to bypass DNS because you don't trust it? That part isn't really clear. What are the assumptions that are being made, best case vs worst case, and which are known to be "guaranteed"? Is the server doing dynamic update to whoever its DNS authority is? Is DNSSEC an option (sometimes?) or not... etc. So, here's one model that might work. Put the "localhost" at the deepest part of the namespace, *below* the host name. I.e., if my name is fully.qualified.domain.name, then I "control" my own name and things below it, and do an update for " localhost.fully.qualified.domain.name". IFF that name exists, then the server is smart enough to be assumed to be listening on whatever IP address (v4 or v6) is registered, and the client can reasonably trust that. Using SRV at that point is maybe overkill, maybe not (depending on the trust model). Add DANE stuff if you really want to do some kind of validation, etc. Or use URI for getting off the IP stack, if "file:///" makes sense. I think someone should write up the problem statement, since it is possible that what you really want has nothing to do with localhost, and having the "let localhost" kind of presumes the solution before identifying the real problem... What are you actually trying to do, and why? Brian
- [DNSOP] Localhost - more reliable options? Brian Dickson
- Re: [DNSOP] Localhost - more reliable options? Ted Lemon
- Re: [DNSOP] Localhost - more reliable options? Brian Dickson
- Re: [DNSOP] Localhost - more reliable options? Ted Lemon
- Re: [DNSOP] Localhost - more reliable options? Brian Dickson
- Re: [DNSOP] Localhost - more reliable options? Ted Lemon
- Re: [DNSOP] Localhost - more reliable options? Richard Barnes