Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-10-23 Thread tjw ietf
The Call For Adoption ended some time ago, and I spent some time reading the comments. There is consensus to adopt this, *but* there is also enough of a concern that some of the issues raised be addressed. We'll want to make sure all issues are addressed. tim On Tue, Oct 10, 2017 at 5:12

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-10-10 Thread Petr Špaček
On 9.10.2017 22:20, Jacob Hoffman-Andrews wrote: > On 10/09/2017 01:16 PM, Warren Kumari wrote: >> So, that's my (new) views, and the thread seemed to have stalled. I >> believe that the security implications of having localhost queries >> leak into the DNS is bad, and there is significant

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-10-09 Thread Jacob Hoffman-Andrews
On 10/09/2017 01:16 PM, Warren Kumari wrote: > So, that's my (new) views, and the thread seemed to have stalled. I > believe that the security implications of having localhost queries > leak into the DNS is bad, and there is significant evidence that this > is happening. I get that there is no

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-10-09 Thread Warren Kumari
[ Top-post - replying midway through because this seemed like the most related email :-) ] So, I've been noodling over this for quite a while, and I've refined my views -- the more I think about it, the more I think that "querying the DNS for localhost (or .localhost) is an error " -- and that

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-20 Thread Wendy Seltzer
>From a W3C perspective, and for the further specification of components of the web security model, it would be helpful to have this behavior of the loopback interface specified. I support adoption and will be willing to review text. Thanks, --Wendy On 09/06/2017 10:00 AM, tjw ietf wrote: >

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-20 Thread =JeffH
> This starts a formal Call for Adoption for > draft-west-let-localhost-be-localhost > > The draft is available here: > > > Please review this draft to see if you think it is suitable for > adoption by DNSOP, and comments

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-14 Thread Peter van Dijk
Hi John, On 13 Sep 2017, at 18:33, John Levine wrote: I would settle for SHOULD NOT. Can you elaborate on the debugging? There is something strange going on with my remote server, and I use localhost.mydomain so a little debugging server on my own computer can steal state and see what's going

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Lanlan Pan
not only localhost.example.com: http://seclists.org/bugtraq/2008/Jan/270 if xxx.example.com is NXDOMAIN, there is a similar risk caused by the "nxdomain redirect" recursive dns (they return a hijack A RR). CA SSO (SiteMinder) may be a solution. localhost. seems a new special-use TLD, like arpa.

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Ted Lemon
You've made your position clear, thanks. On Sep 13, 2017 20:54, "Mark Andrews" wrote: > > In message <714677ea-e3c8-4145-825c-5ba8eabd0...@fugue.com>, Ted Lemon > writes: > > > > On Sep 13, 2017, at 1:19 PM, John Levine wrote: > > > I concur with Mark that while

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Mark Andrews
In message <714677ea-e3c8-4145-825c-5ba8eabd0...@fugue.com>, Ted Lemon writes: > > On Sep 13, 2017, at 1:19 PM, John Levine wrote: > > I concur with Mark that while localhost. is a problem, > > .localhost is not. I've occasionally used that hack to pass > > traffic to various

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Ted Lemon
On Sep 13, 2017, at 1:19 PM, John Levine wrote: > I concur with Mark that while localhost. is a problem, > .localhost is not. I've occasionally used that hack to pass > traffic to various servers running on 127/8 addresses other than > 127.0.0.1. So we should expose end-users

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Ted Lemon
On Sep 13, 2017, at 12:46 PM, Matthew Pounsett wrote: > I thought the goal was to ensure that localhost names map to loopback. No. If that were the goal, we might well be proposing using DNS to provide that information. The goal is to make localhost less of an attack

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Wes Hardaker
Tony Finch writes: > From my brief look at a small amount of traffic, localhost queries are > basically all handled inside the stub, so it is de facto as you > describe. Just as an FYI data point: On April 12th (a DITL day) B-root received just shy of a million packets with

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread John Levine
In article <20170913030645.946e88551...@rock.dv.isc.org> you write: >> When we look at edge cases like this, it's tempting to be swept away by >> the futility of trying to close every gap. But it's still worth closing >> the ones we can close. Trying to outlaw localhost.* is hopeless. But >>

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Matthew Pounsett
On 12 September 2017 at 20:14, Ted Lemon wrote: > On Sep 12, 2017, at 11:06 PM, Mark Andrews wrote: > > Oh sorry you can't use SRV with localhost to assign a port to this > protocol THAT HAS NO DEFAULT PORT and only a NAME. Is this what you > REALLY want to do?

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread John Levine
In article <153c19cc-3120-466a-a158-a9833a2d1...@powerdns.com> you write: >> I agree that localhost. pointing to loopback is generally asking >> for trouble, but I am not at this point sufficiently confident that it >> is never ever a good idea to say MUST NOT rather than SHOULD NOT. I >> can for

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-13 Thread Peter van Dijk
Hello John, On 13 Sep 2017, at 4:15, John Levine wrote: In article <63da2e77-8507-4f25-8684-14eabf9a5...@powerdns.com> you write: Since we are doing a draft/RFC on what localhost is and is not, I suggest we put some text in there banning (MUST NOT) the practice of having localhost entries (at

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Ted Lemon
On Sep 12, 2017, at 11:06 PM, Mark Andrews wrote: > Oh sorry you can't use SRV with localhost to assign a port to this > protocol THAT HAS NO DEFAULT PORT and only a NAME. Is this what you > REALLY want to do? Yes. ___ DNSOP mailing

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Mark Andrews
In message <26e56255-6169-4626-95e8-a9d6a2d5e...@fugue.com>, Ted Lemon writes: > On Sep 12, 2017, at 10:15 PM, John Levine wrote: > > Believe it or not, there are real non-loopback localhost domain names, > > like localhost.reddit.com . > > > > I

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Ted Lemon
On Sep 12, 2017, at 10:15 PM, John Levine wrote: > Believe it or not, there are real non-loopback localhost domain names, > like localhost.reddit.com . > > I agree that localhost. pointing to loopback is generally asking > for trouble, but I am not

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread John Levine
In article <63da2e77-8507-4f25-8684-14eabf9a5...@powerdns.com> you write: >Since we are doing a draft/RFC on what localhost is and is not, I >suggest we put some text in there banning (MUST NOT) the practice of >having localhost entries (at least those pointing to 127.0.0.1/::1?) in >auth

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Paul Vixie
Tony Finch wrote: Paul Vixie wrote: > ... Your localhost records (like the ones I deleted from cam.ac.uk last week) are troublesome for the web browser same origin security policy: they can lead to vulnerabilities when your websites are accessed from multi-user machines and
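The two messages above (Peter van Dijk's proposal, quoted by John Levine, to forbid localhost entries pointing at 127.0.0.1/::1 in authoritative zones, and Tony Finch's note that such records break the browser same-origin policy on multi-user machines) describe an audit an operator can run today. What follows is an added example, not code from the draft or from anyone in the thread: a small master-file parser plus a check that flags every A/AAAA record in a zone that answers with a loopback address, calling out localhost-labelled owners separately. It goes one step beyond the proposal by also flagging loopback answers under other labels, since the same-origin problem comes from the address, not the label. The zone text, the `Finding`/`parse_zone`/`audit_zone` names and example.com (the reserved documentation domain) are all constructed for the example.

```python
"""Audit an authoritative zone for records that answer with loopback.

Added example; not the draft's text, not any participant's code. The
zone below is constructed for the example (example.com is reserved for
documentation) and deliberately mixes the patterns from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

CLASSES = {"IN", "CH", "HS"}


@dataclass
class Finding:
    owner: str   # fully qualified owner name, lowercase, trailing dot
    rtype: str
    rdata: str
    reason: str  # "localhost-loopback" or "loopback-under-domain"


def qualify(owner: str, origin: str) -> str:
    """Turn a zone-file owner into a lowercase FQDN with trailing dot."""
    if owner == "@":
        return origin.lower()
    if owner.endswith("."):
        return owner.lower()
    return (f"{owner}.{origin}" if origin != "." else f"{owner}.").lower()


def parse_zone(text: str, origin: str = ".") -> List[Tuple[str, str, str]]:
    """Minimal master-file parser returning (owner FQDN, type, rdata).

    Handles $ORIGIN, optional TTL/class, '@', relative names and the
    blank-owner shorthand. It does not handle parentheses that span
    lines; keep SOA on one line for this example.
    """
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):
            continue                                # $TTL and friends
        if line[0].isspace():
            owner = last_owner                      # blank owner repeats previous
        else:
            owner = tokens.pop(0)
        if owner is None:
            continue
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                           # skip TTL and class
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        records.append((qualify(owner, origin), rtype, " ".join(tokens)))
    return records


def audit_zone(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag every A/AAAA record whose address is loopback (127/8 or ::1)."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                                # malformed rdata; not our concern here
        if not addr.is_loopback:
            continue
        first_label = owner.rstrip(".").split(".")[0]
        reason = "localhost-loopback" if first_label == "localhost" else "loopback-under-domain"
        findings.append(Finding(owner, rtype, rdata, reason))
    return findings


def audit_zone_text(text: str) -> List[Finding]:
    return audit_zone(parse_zone(text))


# Constructed sample zone (not a real zone).
CONSTRUCTED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@             IN SOA  ns1 hostmaster 2017091201 7200 900 1209600 3600
              IN NS   ns1
ns1           IN A    192.0.2.53
www           IN A    192.0.2.10
localhost     IN A    127.0.0.1     ; the localhost.$ORIGIN record
              IN AAAA ::1
dev           IN A    127.0.0.1     ; same problem under another label
localhost.sub IN A    192.0.2.77    ; localhost-labelled but not loopback
"""

if __name__ == "__main__":
    for f in audit_zone_text(CONSTRUCTED_ZONE):
        print(f"{f.reason:22} {f.owner} {f.rtype} {f.rdata}")
```

On the sample zone this reports the two localhost.example.com records and dev.example.com, and stays quiet about localhost.sub.example.com, which carries a localhost label but does not point at loopback. Run it over a zone dumped from your own primary; any "localhost-loopback" hit is the record the MUST NOT text would cover.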

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread John Levine
In article you write: >I think that this boils down to: It is an error to send a query for >localhost (or anything under localhost) to the DNS. The main reason >for this (at least from my reading of the thread) is a security

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Mark Andrews
In message , "John R Levine" writes: > >>> When something shouldn't work, it shouldn't work. > >> > >> I agree but this is a tangent. The draft is about localhost. or maybe <something>.localhost. It's not about localhost.. > > > > The problem with this

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread John R Levine
When something shouldn't work, it shouldn't work. I agree but this is a tangent. The draft is about localhost. or maybe .localhost. It's not about localhost.. The problem with this clarification is that in practice "localhost." is almost always spelt "localhost". Well, OK, but I hope we

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Joe Abley
On 12 Sep 2017, at 13:11, John R Levine wrote: >> https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00#section-4.1 >> >> When something shouldn't work, it shouldn't work. > > I agree but this is a tangent. The draft is about localhost. or maybe > .localhost. It's

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread John R Levine
https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00#section-4.1 When something shouldn't work, it shouldn't work. I agree but this is a tangent. The draft is about localhost. or maybe .localhost. It's not about localhost.. Regards, John Levine, jo...@taugh.com, Taughannock

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Richard Barnes
On Tue, Sep 12, 2017 at 8:54 AM, Tony Finch wrote: > Paul Vixie wrote: > > > > while i've generally included a localhost.$ORIGIN A RR in zones that > appear in > > my stub resolver search lists, in order that "localhost" be found, > > I agree with the rest of

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Tony Finch
Paul Vixie wrote: > > while i've generally included a localhost.$ORIGIN A RR in zones that appear in > my stub resolver search lists, in order that "localhost" be found, I agree with the rest of your message but I want to highlight this bit because it is directly related to the

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Paul Vixie
Tony Finch wrote: Wes Hardaker wrote: Instead, localhost is an operating system convention, a /etc/hosts name, an NIS name, or one of the other things that is able to resolve that name. But the DNS is not where that resolution comes from. I think this makes sense, but

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Peter van Dijk
Hello, On 6 Sep 2017, at 16:00, tjw ietf wrote: When the idea of having a Call for Adoption for this document came up, we thought long and hard about this one. However, the comments from the working group focused this document to address the specific issue of the local hostname. This

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-12 Thread Tony Finch
Wes Hardaker wrote: > > Specifically, we have multiple naming systems already, and I'd argue > that localhost actually isn't in the DNS naming system. There is no > authoritative source for it. In fact, DNSSEC proves this. > > Instead, localhost is an operating system

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-11 Thread Wes Hardaker
"John Levine" writes: > It seems to me that if someone has enough programming skill to write a > DNSSEC verifier for her cache or stub resolver, she has enough skill > to treat localhost as a special case. I've been trying to figure out for a few days now how to insert my
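Several messages in this thread converge on one operational rule: a stub resolver treats "localhost" and anything under ".localhost" as a special case and answers with loopback itself (Hardaker above, Levine's "treat localhost as a special case", Kumari's "querying the DNS for localhost is an error"), and Vixie's localhost.$ORIGIN record shows why the check has to happen before search-list expansion, since "localhost" otherwise becomes "localhost.example.com" and leaves the host. The following is an added example, not code from the draft or from any participant: a toy stub front end with the special case switchable on and off, an upstream standing in for a recursive resolver, and a leak counter of the kind Hardaker's B-root observation implies. The zone data, search list, `StubResolver`/`is_localhost_name`/`localhost_leaks` names and the "timestamp client qname qtype" log format are all constructed for the example; example.com and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are reserved documentation values.

```python
"""Stub-resolver front end that never sends localhost to the DNS.

Added example; not the draft's text, not any participant's code. Upstream
data, search list and query log below are constructed for the example.
"""
from typing import Callable, Dict, List, Optional

LOOPBACK = ["127.0.0.1", "::1"]


def is_localhost_name(name: str) -> bool:
    """'localhost', 'localhost.', 'app.localhost', 'APP.LocalHost.' -> True.

    'localhost.example.com' is NOT a localhost name: it is an ordinary
    name in someone's zone, which is exactly how the leak happens.
    """
    labels = name.rstrip(".").lower().split(".")
    if any(label == "" for label in labels):       # reject "foo..localhost"
        return False
    return labels[-1] == "localhost"


class StubResolver:
    def __init__(self, search_list: List[str],
                 upstream: Callable[[str], Optional[List[str]]],
                 special_case_localhost: bool = True):
        self.search_list = [s.rstrip(".") for s in search_list]
        self.upstream = upstream
        self.special_case_localhost = special_case_localhost
        self.upstream_queries: List[str] = []      # every qname that left the host

    def resolve(self, name: str) -> List[str]:
        # The check runs on the name the application asked for, before the
        # search list can turn "localhost" into "localhost.example.com".
        if self.special_case_localhost and is_localhost_name(name):
            return list(LOOPBACK)
        if name.endswith("."):
            candidates = [name]
        elif "." in name:                          # ndots:1 style: absolute first
            candidates = [name + "."] + [f"{name}.{s}." for s in self.search_list]
        else:                                      # single label: search list first
            candidates = [f"{name}.{s}." for s in self.search_list] + [name + "."]
        for fqdn in candidates:
            self.upstream_queries.append(fqdn)
            answer = self.upstream(fqdn)
            if answer:
                return answer
        return []


# Constructed upstream: a zone carrying the localhost.$ORIGIN record.
CONSTRUCTED_UPSTREAM: Dict[str, List[str]] = {
    "www.example.com.": ["192.0.2.10"],
    "localhost.example.com.": ["127.0.0.1"],
}


def constructed_upstream(fqdn: str) -> Optional[List[str]]:
    return CONSTRUCTED_UPSTREAM.get(fqdn.lower())


# Constructed query log, made-up "timestamp client qname qtype" format,
# standing in for what an authoritative server sees arriving.
CONSTRUCTED_QUERY_LOG = """\
2017-04-12T00:00:01Z 198.51.100.7 localhost. A
2017-04-12T00:00:01Z 198.51.100.7 www.example.com. A
2017-04-12T00:00:02Z 203.0.113.9 LOCALHOST. AAAA
2017-04-12T00:00:03Z 203.0.113.9 db.localhost. A
2017-04-12T00:00:04Z 198.51.100.7 localhost.example.com. A
"""


def localhost_leaks(log_text: str) -> List[str]:
    """Return the log lines whose qname should never have left a host."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and is_localhost_name(parts[2]):
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    good = StubResolver(["example.com"], constructed_upstream)
    print("localhost ->", good.resolve("localhost"), "sent upstream:", good.upstream_queries)
    leaky = StubResolver(["example.com"], constructed_upstream, special_case_localhost=False)
    print("localhost ->", leaky.resolve("localhost"), "sent upstream:", leaky.upstream_queries)
    print(len(localhost_leaks(CONSTRUCTED_QUERY_LOG)), "leaked localhost queries in the sample log")
```

The leaky configuration still "works", because the zone's localhost.example.com record hands back 127.0.0.1, but the query went over the wire and the answer is now whatever the zone (or a hijacking resolver) chooses to say. Note that localhost.example.com in the log is not counted as a leak: it is a legitimate DNS name, and cleaning it out of the zone is the other half of the fix.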

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-11 Thread Warren Kumari
On Thu, Sep 7, 2017 at 10:17 PM, Ted Lemon wrote: > The discussion had covered the failure mode problem. There is substantial > agreement that it's better for a stub that issues a query for localhost to > fail than to succeed. You seem to disagree. > I wonder if this is simply

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-10 Thread John Levine
In article <20170907045934.c194b8483...@rock.dv.isc.org> you write: > >In message >, Ted Lemon writes: >> Mark, I really don't think this is a human rights issue. Is there something >> that will break for you if the secure denial

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-08 Thread Ted Lemon
Do you know of protocols that use SRV to localhost in practice? Anyway, this is like the question of whether to trust IP addresses when using rsh. Remember rsh? There's a reason we don't use it anymore, even though it was definitely useful. Localhost over DNS is analogous. On Sep 7, 2017 10:28

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-07 Thread Mark Andrews
In message , Ted Lemon writes: > The discussion had covered the failure mode problem. There is substantial > agreement that it's better for a stub that issues a query for localhost to > fail than to succeed. You seem to

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-07 Thread Ted Lemon
The discussion had covered the failure mode problem. There is substantial agreement that it's better for a stub that issues a query for localhost to fail than to succeed. You seem to disagree. You haven't stated a reason for disagreeing—instead you've vigorously asserted that this is true. It's

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-07 Thread Ted Lemon
On Sep 7, 2017, at 12:59 AM, Mark Andrews wrote: > I shouldn't BE FORCED to hard code special LOCALHOST rules into DNS > tools. Lookups should "just work" like they did before the root > zone was signed. Because...? ___ DNSOP mailing

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Mark Andrews
In message , Ted Lemon writes: > > Mark, I really don't think this is a human rights issue. Is there something > that will break for you if the secure denial of existence is left in place? I shouldn't BE FORCED to hard code

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Ted Lemon
Mark, I really don't think this is a human rights issue. Is there something that will break for you if the secure denial of existence is left in place? On Sep 7, 2017 12:17 AM, "Mark Andrews" wrote: > > In message

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Mark Andrews
In message

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Jacob Hoffman-Andrews
I support adopting this draft. On 09/06/2017 07:00 AM, tjw ietf wrote: > When the idea of having a Call for Adoption for this document came up, > we thought long and hard about this one. However, the comments from > the working group focused this document to address the specific issue > of the

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Warren Kumari
On Wed, Sep 6, 2017 at 10:35 AM, Ted Lemon wrote: > On Sep 6, 2017, at 10:33 AM, tjw ietf wrote: > > Thanks. The document still waffles, but it 'waffles less' than it did > initially. But Mike is committed to working that and any other issue which > may

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Richard Barnes
I am strongly in support of the WG adopting this draft. It will allow applications to deliver a better developer experience and higher security. As Ted notes, there is a possibility of breakage. If something on a host is relying on an external resolver to provide localhost resolution in

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Ted Lemon
On Sep 6, 2017, at 10:33 AM, tjw ietf wrote: > Thanks. The document still waffles, but it 'waffles less' than it did > initially. But Mike is committed to working that and any other issue which > may arise. The question I really have is not whether Mike is willing—he's

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread tjw ietf
Ted Thanks. The document still waffles, but it 'waffles less' than it did initially. But Mike is committed to working that and any other issue which may arise. tim On Wed, Sep 6, 2017 at 10:29 AM, Ted Lemon wrote: > The document as written still waffles between insecure

Re: [DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread Ted Lemon
The document as written still waffles between insecure delegation and secure denial of existence. I think that if the document were published with the recommendation of an insecure delegation, this would be actively harmful. If it's published with the secure denial of existence, it would

[DNSOP] DNSOP Call for Adoption - draft-west-let-localhost-be-localhost

2017-09-06 Thread tjw ietf
When the idea of having a Call for Adoption for this document came up, we thought long and hard about this one. However, the comments from the working group focused this document to address the specific issue of the local hostname. This starts a formal Call for Adoption for