Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2019-09-16 Thread Stephane Bortzmeyer
On Mon, Feb 19, 2018 at 10:00:39AM -0500, Suzanne Woolf wrote a message of 17 lines which said: > We’ve let the discussion continue because it’s been so active, but > we also haven’t forgotten we need to review and determine next steps > on this draft. I don't find anything about the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-19 Thread Suzanne Woolf
Hi all, We’ve let the discussion continue because it’s been so active, but we also haven’t forgotten we need to review and determine next steps on this draft. Thanks for the lively discussion, and we’ll have followup shortly. Suzanne & Tim > On Jan 22, 2018, at 11:18 AM, Suzanne Woolf

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-12 Thread Tony Finch
Andrew Sullivan wrote: > > …of the "admonition" (or whatever you want to call it). In effect, > the document requires special-casing of "localhost" as a label in > every searchlist context. The way nss-style resolvers work is to do exact match on /etc/hosts (which with

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Viktor Dukhovni
On Sat, Feb 10, 2018 at 08:21:14PM +, Warren Kumari wrote: > > Interestingly enough, Steve Sheng and I wrote just such a document a > number of years ago (around the time of the initial name-collisions > drama). Even though I'm 95% sure it included the phrase "tilting at > windmills" my

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Warren Kumari
On Sat, Feb 10, 2018 at 9:21 PM, Joe Abley wrote: > Hi Warren, > > I think the advice is good, but I wonder what the practical effect of writing > it down would be. I doubt it would change any of the entrenched habits in > enterprise systems and networking in our remaining

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Joe Abley
On Feb 10, 2018, at 16:27, Ted Lemon wrote: > Well, for example, when the DHC working group was considering the search list > option for DHCPv6, I argued that there should be no such option because > search lists are bad. My argument was rejected. Had the IETF officially

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Ted Lemon
Well, for example, when the DHC working group was considering the search list option for DHCPv6, I argued that there should be no such option because search lists are bad. My argument was rejected. Had the IETF officially deprecated searchlists prior to that, there would be no DHCPv6 search

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Joe Abley
Hi Warren, I think the advice is good, but I wonder what the practical effect of writing it down would be. I doubt it would change any of the entrenched habits in enterprise systems and networking in our remaining lifetimes, for example, but perhaps I'm just being overly grumpy and am ignorant

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-10 Thread Ted Lemon
On Feb 10, 2018, at 3:21 PM, Warren Kumari wrote: > There are many things which would be safer, less complex, and safer if > search lists didn't exist -- would people be interested in discussing > the idea, or is it just too out there? I think there's not much to discuss.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-09 Thread Ted Lemon
On Feb 9, 2018, at 5:55 PM, Andrew Sullivan wrote: > > Hi, > > On Tue, Feb 06, 2018 at 12:50:18AM -0500, Ted Lemon wrote: >> That's pretty clear. This document is not forbidding the appearance of >> such names in the DNS, nor the resolution of such names. >> > >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-09 Thread Andrew Sullivan
Hi, On Tue, Feb 06, 2018 at 12:50:18AM -0500, Ted Lemon wrote: > That's pretty clear. This document is not forbidding the appearance of such > names in the DNS, nor the resolution of such names. > Instead, it is wanting to have its cake and eat it too. Because… > >Note, however, that

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Ted Lemon
On Feb 6, 2018, at 12:39 AM, Lanlan Pan wrote: > I mean that in 5.2.  'localhost' labels in subdomains > , > localhost.example.com . => localhost. ( > equal to ban

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Lanlan Pan
Ted Lemon wrote on Tue, Feb 6, 2018 at 1:17 PM: > On Feb 5, 2018, at 11:58 PM, Lanlan Pan wrote: > > If we decide to ban localhost.example, > > > Nobody is proposing that we ban localhost.example. > Sorry for my poor English. I mean that in *5.2. 'localhost' labels in

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Ted Lemon
On Feb 5, 2018, at 11:58 PM, Lanlan Pan wrote: > If we decide to ban localhost.example, Nobody is proposing that we ban localhost.example. > 1) how many security accidents have caused by this "localhost.example", is it > a serious security problem with low attack cost ?

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Lanlan Pan
Ted Lemon wrote on Tue, Feb 6, 2018 at 12:52 AM: > On Feb 5, 2018, at 1:51 AM, Mark Andrews wrote: > > No it is not! The browser knows where the name came from. > > > Walk me through it. How does the browser know where the name came from? > we can return NXDOMAIN for

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Ted Lemon
On Feb 5, 2018, at 3:28 AM, Matthew Kerwin wrote: > > It can be handy, though. "http://dev01/ " or "http://dev02/ > " is much easier to type. "password123" is easier to type (and remember!) than "rtuzb2tZ6xbsg", too. :) The way to make

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Ted Lemon
On Feb 5, 2018, at 1:51 AM, Mark Andrews wrote: > No it is not! The browser knows where the name came from. Walk me through it. How does the browser know where the name came from?

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-05 Thread Matthew Kerwin
On 5 Feb. 2018 16:52, "Mark Andrews" wrote: > On 5 Feb 2018, at 5:10 pm, Ted Lemon wrote: > > On Feb 5, 2018, at 12:18 AM, Mark Andrews wrote: >> The original problem is that HTTP doesn’t specify that names learned across the >> wire, including

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-04 Thread Mark Andrews
> On 5 Feb 2018, at 5:10 pm, Ted Lemon wrote: > > On Feb 5, 2018, at 12:18 AM, Mark Andrews wrote: >> The original problem is that HTTP doesn’t specify that names learned across the >> wire, including from on-disk HTML files, need to be treated as absolute >>

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-04 Thread Ted Lemon
On Feb 5, 2018, at 12:18 AM, Mark Andrews wrote: > The original problem is that HTTP doesn’t specify that names learned across the > wire, including from on-disk HTML files, need to be treated as absolute names. > This is HTTP’s mess due to allowing relative names in what is

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-04 Thread Mark Andrews
> On 5 Feb 2018, at 3:20 pm, Ted Lemon wrote: > > On Feb 4, 2018, at 9:49 PM, Mark Andrews wrote: >> We may as well ban www.example because that can return 127.0.0.1 as well. :-) > > www.example.com is never presumed to be local. And localhost.example.com

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-04 Thread Ted Lemon
On Feb 4, 2018, at 9:49 PM, Mark Andrews wrote: > We may as well ban www.example because that can return 127.0.0.1 as well. :-) www.example.com is never presumed to be local.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-04 Thread Mark Andrews
> On 4 Feb 2018, at 2:31 pm, Lanlan Pan wrote: > > > > Mark Andrews wrote on Sat, Feb 3, 2018 at 4:11 AM: > The problem is that search lists are being applied when “localhost” is being > entered into name lookup APIs and is being matched against localhost.example > which

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-03 Thread Lanlan Pan
Mark Andrews wrote on Sat, Feb 3, 2018 at 4:11 AM: > The problem is that search lists are being applied when “localhost” is > being entered into name lookup APIs and is being matched against > localhost.example which isn’t expected to be an address on the current > machine and that the search

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-02 Thread Mark Andrews
The problem is that search lists are being applied when “localhost” is being entered into name lookup APIs and is being matched against localhost.example which isn’t expected to be an address on the current machine and that the search list may be auto constructed or come from an untrusted

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-02 Thread Bob Harold
On Thu, Feb 1, 2018 at 4:26 PM, Ted Lemon wrote: > On Feb 1, 2018, at 2:48 PM, Andrew Sullivan wrote: > > As a general principle, when what the RFC says to do is not the right > thing to do, the solution is to update the RFC, not to ignore the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-02 Thread Andrew Sullivan
On Thu, Feb 01, 2018 at 08:46:01PM -0500, Joe Abley wrote: > > Can we take a brief pause to acknowledge that "the DNS" as a phrase is highly > ambiguous Yes. > and think about whether we mean the protocol, I mean this and > any particular installation or the namespace (and if so, which one,

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ted Lemon
On Feb 1, 2018, at 8:57 PM, Joe Abley wrote: > Which distinction? I think I listed at least four degrees of freedom. Good point. Possibly that is where the disconnect is.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Joe Abley
> On Feb 1, 2018, at 21:03, Ted Lemon wrote: > >> On Feb 1, 2018, at 7:46 PM, Joe Abley wrote: >> Can we take a brief pause to acknowledge that "the DNS" as a phrase is >> highly ambiguous and think about whether we mean the protocol, any >> particular

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ted Lemon
On Feb 1, 2018, at 7:46 PM, Joe Abley wrote: > Can we take a brief pause to acknowledge that "the DNS" as a phrase is highly > ambiguous and think about whether we mean the protocol, any particular > implementation, any particular installation or the namespace (and if so, >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Joe Abley
> On Feb 1, 2018, at 20:27, Ted Lemon wrote: > >> On Feb 1, 2018, at 3:41 PM, Andrew Sullivan wrote: >> I think that this is an example of attempting to >> do so: to make a name that already appears today in the DNS >> (localhost) go away. > > Okay,

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Paul Vixie
Ted Lemon wrote: On Feb 1, 2018, at 3:41 PM, Andrew Sullivan wrote: I think that this is an example of attempting to do so: to make a name that already appears today in the DNS (localhost) go away. Okay, but this simply isn't true.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Mark Andrews
> On 2 Feb 2018, at 12:27 pm, Ted Lemon wrote: > > On Feb 1, 2018, at 3:41 PM, Andrew Sullivan wrote: >> I think that this is an example of attempting to >> do so: to make a name that already appears today in the DNS >> (localhost) go away. > > Okay,

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ted Lemon
On Feb 1, 2018, at 3:41 PM, Andrew Sullivan wrote: > I think that this is an example of attempting to > do so: to make a name that already appears today in the DNS > (localhost) go away. Okay, but this simply isn't true. I think you actually responded to the dig

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Mark Andrews
> On 2 Feb 2018, at 8:50 am, Wes Hardaker wrote: > > Andrew Sullivan writes: > >> But of course, there _is_ a name "localhost" in the DNS. >> It's already defined, in the RFCs, to this effect. > > You can probably have your cake and eat it too

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Wes Hardaker
Andrew Sullivan writes: > But of course, there _is_ a name "localhost" in the DNS. > It's already defined, in the RFCs, to this effect. You can probably have your cake and eat it too by saying "sure, hypothetically it exists in the DNS because it's magically reserved in

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Andrew Sullivan
Hi, On Thu, Feb 01, 2018 at 03:26:40PM -0600, Ted Lemon wrote: > > As for why I responded to this and not to the formal review, the answer is > that the formal review was a bit overwhelming. You made a lot of assertions > of fact that didn't sound like fact to me—they sounded like

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ted Lemon
On Feb 1, 2018, at 2:48 PM, Andrew Sullivan wrote: >> As a general principle, when what the RFC says to do is not the right thing >> to do, the solution is to update the RFC, not to ignore the problem. > > I strongly agree with this (as I think or anyway hope you know)

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Andrew Sullivan
On Thu, Feb 01, 2018 at 11:45:26AM -0600, Ted Lemon wrote: > > As a general principle, when what the RFC says to do is not the right thing > to do, the solution is to update the RFC, not to ignore the problem. I strongly agree with this (as I think or anyway hope you know), and if my response

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Tony Finch
Paul Vixie wrote: > Tony Finch wrote: > > > > if you are asking an authoritative-only server then you get REFUSED or > > not depending on whether the QNAME is in an authoritative zone. > > that's what this group has reached consensus on in recent months, yes. to me > that's a

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ted Lemon
On Feb 1, 2018, at 11:26 AM, Andrew Sullivan wrote: > It has the notable advantage that it's what the RFC says to do. As a general principle, when what the RFC says to do is not the right thing to do, the solution is to update the RFC, not to ignore the problem. So a

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Paul Vixie
Andrew Sullivan wrote: On Wed, Jan 31, 2018 at 04:15:07PM +, Viktor Dukhovni wrote: return NXDomain is likely the best option for now. The other alternative is to actually serve the expected data: localhost. IN A 127.0.0.1 localhost. IN ::1 but I don't think that'd be

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Andrew Sullivan
On Thu, Feb 01, 2018 at 09:11:37AM -0800, Paul Vixie wrote: > > That's not entirely true - if you are asking an authoritative-only server > > then you get REFUSED or not depending on whether the QNAME is in an > > authoritative zone. > > that's what this group has reached consensus on in recent

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Andrew Sullivan
On Wed, Jan 31, 2018 at 04:15:07PM +, Viktor Dukhovni wrote: > return NXDomain is likely the best option for now. The other > alternative is to actually serve the expected data: > > localhost. IN A 127.0.0.1 > localhost. IN ::1 > > but I don't think that'd be better. It has

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Paul Vixie
Tony Finch wrote: Paul Vixie wrote: Ray Bellis wrote: Won't that cause the resolver to cycle through every root server letter hoping for one that doesn't give that answer? yes. that's what REFUSED is taken to mean, and also, why we never use it for data-dependent

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Andrew Sullivan
On Wed, Jan 31, 2018 at 10:04:03AM +, Ray Bellis wrote: > > Won't that cause the resolver to cycle through every root server letter > hoping for one that doesn't give that answer? It might, yes. But that's a poor reason to give an authoritative answer that a name which does exist instead

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Ray Bellis
On 01/02/2018 14:41, Tony Finch wrote: > That's not entirely true - if you are asking an authoritative-only server > then you get REFUSED or not depending on whether the QNAME is in an > authoritative zone. Right, but the resolver behaviour is to assume that that server is a lame delegation,

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-02-01 Thread Tony Finch
Paul Vixie wrote: > Ray Bellis wrote: > > > > Won't that cause the resolver to cycle through every root server letter > > hoping for one that doesn't give that answer? > > yes. that's what REFUSED is taken to mean, and also, why we never use it for > data-dependent conditions.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-31 Thread Paul Vixie
Ray Bellis wrote: On 30/01/2018 18:59, Andrew Sullivan wrote: Because of that same section, also, signing the answer should also not be controversial because the answer is static. My preference, however, would be for the root servers to REFUSE to answer such queries. Won't that cause the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-31 Thread Viktor Dukhovni
On Wed, Jan 31, 2018 at 10:04:03AM +, Ray Bellis wrote: > On 30/01/2018 18:59, Andrew Sullivan wrote: > > > Because of that same section, also, signing the answer should also not > > be controversial because the answer is static. My preference, > > however, would be for the root servers to

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-31 Thread Ray Bellis
On 30/01/2018 18:59, Andrew Sullivan wrote: > Because of that same section, also, signing the answer should also not > be controversial because the answer is static. My preference, > however, would be for the root servers to REFUSE to answer such > queries. Won't that cause the resolver to

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-30 Thread Andrew Sullivan
On Tue, Jan 30, 2018 at 11:39:31AM -0600, Ted Lemon wrote: > > It is possible to produce a signed answer, because the domain doesn't exist I think I was arguing yesterday that that is in fact not true. The domain (name) does exist, and it is defined in RFC 6761 precisely to be special. In

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-30 Thread Ted Lemon
On Jan 30, 2018, at 9:44 AM, Bob Harold wrote: > I would prefer to extend that to the root, and have a DNSSEC signed answer, > although I realize that is difficult, and would accept the draft without it. > But we should give some guidance for DNSSEC queries - do we give a

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-30 Thread Bob Harold
On Mon, Jan 29, 2018 at 12:42 PM, Paul Vixie wrote: > chiming in for the hum: > > Andrew Sullivan wrote: > >> Dear colleagues, >> >> On Mon, Jan 22, 2018 at 11:18:08AM -0500, Suzanne Woolf wrote: >> >>> Hi all, >>> >>> This is the opening of the Working Group Last Call for "Let

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-29 Thread Paul Vixie
chiming in for the hum: Andrew Sullivan wrote: Dear colleagues, On Mon, Jan 22, 2018 at 11:18:08AM -0500, Suzanne Woolf wrote: Hi all, This is the opening of the Working Group Last Call for "Let 'localhost' be localhost"

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-29 Thread Andrew Sullivan
On Fri, Jan 26, 2018 at 05:32:33PM +0100, Petr Špaček wrote: > I personally agree with the doc, it makes sense to me, and I do not > believe that its wording prevent anyone from adding knobs they want. > Software in the end will do whatever its developers wanted, which might > include knob to

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-29 Thread Viktor Dukhovni
On Jan 29, 2018, at 10:53 AM, dnsop-requ...@ietf.org wrote: > To add more to this, Unbound by default returns 127.0.0.1, and so does > Knot Resolver, because both decided to respect > https://tools.ietf.org/html/rfc6761#section-6.3 > > This is a security hole, and again, purpose of NXDOMAIN is

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-29 Thread Andrew Sullivan
Dear colleagues, On Mon, Jan 22, 2018 at 11:18:08AM -0500, Suzanne Woolf wrote: > Hi all, > > This is the opening of the Working Group Last Call for "Let 'localhost' be > localhost" > (https://www.ietf.org/id/draft-ietf-dnsop-let-localhost-be-localhost-02.txt). > I have read this document.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-29 Thread Petr Špaček
On 27.1.2018 18:56, Warren Kumari wrote: > On Fri, Jan 26, 2018 at 6:03 PM, Viktor Dukhovni > wrote: >> On Fri, Jan 26, 2018 at 02:24:26PM -0600, Ted Lemon wrote: >> Disagreed, with respect to recursive resolvers, because the requirement is neither necessary nor

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-28 Thread Viktor Dukhovni
On Fri, Jan 26, 2018 at 06:02:00PM -0600, Ted Lemon wrote: > On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni wrote: > > Multiple participants in this discussion have pointed out that such > > queries are rare. > > Sigh. Yes, such queries are rare. The things that make

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-28 Thread Mark Andrews
> On 27 Jan 2018, at 11:02 am, Ted Lemon wrote: > > On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni wrote: >> Multiple participants in this discussion have pointed out that such >> queries are rare. > > Sigh. Yes, such queries are rare. The things

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-27 Thread Warren Kumari
On Fri, Jan 26, 2018 at 6:03 PM, Viktor Dukhovni wrote: > On Fri, Jan 26, 2018 at 02:24:26PM -0600, Ted Lemon wrote: > >> > Disagreed, with respect to recursive resolvers, because the >> > requirement is neither necessary nor sufficient to achieve the >> > stated security

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Ted Lemon
On Jan 26, 2018, at 5:03 PM, Viktor Dukhovni wrote: > Multiple participants in this discussion have pointed out that such > queries are rare. Sigh. Yes, such queries are rare. The things that make those queries are the things that are vulnerable. That such queries

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Viktor Dukhovni
On Fri, Jan 26, 2018 at 02:24:26PM -0600, Ted Lemon wrote: > > Disagreed, with respect to recursive resolvers, because the > > requirement is neither necessary nor sufficient to achieve the > > stated security goals, is not required for interoperability, and > > is in conflict with existing uses

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread 神明達哉
At Fri, 26 Jan 2018 14:24:10 -0500, Ted Lemon wrote: > > IMO, however, that doesn't mean we can casually use the fact to > > silence objections when the requirement level might actually be too > > strong. In my understanding and also according to my experiences, > > MUST

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Ted Lemon
On Jan 26, 2018, at 2:16 PM, Viktor Dukhovni wrote: > Disagreed, with respect to recursive resolvers, because the > requirement is neither necessary nor sufficient to achieve the > stated security goals, is not required for interoperability, and > is in conflict with

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Viktor Dukhovni
On Fri, Jan 26, 2018 at 02:40:43PM -0500, Ted Lemon wrote: > On Jan 26, 2018, at 2:27 PM, 神明達哉 wrote: > > It's not clear to me, and either way I believe the draft should be > > clearer on these points (see also my latest response to Petr. If the > > intent of the draft is to

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Paul Vixie
Viktor Dukhovni wrote: ... If the intent is to require special handling of "localhost" in the platform's name to address lookup library (getaddrinfo(), gethostbyname(), ...), then the draft should say so, instead of talking about stub resolvers, which are only the DNS component of the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Paul Vixie
Ted Lemon wrote: On Jan 26, 2018, at 2:27 PM, 神明達哉 wrote: It's not clear to me, and either way I believe the draft should be clearer on these points (see also my latest response to Petr. If the intent of the draft is to prohibit any user

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Viktor Dukhovni
On Fri, Jan 26, 2018 at 08:22:18AM -0800, 神明達哉 wrote: > Hmm, that's different from my interpretation of the draft. According > to my usual interpretation of IETF docs, I would interpret these from > Section 3: > >3. Name resolution APIs and libraries MUST recognize localhost names >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Ted Lemon
On Jan 26, 2018, at 2:27 PM, 神明達哉 wrote: > It's not clear to me, and either way I believe the draft should be > clearer on these points (see also my latest response to Petr. If the > intent of the draft is to prohibit any user customization, it should > explicitly say so

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread 神明達哉
At Thu, 25 Jan 2018 20:22:36 +, Tony Finch wrote: > > Could you be more specific about it? It may be a minority > > implementation, but I thought traditional stub resolver > > implementations in BSD variants systems (getaddrinfo/gethostbyname > > with the backend of

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread 神明達哉
At Fri, 26 Jan 2018 17:32:33 +0100, Petr Špaček wrote: > > as these are requirements without a user-configurable knob. If the > > actual intent was just to specify the default behavior with a > > configurable knob, I'd expect SHOULD-variants are used in cases like > > these.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Tony Finch
I think the following should be amended: 5. Authoritative DNS servers MUST respond to queries for localhost names with NXDOMAIN. Instead: 5. Authoritative DNS servers MUST respond to queries for localhost names with their usual response for a non-authoritative zone (e.g.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Tony Finch
Viktor Dukhovni wrote: > > I don't see any mention of "localhost" in libresolv sources. The places to look are in /etc/nsswitch.conf (hosts: files dns) and /etc/hosts (the localhost lines). > What is true is that they generally append the default domain suffix to >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Petr Špaček
On 26.1.2018 18:00, Jaap Akkerhuis wrote: > Petr Špaček writes: > > > > > > > An example: RFC 4033 clearly states what should be done if result of > > validation is "Bogus". Nonetheless, Unbound has "val-permissive-mode: > > yes" which enables admin to pass bogus answers. > > > Note

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Ted Lemon
"Hack" is an expression of praise where I learned it. But it implies that you are using something outside of its design envelope, which you are. I don't want to get into a long back and forth on this. I think I understand your objection. I don't think it's a valid objection. But it's up to the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Jaap Akkerhuis
Petr Špaček writes: > > > An example: RFC 4033 clearly states what should be done if result of > validation is "Bogus". Nonetheless, Unbound has "val-permissive-mode: > yes" which enables admin to pass bogus answers. > Note that the default setting is "val-permissive-mode: no". It is

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Petr Špaček
On 26.1.2018 17:22, 神明達哉 wrote: > At Fri, 26 Jan 2018 12:47:29 +0100, > Petr Špaček wrote: > >>> I myself don't have a particular opinion on whether to send it to the >>> IESG, but I don't think it's ready for it based on my understanding of >>> the WG discussion so far. In

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread 神明達哉
At Fri, 26 Jan 2018 12:47:29 +0100, Petr Špaček wrote: > > I myself don't have a particular opinion on whether to send it to the > > IESG, but I don't think it's ready for it based on my understanding of > > the WG discussion so far. In particular, I don't think I saw a wg >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Viktor Dukhovni
On Thu, Jan 25, 2018 at 10:18:01PM -0500, Ted Lemon wrote: > On Jan 25, 2018, at 8:37 PM, Viktor Dukhovni wrote: > > I showed examples, of uses of "localhost". Some use the TLD itself > > for the usual local IPs, others employ subdomains of "localhost" > > as a sensibly

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Lanlan Pan
> Recursive DNS servers are required to return "NXDOMAIN" when queried for localhost names Why not just let Root return NXDOMAIN for "localhost. / *.localhost.", but also require this on recursive? (anyway, recursive's data is from authoritative, in theory) For latency, reduce queries, or ...

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-26 Thread Petr Špaček
On 25.1.2018 20:23, 神明達哉 wrote: > At Mon, 22 Jan 2018 11:18:08 -0500, > Suzanne Woolf wrote: > >> Please focus feedback on: Is this draft ready to go to the IESG for >> approval as an RFC? If not, can you suggest specific changes it >> needs? > > I myself don't have a

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread A. Schulze
Paul Vixie: no resolver should be sending single-label names in DNS requests, period. ... if RD-bit is set. single-label queries to root-servers are the valid exception? today I checked our data for queries to localhost. As expected, they do happen but are very rare. So I wouldn't expect

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Viktor Dukhovni
On Thu, Jan 25, 2018 at 08:17:17PM -0500, Ted Lemon wrote: > On Jan 25, 2018, at 7:48 PM, Viktor Dukhovni wrote: > > See my other upstream message quoted below. There are deployed > > uses of local "localhost" zones, and a mandate to break them is > > not well motivated

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Ted Lemon
On Jan 25, 2018, at 3:35 PM, Viktor Dukhovni wrote: > In summary, existing "localhost" zones are fine and should not come > into a violation of a new RFC. Secondly, returning the expected > address records at each opportunity to do so, without punting > the problem

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Viktor Dukhovni
On Thu, Jan 25, 2018 at 01:02:27PM -0500, Ted Lemon wrote: > On Jan 25, 2018, at 12:54 PM, Viktor Dukhovni wrote: > > I'm fine with recursive resolvers not *forwarding* > > "localhost.", but forbidding local answers is I think taking it > > too far and counter-productive.

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Viktor Dukhovni
On Thu, Jan 25, 2018 at 04:03:08PM +, Tony Finch wrote: > > I am not nearly so enthusiastic about an important component of > > the draft. Specifically, I'd like to suggest that while the > > requirement for recursive resolvers to return NXDOMAIN for "localhost." > > is well-intentioned, it

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Tony Finch
> On 25 Jan 2018, at 18:36, 神明達哉 wrote: > > Could you be more specific about it? It may be a minority > implementation, but I thought traditional stub resolver > implementations in BSD variants systems (getaddrinfo/gethostbyname > with the backend of libresolv) didn't

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Darcy Kevin (FCA)
<suzworldw...@gmail.com> Cc: dnsop <dnsop@ietf.org> Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02 At Mon, 22 Jan 2018 11:18:08 -0500, Suzanne Woolf <suzworldw...@gmail.com> wrote: > Please focus feedback on: Is this draft ready to go to the IESG for

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread 神明達哉
At Mon, 22 Jan 2018 11:18:08 -0500, Suzanne Woolf wrote: > Please focus feedback on: Is this draft ready to go to the IESG for > approval as an RFC? If not, can you suggest specific changes it > needs? I myself don't have a particular opinion on whether to send it to the

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread 神明達哉
At Thu, 25 Jan 2018 16:03:08 +, Tony Finch wrote: > > I am not nearly so enthusiastic about an important component of > > the draft. Specifically, I'd like to suggest that while the > > requirement for recursive resolvers to return NXDOMAIN for "localhost." > > is

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Ted Lemon
On Jan 25, 2018, at 12:54 PM, Viktor Dukhovni wrote: > I'm fine with recursive resolvers not *forwarding* > "localhost.", but forbidding local answers is I think taking it > too far and counter-productive. Can you talk about why you think this is important? I ask because

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Viktor Dukhovni
On Wed, Jan 24, 2018 at 05:50:26PM -0800, Paul Vixie wrote: > Mark Andrews wrote: > > > On 25 Jan 2018, at 8:38 am, Paul Vixie wrote: > > > > > > viktor, i don't disagree with your goals, but i have a proposal as to > > > method. > > > > > > no resolver should be sending

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Viktor Dukhovni
On Fri, Jan 26, 2018 at 12:19:00AM +1100, Mark Andrews wrote: > > RFC 6303 says that we should have empty domain for it, but this part is > > confusing: > > The recommendation to serve an empty zone 127.IN-ADDR.ARPA is not an > > attempt to discourage any practice to provide a PTR RR for > >

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Tony Finch
Viktor Dukhovni wrote: > > I am not nearly so enthusiastic about an important component of > the draft. Specifically, I'd like to suggest that while the > requirement for recursive resolvers to return NXDOMAIN for "localhost." > is well-intentioned, it will prove

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Tony Finch
Bob Harold wrote: > My concerns: > Do we need to make sure stub resolvers get updated before we update DNS, to > avoid breaking things? > Do we know what current stub resolvers do? Based on a few stats I gathered in September, stub resolvers already handle localhost

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Mark Andrews
> On 25 Jan 2018, at 9:48 pm, Petr Špaček wrote: > > Oh, wait, I just realized one question: > > What about reverse zones for "localhost" addresses specified in > https://tools.ietf.org/html/rfc6303#section-4.2 > https://tools.ietf.org/html/rfc6303#section-4.3 > > It seems

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Petr Špaček
Oh, wait, I just realized one question: What about reverse zones for "localhost" addresses specified in https://tools.ietf.org/html/rfc6303#section-4.2 https://tools.ietf.org/html/rfc6303#section-4.3 It seems to me that it should be handled in similar way, i.e. answered with NXDOMAIN. RFC 6303

Re: [DNSOP] WGLC for draft-ietf-dnsop-let-localhost-be-localhost-02

2018-01-25 Thread Paul Vixie
Joe Abley wrote: Hey Paul, There is an awful lot of entrenched practice (including every corporate environment I've ever worked) where a search list and single-label hostnames are either a convenient short-cut or an absolute requirement, like it or not. The collateral damage that would result
