Re: [DNSOP] "let-localhost-be-localhost".
"John R Levine" <johnl@taugh.com> Wed, 23 November 2016 14:40 UTC
Date: Wed, 23 Nov 2016 09:40:50 -0500
Message-ID: <alpine.OSX.2.11.1611230927210.33696@ary.local>
From: John R Levine <johnl@taugh.com>
To: Mike West <mkwst@google.com>
In-Reply-To: <CAKXHy=dxGLW0fE45vHHEhDgY_ocjZoKQE-Q_ZCg-dLvtH248vw@mail.gmail.com>
References: <CAKXHy=dxGLW0fE45vHHEhDgY_ocjZoKQE-Q_ZCg-dLvtH248vw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zl2L5qo2aeOZCFTgBLGz4IzWsY0>
Cc: dnsop@ietf.org
> Judging by the existing thread, opinions abound. I admit that I'm not
> fluent enough in the intricacies of DNSSEC to judge the merits of Mark's
> objection. I believe the assertion in
> https://www.ietf.org/mail-archive/web/sunset4/current/msg00456.html that
> more nuance is required, and I'm happy to do more work to address those
> concerns, but I'll need y'all's guidance to do so. :)

I'd say Mark's objection is reasonable but not necessarily a deal breaker.

As he points out, the two existing special top level .local and .onion are supposed to be resolved without using the DNS, by mDNS and TOR respectively. For .localhost, depending on the implementation it might or might not use the DNS, which is why DNSSEC matters.

The problem is that the DNSSEC solution here is kind of complicated. What you'd want is an opt-out signature in the root, showing that there might be an insecure delegation to .localhost, but the root is signed with NSEC and there's only opt-out in NSEC3. Technically it's not complicated to change from NSEC to NSEC3, but any change to the way the root is managed is a big deal since the consequences of screwing it up are so large.

On the third hand, .localhost has been special forever and this draft essentially codifies what we've assumed all along, so if we approve it things are no worse and arguably better than they are now.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
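The NSEC-versus-NSEC3 distinction John describes, as an added illustration that is not part of the original message: a validator's denial-of-existence check over a constructed root-zone fragment (the span "local." .. "lol." is invented, not real root data). An NSEC span that covers "localhost." proves the name does not exist at all, while an NSEC3 span with the Opt-Out flag set only proves there is no signed delegation, leaving room for the insecure delegation the draft wants.

```python
import hashlib

def _labels(name):
    # Lowercase labels of a DNS name, leftmost first; the root "." has none.
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canonical_key(name):
    # RFC 4034 s6.1 canonical ordering: compare labels root-first, bytewise.
    return [label.encode() for label in reversed(_labels(name))]

def nsec_covers(owner, next_name, qname):
    # True when qname lies strictly inside the NSEC span owner..next_name.
    # The zone's last NSEC points back to the apex, so the span wraps around.
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n <= o:                      # wrap-around span: everything after owner
        return q > o
    return o < q < n

def nsec_verdict(owner, next_name, qname):
    # NSEC is unambiguous: a covered name does not exist, signed or unsigned.
    return "nxdomain (proven)" if nsec_covers(owner, next_name, qname) else "no proof"

def nsec3_hash(name, salt, iterations):
    # RFC 5155 s5: SHA-1 over the wire-format name, re-hashed `iterations` times
    # with the salt. Raw digests sort in the same order as their base32hex form.
    wire = b"".join(bytes([len(l)]) + l.encode() for l in _labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

OPT_OUT = 0x01  # NSEC3 Flags bit, RFC 5155 s3.1.2.1

def nsec3_covers(owner_hash, next_hash, qhash):
    # Same ring logic as NSEC, over hashed owner names.
    if next_hash <= owner_hash:
        return qhash > owner_hash
    return owner_hash < qhash < next_hash

def nsec3_verdict(owner_hash, next_hash, flags, qhash):
    if not nsec3_covers(owner_hash, next_hash, qhash):
        return "no proof"
    # With Opt-Out set the span only proves that no *signed* delegation exists;
    # an unsigned (insecure) delegation may still sit in the gap (RFC 5155 s6).
    return "insecure (opt-out span)" if flags & OPT_OUT else "nxdomain (proven)"

if __name__ == "__main__":   # constructed names, not real root-zone data
    print(nsec_verdict("local.", "lol.", "localhost."))
```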