On Fri, Jan 26, 2018 at 02:40:43PM -0500, Ted Lemon wrote:
> On Jan 26, 2018, at 2:27 PM, 神明達哉 <[email protected]> wrote:
> > It's not clear to me, and either way I believe the draft should be
> > clearer on these points (see also my latest response to Petr. If the
> > intent of the draft is to prohibit any user customization, it should
> > explicitly say so (with, IMO, some more explanation); if the intent is
> > to allow such customization, I believe we should actually loosen it to
> > SHOULDs).
That's also my position.
> There was no clear intent at the beginning when this was an individual
> submission, but the discussion on the individual submission and on the
> call for adoption seemed to show a fairly strong consensus that looking
> up localhost using DNS is a significant security vulnerability, so MUST
> is the right language.
Agreed when it comes to requiring a localhost short-circuit in the
platform's (and perhaps also application's) name lookup software
(to be reworded more clearly to refer to that, and not stub
resolvers).
Disagreed, with respect to recursive resolvers, because the
requirement is neither necessary nor sufficient to achieve the
stated security goals, is not required for interoperability, and
is in conflict with existing uses of local data for localhost.
--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
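The localhost short-circuit that the message above agrees belongs in the platform's name lookup software, as an added example (not code from the thread, the draft under discussion, or any resolver implementation). It shows why the lookup must be answered before any DNS query is sent: a constructed resolver that hands back a non-loopback address for `localhost` is simply never consulted by the short-circuited path, while a lookup that trusts DNS accepts the hijacked answer. The matching rule used here (the name `localhost`, any subdomain of it, case-insensitive, optional trailing dot), the constructed resolver table, and all function names are assumptions of this example, not text from the page.

```python
import ipaddress
from typing import Callable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Fixed answers for any localhost name; nothing on the network can change these.
LOOPBACK_ANSWERS: List[IPAddress] = [
    ipaddress.IPv4Address("127.0.0.1"),
    ipaddress.IPv6Address("::1"),
]

# Constructed for this example: every name the "DNS" path is asked about.
QUERY_LOG: List[str] = []


def is_localhost_name(name: str) -> bool:
    """Assumed matching rule: 'localhost' or any subdomain of it,
    compared case-insensitively, with one optional trailing dot."""
    n = name.lower()
    if n.endswith("."):
        n = n[:-1]
    return n == "localhost" or n.endswith(".localhost")


def constructed_dns(name: str) -> List[str]:
    """Constructed stand-in for a recursive resolver. It deliberately
    returns a non-loopback address for 'localhost' to model an
    attacker-controlled or misconfigured resolver (hypothetical data)."""
    QUERY_LOG.append(name)
    table = {
        "localhost": ["203.0.113.7"],     # hijacked answer (TEST-NET-3)
        "example.test": ["192.0.2.10"],   # an ordinary name (TEST-NET-1)
    }
    key = name.lower().rstrip(".")
    return table.get(key, [])


def unsafe_lookup(name: str, query_dns: Callable[[str], List[str]]) -> List[IPAddress]:
    """Lookup with no short-circuit: whatever DNS says is believed,
    so 'localhost' can resolve to a remote host."""
    return [ipaddress.ip_address(a) for a in query_dns(name)]


def safe_lookup(name: str, query_dns: Callable[[str], List[str]]) -> List[IPAddress]:
    """Lookup with the short-circuit: localhost names are answered
    locally and the DNS path is never entered for them."""
    if is_localhost_name(name):
        return list(LOOPBACK_ANSWERS)
    answers = [ipaddress.ip_address(a) for a in query_dns(name)]
    return answers


def loopback_only(name: str, answers: List[IPAddress]) -> List[IPAddress]:
    """Defence in depth for code that receives answers it did not
    produce itself: for a localhost name, drop anything that is not a
    loopback address rather than connect to it."""
    if not is_localhost_name(name):
        return answers
    return [a for a in answers if a.is_loopback]


if __name__ == "__main__":
    for n in ("localhost", "LocalHost.", "app.localhost", "example.test"):
        print(n, "unsafe:", unsafe_lookup(n, constructed_dns),
              "safe:", safe_lookup(n, constructed_dns))
    print("names sent to DNS:", QUERY_LOG)
```

Run stand-alone, the script shows `localhost` resolving to `203.0.113.7` on the unsafe path and to the loopback pair on the safe path, and the query log shows that only `example.test` ever reached the constructed resolver. The `loopback_only` filter is the fallback for a consumer that is handed answers from elsewhere (a cached result, a library it does not control) and still wants to refuse a non-loopback `localhost`.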