On Mon, Jan 29, 2018 at 12:42 PM, Paul Vixie <[email protected]> wrote:
> chiming in for the hum:
>
> Andrew Sullivan wrote:
>
>> Dear colleagues,
>>
>> On Mon, Jan 22, 2018 at 11:18:08AM -0500, Suzanne Woolf wrote:
>>
>>> Hi all,
>>>
>>> This is the opening of the Working Group Last Call for "Let 'localhost'
>>> be localhost" (https://www.ietf.org/id/draft-ietf-dnsop-let-localhost-be-localhost-02.txt).
>>>
>>
>> I have read this document.
>>
>> ...
>>
>> I am really very troubled by the idea that any DNS server should
>> return RCODE 3 to a query for "localhost". (This is items 4 and 5 in
>> section 3.) This is not even wrong: the name _does_ exist, and indeed
>> any server on the Internet would know that (since it would itself
>> serve the answer _to_ itself of what localhost means; whether it
>> should serve it to anyone else might be a different question, but it
>> certainly should not respond with RCODE 3).
>>
>> ...
>>
>> I am sorry that I cannot support advancing the draft in its current
>> state.
>>
>
> likewise. i'd prefer this to be crafted as operating system api guidance,
> along the lines of RFC 1535. i can't agree to on-the-wire changes along the
> lines described here.
>
> --
> P Vixie
>

The document recommends "defense in depth" or multiple layers - asking both applications and the operating system to return the correct answer (the IP address in IPv4, IPv6, and any future). I think that should be extended to DNS resolvers, at a minimum. I would prefer to extend that to the root, and have a DNSSEC-signed answer, although I realize that is difficult, and would accept the draft without it. But we should give some guidance for DNSSEC queries - do we give a bogus response with the IPs, or a validated answer of NXDOMAIN?

--
Bob Harold
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
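The thread turns on two behaviours for a query for "localhost": a resolver that answers RCODE 3 (NXDOMAIN), which Andrew Sullivan and Paul Vixie object to, versus the layered approach Bob Harold describes, where the application and operating system short-circuit the name to the loopback addresses and a DNS resolver, if it sees the query at all, synthesizes the same answer. The following is an added illustration written for this page; it is not code from the draft, from any of the posters, or from any resolver implementation. It assumes, as the draft does, that names ending in ".localhost" are treated like "localhost" itself, and it builds a deliberately minimal, uncompressed DNS message by hand (no EDNS, no DNSSEC records, so the DNSSEC question Bob raises is not answered here). Both forms are shown side by side so the RCODE and answer section can be compared:

```python
import ipaddress
import struct

LOOPBACK_V4 = "127.0.0.1"
LOOPBACK_V6 = "::1"
QTYPE_A, QTYPE_AAAA = 1, 28


def is_localhost_name(name: str) -> bool:
    """'localhost' or any name under it; case-insensitive, trailing dot tolerated.
    Assumption (added example): names under .localhost get the same treatment."""
    labels = name.rstrip(".").lower().split(".")
    return bool(labels) and all(labels) and labels[-1] == "localhost"


def resolve_loopback(name: str, want_v4: bool = True, want_v6: bool = True):
    """Application/OS-level layer: answer localhost names from the API itself,
    never putting a query on the wire. Returns None for any other name so the
    caller can fall through to its normal resolver path."""
    if not is_localhost_name(name):
        return None
    addrs = []
    if want_v6:
        addrs.append(LOOPBACK_V6)
    if want_v4:
        addrs.append(LOOPBACK_V4)
    return addrs


def encode_name(name: str) -> bytes:
    """Wire-format owner name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal stub query: header with RD set, one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass, raw question bytes) from a message."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, msg[12:pos + 4]


def synthesize_response(query: bytes, answer_localhost: bool = True):
    """Resolver-level layer. For a localhost name, either synthesize the loopback
    answer (answer_localhost=True) or return RCODE 3 (the behaviour the thread
    objects to). Returns None for other names, i.e. forward them as usual."""
    txid, qname, qtype, qclass, question = parse_question(query)
    if not is_localhost_name(qname):
        return None
    flags = 0x8180  # QR, RD, RA; RCODE 0
    if not answer_localhost:
        return struct.pack("!HHHHHH", txid, flags | 3, 1, 0, 0, 0) + question  # NXDOMAIN
    if qtype == QTYPE_A:
        rdata = ipaddress.IPv4Address(LOOPBACK_V4).packed
    elif qtype == QTYPE_AAAA:
        rdata = ipaddress.IPv6Address(LOOPBACK_V6).packed
    else:
        # Other types: NODATA, i.e. RCODE 0 with an empty answer section.
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    # Owner name as a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def answer_addresses(response: bytes):
    """Addresses in the answer section (owner names are the pointer form above)."""
    _, _, _, _, question = parse_question(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    pos, addrs = 12 + len(question), []
    for _ in range(ancount):
        pos += 2  # skip the c0 0c owner-name pointer
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        addrs.append(str(ipaddress.ip_address(response[pos:pos + rdlen])))
        pos += rdlen
    return addrs


if __name__ == "__main__":
    q = build_query("localhost", QTYPE_A)  # constructed sample query
    good, bad = synthesize_response(q), synthesize_response(q, answer_localhost=False)
    print("api layer:", resolve_loopback("app.localhost"))
    print("synthesized:", rcode(good), answer_addresses(good))
    print("nxdomain form:", rcode(bad), answer_addresses(bad))
```

Running the script shows the two wire forms that the thread is arguing about: the synthesized response carries RCODE 0 with 127.0.0.1 (or ::1 for AAAA) in the answer section, while the rejected form carries RCODE 3 and nothing else. The API-level function is the layer Vixie's RFC 1535-style guidance would cover; the resolver-level function is the extension Bob asks for.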
