Let 'localhost' be localhost.
draft-west-let-localhost-be-localhost-01

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
Author Mike West
Last updated 2016-09-27
Replaced by draft-ietf-dnsop-let-localhost-be-localhost
RFC stream (None)
Formats
txt htmlized pdf bibtex bibxml
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Email authors IPR References Referenced by Nits Search email archive
draft-west-let-localhost-be-localhost-01 
HTTPbis                                                          M. West
Internet-Draft                                               Google, Inc
Updates: 6761 (if approved)                           September 27, 2016
Intended status: Standards Track
Expires: March 31, 2017

                     Let 'localhost' be localhost.
                draft-west-let-localhost-be-localhost-01

Abstract

   This document updates RFC6761 by requiring that the domain
   "localhost." and any names falling within ".localhost." resolve to
   loopback addresses.  This would allow other specifications to join
   regular users in drawing the common-sense conclusions that
   "localhost" means "localhost", and doesn't resolve to somewhere else
   on the network.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 31, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

West                     Expires March 31, 2017                 [Page 1]
Internet-Draft         let-localhost-be-localhost         September 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology and notation  . . . . . . . . . . . . . . . . . .   2
   3.  Recommendations . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  Implementation Considerations . . . . . . . . . . . . . . . .   3
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   4
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

1.  Introduction

   Section 6.3 of [RFC6761] invites developers to "assume that IPv4 and
   IPv6 address queries for localhost names will always resolve to the
   respective IP loopback address".  That suggestion, unfortunately,
   doesn't match reality.  Client software is empowered to send
   localhost names to DNS resolvers, and resolvers are empowered to
   return unexpected results in various cases.  This has several
   impacts.

   One of the clearest is that the [SECURE-CONTEXTS] specification
   declines to treat "localhost" as "secure enough", as it might not
   actually be the "localhost" that developers are expecting.  This
   exclusion has (rightly) surprised some developers.

   This document suggests that we should resolve the confusion by
   requiring that DNS resolution work the way that users expect:
   "localhost" is "localhost", and not something other than loopback.

2.  Terminology and notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Recommendations

   This document updates Section 6.3 of [RFC6761] in the following ways:

   1.  Item #3 is changed to read as follows:

       Name resolution APIs and libraries MUST recognize localhost names
       as special, and MUST always return an IP loopback address for

West                     Expires March 31, 2017                 [Page 2]
Internet-Draft         let-localhost-be-localhost         September 2016

       address queries and negative responses for all other query types.
       Name resolution APIs MUST NOT send queries for localhost names to
       their configured caching DNS server(s).

   2.  Item #4 is changed to read as follows:

       Caching DNS servers MUST recognize localhost names as special,
       and MUST NOT attempt to look up NS records for them, or otherwise
       query authoritative DNS servers in an attempt to resolve
       localhost names.  Instead, caching DNS servers MUST generate an
       immediate negative response.

   3.  Item #5 is changed to replace "SHOULD" with "MUST":

       Authoritative DNS servers MUST recognize localhost names as
       special and handle them as described above for caching DNS
       servers.

   4.  Item #7 is changed to remove "probably" from the last sentence:

       DNS Registries/Registrars MUST NOT grant requests to register
       localhost names in the normal way to any person or entity.
       Localhost names are defined by protocol specification and fall
       outside the set of names available for allocation by registries/
       registrars.  Attempting to allocate a localhost name as if it
       were a normal DNS domain name will not work as desired, for
       reasons 2, 3, 4, and 5 above.

4.  Implementation Considerations

   This change would make developers sad if they map domain names like
   'server1.localhost' to something other than a loopback address.
   There are likely other situations in which it might create unexpected
   behaviors.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, DOI 10.17487/RFC6761, February 2013,
              <http://www.rfc-editor.org/info/rfc6761>.

West                     Expires March 31, 2017                 [Page 3]
Internet-Draft         let-localhost-be-localhost         September 2016

5.2.  Informative References

   [SECURE-CONTEXTS]
              West, M., "Secure Contexts", n.d.,
              <http://w3c.github.io/webappsec-secure-contexts/>.

Appendix A.  Acknowledgements

   Ryan Sleevi and Emily Stark informed me about the strange state of
   'localhost' resolution.  Erik Nygren poked me to take another look at
   the set of decisions we made in [SECURE-CONTEXTS] around
   "localhost."; this document is the result.

Author's Address

   Mike West
   Google, Inc

   Email: mkwst@google.com
   URI:   https://mikewest.org/

West                     Expires March 31, 2017                 [Page 4]