DNSOP M. West Internet-Draft Google, Inc Updates: 6761 (if approved) August 31, 2017 Intended status: Standards Track Expires: March 4, 2018 Let 'localhost' be localhost. draft-west-let-localhost-be-localhost-06 Abstract This document updates RFC6761 with the goal of ensuring that "localhost" can be safely relied upon as a name for the local host's loopback interface. To that end, stub resolvers are required to resolve localhost names to loopback addresses. Recursive DNS servers are required to return "NXDOMAIN" when queried for localhost names, making non-conformant stub resolvers more likely to fail and produce problem reports that result in updates. Together, these requirements would allow applications and specifications to join regular users in drawing the common-sense conclusions that "localhost" means "localhost", and doesn't resolve to somewhere else on the network. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 4, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. West Expires March 4, 2018 [Page 1]
Internet-Draft let-localhost-be-localhost August 2017 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology and notation . . . . . . . . . . . . . . . . . . 4 3. The "localhost." Special-Use Domain Name . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4.1. Domain Name Reservation Considerations . . . . . . . . . 5 4.2. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2.1. Option 1: Explicit delegation . . . . . . . . . . . . 5 4.2.2. Option 2: Implicit failure . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5.1. Applications are encouraged to resolve localhost names themselves. . . . . . . . . . . . . . . . . . . . . . . . 6 6. Implementation Considerations . . . . . . . . . . . . . . . . 6 6.1. Non-DNS usage of localhost names . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . 7 Appendix A. Changes from RFC 6761 . . . . . . . . . . . . . . . 8 Appendix B. Changes in this draft . . . . . . . . . . . . . . . 8 B.1. draft-west-let-localhost-be-localhost-06 . . . . . . . . 8 B.2. draft-west-let-localhost-be-localhost-05 . . . . . . . . 8 B.3. draft-west-let-localhost-be-localhost-04 . . . . . . . . 8 B.4. draft-west-let-localhost-be-localhost-03 . . . . . . . . 9 B.5. draft-west-let-localhost-be-localhost-02 . . . . . . . . 9 B.6. draft-west-let-localhost-be-localhost-01 . . . . . . . . 9 B.7. draft-west-let-localhost-be-localhost-00 . . . . . . . . 9 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction The "127.0.0.0/8" IPv4 address block and "::1/128" IPv6 address block are reserved as loopback addresses. Traffic to this block is assured to remain within a single host, and can not legitimately appear on any network anywhere. This turns out to be a very useful property in a number of circumstances; useful enough to label explicitly and interoperably as "localhost". [RFC1537] suggests that this special- West Expires March 4, 2018 [Page 2]
Internet-Draft let-localhost-be-localhost August 2017 use top-level domain name has been implicitly mapped to loopback addresses for decades at this point, and that [RFC6761]'s assertion that developers may "assume that IPv4 and IPv6 address queries for localhost names will always resolve to the respective IP loopback address" is well-founded. Unfortunately, the rest of that latter document's requirements undercut the assumption it suggests. Client software is empowered to send localhost names to DNS servers, and resolvers are empowered to return unexpectedly non-loopback results. This divide between theory and practice has a few impacts: First, the lack of confidence that "localhost" actually resolves to the loopback interface encourages application developers to hard-code IP addresses like "127.0.0.1" in order to obtain certainty regarding routing. This causes problems in the transition from IPv4 to IPv6 (see problem 8 in [I-D.ietf-sunset4-gapanalysis]). Second, HTTP user agents sometimes distinguish certain contexts as "secure"-enough to make certain features available. Given the certainty that "127.0.0.1" cannot be maliciously manipulated or monitored, [SECURE-CONTEXTS] treats it as such a context. Since "localhost" might not actually map to the loopback address, that document declines to give it the same treatment. This exclusion has (rightly) surprised some developers, and exacerbates the risks of hard-coded IP addresses by giving developers positive encouragement to use an explicit loopback address rather than a localhost name. This document updates [RFC6761]'s recommendations regarding "localhost" by requiring that name resolution APIs and libraries themselves return a loopback address when queried for localhost names, bypassing lookup via recursive and authoritative DNS servers entirely. In addition, recursive and authoritative DNS servers are required to return "NXDOMAIN" for such queries. This increases the likelihood that non-conformant stub resolvers will not go undetected. Note that this does not have the result that such resolvers will fail safe--it just makes it more likely that they will be detected and fixed, since they will fail in the presence of conforming name servers. These changes are not sufficient to ensure that "localhost" can be assumed to actually refer to an address on the local machine. This document therefore further requires that applications that wish to make that assumption handle the name "localhost" specially. West Expires March 4, 2018 [Page 3]
Internet-Draft let-localhost-be-localhost August 2017 2. Terminology and notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. IPv4 loopback addresses are registered in Table 4 of Section 2.2.2 of [RFC6890] as "127.0.0.0/8". IPv6 loopback addresses are registered in Table 17 of Section 2.2.3 of [RFC6890] as "::1/128". The domain "localhost.", and any names falling within ".localhost.", are known as "localhost names". 3. The "localhost." Special-Use Domain Name Localhost names are special in the following ways: 1. Users are free to use localhost names as they would any other domain names. Users may assume that IPv4 and IPv6 address queries for localhost names will always resolve to the respective IP loopback address. 2. Application software MAY recognize localhost names as special, or MAY pass them to name resolution APIs as they would for other domain names. If application software wishes to make security decisions based upon the assumption that localhost names resolve to loopback addresses (e.g. if it wishes to ensure that a context meets the requirements laid out in [SECURE-CONTEXTS]), then it MUST directly translate localhost names to a loopback address, and MUST NOT rely upon name resolution APIs to do so. Application software MUST NOT use a searchlist to resolve a localhost name. That is, even if DHCP's domain search option [RFC3397] is used to specify a searchlist of "example.com" for a given network, the name "localhost" will not be resolved as "localhost.example.com", and "subdomain.localhost" will not be resolved as "subdomain.localhost.example.com". 3. Name resolution APIs and libraries MUST recognize localhost names as special, and MUST always return an appropriate IP loopback address for IPv4 and IPv6 address queries and negative responses for all other query types. Name resolution APIs MUST NOT send queries for localhost names to their configured recursive DNS server(s). West Expires March 4, 2018 [Page 4]
Internet-Draft let-localhost-be-localhost August 2017 As for application software, name resolution APIs and libraries MUST NOT use a searchlist to resolve a localhost name. 4. (Caching) recursive DNS servers MUST respond to queries for localhost names with NXDOMAIN. 5. Authoritative DNS servers MUST respond to queries for localhost names with NXDOMAIN. 6. DNS server operators SHOULD be aware that the effective RDATA for localhost names is defined by protocol specification and cannot be modified by local configuration. 7. DNS Registries/Registrars MUST NOT grant requests to register localhost names in the normal way to any person or entity. Localhost names are defined by protocol specification and fall outside the set of names available for allocation by registries/ registrars. Attempting to allocate a localhost name as if it were a normal DNS domain name will not work as desired, for reasons 2, 3, 4, and 5 above. 4. IANA Considerations IANA is requested to update the "localhost." registration in the registry of Special-Use Domain Names [RFC6761] to reference the domain name reservations considerations section of this document. 4.1. Domain Name Reservation Considerations This document requests that IANA update the "localhost." registration in the registry of Special-Use Domain Names [RFC6761] to reference the domain name reservation considerations defined in Section 3. 4.2. DNSSEC (Ed note: The following options seem reasonable. I personally prefer the latter, but could be convinced that the former is reasonable if that's the way the working group's concensus trends.) 4.2.1. Option 1: Explicit delegation The ".localhost" TLD is already assigned to IANA, as per [RFC2606]. This document requests that a DNSSEC insecure delegation (that is, a delegation with no DS records) be inserted into the root-zone, delegated to "blackhole-[12].iana.org". This request for an insecure delegation relies on the rationale spelled out in section 4 of [I-D.wkumari-dnsop-internal], which West Expires March 4, 2018 [Page 5]
Internet-Draft let-localhost-be-localhost August 2017 discusses the DNSSEC considerations for the ".internal" TLD. The same considerations apply to this document's discussion of localhost names. 4.2.2. Option 2: Implicit failure The ".localhost" TLD is already assigned to IANA, as per [RFC2606], but does not have an entry in the DNSSEC root-zone. This means that the root will return an NXDOMAIN response along with NSEC records constituting a secure denial of existence if queried. That's consistent with the requirements to return NXDOMAIN that are laid out in Section 3. 5. Security Considerations 5.1. Applications are encouraged to resolve localhost names themselves. Applications that attempt to use the local resolver to query "localhost" do not fail safely. If an attacker sets up a malicious DNS server which returns a non-loopback address when queried for localhost names, such applications will connect to that remote server assuming it is local. This risk drives the requirement that applications resolve localhost names themselves if they intend to make security decisions based on the assumption that localhost names resolve locally. There may be cases in which the target runtime environment can be safely assumed to do the right thing with localhost names. In this case, the requirement that the application resolve localhost names on its own may be safe to ignore, but only if all the requirements under point 2 of Section 3 are known to be followed by the resolver that is known to be present in the target environment. 6. Implementation Considerations 6.1. Non-DNS usage of localhost names Some application software differentiates between the hostname "localhost" and the IP address "127.0.0.1". MySQL, for example, uses a unix domain socket for the former, and a TCP connection to the loopback address for the latter. The constraints on name resolution APIs above do not preclude this kind of differentiation. 7. References West Expires March 4, 2018 [Page 6]
Internet-Draft let-localhost-be-localhost August 2017 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc- editor.org/info/rfc2119>. [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", RFC 6761, DOI 10.17487/RFC6761, February 2013, <https://www.rfc-editor.org/info/rfc6761>. [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, "Special-Purpose IP Address Registries", BCP 153, RFC 6890, DOI 10.17487/RFC6890, April 2013, <https://www.rfc-editor.org/info/rfc6890>. 7.2. Informative References [I-D.ietf-sunset4-gapanalysis] LIU, W., Xu, W., Zhou, C., Tsou, T., Perreault, S., Fan, P., Gu, R., Xie, C., and Y. Cheng, "Gap Analysis for IPv4 Sunset", draft-ietf-sunset4-gapanalysis-09 (work in progress), August 2017. [I-D.wkumari-dnsop-internal] Kumari, W., "The .internal TLD.", draft-wkumari-dnsop- internal-00 (work in progress), July 2017. [RFC1537] Beertema, P., "Common DNS Data File Configuration Errors", RFC 1537, DOI 10.17487/RFC1537, October 1993, <https://www.rfc-editor.org/info/rfc1537>. [RFC2606] Eastlake 3rd, D. and A. Panitz, "Reserved Top Level DNS Names", BCP 32, RFC 2606, DOI 10.17487/RFC2606, June 1999, <https://www.rfc-editor.org/info/rfc2606>. [RFC3397] Aboba, B. and S. Cheshire, "Dynamic Host Configuration Protocol (DHCP) Domain Search Option", RFC 3397, DOI 10.17487/RFC3397, November 2002, <https://www.rfc- editor.org/info/rfc3397>. [SECURE-CONTEXTS] West, M., "Secure Contexts", n.d., <http://w3c.github.io/webappsec-secure-contexts/>. West Expires March 4, 2018 [Page 7]
Internet-Draft let-localhost-be-localhost August 2017 Appendix A. Changes from RFC 6761 Section 3 updates the requirements in section 6.3 of [RFC6761] in a few substantive ways: 1. Application software and name resolution APIs and libraries are prohibited from using searchlists when resolving localhost names, and encouraged to bypass resolution APIs and libraries altogether if they intend to make security decisions based on the "localhost" name. 2. Name resolution APIs and libraries are required to resolve localhost names to loopback addresses, without sending the query on to caching DNS servers. 3. Caching and authoritative DNS servers are required to respond to resolution requests for localhost names with NXDOMAIN. Appendix B. Changes in this draft B.1. draft-west-let-localhost-be-localhost-06 o Incorporated Ted Lemon's further feedback from https://www.ietf.org/mail-archive/web/dnsop/current/msg20769.html o Explicitly waffling on DNSSEC. B.2. draft-west-let-localhost-be-localhost-05 o Updated obsolete references to RFC 5735 and 5156 in favor of [RFC6890]. o Clarify that non-caching recursive DNS servers are also addressed by #4 in Section 3. o Reformulating the abstract and introduction based on feedback like Ted Lemon's in https://www.ietf.org/mail- archive/web/dnsop/current/msg20757.html o Added a request that an insecure delegation for "localhost." be added to the root-zone. B.3. draft-west-let-localhost-be-localhost-04 o Restructured the draft as a stand-alone document, rather than as set of monkey-patches against [RFC6761]. West Expires March 4, 2018 [Page 8]
Internet-Draft let-localhost-be-localhost August 2017 B.4. draft-west-let-localhost-be-localhost-03 o Explicitly referenced [I-D.ietf-sunset4-gapanalysis]. o Added a prohibition against using searchlists to resolve localhost names. o Noted that MySQL has special behavior differentiating the connection mechanism used for "localhost" and "127.0.0.1". B.5. draft-west-let-localhost-be-localhost-02 o Pulled in definitions for IPv4 and IPv6 loopback addresses. B.6. draft-west-let-localhost-be-localhost-01 o Added a requirement that caching DNS servers MUST generate an immediate negative response. B.7. draft-west-let-localhost-be-localhost-00 First draft. Appendix C. Acknowledgements Ryan Sleevi and Emily Stark informed me about the strange state of localhost name resolution. Erik Nygren poked me to take another look at the set of decisions we made in [SECURE-CONTEXTS] around "localhost."; this document is the result. They, along with Warren Kumari, Ted Lemon, John Levine, Mark Andrews, and many other members of DNSOP offered substantive feedback that markedly improved the quality of this document. Author's Address Mike West Google, Inc Email: mkwst@google.com URI: https://mikewest.org/ West Expires March 4, 2018 [Page 9]