On Thu, Apr 03, 2008 at 12:19:27PM +0200, Antoin Verschuren wrote:

> http://seclists.org/bugtraq/2008/Jan/0270.html
> that states that localhost entries in zones should be discouraged.

If I follow this correctly, the risk is for "localhost.example.org" to enable anyone on the same host as the victim to "steal" cookies destined for "*.example.org". This reminds me of what Yngve has been pointing us at repeatedly, and that is that the cookie mechanism makes brave assumptions about the DNS.

> I know that localhost entries were encouraged in RFC 1537 but that one
> is obsoleted by RFC 1912 which doesn't say anything anymore about
> localhost entries, so no encouragement nor discouragement.

RFC 1912 is quiet about localhost entries in random forward zones, but different from RFC 1537 it recommends setting up a "localhost" TLD on one's local recursive name server. So, if memory serves, there were two schools of thought: one saying that forward and reverse should be immediately consistent and the other trying to rely upon the search path for resolution of the "localhost" token. Other alternatives include mapping this name by other means than the DNS, likely /etc/hosts on members of the Unix family.

> I think that if localhost entries in zones should be discouraged, it
> should come from the consensus of this WG.

Independent of this, the "localhost" issue might need some attention because it is related to other work on our plate, namely mixed v4/v6 search path issues as well as topics discussed recently: the "localhost" TLD is special in the sense that it is actually reserved by RFC 2606 but neither delegated nor mapped to anything in real life. Back then there was some discussion about recommending an A RR for this name in the public DNS. At that time, not all root servers responded NXDOMAIN, either.

-Peter

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
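The record the thread is worried about is an A or AAAA record under a public zone whose rdata is a loopback address: a listener bound to 127.0.0.1 on the victim's machine then answers for a name under example.org, and cookies scoped to that domain flow to it. The zone checker below is an added example written for this page; it is not code from the thread, the DNSOP working group or any RFC. The sample zone, the `find_loopback_records` function and its report format are all constructed here for illustration. It flags records whose rdata is loopback (127.0.0.0/8 or ::1) and, separately, records whose owner label is "localhost", so an operator auditing their own forward zones can find the RFC 1537-style entries the bugtraq post argues against.

```python
"""Flag loopback-pointing A/AAAA records in a forward zone file.

Added example, not from the original mailing-list thread. The function
find_loopback_records and the sample zone below are constructed for
illustration; the names under example.org are placeholders.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample zone (not real data). It mixes ordinary records with
# the kind of entries the thread discusses.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@           IN SOA  ns1.example.org. hostmaster.example.org. 2008040301 7200 900 1209600 3600
@           IN NS   ns1.example.org.
ns1         IN A    192.0.2.53
www         IN A    192.0.2.80
localhost   IN A    127.0.0.1       ; RFC 1537-style entry under discussion
localhost   IN AAAA ::1
dev         IN A    127.0.0.1       ; loopback under a different label
mail        IN AAAA 2001:db8::25
"""

# owner [ttl] [IN] (A|AAAA) rdata  -- enough for the common master-file form.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)", re.IGNORECASE)


def find_loopback_records(zone_text: str, origin: str = "example.org.") -> List[Dict]:
    """Return one finding per A/AAAA record that maps a name in the zone to
    loopback, or that sits under an owner label of 'localhost'."""
    findings: List[Dict] = []
    current_origin = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            current_origin = line.split()[1]
            continue
        m = RR_RE.match(line)
        if not m:
            continue  # SOA, NS, MX, directives: not address records
        owner, rtype, rdata = m.groups()
        if owner == "@":
            fqdn = current_origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{current_origin}"
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata; a real checker would report it
        reasons = []
        if addr.is_loopback:
            reasons.append("rdata is a loopback address")
        if fqdn.split(".")[0].lower() == "localhost":
            reasons.append("owner label is 'localhost'")
        if reasons:
            findings.append(
                {"name": fqdn, "type": rtype.upper(), "rdata": rdata, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_loopback_records(SAMPLE_ZONE):
        print(f"{f['name']} {f['type']} {f['rdata']}: {'; '.join(f['reasons'])}")
```

Run against the constructed zone it reports both `localhost` records and the `dev` record; the last one matters because the cookie problem follows from the loopback address, not from the label. A `localhost` label with a non-loopback address is reported too, since it invites the search-path confusion the message mentions.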