On Thu, Apr 03, 2008 at 12:19:27PM +0200, Antoin Verschuren wrote:

> http://seclists.org/bugtraq/2008/Jan/0270.html
> that states that localhost entries in zones should be discouraged.

If I follow this correctly, the risk is for "localhost.example.org" to enable
anyone on the same host as the victim to "steal" cookies destined for
"*.example.org".  This reminds me of what Yngve has been pointing us at
repeatedly, namely that the cookie mechanism makes brave assumptions about the DNS.

> I know that localhost entries were encouraged in RFC 1537 but that one
> is obsoleted by RFC 1912 which doesn't say anything anymore about
> localhost entries, so no encouragement nor discouragement.

RFC 1912 is quiet about localhost entries in random forward zones, but
different from RFC 1537 it recommends setting up a "localhost" TLD on one's
local recursive name server.  So, if memory serves, there were two schools
of thought: one saying that forward and reverse should be immediately
consistent and the other trying to rely upon the search path for
resolution of the "localhost" token.  Other alternatives include
mapping this name by other means than the DNS, likely /etc/hosts on
members of the Unix family.

> I think that if localhost entries in zones should be discouraged, it
> should come from the consensus of this WG.

Independent of this, the "localhost" issue might need some attention because
it is related to other work on our plate, namely mixed v4/v6 search path
issues as well as topics discussed recently: the "localhost" TLD is special
in the sense that it is actually reserved by RFC 2606 but neither delegated
nor mapped to anything in real life.  Back then there was some discussion
about recommending an A RR for this name in the public DNS.  At that time,
not all root servers responded NXDOMAIN, either.

-Peter
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
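The risk Peter describes above has two halves: a forward zone carrying an address record that points back at the loopback interface, and a browser's cookie domain-matching rule, which happily sends an "example.org" cookie to any host under that name, including one that resolves to 127.0.0.1. The following is an added example (not from the list thread, not from any IETF document) of the check a zone operator could run before publishing: it walks a zone file for A/AAAA records that point at loopback addresses or carry a "localhost" label, and then reports which of those names would receive cookies scoped to the zone's domain under the RFC 6265 domain-matching rule. The zone file contents are constructed for the example.

```python
import ipaddress

# Constructed sample zone (not from the thread): ordinary records plus the
# kind of "localhost" entry RFC 1537 once encouraged and RFC 1912 dropped.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@           IN  SOA   ns1.example.org. hostmaster.example.org. ( 1 7200 900 1209600 3600 )
@           IN  NS    ns1.example.org.
ns1         IN  A     192.0.2.53
www         IN  A     192.0.2.80
localhost   IN  A     127.0.0.1      ; RFC 1537-style entry
localhost   IN  AAAA  ::1
loop        IN  A     127.0.0.2      ; less obvious: no "localhost" label, still loopback
"""

ADDRESS_RRTYPES = ("A", "AAAA")


def qualify(owner, origin):
    """Turn a zone-file owner name into a fully qualified, lower-cased name."""
    if owner == "@":
        return origin.lower()
    if owner.endswith("."):
        return owner.lower()
    return f"{owner}.{origin}".lower()


def parse_address_records(text, origin="."):
    """Return (fqdn, rrtype, rdata) for every A/AAAA record in a simple zone.

    Honours $ORIGIN, '@', relative owners, ';' comments and optional TTL/class
    fields.  Other record types are ignored; this audit only cares about
    where names resolve to."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL, $INCLUDE etc. are irrelevant here
            continue
        fields = line.split()
        i = 1                             # skip optional TTL and class tokens
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in ("IN", "CH", "HS")):
            i += 1
        if i + 1 >= len(fields):
            continue
        rrtype, rdata = fields[i].upper(), fields[i + 1]
        if rrtype in ADDRESS_RRTYPES:
            records.append((qualify(fields[0], origin), rrtype, rdata))
    return records


def audit_zone(text):
    """Flag address records that would make a public name resolve to the local host."""
    findings = []
    for name, rrtype, rdata in parse_address_records(text):
        try:
            address = ipaddress.ip_address(rdata)
        except ValueError:
            continue                      # malformed rdata is a different problem
        reasons = []
        if address.is_loopback:           # 127.0.0.0/8 or ::1
            reasons.append("points at a loopback address")
        if "localhost" in name.rstrip(".").split("."):
            reasons.append("owner name carries a 'localhost' label")
        if reasons:
            findings.append({"name": name, "type": rrtype, "address": rdata, "reasons": reasons})
    return findings


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching: a cookie with Domain=example.org
    is sent to example.org and to every host below it, as long as the request
    host is a name rather than an IP address."""
    host = host.rstrip(".").lower()
    cookie_domain = cookie_domain.strip(".").lower()
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def cookie_exposed_names(text, cookie_domain):
    """Names in the zone that resolve to loopback AND would receive cookies
    scoped to cookie_domain: exactly the exposure discussed in the thread."""
    exposed = {
        f["name"]
        for f in audit_zone(text)
        if any("loopback" in r for r in f["reasons"]) and domain_matches(f["name"], cookie_domain)
    }
    return sorted(exposed)


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(f"{finding['name']:28} {finding['type']:5} {finding['address']:12} {'; '.join(finding['reasons'])}")
    print("cookies for example.org would reach:", cookie_exposed_names(SAMPLE_ZONE, "example.org"))
```

The "loop" record is included deliberately: a check that only greps for the literal "localhost" misses it, while the address-based test catches any record that hands a zone's name to whatever is listening on the local machine.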
