> On Thu, Apr 03, 2008 at 12:19:27PM +0200, Antoin Verschuren wrote:
>
> > http://seclists.org/bugtraq/2008/Jan/0270.html
> > that states that localhost entries in zones should be discouraged.
>
> if I follow this correctly, the risk is for "localhost.example.org" to enable
> anyone on the same host as the victim to "steal" cookies destined for
> "*.example.org". This reminds me of what Yngve has been pointing us at repeatedly
> and that is the cookie mechanism makes brave assumptions about the DNS.
>
> > I know that localhost entries were encouraged in RFC 1537 but that one
> > is obsoleted by RFC 1912 which doesn't say anything anymore about
> > localhost entries, so no encouragement nor disencouragement.
>
> RFC 1912 is quiet about localhost entries in random forward zones, but
> different from RFC 1537 it recommends setting up a "localhost" TLD on one's
> local recursive name server. So, if memory serves, there were two schools
> of thought: one saying that forward and reverse should be immediately
> consistent and the other trying to rely upon the search path for
> resolution of the "localhost" token. Other alternatives include
> mapping this name by other means than the DNS, likely /etc/hosts on
> members of the Unix family.
>
> > I think that if localhost entries in zones should be discouraged, it
> > should come from the consensus of this WG.
>
> Independent of this, the "localhost" issue might need some attention because
> it is related to other work on our plate, namely mixed v4/v6 search path
> issues as well as topics discussed recently: the "localhost" TLD is special
> in the sense that it is actually reserved by RFC 2606 but neither delegated
> nor mapped to anything in real life. Back then there was some discussion
> about recommending an A RR for this name in the public DNS. At that time,
> not all root servers responded NXDOMAIN, either.
>
> -Peter
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

Additionally "localhost" is the only holdover from single-label hostnames. Everything else got qualified, initially by .ARPA then by other suffixes.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [EMAIL PROTECTED]
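The thread's concern is that an A or AAAA record such as "localhost.example.org" pointing at a loopback address lets a cookie scoped to Domain=example.org be delivered to whatever is listening locally. The zone audit below is an added example, not code from this thread or from ISC; it parses a constructed zone fragment (assumed format: one record per line, optional TTL and class, $ORIGIN supported), flags A/AAAA records whose RDATA is a loopback address, and reports those whose owner name domain-matches a cookie scope in the simplified RFC 6265 sense (host equals the cookie domain or is a subdomain of it). The "dev" record is included to show that the label need not literally be "localhost" for the same exposure to exist.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample zone (not taken from the thread). The localhost entries
# are the kind the referenced bugtraq post discourages; "dev" shows the same
# exposure under a different label.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@           IN  SOA   ns1.example.org. hostmaster.example.org. (2008040301 7200 3600 1209600 3600)
@           IN  NS    ns1.example.org.
ns1         IN  A     192.0.2.53
www         IN  A     192.0.2.80
localhost   IN  A     127.0.0.1
localhost   IN  AAAA  ::1
dev         IN  A     127.0.0.1
mail        IN  AAAA  2001:db8::25
"""

Record = Tuple[str, str, str]  # (fully qualified owner, type, rdata)


def parse_zone(text: str) -> List[Record]:
    """Minimal zone-file reader: handles $ORIGIN, '@', relative owners,
    optional TTL and class fields, and ';' comments. Multi-line records
    (continuation parentheses) are assumed to be on one line."""
    origin = "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives: ignore
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():     # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn.lower(), rtype, rdata))
    return records


def is_loopback(rdata: str) -> bool:
    """True for 127.0.0.0/8 and ::1; non-address RDATA (SOA, NS, ...) is False."""
    try:
        return ipaddress.ip_address(rdata).is_loopback
    except ValueError:
        return False


def find_loopback_records(records: List[Record]) -> List[Record]:
    """Address records in the zone that resolve to the local host."""
    return [r for r in records if r[1] in ("A", "AAAA") and is_loopback(r[2])]


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Simplified RFC 6265 s5.1.3 domain-match for hostnames: the host is
    the cookie domain itself or a subdomain of it (leading dot tolerated)."""
    host = host.rstrip(".").lower()
    cookie_domain = cookie_domain.strip(".").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit(zone_text: str, cookie_domain: str) -> List[str]:
    """Report loopback address records that sit inside a cookie scope, i.e.
    names to which a Domain=cookie_domain cookie would be sent while the
    connection actually lands on the local machine."""
    findings = []
    for name, rtype, rdata in find_loopback_records(parse_zone(zone_text)):
        if domain_matches(name, cookie_domain):
            findings.append(
                f"{name} {rtype} {rdata}: loopback address inside {cookie_domain}; "
                f"cookies scoped to Domain={cookie_domain} reach a local listener"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ZONE, "example.org"):
        print(line)
```

Running the audit on the sample reports three records (both localhost entries and "dev"); mapping the name outside the DNS, through /etc/hosts or a resolver-local "localhost" zone as Peter's mail describes, removes the entry from the public zone and therefore from the cookie scope.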