> On Thu, Apr 03, 2008 at 12:19:27PM +0200, Antoin Verschuren wrote:
> 
> > http://seclists.org/bugtraq/2008/Jan/0270.html
> > that states that localhost entries in zones should be discouraged.
> 
> If I follow this correctly, the risk is for "localhost.example.org" to enable
> anyone on the same host as the victim to "steal" cookies destined for
> "*.example.org".  This reminds me of what Yngve has been pointing us at
> repeatedly and that is the cookie mechanism makes brave assumptions about
> the DNS.
> 
> > I know that localhost entries were encouraged in RFC 1537 but that one
> > is obsoleted by RFC 1912 which doesn't say anything anymore about
> > localhost entries, so no encouragement nor discouragement.
> 
> RFC 1912 is quiet about localhost entries in random forward zones, but
> different from RFC 1537 it recommends setting up a "localhost" TLD on one's
> local recursive name server.  So, if memory serves, there were two schools
> of thought: one saying that forward and reverse should be immediately
> consistent and the other trying to rely upon the search path for
> resolution of the "localhost" token.  Other alternatives include
> mapping this name by other means than the DNS, likely /etc/hosts on
> members of the Unix family.
> 
> > I think that if localhost entries in zones should be discouraged, it
> > should come from the consensus of this WG.
> 
> Independent of this, the "localhost" issue might need some attention because
> it is related to other work on our plate, namely mixed v4/v6 search path
> issues as well as topics discussed recently: the "localhost" TLD is special
> in the sense that it is actually reserved by RFC 2606 but neither delegated
> nor mapped to anything in real life.  Back then there was some discussion
> about recommending an A RR for this name in the public DNS.  At that time,
> not all root servers responded NXDOMAIN, either.
> 
> -Peter
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

        Additionally "localhost" is the only holdover from single
        label hostnames.  Everything else got qualified, initially
        by .ARPA then by other suffixes.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
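
An added example, not part of the thread: a zone audit for the kind of entry under discussion, listing every A/AAAA record that maps a name in a forward zone to a loopback address. The helper name `loopback_records` and the sample zone are constructed for illustration, and the parser assumes one record per line with numeric TTLs.

```python
import ipaddress

# Constructed sample zone (not from the thread); example.org as in the quoted message.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@          IN SOA ns1 hostmaster 1 7200 900 1209600 3600
www        IN A   192.0.2.80
localhost  IN A   127.0.0.1   ; the kind of entry discussed above
loop6      IN AAAA ::1
dev.intra  300 IN A 127.0.0.53
           IN A   192.0.2.81  ; blank owner: inherits dev.intra
"""

def loopback_records(zone_text, origin="."):
    """Hypothetical helper: list (fqdn, type, address) for A/AAAA records on loopback.
    Simplified parser: one record per line, numeric TTLs, no parenthesised rdata."""
    findings, last_owner = [], origin
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenise
        if not fields:
            continue
        if fields[0].startswith("$"):            # directives
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = fields[1]
            continue
        if raw[0].isspace():                     # blank owner inherits the previous one
            owner = last_owner
        else:
            name = fields.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = name + "." + origin.lstrip(".")
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                        # skip TTL and class
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                             # malformed rdata: not this check's job
        if addr.is_loopback:                     # 127.0.0.0/8 or ::1
            findings.append((owner, fields[0].upper(), str(addr)))
    return findings
```

The check flags any owner name, not only the literal label "localhost", since the exposure comes from the loopback address rather than from the label.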