In article <cahw9_ijl-lc84gnmtoerm2oupvrmxkjoygeume9k77rwoe4...@mail.gmail.com> you write: >I think that this boils down to: It is an error to send a query for >localhost (or anything under localhost) to the DNS. The main reason >for this (at least from my reading of the thread) is a security >argument -- you want to be completely sure that 'localhost' will >always be 127.0.0.1 / ::1 / some local equivalent, and this is not a >guarantee we can expect from the DNS[0]. Because of this it is better >the have queries that accidentally *do* leak into the DNS get a >failure (NXDOMAIN) - this avoids having (security important) cases >work fine until there is an attacker. > >Is this a reasonable summary? Perhaps once we agree if *is* the >behavior we want we'll have an easier time deciding exactly how...
Sounds right to me. With respect to Tim's suggestion that we invent localhost-we-really-mean-it-this-time, the existing localhost isn't going away, and it is my impression that more often than not software already does what this draft suggests. R's, John _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
