Bob Harold <rharo...@umich.edu> wrote:
> My concerns:
> Do we need to make sure stub resolvers get updated before we update DNS, to
> avoid breaking things?
> Do we know what current stub resolvers do?
Based on a few stats I gathered in September, stub resolvers already handle localhost themselves. More details at https://www.ietf.org/mail-archive/web/dnsop/current/msg20968.html

Regarding the draft, I have looked through it and I have one suggestion:

The second paragraph of section 5.2 (security considerations - localhost labels in subdomains) should be beefed up. Localhost entries in subdomains are risky so they should be discouraged - I wrote about why we deleted ours at http://news.uis.cam.ac.uk/articles/2017/09/01/deleting-localhost-entries-from-the-cam-ac-uk-dns-zone

I think it's misleading to say "could affect their resolution in practice". It would be more accurate to say "in theory" because in practice, localhost queries are already absorbed by /etc/hosts (or equivalent) before the search list gets a look in.

So I suggest the following replacement for the second paragraph of section 5.2:

    In theory, the admonition against searchlist usage could affect their
    resolution, as discussed in Section 3; in practice, stub resolvers already
    handle queries for "localhost" as specified in this memo. Although
    localhost entries were encouraged by RFC 1537, that suggestion was removed
    from its successor RFC 1912. They are now discouraged because they can be
    used to subvert security restrictions such as the web browser same origin
    policy, especially on multi-user systems
    [http://seclists.org/bugtraq/2008/Jan/270].

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Irish Sea: Southwest veering northwest 5 to 7. Moderate or rough. Showers. Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
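Added example, not part of Tony's message or the draft: a small zone-file audit in Python that flags the records the thread argues should be removed, i.e. names with a leftmost "localhost" label under the zone and any A/AAAA record pointing at a loopback address. The zone fragment for example.org is constructed for the demonstration, and the parser only handles the common owner/TTL/IN/type/rdata layout.

```python
import ipaddress
import re

# Constructed sample zone (not a real zone): a localhost entry, a loopback
# record under another name, and benign records that must not be flagged.
SAMPLE_ZONE = """\
$ORIGIN example.org.
@             3600 IN SOA  ns1 hostmaster 2017090100 7200 3600 1209600 3600
@             3600 IN NS   ns1
ns1           3600 IN A    192.0.2.53
www           3600 IN A    192.0.2.80
localhost     3600 IN A    127.0.0.1
localhost     3600 IN AAAA ::1
dev.internal  3600 IN A    127.0.0.1
mail          3600 IN MX   10 mx1.example.org.
"""

# owner [TTL] [IN] A|AAAA rdata; other record types are skipped.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)\s*$")

def audit_zone(zone_text):
    """Return (owner_fqdn, rtype, rdata, reason) for each record that carries
    a leftmost 'localhost' label or resolves to a loopback address, the kind
    of entry that can be abused against the browser same-origin policy."""
    origin = "."
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        reasons = []
        if fqdn.split(".")[0].lower() == "localhost":
            reasons.append("localhost label in subdomain")
        try:
            if ipaddress.ip_address(rdata).is_loopback:
                reasons.append("loopback address")
        except ValueError:
            pass   # rdata is not an IP literal
        if reasons:
            findings.append((fqdn, rtype, rdata, "; ".join(reasons)))
    return findings
```

Running `audit_zone(SAMPLE_ZONE)` reports the two localhost records and the dev.internal loopback record, and nothing else.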