On Jan 29, 2018, at 10:53 AM, dnsop-requ...@ietf.org wrote:
> To add more to this, Unbound by default returns 127.0.0.1, and so does
> Knot Resolver, because both decided to respect
> https://tools.ietf.org/html/rfc6761#section-6.3
>
> This is a security hole, and again, purpose of NXDOMAIN is to make it
> fail safe instead of keeping insecure stub implementations doing what
> they did up until now.

By short-circuiting the lookup as early as possible these resolvers avoid sending the query upstream, thus eliminating part of the security exposure further upstream, away from the user's device.

Serving local data for "localhost" is NOT the security hole; it is an incomplete fix, and a secure one when the resolver is responding to loopback clients. The hole is in the platform's libraries, and that is the proper primary focus of the draft, not recursive resolvers, nor even stub resolvers (the DNS portion of the platform name resolution libraries).

If you want to remove the band-aid, that is properly a SHOULD, not a MUST. It is not required for interoperability, nor does it address the security issue [e.g. the next resolver in the forwarding chain may still return 127.0.0.1, or, as likely or more, the user will just stop using "localhost" and hard-code IPv4: 127.0.0.1].

-- 
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
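As an added illustration (not code from Viktor, Unbound, Knot Resolver or the draft): a small Python model of the RFC 6761 section 6.3 short-circuit the message describes, plus an audit helper that checks whether the platform's own name resolution library hands back only loopback addresses for "localhost". The policy function, its answer tuple and all names below are assumptions constructed for this example.

```python
import ipaddress
import socket

# Constructed local answer for "localhost": the loopback addresses a resolver
# returns instead of forwarding the query upstream (assumed values).
LOOPBACK_ANSWER = ("127.0.0.1", "::1")


def is_localhost_name(qname: str) -> bool:
    """True for 'localhost' and any name under it; case-insensitive, trailing dot optional."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "localhost"


def resolve_locally(qname: str):
    """Model of the resolver short-circuit: ('local', answers) for localhost names,
    ('forward', ()) for everything else, i.e. only non-localhost queries leave the host."""
    if is_localhost_name(qname):
        return "local", LOOPBACK_ANSWER
    return "forward", ()


def only_loopback(addresses) -> bool:
    """Audit check: a non-empty answer consisting solely of loopback addresses
    (127.0.0.0/8 or ::1).  Anything else is the hole the message points at."""
    addrs = list(addresses)
    if not addrs:
        return False
    try:
        return all(ipaddress.ip_address(a).is_loopback for a in addrs)
    except ValueError:  # not an IP literal at all
        return False


def audit_platform(name: str = "localhost") -> bool:
    """Ask the platform's own resolution library (getaddrinfo) and audit the answer.
    This exercises the library, not the recursive resolver, which is where the
    message says the real problem lives."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return False  # NXDOMAIN-style failure: fails safe, but is not a loopback answer
    return only_loopback(sockaddr[0] for _, _, _, _, sockaddr in infos)


if __name__ == "__main__":
    for q in ("localhost", "dev.app.localhost", "localhost.example.com"):
        print(q, "->", resolve_locally(q))
    print("platform localhost answer is loopback-only:", audit_platform())
```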