Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 6/21/21 11:00 AM, Tony Finch wrote:
> > That advice is out of date: nowadays you should not put any localhost
> > entries in the DNS, because it can cause problems for web browser security.
> > Modern software should suppress queries for localhost so they never reach
> > the DNS.
>
> If I'm understanding the problem correctly, it seems to come down to anything
> involving localhost /except/ fully qualified localhost.(implicit null).

Correct. As I mentioned in the blog post (link repeated below), I did some
data collection to verify that dropping the localhost subdomains would be
safe: answer, yes, there were basically no localhost queries.

I used to have a bunch of zones related to special-use domain names and IP
addresses, but after BIND 9.12 added support for DNSSEC-based NXDOMAIN
synthesis, I deleted them all. This means that (strictly speaking) my servers
don't conform to RFC 6761's requirements for localhost, but (a) I can say that
it is BIND's bug rather than mine, and (b) it doesn't matter anyway because
the query traffic is negligible.

> > https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html
> > https://datatracker.ietf.org/doc/html/rfc6761#section-6.3

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Faeroes: Variable 2 to 4, becoming southwest 5 to 7. Slight or moderate,
becoming moderate or rough. Occasional rain later. Good, occasionally
moderate later.
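
The kind of query-log check described in the message above (measuring how often localhost names are actually queried before dropping them from a zone), as an added example that is not part of the original message or the poster's own tooling. The log lines are constructed in BIND 9 querylog style, and the names `classify` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in BIND 9 querylog style; addresses are documentation ranges.
SAMPLE_LOG = """\
21-Jun-2021 11:00:01.120 queries: info: client @0x7f1c2c0a 192.0.2.10#53124 (www.example.org): query: www.example.org IN A +E(0)K (192.0.2.53)
21-Jun-2021 11:00:02.300 queries: info: client @0x7f1c2c0b 192.0.2.11#40022 (localhost.example.org): query: localhost.example.org IN A + (192.0.2.53)
21-Jun-2021 11:00:03.410 queries: info: client @0x7f1c2c0c 192.0.2.12#40100 (localhost): query: localhost IN AAAA + (192.0.2.53)
21-Jun-2021 11:00:04.010 queries: info: client @0x7f1c2c0d 192.0.2.11#40023 (LocalHost.Example.ORG): query: LocalHost.Example.ORG IN A + (192.0.2.53)
21-Jun-2021 11:00:05.990 queries: info: client @0x7f1c2c0e 192.0.2.13#51000 (foo.localhost): query: foo.localhost IN A + (192.0.2.53)
21-Jun-2021 11:00:06.120 queries: info: client @0x7f1c2c0f 192.0.2.14#51001 (notlocalhost.example.org): query: notlocalhost.example.org IN A + (192.0.2.53)
21-Jun-2021 11:00:07.000 general: info: zone example.org/IN: loaded serial 2021062101
"""

# Captures the client address and the query name from a querylog line.
LINE_RE = re.compile(r"client (?:@\S+ )?(\S+)#\d+ .*?\bquery: (\S+) \S+ \S+")


def classify(qname):
    """Return 'special-use', 'in-domain', or None for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if "localhost" not in labels:      # whole-label match, not substring
        return None
    if labels[-1] == "localhost":      # localhost. and *.localhost. (RFC 6761 6.3)
        return "special-use"
    return "in-domain"                 # e.g. localhost.example.org


def summarize(log_text):
    """Count localhost-related queries and which clients sent in-domain ones."""
    total, kinds, clients = 0, Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                   # not a query log line
        total += 1
        kind = classify(m.group(2))
        if kind:
            kinds[kind] += 1
        if kind == "in-domain":
            clients[m.group(1)] += 1
    return total, kinds, clients


if __name__ == "__main__":
    total, kinds, clients = summarize(SAMPLE_LOG)
    print(f"{total} queries, {dict(kinds)}; in-domain clients: {dict(clients)}")
```

The per-client count for `in-domain` names shows which hosts still depend on a `localhost.<domain>` record before it is removed.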