In message <26e56255-6169-4626-95e8-a9d6a2d5e...@fugue.com>, Ted Lemon writes:
> On Sep 12, 2017, at 10:15 PM, John Levine <jo...@taugh.com> wrote:
> > Believe it or not, there are real non-loopback localhost domain names,
> > like localhost.reddit.com <http://localhost.reddit.com/>.
> >
> > I agree that localhost.<foo> pointing to loopback is generally asking
> > for trouble, but I am not at this point sufficiently confident that it
> > is never ever a good idea to say MUST NOT rather than SHOULD NOT.  I
> > can for example imagine ways that might make some kinds of debugging
> > easier.
>
> When we look at edge cases like this, it's tempting to be swept away by
> the futility of trying to close every gap.   But it's still worth closing
> the ones we can close.   Trying to outlaw localhost.* is hopeless.  But
> outlawing *.localhost is certainly valid and viable, and as DNSSEC
> adoption increases, more and more it will be the case that we actually
> need do nothing to break it.   "localhost" + search list still fails
> unsafe.

Why would we want to outlaw *.localhost?  Just because it is
inconvenient for the IAB and ICANN that they didn't address this issue
correctly years ago.

Oh, sorry, you can't use SRV with localhost to assign a port to this
protocol THAT HAS NO DEFAULT PORT and only a NAME.  Is this what you
REALLY want to do?

> This is just another reason to outlaw search lists.   I can't think what
> use case search lists address that's worth the security vulnerability
> they create.   The fact that hosts routinely use search lists provided by
> DHCP is something that just astonishes me, but even user-configured
> search lists serve no useful purpose to anyone but the statistically
> negligible set of geeks who actually type in domain names and yet haven't
> become paranoid enough to realize that search lists are bad yet.   There
> is no downside to deprecating them.
>
> (Should someone reading this be one of those network operators who still
> puts search lists to some use inside of their firewall, please do not
> tell us about it.   I do not want to be the cause of your users being
> hacked.)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
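The "localhost + search list still fails unsafe" point from the thread, as an added example that is not part of any message above: a small simulation of glibc-style search-list expansion, a resolver that sends the expanded names to the network, and one that special-cases "localhost" and "*.localhost" the way RFC 6761 asks. The zone data (example.com, 192.0.2.10) and the FAKE_DNS table are constructed for the demonstration.

```python
# Added example, not from the DNSOP thread. Simulates how a stub resolver's
# search list turns the single label "localhost" into DNS queries, and shows
# the special-casing that keeps such names off the network.

LOOPBACK_V4 = "127.0.0.1"

# Constructed zone data (hypothetical): the operator of example.com has a
# real, non-loopback host literally named "localhost". Any client that
# expands "localhost" through a search list ending in example.com reaches it.
FAKE_DNS = {
    "localhost.example.com.": "192.0.2.10",
}

def search_candidates(name, search_list, ndots=1):
    """Return the FQDNs a glibc-style stub would try, in order.
    A name with fewer than `ndots` dots is tried with each search suffix
    first and as given last (mirrors resolv.conf 'options ndots:N')."""
    if name.endswith("."):
        return [name]                      # already fully qualified
    as_given = name + "."
    suffixed = [f"{name}.{sfx.rstrip('.')}." for sfx in search_list]
    if name.count(".") < ndots:
        return suffixed + [as_given]
    return [as_given] + suffixed

def naive_resolve(name, search_list):
    """Resolver with no localhost special-casing: every candidate goes to
    the network, so "localhost" can come back as a remote address."""
    for cand in search_candidates(name, search_list):
        if cand in FAKE_DNS:
            return cand, FAKE_DNS[cand]
    return None, None

def is_localhost_name(name):
    """True for 'localhost' and anything under '.localhost' (RFC 6761)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "localhost"

def safe_resolve(name, search_list):
    """Resolver that answers localhost names locally before search-list
    expansion can ever turn them into a DNS query."""
    if is_localhost_name(name):
        return name.rstrip(".") + ".", LOOPBACK_V4
    return naive_resolve(name, search_list)
```

Note that the fix is applied to the name as typed, before expansion; checking only the expanded "localhost.example.com." would still miss it.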
