On Thu, Jan 25, 2018 at 04:03:08PM +0000, Tony Finch wrote:

> > I am not nearly so enthusiastic about an important component of
> > the draft. Specifically, I'd like to suggest that while the
> > requirement for recursive resolvers to return NXDOMAIN for "localhost."
> > is well-intentioned, it will prove counter-productive to the
> > motivating goals of this draft.
>
> This is a legitimate worry, but it's based on incorrect information.
>
> Stub resolvers already sink localhost queries themselves - they don't rely
> on their recursive servers.

I don't see any mention of "localhost" in libresolv sources. What is true
is that they generally append the default domain suffix to "localhost", and
some support a "no_tld_query" option that AFAIK is off by default.

> Recursive servers frequently do not implement the localhost requirement in
> RFC 6761 - for example, BIND does not.

That's fine, but I've configured plenty of recursive resolvers that are
authoritative for the "localhost" zone. I don't know why the draft should
forbid resolvers from serving such zones.

> So in practice this draft is only a small tweak to current practice.

To be clear, I support requiring a short-circuit in stub resolvers. My
objection is to requiring NXDOMAIN from recursive resolvers. They should
not forward "localhost." lookups, but they should be able to serve local
answers for this zone.

The motivation of the draft is to make "localhost" behave more predictably.
Having resolvers provide the boilerplate replies as a last resort is as much
or more compatible with that goal than mandating that they return NXDOMAIN.

Note also that there may be a "localhost" zone with other data for
sub-domains of "localhost". I've often used it for private MX records on an
MTA:

    example.com.localhost.     IN MX 0 mx1.example.com.localhost.
    example.com.localhost.     IN MX 0 mx2.example.com.localhost.
    mx1.example.com.localhost. IN A 192.0.2.1
    mx2.example.com.localhost. IN A 192.0.2.2

with a transport entry:

    example.com relay:example.com.localhost

With localhost having local sub-domains, NXDomain is NOT an option; though
one might return NoData, it makes more sense to complete the zone with:

    @ IN NS   localhost.
    @ IN A    127.0.0.1
    @ IN AAAA ::1

Note, for example, that the SMTP client in the Postfix MTA performs DNS
lookups with the RES_DEFNAMES and RES_DNSRCH options unset (in order to
avoid unwanted search path application to MX hostnames obtained from DNS).
Furthermore, for similar reasons, nexthop resolution is by default
exclusively via DNS, not getaddrinfo(3).
Consider that administrators may configure transport entries with
"localhost" as the nexthop domain, and you now get queries for "localhost"
sent to the local iterative resolver. (Most Postfix administrators use
"smtp:[127.0.0.1]" instead).

Based on this draft, Postfix should probably special-case "localhost"
internally, but that's not currently the case, and if some users choose to
implement a localhost zone in their iterative resolver there's nothing wrong
with that.

-- 
Viktor.
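As an added example that is not part of Viktor's message, this is what a complete BIND-style zone file for "localhost." looks like when it combines the apex boilerplate records with the private MX data he describes; the SOA record, its timer values and the serial are assumptions, since the message shows only the NS/A/AAAA and MX/A records.

```zone
; Constructed example: an authoritative "localhost." zone that serves the
; apex records itself and also carries private sub-domain data, so the
; resolver never forwards "localhost." queries upstream.
; SOA contents below are assumed values, not from the original message.
$TTL 3600
$ORIGIN localhost.
@       IN  SOA   localhost. hostmaster.localhost. (
                  2018012501  ; serial (assumed)
                  3600        ; refresh
                  900         ; retry
                  604800      ; expire
                  3600 )      ; negative-cache TTL

; Apex: the boilerplate answers the resolver hands back for "localhost."
@       IN  NS    localhost.
@       IN  A     127.0.0.1
@       IN  AAAA  ::1

; Sub-domain data for a private MX relay. Relative owner names are
; completed with $ORIGIN, so "example.com" here is example.com.localhost.
; With this data present, NXDOMAIN for the zone is not an option; a query
; for a type that does not exist at an existing name yields NODATA instead.
example.com         IN  MX  0  mx1.example.com.localhost.
example.com         IN  MX  0  mx2.example.com.localhost.
mx1.example.com     IN  A      192.0.2.1
mx2.example.com     IN  A      192.0.2.2
```

BIND would load this with a stanza such as `zone "localhost" { type master; file "db.localhost"; };` in named.conf (file name assumed), which pairs with the Postfix transport entry `example.com relay:example.com.localhost` already shown above.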