> On 5 Feb 2018, at 3:20 pm, Ted Lemon <mel...@fugue.com> wrote: > > On Feb 4, 2018, at 9:49 PM, Mark Andrews <ma...@isc.org> wrote: >> We may as well ban www.example because that can return 127.0.0.1 as well. :-) > > www.example.com is never presumed to be local.
And localhost.example.com isn’t local either. The problem is that either of them can be a non-global scope address. The original problem is that HTTP doesn’t specify that names learn across the wire, including from on disk html files, need to be treated as absolute names. This is HTTP’s mess due to allowing relative names in what is transmitted over the wire. This should be sent back to HTTP say FIX YOUR INSECURE PROTOCOL. The second bugtraq issue is also HTTP’s insecure security model that doesn’t take into account that addresses have scopes. Again that is for HTTP to fix. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop