On Sep 12, 2017, at 10:15 PM, John Levine <[email protected]> wrote:

> Believe it or not, there are real non-loopback localhost domain names,
> like localhost.reddit.com <http://localhost.reddit.com/>.
>
> I agree that localhost.<foo> pointing to loopback is generally asking
> for trouble, but I am not at this point sufficiently confident that it
> is never ever a good idea to say MUST NOT rather than SHOULD NOT. I
> can for example imagine ways that might make some kinds of debugging
> easier.
When we look at edge cases like this, it's tempting to be swept away by the futility of trying to close every gap. But it's still worth closing the ones we can close. Trying to outlaw localhost.* is hopeless. But outlawing *.localhost is certainly valid and viable, and as DNSSEC adoption increases, more and more it will be the case that we actually need do nothing to break it.

"localhost" + search list still fails unsafe. This is just another reason to outlaw search lists. I can't think what use case search lists address that's worth the security vulnerability they create. The fact that hosts routinely use search lists provided by DHCP is something that just astonishes me, but even user-configured search lists serve no useful purpose to anyone but the statistically negligible set of geeks who actually type in domain names and yet haven't become paranoid enough to realize that search lists are bad yet. There is no downside to deprecating them.

(Should someone reading this be one of those network operators who still puts search lists to some use inside of their firewall, please do not tell us about it. I do not want to be the cause of your users being hacked.)
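The two behaviours the post contrasts, as an added example that is not from the thread or any resolver's own code: a check that answers "localhost" and "*.localhost" from the host without a DNS query, beside a search-list expander that shows how a bare "localhost" would otherwise be rewritten to "localhost.<suffix>". The ndots and trailing-dot rules follow typical stub resolvers and are assumptions here, as is the stand-in for the network lookup.

```python
"""Localhost-name handling (added example, not from the thread).

(1) is_localhost_name: classify 'localhost' and any name under the .localhost
    TLD as loopback so a stub resolver can answer locally, never on the wire.
(2) expand_with_search_list: the candidate order a typical stub resolver tries,
    showing the 'fails unsafe' path where 'localhost' becomes
    'localhost.<search suffix>'. ndots / trailing-dot rules are assumed
    glibc-style; the loopback addresses are the standard ones.
"""
from typing import List

LOOPBACK = ["127.0.0.1", "::1"]


def is_localhost_name(name: str) -> bool:
    """True for 'localhost' and '*.localhost' (case-insensitive, trailing dot ok).

    Only the rightmost label decides, so 'localhost.reddit.com' and
    'mylocalhost' are NOT matched, and no suffix can turn a localhost name
    into a network name here.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels != [""] and labels[-1] == "localhost"


def expand_with_search_list(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Candidate names a stub resolver would try, in order (assumed behaviour).

    A name with fewer than `ndots` dots and no trailing dot gets each search
    suffix appended FIRST and is tried as typed only LAST. That is the unsafe
    path: 'localhost' -> 'localhost.example.com', a name the network controls.
    """
    if name.endswith("."):                       # FQDN: never expanded
        return [name.rstrip(".")]
    if name.count(".") >= ndots:
        return [name] + [f"{name}.{s.rstrip('.')}" for s in search]
    return [f"{name}.{s.rstrip('.')}" for s in search] + [name]


def resolve_names(name: str, search: List[str]) -> List[str]:
    """Hardened lookup order: localhost names are answered from the host.

    Returns loopback addresses for localhost names without consulting the
    search list; for anything else returns the candidate names that would be
    sent to DNS (a constructed stand-in for the actual query).
    """
    if is_localhost_name(name):
        return LOOPBACK
    return expand_with_search_list(name, search)
```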
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
