On Jan 25, 2018, at 8:37 PM, Viktor Dukhovni <[email protected]> wrote:

> I showed examples of uses of "localhost". Some use the TLD itself
> for the usual local IPs, others employ subdomains of "localhost"
> as a sensibly convenient place to park "for my eyes only" local
> DNS data. These examples are not exhaustive.
That's not what I'm getting at. What I'm getting at is that you are a consenting adult, and you are using localhost as a hack. What you are doing is not the right way to do the hack—it's the expedient way to do the hack. The right way to do the hack is with a real domain name. You could for example use .homenet or something like it to address the problem. Localhost is just a convenient top-level domain that you know you can safely use. If it were the case that some end user who is not a consenting adult were going to have a problem as a result of this text, then I think that would be something we'd need to consider. But in this case there's no problem. If you want to do the hack, do the hack. It's a hack. It wasn't kosher to begin with, and this doesn't make it any less kosher.

> I also note that the draft does not adequately discuss what to do
> with queries with the DO bit set[1]. Presumably a forged NXDOMAIN
> without appropriate root-zone NSEC records may not be adequate in
> that case. It probably (my opinion) makes more sense to obtain
> and cache the NSEC and RRSIG records from the root servers, than
> to return a "bogus" reply.

The draft already addresses the DNSSEC use case. What is the failure mode that you are concerned about here? What would go wrong?
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
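To make the exchange above concrete, here is an added Python example (not code from the draft, from either correspondent, or from any real resolver) that builds DNS queries on the wire, detects the EDNS0 DO bit, and applies a local policy to names at or under "localhost". The two policies it offers (answer A/AAAA with the loopback addresses, or synthesize the "forged NXDOMAIN" the quoted mail refers to) are assumptions chosen for illustration, not the draft's normative text. The `summarize` function shows what a validating client would find in the synthesized reply: an NXDOMAIN with no NSEC or RRSIG records, which is the gap the quoted message points at. Only the standard library is used; the wire layout follows RFC 1035 and RFC 6891.

```python
"""Toy wire-format handling for queries naming "localhost" (constructed example)."""
import struct

A, AAAA, OPT = 1, 28, 41          # RR type codes
RRSIG, NSEC = 46, 47              # DNSSEC proof material we look for in replies
DO_FLAG = 0x8000                  # EDNS0 "DNSSEC OK" bit, top bit of the OPT flags field
RCODE_NXDOMAIN = 3
LOOPBACK_V4 = bytes([127, 0, 0, 1])
LOOPBACK_V6 = b"\x00" * 15 + b"\x01"


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(wire, offset):
    """Decode an uncompressed label sequence; returns (name, next_offset)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected here")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length


def opt_record(dnssec_ok):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL field = ext-rcode(8) | version(8) | flags(16), DO lives in flags."""
    return b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if dnssec_ok else 0, 0)


def build_query(name, qtype, dnssec_ok, qid=0x1234):
    """Standard query with RD set; an OPT record carrying DO is added when asked."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + (opt_record(True) if dnssec_ok else b"")


def parse_query(wire):
    """Return id, qname, qtype and whether the query asked for DNSSEC data."""
    qid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
    off += 4
    dnssec_ok = False
    for _ in range(ar):                      # walk the additional section for OPT
        rname, off = decode_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT and rname == ".":
            dnssec_ok = bool(ttl & DO_FLAG)
    return {"id": qid, "qname": qname, "qtype": qtype, "dnssec_ok": dnssec_ok}


def is_localhost_name(qname):
    """True for "localhost." itself and for any name under it (case-insensitive)."""
    n = qname.lower().rstrip(".")
    return n == "localhost" or n.endswith(".localhost")


def synthesize(query_wire, mode):
    """Local policy for localhost names (assumed policies, not the draft's text).
    mode="loopback": A -> 127.0.0.1, AAAA -> ::1, NODATA for other types.
    mode="refuse":   synthesize NXDOMAIN without forwarding the query.
    Returns None for any other name, meaning: resolve it normally."""
    q = parse_query(query_wire)
    if not is_localhost_name(q["qname"]):
        return None
    rcode, answers = 0, []
    if mode == "refuse":
        rcode = RCODE_NXDOMAIN
    elif q["qtype"] == A:                     # 0xC00C = pointer to the question name
        answers.append(struct.pack("!HHHIH", 0xC00C, A, 1, 0, 4) + LOOPBACK_V4)
    elif q["qtype"] == AAAA:
        answers.append(struct.pack("!HHHIH", 0xC00C, AAAA, 1, 0, 16) + LOOPBACK_V6)
    flags = 0x8580 | rcode                    # QR, AA, RD, RA set; rcode in low 4 bits
    opt = opt_record(True) if q["dnssec_ok"] else b""   # echo DO back to the client
    header = struct.pack("!HHHHHH", q["id"], flags, 1, len(answers), 0, 1 if opt else 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    return header + question + b"".join(answers) + opt


def summarize(response_wire):
    """What a validating client sees: rcode, section counts, RR types present,
    and whether any NSEC/RRSIG proof material accompanies a denial."""
    _qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response_wire[:12])
    _name, off = decode_name(response_wire, 12)
    off += 4                                  # skip QTYPE/QCLASS
    types = []
    for _ in range(an + ns + ar):
        if response_wire[off] & 0xC0 == 0xC0:  # compressed owner name: 2 bytes
            off += 2
        else:
            _name, off = decode_name(response_wire, off)
        rtype, _c, _ttl, rdlen = struct.unpack("!HHIH", response_wire[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0xF, "ancount": an, "nscount": ns, "types": types,
            "dnssec_proof": any(t in (RRSIG, NSEC) for t in types)}


if __name__ == "__main__":
    q = build_query("myservice.localhost", A, dnssec_ok=True)   # constructed query
    print(parse_query(q))
    print(summarize(synthesize(q, "refuse")))     # NXDOMAIN, DO echoed, no NSEC/RRSIG
    print(summarize(synthesize(q, "loopback")))   # one A answer, 127.0.0.1
```

Run with a query for any name under "localhost" with the DO bit set: the "refuse" policy yields RCODE 3 with an empty authority section and `dnssec_proof` False, whereas a real root-zone denial would carry NSEC and RRSIG records in that section; the "loopback" policy answers locally without the query ever leaving the host.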
