> On 2 Feb 2018, at 8:50 am, Wes Hardaker <[email protected]> wrote:
> 
> Andrew Sullivan <[email protected]> writes:
> 
>> But of course, there _is_ a name "localhost" in the DNS.
>> It's already defined, in the RFCs, to this effect.
> 
> You can probably have your cake and eat it too by saying "sure,
> hypothetically it exists in the DNS because it's magically reserved in
> an RFC; but there is no data for it so any queries for it for any type
> will always return 'does not exist'".  See!  Problem solved!

> Returning anything other than NXDOMAIN and NSEC* for it is crazy,
> because the reality is that the name does not exist in the root zone
> data (and should not exist).  Let's not start adding special exceptions.

Actually the name SHOULD exist in the public root zone as an insecure
delegation to an empty zone (SOA and NS records only) so that DNSSEC works
without special processing for those that wish to support using the DNS
to resolve localhost.  This should have been done when the root zone was
initially signed.

Unsigned NOERROR NODATA for localhost/A and localhost/AAAA is a perfectly
fine answer from the global DNS.  There is ZERO NEED for NXDOMAIN to be
returned from the global DNS for those lookups. There is zero NEED for those
answers to be signed.  The global DNS doesn’t know what address should be
returned for localhost.  It doesn’t have to be 127.0.0.1 or ::1.  The choice
of address is a local decision.  I’ve had localhost in a chroot virtual host
be 127.0.0.2 so that processes running in that chroot virtual host talked to
their own instance of localhost.

> We could do something crazy like "return NXDOMAIN" and don't set the
> AA bit, because the DNS is not authoritative for that domain (and
> others, like .onion).  But I'm not sure that helps anyone, and adds
> unneeded complexity to an already too complex code base.

Onion is not localhost.  .onion is a protocol switch.  .localhost isn’t
a protocol switch.  There is NOTHING wrong with returning A and AAAA records
for .localhost from the local DNS resolver.  If you NEED to support types
other than A and AAAA you MUST run a local resolver to do this as there IS
NO OTHER MECHANISM TO DO THAT!

I have no problem with hostname lookup APIs not looking for A and AAAA records
for localhost in the DNS.  I have big problems with taking it any further than
that.

Mark

> -- 
> Wes Hardaker
> USC/ISI

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
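As an added example (not part of this thread or of any ISC or IETF code), a small Python script that builds and classifies the three response shapes the thread contrasts for the same localhost./A question: an unsigned NOERROR/NODATA answer as the global DNS would give, an NXDOMAIN with the AA bit clear, and a local resolver's A record for 127.0.0.2. The wire-format builder and the sample messages are constructed here purely for illustration.

```python
import struct
import ipaddress

def encode_name(qname):
    """Encode a dotted name into DNS wire-format labels."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, qtype, rcode, aa, rdatas=()):
    """Build a minimal DNS response (constructed sample wire data, no name compression)."""
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)  # QR bit, AA bit, RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rdatas), 0, 0)  # header
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # question, class IN
    for rdata in rdatas:  # answer RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        msg += encode_name(qname) + struct.pack("!HHIH", qtype, 1, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    # Return the offset just past a wire-format name (a compression pointer ends it)
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Return (kind, aa, addresses): kind is NXDOMAIN, NODATA, ANSWER or RCODE<n>."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):  # A or AAAA: decode the address from RDATA
            addrs.append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    if rcode == 3:
        kind = "NXDOMAIN"
    else:
        kind = ("NODATA" if ancount == 0 else "ANSWER") if rcode == 0 else "RCODE%d" % rcode
    return kind, aa, addrs

# The three response shapes the thread contrasts, for the same localhost./A question
GLOBAL_NODATA = build_response("localhost.", 1, 0, aa=True)    # NOERROR, empty answer section
NXDOMAIN_NO_AA = build_response("localhost.", 1, 3, aa=False)  # NXDOMAIN, AA bit clear
LOCAL_ANSWER = build_response("localhost.", 1, 0, aa=True,
                              rdatas=[ipaddress.IPv4Address("127.0.0.2").packed])
```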
