The problem is that search lists are being applied when “localhost” is being 
entered into name lookup APIs and is being matched against localhost.example 
which isn’t expected to  to a address on the current machine and that the 
search list may be auto constructed or come from a untrusted source.

There is also a small risk that hotspots will return something other than a 
local address if a address lookup for .localhost is made. 

This is all in the context of processing  urls.

Localhost is the last remanent of the pre hierarchical host scheme. 

The risks are eliminated if the name APIs use local lookup sources in those 

Then you have legacy clients. As long as the servers for the namespace on the 
public Internet don’t return A or AAAA records for localhost the issue is 
addressed there.

You then have the recursive server where you would like it, by default, return 
a answer without contacting the root servers.  The only safe way to do that is 
to have it serve a empty zone for localhost.  As this zone isn’t linked into 
the global DNSSEC chain of trust the root zone needed a insecure delegation for 

Mark Andrews

> On 3 Feb 2018, at 05:25, Bob Harold <> wrote:
>> On Thu, Feb 1, 2018 at 4:26 PM, Ted Lemon <> wrote:
>> On Feb 1, 2018, at 2:48 PM, Andrew Sullivan <> wrote:
>>>> As a general principle, when what the RFC says to do is not the right 
>>>> thing to do, the solution is to update the RFC, not to ignore the problem.
>>> I strongly agree with this (as I think or anyway hope you know)
>> Yes, I will admit I was a bit surprised that you put it that way, although 
>> as you say, your position is more clear in your formal review of the 
>> document.
>> As for why I responded to this and not to the formal review, the answer is 
>> that the formal review was a bit overwhelming.  You made a lot of assertions 
>> of fact that didn't sound like fact to me—they sounded like strongly-held 
>> opinion.   You are a much more experienced DNS expert than I am, so for me 
>> to argue you away from those opinions is a tall order—I don't think you've 
>> really expressed the underlying belief that is the keystone to the whole 
>> edifice.
>> The problem I have is that to me it's dead obvious that the name hierarchy 
>> and the set of names in the DNS are not the same thing.   We've had that 
>> discussion before.   We even published a document about it, which hasn't 
>> quite made its way out of the RFC editor queue yet.   It seems to me that it 
>> is demonstrably the case that these two sets are disjoint.
>> But you explain your reasoning on the basis that clearly they are the same 
>> set, and that they are the same set is left unexamined.   So if we were to 
>> succeed in understanding why we disagree on this point, it would be 
>> necessary to dig down into that.
>> Having seen you give keynotes at the plenary, I know that you are deeply 
>> concerned about computer security.   The reason that I am in favor of the 
>> behavior I'm propounding is that I think it closes a small security gap 
>> through which a truck might some day be driven, to our woe.   So to me, the 
>> need to leave that gap, which I admit is small, open, seems inconsistent 
>> with what I know of you.
>> So clearly you value this idea that localhost is a name that exists in the 
>> DNS, even though it doesn't exist in the DNS.   It might be fruitful to 
>> explore that further.   It might also be a waste of time.   I don't honestly 
>> know.   But that is, I think, the key to our disagreement.
> Could someone explain the security problem?  If it really is bigger than the 
> problems that will be caused by changing resolvers to answer with NXDOMAIN, 
> then you might convince me.  
> -- 
> Bob Harold
> _______________________________________________
> DNSOP mailing list
DNSOP mailing list

Reply via email to