localhoast A record?

2014-03-21 Thread Mitchell Kuch
Hello -

I've adopted a number of zones and most of them contain a localhost
record for 127.0.0.1. I'm curious what current RFC standards state and
what the community considers best practice. RFC1537 states that zones
should contain a localhost record, but it seems that practice was
obsoleted by RFC1912. Is anyone aware of negative consequences with
leaving such records in place, perhaps an XSS vulnerability?

I'm itching to remove the records but thought I'd check to see if
there was a legacy use case.

Regards,
Mitchell
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: localhoast A record?

2014-03-21 Thread Casey Deccio
On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch mi...@basejp.com wrote:

 Hello -

 I've adopted a number of zones and most of them contain a localhost
 record for 127.0.0.1. I'm curious what current RFC standards state and
 what the community considers best practice. RFC1537 states that zones
 should contain a localhost record, but it seems that practice was
 obsoleted by RFC1912. Is anyone aware of negative consequences with
 leaving such records in place, perhaps an XSS vulnerability?

 I'm itching to remove the records but thought I'd check to see if
 there was a legacy use case.


I would take a look at the query logs for the zones in question.  You might
be surprised at how many queries are being made by systems that are
applying a suffix from the search list because of the lack of an entry
for localhost in the hosts file or the mishandling thereof.

Casey
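One way to do the query-log check Casey suggests, as an added example that is not part of the thread: the script below parses BIND 9 style "query:" log lines, tallies every name of the form localhost.<suffix> by suffix, and lists the clients that produced them. The log lines are constructed for the example (not real traffic), and the exact log layout is an assumption; the regex accepts both the older "client addr#port: query:" form and the later form with the queried name in parentheses.

```python
"""Count queries for localhost.<suffix> names in BIND query-log lines.

Added example, not from the bind-users thread. The log lines below are
constructed in the classic BIND 9 'query:' format (an assumption about the
server's logging configuration); real logs vary slightly by version, so the
regex tolerates an optional '(name)' after the client address.
"""
import re
from collections import Counter

# Sample log lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
21-Mar-2014 09:03:12.101 client 192.0.2.10#53123: query: localhost.astrology.cam.ac.uk IN A + (192.0.2.1)
21-Mar-2014 09:03:12.104 client 192.0.2.10#53124: query: localhost.cam.ac.uk IN A + (192.0.2.1)
21-Mar-2014 09:03:12.108 client 192.0.2.10#53125: query: localhost.ac.uk IN A + (192.0.2.1)
21-Mar-2014 09:03:13.220 client 192.0.2.11#40001: query: www.cam.ac.uk IN A + (192.0.2.1)
21-Mar-2014 09:03:14.003 client 192.0.2.12#40002 (localhost.cam.ac.uk): query: localhost.cam.ac.uk IN AAAA + (192.0.2.1)
21-Mar-2014 09:03:15.777 client 192.0.2.13#40003: query: LOCALHOST.cam.ac.uk IN A - (192.0.2.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_lines(text):
    """Yield (client, qname, qtype) for every line that looks like a query."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # DNS names are case-insensitive; normalise before counting.
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("client"), qname, m.group("qtype")


def localhost_suffix_counts(text):
    """Map each suffix that 'localhost' was searched under to a query count.

    'localhost.cam.ac.uk' counts towards the suffix 'cam.ac.uk'. A bare
    'localhost' is ignored: it is not evidence of a search-list append.
    """
    counts = Counter()
    for _client, qname, _qtype in parse_query_lines(text):
        if qname.startswith("localhost."):
            counts[qname[len("localhost."):]] += 1
    return counts


def clients_searching_localhost(text):
    """Client addresses that appended a search suffix to 'localhost'."""
    return {c for c, q, _ in parse_query_lines(text) if q.startswith("localhost.")}


if __name__ == "__main__":
    for suffix, n in localhost_suffix_counts(SAMPLE_LOG).most_common():
        print(f"{n:4d}  localhost.{suffix}")
    print("clients:", sorted(clients_searching_localhost(SAMPLE_LOG)))
```

Run it against a real query log by replacing SAMPLE_LOG with the file contents; the per-suffix counts show which zones are absorbing search-list traffic, and the client set tells you which hosts to fix rather than which records to add.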

Re: Regarding HMAC-SHA256 and RSASHA512 key generation algorithm in dnssec-keygen

2014-03-21 Thread Carsten Strotmann
Hello Evan,

Evan Hunt e...@isc.org writes:

 On Thu, Mar 06, 2014 at 11:34:45AM +0100, Carsten Strotmann wrote:
 there could be a hard-link from a name like tsig-keygen to
 dnssec-keygen which changes the type of key created to -n HOST. That
 would not require any change to the existing interface. Just an idea.
 
 I'm not suggesting to change the existing interface, as it will break
 existing stuff.

 FYI, the tsig-keygen command is now available in 9.10.0b2.  (Published
 to the FTP site, should be on the web site shortly.)

Nice, thank you. I will test it.

-- Carsten


Re: localhoast A record?

2014-03-21 Thread Kevin Darcy

On 3/21/2014 9:03 AM, Casey Deccio wrote:
 On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch mi...@basejp.com wrote:

  Hello -

  I've adopted a number of zones and most of them contain a localhost
  record for 127.0.0.1. I'm curious what current RFC standards state and
  what the community considers best practice. RFC1537 states that zones
  should contain a localhost record, but it seems that practice was
  obsoleted by RFC1912. Is anyone aware of negative consequences with
  leaving such records in place, perhaps an XSS vulnerability?

  I'm itching to remove the records but thought I'd check to see if
  there was a legacy use case.

 I would take a look at the query logs for the zones in question.  You
 might be surprised at how many queries are being made by systems that
 are applying a suffix from the search list because of the lack of
 an entry for localhost in the hosts file or the mishandling thereof.


I wouldn't be surprised by any quantity or variety of harebrained
queries that clients make, but that doesn't mean I'm going to add
entries for all that garbage in an attempt to make those clients
happier. As far as I'm concerned, localhost falls into the same
"it's being looked up but shouldn't be" category, and I do not add it as
a matter of course.


- Kevin

Re: localhoast A record?

2014-03-21 Thread Marco Davids (SIDN)


On 21-03-14 14:03, Casey Deccio wrote:

 I've adopted a number of zones and most of them contain a localhost
 record for 127.0.0.1. I'm curious what current RFC standards state and
 what the community considers best practice.

 I would take a look at the query logs for the zones in question.  You
 might be surprised at how many queries are being made by systems that
 are applying a suffix from the search list because of the lack of an
 entry for localhost in the hosts file or the mishandling thereof.

To me, an NXDOMAIN-reply seems better than an answer with an A-record to
127.0.0.1 (because that won't be an incentive to fix an apparently
broken situation).

My advice: forget about localhost entries in your zone files, unless it
concerns a special situation, such as domains that are part of your
search-list. You may want to consider adding it in such a case (although
I don't do so). But if you do, don't forget to add an AAAA-record for
::1 as well ;-)

Regards,


-- 
Marco




Re: localhoast A record?

2014-03-21 Thread Mitchell Kuch
The only remotely valid use case that I have found was the default DNS
monitoring rule for OpenNMS and other monitoring applications. Such a
shame.

On Fri, Mar 21, 2014 at 12:09 PM, Marco Davids (SIDN)
marco.dav...@sidn.nl wrote:
 To me, an NXDOMAIN-reply seems better

On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch mi...@basejp.com wrote:
 Hello -

 I've adopted a number of zones and most of them contain a localhost
 record for 127.0.0.1. I'm curious what current RFC standards state and
 what the community considers best practice. RFC1537 states that zones
 should contain a localhost record, but it seems that practice was
 obsoleted by RFC1912. Is anyone aware of negative consequences with
 leaving such records in place, perhaps an XSS vulnerability?

 I'm itching to remove the records but thought I'd check to see if
 there was a legacy use case.

 Regards,
 Mitchell


Re: localhoast A record?

2014-03-21 Thread Chris Thompson

On Mar 21 2014, Marco Davids (SIDN) wrote:

 On 21-03-14 14:03, Casey Deccio wrote:

  I've adopted a number of zones and most of them contain a localhost
  record for 127.0.0.1. I'm curious what current RFC standards state and
  what the community considers best practice.

  I would take a look at the query logs for the zones in question.  You
  might be surprised at how many queries are being made by systems that
  are applying a suffix from the search list because of the lack of an
  entry for localhost in the hosts file or the mishandling thereof.

 To me, an NXDOMAIN-reply seems better than an answer with an A-record to
 127.0.0.1 (because that won't be an incentive to fix an apparently
 broken situation).


But in the context of search lists an NXDOMAIN will just make the resolver
go on to try the next entry. So in the case of search lists automatically
generated from a domain entry, if localhost.astrology.cam.ac.uk doesn't
exist, localhost.cam.ac.uk will be tried, and then localhost.ac.uk ...


 My advice: forget about localhost entries in your zone files, unless it
 concerns a special situation, such as domains that are part of your
 search-list.


Ah, but whose search lists? The resolvers using a particular recursive
nameserver may have many different variants.


 You may want to consider adding it in such a case (although
 I don't do so). But if you do, don't forget to add an AAAA-record for
 ::1 as well ;-)


We used to create lots of localhost.[subdomain].cam.ac.uk records, even
to the extent of adding an AAAA record just for those institutions that
had IPv6 enabled on their networks. But we have pretty much given up doing
that for new subdomains. It still seems to me potentially useful to keep
localhost.cam.ac.uk itself, to terminate the probable iteration described
above before it goes any further.

--
Chris Thompson
Email: c...@cam.ac.uk
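The search-list walk Chris describes, modelled as an added example that is not part of the thread: a stub resolver with search list astrology.cam.ac.uk, cam.ac.uk, ac.uk is asked for the bare name "localhost", and the model records every name that would reach the nameserver. It follows the common glibc-style rule (an assumption, simplified): a name with fewer than `ndots` dots is tried with each suffix appended first, and the unsuffixed name only after all suffixes return NXDOMAIN. Zone contents are a constructed dict; the two data sets contrast a zone that keeps localhost.cam.ac.uk (Chris's terminating record) with one that has no localhost records at all (Marco's advice).

```python
"""Model of how a stub resolver walks its search list on NXDOMAIN.

Added example, not from the bind-users thread. The behaviour modelled is the
common glibc-style search algorithm, simplified (assumption): names with
fewer than `ndots` dots get each search suffix appended in turn, and the
literal name is tried last. Zone contents are a constructed dict; a missing
key stands for an NXDOMAIN answer.
"""

NXDOMAIN = None


def lookup(zone_data, fqdn):
    """Pretend authoritative answer: an address string, or NXDOMAIN (None)."""
    return zone_data.get(fqdn, NXDOMAIN)


def resolve_with_search(name, search_list, zone_data, ndots=1):
    """Return (answer, names_tried) following the search-list algorithm.

    names_tried lists every name sent to the nameserver, in order; that is
    exactly what shows up in the server's query log.
    """
    suffixed = [f"{name}.{suffix}" for suffix in search_list]
    if name.count(".") < ndots:
        candidates = suffixed + [name]      # search first, literal name last
    else:
        candidates = [name] + suffixed      # literal name first, then search
    tried = []
    for fqdn in candidates:
        tried.append(fqdn)
        answer = lookup(zone_data, fqdn)
        if answer is not NXDOMAIN:
            return answer, tried
    return NXDOMAIN, tried


# Search list as a host in astrology.cam.ac.uk might derive it (constructed).
SEARCH_LIST = ["astrology.cam.ac.uk", "cam.ac.uk", "ac.uk"]

# Case 1: the "terminating" localhost.cam.ac.uk record exists (constructed).
ZONES_WITH_LOCALHOST = {
    "localhost.cam.ac.uk": "127.0.0.1",
    "www.cam.ac.uk": "192.0.2.80",
}
# Case 2: no localhost record anywhere; every step answers NXDOMAIN.
ZONES_WITHOUT_LOCALHOST = {
    "www.cam.ac.uk": "192.0.2.80",
}


def names_queried(zone_data, name="localhost"):
    """Names that hit the nameserver before the lookup of `name` settles."""
    _answer, tried = resolve_with_search(name, SEARCH_LIST, zone_data)
    return tried


if __name__ == "__main__":
    for label, zones in [("with localhost.cam.ac.uk", ZONES_WITH_LOCALHOST),
                         ("without any localhost record", ZONES_WITHOUT_LOCALHOST)]:
        answer, tried = resolve_with_search("localhost", SEARCH_LIST, zones)
        print(f"{label}: answer={answer}; queried: {', '.join(tried)}")
```

With the terminating record the walk stops after two queries and never leaves cam.ac.uk; without it, the resolver asks three suffixed names and then the bare name, all of which land in somebody's query log as NXDOMAIN. A client whose hosts file handles localhost correctly never starts the walk at all, which is the fix both Marco and Kevin are pointing at.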


Re: localhoast A record?

2014-03-21 Thread SM

Hi Chris,
At 11:18 21-03-2014, Chris Thompson wrote:

We used to create lots of localhost.[subdomain].cam.ac.uk records, even
to the extent of adding an AAAA record just for those institutions that
had IPv6 enabled on their networks. But we have pretty much given up doing
that for new subdomains. It still seems to me potentially useful to keep
localhost.cam.ac.uk itself, to terminate the probable iteration described
above before it goes any further.


It can be used to exploit web application vulnerabilities.

Regards,
-sm 

