Managing localhost
Tony Finch
dot at dotat.at
Fri Jun 25 21:02:11 UTC 2021
Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> On 6/21/21 11:00 AM, Tony Finch wrote:
> > That advice is out of date: nowadays you should not put any localhost
> > entries in the DNS, because it can cause problems for web browser security.
> > Modern software should suppress queries for localhost so they never reach
> > the DNS.
>
> If I'm understanding the problem correctly, it seems to come down to anything
> involving localhost /except/ fully qualified localhost.(implicit null).
Correct.
As I mentioned in the blog post (link repeated below), I did some data
collection to verify that dropping the localhost subdomains would be safe:
answer, yes, there were basically no localhost queries.
I used to have a bunch of zones related to special-use domain names and IP
addresses, but after BIND 9.12 added support for DNSSEC-based NXDOMAIN
synthesis, I deleted them all. This means that (strictly speaking) my
servers don't conform to RFC 6761's requirements for localhost, but (a) I
can say that it is BIND's bug rather than mine, and (b) it doesn't matter
anyway because the query traffic is negligible.
> > https://www.dns.cam.ac.uk/news/2017-09-01-localhost.html
> > https://datatracker.ietf.org/doc/html/rfc6761#section-6.3
Tony.
--
f.anthony.n.finch <dot at dotat.at> https://dotat.at/
Faeroes: Variable 2 to 4, becoming southwest 5 to 7. Slight or
moderate, becoming moderate or rough. Occasional rain later. Good,
occasionally moderate later.
More information about the bind-users
mailing list