As this proposal is in the name of consistency, is there an argument weshould be strict and explicitly define *which* loopback address DNS servers must return when queried?I was intentionally vague on that point, as one of the scenarios raised in https://github.com/w3c/webappsec-secure-contexts/issues/43 was a developer who was pointing `project1.localhost` to 127.0.0.1, and `project2.localhost` to 127.0.0.2 in /etc/hosts (and presumably had a server configured accordingly). It seems like that's a reasonable thing to support. Any loopback address is fine with me.
Sorry, my question was unclear - I was referring to point 3 about authoritative nameservers rather than local setups; I agree that locally developers should be allowed to use whatever local addresses they want. Anyway, that's been cleared up by fixing the typo so that's no longer an issue :)
On Tue, Sep 27, 2016 at 06:48:45PM -0000, John Levine wrote:
I use multiple IPv4 127/8 addresses all the time. For example, I run a funky local stunt DNS server on 127.0.1.1 and configure my local DNS cache to use it for a branch of the name tree. So yes, any loopback address will do. (We can save the question about a link-local IPv6 address on a loopback interface for later.)
Clearly this is a sensible and perfectly legal setup, however I worry that this proposal may interfere with it. If name resolution APIs are forbidden from forwarding localhost queries onto their DNS servers, how would they know that, in this case, the stunt DNS server *should* receive requests so it can route things to your preferred link local addresses?
I'm probably not explaining myself well so I'll give an example. In the setup above, let's say you've set 127.0.1.1 to be your local DNS server, meaning that you might expect the following commands to work: $ dig mysite.localhost
mysite.localhost IN A 127.0.0.1 $ dig myothersite.localhost myothersite.localhost IN A 127.200.200.200But, under this proposal wouldn't dig be obliged to refuse to forward the request onto 127.0.1.1? How does dig (or your browser or any other resolving API) know the difference between a bog standard caching DNS server and a local DNS server that has explicitly been set up to route local lookups?
It's possible that I'm overcomplicating matters, and dig would never actually refuse to forward on such a request, but my fear is that the writers of browsers may use such a proposal to simply hard code "localhost" to resolve to 127.0.0.1 and then clever local setups like these would end up breaking.
We could possibly add some kind of exemption in the case of local DNS servers, eg: Name Resolution APIs and Libraries SHOULD send queries for localhost names to their configured caching DNS server(s) if and only if such server is itself running on a link local address.
Emily -- Emily Shepherd Computer Science Graduate, MEng (Hons) W: https://emilyshepherd.me/ M: +44(0)7575 721 231
Attachment:
signature.asc
Description: PGP signature