In message <alpine.OSX.2.11.1609271717330.72382@xxxxxx>, "John R Levine" writes:

> > I'm probably not explaining myself well so I'll give an example. In the setup
> > above, let's say you've set 127.0.1.1 to be your local DNS server, meaning
> > that you might expect the following commands to work:
> >
> > $ dig mysite.localhost
> > mysite.localhost IN A 127.0.0.1
> >
> > $ dig myothersite.localhost
> > myothersite.localhost IN A 127.200.200.200
> >
> > But, under this proposal wouldn't dig be obliged to refuse to forward the
> > request onto 127.0.1.1? How does dig (or your browser or any other resolving
> > API) know the difference between a bog standard caching DNS server and a
> > local DNS server that has explicitly been set up to route local lookups?
>
> I don't see why. You're allowed to use common sense when interpreting
> RFCs, and the message here is clearly that if you want to interoperate you
> do not send queries for *.localhost out of your computer. The twisty way
> my or your internal DNS setup works is out of scope.
>
> Regards,
> John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

Well we really should ensure that there is a break in the DNSSEC chain of
trust between the root zone and the localhost zone, i.e. an insecure
delegation for localhost gets added to the root zone pointing back to the
root servers or another set of servers.

At least this is only changing how localhost is handled in the special
names registry rather than attempting to add it.

http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

I would just be asking for IANA to be creating the delegation described
above and for DNS recursive server vendors to be adding a default localhost
zone with SOA, NS, A and AAAA records at the zone apex if none is otherwise
configured, in a manner similar to RFC 6303. The following will be
consistent with RFC 6303.

localhost. 0 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
localhost. 0 IN NS localhost.
localhost. 0 IN A 127.0.0.1
localhost. 0 IN AAAA ::1

One could also just do an "empty" zone.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
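The default localhost zone Mark sketches above, as an added example that is not part of the thread: a small Python lookup over exactly those four records, showing which queries a recursive server would answer from the built-in zone (apex A/AAAA; NXDOMAIN for names under localhost., since the zone has no wildcard; NODATA for a type the apex lacks) and which it leaves to normal resolution. The negative-caching TTL rule is taken from RFC 2308 section 3 and is my addition, not something the message states.

```python
from typing import Optional

# Zone data exactly as listed in the message: (owner, ttl, type, rdata).
LOCALHOST_ZONE = [
    ("localhost.", 0, "SOA", "localhost. nobody.invalid. 1 3600 1200 604800 10800"),
    ("localhost.", 0, "NS", "localhost."),
    ("localhost.", 0, "A", "127.0.0.1"),
    ("localhost.", 0, "AAAA", "::1"),
]


def _soa():
    return next(r for r in LOCALHOST_ZONE if r[2] == "SOA")


def negative_ttl() -> int:
    """RFC 2308 s3: a negative answer is cached for min(SOA TTL, SOA MINIMUM).
    With the TTL 0 used above that works out to 0 for this zone."""
    _, ttl, _, rdata = _soa()
    minimum = int(rdata.split()[-1])  # last SOA field is MINIMUM
    return min(ttl, minimum)


def lookup(qname: str, qtype: str) -> Optional[tuple]:
    """Answer a query from the built-in zone as an authoritative server would.

    Returns (rcode, answer_rrs, authority_rrs), or None when the name is
    outside localhost. and should go through ordinary resolution."""
    name = qname.rstrip(".").lower() + "."
    if name != "localhost." and not name.endswith(".localhost."):
        return None  # not our zone: nothing is short-circuited here
    owner, _, _, rdata = _soa()
    neg_soa = [(owner, negative_ttl(), "SOA", rdata)]
    if name != "localhost.":
        # The zone has no wildcard, so mysite.localhost does not exist in it.
        # The NXDOMAIN is produced locally; the query never leaves the host.
        return ("NXDOMAIN", [], neg_soa)
    answer = [r for r in LOCALHOST_ZONE if r[0] == name and r[2] == qtype.upper()]
    if answer:
        return ("NOERROR", answer, [])
    # Apex exists but has no record of that type (e.g. MX): NODATA reply.
    return ("NOERROR", [], neg_soa)


if __name__ == "__main__":
    for q in ("localhost", "mysite.localhost", "example.com"):
        print(q, lookup(q, "A"))
```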