Bind 9 and IBM AIX 4.3.3 IP V6 reverse loopback resolution

Mark_Andrews at isc.org Mark_Andrews at isc.org
Sat Jan 11 04:15:57 UTC 2003


> in comp.protocols.dns.bind i read:
> 
> >> localhost *is* the name of that machine.  one might argue that it is merely
> >> one of its names and not as specific as (one of) the other(s), but it is
> >> its name.
> >
> >	"localhost." does not (officially) exist in the global DNS.
> >	"localhost." MAY exist on *your* machine but when giving
> >	advice it is much better not to make the assumption that
> >	it exists.  I don't have a "localhost." zone, I use localhost
> >	entries in the zones listed in the search list to allow
> >	"localhost" to resolve.
> 
> so, `localhost.' is a ubiquitous name that is used on every machine with
> any ip ability, and for which we make other accommodations in dns software,
> including a ptr to `localhost.' in virtually every example of a minimally
> complete configuration, yet this name shouldn't actually be used -- have i
> that right?

	Yes.  It shouldn't be used for a nameserver name.  It's
	ambiguous.  It shouldn't be used for the same reason that
	you shouldn't publish RFC 1918 addresses in the public
	internet.

>  so both or files must change, yes?  after all having a ptr to
> localhost. inspires (and invokes!) queries for that name.  (if it doesn't
> on your systems then you've managed to avoid having a `paranoid' peer
> address checking mode enabled in all your resolvers and/or clients.)

	'paranoid' peer address checking mode uses the results of
	gethostbyaddr() (or equivalent).  gethostbyname returns
	"localhost" (not "localhost.").  gethostbyname("localhost")
	invokes the search list.

	This following is enough to satisfy every 'paranoid' peer
	address checking implementation I've seen.

	resolv.conf:
	nameserver a.b.c.d
	search dv.isc.org

	1.0.0.127.in-addr.arpa. IN PTR localhost.
	localhost.dv.isc.org. IN A 127.0.0.1

	It is also faster than walking the search list then trying the
	name as is which then results in a query for "localhost.".

> >	Queries for "localhost." form a significant part of the root
> >	servers load.
> 
> not from any of my servers, ever.  i asked why there was no localhost zone
> way back when, no answer was forthcoming then, but that didn't stop me from
> doing what was obviously necessary.

	I didn't say from your servers.  I'm more worried about people
	not doing everything right which results in the root servers
	being pummelled with bogus queries.  Using nameservers other than
	"localhost." reduces the impact of these mis-configurations.

	If you use "localhost." then you MUST have a "localhost." zone.
	You may get this right but a very large percentage of people
	won't get this right.

	This is damage minimisation.

	Mark
> 
> -- 
> bringing you boring signatures for 17 years
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
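The following is an added example, not part of the original post and not ISC code: a small simulated stub resolver that walks a resolv.conf search list and drives the reverse-then-forward "paranoid" peer address check the reply describes. The zone data is constructed (it mirrors the two records in the post, plus a hypothetical mail.dv.isc.org host at 192.0.2.10 and its PTR), ndots is assumed to be 1, and any query for a name that no local zone covers is recorded as having escaped to the public DNS. The three configurations compared are the one from the post (localhost.dv.isc.org A record, no localhost. zone), a localhost. zone without the search-list entry, and the broken case of a PTR to localhost. with neither.

```python
"""Simulated stub resolver with a resolv.conf search list, driving a
'paranoid' reverse-then-forward peer address check.  All zone data is
constructed for this example; nothing is sent on the network."""

from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]        # (owner name with trailing dot, RR type)
Zone = Dict[Record, List[str]]  # RRset data for one locally served zone


def reverse_name(ip: str) -> str:
    """127.0.0.1 -> 1.0.0.127.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


class Resolver:
    """`zones` are the zones the local nameserver serves; a query for a name
    outside all of them 'escapes' to the public DNS, i.e. the root servers."""

    def __init__(self, zones: Dict[str, Zone], search: List[str], ndots: int = 1):
        self.zones = zones
        self.search = search
        self.ndots = ndots
        self.queries: List[Record] = []  # every query sent, in order
        self.escaped: List[Record] = []  # queries no local zone could answer

    def _local_zone(self, name: str) -> Optional[str]:
        # Longest local apex that the queried name sits at or under.
        matches = [a for a in self.zones if name == a or name.endswith("." + a)]
        return max(matches, key=len) if matches else None

    def query(self, name: str, rtype: str) -> List[str]:
        self.queries.append((name, rtype))
        apex = self._local_zone(name)
        if apex is None:
            self.escaped.append((name, rtype))  # would be sent towards the roots
            return []
        return self.zones[apex].get((name, rtype), [])  # [] == local NXDOMAIN

    def gethostbyaddr(self, ip: str) -> Optional[str]:
        names = self.query(reverse_name(ip), "PTR")
        return names[0].rstrip(".") if names else None  # libc drops the trailing dot

    def gethostbyname(self, host: str) -> List[str]:
        # Search-list semantics: a relative name with fewer than ndots dots tries
        # the search list first, then the name as given (which sends "localhost.").
        if host.endswith("."):
            candidates = [host]  # absolute name: exactly one query
        elif host.count(".") < self.ndots:
            candidates = [f"{host}.{d}." for d in self.search] + [host + "."]
        else:
            candidates = [host + "."] + [f"{host}.{d}." for d in self.search]
        for cand in candidates:
            addrs = self.query(cand, "A")
            if addrs:
                return addrs
        return []


def paranoid_peer_check(resolver: Resolver, ip: str) -> bool:
    """Reverse lookup, then forward lookup of the result; the peer passes only
    if its address is among the forward answers."""
    host = resolver.gethostbyaddr(ip)
    return host is not None and ip in resolver.gethostbyname(host)


def make_zones(forward_entry: bool, localhost_zone: bool) -> Dict[str, Zone]:
    """Constructed zone data.  forward_entry adds the localhost.dv.isc.org A
    record from the post; localhost_zone adds a separate localhost. zone."""
    zones: Dict[str, Zone] = {
        "0.0.127.in-addr.arpa.": {("1.0.0.127.in-addr.arpa.", "PTR"): ["localhost."]},
        "2.0.192.in-addr.arpa.": {("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.dv.isc.org."]},
        "dv.isc.org.": {("mail.dv.isc.org.", "A"): ["192.0.2.10"]},
    }
    if forward_entry:
        zones["dv.isc.org."][("localhost.dv.isc.org.", "A")] = ["127.0.0.1"]
    if localhost_zone:
        zones["localhost."] = {("localhost.", "A"): ["127.0.0.1"]}
    return zones


def run(forward_entry: bool, localhost_zone: bool, ip: str = "127.0.0.1"):
    """Return (check passed, number of queries sent, queries that escaped)."""
    r = Resolver(make_zones(forward_entry, localhost_zone), search=["dv.isc.org"])
    ok = paranoid_peer_check(r, ip)
    return ok, len(r.queries), r.escaped


if __name__ == "__main__":
    for cfg in [(True, False), (False, True), (False, False)]:
        print(cfg, run(*cfg))
```

With the post's configuration the check passes after two queries and nothing leaves the local zones; a localhost. zone alone also passes but costs a third query, because the search list is walked first; a PTR to localhost. with neither record fails the check and sends the "localhost." query out towards the root servers, which is the load the reply is worried about.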

