localhost entries in zones, was Re: Domain Not Resolving

Reindl Harald h.reindl at thelounge.net
Tue Nov 21 15:53:50 UTC 2017

On 21.11.2017 at 15:27, Tony Finch wrote:
> Reindl Harald <h.reindl at thelounge.net> wrote:
>> On 21.11.2017 at 14:42, G.W. Haywood via bind-users wrote:
>>> The address for localhost ( should be in /etc/hosts,
>>> not in your zone file, and very probably it already is
>> that part is not true
>> https://tools.ietf.org/html/rfc1537 says:
>> Note that all domains that contain hosts should have a "localhost" A record in
>> them
> That advice is no longer a good idea. "localhost" in the DNS can lead to
> problems with the web browser same-origin security policy.
> http://seclists.org/bugtraq/2008/Jan/270

interesting - but however "administrators often mistakenly drop the 
trailing dot" is nonsense because "Note that all domains that contain 
hosts should have a localhost A record" says exactly that

from that webpage:

It's a common and sensible practice to install records of the form
"localhost. IN A" into nameserver configurations, bizarrely
however, administrators often mistakenly drop the trailing dot,
introducing an interesting variation of Cross-Site Scripting (XSS) I
call Same-Site Scripting
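
The trailing-dot behaviour discussed in this thread, as an added example that is not part of the original message or of BIND: a small Python check that expands owner names the way zone-file parsing does and lists A/AAAA records under the zone that point at loopback. The zone `example.com.`, the sample records and the function names are constructed for illustration; multi-line (parenthesised) records are assumed not to carry A/AAAA data.

```python
import ipaddress

# Constructed sample zone; example.com and all addresses are placeholders.
SAMPLE_ZONE = """\
$TTL 3600
@          IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
ns1        IN A   192.0.2.53
localhost  IN A   127.0.0.1   ; relative owner: no trailing dot
localhost. IN A   127.0.0.1   ; absolute owner
lo6   1h   IN AAAA ::1
"""

def absolute(name, origin):
    """Expand an owner name the way zone-file parsing does."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def loopback_names(zone_text, zone):
    """Return (fqdn, address) for A/AAAA records under `zone` that point at loopback."""
    origin = owner = zone = zone.lower()
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = absolute(fields[1], origin)
            continue
        if not raw[0].isspace():  # leading blank means "same owner as previous record"
            owner = absolute(fields[0], origin)
            fields = fields[1:]
        # Skip optional TTL (starts with a digit) and class to reach the type.
        while fields and (fields[0][0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        if addr.is_loopback and (owner == zone or owner.endswith("." + zone)):
            findings.append((owner, str(addr)))
    return findings

if __name__ == "__main__":
    for fqdn, addr in loopback_names(SAMPLE_ZONE, "example.com."):
        print(f"{fqdn} -> {addr}")
```

On the constructed sample, the owner written without a trailing dot is reported as `localhost.example.com.`, while the absolute `localhost.` owner falls outside the zone and is not listed.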
