localhost name lookup
Emmanuel Fusté
manu.fuste at gmail.com
Wed Jan 15 10:41:36 UTC 2025
On 15/01/2025 at 05:59, Nick Tait via bind-users wrote:
> On 15/01/2025 10:47, Emmanuel Fusté wrote:
>>> If so, does the ISC ship a db.local with a wildcard - eg.
>>> --- cut here ---
>>> @ IN NS localhost.
>>> @ IN A 127.0.0.1
>>> @ IN AAAA ::1
>>>
>>> * IN A 127.0.0.1
>>>   IN AAAA ::1
>>> --- cut here ---
>>>
>>> to answer for any .localhost name?
>> Don't please. See RFC6761
>
> From RFC 6761:
>
> 6.3. Domain Name Reservation Considerations for "localhost."
>
> The domain "localhost." *and any names falling within ".localhost."*
> are special in the following ways:
> ...
> 4. Caching DNS servers SHOULD recognize localhost names as special
>    and SHOULD NOT attempt to look up NS records for them, or
>    otherwise query authoritative DNS servers in an attempt to
>    resolve localhost names. Instead, caching DNS servers SHOULD,
>    for all such address queries, generate an immediate positive
>    response giving the IP loopback address, and for all other query
>    types, generate an immediate negative response. This is to avoid
>    unnecessary load on the root name servers and other name servers.
>
> 5. Authoritative DNS servers SHOULD recognize localhost names as
>    special and handle them as described above for caching DNS
>    servers.
>
> To me this seems like a pretty clear endorsement for inclusion of the
> wildcard entry "*.localhost." in db.local?
>
> Nick.
>
I think we should avoid opening Pandora's box with *.localhost.
The "avoid unnecessary load on the root name servers and other name
servers" goal is already reached without it.
Any names under .localhost are nonsense even if not prohibited/allowed
by the RFC.
It fixes/deserves nothing. In an ideal world, localhost would be in the
bind default empty-zone list, and the localhost hierarchy handled at the
upper layer by the resolver libs/APIs, not the servers.
And as a personal, biased opinion: DNS wildcards are evil and should not
have existed in the first place. So I prefer to avoid them anyway.
But you could disagree.
Regards,
Emmanuel.
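
Added example, not part of the thread and not BIND code: the RFC 6761 section 6.3 item 4 behaviour quoted above, sketched as a check done at the resolver-library layer instead of with a zone-file wildcard. The function names, the return tuples and the sample queries are assumptions made for this illustration.

```python
# Loopback answers for the two address query types named in the thread.
LOOPBACK = {"A": "127.0.0.1", "AAAA": "::1"}


def is_localhost_name(qname):
    """True for "localhost." and for any name under ".localhost."."""
    # Drop one trailing root dot, then compare whole labels case-insensitively.
    # A plain string suffix test would wrongly accept "notlocalhost" and
    # would reject "LOCALHOST.".
    if qname.endswith("."):
        qname = qname[:-1]
    labels = qname.lower().split(".")
    return labels[-1] == "localhost"


def answer(qname, qtype):
    """Classify a query as ("positive", addr), ("negative", None)
    or ("forward", None) for names that are not special."""
    if not is_localhost_name(qname):
        return ("forward", None)   # ordinary name: normal resolution applies
    addr = LOOPBACK.get(qtype.upper())
    if addr is not None:
        return ("positive", addr)  # address query: immediate loopback answer
    return ("negative", None)      # any other type: immediate negative answer


# Constructed sample queries, not taken from any real log.
SAMPLE_QUERIES = [
    ("localhost.", "A"),
    ("app.dev.LocalHost", "aaaa"),
    ("localhost.", "NS"),
    ("notlocalhost.", "A"),
    ("localhost.example.com.", "A"),
]

if __name__ == "__main__":
    for name, rtype in SAMPLE_QUERIES:
        print(name, rtype, answer(name, rtype))
```

Because the match is on the final label only, `localhost.example.com.` is treated as an ordinary name and forwarded, which is the distinction a wildcard under some other zone would not make.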