Re: [DNSOP] Status of "let localhost be localhost"?

"John Levine" <> Sat, 05 August 2017 21:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2C930131F1A for <>; Sat, 5 Aug 2017 14:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id odxCeG2U4-sR for <>; Sat, 5 Aug 2017 14:01:41 -0700 (PDT)
Received: from ( [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 06B38131F21 for <>; Sat, 5 Aug 2017 14:01:40 -0700 (PDT)
Received: (qmail 53395 invoked from network); 5 Aug 2017 21:01:39 -0000
Received: from unknown ( by with QMQP; 5 Aug 2017 21:01:39 -0000
Date: Sat, 05 Aug 2017 21:01:17 -0000
Message-ID: <20170805210117.1123.qmail@ary.lan>
From: John Levine <>
In-Reply-To: <>
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Status of "let localhost be localhost"?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 05 Aug 2017 21:01:43 -0000

In article <> you write:
>In the case where 'localhost' is being passed to DNS resolution software, a
>validating stub (for example inside a web browser) needs a way to know that
>the 'localhost' TLD should be treated as insecure.  In that case, the only
>way to accomplish that is ...

 ... by having the stub or cache treat localhost as a special case.

I use unbound as my cache which as far as I know has always done that.
Are there caches that don't?  Are there validating stubs that don't?

My reading of this draft is that if you don't treat localhost as a
special case already, it's time to get with the program.  


> with an insecure delegation at the root.