Currently bind supports automatic empty zones (only) for reverse address zones in private IPv4 and reserved IPv6 spaces. It doesn't do other special-use zone handling specified in several RFCs.

http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

The other "special-use" zones (as of today) are:

    example.
    example.com.
    example.net.
    example.org.
    invalid.
    local.
    localhost.
    onion.
    test.

It seems to me that most of the missing special handling can be implemented by adding automatic empty zones. While the query volumes are probably nothing like the RFC1918 in-addr.arpa mess, RFC 6761 encourages similar special handling for most of these zones. Full .localhost compliance would require some special case code.

Quick analysis:

6761 6.5: indicates that the *example* names should be resolved normally -- IANA does provide stub web pages (but not stubs for other well-known services such as ftp or smtp). No change for them.

6761 6.2: .test is similar to 1918 zones; should return NXDOMAIN unless locally configured. Auto-empty would do this.

6761 6.4.4, .5, .6: .invalid should unconditionally return NXDOMAIN; one isn't supposed to be able to locally configure. Auto-empty would return NXDOMAIN, but would allow local configuration. Quick NXDOMAIN is an improvement. I don't think it's worth a special case to prohibit local config. NB: Resolvers are allowed to filter .invalid names, so illegal use of the domain is already unpredictable.

6762 22.4, .5: .local is used by mDNS; named should not get queries from compliant resolvers. NXDOMAIN should be generated for .local, as a resolver that is unaware of mDNS might query named. .5 says that an authoritative server MAY respond "for testing or other specialized uses." So an automatic .local zone in named would meet the requirements.

6761 6.3.4, .5, .6: .localhost is supposed to return a loopback address for A/AAAA queries (127.0.0.1/::1), and a negative response for all other query types. That's not done by named today. Some people create zone files for localhost (which also answer - at least - SOA and NS). It is not allowed to modify .localhost by local configuration. Some violate the RFC, e.g. for VPN or RDP with foo.localhost mapping to 127.0.0.. Some resolvers rely on hosts.txt to intercept localhost before it gets to named. An automatic empty zone wouldn't make things worse, but would get a quicker NXDOMAIN. With no localhost zone configured, the root servers return NXDOMAIN. However, adding the localhost special case logic to return loopback addresses would be a good idea. Rather than code, this could be an automatic "non-empty" zone. This would make it easy to add corresponding PTR entries for localhost in the auto zones for 127.in-addr.arpa and 1.0...0.ip6.arpa. The PTRs aren't specified in an RFC, but would be consistent with resolver behaviors.

7686 2.4, .5: .onion "MUST" return NXDOMAIN (since named doesn't support TOR); automatic empty zone would do that.

Since new "special use" names pop up once in a while, perhaps an 'enable empty-zone "arbitrary-zone-name"' directive would be useful. This would allow rapid reaction by operators when they show up, and might be useful in local circumstances. (e.g. example. -- note that automatic zones are identified in the stats channel, and management software can treat them differently.)

-- 
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
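As an added illustration (not part of the message above, and not BIND's own built-in configuration), this is how an operator could approximate the proposed handling today with explicit zones: a shared SOA+NS-only file for the NXDOMAIN cases, a "non-empty" localhost zone returning loopback addresses, and a matching PTR in 127.in-addr.arpa. The file paths and the wildcard under .localhost are assumptions; the ip6.arpa loopback zone is handled the same way as the 127 zone and is omitted for brevity.

```conf
// ---- /etc/named.conf fragment (assumed path; added example, not BIND's config) ----
// RFC 6761/6762/7686 names that should yield NXDOMAIN unless locally configured.
// One shared "empty" file with only SOA and NS: every name below the apex is
// NXDOMAIN, mirroring what BIND's RFC 1918 automatic empty zones return.
// Note: as the message says, a manual zone still permits local override of .invalid.
zone "test"    { type master; file "/etc/named/db.empty"; };
zone "invalid" { type master; file "/etc/named/db.empty"; };
zone "local"   { type master; file "/etc/named/db.empty"; };
zone "onion"   { type master; file "/etc/named/db.empty"; };

// RFC 6761 6.3: .localhost answers A/AAAA with loopback; other types get a
// negative (NODATA) answer because no such RRs exist at the name.
zone "localhost" { type master; file "/etc/named/db.localhost"; };

// Reverse mapping for 127.0.0.1; this replaces BIND's automatic empty zone
// for 127.in-addr.arpa, so the PTR must be supplied explicitly here.
zone "127.in-addr.arpa" { type master; file "/etc/named/db.127"; };

; ---- /etc/named/db.empty (zone-file syntax; assumed path) ----
; Same shape as BIND's built-in empty zones: SOA plus an NS naming the apex.
$TTL 86400
@   SOA   @ . ( 0 28800 7200 604800 86400 )
@   NS    @

; ---- /etc/named/db.localhost (assumed path) ----
$TTL 86400
@   SOA   @ . ( 1 28800 7200 604800 86400 )
@   NS    @
@   A     127.0.0.1
@   AAAA  ::1
; Assumption: RFC 6761 6.3 treats any name under .localhost as a localhost
; name, so a wildcard gives foo.localhost the same loopback answers.
*   A     127.0.0.1
*   AAAA  ::1

; ---- /etc/named/db.127 (assumed path) ----
$TTL 86400
@       SOA   localhost. . ( 1 28800 7200 604800 86400 )
@       NS    localhost.
1.0.0   PTR   localhost.      ; 1.0.0.127.in-addr.arpa -> localhost.
```

Validate each file with named-checkzone (e.g. `named-checkzone localhost /etc/named/db.localhost`) before reloading; the apex NS records in db.empty intentionally have no address records, which named reports as a warning, not an error.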