Subject: re: localhost security hole
To: matthew green <>
From: Todd Vierling <>
List: tech-security
Date: 06/29/2003 00:59:24
On Sun, 29 Jun 2003, matthew green wrote:

:    : that doesn't matter.  that will only be looked for if "localhost" by
:    : itself is not found.
:    ...and even that case can be cared for by using "root@localhost." (note
:    trailing dot, which tells the resolver that search domains must not be
:    used).
: except that the address "root@localhost." is invalid.

s/is invalid/may require adding "localhost." to the local-host-names list/

I haven't functionally tried this yet.  It's supposed to be valid per RFC
address resolution rules, if assuming (as this thread does) that the *fully
qualified* domain name "localhost" resolves to

-- Todd Vierling <>