For example, go to the OpenID demo page:
And try to validate some of these:
http://localhost-fortest.danga.com/ (resolves to localhost)
http://kumquat.s8n.me.uk/ (resolves to 192.168.2.1)
The paranoid useragent will slap 'em all down. Including if people did a valid webserver which redirected to a hostname which resolved to a CNAME which resolved to an internal address... with every step of the CNAMEs and addresses being checked.
I wonder what PHP's default "filename can be a URL" does about this problem. But PHP cares so much about security, I guess. :-)