Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Technology

ICANN Proposes Creating .INTERNAL Domain (theregister.com) 76

The Internet Corporation for Assigned Names and Numbers (ICANN) has proposed creating a new top-level domain (TLD) and never allowing it to be delegated in the global domain name system (DNS) root. From a report: The proposed TLD is .INTERNAL and, as the name implies, it's intended for internal use only. The idea is that .INTERNAL could take on the same role as the 192.168.x.x IPv4 bloc -- available for internal use but never plumbed into DNS or other infrastructure that would enable it to be accessed from the open internet.

ICANN's Security and Stability Advisory Committee (SSAC) advised the development of such a TLD in 2020. It noted at the time that "many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users" -- in part by forcing DNS servers to handle, and reject, queries for domains only used internally. DNS, however, can't prevent internal use of ad hoc TLDs. So the SSAC recommended creation of a TLD that would be explicitly reserved for internal use.

This discussion has been archived. No new comments can be posted.

ICANN Proposes Creating .INTERNAL Domain

Comments Filter:
  • by St.Creed ( 853824 ) on Tuesday January 30, 2024 @09:42AM (#64200386)

    A good idea, and not exactly controversial IMHO. Go do it :)

    • by Midnight Thunder ( 17205 ) on Tuesday January 30, 2024 @09:51AM (#64200430) Homepage Journal

      A good idea, and not exactly controversial IMHO. Go do it :)

      Yup and one of their better ideas, especially amongst the huge range of bullshit TLDs they’ve allowed to be created in the last few years.

    • Why can't was just use .local instead?

      A lot of Windows domains of a certain age are already using that TLD.

      • by Anonymous Coward

        Why can't was just use .local instead?
        A lot of Windows domains of a certain age are already using that TLD.

        For the same reason we can't use .internal

        ICANN informally stated .local will never be put in the root servers and is "reserved"
        Then they recalled that reservation and made it "special"
        Then it was issued to IANA for use by multicast name autodiscovery protocols (mdns)

        Now, because it isn't reserved and officially assigned, it IS in the root servers, although lacking any records.

        Instead of an "NXDOMAIN" response, a proper DNS server should return "NOERROR"

        The fact that Microsoft officially dictated it as safe

      • by Junta ( 36770 ) on Tuesday January 30, 2024 @11:20AM (#64200730)

        .local pretty much means (to the extent it can mean anything) a name to be resolved by local ad-hoc resolver, like mDNS. So it can't be used as an island of central DNS because it will step all over resolvers that steer .local over to an mDNS stack.

      • by Calydor ( 739835 )

        Because .internal suggests it's anywhere within a corporate network, while .local suggests it's your specific office building.

      • by AmiMoJo ( 196126 ) on Tuesday January 30, 2024 @12:36PM (#64200984) Homepage Journal

        You answered your own question. .local is already widely in use, and many of those installations won't meet the requirements for .internal. Better to pick something relatively unused, so that deployments can start from scratch and ensure they stick to whatever rules ICANN comes up with.

      • .local resolution happens on link-local level, meaning it doesn't cross router boundaries (unless explicitly configured), and happens over mdns, not over the network DNS server.
        rfc6762 -- https://www.rfc-editor.org/rfc... [rfc-editor.org]

        • That's the Apple Bonjour / Avahi protocol. Notice the date on that RFC, and then tell me the earliest use of .local for LAN-only DNS services. (Hint: Microsoft was using it long before Apple.)

          The correct solution was to never give Apple's Bonjour full authority over a TLD. I personally had to redo a few windows domains entirely because of the sudden passage of that RFC.
          • While yes, you're right, common usage should have been taken into account during the IANA allocation; tough luck... Someone (MS?) should have come forward to register it for that use case instead of cowboying it.

      • Because the international standards committees up and decided that only Apple's Bonjour (Avahi for Linux users) protocol was allowed to use it, despite over a decade of use by other networks and protocols. (Such as my old Windows Server textbook's recommendations.) With no replacement given.

        TL;DR: I'm not holding my breath. Those standards mean nothing if a big enough player wants to fuck with them.
    • by tlhIngan ( 30335 )

      The controversy is because there are already plenty of other TLDs in use, so it's kind of late in happening.

      After all, we have .local which is what is used by mDNS, and many other sites have .private or other things.

      To suddenly suggest .internal would be quite late, as well as potentially causing confusion with the .int TLD (.int for international bodies - like nato.int)

    • So's just using a subdomain of the network's parent domain...
  • by Junta ( 36770 ) on Tuesday January 30, 2024 @09:43AM (#64200394)

    This has been an issue for seems like an eternity.

    • It really hasn't.

      Views / split DNS have been a thing for a long time.

      Someone who wants internal-only DNS just sets up the Views / split. Not that hard, assuming you aren't stupid enough to use PowerDNS.

      host.internal.myco.com

      If you want INTERNAL records, then you by design don't want them to be publicly accessible, so you don't WANT or need a TLD so you can host them externally.

  • by L-One-L-One ( 173461 ) on Tuesday January 30, 2024 @09:47AM (#64200408)

    There's already a widely used domain for this purpose: home.arpa

    https://datatracker.ietf.org/d... [ietf.org]

    Why reinvent the wheel? Just because ".internal" is easier to remember?

    • There's already a widely used domain for this purpose: home.arpa

      https://datatracker.ietf.org/d... [ietf.org]

      Why reinvent the wheel? Just because ".internal" is easier to remember?

      The .internal TLD is certainly easier to remember and more meaningful in an English language context. I am not sure .arpa is meaningful to most people and thus harder to remember?

      • by DarkOx ( 621550 ) on Tuesday January 30, 2024 @10:05AM (#64200500) Journal

        because home.arpa is specifically designated for 'residential' networks.

        It might be appropriate to use it in some quasi commercial situations like an apartment complex or dormitory; but you should not be using it as an internal domain for an enterprise. .local has the same issue, even if it is widely misused, it is supposed to be for names associated with local-link addresses and some types of broadcast and multicast traffic. If you are hitting severs on a different subnet with a .local address - technically speaking your Network Admin is doing it wrong.

    • Maybe it's MS-only, but isn't every on-prem DC set up with a .local domain?

      • Maybe it's MS-only, but isn't every on-prem DC set up with a .local domain?

        This is what I think too. Why reinvent the wheel?

      • Many used .local before it was reserved, but now it's the TLD for mDNS, so any other use of it will collide with that.

        • While mDNS does use .local, mDNS is a protocol for intranet, and it secured the .local domain from being registered in public internet forever. I don't think it is strictly impossible for mDNS and local DNS to share the .local domain (and why would one need to run both in the same intranet anyway?)
        • localhost.localdomain used to be the default FQDN for several Linux distro installers....

    • by laughingskeptic ( 1004414 ) on Tuesday January 30, 2024 @10:17AM (#64200570)
      home.arpa is really meant to be "THE" domain"; .internal" is meant to be the root of possibly multiple domains on the inside of a network.

      This is so overdue. I had an employer whose idiot IT group just made up a 3 letter domain with the ".com" on it for internal use without grabbing the actual domain. Then some trio of dentists with those last initials started a practice and we learned we had been leaking our internal DNS queries for years. They could have used anything that wasn't a TLD at the time like "companyname.companyname" that would have been trademark protected, but they chose ".com" I never understood it. This is a realm where the lack of any sort of best practice led to a bunch of hair-brained worst practices. We shouldn't need this, but we do.
  • You can create your own arbitrarily-named internal domains and always have been able to do so.

    I just use my normal domain name. The internal addresses aren't published to my external dns. The external addresses are also reflected in my internal DNS records. This is not hard or even complicated.

    With that said, it's not going to hurt anything, so OK? But why bother?

    • Re:Not needed (Score:5, Insightful)

      by Cyrano de Maniac ( 60961 ) on Tuesday January 30, 2024 @10:15AM (#64200558)

      With that said, it's not going to hurt anything, so OK? But why bother?

      Just so that there's a TLD that's guaranteed to never be made available globally. Many other TLDs can be presumed to work in such a manner in practice, but it's good to have one that's actually guaranteed by rule to have that characteristic.

    • by Dwedit ( 232252 )

      The downside to using a real domain is the chance of a misconfigured system making everything public instead of keeping it internal.
      The downside to using an arbitrary domain is that someone could register the top-level domain, and then we're back to the possible misconfigured case again.

      • The downside to using a real domain is the chance of a misconfigured system making everything public instead of keeping it internal.

        I solve that by having totally separate servers which do not communicate. Nobody can access my internal DNS server, it's not routed externally, and I'm not expecting anything to propagate between them. It does mean I have to make some changes in two places, but no big deal there.

        • If you sever all your server's wired connections, disconnect power and pour them in to a 50 ton block of concrete they'll be even more secure. Useless, but secure.

    • by DarkOx ( 621550 )

      I agree, and I think this is the 'best practice' have an internal namespace that exists inside the scope of a public namespace you own. However you accomplish that.

      I think there is probably something to be said for have a separate sub scope for things that are not provided as public DNS responses. I like to do something like
      private.example.com., or corp.example.com., etc so there is some clarity of expectation around what should resolve in which context but otherwise yes this is the way. .internal does not

      • No. I don't want to have to pay rent for an internal domain name that will never be resolved publicly.

        Using DNS on an internal network should never be pay to play. Doing so anyway just sets a bad precedent: "Subscribe to yet another thing or we'll break your internal network." It's a protection racket and should be stopped.
        • by DarkOx ( 621550 )

          I am speaking the context of an organization; that probably has or will wish to have some public presence at some point, or simply has an interest in domain-squatting anyway so as to prevent others from being confused with them.

          Your attitude also fails to address the real challenges around certificates ( a racket sure but one we pretty well have to deal with ) and real risks if you have a larger number of users around name conflicts where they may unintentially send sensitive information to a different host

  • I assumed this already had the same function: https://en.wikipedia.org/wiki/... [wikipedia.org]
  • Many, many internal domains have .int or .internal or something similar as TLD. All they had to do was never give them out as their 'special' TLDs. The whole concept of 'special' TLD seems a bit overkill and moves the problem of assigning 'domains' from the registrar to ICANN as now everyone is trying to register .google, .microsoft and .mycompany.

    • .int is a valid public domain name, stand for international [wikipedia.org]. Organizations that succeed in acquiring that are rare but they exist.

      So no, please don't use .int as "internal domain". I still think .local is a better de-facto choice.

  • Stop creating new top-level domains, then we won't have to worry about it.

    • by Zak3056 ( 69287 )

      Stop creating new top-level domains, then we won't have to worry about it.

      Yes, but then how will we reap millions (billions?) in fees from companies that need to register name.everytld to prevent malicious third parties from registering them?

  • My company uses different DNS zones so on-site users can resolve internal hostnames, and off-site users either get a public-facing IP (because we use NAT internally) for some approved external facing resources, or it just doesn't resolve. I suspect we do create a lot of failed resolutions, even from our own users who forget to connect VPN for internal-only resources. I can sort of understand the rationale behind this, however, I also can't help but think of this is a bit of a money grab.
    • A so called two-faced (or split-brained) resolver. Nothing really uncommon. IIRC even had its own template zonefile and named.conf in in BIND9's offficial doc (and probably previous versioms), I think it even has it's own chapter in one of the official DNS-related RFCs.
      • Usually just 'split DNS' with zones.

        But, yeah, configure your devops to include/exclude addresses for machines, often different depending on who's asking.

        But apparently Windows NT locks you in to the initial setup name forever so if the name becomes valid or a domain expires you might be screwed.

  • As the quote from SSAC states "many enterprises and device vendors make ad hoc use of TLDs". This is just ICANN just asking nicely for vendors to clean up their act. With the proliferation of IoT and other network devices it makes sense that they be pre-configured to a known local/internal domain. Most people have no idea nor do they care what the hostname for their toaster is.
  • Would not put it past them if in a few years from now they changed their mind and decided to auction off the TLD to the highest bidder anyway.

  • Why not just designate the .local TLD for this purpose? Microsoft taught this in the MCSE courses way back in the 'beginning'.

    It's still stupid. If you want to use a private domain, learn how or have your DNS server configured to do so. This is pollution.

    Oh wait, yeah, some bad actor would try to register the .local TLD and both break this and create a huge security hole. Fixing something that requires further understanding of DSN than many organizations have or care to. If you wanna do something, you ought

    • by EvilSS ( 557649 )
      Because some genius at Apple* decided back in 2013 that .local should be used for multicast DNS: https://www.rfc-editor.org/rfc... [rfc-editor.org]

      So as far as ICANN is concerned, .local is already being used for something else.

      *check the RFC authors
      • Well, MCSE trainers were bandying about the ,.local TLD as a clever hack in 1993, and my best efforts to teach DNS to the instructor I was saddled with proved fruitless. He was not having it. Nearly every other student in the class however was coming out of the Novell world. like I was, and at the next user group meeting we not only refuted it, we proved it at lab. Didn't matter until one of my clients hired on another firm with multiple MCSEs, you know, for redundancy, and they went bonkers over my registe

  • I'm generally opposed to this idea.

    "Internal" stuff is only internal today. Tomorrow will be different. Set the expectation that you should buy a domain and use it, even for internal stuff. If it's for some IOT kit or a home wifi router/nat device, isn't that why .local exists?

    Over in Microsoft land we have a bunch of customers that did .corp or .internal domains and now they can't get certificates and they fight with UPN mismatches. Please no. This *feels* like it invites that again.

    • You cannot buy a domain, only rent it.

    • by EvilSS ( 557649 )
      Microsoft: "Use .local"

      Microsoft rolls out 365

      Microsoft: "WTF why are you using .local?! You have to have routable UPNs for your users, use split DNS with a routeable domain"

      Gee thanks MS. Can I bill you for all the Excedrin this has caused me to consume?
  • by The Cat ( 19816 )

    I can already create an "internal" domain name inside a non-routable network. Why would they need to be registered with the routable DNS system?

    I'm sorry. Do these people think we don't understand computers or something?

  • I thought that the .private TLD was reserved for this purpose long before the proliferation of TLDs. I can not find that right now.
    I know of at least one company that used .int for the internal domain name that is intended to be not reachable from the outside, even though .int was intended to be for international. So they registered and used mycompanyname.com externally, and use mycompanyname.int internally.

  • Doesn't this have significant overlap with RFC6762 After all that created `.local` for mDNS usage.
  • I believe this is a good idea. I'm having to work through a mess right now, split horizon dns. Microsoft actually has a good recommendation on this. Purchase your domain name e.g. corp.com. Then create a sub domain e.g. internal.corp.com . All internal records go into this internal sub domain. I have seen so many messes created in dns using split horizon.
    • by Chalex ( 71702 )

      Microsoft telling everyone to use .local is partly what made this mess to begin with.

      • by tatroc ( 6301818 )
        https://learn.microsoft.com/en... [microsoft.com] It seems they have updated their documents regarding this. Bullet points from link. -If the organization has an internet presence, use names that are relative to the registered internet DNS domain name. For example, if you've registered the internet DNS domain name contoso.com, use a DNS domain name such as corp.contoso.com for the intranet domain name. -Avoid a generic name such as domain.localhost. This is because another company that you merge with in the future might
  • I'm not sure I see the demand, frankly. While, yes, it's a sensible extension, I can also see it being widely abused.

    We've already got the ability to use existing TLDs in a local-only or internal-only context. Many organizations will use some variation of a local/internal/lan/officename.domain.tld prefix with a public wildcard certificate for this purpose. Then, people can reach internal resources from anywhere (with or without the use of secondary DNS and/or VPN) without additional hoops to jump through -

  • the word "INTERNAL" is longer than some IPv4 addresses. I'm not sure tacking that onto the end of everything is any easier.
    The alternative has been to make everything internal under *.corp.mycompany.com. Which is even longer of course, but easy to set up.

  • Are the semantics of .internal different from those of .test as described in RFC 6761 [ietf.org]?

  • I claim penis.INTERNAL as a porn site!

  • I can't wait to see how .internal SSL certificate policy will work.
  • Would have been nicer if it was a little shorter...

Genius is ten percent inspiration and fifty percent capital gains.

Working...