ICANN Proposes Creating .INTERNAL Domain (theregister.com)
The Internet Corporation for Assigned Names and Numbers (ICANN) has proposed creating a new top-level domain (TLD) and never allowing it to be delegated in the global domain name system (DNS) root. From a report: The proposed TLD is .INTERNAL and, as the name implies, it's intended for internal use only. The idea is that .INTERNAL could take on the same role as the 192.168.x.x IPv4 block -- available for internal use but never plumbed into DNS or other infrastructure that would enable it to be accessed from the open internet.
ICANN's Security and Stability Advisory Committee (SSAC) advised the development of such a TLD in 2020. It noted at the time that "many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users" -- in part by forcing DNS servers to handle, and reject, queries for domains only used internally. DNS, however, can't prevent internal use of ad hoc TLDs. So the SSAC recommended creation of a TLD that would be explicitly reserved for internal use.
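The SSAC complaint above is about resolver behaviour: a name whose TLD is not delegated in the root is still forwarded upstream unless the resolver has a rule saying otherwise, so every lookup for an ad hoc private TLD ends as junk traffic at the root servers. The following is an added example (not ICANN/SSAC text and not from any poster) that models that decision. It encodes a subset of the IETF special-use names (RFC 6761, 6762, 7686, 8375) and, as an assumption, treats .internal as if the proposal had been adopted; the sample log names are constructed.

```python
"""Resolver-side policy for special-use and ad hoc private TLDs.

Added example. A forwarding resolver should answer special-use names locally
(never send them upstream) and forward everything else. A 'forward' for a
name whose TLD is not in the public root is the leak the SSAC complains about.
"""

# Subset of IETF special-use domain names. ".internal" is included on the
# ASSUMPTION that ICANN's proposal is adopted; it is not special-use today.
SPECIAL_USE = {
    "localhost": "RFC 6761: loopback, resolve locally",
    "invalid": "RFC 6761: always NXDOMAIN",
    "test": "RFC 6761: testing, resolve locally or NXDOMAIN",
    "example": "RFC 6761: documentation",
    "local": "RFC 6762: mDNS, link-local multicast resolution",
    "onion": "RFC 7686: Tor, never sent to DNS",
    "home.arpa": "RFC 8375: residential home networks",
    "internal": "ICANN proposal (assumed adopted): private use, never delegated",
}


def normalize(name):
    """Lower-case and strip the trailing dot so 'Foo.LOCAL.' == 'foo.local'."""
    return name.rstrip(".").lower()


def special_use_match(name):
    """Return the longest special-use suffix covering `name`, or None."""
    labels = normalize(name).split(".")
    # Walk suffixes from longest to shortest so 'home.arpa' wins over 'arpa'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SPECIAL_USE:
            return suffix
    return None


def resolver_decision(name):
    """Decide whether a resolver answers `name` locally or forwards it.

    Returns {'action': 'local'|'forward', 'matched': suffix-or-None, 'reason': str}.
    """
    suffix = special_use_match(name)
    if suffix is not None:
        return {"action": "local", "matched": suffix, "reason": SPECIAL_USE[suffix]}
    return {"action": "forward", "matched": None,
            "reason": "no special-use rule; query goes to upstream/root"}


def audit(names):
    """Return the names from `names` that would be forwarded upstream."""
    return [n for n in names if resolver_decision(n)["action"] == "forward"]


if __name__ == "__main__":
    # Constructed sample of names as they might appear in an enterprise resolver log.
    sample = [
        "dc01.corp.local.",      # mDNS special-use; must not be forwarded
        "printer.home.arpa",     # reserved for home networks
        "fileserver.internal",   # reserved only if the ICANN proposal passes
        "intranet.lan",          # ad hoc TLD: leaks to the root
        "git.corp",              # ad hoc TLD: leaks to the root
        "www.iana.org",          # ordinary public name; forwarding is correct
    ]
    for n in sample:
        d = resolver_decision(n)
        print(f"{n:24} {d['action']:8} {d['reason']}")
    print("would leak upstream:", audit(sample))
```

Running `audit()` over a real resolver log is the quick way to find the ad hoc TLDs an organisation has accumulated before deciding whether to move them under a reserved name.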
Sounds like a good idea (Score:3)
A good idea, and not exactly controversial IMHO. Go do it :)
Re:Sounds like a good idea (Score:5, Insightful)
A good idea, and not exactly controversial IMHO. Go do it :)
Yup and one of their better ideas, especially amongst the huge range of bullshit TLDs they’ve allowed to be created in the last few years.
Re: (Score:3)
Why can't we just use .local instead?
A lot of Windows domains of a certain age are already using that TLD.
Re: (Score:1)
Why can't we just use .local instead?
A lot of Windows domains of a certain age are already using that TLD.
For the same reason we can't use .internal
ICANN informally stated .local will never be put in the root servers and is "reserved"
Then they recalled that reservation and made it "special"
Then it was issued to IANA for use by multicast name autodiscovery protocols (mdns)
Now, because it isn't reserved and officially assigned, it IS in the root servers, although lacking any records.
Instead of an "NXDOMAIN" response, a proper DNS server should return "NOERROR"
The fact that Microsoft officially dictated it as safe
Re:Sounds like a good idea (Score:4, Informative)
.local pretty much means (to the extent it can mean anything) a name to be resolved by local ad-hoc resolver, like mDNS. So it can't be used as an island of central DNS because it will step all over resolvers that steer .local over to an mDNS stack.
Re: (Score:2)
Because .internal suggests it's anywhere within a corporate network, while .local suggests it's your specific office building.
Re:Sounds like a good idea (Score:4, Informative)
You answered your own question. .local is already widely in use, and many of those installations won't meet the requirements for .internal. Better to pick something relatively unused, so that deployments can start from scratch and ensure they stick to whatever rules ICANN comes up with.
Re: (Score:2)
.local resolution happens on link-local level, meaning it doesn't cross router boundaries (unless explicitly configured), and happens over mdns, not over the network DNS server.
rfc6762 -- https://www.rfc-editor.org/rfc... [rfc-editor.org]
Re: (Score:2)
The correct solution was to never give Apple's Bonjour full authority over a TLD. I personally had to redo a few windows domains entirely because of the sudden passage of that RFC.
Re: (Score:2)
While yes, you're right, common usage should have been taken into account during the IANA allocation; tough luck... Someone (MS?) should have come forward to register it for that use case instead of cowboying it.
Re: (Score:2)
TL;DR: I'm not holding my breath. Those standards mean nothing if a big enough player wants to fuck with them.
Re: (Score:3)
The controversy is because there are already plenty of other TLDs in use, so it's kind of late in happening.
After all, we have .local which is what is used by mDNS, and many other sites have .private or other things.
To suddenly suggest .internal would be quite late, as well as potentially causing confusion with the .int TLD (.int for international bodies - like nato.int)
Long long long overdue... (Score:3)
This has been an issue for seems like an eternity.
Re: (Score:2)
It really hasn't.
Views / split DNS have been a thing for a long time.
Someone who wants internal-only DNS just sets up the Views / split. Not that hard, assuming you aren't stupid enough to use PowerDNS.
host.internal.myco.com
If you want INTERNAL records, then you by design don't want them to be publicly accessible, so you don't WANT or need a TLD so you can host them externally.
There's already home.arpa for this purpose. (Score:3)
There's already a widely used domain for this purpose: home.arpa
https://datatracker.ietf.org/d... [ietf.org]
Why reinvent the wheel? Just because ".internal" is easier to remember?
Re: (Score:2)
There's already a widely used domain for this purpose: home.arpa
https://datatracker.ietf.org/d... [ietf.org]
Why reinvent the wheel? Just because ".internal" is easier to remember?
The .internal TLD is certainly easier to remember and more meaningful in an English language context. I am not sure .arpa is meaningful to most people and thus harder to remember?
Re:There's already home.arpa for this purpose. (Score:5, Interesting)
Because home.arpa is specifically designated for 'residential' networks.
It might be appropriate to use it in some quasi-commercial situations like an apartment complex or dormitory, but you should not be using it as an internal domain for an enterprise. .local has the same issue; even if it is widely misused, it is supposed to be for names associated with link-local addresses and some types of broadcast and multicast traffic. If you are hitting servers on a different subnet with a .local address, technically speaking your Network Admin is doing it wrong.
Re: (Score:3)
Maybe it's MS-only, but isn't every on-prem DC set up with a .local domain?
Re: (Score:2)
Maybe it's MS-only, but isn't every on-prem DC set up with a .local domain?
This is what I think too. Why reinvent the wheel?
Re: (Score:3)
Many used .local before it was reserved, but now it's the TLD for mDNS, so any other use of it will collide with that.
localhost.localdomain used to be the default FQDN for several Linux distro installers....
Re:There's already home.arpa for this purpose. (Score:4, Informative)
This is so overdue. I had an employer whose idiot IT group just made up a 3-letter domain with ".com" on it for internal use without grabbing the actual domain. Then some trio of dentists with those last initials started a practice and we learned we had been leaking our internal DNS queries for years. They could have used anything that wasn't a TLD at the time, like "companyname.companyname", which would have been trademark protected, but they chose ".com". I never understood it. This is a realm where the lack of any sort of best practice led to a bunch of hare-brained worst practices. We shouldn't need this, but we do.
Not needed (Score:2)
You can create your own arbitrarily-named internal domains and always have been able to do so.
I just use my normal domain name. The internal addresses aren't published to my external dns. The external addresses are also reflected in my internal DNS records. This is not hard or even complicated.
With that said, it's not going to hurt anything, so OK? But why bother?
Re:Not needed (Score:5, Insightful)
With that said, it's not going to hurt anything, so OK? But why bother?
Just so that there's a TLD that's guaranteed to never be made available globally. Many other TLDs can be presumed to work in such a manner in practice, but it's good to have one that's actually guaranteed by rule to have that characteristic.
Re: (Score:2)
The downside to using a real domain is the chance of a misconfigured system making everything public instead of keeping it internal.
The downside to using an arbitrary domain is that someone could register the top-level domain, and then we're back to the possible misconfigured case again.
Re: (Score:2)
The downside to using a real domain is the chance of a misconfigured system making everything public instead of keeping it internal.
I solve that by having totally separate servers which do not communicate. Nobody can access my internal DNS server, it's not routed externally, and I'm not expecting anything to propagate between them. It does mean I have to make some changes in two places, but no big deal there.
Re: (Score:2)
If you sever all your server's wired connections, disconnect power and pour them in to a 50 ton block of concrete they'll be even more secure. Useless, but secure.
Re: (Score:2)
I agree, and I think this is the 'best practice': have an internal namespace that exists inside the scope of a public namespace you own, however you accomplish that.
I think there is probably something to be said for having a separate sub scope for things that are not provided as public DNS responses. I like to do something like .internal does not
private.example.com., or corp.example.com., etc., so there is some clarity of expectation around what should resolve in which context, but otherwise yes, this is the way.
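The "views / split DNS" reply earlier in the thread and the corp.example.com / private.example.com sub-scope suggestion above describe the same mechanism, and the misconfiguration risk raised in between ("a misconfigured system making everything public") is the failure mode. The following added example (not code from any poster) models both in Python: a flat server that serves one record set to everyone, and a views server that picks the record set from the client's source address. The zone names, addresses and networks are constructed; corp.example.com as the internal sub-zone is an assumption.

```python
"""Split-horizon ('views') resolution for an internal sub-zone of a public domain.

Added example. Compares a single flat zone (leaks private RRs to anyone who
asks) with a views-based server that answers from a different record set
depending on the client's source address.
"""
import ipaddress

# Constructed records. Internal-only names carry RFC 1918 addresses.
PUBLIC_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
}
INTERNAL_ZONE = {
    **PUBLIC_ZONE,                               # external records are mirrored internally
    "www.corp.example.com": "10.0.0.10",
    "hr-db.corp.example.com": "10.0.5.20",
}

# Source networks that are allowed to see the internal view (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def flat_server(qname, client_ip):
    """Misconfigured: one record set served to everyone, private RRs included.

    Returns the A record, or None for NXDOMAIN.
    """
    return INTERNAL_ZONE.get(qname.rstrip(".").lower())


def select_view(client_ip):
    """Choose 'internal' if the client's source address is in an internal net."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def views_server(qname, client_ip):
    """Split-horizon: answer from the view matched by the client's source IP."""
    zone = INTERNAL_ZONE if select_view(client_ip) == "internal" else PUBLIC_ZONE
    return zone.get(qname.rstrip(".").lower())


def leaked_records(server, probe_ip="198.51.100.7"):
    """Internal-only names that an outside client can still resolve via `server`."""
    internal_only = set(INTERNAL_ZONE) - set(PUBLIC_ZONE)
    return sorted(n for n in internal_only if server(n, probe_ip) is not None)


if __name__ == "__main__":
    for name, client in [("hr-db.corp.example.com", "10.0.9.9"),
                         ("hr-db.corp.example.com", "198.51.100.7"),
                         ("www.example.com", "198.51.100.7")]:
        print(f"{name:26} from {client:14} flat={flat_server(name, client)} "
              f"views={views_server(name, client)}")
    print("flat server leaks :", leaked_records(flat_server))
    print("views server leaks:", leaked_records(views_server))
```

The `leaked_records` probe is the check to keep: point it (or a real `dig @public-ns` loop) at the public-facing server from an outside address and expect an empty list; a non-empty result means the internal view, or a zone transfer of it, has reached the external server.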
Re: (Score:2)
Using DNS on an internal network should never be pay to play. Doing so anyway just sets a bad precedent: "Subscribe to yet another thing or we'll break your internal network." It's a protection racket and should be stopped.
Re: (Score:2)
I am speaking in the context of an organization that probably has, or will wish to have, some public presence at some point, or simply has an interest in domain-squatting anyway so as to prevent others from being confused with them.
Your attitude also fails to address the real challenges around certificates (a racket, sure, but one we pretty well have to deal with) and the real risks, if you have a larger number of users, around name conflicts where they may unintentionally send sensitive information to a different host.
Uh.. this differs from .local ? (Score:2)
Re:Uh.. this differs from .local ? (Score:4, Informative)
.local traffic is not supposed to traverse subnets. This is for networks bigger than a simple local multicast.
Re: (Score:2)
Slurs get reclaimed. I would never expect to see .[n word] as a TLD but .queer is definitely possible.
De-Facto already the case (Score:1)
Many, many internal domains have .int or .internal or something similar as TLD. All they had to do was never give them out as their 'special' TLDs. The whole concept of 'special' TLD seems a bit overkill and moves the problem of assigning 'domains' from the registrar to ICANN as now everyone is trying to register .google, .microsoft and .mycompany.
Re: (Score:2)
So no, please don't use .int as "internal domain". I still think .local is a better de-facto choice.
An alternative suggestion (Score:2)
Stop creating new top-level domains, then we won't have to worry about it.
Re: (Score:2)
Stop creating new top-level domains, then we won't have to worry about it.
Yes, but then how will we reap millions (billions?) in fees from companies that need to register name.everytld to prevent malicious third parties from registering them?
Use zones (Score:2)
Usually just 'split DNS' with zones.
But, yeah, configure your devops to include/exclude addresses for machines, often different depending on who's asking.
But apparently Windows NT locks you in to the initial setup name forever so if the name becomes valid or a domain expires you might be screwed.
You are not the target audience (Score:2)
Re: (Score:2)
And yes, it does have push notifications turned on by default. (That might not have been a good idea.)
ICANNs new proposal (Score:2)
Would not put it past them if in a few years from now they changed their mind and decided to auction off the TLD to the highest bidder anyway.
Stupid (Score:1)
Why not just designate the .local TLD for this purpose? Microsoft taught this in the MCSE courses way back in the 'beginning'.
It's still stupid. If you want to use a private domain, learn how or have your DNS server configured to do so. This is pollution.
Oh wait, yeah, some bad actor would try to register the .local TLD and both break this and create a huge security hole. Fixing something that requires further understanding of DNS than many organizations have or care to. If you wanna do something, you ought
Re: (Score:2)
So as far as ICANN is concerned,
*check the RFC authors
Re: (Score:2)
Well, MCSE trainers were bandying about the .local TLD as a clever hack in 1993, and my best efforts to teach DNS to the instructor I was saddled with proved fruitless. He was not having it. Nearly every other student in the class, however, was coming out of the Novell world, like I was, and at the next user group meeting we not only refuted it, we proved it at lab. Didn't matter until one of my clients hired on another firm with multiple MCSEs, you know, for redundancy, and they went bonkers over my registe
A qualified no. (Score:2)
I'm generally opposed to this idea.
"Internal" stuff is only internal today. Tomorrow will be different. Set the expectation that you should buy a domain and use it, even for internal stuff. If it's for some IOT kit or a home wifi router/nat device, isn't that why .local exists?
Over in Microsoft land we have a bunch of customers that did .corp or .internal domains and now they can't get certificates and they fight with UPN mismatches. Please no. This *feels* like it invites that again.
Re: (Score:2)
You cannot buy a domain, only rent it.
Re: (Score:2)
Microsoft rolls out 365
Microsoft: "WTF why are you using
Gee thanks MS. Can I bill you for all the Excedrin this has caused me to consume?
Re: (Score:2)
I feel you on this; It's the exact scenario I've worked through countless times. Never again; No .internal TLD, please.
Why? (Score:2)
I can already create an "internal" domain name inside a non-routable network. Why would they need to be registered with the routable DNS system?
I'm sorry. Do these people think we don't understand computers or something?
What about .private? (Score:2)
I thought that the .private TLD was reserved for this purpose long before the proliferation of TLDs. I can not find that right now.
I know of at least one company that used .int for the internal domain name that is intended to be not reachable from the outside, even though .int was intended to be for international. So they registered and used mycompanyname.com externally, and use mycompanyname.int internally.
dot local (Score:2)
Just do it (Score:1)
Re: (Score:2)
Microsoft telling everyone to use .local is partly what made this mess to begin with.
Not sure (Score:2)
I'm not sure I see the demand, frankly. While, yes, it's a sensible extension, I can also see it being widely abused.
We've already got the ability to use existing TLDs in a local-only or internal-only context. Many organizations will use some variation of a local/internal/lan/officename.domain.tld prefix with a public wildcard certificate for this purpose. Then, people can reach internal resources from anywhere (with or without the use of secondary DNS and/or VPN) without additional hoops to jump through -
Seems long (Score:2)
The word "INTERNAL" is longer than some IPv4 addresses. I'm not sure tacking that onto the end of everything is any easier.
The alternative has been to make everything internal under *.corp.mycompany.com. Which is even longer of course, but easy to set up.
Why not .test? (Score:2)
Are the semantics of .internal different from those of .test as described in RFC 6761 [ietf.org]?
Frist! (Score:2)
I claim penis.INTERNAL as a porn site!
.Internal certificates (Score:2)
Kinda long... (Score:2)
Would have been nicer if it was a little shorter...