On Fri, Apr 18, 2025 at 6:41 AM Philip Homburg <[email protected]>
wrote:

> > The draft does not recommend using or not using .internal. It says:
> >
> >     If an organization determines that it requires a private-use
> >     DNS namespace, it should either use sub-domains of a global
> >     DNS name that
> >     is under its organizational and operational control, or use
> >     the "internal" top-level domain.  This document does not offer
> >     guidance on when a network operator should choose the "internal"
> >     top-level domain instead of a sub-domain of a global DNS name.
> >     This decision will depend on multiple factors such as network
> >     design or organizational needs, and is outside the scope of
> >     this publication.
> >
> > SAC113 said:  Using sub-domains of registered public domain names
> > is still the best practice to name internal resources.
> >
> > I'm not against changing the draft to align more with the advice in
> > SAC113, but my inclination is to keep the draft agnostic on this
> > point.  When the authors originally discussed it we decided against
> > offering advice in either direction.
>
> I assume this IETF working group can form an independent opinion.
>
> In my opinion the issue is not whether public domains are better or not.
> My issue is that the IETF should recommend against uses that lead to DNSSEC
> failures.
>
> For example, home.arpa. is safe to use from a DNSSEC validation point of
> view.
>
> So unless DNSSEC validation is improved the draft should actively recommend
> against using internal.
>

I agree with this.

And in fact there are other reasons to not recommend "internal". What happens
if multiple organizations using "internal" as a private domain merge and need
to integrate their networks and domains? They have a big mess to clean up
with the colliding domains. Why would the IETF ever recommend a DNS
configuration that causes such situations to occur? (Yes, I realize that we
have similar problems with IPv4 RFC1918 address space, but at least we made
an effort to address that with IPv6 - by using globally routable address
space everywhere or ULAs.)

And if the use case for "internal" is not enterprise networks but primarily
home networks, we have another specified solution for that (home.arpa).

In my own organization, we would never recommend the use of "internal" for
private domains. We use (multiple) subdomains of other global domains that we
already own (i.e. what is in the SSAC recommendation).

Shumon.
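Added illustration, not part of any message in this thread: a minimal Unbound
resolver configuration showing the DNSSEC validation failure Philip describes
for a locally served "internal." zone, the exception an operator has to add
to make it resolve, and why "home.arpa." needs no such exception. The trust
anchor path, the forwarder address and the zone names are constructed for
the example; the directives are standard unbound.conf options.

```conf
# Added example (not from the thread): why a locally served "internal."
# zone breaks on a validating resolver, and what it takes to work around it.
# Addresses and paths are constructed for illustration.
server:
    # DNSSEC validation is on, anchored at the root (path is an assumption).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # WEAK (what happens with only the forward-zone below): the validator
    # asks the root for a DS record at "internal." and receives a signed
    # NSEC proving that no "internal" TLD exists. Data from the internal
    # forwarder therefore contradicts the chain of trust, is marked bogus,
    # and every client gets SERVFAIL.
    #
    # FIX: declare the name insecure so the validator stops requiring a
    # DS chain for it. This line has to be present on every validating
    # resolver that is expected to resolve the private namespace.
    domain-insecure: "internal."

    # "home.arpa." needs no equivalent line: RFC 8375 gives it an insecure
    # delegation inside the signed "arpa." zone, so a validator can prove
    # the name is unsigned (insecure) rather than bogus and accepts local
    # answers. Unbound serves "home.arpa." as a default static local zone,
    # so an operator forwarding it to a local server releases that default:
    local-zone: "home.arpa." nodefault

forward-zone:
    # Internal authoritative server for "internal." (constructed address).
    name: "internal."
    forward-addr: 192.0.2.53

forward-zone:
    # Same pattern for "home.arpa.", which validates cleanly as insecure.
    name: "home.arpa."
    forward-addr: 192.0.2.53
```

The practical difference is where the fix lives: for "home.arpa." the
insecure delegation is published once in the global DNS, so any validating
resolver (including a laptop running its own validator, or a public resolver
the organization does not control) handles it correctly; for "internal."
each validator must carry its own domain-insecure exception, and any
validator without it returns SERVFAIL for the whole private namespace.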
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]