Subject: Re: [DNSOP] DNS names for local networks - not only home residental networks ... Date: Sun, Sep 03, 2017 at 08:47:30PM +0200 Quoting Walter H. (walte...@mathemainzel.info): > On 03.09.2017 06:32, Måns Nilsson wrote: > > Corporate environments are a somewhat different matter, since you can > > expect them to own their own domain name and have people who can set up > > devices to use it. > > > BUT this need not necessarily be a public domain ..., just think of Active > > > Directory Domains ... > > AD is DNS, and it follows the same rules. > yes and no; AD is more, and so many companies got the advice to use a domain > name, > that is NOT public, because it is not internet ...
A lot of Microsoft -focused consultants have, say, a very confused view of what the Internet is, and especially what DNS is. Consequently, a lot of FUD is propagated about the AD implementation. Reading the TechNet whitepapers and combining that data with some testing soon reveals that the only strange thing in AD DNS is the use of GSSAPI to secure updates. This has seen 3rd party implementation, and is used in both commercial and open-source software to provide DNS to AD. It is only DNS, well thought out and used do a lot of things. > > A sub-domain, a separate domain > > or two-face (using the same domain name as you public-facing resources > > but a different set of authoritative servers and some careful setup of > > full-service resolvers), all work. The single thing that does not work > > is to use name-space you do not own (like LOCAL or a domain name from a > > non-existent TLD, like "web". Ooops. It does now...) and hope it doesn't > > escape. Or that somebody registers the name and tries to impersonate you. > even if I fully ACK this, but 15 years ago, nobody said, that ".local", ... > would conflict one day ... Nobody said that it would be conflict-free forever either. The best available strategy was, and is, to use names within a domain you have some control over. > and also the company I work for has decided at these times to use a ".local" > as internal domain and AD; > now it is impossible to change this ... Bad advice does not improve with aging. > I for myself use a ".home.arpa" as internal name (I'm no company just a > citizen), > and for IPv6 connections I use a subdomain of my public domain, > which is only used to get resolved correctly ... > e.g. the IPv6 of my proxy resolves to proxy.sub.example.com and > proxy.sub.example.com resolved to this IPv6 ... > and router (firewall) blocks the whole prefix to be connected from outside > (internet) ... Practical operational experience suggests that firewalls leak. Not in the expected ways, but in new unforseen trickles. The best available strategy was, and is, to use names within a domain you have some control over. It seems I'm repeating myself. My apologies. I'll quit now. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE SA0XLR +46 705 989668 The PILLSBURY DOUGHBOY is CRYING for an END to BURT REYNOLDS movies!!
signature.asc
Description: PGP signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
