On Mon, Sep 4, 2017 at 4:45 PM, Mark Andrews <ma...@isc.org> wrote: > > In message <efe320cf9580d4c1bb2b26dd1c294306.1504529...@squirrel.mail>, > "Walter > H." writes: >> On Mon, September 4, 2017 14:22, Mark Andrews wrote: >> > >> > In message <c0c73dab49c6452c616c86656704ecd0.1504518...@squirrel.mail>, >> > "Walter H." writes: >> >> where there anyone who said: "don't use it", 15 years ago? >> > >> > Yes. There were lots that discourage the use of .local, lan, >> > .corp etc. Just becaue you didn't hear from them doesn't mean >> > they weren't out there. >> >> a discourage is not a "don't use" :-) > > We gave them fair warning that and domain they choose could be > allocated in the future. We told them to the advice you have been > getting today. Use a zone registered to them. They, like you are > today, are ignoring the advice. >
Yup, but people continue to ignore the advice, and, as far as I can see, will continue to do so - .internal is intended to give people a place where they can go do whatever they want without just squatting on something. I personally believe they should just use something which they have registered -- but, I also believe that abstinence is the only way to prevent teen pregnancy. Seeing as my believing this doesn't actually *stop* teenagers having sex, I'd like them to do so in the least risky way possible -- .internal, a condom for the namespace. >> >> > 'home.arpa' is in the process of being registered so that it >> >> > can be used safely in the environment it is designed to be used in. >> >> >> >> yes, but commonly for residental networks, not company/enterprise >> >> networks, >> >> they want/need something shorter like ".corp", ".lan", ".local", ... >> > Perhaps corp.arpa, or internal.arpa, or home.arpa is the right answer - unfortunately I think that they fail the "looks pretty" property. >> > Want maybe, need absolutely not. >> question: why isn't this the answer of a car dealer? > > Because the car dealer is trying to take as much money off you as > they can. We on the other hand are trying to save you money by > stopping you and everyone else getting into situations that will > cost you/them thousands of dollars to rectify in the future. > >> > Everyone was told to register the domain you want to use, there was >> > no exception for active directory. Sorry, nope. You might have said that, I might have said that, but many people remained unaware -- also Microsoft suggested ( https://support.microsoft.com/en-us/help/296250/the-domain-name-system-name-recommendations-for-small-business-server ) "Three practical methods to name the DNS domain are: * Make the name a private domain name that is used for name resolution on the internal Small Business Server network. This name is usually configured with the first-level domain of .local. At the present time, the .local domain name is not registered on the Internet. * Make the name a sub-domain of a publicly registered domain name. For example, if the publicly registered domain name is Contoso.com, a sub-domain of Corp.contoso.com can be used. * Make the name the same as a publicly registered domain name. Most Small Business Server customers should use the first method. The following list describes some of the advantages when you use a separate and private domain name for the local Small Business Server network: The management of the local namespace is controlled by the Small Business Server Server. When you use a private FQDN for local DNS name resolution, the DNS server becomes the start of authority for the local domain. This result means that a query to external DNS root servers is not required for local resource name resolution. The security may be increased for your DNS server by not enabling zone transfers by means of the zone transfer properties of the forward lookup zone. Because dynamic registration of internal hosts can occur with the DNS server, if you disable the zone transfers from external clients, you can limit the exposure of internal host names to the Internet. The natural separation of internal and external networks occurs because of the use of a separate internal namespace. A client query generated from the Internet for www.contoso.local does not return any valid domain information because .local, at the present time, is not a registered domain name. However, by using the Web Publishing rules in Internet Security and Acceleration (ISA) Server, internal Web sites can be hosted externally and viewed by using resolvable domain names. This hosting still requires a registered domain name as well as the appropriate public DNS records that resolve to the external IP address of Small Business Server. Refer to "Configuring Publishing" in ISA Server Help for more information about Web Publishing rules." Microsoft now recommends that people put stuff under a registered name, but a significant number of people heard (and followed) the earlier advice. Microsoft also used .corp (or contoso.corp) in a large number of examples (e.g: https://blogs.technet.microsoft.com/networking/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp/: , including (IIRC) the step by step walkthrough of how to setup Active Directory - and many people followed this -- http://www.enyo.de/fw/notes/the-great-corp-renaming.html So, yes, people shouldn't have just used .local, or .corp -- but I entirely understand why they did. Reserving a TLD for internal shenanigans certainly won't fix existing deployments. It also won't stop people from sometimes squatting on whatever-they-feel-like. However, it will give people who are going to do this sort of thing a safe place to do it. As Andrew says, there are an almost unlimited number of strings that can be made with 63 octets. I think the benefit of giving people a sandbox for this outweighs the costs (basically none). Yes, there will be collisions if e.g. companies merge, VPNs, and other cases (just like there were with RFC1918); I think we need to note that as a disclaimer in the document. People choosing to use this should be consenting adults. >> >> not really, at those days only a few TLDs where possible, the many TLDs >> came some years later ... > > People were wanting to deploy more TLDs from the moment the Internet > was opened up to the public. > >> by the way: where is the problem with .home or .corp? >> I ask this, because at my hoster I pre-reserved my "local domain" - a >> .home, that I have used for many years several zears ago and nothing >> happened ... >> >> > IPv6 would have been deployed a lot sooner. :-) >> >> not really, my ISP is still IPv4 only ..., my IPv6 connectivity is a >> HE-tunnel ... >> and the brand new OS from Microsoft still has the bugs inside: TEREDO, ... >> which I had to deactivate first, before it is usable with IPv6 at all ... > > If you didn't have the relief valve of RFC 1918 addresses then yes > IPv6 would have come a lot quicker and stuff like TEREDO wouldn't > exist. > >> > Except such systems exist. Go look at what a Mac does. ping for >> > test.local and look and port 5353 traffic and compare it to port 53 >> > traffic. >> >> I know, this RFC was written by Apple; >> >> no Apple no problem, I would say :-) > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
