At my employer we use real domains, but do not expose them to the outside world (they just see 127.0.0.1). It's better than inverting security through obscurity like I have seen elsewhere (not that you would do that, Andreas).
Paul, I am not 100% in love with the .alt name/idea, but I do agree that if we don't do something the Real Users (tm) will do something even more broken and horrific.

Tim

On Tue, Jul 24, 2018 at 11:32 AM, Tony Finch <d...@dotat.at> wrote:
> Petr Špaček <petr.spa...@nic.cz> wrote:
> >
> > My operational experience indicates that it is easiest to just use
> > "corp.example.com.", "office.example.com.", or even "i.example.com.".
>
> We use private.cam.ac.uk.
>
> > Nice thing is that this approach doesn't require:
> > - views
>
> We have an empty version of private.cam.ac.uk in an external view,
> originally set up to avoid problems with CAA checking for X.509
> certificates. It also massively reduces retries for REFUSED queries from
> outside. (Our qps went down by about 50% when we introduced this view!)
>
> > - forwarding
>
> However you do still need forwarding (or stealth secondarying) for RFC1918
> reverse DNS. Catalog zones make stealth secondaries almost as easy as
> forwarding to set up and maintain :-)
>
> > - explicit trust anchor (if you want DNSSEC inside internal network)
> >
> > and generally just works :-)
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Sole: Westerly backing southerly, 3 or 4, increasing 5 or 6 later in west.
> Slight, becoming moderate in west. Mainly fair. Moderate or good.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
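As an added illustration of the split-view arrangement Tony describes (this is not configuration from the thread or from the cam.ac.uk setup): a BIND 9 named.conf fragment with an internal view carrying the real private subdomain and an external view serving an empty copy of it. The zone name private.example.com, the 10.0.0.0/8 ACL, the server addresses and the file paths are all assumptions chosen for the example.

```conf
// Assumed names: private.example.com is the internal-only subdomain,
// 10.0.0.0/8 is the internal network. Syntax is BIND 9.16+ (older
// releases spell "primary"/"secondary"/"primaries" as master/slave/masters).
acl internal { 10.0.0.0/8; 127.0.0.1; };

// Internal view: full zone data, recursion, served only to internal clients.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "private.example.com" {
        type primary;
        file "/etc/bind/zones/db.private.example.com";
    };

    // RFC 1918 reverse DNS still has to be answered from inside; a stealth
    // secondary of the reverse zone (or a forward zone) covers that.
    zone "10.in-addr.arpa" {
        type secondary;
        primaries { 10.0.0.53; };   // assumed internal primary
        file "/var/cache/bind/db.10.in-addr.arpa";
    };
};

// External view: everyone else, no recursion. The public zone is served as
// usual, and private.example.com is served as an EMPTY zone (SOA + NS only).
// Outside resolvers then get a clean NXDOMAIN rather than REFUSED, so they
// stop retrying, and a CA's CAA lookup for a name under it can walk up the
// tree instead of failing on a refused answer.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type primary;
        file "/etc/bind/zones/db.example.com";
    };

    zone "private.example.com" {
        type primary;
        file "/etc/bind/zones/db.private.example.com.empty";
    };
};

// Contents of db.private.example.com.empty (minimal empty zone):
//   $TTL 3600
//   @   IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 3600 )
//   @   IN NS  ns1.example.com.
```

To check the result, query a name under the subdomain from outside and from inside: the external view should answer NXDOMAIN (rcode, not REFUSED) and the internal view should return the record.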