As a practical matter .corp is already used for this purpose and ICANN has
been forced to accept the practice. So that would be a good choice.

But you can't get a CA issued certificate for .corp any more. So you will
find that a large number of applications that have embedded assumptions
about the use of WebPKI certs will cause headaches.

Many companies I have dealt with have a separate corporate domain [e.g.
paypal-inc.com]


Split horizon DNS is very common and causes a pain because there is no way
to know what view of the DNS a particular machine is seeing for a given
resolution. This is one of the issues I have looked to clear up in my
Private DNS proposal.

It is clearly undesirable for internal machine names to be publicly visible
or for a particular user or machine/user to have a view of the Internet
that varies according to where or how they connect. VPNs are abominable to
debug and use.

Each machine or user/machine combo should have the same view of the
Internet regardless of where it is accessing the net from. This is not
possible with traditional DNS but putting in an encryption and
authentication layer clears the whole situation up.


I don't know if there is a strong privacy case for encrypting DNS traffic
or not. The big problem is that the leverage you get from encrypting the
traffic tends to be small if the adversary can perform traffic analysis.
But I can make a very strong case that Private DNS makes network admin a
lot easier.
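The troubleshooting problem described above (not knowing which DNS view a given machine is seeing) can be made concrete with a small checker that asks several resolvers the same question and reports whether their answers agree. The following is an added example, not code from the original mail or from the dns-operations list; it builds and parses a minimal A-record query with the standard library only. The resolver addresses and the name intranet.is.example.com are constructed placeholders (the is.example.com convention is the one suggested in the quoted reply below).

```python
"""Split-horizon DNS check: ask several resolvers the same name and compare views."""
import random
import socket
import struct
from typing import Callable, Dict, FrozenSet, List


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int) -> bytes:
    """Build a recursive (RD=1) A-record query with a single question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_answers(msg: bytes, qid: int) -> List[str]:
    """Return the IPv4 addresses in the answer section; NXDOMAIN yields an empty list."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 3:          # NXDOMAIN: the name does not exist in this resolver's view
        return []
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_resolver(server: str, name: str, timeout: float = 2.0) -> FrozenSet[str]:
    """Send one UDP query to `server` (port 53) and return the set of A records it gives."""
    qid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return frozenset(parse_a_answers(data, qid))


def compare_views(name: str, resolvers: List[str],
                  query_fn: Callable[[str, str], FrozenSet[str]] = query_resolver
                  ) -> Dict[str, FrozenSet[str]]:
    """Map each resolver to the answer set it returned for `name`."""
    return {server: query_fn(server, name) for server in resolvers}


def views_diverge(views: Dict[str, FrozenSet[str]]) -> bool:
    """True when at least two resolvers disagree (the split-horizon symptom)."""
    return len(set(views.values())) > 1


if __name__ == "__main__":
    # Constructed placeholder resolvers: an internal one and a public one.
    views = compare_views("intranet.is.example.com", ["10.0.0.53", "192.0.2.53"])
    for server, addrs in views.items():
        print(f"{server}: {sorted(addrs) or 'NXDOMAIN / no A records'}")
    print("views diverge" if views_diverge(views) else "views agree")
```

Run it from a workstation whose resolver list mixes internal and external servers; a name that resolves on one and returns NXDOMAIN (or a different address) on the other is exactly the situation the poster calls hard to diagnose over the phone.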



On Mon, Jun 23, 2014 at 5:37 PM, Phil Regnauld <regna...@nsrc.org> wrote:

> Doug Barton (dougb) writes:
> > >
> > >* Registered domain name (e.g., somecompany.com)
> > >* Fantasy tld (e.g., .mycorp)
> > >* .local (collides zeroconf/mDNS)
> >
> > You missed a fourth option, which is generally my preference. Use a
> > subdomain of an existing registered domain. I generally like
> > is.example.com, where "IS" stands for Internal Systems, but feel
> > free to be creative there. Generally a good idea to keep it short
> > though.
>
>         +1. Microsoft has made this their recommended way as well (after
>         years of getting lambasted for suggesting .local and .corp).
>
>         For Jim suggesting split DNS: please, no. It's troubleshooting
>         hell trying to figure out what the user on the phone is seeing,
>         etc.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>