What we all keep ignoring is that .internal DOES NOT WORK WITH BRING YOUR OWN DEVICE scenarios.

Reverse for RFC1918 addresses work with BYOD because we have public AS112 servers that serve UNSIGNED reverse zones. This breaks the DNSSEC chain of trust cleanly allowing the zones to be used by everyone. We have FAILED to do this for .internal. So either every device needs to know a priori that DNSSEC doesn’t work for .internal which makes it a special use domain or we add .internal to the root with an insecure delegation to break the chain of trust cleanly.
-- 
Mark Andrews

On 6 Feb 2025, at 01:56, Steve Crocker <[email protected]> wrote:


Many years ago I ran across a large company that had a large internal network.  It purposely used IP addresses that were already assigned to others.  They didn't want their internal numbers to conflict with the numbers assigned to their externally visible devices.  Sort of a split view approach.  Seemed very risky to me.

Steve


On Wed, Feb 5, 2025 at 9:50 AM Jan Schaumann <jschauma=[email protected]> wrote:
Joe Abley <[email protected]> wrote:

> Nobody liked this idea at the time and it withered on the vine. I seem to remember one reaction being (paraphrasing) "this is a draft that literally recommends doing nothing, we don't need a draft for that" which I don't quite agree with but which made me smile at the time.

:-)

In addition, I kind of feel that a good way to
guarantee that somebody will use the domain is to
claim that it is never used anywhere.

People will take that as a way to do all sorts of
weird things.  "We _know_ this domain isn't used
anywhere else, so we can just use it to do X."

(See e.g., the use of Class E network space by
different companies and organizations.)

-Jan

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
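
The DNSSEC point in Mark Andrews' message at the top of this thread, as an added example that is not part of the original thread: a simplified model of how a validating resolver or stub on a BYOD device classifies an unsigned local answer. The zone data, the `validate` function and the `exempt` parameter are constructed for illustration and assume a validator that walks the chain of trust from the root.

```python
# Simplified model of DNSSEC validation outcomes (RFC 4035 terms).
# All zone data below is constructed sample data, not a real zone dump.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# What each signed parent zone proves about a child label:
#   "ds"       -> secure delegation: a DS exists, the child must be signed
#   "no_ds"    -> insecure delegation: NS present, signed proof that no DS exists
#   "nxdomain" -> signed proof that the name does not exist at all
ROOT_TODAY = {
    ".": {"arpa": "ds", "internal": "nxdomain"},
    "arpa.": {"in-addr": "ds"},
    "in-addr.arpa.": {"10": "no_ds"},   # RFC1918 reverse zone served unsigned by AS112
}
# Hypothetical root with .internal added as an insecure delegation.
ROOT_PROPOSED = {**ROOT_TODAY, ".": {**ROOT_TODAY["."], "internal": "no_ds"}}


def validate(qname, parent_proofs, answer_is_signed, exempt=()):
    """Classify a positive answer for qname the way a validator would."""
    labels = qname.rstrip(".").split(".")
    if labels[-1] in exempt:
        return INSECURE          # device was told a priori not to validate this TLD
    zone = "."
    for label in reversed(labels):
        proof = parent_proofs.get(zone, {}).get(label)
        if proof == "nxdomain":
            return BOGUS         # answer contradicts a signed denial of existence
        if proof == "no_ds":
            return INSECURE      # chain of trust ends cleanly; unsigned data is fine
        if proof != "ds":
            break                # no zone cut in this model: name is in current zone
        zone = label + "." + ("" if zone == "." else zone)
    return SECURE if answer_is_signed else BOGUS


def demo():
    """Unsigned local answers under each scenario from the message."""
    return {
        "rfc1918 reverse, today": validate("1.0.0.10.in-addr.arpa", ROOT_TODAY, False),
        ".internal, today": validate("printer.corp.internal", ROOT_TODAY, False),
        ".internal, device pre-configured": validate(
            "printer.corp.internal", ROOT_TODAY, False, exempt=("internal",)),
        ".internal, insecure delegation": validate(
            "printer.corp.internal", ROOT_PROPOSED, False),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```
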

