Re: [dns-operations] Current thinking on internal corporate/campus domain names
> RFC 2606 seems to suggest using a registered domain. That's great except
> that split-brain inevitably creeps into the equation. Is this a case of
> choosing the "least worst" option?

Register a domain, but delegate it to DNS servers that are not in your network and that always contain a null zone. Most registrars will provide you such a service for free.

Rubens

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Current thinking on internal corporate/campus domain names
Kelly,

The "fantasy TLD" is a really bad idea. There are several hundred new TLDs coming online, and the topic of "collisions" between a fake internal and a real external TLD has been the topic of much discussion (Google "icann name collisions").

I definitely vote for the registered name. If you are worried about split brain, most DNS software supports the concept of zones so you can ensure that only your internal network sees your internal naming.

Wayne

On Jun 23, 2014, at 1:28 PM, Kelly Setzer <kelly.set...@wnco.com> wrote:

> What is current thinking/accepted practice for internal domain names?
>
> * Registered domain name (e.g., somecompany.com)
> * Fantasy TLD (e.g., .mycorp)
> * .local (collides with zeroconf/mDNS)
>
> This is for use within a corporate/campus setting.
>
> In times past, I have taken the fantasy approach. However, colleagues have pointed out that the growing list of new gTLDs and branded TLDs could collide with a fantasy TLD.
>
> RFC 2606 seems to suggest using a registered domain. That's great except that split-brain inevitably creeps into the equation. Is this a case of choosing the "least worst" option?
>
> Thanks,
> Kelly
Re: [dns-operations] Current thinking on internal corporate/campus domain names
On 23 Jun 2014, at 21:28, Kelly Setzer <kelly.set...@wnco.com> wrote:

> What is current thinking/accepted practice for internal domain names?
>
> RFC 2606 seems to suggest using a registered domain. That's great except that split-brain inevitably creeps into the equation. Is this a case of choosing the "least worst" option?

IMO split DNS using a properly registered domain name is the way to go. That way, you can be *sure* the name won't get hijacked for something else in a way that seriously disrupts things for your organisation. [Just like you wouldn't pluck IP addresses out of the air to number your network and hope nobody else will ever use the same prefix.]

ICANN policy on TLD naming is subject to change. As is IETF thinking on which domain names are OK for private use.
[dns-operations] Current thinking on internal corporate/campus domain names
What is current thinking/accepted practice for internal domain names?

* Registered domain name (e.g., somecompany.com)
* Fantasy TLD (e.g., .mycorp)
* .local (collides with zeroconf/mDNS)

This is for use within a corporate/campus setting.

In times past, I have taken the fantasy approach. However, colleagues have pointed out that the growing list of new gTLDs and branded TLDs could collide with a fantasy TLD.

RFC 2606 seems to suggest using a registered domain. That's great except that split-brain inevitably creeps into the equation. Is this a case of choosing the "least worst" option?

Thanks,
Kelly

*** CONFIDENTIALITY NOTICE *** This e-mail message and all attachments transmitted with it may contain legally privileged and confidential information intended solely for the use of the addressee. If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete this message from your system. Thank you.
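As an added example (not code from any poster in this thread), the checker below applies the objections raised here to the three options Kelly lists: it rejects IETF special-use names such as .local (RFC 6762), rejects the strings ICANN has withheld from delegation because of collision risk (.corp among them), warns on any fantasy TLD that is simply undelegated today and so exposed to a future gTLD, and accepts a registered domain, preferring a dedicated internal subdomain of it. The DELEGATED_TLDS set is a constructed excerpt for offline use; a real run should load the IANA list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt in its place. The function names and verdict labels are my own.

```python
import re

# Constructed excerpt of the IANA root-zone TLD list, enough to exercise the
# checks. For a real run, load https://data.iana.org/TLD/tlds-alpha-by-domain.txt
# (one upper-case TLD per line) into this set instead.
DELEGATED_TLDS = {
    "com", "net", "org", "edu", "gov", "mil", "int", "arpa",
    "uk", "de", "br", "jp", "nl",
    "google", "cloud", "network", "systems", "dev", "app",
}

# Special-use names the IETF has reserved; none may be used as a private TLD.
SPECIAL_USE = {
    "local": "reserved for mDNS/zeroconf (RFC 6762)",
    "localhost": "reserved for loopback (RFC 6761)",
    "invalid": "guaranteed never to resolve (RFC 6761)",
    "example": "reserved for documentation (RFC 2606/6761)",
    "test": "reserved for testing (RFC 2606/6761)",
}

# Strings ICANN has withheld from delegation indefinitely because of the
# collision risk created by widespread private use. Public CAs stopped issuing
# certificates for these (and every other undelegated name) under the
# CA/Browser Forum Baseline Requirements, so WebPKI-dependent software breaks.
ICANN_DEFERRED = {"corp", "home", "mail"}

# RFC 1035 letter-digit-hyphen label: 1-63 chars, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def labels(name):
    """Normalise a name to lower-case labels, ignoring a trailing root dot."""
    return name.strip().lower().rstrip(".").split(".")


def assess(name):
    """Classify a candidate internal namespace as 'ok', 'warn' or 'bad'.

    Returns {'name': ..., 'verdict': ..., 'reasons': [...]}. The verdict covers
    collision and certificate risk only; 'ok' still assumes you hold the
    registration of the domain you picked.
    """
    parts = labels(name)
    dotted = ".".join(parts)
    tld = parts[-1]

    def result(verdict, *reasons):
        return {"name": name, "verdict": verdict, "reasons": list(reasons)}

    bad = [p for p in parts if not LDH_LABEL.match(p)]
    if bad:
        return result("bad", f"invalid label(s) {bad}: RFC 1035 allows letters, "
                             "digits and interior hyphens, 1-63 chars")

    if tld in SPECIAL_USE:
        return result("bad", f".{tld} is {SPECIAL_USE[tld]}")

    if tld in ICANN_DEFERRED:
        return result("bad",
                      f".{tld} is on ICANN's indefinite hold list because of collisions",
                      "no public CA will issue a certificate for a name under it")

    if tld not in DELEGATED_TLDS:
        # Fantasy TLD, or a name under one: works only until ICANN delegates it.
        return result("warn",
                      f".{tld} is not delegated today, so any future gTLD with that "
                      "string would silently capture every internal name under it",
                      "register a real domain and put internal names in a subdomain of it")

    if len(parts) == 1:
        return result("bad", f".{tld} is a delegated TLD you cannot own; internal "
                             "names under it collide with the public namespace")

    if len(parts) == 2:
        return result("ok",
                      f"{dotted} is a registrable domain; using its apex internally "
                      "means split-horizon for the whole zone",
                      f"a dedicated subdomain such as is.{dotted} keeps the public "
                      "zone single-sourced")

    return result("ok",
                  f"{dotted} is an internal subdomain of {'.'.join(parts[-2:])}; "
                  "confirm you hold that registration and serve the zone only to "
                  "internal resolvers")


if __name__ == "__main__":
    for candidate in ("somecompany.com", "mycorp", "hosts.local",
                      "corp", "is.example.com", "my_corp"):
        r = assess(candidate)
        print(f"{candidate:18} {r['verdict']:5} {'; '.join(r['reasons'])}")
```

Run against the live IANA list, the "warn" branch is the interesting one: it is exactly the case where a fantasy TLD looks fine today and is overtaken by a delegation later, which is the collision scenario the ICANN studies describe.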
Re: [dns-operations] Current thinking on internal corporate/campus domain names
On Jun 23, 2014, at 4:28 PM, Kelly Setzer <kelly.set...@wnco.com> wrote:

> What is current thinking/accepted practice for internal domain names?
>
> * Registered domain name (e.g., somecompany.com)
> * Fantasy TLD (e.g., .mycorp)
> * .local (collides with zeroconf/mDNS)
>
> This is for use within a corporate/campus setting.

Recipe for Success:

1. Design your DNS namespace as if your network is intimately connected to the Internet.
2. Use internal subdomains for general end systems if needed.
3. Don't serve the zones for internal subdomains to the Internet at large.
4. Keep in mind that DNS resolution .ne. reachability.
5. Last, but not least, expect policy change from your management about connectivity.

Ingredient 1 is key here.
Re: [dns-operations] Current thinking on internal corporate/campus domain names
On 6/23/2014 1:28 PM, Kelly Setzer wrote:

> What is current thinking/accepted practice for internal domain names?
>
> * Registered domain name (e.g., somecompany.com)
> * Fantasy TLD (e.g., .mycorp)
> * .local (collides with zeroconf/mDNS)

You missed a fourth option, which is generally my preference. Use a subdomain of an existing registered domain. I generally like is.example.com, where IS stands for Internal Systems, but feel free to be creative there. Generally a good idea to keep it short though.

Numerous advantages, including not having to register/maintain a new name, you control the delegation, etc.

hth,

Doug
Re: [dns-operations] Current thinking on internal corporate/campus domain names
Doug Barton (dougb) writes:

>> * Registered domain name (e.g., somecompany.com)
>> * Fantasy TLD (e.g., .mycorp)
>> * .local (collides with zeroconf/mDNS)
>
> You missed a fourth option, which is generally my preference. Use a subdomain of an existing registered domain. I generally like is.example.com, where IS stands for Internal Systems, but feel free to be creative there. Generally a good idea to keep it short though.

+1. Microsoft has made this their recommended way as well (after years of getting lambasted for suggesting .local and .corp).

For Jim suggesting split DNS: please, no. It's troubleshooting hell trying to figure out what the user on the phone is seeing, etc.
Re: [dns-operations] Current thinking on internal corporate/campus domain names
As a practical matter .corp is already used for this purpose and ICANN has been forced to accept the practice. So that would be a good choice. But you can't get a CA-issued certificate for .corp any more. So you will find that a large number of applications that have embedded assumptions about the use of WebPKI certs will cause headaches.

Many companies I have dealt with have a separate corporate domain [e.g. paypal-inc.com].

Split-horizon DNS is very common and causes pain because there is no way to know what view of the DNS a particular machine is seeing for a given resolution. This is one of the issues I have looked to clear up in my Private DNS proposal.

It is clearly undesirable for internal machine names to be publicly visible, or for a particular user or machine/user to have a view of the Internet that varies according to where or how they connect. VPNs are abominable to debug and use. Each machine or user/machine combo should have the same view of the Internet regardless of where it is accessing the net from. This is not possible with traditional DNS, but putting in an encryption and authentication layer clears the whole situation up.

I don't know if there is a strong privacy case for encrypting DNS traffic or not. The big problem is that the leverage you get from encrypting the traffic tends to be small if the adversary can perform traffic analysis. But I can make a very strong case that Private DNS makes network admin a lot easier.

On Mon, Jun 23, 2014 at 5:37 PM, Phil Regnauld <regna...@nsrc.org> wrote:

> Doug Barton (dougb) writes:
>
>> * Registered domain name (e.g., somecompany.com)
>> * Fantasy TLD (e.g., .mycorp)
>> * .local (collides with zeroconf/mDNS)
>>
>> You missed a fourth option, which is generally my preference. Use a subdomain of an existing registered domain. I generally like is.example.com, where IS stands for Internal Systems, but feel free to be creative there. Generally a good idea to keep it short though.
>
> +1. Microsoft has made this their recommended way as well (after years of getting lambasted for suggesting .local and .corp).
>
> For Jim suggesting split DNS: please, no. It's troubleshooting hell trying to figure out what the user on the phone is seeing, etc.