[dns-operations] TLD(s) for private use

Andrew Sullivan ajs at anvilwalrusden.com
Wed Sep 6 15:35:49 UTC 2017

On Wed, Sep 06, 2017 at 03:28:00PM +0100, James Stevens wrote:
> Many are well aware of the RFC1918 IPs for use on a private LAN.

I think that they're aware that they exist, but given the state of the
Internet I think it is safe to say that many people don't seem to
understand the consequence of their use and abuse.

> Domains with no NS in the parent zone become harder to discover & get data
> about. This is true of any sub-domain in a TLD, but registering a name for
> that purpose involves (1) an annual cost & risk this will fail to be done at
> some point and (2) finding a registrar who will allow this.

In the case of (1), of course, the cost is in fact just the cost of
using public infrastructure for what you want to do.  The risk that
you won't register/renew the name is a risk that is entirely under
your own control, and not subject to the whims of the names community
that makes policy at ICANN; in other words, it is risk entirely under
your own control instead of the risk that someone might or might not
do something, so I would think responsible management would understand
which is preferable.  And of course, there are _lots_ of registrars
who will take your money for a domain name registration.  Once you
have registered the domain, they don't even need to know (or have any
reason to know) what you are doing with it.  ICANN registrars are not
the name space police.

> Creating a sub-domain in a domain that was used for something else, would
> likely create confusion for future engineers

Really?  notpublic.example.com would seem pretty clear to me.

> , in a way that (say) a
> universally known "unregistered" prefix like "zz--" would not - in the same
> way that all network engineers understand the implications when they see an
> RFC1918 IP.

Oh, if _only_ all network engineers understood such implications!  If
that were true, then my printer would not occasionally turn out to be
on the network of Oracle's London office whenever I connected to the
VPN.  1918 address space is in fact problematic because it is supposed
to have _only_ local significance, but people don't use it that way
because of NAT.

> There can often be information some operating systems automatically put in
> their DNS you wouldn't want in the public domain.

I'm afraid that you're out of luck, however, in that case, because it
is now and has always been the case that hiding things in the DNS
using split-brain topologies does not successfully hide those things.
They leak all the time.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
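As an added illustration of the argument above (this is not code from the thread or from either author): a small audit that sorts internal hostnames into names under a registered apex you control (the `notpublic.example.com` pattern), names under IETF special-use domains, and names under a made-up private TLD that can collide with the public namespace and leak to public resolvers. The owned-apex list and hostnames are constructed sample data.

```python
# Added example (not from the thread): classify internal hostnames by whether
# they sit under a domain you actually control, an IETF special-use name, or a
# made-up "private" TLD that collides with the public namespace. The owned-apex
# list and the hostnames passed in are constructed sample data.

# Special-use domain names reserved by the IETF (RFC 6761, RFC 6762, RFC 8375,
# RFC 7686). Resolvers may treat these specially; they are not general-purpose
# private zones, but they at least cannot be delegated publicly.
SPECIAL_USE = {
    "localhost", "test", "invalid", "example",
    "example.com", "example.net", "example.org",
    "local",        # RFC 6762 (mDNS)
    "home.arpa",    # RFC 8375
    "onion",        # RFC 7686
}

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def _under(name, apex):
    """True if name equals apex or is a subdomain of it."""
    n, a = _labels(name), _labels(apex)
    return len(n) >= len(a) and n[-len(a):] == a

def classify(hostname, owned_apexes):
    """Return 'owned', 'special-use' or 'private-tld'.

    'owned'       : under a registered apex you control, e.g.
                    notpublic.example.com under example.com.
    'special-use' : under an IETF-reserved special-use name.
    'private-tld' : under a suffix nobody registered (.lan, zz--...); it may
                    collide with a future delegation and queries for it leak
                    to public resolvers.
    """
    if any(_under(hostname, apex) for apex in owned_apexes):
        return "owned"
    if any(_under(hostname, s) for s in SPECIAL_USE):
        return "special-use"
    return "private-tld"

def audit(hostnames, owned_apexes):
    """Map each hostname to its classification."""
    return {h: classify(h, owned_apexes) for h in hostnames}
```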
