The "internal purposes" misconception stems from the TLD-wide wildcard DNS entry pointing to 127.0.53.53 that is required by ICANN's Controlled Interruption process for all new gTLDs. For more info see here: https://www.icann.org/resources/pages/name-collision-ro-faqs...
(Source: I'm the lead engineer of Google Registry.)
Of course, I could change my ways and start using a different naming system: I notice a lot of development shops using .local, albeit for same machine dev & testing.
Edit: lol. tried to use 'star'.dev, but it came out in italics!
It turns out that part of the way the internet is declared to work includes reserved TLDs to be used for testing. So the burden of responsibility for avoiding a situation such as the article describes lies on the developer to use one of those reserved TLDs instead of ".dev", which anyone could (and now, has) come to control.
https://en.wikipedia.org/wiki/.local#Microsoft_recommendatio...
Just buy medium-devel.com or something and make it resolve to 127.0.0.1 in internal DNS. This gets you a couple of benefits:
- No one will ever take it from you
- You can configure it in external DNS if you'd like
- You can get a real, publicly-trusted SSL certificate for it, for free, because Let's Encrypt can resolve DNS challenges against it
(By the way, you want to get an SSL certificate for internal development, because of the policy - Chrome-initiated but now followed by the HTML standards folks in general - to require HTTPS for fancy new features like geolocation and service workers: https://www.chromium.org/Home/chromium-security/prefer-secur... If you don't have HTTPS of some sort, you can't test these features locally.)
We set up `*.l.example.com` (where example.com is our company's domain) to all resolve to 127.0.0.1. I personally have nginx set up to map `project.client.l.example.com` to `/path/to/webroot/client/project/`.
All of our infrastructure has hostnames under our domain and references other pieces of infrastructure using those hostnames.
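Assuming the `*.l.example.com` convention from the comment above, the mapping from `project.client.l.example.com` to `/path/to/webroot/client/project/` can be written as a small function. This is an added example, not the commenter's nginx configuration; the suffix and webroot are assumed. It also checks that each label is a well-formed DNS label, because whatever derives a filesystem path from the Host header must not let a crafted hostname escape the webroot.

```python
import re
from pathlib import PurePosixPath

# Assumed values (not from the comment): the dev suffix and where webroots live.
DEV_SUFFIX = "l.example.com"
WEBROOT = PurePosixPath("/path/to/webroot")
# One DNS label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def webroot_for_host(host: str):
    """Map project.client.l.example.com to WEBROOT/client/project.

    Returns None for hosts outside the suffix, with the wrong number of
    labels, or with labels that are not valid DNS labels (so "..", "/",
    empty labels and similar can never become part of the path).
    """
    host = host.rstrip(".").lower()          # tolerate a trailing dot, ignore case
    if not host.endswith("." + DEV_SUFFIX):
        return None
    labels = host[: -len(DEV_SUFFIX) - 1].split(".")
    if len(labels) != 2:
        return None
    project, client = labels
    if not (LABEL_RE.match(project) and LABEL_RE.match(client)):
        return None
    return WEBROOT / client / project


if __name__ == "__main__":
    for h in ("api.acme.l.example.com", "a.b.c.l.example.com", "..l.example.com"):
        print(h, "->", webroot_for_host(h))
```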
Why is everyone putting so much effort into trying to operate outside of the established domain name system? To avoid paying the $10/yr?
If your public-facing website is just a static landing page (e.g., you're a B2B company or a design agency or a hedge fund or whatever), then yeah, using .dev.contoso.com works.
(By the way, the same analysis applies to running internal services at out-of-date-wiki.corp.contoso.com - consider whether you'd be happier hosting them at out-of-date-wiki.contoso-corp.com instead, and having contoso-corp.com not exist in external DNS.)
Something that pisses me off even more is that a few months back there was an IETF draft to specify the .home TLD to only resolve local network requests. It seemed pretty reasonable, but there was pushback and it was changed to home.arpa, since the .arpa TLD is already restricted. So big companies can pick up any TLD they want, but regular users will forever be forced to type in extra characters.
There are no gTLDs intended only for internal company use. There are many that are intended for only a single company to use them, though externally.
For example, the .americanexpress gtld (https://www.nic.americanexpress/) will only provide domains to entities affiliated with american express.
Same with .dodge, and .google, and many many others.
ICANN handled this quite well -- they let others object to applications, let anyone who may have a trademark or reason to claim the word was generic come forward, left time for comments, etc etc.
If you're objecting to this now, not back when the program was being formed, you clearly handled this poorly by not being involved in something you care about.
If you don't care and weren't involved, you also don't have the full picture and your outrage very well might be misplaced.
> If you don't care and weren't involved, you also don't have the full picture and your outrage very well might be misplaced.
That's an unhelpful and unreasonable response. You shouldn't blame people for not being attuned to the activities an obscure bureaucracy (the gTLD process), just because they might be affected by it. The gTLD process has a problem, not the people negatively affected by it.
There really ought to be a long post-implementation objection period for gTLDs, and the existing process should be changed to allow for that. The top goal of the DNS system right now should be to not break stuff, and that should override any entity's desire to buy a gTLD for $$$.
Mostly I tend to see companies either inventing an unregistered TLD, often using their own company name, or they use ".local", which can cause issues - some systems treat this name specially.
A third option would be putting all internal names under an "internal.yourcompany.com", but that's long and annoying.
Ideally I'd like to see a ".private" or ".internal" TLD recognised as special-use under the same semantics as ".test". Does anyone have any better option?
The currently safe way is to use a public domain that you own (you could use a distinct subdomain for this, which is not publicly exposed but which is in DNS on your internal network; e.g., intranet.example.com if you own example.com); as you note, this gives a long full domain.
> Mostly I tend to see companies either inventing an unregistered TLD, often using their own company name, or they use ".local", which can cause issues - some systems treat this name specially.
“.local” is a reserved domain with special semantics, see RFC 6762.
> Ideally I'd like to see a ".private" or ".internal" TLD recognised as special-use under the same semantics as ".test".
I'm kind of surprised that we haven't seen an RFC gain acceptance for this already, but I expect something like this will happen and be registered with the IANA special use domains registry.
It's still very much in the early stages though.
Even then, though, you can end up with all sorts of problems during mergers/acquisitions when previously separate intranets end up getting joined, exposing naming conflicts. Ultimately you always need to use a globally unique namespace, so either use a real domain name (guaranteed unique) or do something unique on top of .internal, e.g. .yourcompanyname.internal (still not guaranteed unique, but better).
See also: https://jdebp.eu/FGA/dns-use-domain-names-that-you-own.html
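The thread above boils down to a question of who controls the namespace an internal name lives in, plus the Controlled Interruption sentinel (127.0.53.53) mentioned at the top. As an added example (not from any commenter), this audits an inventory of internal hostnames: it classifies each name against the special-use names from RFC 6761 (.test, .example, .invalid, .localhost), RFC 6762 (.local) and RFC 8375 (home.arpa), against domains you own (assumed to be `example.com`), and flags any name that resolves to 127.0.53.53. The resolver is injected and the answers are constructed so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List

# IANA special-use names that are never delegated in the public root.
RESERVED_FOR_TESTING = {"test", "example", "invalid", "localhost"}
# Domains this organisation actually owns (constructed for the example).
OWNED = {"example.com"}
# ICANN Controlled Interruption sentinel: a newly delegated gTLD answers
# with this address for a period after delegation so leaking names show up.
COLLISION_SENTINEL = ipaddress.ip_address("127.0.53.53")


def namespace_kind(name: str) -> str:
    """Classify a hostname by who controls the namespace it lives in."""
    n = name.rstrip(".").lower()
    tld = n.rsplit(".", 1)[-1]
    if tld in RESERVED_FOR_TESTING:
        return "reserved"      # RFC 6761: safe for testing, never delegated
    if tld == "local":
        return "mdns"          # RFC 6762: multicast DNS, not unicast DNS
    if n == "home.arpa" or n.endswith(".home.arpa"):
        return "home-arpa"     # RFC 8375: reserved for residential networks
    if any(n == d or n.endswith("." + d) for d in OWNED):
        return "owned"         # globally unique because you registered it
    return "not-yours"         # .dev, .home, invented TLDs: someone else may own it


def audit(names: List[str], resolve: Callable[[str], List[str]]) -> Dict[str, str]:
    """One finding per name; `resolve` returns the addresses a name resolves to."""
    findings = {}
    for name in names:
        kind = namespace_kind(name)
        addrs = {ipaddress.ip_address(a) for a in resolve(name)}
        if COLLISION_SENTINEL in addrs:
            findings[name] = "COLLISION: public TLD is signalling a name collision"
        elif kind == "not-yours":
            findings[name] = "RISK: namespace you do not control"
        else:
            findings[name] = "ok (%s)" % kind
    return findings


# Constructed answers standing in for a real recursive resolver.
STUB_ANSWERS = {
    "api.myapp.dev": ["127.0.53.53"],      # a leaked .dev name during Controlled Interruption
    "wiki.home": [],                         # invented TLD: NXDOMAIN today, not yours tomorrow
    "intranet.example.com": ["10.0.0.5"],
    "printer.local": ["192.168.1.20"],
    "staging.test": ["127.0.0.1"],
}


def stub_resolve(name: str) -> List[str]:
    return STUB_ANSWERS.get(name.rstrip(".").lower(), [])
```

Run `audit(list(STUB_ANSWERS), stub_resolve)` to see the findings; swap in a function built on `socket.gethostbyname_ex` to audit real names through your own resolver.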
Is that monopolistic behaviour?
No. Acquiring the TLD has nothing to do with any monopoly, so it's just a browser decision made by Chrome, and it isn't locking anybody out of any markets.
It's also technically not even a change to the status quo. Beforehand, you weren't supposed to be using .dev like that. As the article says, you should have been using .test or .invalid. After Google's actions, you still shouldn't have been using .dev and should have been using .test or .invalid. You can't hear my tone, but I don't mean that in the imperative or angrily; we've pretty much all screwed that up at some point. But a screw-up it was.
This is like Ford registering ".car" gTLD for themselves (although actually worse).
> It's also technically not even a change to the status quo.
If it wasn't a change to the status quo, they would have just used the exact same test domains you mention. You're saying that what we should not have done, is okay for Google to do.
So it isn't exactly a shock that this bad practice is going to bite its users. I think the reason it's getting headlines is why it's biting those users now, all at once.
Lobby google through petitions and collective developer action to surrender their .dev TLD and create an RFC that makes it reserved for developer use, similarly to .example and .test.
A case can be made. How strong it will be remains to be seen. I hope Google can see the greater good in this. They have a lot of good will to win amongst the developer community.
Remember when APNIC got 1/8 from IANA and had to go test what would happen if they announced 1.2.3.4 to the Internet? Just because something has been done historically doesn't mean we need to ban it entirely from the future.
Developers are humans. Technical justification is one of the things that should be considered when making decisions. There are many others.
Developers have not been widely using .example and .test as the spec recommends. They have been using .dev. It makes sense for it to be added as a reserved testing TLD. No one can force Google to do it. We can just petition them and hope that they do the right thing.
There is a lot of goodwill that Google can gain by allowing free use of `.dev`. Even more if they propose a spec to add it to the reserved domains. I would imagine it would be at least $185,000 worth of goodwill.
Not only is this problematic but so is HSTS, and the push for increasing reliance on CAs and in effect making self signed certs pointless.
The great concern for SSL by many people is simply ad supporting behavior masquerading as concern for privacy and state actors. Apparently ssl which is routinely mitm'd by small time corporations can protect privacy. Accept that with straight face while mitm vendors interests are paid attention to in standards meetings.
And Mozilla, the so called 'defender' cashing in on the public good will whenever it suits them conveniently caves in to Google at every opportunity.
Am I missing something or are they whining over nothing? I would get a little perturbed if only .dev domains show up if you're on a google ip or something, but for now, using https is totally do-able.
Unless you've bound yourself to Big G's browser. We only use that for last-minute rendering tests because management doesn't trust it not to leak info back to Mountain View.
Also, does Medium have a minimum word requirement? For some reason Medium articles always seem unnecessarily extra large.
:(
[ ] True [x] False
First, is it the OS that distrusts certificates, or is it the HTTP client?
Second, CA certificates such as the ones trusted by HTTP clients (contained in "browsers") are self-signed certificates.
Pre-installed CA certificates in corporate HTTP clients (e.g., Chrome, etc.) and CA certificates in downloadable "bundles" available from corporations (e.g., Mozilla) are self-signed.
I really dislike allowing domains to be used in such a way. It seems extremely short sighted.
Unfortunately, the time to oppose this was long ago when gTLDs were first being debated...
I see this kind of attitude a lot when it comes to technology "Oh it's already happened just accept it" Or "It's the way everything is so just go along with it"
I'm getting fairly sick of being told I shouldn't disagree with or be against something because "that's the way it is"
Since when has technology ever been about accepting things the way they are? The whole reason we even have an internet is because people decided the way things were weren't good enough.
I would like to add that clearly, those that were involved in the process have made a less than perfect decision in allowing .dev to be bought by anyone.
It's been in widespread - informal - use for decades, and the decision to allow it to be sold has now directly affected multiple third parties negatively. If one assumes the people involved in the process had knowledge in the area of domain names, they knew this but chose to ignore it for no good reason.
TLDs with widespread historical, albeit informal, use should absolutely have been reserved.