
563 points | joncfoo | 2 comments

8organicbits (No.41205729)
My biggest frustration with .internal is that it requires a private certificate authority. Lots of organizations struggle to fully set up trust for the private CA on all internal systems. When you add BYOD or contractor systems, it's a mess.

Using a publicly valid domain offers a number of benefits, like being able to use a free public CA like Let's Encrypt. Every machine will trust your internal certificates out of the box, so there is minimal toil.

Last year I built getlocalcert [1] as a free way to automate this approach. It allows you to register a subdomain, publish TXT records for ACME DNS certificate validation, and use your own internal DNS server for all private use.

[1] https://www.getlocalcert.net/

1. seb1204 (No.41207112)
https://letsencrypt.org/ does not work?
2. francislavoie (No.41207166)
No, that's a public CA. No public domain registrar will be allowed to sell .internal domains, so no public DNS server will resolve .internal, and that's a requirement for Let's Encrypt to validate that you control the domain. So you must use a private CA (one that you create yourself, with something like Smallstep, Caddy, or OpenSSL commands), and you'll need to install that CA's root certificate on any device you want to be able to connect to your server(s) that use .internal.