563 points joncfoo | 1 comments
8organicbits No.41205729
My biggest frustration with .internal is that it requires a private certificate authority. Lots of organizations struggle to fully set up trust for the private CA on all internal systems. When you add BYOD or contractor systems, it's a mess.

Using a publicly valid domain offers a number of benefits, like being able to use a free public CA like Let's Encrypt. Every machine will trust your internal certificates out of the box, so there is minimal toil.

Last year I built getlocalcert [1] as a free way to automate this approach. It allows you to register a subdomain, publish TXT records for ACME DNS certificate validation, and use your own internal DNS server for all private use.

[1] https://www.getlocalcert.net/

replies(12): >>41206030 #>>41206106 #>>41206231 #>>41206513 #>>41206719 #>>41206776 #>>41206828 #>>41207112 #>>41208240 #>>41208353 #>>41208964 #>>41210736 #
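The split the comment above describes (public zone carries only the ACME TXT record, internal DNS carries the real address) rests on the dns-01 challenge from RFC 8555. The following is an added example, not code from the comment author or from getlocalcert, showing exactly what has to be published and what the CA checks: the RFC 7638 JWK thumbprint, the key authorization, and the TXT record name and value. It uses only the Python standard library. The account key coordinates, the challenge token and the hostname are constructed placeholders; a real client derives the JWK from the account key it registered with the CA and receives the token from the CA's challenge object.

```python
"""ACME dns-01 challenge material for an internal host under a public domain.

Added example (not from the original comment or from getlocalcert).
Implements the RFC 7638 JWK thumbprint and the RFC 8555 section 8.4 dns-01
response with the standard library only. The key, token and hostname below
are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 2)."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# RFC 7638 section 3.2: the members that participate in the thumbprint.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: keep only the required members, sort them lexicographically,
    serialize with no whitespace, SHA-256 the UTF-8 bytes. Optional members
    such as 'kid', 'use' or 'alg' never influence the result."""
    try:
        members = _REQUIRED_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')}") from exc
    canonical = {m: jwk[m] for m in members}  # KeyError if a required member is absent
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(hostname: str, token: str, jwk: dict) -> tuple:
    """RFC 8555 section 8.4: the TXT owner name and value the CA will resolve
    for a dns-01 challenge on `hostname`. Returns (name, value)."""
    name = "_acme-challenge." + hostname.rstrip(".") + "."
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def server_validates(txt_rrset: list, expected: str) -> bool:
    """What the CA does after resolving the TXT name: accept if any record in
    the RRset equals the expected value (constant-time comparison)."""
    want = expected.encode("ascii")
    return any(hmac.compare_digest(rr.encode("utf-8"), want) for rr in txt_rrset)


# Constructed placeholder account key (P-256). The coordinates are illustrative
# only; nothing here asserts a particular thumbprint value.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://ca.example/acme/acct/1",  # ignored by the thumbprint
}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed
EXAMPLE_HOST = "wiki.corp.example.com"  # constructed; its A record lives only in internal DNS

if __name__ == "__main__":
    name, value = dns01_record(EXAMPLE_HOST, EXAMPLE_TOKEN, EXAMPLE_JWK)
    # This single record goes in the PUBLIC zone; the CA never needs an A record.
    print(f'{name} 60 IN TXT "{value}"')
```

The point of the split is visible in the output: the public zone only ever learns a hashed challenge response under `_acme-challenge.wiki.corp.example.com`, never the host's internal address, while every client that trusts the public CA trusts the resulting certificate without any CA roll-out. The TXT value is a base64url SHA-256 digest, so it is always 43 characters and carries no padding; a record that still contains `=` or was published under the bare hostname instead of the `_acme-challenge` label is the usual reason a dns-01 order stalls.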
mschuster91 No.41206231
> Lots of organizations struggle to fully set up trust for the private CA on all internal systems.

Made worse by the fact phone OSes have made it very difficult to install CAs.

replies(1): >>41206466 #
booi No.41206466
And on some platforms and configurations, impossible.

Same with the .dev domain

replies(2): >>41206630 #>>41206687 #
jhardy54 No.41206630
.dev isn’t a TLD for internal use though, do you have the same problem when you use .test?
replies(1): >>41209682 #
dijit No.41209682
gonna go ahead and cast shade at Google because of how they handled that.

Their original application for .dev was written to "ensure its reserved use for internal projects - since it is a common internal TLD for development" - then once granted a few years later they started selling domains with it.

** WITH HSTS PRELOADING ** ensuring that all those internal dev sites they were aware of would break.