Re: [DNSOP] howto "internal"

Joe Abley <jabley@hopcount.ca> Tue, 24 July 2018 16:02 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAA16130DF5 for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 09:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f08Or9egdOp4 for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 09:02:48 -0700 (PDT)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4350130F3B for <dnsop@ietf.org>; Tue, 24 Jul 2018 09:02:48 -0700 (PDT)
Received: by mail-pg1-x531.google.com with SMTP id g2-v6so3210264pgs.6 for <dnsop@ietf.org>; Tue, 24 Jul 2018 09:02:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kpal+IJlwgmFWgKDbi6s+sMvjWSHFE0IeFbA3iQupVc=; b=RgGXuE5Tl8nRRl+O38/SuZoRJR8Uj2HVNLOVqJewuFn1BHKguXmOO8v/TWfN2ROZ5m SM3diqxlmsH3tTas6K3rsPMlDZArUpP768dy/2zvCfsHGu8wt29zxHC+k+GdpkNeTrOC I2CM3yO/Twc6Grx0c4vdl83jn0fNShZl7kxqs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kpal+IJlwgmFWgKDbi6s+sMvjWSHFE0IeFbA3iQupVc=; b=PHIVtZC+17NDBUsK6ht/3R9zIPG8yZOehz/OokAsCtba49YBCLCzd2V/4t0dX76Dv6 p4k7rI1GnptNI+t5JJE+c8RQMBikWZZuOsGnVdjEyb0N/Z4si56qslub13eAvUi/7r9e A01SvM1F2sdY8VMhnvYpy/n6TMzx29r0TsUqvWTq0p8pTnHcMOj9dEzM5MmXp76y+WWR hYswjI4xBW2mkVawo39lFTDhoK2c2/a9o0eOMPeMv/mfyKkx9J9H4znQNBCesy7ybtto rYckvqon7in6oLHcrWhK4L1Vg2IFL5Pf3x/doKmi7zgvDpR241uZtDjHHrErnQKHqEuS o0Bg==
X-Gm-Message-State: AOUpUlE+8e3WSPdoiG4GwGaCS0VX8OyHHS7X9Eh3G0XN9QtmsFjO+mGA Ursw8wAwcG5Kcu0Zx0dLdxKrInvqMWk=
X-Google-Smtp-Source: AAOMgpcCLtYkWID3rQvSTMfUGNoU7cpf8Av9VmGExVnt+pcEGWeNFWV2sHV0N+69uzR+VG4u6qQOfA==
X-Received: by 2002:a63:7b4d:: with SMTP id k13-v6mr16783156pgn.64.1532448167912; Tue, 24 Jul 2018 09:02:47 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:bc8f:3235:dd88:6672? ([2607:f2c0:101:3:bc8f:3235:dd88:6672]) by smtp.gmail.com with ESMTPSA id t14-v6sm12736671pgu.0.2018.07.24.09.02.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Jul 2018 09:02:46 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
X-Mailer: iPad Mail (15F79)
In-Reply-To: <1cb82914-0bc3-9ea7-7f69-9dc826d19e48@andreasschulze.de>
Date: Tue, 24 Jul 2018 12:02:43 -0400
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A8C83D32-B1BC-40AF-B507-C7F1CCDAC39C@hopcount.ca>
References: <1cb82914-0bc3-9ea7-7f69-9dc826d19e48@andreasschulze.de>
To: "A. Schulze" <sca@andreasschulze.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1dXiAMgXtktldigNGoGuxzOQQTE>
Subject: Re: [DNSOP] howto "internal"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 16:02:52 -0000

Hi Andreas,

One problem with using non-unique namesapaces is that if you ever find yourself needing to join your infrastructure to someone else's you run the risk of collisions. 

[This is an analogue to the problem at the IP layer with using RFC 1918 addresses -- if I'm already using 192.168.1.0/24 and so is the other person, either one of us needs to renumber or we need a world of translation complexity to be able to talk to each other.]

My usual answer to your question is to register a domain for internal use and name everything within it. You can make the DNS records available to your internal resolver and not even delegate the zone in the public DNS if you like. The point of the registration is just uniqueness.

Using a subdomain of a name you already use is a functionally-equivalent answer, but it involves some degree of change to domain names you already use. Even if this is clearly low-cost today, it might add unwelcome complexity in the future.

There are many more angles to the wider discussion about new TLDs like internal, alt, etc or using names under example.com, but in your case since you get to start from scratch I think a few dollars per year to reserve a unique name is a cheap and good answer.


Joe

> On Jul 24, 2018, at 10:52, A. Schulze <sca@andreasschulze.de> wrote:
> 
> Hello,
> 
> some times ago there was an proposal (?) from Warren Kumari to define a zone "internal." for internal use.
> 
> We consider a major DNS redesign of a large enterprise network. Part of the network is private (RFC1918 address space in use)
> some other parts are public. The whole network is currently organized as subdomains of example.com. 
> 
> One problem is the inability of users to distinguish the public/private state of different subdomains.
> sub1.example.com is public, sub2.example.com isn't :-/
> 
> For that I like the proposal to use "internal." But that's far away from being a standard.
> So I like to ask about alternatives...
> 
> Thanks for suggestions
> Andreas
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop