Re: [DNSOP] DNS names for local networks - not only home residental networks ...

Måns Nilsson <> Mon, 04 September 2017 10:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BCE1D126DD9 for <>; Mon, 4 Sep 2017 03:42:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id P9js_DXsgLB5 for <>; Mon, 4 Sep 2017 03:41:59 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6654A1241FC for <>; Mon, 4 Sep 2017 03:41:59 -0700 (PDT)
Received: by (Postfix, from userid 1004) id 102E89D61; Mon, 4 Sep 2017 12:41:57 +0200 (CEST)
Date: Mon, 04 Sep 2017 12:41:57 +0200
From: Måns Nilsson <>
To: "Walter H." <>
Cc: Tony Finch <>, "" <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="0/kgSOzhNoDC5T3a"
Content-Disposition: inline
In-Reply-To: <>
X-Clacks-Overhead: "GNU Sir Terry Pratchett"
X-Purpose: More of everything NOW!
X-happyness: Life is good.
User-Agent: Mutt/1.7.2 (2016-11-26)
Archived-At: <>
Subject: Re: [DNSOP] DNS names for local networks - not only home residental networks ...
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Sep 2017 10:42:02 -0000

Subject: Re: [DNSOP] DNS names for local networks - not only home residental networks ...
Date: Sun, Sep 03, 2017 at 08:47:30PM +0200
Quoting Walter H. (
> On 03.09.2017 06:32, Måns Nilsson wrote:
> > Corporate environments are a somewhat different matter, since you can
> > expect them to own their own domain name and have people who can set up
> > devices to use it.
> > > BUT this need not necessarily be a public domain ..., just think of Active
> > > Directory Domains ...
> > AD is DNS, and it follows the same rules.
> yes and no; AD is more, and so many companies got the advice to use a domain
> name,
> that is NOT public, because it is not internet ...

A lot of Microsoft-focused consultants have, say, a very confused view
of what the Internet is, and especially what DNS is. Consequently,
a lot of FUD is propagated about the AD implementation. Reading the
TechNet whitepapers and combining that data with some testing soon
reveals that the only strange thing in AD DNS is the use of GSSAPI to
secure updates. This has seen 3rd party implementation, and is used in
both commercial and open-source software to provide DNS to AD. It is
only DNS, well thought out and used to do a lot of things.

> >   A sub-domain, a separate domain
> > or two-face (using the same domain name as you public-facing resources
> > but a different set of authoritative servers and some careful setup of
> > full-service resolvers), all work. The single thing that does not work
> > is to use name-space you do not own (like LOCAL or a domain name from a
> > non-existent TLD, like "web". Ooops. It does now...) and hope it doesn't
> > escape. Or that somebody registers the name and tries to impersonate you.

> even if I fully ACK this, but 15 years ago, nobody said, that ".local", ...
> would conflict one day ...

Nobody said that it would be conflict-free forever either. The best
available strategy was, and is, to use names within a domain you have
some control over.

> and also the company I work for has decided at these times to use a ".local"
> as internal domain and AD;
> now it is impossible to change this ...

Bad advice does not improve with aging.

> I for myself use a "" as internal name (I'm no company just a
> citizen),
> and for IPv6 connections I use a subdomain of my public domain,
> which is only used to get resolved correctly ...
> e.g.  the IPv6 of my proxy resolves to and
> resolved to this IPv6 ...
> and router (firewall) blocks the whole prefix to be connected from outside
> (internet) ...

Practical operational experience suggests that firewalls leak. Not in the expected
ways, but in new unforeseen trickles.

The best available strategy was, and is, to use names within a domain
you have some control over. It seems I'm repeating myself. My
apologies. I'll quit now.

Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
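The thread's recurring point is that internal names belong under a domain the organisation controls, not under a squattable or special-use suffix such as ".local". The following audit script is an added example written for this archive page; it is not code from the thread or from any project mentioned in it. The owned-domain list and the internal hostnames are constructed sample data, and the special-use suffix table is taken from RFC 6761, RFC 6762 and RFC 7686. It matches on label boundaries (so "notexample.com" is not treated as part of "example.com"), normalises case and trailing dots, and sorts names into owned, special-use and unowned buckets.

```python
"""Audit internal DNS names against the namespace an organisation controls.

Added example, not part of the mailing-list thread. All domain lists and
hostnames below are constructed sample data.
"""
from __future__ import annotations

# Suffixes reserved for special use by the IETF (RFC 6761, RFC 6762, RFC 7686).
# They are never delegated in the public root, but no organisation owns them
# either, so they cannot serve as a controlled internal namespace.
SPECIAL_USE_SUFFIXES = ("local", "localhost", "example", "invalid", "test", "onion")


def normalize(name: str) -> tuple[str, ...]:
    """Return the labels of a DNS name, lower-cased, with any trailing dot removed."""
    return tuple(label for label in name.rstrip(".").lower().split(".") if label)


def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies beneath it on a label boundary.

    A plain string suffix test would wrongly accept "notexample.com" for
    "example.com"; comparing label tuples avoids that.
    """
    n, p = normalize(name), normalize(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def classify(name: str, owned_domains: list[str]) -> str:
    """Classify one internal name.

    'owned'       - under a domain the organisation registered and controls
    'special-use' - under an IETF special-use suffix such as .local
    'unowned'     - under namespace nobody here registered (could be delegated
                    or registered by someone else later)
    """
    if any(is_subdomain(name, d) for d in owned_domains):
        return "owned"
    labels = normalize(name)
    if labels and labels[-1] in SPECIAL_USE_SUFFIXES:
        return "special-use"
    return "unowned"


def audit(names: list[str], owned_domains: list[str]) -> dict[str, list[str]]:
    """Group every name by its classification; the report keys are always present."""
    report: dict[str, list[str]] = {"owned": [], "special-use": [], "unowned": []}
    for name in names:
        report[classify(name, owned_domains)].append(name)
    return report


# Constructed sample data: two domains the fictional organisation controls,
# plus a mix of internal hostnames as they might appear in an AD zone export.
OWNED = ["example.com", "corp.example.net"]
INTERNAL_NAMES = [
    "dc01.ad.example.com",
    "DC02.AD.EXAMPLE.COM.",      # case and trailing dot must not matter
    "fileserver.corp.example.net",
    "printer.corp.local",        # the .local case discussed in the thread
    "intranet.company.web",      # a TLD nobody here registered
    "mail.notexample.com",       # looks owned to a naive suffix check, is not
]

if __name__ == "__main__":
    for bucket, members in audit(INTERNAL_NAMES, OWNED).items():
        print(f"{bucket}:")
        for member in members:
            print(f"  {member}")
```

Run it as-is to see the three buckets for the sample data; in practice you would feed it a zone export and a list of registered domains, and treat anything in "special-use" or "unowned" as a name that can escape or be impersonated.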