Derp
Derp.
I mean, really?
Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser …
It's not in the browser, it's in the DNS. Google owns the root domain name dev. From the article:
"In fact, the .dev global top-level domain is owned by Google."
(Has anybody considered using ElReg as hurdle during employment interviews? As in, "here, read this article and summarize it, and tell us what these terms mean, and how would you verify at least one of the points made in the article?")
(see bottom for the important bits)
Contact Information
Registrant Contact
Name: Charleston Road Registry Inc.
Organization: Charleston Road Registry Inc.
Mailing Address: 1600 Amphitheatre Parkway | Mountain View, CA 94043, United States
Phone: 1 650 253 0000
Ext:
Fax: 1 650 253 0001
Fax Ext:
Email:iana-contact@google.com
Admin Contact
Name: Domains Policy and Compliance
Organization: Google Inc.
Mailing Address: 601 N. 34th Street | Seattle, WA 98103, United States
Phone: 1 202 642 2325
Ext:
Fax: 1 650 492 5631
Fax Ext:
Email:iana-contact@google.com
Tech Contact
Name: Richard Roberto
Organization: Google Inc.
Mailing Address: 76 9th Avenue, 4th Floor | New York, NY 10011, United States
Phone: 1 212 565 2633
Ext:
Fax: 1 650 492 5631
Fax Ext:
Email:crr-tech@google.com
Registrar
WHOIS Server: whois.nic.google
URL: http://www.registry.google
Registrar:
IANA ID:
Abuse Contact Email:
Abuse Contact Phone:
Important Dates
Updated Date: 2016-08-03
Created Date: 2014-11-20
Name Servers
ns-tld1.charlestonroadregistry.com
ns-tld5.charlestonroadregistry.com
ns-tld2.charlestonroadregistry.com
ns-tld3.charlestonroadregistry.com
ns-tld4.charlestonroadregistry.com
> nslookup nic.dev
Server: UnKnown
Address: 192.168.2.1
Non-authoritative answer:
Name: nic.dev
Addresses: 2001:4860:4802:32::1d
216.239.32.29
But if you are doing this you are presumably running an internal DNS which will generally recognise itself as authoritative for the domain without reference to the root servers. Alternatives such as the hosts file will equally take precedence.
So yes, the fault lies squarely with Chrome for simply assuming a Google entity.
The job interview point is valid and I have used a similar technique in the past: ask about an area of current controversy and their opinion. Generally I have no interest in the actual opinion, rather it is the arguments used to support it: uninformed opinion and solid technical reasoning are easily separated.
However in this case the issue is indeed one of basic comprehension: the article makes clear the intended servers ARE indeed being reached, they simply are not configured for HTTPS which Google insist on out of nothing more than self interest. That's the point you failed to pick up on, and where this latest Google diktat falls apart.
Since when was Google appointed as the body responsible for deciding Internet standards ?
More importantly why are they not working with standards bodies to propose changes - where these sorts of things are scrutinised by other experienced people, hence reducing the impact of poorly thought through ideas.
Sure, HTTPS is a good thing in most cases, but is not necessary everywhere.
Only the person implementing the site will know if its applicable and will be able to consider the raft of other security related tasks to ensure an appropriately designed, built and operated site. This may include security principles like role based authentication, resilience, firewalls, etc or perhaps none if its a noddy application that runs locally within their home or some management interface on a dumb device (like a home grade switch) that doesn't offer an HTTPS capability as its not powerful enough to do that.
It's their web browser, same logic applies. They have the right to enforce any rules they like, in their web browser.
Also running local sites with real domains is a huge security risk. You're liable to leak data out to the internet domain.
Also running local sites with real domains is a huge security risk. You're liable to leak data out to the internet domain.
So what can you use that's not susceptible to being snagged one day as part of ICANN's money generation machine?
Then don't use a domain name you do not own. Your own domain and .local are both good (if not interchangeable) choices for intranet name resolution. A random domain that you think sounds cool and did not exist five years ago is not a good choice.
You may not have your own domain (e.g. home user) and you can't even use .local because Bonjour can go apeshit if you do.
A TLD for your own internal LAN should be doable without having to pay a rentier to do it properly. The fact that it isn't shows what this is really about.
No, you can't use .lan, because that's taken too. Try www.lan (El Reg won't let me link to it, probably rightly so in this case).
"A TLD for your own internal LAN should be doable without having to pay a rentier to do it properly."
yourname.local <-- try that. set up your DNS server using 'bind', hook it in with the isc DHCP server, and voila! works for me, since, like, forever, LONG before RFC6762 was written. May require Linux or BSD, to work properly.
I can't remember where I first read about '.local' though. It wasn't in the RFCs as I recall, but it may have been mentioned in IANA or ICANN documents someplace. It was related to the use of '.localhost' for ONLY the loopback, and '.local' for anything in a private address space.
A quick google search shows that Micro-shaft recommends it for domain controllers. Maybe THAT is where I first read about it, back in the 90's, setting up a windows NT 4 server domain controller for testing.
Worthy of note: according to SOME several-year-old intarwebs references, Apple's mDNS stuff attempts (or used to attempt) to resolve a "name.local" name differently than a DNS lookup, by assuming they're multicast-only, but "name.whatever.local" appeared to work properly. Just to point it out, anyway.
It's their web browser, same logic applies. They have the right to enforce any rules they like, in their web browser.
It wouldn't be they realised they bought a lemon in the shape of a .dev TLD because other people used it before them and now they're using their general purpose trojan horse browser to make .dev get some traction by enforcing certificates so nobody else can use that TLD on their LAN?
Once Google's got everybody off its lawn, they can begin to monetise .dev.
> In the public internet, sure. But they have zero right to enforce any rules about it at all in a private network they don't own.
Then don't use a domain name you do not own. Your own domain and .local are both good (if not interchangeable) choices for intranet name resolution. A random domain that you think sounds cool and did not exist five years ago is not a good choice.
"Then don't use a domain name you do not own. Your own domain and .local are both good (if not interchangeable) choices for intranet name resolution. A random domain that you think sounds cool and did not exist five years ago is not a good choice."
This ^. This is not only good practise to use a domain you own, but for internal use, it is also recommended to use a subdomain of it, such as mycooldomain.example.com. This would only be resolvable internally, and not on the public Internet. So best practise (if you're referring to an AD domain) still lets you get mycooldomain when logging on. :)
"Then don't use a domain name you do not own. Your own domain and .local are both good"
etc.
I've been using ".local" for my own domain since the 90's. Prior to that I made up my own TLD but after reading up on it, it seemed that it was a bad idea (even back then).
I'd had some problems with a customer VPN setup that used the registered domain for their web site as their "windows domain". That caused lots of problems when VPN'ing into their network (as well as their router and network setup in general - they insisted on using the common/default 192.168.1.x address space, forcing my private LAN to use something else in order to VPN into them).
in any case, it's welcome that there's an RFC for '.local' (6762) but it shouldn't be restricted to ONLY multicast at any point in the future, either. RFC6762 might need an ammendment RFC to clarify that '.local' should be reserved for "general use" and NOT assumed to be multi-cast.
anyway, "companyname.local" works VERY VERY WELL for a corporate domain (for internal network addresses). I expect zillions of BOFH's and IT specialists have done this.
But they have zero right to enforce any rules about it at all in a private network they don't own.
If you use a TLD privately that is available on the global internet, you get all you deserve, it is as simple as that. It is not YOURS to use.
On the other hand, I think this change is silly and should be reverted.
If you're developing stuff for the web then not using Chrome isn't an option. It is needed to be tested against if for no other reason. The Chrome stupidity, if I read it right, is that any request to a .dev url must use https as enforced by Chrome. Glad I didn't choose .dev for my own internal TLD many moons ago. I'm not going to change it, but if I were doing it now, I would probably choose something else.
A local church uses .faith, as in ChurchName.faith, and in fact they have a .org address which redirects to the faith-based (ha!) hostname. If my DNS server dropped that on the floor, I'd never be able to get info which is required for my BUSINESS (not my personal life). Dropping valid DNS requests is not an option.
it's reserved for Bonjour / avahi / mDNS and if you try to use that with "classic" internal DNS then you can have all sorts of fun and games if you plug in a ithing or Linux box. As anyone who followed the original advice from Microsoft in setting up AD as [domain_name].local all those years ago will have long since discovered.
Exactly, don't ever use any domain you don't own.
.local will also bite you even harder in the bum as you can't get a cert from any CA for a domain with a reserved name in it since a few years ago: https://cabforum.org/internal-names/
Some people remain convinced that the NETBIOS name and the AD FQDN are one and the same, but you can have a nice 'mycompany' NETBIOS name while having 'internal.mycompany.com' as the FQDN.
Not really. The common use-case was for things like OWA portals, and you _didn't_ have to self cert until recently as CAs would quite happily issue you a cert for, say, whatever.mycompany.local until the rules changed.
Edit: That obviously didn't change it being not a great idea, but you could if you wanted.
Generic TLDs were a shit idea when they were proposed, and they are a shit idea now. Plenty of people didn't stick their head in the sand, and complained - but we still have them. I think people are fully entitled to whinge about them as much as they want to.
I think they're great unless you're one of those leeches that buys up thousands of domains. It's made their business plan obsolete. But then again, I've noticed that the commenters here on El Reg tend to be very resistant to change of any kind regardless of how useful the new feature might be.
Or an opinionated rant about something waiting to be broken having finally been broken?
Why would any half-competent developer use a domain they do not own and point it at their internal interfaces to boot? That is just begging for all sorts of trouble, of which denial of service is about the least problematic.
El Reg news are not reserved for competent developers or administrators (or operators). Sometimes their less competent or less experienced colleagues, or perhaps just learning, or even pointy-haired bosses read them, too. Something that is not news for one folk, might be news for another.
I wonder whether the people using a domain that they don't control are also using someone else's public IP range on their internal LAN?
It's tantamount to the same thing and will lead to the same problems.
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are available for a reason. The reserved TLDs listed in the article are available for exactly the same reason.
I remember coming across a “consultant” who used 1.209 or something similar as the internal ip range
For a company when asked why it was a us military range and nobody would ever needs to get to it.
When they moved buildings they were shifted to a proper private space to match the rest of the company.....