undefined | Better HN

0 pointsjt21905y ago0 comments

There’s always the .local TLD, which is reserved for this use case:

https://en.m.wikipedia.org/wiki/.local

0 comments

lvh5y ago

That works, but you can't get public certs for it, because you can't prove you own that domain (indeed, you don't :))

jt2190OP5y ago

Please remind me where I said anything about public certificates. ;-)

xg15 is going to have to run a self-hosted Certificate Authority (CA) and generate certificates himself.

Karunamon5y ago

That article goes on to state that .local is reserved by RFC6762 (multicast DNS), which if you use that domain on your network, will cause problems with any services using it, usually Macs or iPhones.

This document specifies that the DNS top-level domain ".local." is a special domain with special semantics, namely that any fully qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate. [...] Any DNS query for a name ending with ".local." MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB).

I'd recommend using something like .lan instead.

jt2190OP5y ago

I think you’re talking about running DNS locally (not sure) and resolving .local addresses by DNS. In that case, yes, the devices that do lookups by mDNS will experience a delay caused by first querying mDNS before falling back onto DNS. The solution is to set up mDNS for the internal resources.

Using an unregistered domain like .lan has serious security implications. See here: https://serverfault.com/a/17566

Karunamon5y ago

.lan is called out in appendix G of the MDNS RFC as "not recommended, but many people do this".

Personally speaking, I'm not too worried about .lan getting registered as a gTLD anytime soon. I'm a lot more worried about forgetting to renew my domain and having things horrifically break if/when that domain gets picked up by someone else. This is a lot more likely...

jt2190OP5y ago

I’m not sure I understand... What would break on your local network if a public domain you own and use only for internal resources is registered by someone else? How is this different from making up a domain name? In both cases you have to set up something to resolve the names to IP addresses on your local network, be it a hosts file or DNS. I would expect that to keep working regardless of the ownership of the domain name.

paledot5y ago

I would have said the same about .dev, and did, until Google came along and registered it.

nitrogen5y ago

Why not just use mDNS too and stick with .local?

xg155y ago

I haven't heard about that yet. this sounds interesting indeed. But how would I get a valid certificate for a .local domain?

jt2190OP5y ago

You need to set up your own “chain of trust” to verify your self-generated certificates. You can run your own Certificate Authority for example. (There are other approaches too.)

j / k navigate · click thread line to collapse

0 comments

lvh5y ago

That works, but you can't get public certs for it, because you can't prove you own that domain (indeed, you don't :))

jt2190OP5y ago

Please remind me where I said anything about public certificates. ;-)

xg15 is going to have to run a self-hosted Certificate Authority (CA) and generate certificates himself.

Karunamon5y ago

I'd recommend using something like .lan instead.

jt2190OP5y ago

Using an unregistered domain like .lan has serious security implications. See here: https://serverfault.com/a/17566

Karunamon5y ago

.lan is called out in appendix G of the MDNS RFC as "not recommended, but many people do this".

jt2190OP5y ago

paledot5y ago

I would have said the same about .dev, and did, until Google came along and registered it.

nitrogen5y ago

Why not just use mDNS too and stick with .local?

xg155y ago

I haven't heard about that yet. this sounds interesting indeed. But how would I get a valid certificate for a .local domain?

jt2190OP5y ago

You need to set up your own “chain of trust” to verify your self-generated certificates. You can run your own Certificate Authority for example. (There are other approaches too.)

j / k navigate · click thread line to collapse