undefined | Better HN

0 pointspas1y ago0 comments

the frustration comes when non-corporate-provisoned clients get on the .internal network and have trouble using the services because of TLS errors (or the problem is lack of TLS)

and the recommendation is to simply do "*.internal.example.com" with LetsEncrypt (using DNS-01 validation), so every client gets the correct CA cert "for free"

...

obviously if you want mTLS, then this doesn't help much. (but still, it's true that using a public domain has many advantages, as having an airgapped network too)

0 comments

8organicbits1y ago

I'll add that anyone using VMs or containers will also run into trust issues too without extra configuration. I've seen lots of contractors resort to just ignoring certificate warnings instead of installing the corporate certs for each client they work with.

layer81y ago

You’re basically saying that .internal can cause frustration when it is used without good reason. Fair enough, but also not surprising. When it is used for the intended reasons though, then there’s just no other solution. It’s a trade-off between conflicting goals. “Simply do X instead” doesn’t remove the trade-off.

nightpool1y ago

What do you see as the intended reasons with no other solutions?

NegativeK1y ago

As a side point, there _needs_ to be something equivalent. People were doing all sorts of bad ideas before, and they had all the problems of .internal as well as the additional problems the hacks were causing -- like using .dev and then dealing with the fallout when the TLD was registered.

8organicbits1y ago

The biggest benefit of .internal IMO is that it is free to use. Free domains used to be a thing, but after the fall of Freenom you're stuck with free subdomains.

1 more reply

layer81y ago

The reasons are explained in https://itp.cdn.icann.org/en/files/security-and-stability-ad....

j / k navigate · click thread line to collapse

0 pointspas1y ago0 comments

the frustration comes when non-corporate-provisoned clients get on the .internal network and have trouble using the services because of TLS errors (or the problem is lack of TLS)

and the recommendation is to simply do "*.internal.example.com" with LetsEncrypt (using DNS-01 validation), so every client gets the correct CA cert "for free"

...

obviously if you want mTLS, then this doesn't help much. (but still, it's true that using a public domain has many advantages, as having an airgapped network too)

0 comments

8organicbits1y ago

layer81y ago

nightpool1y ago

What do you see as the intended reasons with no other solutions?

NegativeK1y ago

8organicbits1y ago

The biggest benefit of .internal IMO is that it is free to use. Free domains used to be a thing, but after the fall of Freenom you're stuck with free subdomains.

1 more reply

layer81y ago

The reasons are explained in https://itp.cdn.icann.org/en/files/security-and-stability-ad....

j / k navigate · click thread line to collapse