Future-proofing top-level domains for private networks

I recently installed some new servers on my home network to discover that systemd-resolved doesn’t resolve hostnames without dots. This got me on a journey on the internet trying to find what is the best practice for choosing a TLD for a private network and future-proof it.

To summon it up: there is no possibility to be sure of this.

In the early age, during the 90s, the Internet was more a playground for everyone. Then, in the end of the 90s, commercialism took a good grip over the Internet, it’s future and over the TLDs.

After reading this: https://www.theregister.com/2018/02/12/icann_corp_home_mail_gtlds it is obvious that we will never be sure.

The private IP-ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that will never see the day of light on the public Internet is really common knowledge and regarded as a fact. But concerning TLDs for private networks, there seems to be a lot of confusion.

Some of the camps and sources for them are:

  1. Never use private TLD – buy a domain!
  2. According to https://www.rfc-editor.org/rfc/rfc2606 these are the only valid ones: .test, .example, .invalid, .localhost
  3. Here https://www.rfc-editor.org/rfc/rfc6762#appendix-G they advocate to not use private TLDs at all, but if you must, choose one of these: .intranet, .internal, .private, .corp, .home, .lan
  4. According to https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#User-assigned_code_elements there are some 2 character TLDs that can be used for private networks. Please read an active draft from ICANN on this subject: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-private-use-tld-00
  5. Some suggests using .[0-9] as a private TLD because it is not valid according to RFC-3696 and therefore will never be delegated by ICANN. See: https://cr.yp.to/djbdns/dot-local.html

As you can see, for example choosing .home as your private local network TLD could be a gamble. Maybe ICANN will drop it for commercial purposes, maybe not.

Questions that comes to mind are: why don’t we have a plethora of TLDs for private networks? Is it because there is no money for ICANN in this? Is it because there is no advocate for private users there?

Of course this is a reflection of where the main body of people come from that are engaged in these organizations: the universities, the commercial sector and the government.

Question: what would be the best mature path to take in this matter?

::: UPDATED WITH CONCLUSIONS :::

After further readings on this subject and looking at the answers and discussions on SE and elsewhere, I have come to the conclusion that these are the future-proof TLDs for private networks:

  • AA, QM to QZ, XA to XZ, and ZZ
  • [0-9]{1,}
Asked By: user442054

||

If you don’t want to buy a domain, or make the necessary configuration/registrations, my answer would be based on suggestion #4 : Use a tld based on one of the "User assigned code elements":

This ranges enumeration is available and has no prior recorded (public) usage (according to Wikipedia): QN, QP-QY, XB-XJ, XL-XM, XO-XT, XW, XY.

Combine that with an short, up to single-letter domain (if all your internal devices support that). Opt for something easy to type on your keyboard, or based on mnemonics, or both:

  • .k.xc for Kompanyname.XrossConnet
  • .q.qw very easy to type on many keyboards
  • .as.xc also easy to type
  • .m.qn my Quantum Network

Oh, I agree with the Comment from @JeffSchaller : This should have gone into a different SE. You can flag this yourself I think.

Answered By: Alex Stragies

home.arpa. is designated for non-unique use in residential home networks by RFC 8375.

Authority to reserve this TLD

.arpa is administered by IANA (https://www.iana.org/domains/arpa):

The .arpa domain is the “Address and Routing Parameter Area” domain and is designated to be used exclusively for Internet-infrastructure purposes. We administer the domain in cooperation with the Internet technical community through the guidance of the Internet Architecture Board. For the management guidelines and operational requirements of the .arpa domain, see RFC 3172.

And IANA have recored home.arpa in its special use domain names registry:

home.arpa. [RFC8375]

In other words the authors of RFC 8375 have been through the correct process to reserve home.arpa. before finalising RFC 8375.

This is a chain of authority that was effectively missing from RFCs that mentioned .home or .corp. Eg: see Errata 4677 on RFC 7788

Answered By: Sam Morris

.home .corp are safe

Question: what would be the best mature path to take in this matter?

ICANN, who have the authority here, have resolved NOT to issue .home .corp, (and .mail) TLDS. They decided this because of possible name collision with private networks.

These three are safe to use for private networks.

Be ware the news papers

Don’t be fooled sensational reads in news papers. There was an application to purchase these TLDs. That application cost $185,000 to make. That application was never approved.

The Register makes for good reading (it often does) but you shouldn’t read this and think that home corp and mail were under threat. The application was flagged as a security & stability risk and so was put on hold indefinitely in 2014.

Why aren’t there more private TLDs?

why don’t we have a plethora of TLDs for private networks?

That’s an interesting question. My guess is there is simply not the need. You could just as easily ask "why do we need three". Private IP ranges have become tricky because of the number of site-site VPNs. But interestingly such VPNs don’t commonly come with DNS meaning the risk of collision for a DNS domain is less than that of private IP CIDR blocks. Also there isn’t a commercial need for private TLD. You can have private DNS records for a public TLD, you just configure your DNS servers not to issue those records outside your internal networks.

Was .corp .home .mail ever under threat – the Facts

https://www.icann.org/resources/board-material/resolutions-2018-02-04-en#2.c

  • In 2012 there was an application to ICANN to purchase corp home mail with the fee of $185,000. This was as part of "the 2012 round of the New gTLD Program". ICANN began through their normal (slow) due diligence.
  • In 2013 The Security and Stability Advisory Committee flagged the issue of name collisions [with private networks].

    Whereas, in March 2013, the SSAC issued SAC057: SSAC Advisory on Internal Name Certificates, wherein the SSAC referred to the issue of "name collision" and provided the ICANN Board with steps for mitigating the issue.

  • In 2014, Despite attempts to analyse the problem and mitigate the issue ICANN resolved to delay the application indefinitely:

    Whereas, on 30 July 2014, the ICANN Board New gTLD Program Committee adopted the Name Collision Management Framework. In the Framework, .CORP, .HOME, and .MAIL were noted as high-risk strings whose delegation should be deferred indefinitely.

  • There were further attempts to find an acceptible mitigation. But none accepted.
  • In 2018 ICANN finally decided the application could not proceed any further and rejected it.

    Resolved (2018.02.04.12), the Board directs the President and CEO, or his designee(s), that the applications for .CORP, .HOME, and .MAIL should not proceed

Further reading

Interestingly the Security and Stability Advisory Committee for ICANN have also suggested there should be a single TLD explicitly reserved for local networks.

https://www.icann.org/en/system/files/files/sac-113-en.pdf

There doesn’t seem to be much progress, perhaps because we are all already using .home .corp.

Answered By: Philip Couling