Authoritative Server - Referrals to root

Jim Reid jim at rfc1035.com
Fri Apr 8 14:26:53 UTC 2005 

>> If there's something I've overlooked, please tell us.
>
> 1) /IF/ a TLD named "internal" were created, it seems likely and 
> obvious
>    that there's a good chance it would be created for purposes 
> apparently
>    relating to the meaning of the word, and hence would likely be the
>    equivalent of 10-net space.

First of all, that assumption may not be the justification for the 
creation of that TLD if it ever does get created. RFC2606 "reserved" 
some TLD labels, even though its just a BCP. .internal wasn't one of 
them. BTW that RFC says the labels are for "private testing of existing 
DNS related code, examples in documentation, DNS related 
experimentation, invalid DNS names, or other similar uses": nothing 
about internal naming schemes.

Secondly, you're confusing a bogus, internal-use-only TLD, with a valid 
domain name. Creating your own private copy of 10.in-addr.arpa (or any 
other reverse zone for RFC1918 nets) is mostly harmless.  On the 
internet, 10.in-addr.arpa already exists and has a defined purpose. 
This can't be said for your .internal TLD. In fact, private copies of 
the reverse zones for RFC1918 nets is a Very Good Thing. It takes a lot 
of bogus traffic away from the root servers. [Check out the AS112 
project.] There is of course a whole world of pain whenever two or more 
of these nets are merged: say when the intranets of two organisations 
are joined together after a merger or acquisition.

Note that I'm not saying having a TLD like .internal for private 
purposes is a Bad Thing. It's just that the name of that TLD needs to 
be agreed and documented. The name shouldn't just be plucked out of 
thin air. If a domain name is to be used for internal purposes, its 
name should be one that's been expressly set aside for that purpose. ie 
Those using that name can be certain it's not going to appear on the 
public internet. That holds irrespective of whether the chosen 
internal-only domain is a TLD or not.

> 2) /IF/ a TLD named "internal" were created which was not actually 
> intended
>    for internal use, but, perhaps, was meant for domain names for 
> doctors
>    of internal medicine, or some other lameness, well, really, it's 
> /not/
>    that hard to do s/internal/foo/ in your zones tree.

That would be the easy bit. You then have to go through every desktop, 
bookmark, hyperlink and application in your net to make sure they now 
use your bogus foo TLD instead of your bogus internal TLD. Then you get 
to repeat that when ICANN  gets around to creating .foo. :-)

> It seems highly unlikely to happen.

When it comes to ICANN and TLDs, anything is possible. :-) There are 
some voices at ICANN who advocate there should be thousands of TLDs and 
market forces can decide which ones survive and which ones don't. If 
those voices get elected or become the orthodox viewpoint....

> 3) There's generally plenty of warning of up and coming new TLD's, so
>    neither 1 nor 2 are currently an issue, and by the time it would 
> be, it
>    still isn't because we'd have done something about it.

In other words, tough nuts for you. As I said already.

> We, however, have lots of boxes out at customer sites, and since our
> customers are allowed to renumber and move equipment on their networks 
> as
> dictated by their own engineering needs, the complexity of such a 
> solution
> started to get a bit much.  Our particular deployment design involves
> having a private 10-net address for each server (simply the public IP
> address/netmask, with the first octet changed to 10) for intraserver
> transfer, management, and other various purposes. This particular 
> solution
> allows us to call the external interface "${hostname}", and the 
> internal
> interface "${hostname}.internal", which has a nice symmetry, and can be
> automatically derived.

So could "internal.${hostname}".

> I guess the interesting question is how many operational resolution 
> issues
> are there at sites that have installed RFC1918 zones as local masters?

There shouldn't be any. If a net is using RFC1918 addressing it really 
must run reverse DNS for the corresponding in-addr.arpa zones. That 
stops reverse lookups for these nets going to the root servers and 
getting punted to the AS112 servers.

More information about the bind-users mailing list