On Friday, 7 November 2025 22:41:25 Central European Standard Time Michael Richardson wrote:
> Joe Abley <[email protected]> wrote:
> > I presented today in Montréal about our proposal
> > draft-jabley-dnsop-zone-cut-to-nowhere.
> >
> > https://datatracker.ietf.org/doc/draft-jabley-dnsop-zone-cut-to-nowhere/
>
> Interesting.
> I think that this is useful work, and we should do something here.
> In places where I have deployed "internal.example.com"/"corp.example.com",
> (and I significantly prefer this over split-horizon DNS)
> with the authoritative name servers only accessible from "inside",
> I have intentionally used unrouted IPv6 (GUA) for the NS.
>
> People's VPN clients are then configured to bring up the VPN when there is
> traffic to that prefix. Thus, the act of asking for
> www.internal.example.com attempts to bring up the VPN to get there.
> If the VPN fails, then the name does not resolve, but it's not unknown.
> (I find this much better than using RFC9704)

Not gonna lie, even as a major proponent of .internal and .lan before it, I am
starting to get more and more tempted to just tie it to nixmagic.com if it's
going to require extra keystrokes / DHCP search domains anyway. Just works
better with things like TLS too, even if internal (webserver can do ACME
challenges, those certs can be deployed elsewhere later).

And I do want to make all my DNS traffic hit my own authoritative servers, if
they are going to exert nonstandard(-ish) behavior of any kind.

That being said, I am no less inclined to keep progress on .internal going. We
are disproportionately likely to own public domains, which does not reflect
well to outside the IETF community.

--
[Met vriendelijke groet] [Best regards] [Michael De Roover]
--- --- --- ---
[Mail] [*@nixmagic.com] [michael@[email protected]]
[Web] [https://michael.de.roover.eu.org]
[Forge] [https://git.nixmagic.com]
[Weather] [Antwerpen] [23:00] [12.1°C]
--- --- --- ---
[0] [2025-11-07 23:56 CET] [~]
[[email protected]] [$] [/usr/bin/sign-mail] [>_]
--- --- --- ---
