[HN Gopher] Special-Use Domain 'Home.arpa.' (2018)
___________________________________________________________________
Special-Use Domain 'Home.arpa.' (2018)
Author : mcp_
Score : 33 points
Date : 2024-06-03 21:07 UTC (1 hour ago)
(HTM) web link (datatracker.ietf.org)
(TXT) w3m dump (datatracker.ietf.org)
| Y_Y wrote:
| https://home.arpa
| qwertox wrote:
| DNS_PROBE_FINISHED_NXDOMAIN. Is it different at your end or why
| are you posting this?
| egberts1 wrote:
| Because, it is the INTERNET! ( _cough_ _cough_ )
|
| Seriously, I run ARPA-NET in my home.internet, as well as IPX
| (Banyan VINES) and Frame Relay/X.25. Yeah, it's what I do.
| Also encrypted MAC-layers too.
|
| Now the real kicker is maintaining DNSSEC for my
| home.internet. A real exercise in extremity (but not futility
| yet it is doable)
| thot_experiment wrote:
| I just use home.com for all my home automation stuff, it's a lot
| easier to explain to houseguests than home.home.arpa would be.
| qwertox wrote:
| The issue with this is that you can't create certificates this
| way.
|
| Assume you own example.com, then you can issue a free
| certificate for *.example.com and use that certificate for all
| your home services. Using HTTPS in the intranet does have its
| benefits and eases coding when services require SSL.
|
| If you host vaultwarden.example.com in your intranet, then you
| don't have to publish the subdomain on a public nameserver;
| it's enough that your intranet DNS resolver can respond with
| the local A or AAAA record for vaultwarden.example.com and it's
| covered by the wildcard certificate.
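The wildcard certificate described in the comment above only covers names that match under the rules browsers apply, which is worth checking before pointing an intranet resolver at it. The following Python is an added example, not code from the thread or from any project linked in it. It implements the RFC 6125 section 6.4.3 wildcard rule as browsers enforce it (the `*` must be the whole left-most label and stands for exactly one label), the SAN list is constructed, and it goes slightly beyond the comment by also refusing a bare-TLD wildcard such as `*.com`.

```python
"""Does a certificate's dNSName SAN list cover a given intranet host name?

Browsers apply RFC 6125 section 6.4.3 strictly: '*' is only honoured as the
entire left-most label, and it matches exactly one label.  That is why
*.example.com covers vaultwarden.example.com but not a.b.example.com.
"""
from typing import List


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    name = name.strip().rstrip(".").lower()
    if not name or ".." in name:
        raise ValueError(f"malformed host name: {name!r}")
    return name.split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry (possibly a wildcard) covers hostname."""
    p = _labels(pattern)
    h = _labels(hostname)
    if "*" not in pattern:
        return p == h                      # plain name: exact label match
    # Wildcard must be the whole left-most label and appear nowhere else.
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False
    # A wildcard covering a whole TLD ("*.com") is refused, as browsers do.
    if len(p) < 3:
        return False
    # Exactly one label may stand in for '*', so label counts must agree.
    if len(h) != len(p):
        return False
    return h[1:] == p[1:]


def covered_by(cert_sans: List[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in cert_sans)


# Constructed SAN list of the kind a free wildcard certificate would carry.
SANS = ["example.com", "*.example.com"]


def demo() -> dict:
    """Which intranet names would this certificate be valid for?"""
    return {
        h: covered_by(SANS, h)
        for h in (
            "vaultwarden.example.com",  # covered by *.example.com
            "example.com",              # covered by the bare entry
            "a.b.example.com",          # not covered: wildcard is one label
            "vaultwarden.example.org",  # not covered: different suffix
        )
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'covered' if ok else 'NOT covered'}")
```

Two practical consequences follow from the one-label rule: a host that the intranet resolver names two labels deep, such as vaultwarden.home.example.com, is not covered by `*.example.com` and needs its own certificate or a `*.home.example.com` wildcard; and because every internal host terminating TLS then holds the same wildcard private key, compromising any one of them exposes a key valid for the whole domain, so per-host certificates are the safer choice where the effort is acceptable.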
| codetrotter wrote:
| > you can't create certificates this way
|
| Sure I can. It's my network, so I decide what root CAs are
| trusted. Be your own CA, and tell your computers to trust
| your own CA cert.
|
| For example:
|
| https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-
| pi...
|
| or
|
| https://github.com/jsha/minica
| lytedev wrote:
| Per GP, this will be VERY difficult to explain to
| houseguests.
| codetrotter wrote:
| Why?
|
| Specifically, what I mean is, if you have house guests
| that care enough about your LAN that they actually _want_
| to access any of the services you have running on it - it
| shouldn't be difficult to explain to them why and how to
| trust your CA.
|
| The main difficulty IME is getting any of your guests to
| care about your LAN services in the first place.
| 0x457 wrote:
| I'm sorry, but if you ask me to install your private CA
| on any of my devices... I would politely tell you to
| stop.
|
| As for house guests, I really like what OnHub did - you
| could allow anyone to network to control certain IoT
| devices. When someone was house sitting for me, they
| could control the thermostat, lights, etc. from their
| phone without any apps or "add household member"
| shenanigans.
| cortesoft wrote:
| And how are you going to distribute these certificates to
| your houseguests?
| codetrotter wrote:
| I run a plain http server on the LAN that hosts a copy of
| the public part of the CA cert. Download it from there
| and add it to your trusted CAs.
| shawnz wrote:
| When you're a guest at a friend's house, for example, you
| would have no problem installing their root CA in exchange
| for the privilege of using their network? Wouldn't you find
| that to be a little bit antisocial or overbearing?
| thot_experiment wrote:
| I can just link people from home.com to a page with an ssl
| cert if it became necessary for some reason. I'm curious what
| benefits you're thinking using HTTPS on my intranet would
| have (other than circumventing increasingly overzealous
| browser vendor API lockdowns)
|
| (on that note, is there a chromium/firefox build available
| that disables all that garbage so I can test in peace without
| having to reverse proxy my dev server?)
| paulddraper wrote:
| But you have to explain the insecure connections?
| thot_experiment wrote:
| Why would they care? There's no reason to serve my home
| automation stuff over https.
| nick0garvey wrote:
| I use this for everything at my house. I haven't had any issues.
| bhaney wrote:
| That's cool, but it's ugly so I'm going to keep using a
| technically-incorrect-but-works-fine alternative
| alyandon wrote:
| I thought about going that route but ultimately decided to hijack
| .home internally for my home network.
| greggsy wrote:
| .home is fine, but .local is used by mDNS like Bonjour. In
| practice, it doesn't seem to cause many problems for printers
| and AirPlay.
| greggsy wrote:
| I'm holding out for a draft RFC to deprecate .local for mDNS, and
| allow it to be used for local domains. It's practically
| infeasible, but one can wish.
| dark-star wrote:
| Same here. We set up our company's intranet using a `.local`
| address long before mDNS was a thing. Needless to say it causes
| a lot of pain on a daily basis.
|
| On almost every linux installation we have to tweak
| `/etc/nsswitch.conf` for it to work.
|
| I doubt it'll ever happen but hey, one can wish :)
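The nsswitch tweak mentioned above exists because of how glibc walks the `hosts:` line once nss-mdns is installed. The following Python is an added example, not code from the thread or from glibc or nss-mdns: it is a small interpreter for the `hosts:` line, with the real NSS modules replaced by constructed stand-ins whose behaviour follows nsswitch.conf(5) and the nss-mdns documentation (`mdns4_minimal` only handles names ending in `.local`, returns NOTFOUND when multicast has no answer, and UNAVAIL for any other name). The host names and 192.0.2.0/24 addresses are constructed.

```python
"""Model of how glibc walks the 'hosts:' line of /etc/nsswitch.conf.

Shows why a unicast-DNS '.local' zone stops resolving once nss-mdns is
installed with the usual default line.  Modelled behaviour (nsswitch.conf(5),
nss-mdns README):
  * mdns4_minimal only handles names ending in .local (and 169.254/16
    reverse lookups); for any other name it returns UNAVAIL, so the lookup
    moves on to the next source.
  * For a .local name with no multicast reply it returns NOTFOUND.
  * '[NOTFOUND=return]' after a source ends the lookup when that source
    returns NOTFOUND, so 'dns' is never asked about intranet.local.
The NSS modules themselves are replaced by constructed stand-ins.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, NOTFOUND, UNAVAIL = "success", "notfound", "unavail"
# Default actions per nsswitch.conf(5): only SUCCESS stops the walk.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue", UNAVAIL: "continue"}

Source = Callable[[str], Tuple[str, Optional[str]]]


def parse_hosts_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """'hosts: files mdns4_minimal [NOTFOUND=return] dns' ->
    [('files', {}), ('mdns4_minimal', {'notfound': 'return'}), ('dns', {})]"""
    body = line.split(":", 1)[1] if ":" in line else line
    entries: List[Tuple[str, Dict[str, str]]] = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", body):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action list without a preceding source")
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok, {}))
    return entries


def make_sources(mdns_answers: Dict[str, str], dns_answers: Dict[str, str]) -> Dict[str, Source]:
    """Constructed stand-ins for the files, mdns4_minimal and dns modules."""
    def files(name: str):
        return NOTFOUND, None            # nothing in /etc/hosts for our names

    def mdns4_minimal(name: str):
        if not name.endswith(".local"):
            return UNAVAIL, None         # not mine: let the next source try
        addr = mdns_answers.get(name)
        return (SUCCESS, addr) if addr else (NOTFOUND, None)

    def dns(name: str):
        addr = dns_answers.get(name)
        return (SUCCESS, addr) if addr else (NOTFOUND, None)

    return {"files": files, "mdns4_minimal": mdns4_minimal, "dns": dns}


def resolve(hosts_line: str, name: str, sources: Dict[str, Source]) -> Optional[str]:
    """Walk the sources in order, honouring per-status actions."""
    for src, actions in parse_hosts_line(hosts_line):
        status, addr = sources[src](name)
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return addr                  # None when the walk stops on NOTFOUND
    return None


# The common default line once nss-mdns is installed, and one fix:
# dropping the action lets the lookup fall through to unicast DNS.
DEFAULT_LINE = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
FIXED_LINE = "hosts: files mdns4_minimal dns"

# Constructed answers; 192.0.2.0/24 is documentation address space.
SOURCES = make_sources(
    mdns_answers={"printer.local": "192.0.2.9"},
    dns_answers={"intranet.local": "192.0.2.10", "www.example.com": "192.0.2.20"},
)

if __name__ == "__main__":
    for line in (DEFAULT_LINE, FIXED_LINE):
        print(line)
        for n in ("intranet.local", "printer.local", "www.example.com"):
            print(f"  {n:18} -> {resolve(line, n, SOURCES)}")
```

Running it shows that non-`.local` names are unaffected either way, and that removing `[NOTFOUND=return]` makes `intranet.local` resolve again. The trade-off is that every `.local` name multicast cannot answer is then also sent to the unicast DNS server, which is exactly the leakage the default action is there to prevent; that is the daily pain the comment describes, and why the thread's advice to pick a different suffix is the cleaner fix.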
| anderskaseorg wrote:
| That will never happen, but RFC 6762 suggests some other
| options for private networks: .intranet, .internal, .private,
| .corp, .lan.
|
| https://datatracker.ietf.org/doc/html/rfc6762#appendix-G
|
| ICANN seems to be in the process of finalizing a proposal to
| officially reserve .internal for this purpose.
|
| https://www.icann.org/en/announcements/details/icann-seeks-f...
| rootbear wrote:
| My Verizon FIOS router came with the ridiculous default domain
| "mynetworksettings.com". I haven't changed it yet, because I
| wasn't sure about .local vs .home and whether changing it would
| break something. As an OG ARPANET user, I rather like the idea of
| having a home "arpanet" so I think I'll give home.arpa a try!
| NewJazz wrote:
| Hey, at least Verizon bothered to register the domain.
| urda wrote:
| I use lan.urda.com for mine. Looooove having a public and private
| DNS record set.
| quincepie wrote:
| There was also a proposal for ICANN to reserve ".internal"
| (earlier this year) which is what I currently use. I suppose
| home.arpa has the advantage of being strictly resolved in the
| local zone while ".internal" would be more for anything in a
| private network (or a large multi zone network)?
|
| [1] https://www.icann.org/en/public-
| comment/proceeding/proposed-...
| titanomachy wrote:
| I'd need to self-sign my certificates, right? So any guests in my
| house (assuming a modern browser) would be presented with a big
| ugly security warning after navigating to a local home.arpa site?
|
| I pay $10/year for a custom domain on my country's TLD and host
| any local stuff on that, so I can use proper CA-signed
| certificates which are trusted by default. But I could see this
| being useful if I was only using my own clients.
| hackcasual wrote:
| There's a ton of gTLDs too, I just grabbed a cheap one and
| ACME-fied all my lan services
| riffic wrote:
| [RFC 8375]
| kstrauser wrote:
| ICANN has proposed using .internal; see
| https://news.ycombinator.com/item?id=39152306.
| mrbluecoat wrote:
| And how is .home.arpa better than RFC-2606 .test, .example,
| .invalid, or .localhost?
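Whatever suffix a network settles on, the names in this question and in the earlier comment listing the RFC 6762 appendix G suggestions and ICANN's proposed .internal share one property: they are meant to be answered inside the network, so a resolver forwarding them upstream is a sign of a misconfigured stub or split-horizon setup. The following Python is an added example, not code from the thread or from any resolver: it classifies query names on label boundaries (so myhome.arpa and 10.in-addr.arpa are not flagged) and scans a few constructed resolver log lines, in a log format invented for the example, for such names sent to an upstream server. The suffix list comes from the documents the thread cites; .example is left out because RFC 6761 says resolvers should treat example names as ordinary names, and the appendix G names and .internal are not reserved, so a hit on them only matters if you actually use them internally.

```python
"""Flag queries for locally-scoped domains that a resolver forwarded upstream.

Suffixes, from the documents cited in the thread:
  home.arpa                    RFC 8375, default zone for a home network
  local                        RFC 6762, multicast DNS
  localhost, test, invalid     RFC 2606 / RFC 6761 special-use names
  internal                     ICANN's proposed private-use TLD
  intranet, private, corp, lan RFC 6762 appendix G suggestions (not reserved)
'.example' is deliberately absent: RFC 6761 says resolvers should treat
example names as ordinary names.  Matching is on label boundaries.
"""
import re
from typing import List, Optional, Tuple

LOCAL_ONLY: List[Tuple[str, str]] = [
    ("home.arpa", "RFC 8375 home network zone"),
    ("local", "RFC 6762 multicast DNS"),
    ("localhost", "RFC 6761 loopback"),
    ("test", "RFC 6761 testing"),
    ("invalid", "RFC 6761 always-invalid"),
    ("internal", "ICANN proposed private-use TLD"),
    ("intranet", "RFC 6762 appendix G suggestion"),
    ("private", "RFC 6762 appendix G suggestion"),
    ("corp", "RFC 6762 appendix G suggestion"),
    ("lan", "RFC 6762 appendix G suggestion"),
]


def _labels(name: str) -> List[str]:
    return name.strip().rstrip(".").lower().split(".")


def local_only_reason(qname: str) -> Optional[Tuple[str, str]]:
    """Return (suffix, why) if qname lies under a locally-scoped domain."""
    q = _labels(qname)
    for suffix, why in LOCAL_ONLY:
        s = suffix.split(".")
        if len(q) >= len(s) and q[-len(s):] == s:   # whole labels only
            return suffix, why
    return None


# Constructed resolver log format; 192.0.2.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for LAN clients and the upstream resolver.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+) "
    r"(?P<outcome>answered locally|forwarded to (?P<upstream>\S+))$"
)

SAMPLE_LOG = [
    "2024-06-03T21:07:01Z query[A] vaultwarden.home.arpa from 192.0.2.5 answered locally",
    "2024-06-03T21:07:02Z query[AAAA] vaultwarden.home.arpa from 192.0.2.5 forwarded to 203.0.113.53",
    "2024-06-03T21:07:03Z query[A] nas.local from 192.0.2.7 forwarded to 203.0.113.53",
    "2024-06-03T21:07:04Z query[A] news.ycombinator.com from 192.0.2.5 forwarded to 203.0.113.53",
    "2024-06-03T21:07:05Z query[A] myhome.arpa from 192.0.2.9 forwarded to 203.0.113.53",
    "2024-06-03T21:07:06Z query[PTR] 5.2.0.192.in-addr.arpa from 192.0.2.5 forwarded to 203.0.113.53",
]


def find_leaks(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(qname, matched suffix, upstream) for every forwarded local-only query."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["upstream"] is None:
            continue                         # unparsable, or answered locally
        hit = local_only_reason(m["qname"])
        if hit:
            leaks.append((m["qname"], hit[0], m["upstream"]))
    return leaks


if __name__ == "__main__":
    for qname, suffix, upstream in find_leaks(SAMPLE_LOG):
        print(f"LEAK {qname} (under .{suffix}) sent to {upstream}")
```

On the sample lines only the AAAA lookup for vaultwarden.home.arpa and the nas.local lookup are reported: the first is a typical gap where a local zone answers A but not AAAA records and the resolver falls through to its forwarder, the second is the `.local`-over-unicast problem discussed earlier in the thread. Adapting `LOG_RE` to your resolver's real log format is the only change needed to run this over production logs.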
| yjftsjthsd-h wrote:
| Because devices on my home network aren't examples, aren't
| invalid, aren't (all) localhost, and aren't (necessarily) for
| testing.
| lukevp wrote:
| What about devices on my work network? Is work.arpa a thing?
| Or are the labels arbitrary?
| NewJazz wrote:
| work.arpa is not a thing, but you could use .internal for
| corporate stuff.
| icedchai wrote:
| I use int.example.com for my home network, where example.com is a
| domain I've had for 30 years. Domains didn't cost anything back
| then!
| NewJazz wrote:
| This RFC is recommending a _default_, _non-unique_ domain for
| residential routers to ship with.
|
| If you have a domain of your own, by all means use it. Most
| residential network operators don't.
| betaby wrote:
| What exactly does that mean? 'example.com' is registered to
| IANA since 1992.
| gl-prod wrote:
| OC replaced the real domain with example.com. Could have used
| int.google.com.
| throwanem wrote:
| It means grandparent commenter ain't sayin':
|
| > where example.com is a domain I've had for 30 years
|
| (That domain has that reservation specifically for use in
| arbitrary examples, as here.)
___________________________________________________________________
(page generated 2024-06-03 23:00 UTC)