by sjy 2247 days ago
Can’t you just use a Let’s Encrypt cert? The domain needs to be publicly resolvable, but it doesn’t have to resolve to the same IP returned by your internal DNS, and you can use wildcard certificates if you don’t want your internal subdomains to be publicly resolvable at all.
2 comments
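Added example in Python, not code from the post or any commenter, showing the mechanics behind the suggestion above: the `_acme-challenge` TXT record an ACME client needs in the public zone for a DNS-01 wildcard issuance (RFC 8555), the RFC 6125 rule that a wildcard matches exactly one label, and what each issuance option publishes to Certificate Transparency logs. The zone `corp.example.com`, the hostnames and the function names are constructed for illustration.

```python
"""
Wildcard vs per-host certificate planning for an internal zone.
Added example; the zone and hostnames below are constructed, not real.
"""
from __future__ import annotations

ACME_CHALLENGE_LABEL = "_acme-challenge"


def acme_dns01_record_name(identifier: str) -> str:
    """Name of the TXT record the ACME DNS-01 challenge queries (RFC 8555 s.8.4).

    For a wildcard identifier the leading "*." is dropped, so a single public
    TXT record under the zone satisfies the challenge; no internal A record
    ever has to exist in public DNS.
    """
    base = identifier.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"{ACME_CHALLENGE_LABEL}.{base}"


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname with RFC 6125 wildcard rules.

    TLS clients only honour a wildcard that is the entire leftmost label, and
    it stands for exactly one label: *.corp.example.com covers
    vpn.corp.example.com but not db.prod.corp.example.com and not
    corp.example.com itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial (f*.example.com) or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # *.com would be a public-suffix wildcard; CAs will not issue it
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands for exactly one label
    return h_labels[1:] == p_labels[1:]


def plan_certificates(internal_hosts: list[str], zone: str) -> dict:
    """Compare per-host SANs with one wildcard for the same internal hosts.

    Returns what each option publishes to Certificate Transparency logs
    (every issued SAN is logged and publicly searchable), which hosts the
    wildcard covers, and the TXT record the DNS-01 challenge will query.
    """
    zone = zone.lower().rstrip(".")
    wildcard = f"*.{zone}"
    per_host_sans = sorted({h.lower().rstrip(".") for h in internal_hosts})
    covered = [h for h in per_host_sans if cert_name_matches(wildcard, h)]
    uncovered = [h for h in per_host_sans if h not in covered]
    return {
        "per_host_ct_names": per_host_sans,
        "wildcard_ct_names": [wildcard],
        "wildcard_covers": covered,
        "wildcard_does_not_cover": uncovered,
        "dns01_txt_record": acme_dns01_record_name(wildcard),
    }


if __name__ == "__main__":
    # Constructed internal hostnames; db.prod.* sits one label deeper than the wildcard reaches.
    hosts = ["vpn.corp.example.com", "wiki.corp.example.com", "db.prod.corp.example.com"]
    for key, value in plan_certificates(hosts, "corp.example.com").items():
        print(f"{key}: {value}")
```

The `wildcard_does_not_cover` entry is the usual surprise: a host two labels below the zone needs its own wildcard (`*.prod.corp.example.com`) or its own SAN, and each of those is a separate line in public CT logs.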

> The domain needs to be publicly resolvable

The company TLD was purposely built to hide behind the LAN. Being publicly resolvable is a huge security risk. Public recursive resolvers will log where and when a user visits an internal site.

Why not have the public resolver resolve everything to a “Your DNS is misconfigured; contact IT” static page?

Not if you use an internal resolver.

Now your internal infrastructure depends on Let’s Encrypt as well as an external DNS registrar.