by samwillis 1612 days ago
Well there is already .local, so I suppose what you are asking for is a simple way to do TLS with .local?

I’m not well enough versed in TLS and certs; I assume a wildcard self-signed cert for .local is a bad idea?

https://en.m.wikipedia.org/wiki/.local


Link-local mDNS only works within a single broadcast domain, and a single home LAN can have many broadcast domains. The ask here is to have a reserved TLD that can be resolved by an actual DNS server, but only locally, and that public CAs will recognize as a valid TLD.

Much home router software right now that includes a DNS server will automatically add .localdomain entries for all hosts on that router's LAN, but I think the issue is public CAs won't issue you a cert for something like "wiki.localdomain" because many people would be asking for the same name, so you're forced to stand up your own CA and add it to the thousand different trust stores that all applications on all of your devices use.

It'd be nice to have a TLD in which no one can ever own the names, so many people can be issued the exact same certificate, with a guarantee that no resolver will ever go beyond its own LAN to return an address.

> guarantee that no resolver will ever go beyond its own LAN to return an address.

How do you define that boundary when it's not the broadcast domain? Even if it is the broadcast domain, I'm not sure that makes a reasonable boundary for people at a coffeehouse, etc.

If there's consensus that for some domain, certificates don't actually mean anything, because anyone can get a CA to issue it, there should also be consensus to accept self-signed certificates for that domain.

> If there's consensus that for some domain, certificates don't actually mean anything, because anyone can get a CA to issue it, there should also be consensus to accept self-signed certificates for that domain.

Or my preferred hybrid approach: use a self-signed certificate and include the fingerprint (base32-encoded) in the domain name. The browser would recognize this pattern and accept the certificate, for that one domain, because it already meets all the requirements for domain validation. Discovery remains an issue–we need browsers to list the local mDNS services—but once you have the URL you can bookmark it and know that no other device can impersonate that domain/certificate combination.
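As an added illustration of the fingerprint-in-hostname idea in the comment above (example code, not anything a commenter posted), assuming a hypothetical suffix `fp.example`, SHA-256 as the fingerprint hash, and a constructed byte string standing in for a DER certificate:

```python
import base64
import binascii
import hashlib
import hmac

# Hypothetical suffix under which fingerprint-named hosts live (assumption).
SUFFIX = "fp.example"

# Constructed stand-ins for DER-encoded certificates; not real certificates.
CERT_A = b"constructed-not-a-real-DER-certificate-A"
CERT_B = b"constructed-not-a-real-DER-certificate-B"


def fingerprint_label(cert_der: bytes) -> str:
    """SHA-256 of the DER bytes, base32 without padding, lowercased.
    32 bytes become 52 base32 characters, which fits in one 63-octet DNS label."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def hostname_for(cert_der: bytes) -> str:
    """Build the self-certifying hostname for a certificate."""
    return f"{fingerprint_label(cert_der)}.{SUFFIX}"


def cert_matches_hostname(hostname: str, cert_der: bytes) -> bool:
    """Client-side check: accept the self-signed certificate only if the first
    label of the hostname is the SHA-256 fingerprint of exactly this certificate.
    DNS names are case-insensitive, so the label is normalised before decoding."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[1:]) != SUFFIX:
        return False
    label = labels[0]
    if len(label) != 52:
        return False
    try:
        # 52 base32 chars need 4 '=' of padding to decode back to 32 bytes.
        claimed = base64.b32decode(label.upper() + "====")
    except (binascii.Error, ValueError):
        return False
    actual = hashlib.sha256(cert_der).digest()
    # Constant-time comparison of the claimed and actual fingerprints.
    return hmac.compare_digest(claimed, actual)


if __name__ == "__main__":
    host = hostname_for(CERT_A)
    print(host, cert_matches_hostname(host, CERT_A), cert_matches_hostname(host, CERT_B))
```

Note that this only binds the name to one key; discovery of the name in the first place is a separate problem, as the comment says.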

I thought .home.arpa[1] was the preferred TLD for internal residential home networks now, not .local

I use my own CA root and individual certificates for each of my internal machines that use TLS.

1: https://datatracker.ietf.org/doc/html/rfc8375