by nonameiguess
1612 days ago
Link-local mDNS only works within a single broadcast domain, and a single home LAN can have many broadcast domains. The ask here is to have a reserved TLD that can be resolved by an actual DNS server, but only locally, and that public CAs will recognize as a valid TLD. Much home router software right now that includes a DNS server will automatically add .localdomain entries for all hosts on that router's LAN, but I think the issue is public CAs won't issue you a cert for something like "wiki.localdomain" because many people would be asking for the same name, so you're forced to stand up your own CA and add it to the thousand different trust stores that all applications on all of your devices use. It'd be nice to have a TLD in which no one can ever own the names, so many people can be issued the exact same certificate, with a guarantee that no resolver will ever go beyond its own LAN to return an address.
How do you define that boundary, when it's not the broadcast domain? Even if it is the broadcast domain, I'm not sure that makes a reasonable boundary for people at a coffeehouse, etc.
If there's consensus that for some domain, certificates don't actually mean anything, because anyone can get a CA to issue it, there should also be consensus to accept self-signed certificates for that domain.