Hacker News new | ask | show | jobs
by mezzode 878 days ago
As others have mentioned there already is the ".home.arpa" TLD but I definitely think ".internal" is a step up in terms of clarity. That said, for my internal network I just put things under a subdomain of a domain I own so I can use HTTPS with a proper SSL cert
3 comments
eqvinox 877 days ago
> I just put things under a subdomain of a domain I own

Yup, same here. Great in combination with ACME DNS-01 so your DNS server can request all those certificates and then push them out to your devices. (Otherwise the hostnames need to be externally accessible, which means either exposing the internal devices, or mucking around with split-view DNS. The former is a terrible idea, the latter is also DNS server complexity and worse than doing DNS-01 IMHO.)

link
mdaniel 877 days ago
IMHO if you are already doing some process of "push certificates out to devices," you'll likely be much happier with getting a wildcard cert using DNS-01 and change that update process from "all devices all the time according to their schedule" over to "all devices but once every 80 days"

I do appreciate the threat model of one device getting owned leaks all your certs but security is always a trade-off between security and convenience. It also lowers the load upon the LE servers, for what that's worth

link
eqvinox 877 days ago
Not sure everything updating at the same time is more "convenient" than staggered failures. For one, if multiple things break at the same time, it's easier to lock yourself out of things in more complicated ways. Also it's generally the first refresh that breaks, and everything at once only helps when you freshly roll out certs to a whole bunch of devices… if you add things incrementally (e.g. either because you finally get around to it, or you just bought something new) it makes no difference if it's all in the same cycle. Except now you have a wildcard cert floating around…
link
MaxBarraclough 877 days ago
That seems like a great way to go - get it signed the normal way and TLS will 'just work', no messing about configuring trust on your devices.

Will this be possible with .internal ?

link
8organicbits 877 days ago
The TLS cert will either be self-signed or you'll need to run a private CA. A public CA won't issue you a cert as you can't own any .internal domain.
link
ahoka 877 days ago
You can use a proper certificate with any domain you like.
link
eqvinox 877 days ago
except not with .home.arpa .internal .lan or whatever else, since you don't have "domain ownership"
link