ICANN proposes .INTERNAL domain for private networking
Using ad hoc private-use TLDs is not good enough
The Internet Corporation for Assigned Names and Numbers (ICANN) has put forth a proposal to create a new top-level domain (TLD) called .INTERNAL, in a bid to streamline internal networking and alleviate DNS conflicts.
Unlike other TLDs, .INTERNAL would be reserved and never delegated in the global domain name system (DNS) root zone, so names under it can only ever be answered by an organisation's own resolvers, keeping the namespace segregated from the broader internet.
ICANN, a non-profit organisation responsible for overseeing the DNS and establishing policies for new generic TLDs, started discussions about a reserved TLD for private networks in September 2020. The aim was to address the proliferation of ad hoc TLD solutions enterprises use, which often lead to uncoordinated naming practices and potential harm to internet users.
According to ICANN's Security and Stability Advisory Committee (SSAC), this practice presents significant challenges. Although such names are meant to stay inside a scoped network, evidence shows that queries for them routinely leak into the global public DNS, resulting in a variety of issues:
- Name collisions: If ICANN later delegates the same string, or during a trial delegation period, internal names and public names collide, leading to unexpected and unpredictable behaviour.
- DNS overload: Queries for non-delegated TLDs that escape the network end up at the root name servers, which must answer every one of them (with NXDOMAIN), adding needless strain to the DNS infrastructure.
- Security vulnerabilities: Names resolved outside the network expose those queries to on-path attacks, compromising confidentiality. The risk persists for as long as the TLD remains in use, even after ICANN's controlled-interruption period for a newly delegated string has ended.
- Name ambiguity: When it is unclear to clients or services in which context a published name applies, the same name can mean different things in different networks, leading to confusion and operational disruption.
- Certificate security risks: Certificates issued by globally trusted Certification Authorities (CAs) for names within these TLDs are a further risk, because the same name exists in many unrelated networks and a certificate for it could be presented in any of them. The CA/Browser Forum Baseline Requirements have prohibited publicly trusted CAs from issuing for such internal names since 2015, so any such certificate still in circulation is itself a warning sign.
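As an added example (not part of this article, nor of ICANN's or SSAC's material), here is how the leakage these points describe can be measured on your own network. The script scans BIND 9-style query-log lines, assumed to be captured at an egress or upstream forwarder, and flags every query for a name under an ad hoc private-use TLD: any such query seen there has already escaped the internal namespace. The TLD list and the sample log lines are constructed for the example and are not real traffic.

```python
"""Detect private-use TLD queries that have leaked past the internal resolver.

Added example for this article; it is not ICANN or SSAC material. It assumes
BIND 9-style query-log lines captured on an egress or upstream forwarder,
where every query for a private-use TLD is by definition a leak: those names
should have been answered (or refused) inside the network and never forwarded.
"""
import re
from collections import Counter

# Ad hoc private-use TLDs commonly seen leaking to the root, plus the
# proposed .internal. This set is an assumption for the example; extend it
# with whatever your own network uses.
PRIVATE_USE_TLDS = frozenset({
    "internal", "corp", "home", "lan", "intranet", "private",
    "local",  # mDNS (RFC 6762); unicast DNS queries for it are leaks too
})

# Captures client address, query name and query type from a BIND 9 query-log
# line such as:
#   client @0x... 10.1.2.3#53211 (git.corp): query: git.corp IN A +E(0)K (10.0.0.2)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def tld_of(qname: str) -> str:
    """Rightmost label of a name, lowercased, tolerating a trailing dot."""
    return qname.rstrip(".").lower().rsplit(".", 1)[-1]


def find_leaks(log_lines, private_tlds=PRIVATE_USE_TLDS):
    """Return (client, qname, qtype) for every query under a private-use TLD.

    Single-label names (no dot at all) are flagged as well: a bare hostname
    that reaches an upstream resolver hits the root exactly as an ad hoc
    TLD does.
    """
    leaks = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. a SERVFAIL or lame-server notice)
        qname = m["qname"].rstrip(".").lower()
        if tld_of(qname) in private_tlds or "." not in qname:
            leaks.append((m["client"], qname, m["qtype"]))
    return leaks


def leaks_by_tld(leaks):
    """Count leaked queries per TLD to see which ad hoc names escape most."""
    return Counter(
        tld_of(qname) if "." in qname else "(single-label)"
        for _, qname, _ in leaks
    )


# Constructed sample log lines (not real traffic). Only the last two names
# follow the recommended practice of a sub-domain of a registered domain.
SAMPLE_LOG = [
    "01-Feb-2024 10:15:32.123 client @0x7f3c2c0a7a30 10.1.2.3#53211 (git.corp): query: git.corp IN A +E(0)K (10.0.0.2)",
    "01-Feb-2024 10:15:33.001 client @0x7f3c2c0a7a30 10.1.2.4#40111 (wiki.internal.): query: wiki.internal. IN AAAA +E(0)K (10.0.0.2)",
    "01-Feb-2024 10:15:34.500 client @0x7f3c2c0a7a30 10.1.9.9#61000 (printer.home): query: printer.home IN A +E(0)K (10.0.0.2)",
    "01-Feb-2024 10:15:35.020 client @0x7f3c2c0a7a30 10.1.2.3#53212 (fileserver): query: fileserver IN A +E(0)K (10.0.0.2)",
    "01-Feb-2024 10:15:36.900 client @0x7f3c2c0a7a30 10.1.2.4#40112 (intranet.example.com): query: intranet.example.com IN A +E(0)K (10.0.0.2)",
    "01-Feb-2024 10:15:37.250 client @0x7f3c2c0a7a30 10.1.2.3#53213 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.2)",
]

if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG)
    for client, qname, qtype in found:
        print(f"LEAK {client} asked for {qname} ({qtype})")
    print("per TLD:", dict(leaks_by_tld(found)))
```

Run against the constructed sample, the names under corp, internal and home plus the bare hostname are reported, while intranet.example.com and www.example.com pass: that is precisely the difference between an ad hoc TLD and the sub-domain-of-a-registered-domain practice SSAC recommends. On a real network, point it at the forwarder's query log; a non-empty result is the list of hosts whose resolver configuration or search list needs fixing, whether or not .INTERNAL is eventually adopted.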
The concept behind .INTERNAL mirrors the private IPv4 address blocks of RFC 1918, such as 192.168.0.0/16: a designated space for internal use within an organisation that is never routed on, or exposed to, the public internet.
During the consultation process, which involved evaluating 35 candidate strings across multiple languages, SSAC assessed each option for memorability and suitability.
The committee narrowed the field to two candidates: .PRIVATE and .INTERNAL.
ICANN then dropped .PRIVATE, because the string could be read as a privacy-related name and carries conflicting meanings across languages, leaving .INTERNAL as the preferred choice.
While ICANN cannot compel private entities to adopt .INTERNAL, it strongly encourages stakeholders - including enterprises, system administrators and private users - to adopt a standardised naming convention for internal resources.
ICANN also stressed that the best practice for private network naming remains using sub-domains of a public domain name the organisation already has registered (for example, a name under corp.example.com), since such names are globally unique and cannot collide with anyone else's.
With the proposed adoption of the .INTERNAL domain scheduled for April 2024, ICANN is now inviting feedback from the internet community to ensure a smooth implementation.