The days of .dev domains for testing code are over(medium.engineering) |
The days of .dev domains for testing code are over(medium.engineering) |
The "internal purposes" misconception stems from the TLD-wide wildcard DNS entry pointing to 127.0.53.53 that is required by ICANN's Controlled Interruption process for all new gTLDs. For more info see here: https://www.icann.org/resources/pages/name-collision-ro-faqs...
(Source: I'm the lead engineer of Google Registry.)
Of course, I could change my ways and start using a different naming system: I notice a lot of development shops using .local, albeit for same machine dev & testing.
Edit: lol. tried to use 'star'.dev, but it came out in italics!
It turns out that part of the way the internet is declared to work includes reserved TLDs to be used for testing. So the burden of responsibility for avoiding a situation such as the article describes lies on the developer to use one of those reserved TLDs instead of ".dev", which anyone could (and now, has) come to control.
https://en.wikipedia.org/wiki/.local#Microsoft_recommendatio...
Just buy medium-devel.com or something and make it resolve to 127.0.0.1 in internal DNS. This gets you a couple of benefits:
- No one will ever take it from you
- You can configure it in external DNS if you'd like
- You can get a real, publicly-trusted SSL certificate for it, for free, because Let's Encrypt can resolve DNS challenges against it
(By the way, you want to get an SSL certificate for internal development, because of the policy - Chrome-initiated but now followed by the HTML standards folks in general - to require HTTPS for fancy new features like geolocation and service workers: https://www.chromium.org/Home/chromium-security/prefer-secur... If you don't have HTTPS of some sort, you can't test these features locally.)
Something that pisses me off even more is that a few months back there was an IETF draft to specify the .home TLD to only resolve local network requests. It seemed pretty reasonable, but there was pushback and it was changed to home.arpa, since the .arpa TLD is already restricted. So big companies can pick up any TLD they want, but regular users will forever be forced to type in extra characters.
There are no gTLDs intended only for internal company use. There are many that are intended for only a single companyto use them, though externally.
For example, the .americanexpress gtld (https://www.nic.americanexpress/) will only provide domains to entities affiliated with american express.
Same with .dodge, and .google, and many many others.
ICANN handled this quite well -- they let others object to applications, let anyone who may have a trademark or reason to claim the word was generic come forwards, left time for comments, etc etc.
If you're objecting to this now, not back when the program was being formed, you clearly handled this poorly by not being involved in something you care about.
If you don't care and weren't involved, you also don't have the full picture and your outrage very well might be misplaced.
> If you don't care and weren't involved, you also don't have the full picture and your outrage very well might be misplaced.
That's an unhelpful and unreasonable response. You shouldn't blame people for not being attuned to the activities an obscure bureaucracy (the gTLD process), just because they might be affected by it. The gTLD process has a problem, not the people negatively affected by it.
There really ought to be a long post-implementation objection period for gTLDs, and the existing process should be changed to allow for that. The top goal of the DNS system right now should be to not break stuff, and that should override any entity's desire to buy a gTLD for $$$.
Mostly I tend to see companies either inventing an unregistered TLD, often using their own company name, or they use ".local", which can cause issues - some systems treat this name specially.
A third option would be putting all internal names under an "internal.yourcompany.com", but that's long and annoying.
Ideally I'd like to see a ".private" or ".internal" TLD recognised as special-use under the same semantics as ".test". Does anyone have any better option?
Is that monopolistic behaviour?
No. Acquiring the TLD has nothing to do with any monopoly, so it's just a browser decision made by Chrome, and it isn't locking anybody out of any markets.
It's also technically not even a change to the status quo. Beforehand, you weren't supposed to be using .dev like that. As the article says, you should have been using .test or .invalid. After Google's actions, you still shouldn't have been using .dev and should have been using .test or .invalid. You can't hear my tone, but I don't mean that in the imperative or angry; we've pretty much all screwed that up at some point. But a screw-up it was.
This is like Ford registering ".car" gTLD for themselves (although actually worse).
> It's also technically not even a change to the status quo.
If it wasn't a change to the status quo, they would have just used the exact same test domains you mention. You're saying that what we should not have done, is okay for Google to do.
So it isn't exactly a shock that this bad practice is going to bite its users. I think the reason it's getting headlines is why it's biting those users now, all at once.
Lobby google through petitions and collective developer action to surrender their .dev TLD and create an RFC that makes it reserved for developer used, similarly to .example and .test.
A case can be made. How strong it will be remains to be seen. I hope Google can see the greater good in this. They have a lot of good will to win amongst the developer community.
Remember when APNIC got 1/8 from IANA and had to go test what would happen if they announced 1.2.3.4 to the Internet? Just because something has been done historically doesn't mean we need to ban it entirely from the future.
Developers are humans. Technical justification is one of the things that should be considered when making decisions. There are many others.
Developers have not been widely using .example and .test as the spec recommends. They have been using .dev. It makes sense for it to be added as a reserved testing TLD. No one can force Google to do it. We can just petition them and hope that they do the right thing.
There is a lot of goodwill that Google can gain by allowing free use of `.dev`. Even more if they propose a spec to add it to the reserved domains. I would imagine it would be at least $185,000 worth of goodwill.
Not only is this problematic but so is HSTS, and the push for increasing reliance on CAs and in effect making self signed certs pointless.
The great concern for SSL by many people is simply ad supporting behavior masquerading as concern for privacy and state actors. Apparently ssl which is routinely mitm'd by small time corporations can protect privacy. Accept that with straight face while mitm vendors interests are paid attention to in standards meetings.
And Mozilla, the so called 'defender' cashing in on the public good will whenever it suits them conveniently caves in to Google at every opportunity.
Am I missing something or are they whining over nothing? I would get a little perturbed if only .dev domains show up if you're on a google ip or something, but for now, using https is totally do-able.
Unless you've bound yourself to Big G's browser. We only use that for last-minute rendering tests because management doesn't trust it not to leak info back to Mountain View.
Also, does Medium have a minimum word requirement? For some reason Medium articles always seem unnecessarily extra large.
:(
[ ] True [x] False
First, is it the OS that distrusts certificates, or is it the HTTP client?
Second, CA certificates such as the ones trusted by HTTP clients (contained in "browsers") are self-signed certificates.
Pre-installed CA certificates in corporate HTTP clients (e.g., Chrome, etc.) and CA certificates in downloadbale "bundles" available from corporations (e.g., Mozilla) are self-signed.
I really dislike allowing domains to be used in such a way. It seems extremely short sighted.
Unfortunately, the time to oppose this was long ago when gTLDs were first being debated...
I see this kind of attitude a lot when it comes to technology "Oh it's already happened just accept it" Or "It's the way everything is so just go along with it"
I'm getting fairly sick of being told I shouldn't disagree with or be against something because"that's the way it is"
Since when has technology ever been about accepting things the way they are? The whole reason we even have an internet is because people decided the way things were weren't good enough.
I would like to add that clearly, those that was involved in the process have made a less than perfect decision in allowing .dev to be bought by anyone.
It's been in widespread - informal - use for decades, and the decision to allow it to be sold has now directly affected multiple third parties negatively. If one assumes the people involved in the process knowledge in the area of domain names, they knew this but choose to ignore it for no good reason.
TLD's with widespread historical, albeit informal use should absolutely have been reserved.
We set up `*.l.example.com` (where example.com is our company's domain) to all resolve to 127.0.0.1. I personally have nginx set up to map `project.client.l.example.com` to `/path/to/webroot/client/project/`.
All of our infrastructure has hostnames under our domain and references other pieces of infrastructure using those hostnames.
Why is everyone putting so much effort into trying to operate outside of the established domain name system? To avoid paying the $10/yr?
If your public-facing website is just a static landing page (e.g., you're a B2B company or a design agency or a hedge fund or whatever), then yeah, using .dev.contoso.com works.
(By the way, the same analysis applies to running internal services at out-of-date-wiki.corp.contoso.com - consider whether you'd be happier hosting them at out-of-date-wiki.contoso-corp.com instead, and having contoso-corp.com not exist in external DNS.)
The currently safe way is to use a public domain that you own (you could use a distinct subdomain for this, which is not publicly exposed but which is in DNS on your internal network; e.g., intranet.example.com if you own example.com); as you note, this gives a long full domain.
> Mostly I tend to see companies either inventing an unregistered TLD, often using their own company name, or they use ".local", which can cause issues - some systems treat this name specially.
“.local” is a reserved domain with special semantics, see RFC 6762.
> Ideally I'd like to see a ".private" or ".internal" TLD recognised as special-use under the same semantics as ".test".
I'm kind of surprised that we haven't seen an RFC gain acceptance for this already, but I expect something like this will happen and be registered with the IANA special use domains registry.
It's still very much in the early stages though.
Even then, though, you can end up with all sorts of problems during mergers/acquisitions when previously separate intranets end up getting joined, exposing naming conflicts. Ultimately you always need to use a globally unique namespace, so either use a real domain name (guaranteed unique) or do something unique on top of .internal, e.g. .yourcompanyname.internal (still not guaranteed unique, but better).
See also: https://jdebp.eu/FGA/dns-use-domain-names-that-you-own.html
An implementation policy that is overtly not a stable specification changed.
Using “test" at some level of the domain name, including the top level if desired, has been the documented correct and safe answer for a long time, and .dev has always been an unnecessarily risky hack. (Amusingly, everyone else doing that hack got screwed because Google was using it as well and realized that if it didn't take control of the TLD and manage it to support it's pre-existing internal use, it ran the risk of someone else doing that.)
Whether or not that disagreement can be reasonably expected to have meaningful impact on what many others regard as a decision long made is a different question, and the one to which I was speaking.
[a-zA-Z0-9\.]+@[a-zA-Z0-9]+\.[a-zA-Z0-9]+
see also: https://hn.algolia.com/?query=falsehoods%20programmers%20bel...
In the case of .dev, it didn't even appear in the weeds of usage when the DNS root servers were measured for traffic to identify potential new TLDs usage conflicts in the real world (e.g. https://www.icann.org/en/system/files/files/name-collision-0... p22). Even if .dev were in significant usage, that traffic was not reaching the domain name system. The complaint seems to be fundamentally to be about the pre-loaded configuration of Chrome, not the DNS.
In the case of your regex, it would breaks millions of production domains in used today and fail in a wide variety of scenarios. It is only understandable in the context of someone who hasn't done any cursory research into the topic.
Even in the static-site case where the risk may be minimal, there's certainly no harm in moving these sorts of things to a separate domain - especially for anyone looking at this as a new setup due to .dev issues.
What you can do is transfer the TLD to a different operator, and/or change its registration policies, though all of the existing domains on the TLD need to remain with their existing owners, as domain names are legally treated as property and cannot be confiscated except through due process (like a court seizure following a ruling on illegal activities).
That's just current convention, though. If better governance means being less private-property absolutism, I'm for it. ICANN or whoever could just update the terms of their contract to allow revocation of the TLD (with a refund), if there's too much weeping and gnashing of teeth over it's issuance. People would just need to understand domains on a new TLD aren't going to be as ironclad as ones on more established TLDs.
With all that said, whether or not one can have a reasonable expectation that one's perfectly valid opinion might have any impact on what many in the outside world regard as a settled matter is perhaps upon occasion a more subtle and complex question.
Every day I read comments, articles and opinion pieces making excuses for companies, entities and individuals stifling innovation for profit and closed environments. The spirit allowing all this technology and innovation to be created seems to be gone and replaced with the same culture of acceptance and worship you find in religions. Technology is supposed to be about benefitting humanity as a whole not private companies.
I don't give a shit how much money a compay has spent on research or investing in whatever. Any company that is large enough to have that kind of impact on the world has only gotten there from money contributed by billions of people around the world. If a company is big enough to have the same kind of influence, or more, on the world as a government they are no different. This world is shifting to some kind of corporate power structure. The largest companies in the world have more power and influence than many nations. These are not private individuals. Whether we like it or not, technology companies, food producers, weapons manufacturers, drug companies, media companies and any other companies that have enough money to buy governments are now the monarchs of this world. Accepting their control over the technology that allows us the small freedoms we have left means we fully accept our new fate as serfs in our modern technolgical oligarchy.
Fuck that. The only freedoms I've had in life come from the internet. The freedom to learn anything I want to communicate anything with anyone I want.
Computers in general. They provide an equalizing power the likes of which have never been seen in history. Every day companies find new ways to lock down or abstract away this technology in the name of security.
If someone doesn't disagree future generations may not know the freedom that comes with being able to host their own platform for data exchange or running code through a compiler and watching something they created come to life. This is something the common man has not had access to throughout most of history. Knowledge, freedom of expression and access to creative tools, were things reserved for the wealthy or those in power. This is a small window in history when commoners have access to the same technology and power of expression as the rich. They are slowly taking this away and no one will notice until it's gone and we're right back where we've been though the rest of history.
No, what we should not have done is used an unregistered and unreserved TLD for testing/development. What Google has done is registered the .dev TLD, and started to use it for development.
This is the internet development equivalent of the copyrighting of the song "Happy Birthday to You".
And? What entitles any of us to use that domain? And as far as that goes, you can, as I understand it, still use that tld, since your local DNS resolver or hosts file can always override how hosts are resolved in there. The only real issue is if you hit the specific issue where a change in Chrome behaviour w/r/t this specific TLD, breaks something in your workflow.
You're right. I didn't pay for it, so I'm not entitled to get to use it.
Just because there is only one internet, and only one top level domain namespace, and just because I don't have $150,000, does not entitle me to get to use some part of the internet in the same way as a single corporation with a lot of money.
What entitles anyone to use the internet? I don't pay for the root name servers. I don't pay for peering transit. I don't pay for core routers.
I guess your point must be that corporations [and nations] should use their money and influence to acquire large chunks of the internet and screw with it in any way that they possibly can. And we should not care, because we are not entitled to it.
Correct. So what was the point of the rest of your nonsensical rambling? Or do you have some other explanation of why you're entitled to you use that specific tld namespace? You can't just use arbitrary domains that you don't own, why should tld's be any different especially given the advent of gtld's which radically expanded the namespace?
You're also ignoring that that that you can still use .dev. The case where Google's ownership of it prevents you from using it (for internal use anyway) is a very specific, limited scenario.
does not entitle me to get to use some part of the internet in the same way as a single corporation with a lot of money
Nothing about this prevents you from using any part of the Internet. At worst it restricts, ever so slightly, the way you can name your resources. But there have always been restrictions on how you can name your resources.
You have answered the question "Was this selfish behavior?" or "Was this an asshole move?", with an answer I agree with. But that was not the question. The question was whether this was monopolistic behavior. The answer is no. As far as I know, several other TLDs have been similarly locked down by companies with no claim to monopoly power in any industry, which pretty much proves it's not related to monopoly power.
So basically Google decided to break everyone else, because they were afraid someone would break them. They should be more considerate of other developers who use .dev internally like them.
Once the gTLD landgrab was announced, it was too late to push the new RFC approach, and it was likely someone was going to get the gTLD.
Someone who was using it for internal use like Google is probably less disruptive to existing users (even with their HSTS action) than if it had been someone who wanted to sell it for public use, which would have produced real chaos.
Why? What do they owe anyone?
> Why? What do they owe anyone?
Your attitude is the root cause of so many problems.
The have a moral obligation to not be jerks. If you're not aware, one of the things jerks are known for is acting selfishly with no concern for how their actions affect others.
Google shouldn't have been allowed to buy a gTLD like dev in the first place. But, since it has and Google only plans on using it internally, it should only use it in ways that don't break existing usages.
Do you have any source for this statement?
What are you talking about????
The Chairman of ICANN said at the creation of gTLDs: "Today's decision will usher in a new internet age. We have provided a platform for the next generation of creativity and inspiration. Unless there is a good reason to restrain it, innovation should be allowed to run free."
Taking the entire ".DEV" TLD for a single corporation, as if Google is the only development corporation in the world, is not providing a platform for the next generation of creativity and inspiration. Potentially millions of users of this TLD no longer have the option.
I am not the only person who feels this way: https://www.theregister.co.uk/2015/03/13/google_developer_gt...
Google also tried to take ".BLOG", for sole use by its Blogger platform. Luckily they were outbid.
When Amazon proposed it taking the ".BOOK" TLD, publishers objected because, duh, this would be a hugely unfair attack on book publishers, sellers, and authors.
On top of the above, Google broke private use of the TLD for literally everyone who wasn't using TLS (and not just for domains Google registers in the TLD), but I'm sure lots of people simply don't care when Google does dick things, so nevermind that.
My position is that a corporation should not be able to stifle free and fair use of the internet. It's not about entitlement, it's about the fact that the internet is a global economic engine intended to be used by everyone, and not just exclusive corporations with money and influence.