| Internet-Draft | Private use top-level domain | May 2026 |
| Davies, et al. | Expires 7 November 2026 | [Page] |
This document describes the "internal" top-level domain for use in private applications.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 November 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
There are situations in which private network operators may wish to use their own domain naming scheme that is not intended to be used or accessible by the global domain name system (DNS), such as within corporate or home networks.¶
The "internal" top-level domain (TLD) is specifically designated for this purpose. Domains under this TLD are not resolvable in the global DNS but can be configured and utilized within private networks according to the operator's requirements. This concept is analogous to private-use IP address ranges (e.g., [RFC1918]), providing a similar function within the DNS ecosystem.¶
Network operators have long relied on various unregistered names for private-use DNS, often in an uncoordinated manner. This practice can lead to incompatibilities and unintended consequences for Internet users. For instance, an organization might adopt a name for internal use that is later introduced into the global DNS, resulting in name collisions and unpredictable behavior.¶
In almost all cases, an entity should use a sub-domain of a global DNS name that it controls. This ensures that names are globally unique and avoids the potential for confusion that may arise from the use of private-use namespaces. However, in some cases, such as for isolated networks that will never be connected to the global Internet, use of the "internal" top-level domain may be appropriate.¶
Entities choosing to do so should be cognizant of the implications of this decision, including:¶
The potential for collisions if multiple networks using "internal" are interconnected in the future.¶
The risk of leakage of "internal" names into the global DNS.¶
The lack of global uniqueness of "internal" names.¶
DNSSEC validating resolvers relying on the global DNS trust anchor will fail to resolve names ending in "internal".¶
Other namespaces are reserved for similar purposes, which superficially may seem to serve the same purpose as the "internal" domain, but are intended for different use cases.¶
The "local" namespace [RFC6762] is reserved for use with the multicast DNS protocol. This protocol allows for resolution between devices on a local network. This namespace does not use typical DNS zones for name allocation, and instead uses the multicast DNS protocol to negotiate names and resolve conflicts. It is expected "internal" will be used for applications where names are specified in locally-configured zones.¶
The "alt" namespace [RFC9476] is reserved for contexts where identifiers are used that may look like domain names, but do not use the DNS protocol for resolution. This is in contrast to the "internal" domain which is to be used with the DNS protocol, but in limited private-use network scope.¶
The "home.arpa" namespace [RFC8375] is reserved for use within residential networks, including with the Home Networking Control Protocol [RFC7788].¶
The document requires no IANA actions. For the reasons stated above, the "internal" top-level domain is reserved from being used in the global DNS.¶
While the "internal" namespace is designated for private use, it is important to recognize its limitations and potential risks:¶
Leakage into the broader Internet: Names within the "internal" namespace may inadvertently appear in log files, email headers, or other contexts, leading to potential exposure. Users should not rely on the confidentiality of these names.¶
Lack of global uniqueness: Names in the "internal" namespace are not globally unique. For example, multiple networks may use the same name, such as "accounting.internal," for entirely different purposes. This is similar to the use of the "local" namespace in multicast DNS, where many devices might share the name "printer.local." Users should exercise caution when performing operations that require authenticity, such as entering credentials.¶
Collision risks: If two networks using the "internal" namespace are interconnected, name collisions may occur. This is analogous to IP address conflicts when private-use IP ranges (e.g., [RFC1918]) are interconnected. Organizations should carefully evaluate this risk before adopting the "internal" namespace.¶
DNSSEC limitations: DNSSEC-validating resolvers that rely on the global DNS trust anchor will fail to resolve names ending in "internal." This limitation should be considered when planning network configurations.¶
Implications for HTTP cookies: Cookies set for a domain like "accounting.internal" on one network may be sent to a different "accounting.internal" if the user switches networks. To mitigate this, organizations can use the Secure flag for cookies. Additionally, since the "internal" namespace does not resolve in the global DNS, Certificate Authorities are not expected to issue certificates for it. Organizations requiring HTTPS for "internal" domains will need to establish their own private Certificate Authority (CA), which is beyond the scope of this document.¶
Impacts on traceability: Users should also not assume the appearance of such names is indicative of the true source of transmissions. When diagnosing network issues, the appearance of such addresses must be interpreted with the associated context to ascertain the private network with which the name is being used. A name within the "internal" namespace can never be used by itself to identify the origin of a communication.¶
This reservation is the result of a community deliberation on this topic over many years, most notably [SAC113]. The SAC113 advisory recommended the establishment of a single top-level domain for private-use applications. DNS records within this top-level domain will not be resolvable in contexts outside of a private network.¶
A selection process [IANA-Assessment] determined "internal" was the best suited string given the requirement that a single string be selected for this purpose, and subsequently reserved for this purpose in July 2024. [ICANN-Board-Resolution]¶
The authors would like to thank the members of the Internet community who participated in the discussions that led to the establishment of the "internal" top-level domain, including those who contributed to the SAC113 advisory and the IANA assessment process.¶
The authors would especially like to thank Eliot Lear for extensive discussion and feedback on this document. Additional feedback and suggestions were received from Joe Abley, Mark Andrews, Wes Hardakerm Paul Hoffman, Philip Homburg, David Lawrence, John Levine, Benno Overeinder, Petr Špaček, Ondrej Surý, Peter Thomassen and Suzanne Woolf.¶
I-D source is maintained at: https://github.com/kjd/draft-davies-internal-tld¶