Wondering why your internal .dev web app has stopped working?
Blame Google. And ICANN
Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished.
Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection."
How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out of their own systems.
Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security. Essentially, you have to use HTTPS to connect to .dev websites, and if you haven't bothered configuring secure HTTP on your internal .dev work servers, your browser won't connect.
Why on Earth would Google start breaking internal domains by insisting on unnecessary security measures for a top-level domain that doesn't exist on the public internet?
Ah, well, that's the thing: .dev does exist on the public internet.
In fact, the .dev global top-level domain is owned by Google. And even though it has only made one domain live so far – the contractually obliged nic.dev – the search engine giant has the ability to add whatever .dev domains it wants to the public internet at any time it wants.
In fact, probably the only reason that hasn't happened before now is Google's decision to keep the top-level domain all to itself, combined with a scaling back of what was once a huge domain expansion plan, which was dropped after Google became constrained by investors and was turned into Alphabet.
The use of .dev domains is pretty common for internal software and web app testing: an alternative to .localhost, .local and .test. But as we noted long ago, under ICANN's top-level domain expansion program, Google applied for and secured ownership of the generic top-level domain .dev.
Unlike .local, .test, and .example, .dev is not on a list of specially protected names. No one lodged a complaint with ICANN to ring-fence the gTLD while the Chocolate Factory was applying for it in 2012 – most likely because very few people in the web development community engage with the DNS overseer.
In fact, both Google and Amazon applied for .dev, and Google got hold of it when it cut a deal with Amazon where the online retailer was given control of .book and .talk in return for Google having .dev and .drive.
In case you were wondering, there are actually quite a few protected domain names. There are the 32 special use domains reserved by IANA under RFC 6761 which are mostly to do with internet routing but also include domains that internet engineers use a lot – like example.com.
Then there are the 11 IANA-managed reserved domains that were created to test the use of non-English languages as domain names. That was back in 2007 when ICANN finally recognized (or, more accurately, was forced to recognize) the importance of other languages on the internet and realized it had to make sure it didn't break the web (internationalized domain names, or IDNs, are becoming increasingly important for many online, although they still have compatibility problems with the broader internet).
And then there are the literally hundreds of domain names that ICANN has been forced to protect at the second-level after international organizations made a huge fuss during the gTLD expansion program. Those names won't affect web devs, however.
Oh, and then there are the 25 names that ICANN has decided can never be approved at the top level and has also forced gTLD operators under contract with it to never include in their root zone files – almost all of which are purely internal names, like "gnso" which stands for Generic Names Supporting Organization and is a part of the organization's internal structure.
But despite these dozens of protected and reserved names, the .dev top-level domain was not on the right people's radar and so was sold to Google for $185,000. Now Google can do whatever it likes with it.
What does this mean if you are a web developer and have been using .dev domains? Well, it means you have two options: you either self-certify your own domains, or you shift to new top-level domains. While you can grab free HTTPS certs from Let's Encrypt, it's not feasible to use those internally on .dev domains.
If you want to avoid the ad giant's touch, shift everything over to one of the protected names - .invalid, .local, .localhost, .test, .example. Or if you want to revel in the peculiarities of the domain name system, why not build your internal development environment on 'test.icann'? ®
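As an added example (not part of the original article), the Python script below audits a hosts file for names under the TLDs the article says Chrome forces to HTTPS, and separates them from names under the protected TLDs it lists. The sample hosts entries, the function names and the default rename to `.test` are assumptions made for illustration.

```python
# Added example: classify hosts-file names by their top-level label.
FORCED_HTTPS_TLDS = {"dev", "foo"}   # per the article: Chrome forces HTTPS here
PROTECTED_TLDS = {"invalid", "local", "localhost", "test", "example"}  # per the article

# Constructed sample input, not taken from a real system.
SAMPLE_HOSTS = """\
# internal development names
127.0.0.1   localhost
127.0.0.1   shop.dev api.shop.dev   # legacy dev names
10.0.0.5    wiki.test
10.0.0.6    Build.FOO.
10.0.0.7    intranet.corp
::1         app.localhost
"""

def tld_of(name):
    """Return the lowercase final label, ignoring a trailing root dot."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def audit_hosts(text):
    """Sort every hostname in hosts-file text into one of three buckets."""
    report = {"forced_https": [], "protected": [], "other": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                            # blank or address-only line
        for name in fields[1:]:                 # field 0 is the IP address
            tld = tld_of(name)
            if tld in FORCED_HTTPS_TLDS:
                bucket = "forced_https"
            elif tld in PROTECTED_TLDS:
                bucket = "protected"
            else:
                bucket = "other"
            report[bucket].append(name.rstrip(".").lower())
    return report

def suggest_rename(name, new_tld="test"):
    """Propose the same name under a protected TLD (assumed default: .test)."""
    base = name.rstrip(".").lower().rsplit(".", 1)[0]
    return f"{base}.{new_tld}"

if __name__ == "__main__":
    for host in audit_hosts(SAMPLE_HOSTS)["forced_https"]:
        print(f"{host}: serve over HTTPS or rename to {suggest_rename(host)}")
```

Names that land in the `other` bucket are neither forced to HTTPS nor on the article's protected list, so they need a separate check against the public root zone.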