this post was submitted on 30 Dec 2024
239 points (85.0% liked)
Technology
60336 readers
4368 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Technically all you need is a DNS server.
No computer knows where <whatever.tld> is located, unless that route is hard-coded in a host file somewhere. It always has to ask a DNS server for that information. If that DNS server doesn't know, it will probably try asking some other DNS server, and so on up a chain. Eventually, it reaches a master DNS server that either has the answer on-hand somewhere in a database, or it says, "lmao, that doesn't exist". All the DNS servers and your PC down the chain take that answer. They might memorize it for a little while and hand it out to anyone who asks them, but after a while they'll ask their way up the chain again to see if the answer has changed since the last time they asked.
In order to "create" a TLD, all you have to do is make a DNS server that doesn't ask up the chain. Just pre-program the list of valid domains yourself. You can make them anything you want. You can even "steal" existing domains and make them point to anywhere you want. Nothing is stopping you. Your DNS server will confidently report its pre-programmed answers to anyone who asks.
The catch is that any Internet-enabled device that you want to be able to use your fancy new custom domains needs to be configured to ask your DNS server in particular. People would have to manually set your DNS server as their master server to ask, or they'd have to set it to ask some other DNS server that is itself pointed through some chain up to your DNS server. This is an explicitly opt-in system, and getting a significant mass of people to do that voluntarily is practically impossible. But it's not technically impossible.
The only reason you don't have to do this manually with every single device you buy is because most devices either come from the manufacturer with a hard-coded list of DNS servers they should trust by default, or a device on the local network whispers in their ear and tells them who the local DNS server is and the device just goes along with it. It's still technically an opt-in system; devices are simply either already "pre-opted in", or there's a system running on your network that auto-opts-in every device that connects, and most devices are designed to accept that auto-opt-in the moment they detect it.
Provided you manage to get the devices you want to listen to your DNS server, you may additionally want to set up a root certificate authority. The thing that makes the little padlock show up in your browser URL box to let you know the connection is secure. Kind of like the DNS server thing, this is also very simple--just run a cheeky little OpenSSL command or two and you can be a root CA in no time--but it suffers from the same "opt-in" problem. You have to manually configure any device you want to use your system to trust your certificates. Most devices just come with a list of "acceptable authorities" built-in, and those defaults are all most people are using. But nothing is stopping you from adding anything you want to that list at any time. You're just limited to doing it on a device-by-device basis.
At my company, we've set up our own custom DNS server and our own root CA. We serve internal websites at a custom TLD we made up, and we sign them with our custom certificates to keep the connections secure. But that only works because we've manually configured our workstations to ask our internal DNS server for DNS requests, and we've manually configured all the workstations to trust our root certificate authority. A random device that connects to our network that isn't configured with either of those things will not resolve any of our custom domains, nor will it securely connect to them. It also breaks if the configured devices aren't on the local company network, since the DNS server isn't reachable from the public web. Which is fine for us, since those internal websites aren't reachable on the public web either. But yeah, that's an example of the limitations.
If you want to create a TLD that will be auto-accepted by everyone who is already running the default chains of trust (which is probably what most people actually mean when they ask something like this), you have to seek out the big daddy at the root of that chain of trust and ask them to poof your TLD into existence for you. That would be ICANN, and they probably won't do anything like that without a big fat check and a lot of corporate lobbying.
tl;dr - The tech is built in such a way that nothing is stopping you from making your own toy, and anyone can play with your toy without needing to do much. But if you want your TLD to "just work" for everyone in the world without asking every single one of them to explicitly opt-in, which is probably what you actually want, then no, you basically can't do that.