Since I keep seeing developers use ‘pretty’ IP addresses like ‘1.2.3.4’ in example configurations; a reminder that you MUST NOT use publicly routable addresses that you do not control in your code.

Instead, use one of the available 'TEST-NET' IPv4 or IPv6 ranges documented in RFC 6890;

192.0.2.0/24
198.51.100.0/24
203.0.113.0/24

❌ 1.2.3.4
✅ 192.0.2.4

and for IPv6;

✅ 2001:db8::/32

Pass it on to all of your fellow developers, documentation writers, and so forth.

Full RFC for special purpose addresses;

https://datatracker.ietf.org/doc/rfc6890/

Reserved for documentation, IPv4 and IPv6;

https://datatracker.ietf.org/doc/rfc5737/
https://datatracker.ietf.org/doc/rfc3849/

1/ 🧵

RFC 6890: Special-Purpose IP Address Registries

This memo reiterates the assignment of an IPv4 address block (192.0.0.0/24) to IANA. It also instructs IANA to restructure its IPv4 and IPv6 Special-Purpose Address Registries. Upon restructuring, the aforementioned registries will record all special-purpose address blocks, maintaining a common set of information regarding each address block.


The same goes for domain names; do NOT use a public domain name you do not control in your configuration, documentation, or UI language.

Instead, use one of the available reserved domain names documented in RFC 2606, such as 'example.com', 'example.net', or the .example top-level domain.

❌ test.com
❌ yourdomain.com
✅ example.com
✅ yourdomain.example

Pass it on to your fellow developers, designers, documentation writers, and so forth.

Full RFC text is here;

https://datatracker.ietf.org/doc/rfc2606/

2/ 🧵

RFC 2606: Reserved Top Level DNS Names

To reduce the likelihood of conflict and confusion, a few top level domain names are reserved for use in private testing, as examples in documentation, and the like. In addition, a few second level domain names reserved for use as examples are documented. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.

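A small linter for the two rules above (documentation-only IP ranges from RFC 5737 / RFC 3849, reserved names from RFC 2606), as an added example that is not part of the original thread. It scans a config or doc snippet for IP literals, hostnames and e-mail addresses and reports the ones that are neither documentation ranges nor non-routable. The sample config at the bottom is constructed for the example; the verdict strings are my own naming.

```python
"""Flag public IPs, domains and e-mail domains in docs/configs that are not
reserved for documentation (RFC 5737, RFC 3849, RFC 2606).
Added example; not code from the original thread."""
import ipaddress
import re

# Documentation-only address blocks: RFC 5737 (IPv4) and RFC 3849 (IPv6).
DOC_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
# Names reserved for documentation and testing (RFC 2606).
DOC_TLDS = {"example", "test", "invalid", "localhost"}
DOC_DOMAINS = {"example.com", "example.net", "example.org"}

TOKEN_RE = re.compile(r"[A-Za-z0-9\[][A-Za-z0-9:.\-@\[\]]*")
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def ip_verdict(ip):
    if any(ip in net for net in DOC_NETS):
        return "ok-documentation"
    if not ip.is_global:          # RFC 1918, loopback, link-local, ULA, ...
        return "ok-non-routable"
    return "BAD-public"           # routable, and almost certainly not yours


def domain_verdict(name):
    name = name.lower().rstrip(".")
    if name.rsplit(".", 1)[-1] in DOC_TLDS:
        return "ok-reserved"
    if any(name == d or name.endswith("." + d) for d in DOC_DOMAINS):
        return "ok-reserved"
    return "BAD-public"


def strip_port(tok):
    """'[2001:db8::1]:443' -> '2001:db8::1'; 'host:443' -> 'host'."""
    if tok.startswith("["):
        m = re.match(r"^\[([^\]]+)\](?::\d+)?$", tok)
        return m.group(1) if m else tok
    if tok.count(":") == 1:       # exactly one colon is host:port, not IPv6
        return tok.split(":", 1)[0]
    return tok


def classify(tok):
    """Return (kind, value, verdict), or None if the token is none of these."""
    tok = tok.rstrip(".")
    if "@" in tok:                # e-mail address: judge its domain part
        return ("email", tok, domain_verdict(tok.rpartition("@")[2]))
    tok = strip_port(tok)
    try:
        return ("ip", tok, ip_verdict(ipaddress.ip_address(tok)))
    except ValueError:
        pass
    last = tok.rsplit(".", 1)[-1]
    # Last label must contain a letter and be at least two characters, so
    # version strings like 3.12.1 and abbreviations like e.g. are skipped.
    if HOST_RE.match(tok) and len(last) >= 2 and re.search("[A-Za-z]", last):
        return ("host", tok, domain_verdict(tok))
    return None


def lint(text):
    """All IP/host/e-mail findings as (line_no, kind, value, verdict)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            hit = classify(tok)
            if hit:
                findings.append((line_no, *hit))
    return findings


def violations(text):
    return [f for f in lint(text) if f[3].startswith("BAD")]


# Constructed sample config for the example; not from any real project.
SAMPLE = """\
# constructed example config, not from any real project
upstream = 1.2.3.4:443
dns_server = 192.0.2.4
ldap_uri = ldaps://[2001:db8::10]:636
admin_email = admin@test.com
reporting = reports@example.com
smtp_host = mail.yourdomain.com
internal = 10.20.30.40
"""

if __name__ == "__main__":
    for line_no, kind, value, verdict in violations(SAMPLE):
        print(f"line {line_no}: {kind} {value}: {verdict}")
```

Run it over the sample and it reports 1.2.3.4, admin@test.com and mail.yourdomain.com; 192.0.2.4, the 2001:db8:: address and reports@example.com pass, and 10.20.30.40 passes as non-routable (fine for a LAN example, though still not a documentation range).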

Oh, and please, if you are sending email, don't make up random addresses for your app to test with. Only send mail to addresses you know are valid, and for which you have permission to send mail.

If you need to test SMTP while developing software, use a mock SMTP server that drops all outgoing email in a local directory, so you can inspect it without dumping a metric ton of email in your upstream's SMTP queue.

If you absolutely must generate unique email addresses for testing, either register a domain for that purpose and set up mail handling for it, or use the .test TLD, and have as many unique domain names as you like.

3/ END
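The mock SMTP server the post asks for, as an added example that is not part of the original thread: a sink that speaks just enough SMTP for an application under test to hand over mail, then writes each message to a local directory instead of relaying it. The greeting hostname sink.example, the listening port 2525 and the X-Sink-* headers are my own choices; the client session in the usage note is constructed.

```python
"""Local SMTP sink: accept mail from an app under test and drop it into a
directory; nothing is relayed. Added example; not code from the thread."""
import asyncio
import os
import time


class SmtpSink:
    """Line-oriented SMTP state machine; feed() returns the server reply."""

    def __init__(self, outdir):
        self.outdir = outdir          # None = keep messages in memory only
        self.messages = []            # (sender, recipients, body) accepted
        self.in_data = False
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.lines = None, [], []

    def greeting(self):
        return "220 sink.example SMTP sink ready"

    def feed(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._store()
                return "250 2.0.0 Ok: message stored locally"
            # RFC 5321 dot-stuffing: the client doubled a leading '.'
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None                   # no reply while receiving DATA
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.example"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Ok"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _store(self):
        body = "\n".join(self.lines)
        self.messages.append((self.sender, list(self.rcpts), body))
        if self.outdir is not None:
            os.makedirs(self.outdir, exist_ok=True)
            name = f"{time.time_ns()}-{len(self.messages)}.eml"
            with open(os.path.join(self.outdir, name), "w") as fh:
                fh.write(f"X-Sink-From: {self.sender}\n"
                         f"X-Sink-To: {', '.join(self.rcpts)}\n{body}\n")
        self._reset()


def run_session(sink, client_lines):
    """Drive one session offline; returns every reply the server sent."""
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


async def serve(outdir, host="127.0.0.1", port=2525):
    """Listen locally; point the app's SMTP host/port here during tests."""
    async def handle(reader, writer):
        sink = SmtpSink(outdir)
        writer.write((sink.greeting() + "\r\n").encode())
        while not reader.at_eof():
            raw = await reader.readline()
            reply = sink.feed(raw.decode(errors="replace").rstrip("\r\n"))
            if reply is not None:
                writer.write((reply + "\r\n").encode())
                await writer.drain()
            if reply and reply.startswith("221"):
                break
        writer.close()
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve("./mail-sink"))
```

A constructed session (EHLO, MAIL FROM:<app@example.com>, RCPT TO:<qa@example.net>, DATA, the body, ".", QUIT) fed through run_session() yields the 220/250/250/250/354/250/221 replies, and the message lands in messages and in the output directory with the dot-stuffed line unstuffed. Nothing ever leaves the box, so no upstream postmaster sees your test traffic.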

There's always at least one person who doth protest too loudly, whenever they are alerted to bad habits like these 😂

ADDENDUM: If you need to generate reverse DNS records for IP addresses, DO NOT simply paste in the entire IPv4 address as the hostname, such as in this example;

❌ 198.51.100.1.net.example
❌ 198.51.100.2.net.example

If you absolutely need to use dots, like for delegation within a large enterprise or to clients, reverse the string instead;

✅ 1.100.51.198.rev.net.example
✅ 2.100.51.198.rev.net.example

Most to least specific, always.

In the vast majority of cases, keep it simple, with something like this;

✅ ip-198-51-100-1.dhcp.net.example
✅ ip-198-51-100-2.dhcp.net.example

Can be delegated if needs be, and is clearly separate.
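The naming rules from the addendum in code, as an added example that is not part of the original thread: the reversed most-specific-first form, the ip-dashed form, the matching PTR owner name, and a check of why the reversed order matters for delegation (every host in a /24 falls under one parent name, whereas the pasted-in form scatters them across hundreds). The net.example base zone and the rev/dhcp labels are taken from the addendum; IPv6 is handled by nibble, which goes beyond the IPv4 examples above.

```python
"""Hostname schemes for reverse-DNS style names, per the addendum.
Added example; not code from the original thread."""
import ipaddress

BASE = "net.example"   # base zone from the addendum's examples


def ptr_owner(addr):
    """Owner name of the PTR record, e.g. 1.100.51.198.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer


def forward_name(addr, base=BASE):
    """The pattern the addendum warns against: address pasted in as-is."""
    return f"{addr}.{base}"


def reversed_name(addr, base=BASE):
    """Most specific label first: 1.100.51.198.rev.net.example.
    IPv6 uses one label per nibble, exactly like ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + ".rev." + base


def dashed_name(addr, base=BASE):
    """The simple form: ip-198-51-100-1.dhcp.net.example."""
    ip = ipaddress.ip_address(addr)
    return "ip-" + str(ip).replace(".", "-").replace(":", "-") + ".dhcp." + base


def delegation_zone(prefix, base=BASE):
    """Zone apex that covers a whole prefix in the reversed scheme.
    Only label-aligned prefixes (IPv4 /8, /16, /24; IPv6 multiples of 4)
    map onto a single zone cut."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix must be a multiple of 8 bits")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 prefix must be a multiple of 4 bits")
        hexdigits = net.network_address.exploded.replace(":", "")
        labels = list(hexdigits)[: net.prefixlen // 4]
    return ".".join(reversed(labels)) + ".rev." + base


def parent(name):
    return name.split(".", 1)[1]


def parents_for_prefix(prefix, scheme):
    """Distinct parent names of every host in the prefix under a scheme.
    One parent means the prefix can be delegated as a single zone."""
    net = ipaddress.ip_network(prefix)
    return {parent(scheme(str(ip))) for ip in net.hosts()}


if __name__ == "__main__":
    for ip in ("198.51.100.1", "198.51.100.2", "2001:db8::1"):
        print(ptr_owner(ip), reversed_name(ip), dashed_name(ip), sep="\n  ")
    print(delegation_zone("198.51.100.0/24"))
    print(len(parents_for_prefix("198.51.100.0/24", forward_name)), "parents (pasted-in form)")
    print(len(parents_for_prefix("198.51.100.0/24", reversed_name)), "parent (reversed form)")
```

For 198.51.100.0/24 the reversed scheme puts all 254 hosts under the single parent 100.51.198.rev.net.example, which is the zone you would delegate; the pasted-in form produces 254 different parents (51.100.N.net.example), so there is nothing to delegate.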

@sindarina And for your non-routable local network, use a subdomain of .INTERNAL!

@sindarina 1.2.3.4 is cute and memorable though. They really should've reserved it, it would've been sensible.

There's a reason the test phone numbers use all-5 sequences like (555) 555 XXXX. (Admittedly that really wasn't intentional and it just happened due to a number of reasons, but that's a detail.)

I'm disappointed that wasn't a comment brought up when those RFCs were drafted.

@lispi314 @sindarina Why is `1.2.3.4` "cute"? And not `0.1.2.3`? Or `10.20.30.40`? How is it more memorable than all other bad cases like `1.1.1.1`? More importantly: why do you even care to memorize it? No one should bother with memorizing IP addresses, especially those of the current Internet, aka IPv6 ones, but even for legacy IPv4 ones. There was this thing invented long ago to help humans use just names they are comfortable with, called the DNS...
@pmevzek You're responding to someone in my mentions who replied a long time ago. I skipped them back then, and they don't need to be corrected now 😜
@sindarina They appeared now in my timeline for some parts of the thread, so I read the full thread for context and replied on what seemed most irritating to me (as I just got a similar discussion in a - this time - recent thread), but I didn't look at the dates, that is correct. My plea will be https://xkcd.com/386/
@pmevzek A mere warning shall suffice, then 😄
@sindarina I hardly dare say it, but in a recent network deployment I assisted with, the head of IT had insisted real routable random IPs be used in their private network, as private ones were too easy to guess and thus abuse ...
I shall not disclose where ...

@sebastian @sindarina I know of a network equipment vendor which used a real, public address block belonging to a real, much larger company internally in a product they shipped. There were a few companies which were customers of both. Hilarity ensued.

The same network equipment vendor now uses 192.0.2 internally in a major product. Their reasoning is nobody should be using it, therefore *they* should use it.

@sindarina Probably because they keep seeing the same pattern: someone “alerts to bad habits” without any explanation of the reasons they’re bad habits, or worse, with judgmental comments like “I shouldn’t have to keep telling you this” or “I’m not going to explain why,” which makes their post not an “alerting to bad habits” one but an “asserting their superiority over less experienced people” one.
@oscherler Thank you for your comment, random person who doth protest too loudly 🙏🏻
@sindarina 4/ Do not use "/dev/sda" or any valid volume name in an example for a formatting command.

@gboussard @sindarina More people need to know about /dev/disk/by-id/ and WWNs.

It's a good way to avoid unpleasant mistakes and to keep track of assets.

@sindarina Had to alert my company that we were sending automated emails of sensitive data to an email address at test.com before. Whoever owns those domains probably has access to every secret in the country by now...
@wagesj45 @sindarina I’ve worked for a company which used a public domain name which they don’t own as their internal AD domain name. So much data leakage.
@sindarina And, for the love of god, start using test e-mail infrastructure. It's a 10 minute job to start a greenmail container or something similar. Gazillions of postmasters are sick of seeing your junk in their logs.
@sindarina a good mock SMTP option is mailtrap.io
@sindarina Reminds me that Grafana sets a default alert contact on every instance which AFAIK can't be removed using provisioning. Which is annoying, as Fastmail keeps complaining about being unable to send email to example.com :|

@sindarina Also, Germany's Federal Network Agency has defined various “drama numbers” – unassigned phone numbers for use in movies: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Nummerierung/Rufnummern/mittlg148_2021.pdf?__blob=publicationFile&v=1

Landline:
Berlin: 030 23125 000 – 999
Frankfurt a.M.: 069 90009 000 – 999
Hamburg: 040 66969 000 – 999
Cologne: 0221 4710 000 – 999
Munich: 089 99998 000 – 999

Mobile:
0152 28817386
0152 28895456
0152 54599371
0171 39200 00 – 99
0172 9925904
0172 9968532
0172 9973185
0172 9973186
0172 9980752
0174 9091317
0174 9464308
0176 040690 00 – 99

@pixelcode @sindarina 66969...nice (that may or may not be a coincidence, a giggling German is not out of the question)
@sindarina I set up a little ansible play that adds regex-based virtualhost config to postfix that effectively makes _all_ mail delivered to a local user, for our QA hosts, so all the cron jobs and reporting jobs and whatnot that use /usr/sbin/sendmail have their output captured and *don't* *leak*, because customers _love_ it when they get a bunch of weird reports and errors from random QA systems in various states of broken when testing (so does the helpdesk when fielding their paniced calls).
@raven667 There are also mock SMTP servers that just take all mail sent and put it into a local folder for analysis.
@sindarina https://github.com/rnwood/smtp4dev is a great tool for this. Works wonderfully in a container.
@sindarina ....and don't use .local at home either. Learn about home.arpa
@bekopharm .local is reserved and safe, and intended to be used with mDNS (which is implemented in "Bonjour" and "Avahi" and is sometimes referred to as "zeroconf", although that's not quite the correct term). 🤓
@sindastra @bekopharm I agree that you wouldn't want to use ".local" as a DNS domain tho. That way leads to annoying device discovery failure, such as printers not working.

@bekopharm @kepstin Oh, you two mean not to use ".local" as that "find domain"?

As in, fine for mDNS but not for the default in LAN?

@sindastra @bekopharm exactly; ".local" and a few special ranges of arpa reverse-dns domains are reserved for special use by RFC6762 and should not be used for anything other than Multicast DNS.

The special handling for these domains is described in https://www.rfc-editor.org/rfc/rfc6762#section-22.1 - includes things like that DNS libraries and DNS servers should recognize the domain and refuse to forward/resolve queries for it.

RFC 6762: Multicast DNS

@bekopharm @kepstin @sindastra @sindarina And although .mail, .corp and .home were rejected as gTLDs, they could still be assigned in the future, if enshittification goes forth.
@sindastra @bekopharm is there anything wrong with using subdomains under .local outside of mDNS?

@bekopharm This is the first time I hear of home.arpa. RFC: rfc-editor.org/rfc/rfc8375.htm…

"This document specifies the behavior that is expected from the Domain Name System with regard to DNS queries for names ending with '.home.arpa.' and designates this domain as a special-use domain name. 'home.arpa.' is designated for non-unique use in residential home networks. The Home Networking Control Protocol (HNCP) is updated to use the 'home.arpa.' domain instead of '.home'."

@sindarina

RFC 8375: Special-Use Domain 'home.arpa.'

@sindarina How about `home.arpa` or `underground.home.arpa` ?

🔗 via @bortzmeyer https://www.bortzmeyer.org/8375.html

Blog Stéphane Bortzmeyer: RFC 8375: Special-Use Domain 'home.arpa.'

@butterflyoffire That's great for use at home, on residential networks, for those who want resolving DNS there without having to register a domain name for it.

Not really suitable for documentation and examples in the context I am talking about, though, unless you're specifically talking about that context.

It's an official RFC, here it is in English;

https://datatracker.ietf.org/doc/rfc8375/

@sindarina I have a follow-up question about bad domain name usage. I see lots of companies using name.local as their internal DNS; I always hate that (because I know .local is mDNS and shouldn't be used in unicast), but I don't know what to propose instead (if they can't use a subdomain of their public domain). Something like .home.arpa but for companies does not exist, does it?

@caseyneiba 'name.local' still happens on Windows networks a lot, yes, because it was all over the tutorials for a long time, and there's still plenty of admins who keep doing it.

The alternative is to register a ‘network domain’, specifically for use on the LAN/WAN. Like, for example, if your corporate website is at 'example.com’, you could put your Active Directory domain at 'example.net’, or some other variation on a recognisable name. There's a ‘.computer’, ‘.network’, and a ‘.systems’ gTLD now too, so there's plenty of options.

Just never pick one you don't control, like ‘corp.com’ 😄

@sindarina I wonder with how much traffic example.com is hit daily
@sindarina I remember the gnashing of teeth when Google bought the .dev TLD and included it in the HSTS preload list.
@ramsey Imagine how easily people could have prevented getting in trouble with that 😏
@sindarina is "domain.tld" safe to use? I use it a lot. 🤞
@flohw I would avoid it, and use something like 'domain.example’ instead 🙂
@sindarina Okay, thanks. As 'tld' is not a valid TLD, if I searched correctly, I thought it could be a valid choice. But there is an RFC to deal with that, so using what the RFC defines is a better choice. `example` is a really long TLD. 😅

@flohw No, the whole point of not using a non-existent TLD is to avoid the fate of those who were using .dev locally, when that one got registered, and put into use.

You could always set up some form of autocompletion, or use a different domain, so you end up with something shorter, like ‘ab.example’?

@sindarina As owner of some.host.name I wholeheartedly concur. 😄
@sindarina I couldn't have explained that to people in my previous work. Like, they would be oblivious to any arguments and keep on sending test emails to domains @ email.com and test.com.
@sindarina i always use .local simply because it's reserved and i don't have to remember "example.com"
@sindarina Phew, glad example.org is in there! The only one I remembered earlier this week and used.
@sindarina I also find it not obvious that 1.2.3.4 is supposedly an IP address

@xarvos @sindarina The movies have it right. Replace one of the octets with 555.

Any app that does any validation will say it's invalid, and hopefully that will be a clue to the user that "you have to set a real IP here for the product to work".

If it's your own software, you could even have a specific 555-in-IP error message explaining it in a more friendly way.

@EndlessMason The GPP was boosted into my timeline today, and I found the age of your toot appropriate. 😀
@jima do I now have to wait 555 days to respond to this?
@EndlessMason Nah, the serendipity of happening upon it without trying is more endearing. 😀
@sindarina Unless the config field is particularly security sensitive, I’d still use something like 1.2.3.4, just because it makes it obvious that the address is an example and needs to be changed. For users who don’t know about these ranges, AKA me from two minutes ago, 192.0.2.4 looks like an existing IP address, which may or may not point at a reasonable default / vendor-provided server, and so it isn’t obvious whether it should be touched. I would say that using those addresses is a tradeoff, and it should be considered how likely 1.2.3.4 is to ever become malicious, and what the consequences would be for a particular application. Another interesting way to solve this is to use 123.456.123.456, as that is not a valid address.
@miki 1.2.3.4 is a valid IPv4 address, just like, say, 1.1.1.1, and you should stop making excuses 🙂
@sindarina And so what? If using a valid address isn’t a security concern in a given context, where’s the problem exactly?

@miki Thousands of people over the decades who, like you, didn't think it would cause a problem, leaving others to clean up their messes down the road.

Like, entire chunks of the IPv4 address space that are unavailable because of assumptions made in the past.

Just change the habit, man 😄