The Great .corp Renaming

Florian Weimer

CORP” is among the the 1,400 strings listed as potential new top-level domains (TLDs) by ICANN. This means that many companies potentially face significant costs to rename all hosts that currently use a custom version of the .corp TLD, to avoid data leakage and reachability issues.

Six applicants have expressed interest in running an official .corp TLD (Internet Corporation for Assigned Names and Numbers, Reveal Day 13 June 2012 – New gTLD Applied-For Strings <>, June 2012, retrieved 2012-06-16). . This is problematic because .corp is already in wide use, as a custom TLD for internal host names which should not be reachable from the outside.

Using a custom TLD might seem a fundamentally bad idea, but up until now, it was a reasonable way to isolate your own infrastructure from fluctuations in the public DNS. For instance, you cannot lose control of your .corp domain because your registrar is compromised—you never really own it in the first place. Using a TLD such as .corp rather than a bare TLD consisting of the company name is necessary because bare TLDs (such as “to”) cannot be resolved in Microsoft environments. (Microsoft sometimes uses “CORP” in reference material, in the for of contoso.corp: Michael Platts, DNS Client Name Resolution behavior in Windows Vista vs. Windows XP <>, April 2009, retrieved 2012-06-16.)

Given that there not just one, but six applications for the .corp TLD, it is likely that this round of new top-level domains under the ICANN DNS root will lead to public resolution of .corp domain names, giving results which do not match those expected from a custom .corp TLD inside a company. The availability of top-level domains for registration radically changes the picture and seriously questions the usefulness of custom TLDs (or the wisdom of an aggressive increase in the TLD count, if you wish). In addition, further registration rounds with less cost for applicants seem very likely.

What does this mean in practice? Anybody who registers a domain under .corp in good faith (if they become available for registration eventually) might be surprised to learn that it is not usable due to these collisions. In many cases, users at companies which have deployed a custom .corp TLD will not be able to view web pages hosted on public .corp domains. Worse, systems run by registrants of .corp domains might receive leaked data (particularly email) from systems using a previously-internal .corp subdomain. Defensive registrations are problematic because if there is a collision for a particular subdomain, only one party can be delegated that subdomain.

In order to get an idea how widespread custom .corp TLDs are, I compiled the following table from message headers posted to public mailing lists and published proxy auto-configuration files. Some of the information could be outdated because there is no way to refute that an organization uses a particular DNS name space internally.

bank.corpWells Fargo (specifically,
easynet.corpEasynet Global Services
intra.corpTBA Group (grupotba.intra.corp in particular)
kls.corpKLS Diversified Asset Management LP
mail.corpDyn (could be Zimbra misconfiguration)
nmhg.corpNACCO Materials Handling Group
wrcapital.corpWR Platform Advisors LP

Even this short list contains a collision, and it is reasonable to expect that for the generic names (bank.corp, hq.corp, intra.corp, m.corp, mail.corp) more collisions exist in the wild. As mentioned above, for these names, defensive registrations are difficult and may not be completely effective.

It is unclear whether any of the applicants is aware of this situation and has applied for this TLD specifically because many companies are practically forced to block registration of certain names. For previous new TLDs, such protective action was fueled by trademark and brand protection concerns, but this time, there is a technical reason as well. The situation could end up being comparable to that of the .xxx top-level domain, where the registry offers, at a higher price, non-delegating registrations which are not attributed to the registrant. For registrants, hiding their affiliation with the .corp registry is likely not a high priority. But the .xxx model has a key property which would be useful for .corp: Non-delegating registrations can be sold to multiple registrants at the same time. If this is implemented, all companies interested in blocking, say, mail.corp could ensure that it remains blocked.

But if a company cannot obtain the registration of a .corp domain name it uses, and cannot prevent others from obtaining it, either, then there is only one feasible long-term option: rename all your hosts, so that they are within a name space controlled by the company. For some companies in the table above, this would be a costly multi-year effort.


Florian Weimer
Home Blog (DE) Blog (EN) RSS Feeds Impressum