> That's how you get conflicts.
No, it is how to avoid conflicts: by publicly claiming a namespace.
> Somebody forgets to renew the domain or thinks there's nothing there because it doesn't resolve from the public internet and now you've got a conflict with the squatter who registers it 17 seconds later and/or whoever they sell it to.
So you have the option of: theoretically losing the name space and causing conflicts because of incompetence, or the guaranteed chance of strange behaviour due to incompetence of choosing a kludgey solution.
> This also works poorly for small and medium organizations […]
But even an organization of a modicum of size needs to register a domain for being able to use e-mail. Maybe if you're a sole proprietor you'll use your gmail.com or outlook.com address for business, but once you have even a handful of employees you'll want to give each of them a 'business e-mail' at your company's name.
And once you have a company-name e-mail domain/address congratulations, you can now use the same domain for IT namespacing purposes.
And if you forget to renew you have larger problems than potentially broken internal/IT DNS: someone else changes the MX records and your company's e-mail is sent somewhere else, and you can't send out.
> No, it is how to avoid conflicts: by publicly claiming a namespace.
Which is what this is doing, by publicly claiming a namespace for anyone's internal use. Since it's internal use and there is no public use, there can't be a public conflict.
> theoretically losing the name space and causing conflicts because of incompetence
This is not theoretical. It's a major part of the squatter's business model. People don't renew their domains and then get extorted to buy them back. Happens all the time, and is significantly more likely to happen for an internal domain that has no DNS records with the registrar and doesn't appear to be in use.
> But even an organization of a modicum of size needs to register a domain for being able to use e-mail.
Which will be a different domain, often administered by different people, because it's being used for the company's public infrastructure rather than its internal network.
> Which will be a different domain, often administered by different people, because it's being used for the company's public infrastructure rather than its internal network.
Wat?
I've worked at 3-IT-person academic departments, 30-person start-ups, and 3000-person publicly traded corporations, and I've always seen the same domain used internally and externally.
The only exception is where I'm currently at, where the dumbasses who were here previously (and set things up initially) decided to use .local—instead of the sane thing, which would have been to peel off a sub-domain of the public domain we already have. I'd like to know which illegal substance they were using when that decision was made.
It's common for the people administering a company's public website and mail servers to be different people than the ones administering desktops and printers and Active Directory.
And the last of those is a major contributor to this since it wants to take over the domain it's on. You can solve this by delegating a subdomain to it, but now your internal use domain is longer, and there are security implications to this because now unrelated internal systems may e.g. have access to cookies set for the public website. Or have the ability to issue dynamic DNS updates, so an attacker who compromises a random low-level internal system can point a name inside the company's public domain to their own servers and even potentially have a TLS certificate issued to it via ACME, even if the public infrastructure hasn't been compromised.
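The cookie-scoping point in the last reply, as an added example that is not part of the thread: a small model of RFC 6265 domain matching showing which cookies set by the public site would also be sent to hosts under a delegated internal subdomain. The host names are constructed placeholders and the public-suffix check a real browser performs is left out.

```python
"""Added example (not from the thread): RFC 6265 cookie domain matching, showing
which cookies set by a public web site are also sent to hosts under a delegated
internal subdomain. Host names are constructed placeholders; the public-suffix
check of a real browser is omitted as a simplification."""
from typing import Optional

PUBLIC_HOST = "www.example.com"
INTERNAL_HOSTS = ["printer.corp.example.com", "ad01.corp.example.com"]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does request_host domain-match cookie_domain?"""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    # Suffix match on a label boundary, and the host must not be an IPv4 literal.
    is_ip = host.replace(".", "").isdigit()
    return host.endswith("." + dom) and not is_ip


def store_cookie(name: str, set_by: str, domain: Optional[str]) -> Optional[dict]:
    """Model the user agent storing a Set-Cookie header. A Domain attribute that
    does not cover the setting host is rejected; None means host-only."""
    if domain is not None and not domain_matches(set_by, domain):
        return None
    return {"name": name, "set_by": set_by.lower(), "domain": domain}


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """Would the stored cookie be attached to a request for request_host?"""
    if cookie["domain"] is None:  # host-only cookies return to that host only
        return request_host.lower() == cookie["set_by"]
    return domain_matches(request_host, cookie["domain"])


def exposure_report(hosts: list) -> dict:
    """For each way the public site might scope its session cookie, list the
    internal hosts under the delegated subdomain that would receive it."""
    variants = {
        "host-only": store_cookie("session", PUBLIC_HOST, None),
        "Domain=www.example.com": store_cookie("session", PUBLIC_HOST, "www.example.com"),
        "Domain=example.com": store_cookie("session", PUBLIC_HOST, "example.com"),
    }
    return {label: [h for h in hosts if cookie_sent_to(c, h)]
            for label, c in variants.items()}


if __name__ == "__main__":
    for label, leaked in exposure_report(INTERNAL_HOSTS).items():
        print(f"{label:23} -> {leaked or 'no internal hosts'}")
```

Only the `Domain=example.com` form reaches the internal hosts; a host-only cookie (or a `__Host-` prefixed one) stays with the public site, which is the mitigation if the subdomain delegation is kept.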