> However, internal domains should have their top domain externally registered and controlled
Not necessarily. `.internal` exists for that purpose, and people have historically used `.lan` for similar purposes. There's no particular reason internal names need to have resolvable DNS names of any kind, if they're not going to be externally accessible, unless you're trying to do something like dns-01.
> Not necessarily. `.internal` exists for that purpose …
`.internal` is being considered for that purpose:
> IANA has performed an evaluation to determine a suitable string to be reserved for the purpose of a top-level domain that may be used for internal or private use applications. The string “INTERNAL” has been identified as appropriate for this purpose.
> In accordance with the process described by ICANN, this assessment will be put for a public comment proceeding, followed by review and potential adoption by ICANN.
> There's no particular reason internal names need to have resolvable DNS names of any kind […]
Sure there are: for putting into a certificate which can be linked to a public certificate authority (CA) so that users don't have to install a custom/private CA just to use internal services. I'm at a place where the dumbass team before me used an internal-only TLD (lan/local/internal), and now we (the new team) can't issue certs for things internally.
I did specifically say "unless you're trying to do something like dns-01". If you want to issue public certificates for your internal domains, by all means use a public name for them.
In my experience, you can and will encounter a situation with conflicting resolution of .internal unless the use is all properly scoped to broadcast and administrative zones (ha ha ha fat chance, though respect to anyone who really tries).
.lan, .home, and similar have the issue that they aren't actually reserved so they can conflict (see the land-grab of .dev that Google did after ICANN opened up TLDs).
The one way that has the most stability (and is the best recommendation I have seen) is to have a publicly reserved zone, which doesn't need to have anything other than NS records pointing to hostnames visible from your internal networks (I am always tempted to have essentially NS -> AAAA + PTR pointing at an anycast internal v6 address).
Turns out it does not need to be a separate domain from some other domain of yours; it can be, let's say, i.your-company-name.com. I am partial to your-company-name.net., but that can be confusing for less computer-crazy people.
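The delegation described in the post above, written out as a constructed BIND-style zone example (not the commenter's own configuration). It uses the i.your-company-name.com name from the post; the ULA addresses and host names are made up for illustration.

```dns
; --- Public parent zone (hosted on your registrar's / public nameservers) ---
; Constructed example. Only the delegation (NS + glue) for "i" is public;
; no internal host names ever appear here.
$ORIGIN your-company-name.com.
$TTL 3600
@        IN SOA  ns1.your-company-name.com. hostmaster.your-company-name.com. (
                 2024010101 7200 900 1209600 300 )
@        IN NS   ns1.your-company-name.com.
ns1      IN AAAA 2001:db8::53          ; public nameserver (documentation prefix)

i        IN NS   ns1.i.your-company-name.com.
ns1.i    IN AAAA fd12:3456:789a::53    ; glue: internal-only (ULA) address

; --- Internal zone i.your-company-name.com (served only on the inside) ---
; The registered parent guarantees the name cannot be claimed by anyone else,
; while records below this cut are reachable only from your networks.
$ORIGIN i.your-company-name.com.
$TTL 300
@        IN SOA  ns1.i.your-company-name.com. hostmaster.your-company-name.com. (
                 2024010101 3600 600 604800 300 )
@        IN NS   ns1.i.your-company-name.com.
ns1      IN AAAA fd12:3456:789a::53
wiki     IN AAAA fd12:3456:789a::10
git      IN AAAA fd12:3456:789a::11
; Note: because ns1.i is not reachable from the internet, a public CA cannot
; query _acme-challenge TXT records in this zone; dns-01 for these names needs
; the challenge records published in a zone the CA can actually reach.
```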