I'm not sure what went wrong there. I ended up with 10 terminators being created and immediately removed due to them being duplicates apparently - not sure what logic I somehow did 
This has the following reason: We also use our company TLD for the ZITI services. But we do have our domain available to the public and several subdomains for other, publicly accessible services, such as websites but also the ziti controller on zt.mydomain.com.
Oh my gosh! - I just figured this out while typing
How can a wildcard work if the controller & routers are all accessible via the same TLD and therefore intercepted...?!
But maybe it would be nice to introduce a naming convention like server1.ssh.mydomain.com, or at least server1.zitified.mydomain.com?
Any experience from customers here on your end? How do you do this "internally" at NetFoundry?
It should be OK to have your controller and routers in addresses that happen to be intercepted.
For IP-addressed controllers and routers, the tunnelers avoid intercepting their own outbound connections by creating so-called "exclusion routes" to ensure that those IPs aren't intercepted. These are just routes in the routing table that direct the packets going to the IP through the system's default gateway instead of the tun device.
For controllers that are addressed by hostname it's really the same thing. Whenever the tunneler learns about its controller or a new edge router, it first resolves the hostname and adds an exclusion route for the resulting IP. The only added complexity here is that the tunneler's DNS server would be providing the answer for the hostname, so you'd have exclusion routes for IPs that are in the tunneler's DNS IP range.
I can't speak to what customers do, but I generally like to make specific domains for my ziti services - usually "*.ziti" or some variation for clarity.
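As an added illustration of the exclusion-route logic described in the reply above (this is not ziti-edge-tunnel's own code), the following simulates the decision with a constructed intercept list, a constructed DNS table and a constructed tunneler DNS range:

```python
import ipaddress

# Constructed sample configuration; not taken from a real deployment or from ziti-edge-tunnel.
INTERCEPTED_DOMAINS = {"*.mydomain.com", "server1.ssh.mydomain.com"}
TUNNELER_DNS_RANGE = ipaddress.ip_network("100.64.0.0/10")   # range the tunneler's DNS answers from
DEFAULT_GATEWAY = "192.0.2.1"                                # system default gateway (constructed)

# Constructed stand-in for DNS lookups (RFC 5737 documentation addresses).
FAKE_DNS = {
    "zt.mydomain.com": "203.0.113.10",      # controller, answered with its public IP
    "er1.mydomain.com": "100.64.0.9",       # edge router name answered from the tunneler's DNS range
}

def is_intercepted(hostname, domains=INTERCEPTED_DOMAINS):
    """True when hostname matches an exact or wildcard ('*.example') intercept address."""
    name = hostname.lower().rstrip(".")
    for pattern in domains:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # '*.mydomain.com' covers any label under the domain but not the apex itself
            if name.endswith(pattern[1:]) and name != pattern[2:]:
                return True
        elif name == pattern:
            return True
    return False

def exclusion_routes(infrastructure, resolve=FAKE_DNS.get, gateway=DEFAULT_GATEWAY):
    """Return the exclusion route the tunneler needs for each controller/router address.

    An IP address is used as-is; a hostname is resolved first. The route is a /32 via the
    default gateway, so traffic to that host bypasses the tun device even when the host's
    name also falls inside an intercepted domain."""
    routes = {}
    for addr in infrastructure:
        try:
            ip, hostname = ipaddress.ip_address(addr), None
        except ValueError:                       # not an IP literal: resolve the hostname
            answer = resolve(addr)
            if answer is None:
                continue                         # unresolvable: nothing to exclude yet
            ip, hostname = ipaddress.ip_address(answer), addr
        routes[addr] = {
            "route": f"{ip}/32 via {gateway}",
            "name_intercepted": hostname is not None and is_intercepted(hostname),
            "ip_in_tunneler_dns_range": ip in TUNNELER_DNS_RANGE,
        }
    return routes

if __name__ == "__main__":
    for addr, info in exclusion_routes(["zt.mydomain.com", "er1.mydomain.com", "198.51.100.7"]).items():
        print(addr, info)
```

The `ip_in_tunneler_dns_range` flag marks the case the reply mentions, where the answer for an infrastructure hostname comes from the tunneler's own DNS range and the exclusion route therefore points at an IP inside that range.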
Thanks, I've spun up a new service that uses a .ziti TLD.
When trying to use the service I'm getting the error
service hdr427wpfKVRPS0gX5BVO has no terminators for instanceId el01.mydomain.ziti
But I can see there are two terminators for el01.mydomain.de; notice the .de instead of .ziti, which is how the identity was named before. How can I trigger a "reset" for the terminator to be bound to the new name?
I ended up restarting the ziti-edge-tunnel which uses the identity, which worked.