[dns-operations] subzone delegation best practice

Michele Neylon - Blacknight michele at blacknight.com
Wed Sep 26 12:23:19 UTC 2018

We’ve had some “interesting” issues with subdomains getting compromised and some vendors deciding to blacklist *.ourbrand.tld.
So based on our experience I’d avoid it ☺

Letting a 3rd party use a separate domain OR a subdomain of a secondary domain name makes more sense for us at least.



Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Sue Steffen <lilycrown at gmail.com>
Date: Tuesday 25 September 2018 at 19:33
To: "dns-operations at lists.dns-oarc.net" <dns-operations at lists.dns-oarc.net>
Subject: [dns-operations] subzone delegation best practice

I would like to get the opinions of this list concerning subzone delegations to 3rd parties.

We have a very recognizable zone name, xyz.com. We have many publicly facing URLs and the usual email protection records: DKIM, SPF, DMARC. We are very concerned about protecting our brand.

We also have a multitude of 3rd party vendors providing various niche services. These vendors want to have subzones delegated to them so they can manage their own email-related records and such. Most of them we have set up with their own domains to use on our behalf (like xyz-them.com, xyz-those.com, etc). We constantly get requests to use a subzone off of our main zone for these vendors (like them.xyz.com, those.xyz.com).

Is it preferable to have 3rd parties use an entirely separate zone, thus protecting the reputation of our primary zone?  I worry about a mistake by a vendor causing our main zone to be blacklisted.

Or is it preferable to use subzones off of the main zone, thus giving the public comfort that they are clicking a link or receiving an email from a valid xyz.com site?

How does your firm handle 3rd party delegations?

Thanks for your thoughts,

Sue Steffen
