[dns-operations] subzone delegation best practice

Doug Barton dougb at dougbarton.email
Wed Sep 26 14:24:49 UTC 2018


Can you say more about that, Michele? Is this e-mail stuff you're 
talking about?

On 09/26/2018 05:23 AM, Michele Neylon - Blacknight wrote:
> We’ve had some “interesting” issues with subdomains getting compromised 
> and some vendors deciding to blacklist *.ourbrand.tld
> 
> So based on our experience I’d avoid it ☺
> 
> Letting a 3rd party use a separate domain OR a subdomain of a secondary 
> domain name makes more sense for us at least
> 
> Regards
> 
> Michele
> 
> --
> 
> Mr Michele Neylon
> 
> Blacknight Solutions
> 
> Hosting, Colocation & Domains
> 
> https://www.blacknight.com/
> 
> https://blacknight.blog/
> 
> Intl. +353 (0) 59  9183072
> 
> Direct Dial: +353 (0)59 9183090
> 
> Personal blog: https://michele.blog/
> 
> Some thoughts: https://ceo.hosting/
> 
> -------------------------------
> 
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
> 
> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
> 
> From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf 
> of Sue Steffen <lilycrown at gmail.com>
> Date: Tuesday 25 September 2018 at 19:33
> To: "dns-operations at lists.dns-oarc.net" 
> <dns-operations at lists.dns-oarc.net>
> Subject: [dns-operations] subzone delegation best practice
> 
> I would like to get the opinions of this list concerning subzone 
> delegations to 3rd parties.
> 
> We have a very recognizable zone name, xyz.com. We have 
> many publicly facing URLs and the usual email protection records DKIM, 
> SPF, DMARC.  We are very concerned about protecting our brand.
> 
> We also have a multitude of 3rd party vendors providing various niche 
> services.  These vendors want to have subzones delegated to them so 
> they can manage their own email-related records and such.  Most of them 
> we have set up with their own domains to use on our behalf (like 
> xyz-them.com, xyz-those.com, etc.).  We constantly get requests to use a 
> subzone off of our main zone for these vendors (like them.xyz.com, 
> those.xyz.com).
> 
> Is it preferable to have 3rd parties use an entirely separate zone, thus 
> protecting the reputation of our primary zone?  I worry about a mistake 
> by a vendor causing our main zone to be blacklisted.
> 
> Or is it preferable to use subzones off of the main zone, thus giving 
> the public comfort that they are clicking a link or receiving an email 
> from a valid xyz.com site?
> 
> How does your firm handle 3rd party delegations?
> 
> Thanks for your thoughts,
> 
> Sue Steffen


