[dns-operations] subzone delegation best practice
m3047 at m3047.net
Wed Sep 26 16:44:33 UTC 2018
(This is more "operations that the DNS affects" than "operation of the
TLDR: You're a Pseudo TLD. Understand what that means. Act appropriately.
So you have a situation where you're delegating to an independent party to
operate, but the presumed sanction for delegees who fail to comport
themselves properly... removing their delegation... is not an option.
Even if you put them all under a secondary (branded) domain, they can
still debase and disrupt each other if the secondary domain becomes
recognized as "bad".
You can either put contractual language in place stipulating
responsibilities and remedies, or not. Even with contractual obligations,
they mean mostly nothing without ongoing monitoring and enforcement. Let's
assume that letting people do whatever they want and governing arbitrarily
by exception is going to end badly for your reputation: your customers
will deem you capricious and evasive regarding operating conditions, and
the internet at large will deem you nonresponsive and just plain stinky.
Congratulations, you're a pseudo TLD (PTLD). You might start wondering
exactly how you ended up in this business, and why you wanted to be there.
I'm going to point out one additional issue with web services in
particular which in turn leads to a measure which all PTLDs should take,
and although it's scaled far better than I ever imagined possible I
hesitate to call it the "solution": Where would the web be without
I bet it would be really cool to issue supercookies for .tld, but I can't
because the browsers won't let me (or at least I hope so). Your customers
under this domain (a PTLD) can likely do the same thing. You might not
want your customers setting cookies in your own domain; this would be a
good reason not to delegate subdomains under your own web-friendly domain
and instead corral them in a separate, secondary domain.
Why can't I set cookies for .tld? Because browsers avail themselves of
something called a "public suffix list" (PSL). Here is the essentially
canonical one: https://publicsuffix.org/
If you are running a PTLD, you need to get yourself listed in the public
I don't know what "vendor" does, perhaps they sell imported rabid weasels
or ice cream sandwiches. But if they're selling threat indicators, they
should be cleaning that data against the PSL. They're motivated to do so.
Why? Because threat indicator vendors are pathologically afraid of false
positives. Nobody wants to block .uk or .com. But maybe .bid or tk. ;-)
There's a reason. Don't be like them.
There is a behavioral component as well. Sometimes people block things
just because the risk is low: there is no perceived business case for
employees (in particular) to visit certain sites or receive email from
them. A popular (in the marketplace) option is blocking newly
(observed|registered|changed) domains based on the rationalization that
our company isn't going to be doing business with a company that just put
up its web site yesterday. Except for exceptions, of course.
Fred Morris, internet plumber
ronin, currently serving no one
On Wed, 26 Sep 2018, Michele Neylon - Blacknight wrote:
> Our issues were primarily "web" related.
> Up until a couple of years ago anyone who signed up for a shared hosting
> account with ourselves was assigned a "temporary" subdomain off our main
> domain name. Unfortunately even when they had their own domains people
> kept referencing the placeholder and when their sites got infected or
> compromised ..
> On 09/26/2018 05:23 AM, Michele Neylon - Blacknight wrote:
> > We’ve had some “interesting” issues with subdomains getting compromised
> > and some vendors deciding to blacklist *.ourbrand.tld
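The PSL cleaning step described above (an indicator vendor dropping entries that are themselves public suffixes, and a browser refusing a cookie for a listed PTLD), as an added example that is not part of the original post. The PSL excerpt, the `hosting.example` PTLD entry and the indicator feed are all constructed; a real deployment would load the list from https://publicsuffix.org/.

```python
# Added example, not from the post: a minimal Public Suffix List matcher
# that implements the exact, wildcard ("*.") and exception ("!") rules,
# then uses it to clean a constructed indicator feed.

PSL_SNIPPET = """
// constructed excerpt in PSL syntax (not the real list)
com
uk
co.uk
tk
// wildcard: every label directly under ck is a public suffix...
*.ck
// ...except www.ck, which is a registrable domain
!www.ck
// a hosting operator that listed its pseudo-TLD (constructed name)
hosting.example
"""

def parse_psl(text):
    """Return the set of rules, skipping comments and blank lines."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}

RULES = parse_psl(PSL_SNIPPET)

def public_suffix(domain, rules):
    """Longest matching public suffix; unlisted TLDs fall back to the
    implicit '*' rule, i.e. the bare TLD is the suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + candidate in rules:       # exception rule wins outright
            return parent
        if candidate in rules or (parent and "*." + parent in rules):
            return candidate               # first hit is the longest match
    return labels[-1]

def registrable_domain(domain, rules):
    """eTLD+1: the name a browser will accept a cookie for, or None when
    the name is itself a public suffix (a TLD or a listed PTLD)."""
    labels = domain.lower().strip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def clean_indicators(indicators, rules):
    """Split a feed into (keep, dropped): a public suffix is dropped, since
    blocking it would block every innocent customer beneath it."""
    keep, dropped = [], []
    for name in indicators:
        (dropped if registrable_domain(name, rules) is None else keep).append(name)
    return keep, dropped

# constructed feed mixing real hostnames with whole suffixes
FEED = ["evil.example.co.uk", "hosting.example", "tk",
        "badguy.hosting.example", "www.ck"]
```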