[dns-operations] subzone delegation best practice

m3047 m3047 at m3047.net
Wed Sep 26 16:44:33 UTC 2018

(This is more "operations that the DNS affects" than "operation of the 
DNS". Nonetheless.)

TLDR: You're a Pseudo TLD. Understand what that means. Act appropriately.

So you have a situation where you're delegating to an independent party to 
operate, but the presumed sanction for delegees who fail to comport 
themselves properly... removing their delegation... is not an option.

Even if you put them all under a secondary (branded) domain, they can 
still debase and disrupt each other if the secondary domain becomes 
recognized as "bad".

You can either put contractual language in place stipulating 
responsibilities and remedies, or not. Even with contractual obligations, 
they mean mostly nothing without ongoing monitoring and enforcement. Let's 
assume that letting people do whatever they want and governing arbitrarily 
by exception is going to end badly for your reputation: your customers 
will deem you capricious and evasive regarding operating conditions, and 
the internet at large will deem you nonresponsive and just plain stinky.

Congratulations, you're a pseudo TLD (PTLD). You might start wondering 
exactly how you ended up in this business, and why you wanted to be there.

I'm going to point out one additional issue with web services in 
particular which in turn leads to a measure which all PTLDs should take, 
and although it's scaled far better than I ever imagined possible I 
hesitate to call it the "solution": Where would the web be without 

I bet it would be really cool to issue supercookies for .tld, but I can't 
because the browsers won't let me (or at least I hope so). Your customers 
under this domain (a PTLD) can likely do the same thing. You might not 
want your customers setting cookies in your own domain; this would be a 
good reason not to delegate subdomains under your own web-friendly domain 
and instead corral them in a separate, secondary domain.

Why can't I set cookies for .tld? Because browsers avail themselves of 
something called a "public suffix list" (PSL). Here is the essentially 
canonical one: https://publicsuffix.org/

If you are running a PTLD, you need to get yourself listed in the public 
suffix list.

I don't know what "vendor" does, perhaps they sell imported rabid weasels 
or ice cream sandwiches. But if they're selling threat indicators, they 
should be cleaning that data against the PSL. They're motivated to do so.

Why? Because threat indicator vendors are pathologically afraid of false 
positives. Nobody wants to block .uk or .com. But maybe .bid or tk. ;-) 
There's a reason. Don't be like them. 

There is a behavioral component as well. Sometimes people block things 
just because the risk is low: there is no perceived business case for 
employees (in particular) to visit certain sites or receive email from 
them. A popular (in the marketplace) option is blocking newly 
(observed|registered|changed) domains based on the rationalization that 
our company isn't going to be doing business with a company that just put 
up its web site yesterday. Except for exceptions, of course.


Fred Morris, internet plumber
ronin, currently serving no one

On Wed, 26 Sep 2018, Michele Neylon - Blacknight wrote:
> [...]
> Our issues were primarily "web" related.
> Up until a couple of years ago anyone who signed up for a shared hosting 
> account with ourselves was assigned a "temporary" subdomain off our main 
> domain name. Unfortunately even when they had their own domains people 
> kept referencing the placeholder and when their sites got infected or 
> compromised ..
> [...]
>    On 09/26/2018 05:23 AM, Michele Neylon - Blacknight wrote:
>    > We’ve had some “interesting” issues with subdomains getting compromised
>    > and some vendors deciding to blacklist *.ourbrand.tld
>    >
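As an added illustration (not part of Fred's post or the thread), the following Python implements the public suffix matching algorithm published at publicsuffix.org over a small constructed PSL excerpt, and then uses it for the two checks the post discusses: the browser-side rule that a cookie's Domain attribute may not be a public suffix (so a tenant under a listed hosting domain cannot set cookies for the parent), and the indicator-hygiene check a threat feed vendor would apply so it never ships an indicator that is itself a public suffix. All domain names in the excerpt (hosted-sites.example, tenants.example, ourbrand.example) are hypothetical.

```python
# Public Suffix List matching, as an added example for the thread above.
# The excerpt below is constructed for illustration; it is NOT the real PSL.
# Format follows publicsuffix.org: one rule per line, '!' marks an exception
# rule, '*' a wildcard label, '//' begins a comment.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Hypothetical hosting provider that corrals customer sites under a
// secondary domain and lists it so browsers treat it like a TLD.
hosted-sites.example
*.tenants.example
!portal.tenants.example
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Return the list of rules from PSL-formatted text, comments dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when its labels equal the domain's rightmost labels;
    a '*' label in the rule matches any single domain label."""
    if len(rule_labels) > len(domain_labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(domain_labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(hostname, rules):
    """Public suffix of hostname per the publicsuffix.org algorithm."""
    labels = hostname.lower().rstrip(".").split(".")
    matching = []
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            matching.append((is_exception, rule_labels))
    if not matching:
        prevailing = ["*"]            # no rule matched: the TLD is the suffix
    else:
        exceptions = [rl for exc, rl in matching if exc]
        if exceptions:
            prevailing = exceptions[0][1:]   # exception wins; drop leftmost label
        else:
            prevailing = max((rl for _, rl in matching), key=len)
    return ".".join(labels[-len(prevailing):])


def registrable_domain(hostname, rules):
    """Public suffix plus one label, or None if hostname is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Browser-style check: Domain= must not be a public suffix, and must be the
    request host or one of its parent domains. Simplified model of what
    browsers do with the PSL; not any particular browser's code."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if public_suffix(dom, rules) == dom:
        return False
    return host == dom or host.endswith("." + dom)


def is_overbroad_indicator(indicator, rules):
    """Feed hygiene: a domain indicator equal to a public suffix would block
    every registrant beneath it (the *.ourbrand.tld problem in the thread)."""
    d = indicator.lower().strip(".")
    return public_suffix(d, rules) == d


RULES = parse_psl(PSL_EXCERPT)

if __name__ == "__main__":
    # Listed secondary domain: tenant cannot scope a cookie to the parent.
    print(cookie_domain_allowed("www.cust.hosted-sites.example",
                                "hosted-sites.example", RULES))
    # Unlisted brand domain: a tenant CAN set cookies for the whole brand.
    print(cookie_domain_allowed("cust.ourbrand.example",
                                "ourbrand.example", RULES))
    # Indicator that would blacklist an entire public suffix.
    print(is_overbroad_indicator("hosted-sites.example", RULES))
```

The two `cookie_domain_allowed` calls in the `__main__` block make the post's point concrete: the listed `hosted-sites.example` is treated like a TLD, so customers cannot set cookies for it, while an unlisted brand domain lets every delegee set cookies that all other tenants (and the brand's own site) will receive.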
