Alternate Public-Suffix determination

glatzert · August 28, 2018, 7:35am

Hello everybody,

I work for the university of mainz.
we were considering adding our main domain to the Public-Suffix-List maintained by Mozilla - essentially for two reasons:

We delegate the control of many subdomains to faculties or institutes, so we probably should not allow setting “supercookies”.
For planning Lets-Encrypt Rollouts we do not have any relyable upper count of certificates per week, since the subdomain owners can (and since some of them are using LE already, will) make our life “hard”.

Now the problem with the psl is the policy and a technical pitfall:

You cannot add psl entries for bypassing (or moving it to subdomains) rate limits
Even providing valid reasons (like RWTH Aachen did in April) will not lead to predictable results - the PR for the addition from them (despite having ~1000 subdomains delegated to other entities) is just ignored and lingers around.
By using the PSL, we configure parts of our environment way outside of our environment. The PSL has impact to browsers and DMARC, but the control lies with 2 or 4 maintainers of the list. That maintainers are not our Admins - they should not be able to control anything within our environment. If our network admins decide, we should regard our main domain as public suffix, then they should be able to set appropriate records and not discuss that matter with any external entity.

So I’d propose to allow determination of public-suffixes with an alternate approach: ask the DNS for _ispublicSuffix.example.com or something like that, and allow admins to control their environment.

mnordhoff · August 28, 2018, 7:45am

For what it’s worth:

There was an IETF Working Group working on domain boundaries. I’m not sure what happened, it looks like it ended without reaching consensus.

https://datatracker.ietf.org/wg/dbound/about/

You can request a rate limit increase from Let’s Encrypt. They should be happy to do it. You or someone else from the university just have to fill out the form and wait a few weeks. (It’s not immediate, but you won’t get held up in limbo.)

glatzert · August 28, 2018, 11:00am

Thanks for your answer - the DBOUND looks like it could somewhen solve that problem with the dependency on the psl-maintainers. Also I did not want to be harsh to them personally, but I don’t think it’s any good practice to rely on external entities for my configuration.

Probably LE is in a position to define or at least heavily influence such a standard

Event though I think raising the Rate Limit isn’t really a solution for the problem (but eases the pain), I’ll request it. Do you by any chance have an idea what a proper upper rate limit would be?
There’ll roughly be 800 DNS names which are out of our control and about 1500 which we control directly, but are structured in subdomains. What’s sensible to go for without beeing outragous?

system · September 27, 2018, 11:00am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Please consider having "subdomain+domain" not be subject to the same 5/7-days rate limit Issuance Policy	6	4148	February 20, 2016
Subdomains letsencrypt limits quotas Issuance Policy	7	1145	February 9, 2022
Temporary Domain Rate Limit Issuance Policy	3	1491	July 1, 2017
Limits in Public Suffixes List Help	4	1671	September 1, 2020
Publicsuffix/list should be replaced with dedicated solution Issuance Policy	2	1890	July 5, 2017

Alternate Public-Suffix determination

Related topics