I work for the University of Mainz.
We were considering adding our main domain to the Public Suffix List maintained by Mozilla, essentially for two reasons:
- We delegate the control of many subdomains to faculties or institutes, so we probably should not allow setting “supercookies”.
- For planning Let's Encrypt rollouts we do not have any reliable upper count of certificates per week, since the subdomain owners can (and, since some of them are already using LE, will) make our life “hard”.
Now the problem with the PSL is the policy and a technical pitfall:
- You cannot add PSL entries for bypassing rate limits (or moving them to subdomains).
- Even providing valid reasons (as RWTH Aachen did in April) will not lead to predictable results: their PR for the addition (despite their having ~1000 subdomains delegated to other entities) is just ignored and lingers around.
- By using the PSL, we configure parts of our environment far outside of our environment. The PSL has an impact on browsers and DMARC, but the control lies with two or four maintainers of the list. Those maintainers are not our admins; they should not be able to control anything within our environment. If our network admins decide that we should regard our main domain as a public suffix, then they should be able to set appropriate records and not discuss that matter with any external entity.
So I'd propose allowing determination of public suffixes with an alternative approach: ask the DNS for _ispublicSuffix.example.com or something like that, and allow admins to control their environment.
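To make the "supercookie" and DMARC effects concrete, here is an added example (not code from the original poster, nor from Mozilla's PSL project): a minimal implementation of the Public Suffix List matching algorithm, the registrable domain derived from it (which DMARC uses as the organizational domain), and the Domain= check browsers base on it. The rule set is a constructed fragment, not the real list, and the `uni-mainz.de` rule is hypothetical; it is added only to show what listing the university's main domain would change. The proposed `_ispublicSuffix` DNS lookup is not modelled, since the post leaves its record format open.

```python
# Added example, not code from the original post. A minimal implementation of
# the Public Suffix List matching algorithm (publicsuffix.org/list), the
# "registrable domain" derived from it (what DMARC calls the organizational
# domain), and the cookie Domain= check browsers base on it. The rule set is a
# CONSTRUCTED fragment; the "uni-mainz.de" rule is HYPOTHETICAL and exists only
# to show what listing the university's main domain would change.

PSL_WITHOUT_ENTRY = """
// constructed fragment, not the real list
de
com
*.ck
!www.ck
"""

# Hypothetical: the same fragment with the university's main domain listed.
PSL_WITH_ENTRY = PSL_WITHOUT_ENTRY + "uni-mainz.de\n"


def parse_rules(text):
    """Parse PSL text into (labels, is_exception) tuples; '//' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if not line:
            continue
        exception = line.startswith("!")
        labels = line.lstrip("!").lower().split(".")
        rules.append((labels, exception))
    return rules


def _labels(host):
    return host.lower().rstrip(".").split(".")


def _matches(rule_labels, host_labels):
    """Compare labels right to left; '*' matches exactly one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """Public suffix of host: an exception rule wins, else the matching rule
    with the most labels, else the implicit '*' rule (i.e. the TLD)."""
    host_labels = _labels(host)
    matching = [r for r in rules if _matches(r[0], host_labels)]
    exceptions = [r for r in matching if r[1]]
    if exceptions:
        prevailing = exceptions[0][0][1:]          # drop the leftmost label
    elif matching:
        prevailing = max(matching, key=lambda r: len(r[0]))[0]
    else:
        prevailing = ["*"]
    return ".".join(host_labels[-len(prevailing):])


def registrable_domain(host, rules):
    """Public suffix plus one label (DMARC's organizational domain), or None
    when the host is itself a public suffix."""
    host_labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def cookie_domain_allowed(request_host, domain_attr, rules):
    """Whether a browser accepts 'Set-Cookie: ...; Domain=<domain_attr>' from
    request_host: the host must be the domain or below it, and the domain must
    not be a public suffix (that is the rule that blocks 'supercookies')."""
    request_host = request_host.lower().rstrip(".")
    domain_attr = domain_attr.lower().strip(".")
    if not (request_host == domain_attr or request_host.endswith("." + domain_attr)):
        return False
    return domain_attr != public_suffix(domain_attr, rules)


if __name__ == "__main__":
    for name, text in (("without entry", PSL_WITHOUT_ENTRY),
                       ("with entry", PSL_WITH_ENTRY)):
        rules = parse_rules(text)
        print(name,
              "| organizational domain of institut.uni-mainz.de:",
              registrable_domain("institut.uni-mainz.de", rules),
              "| Domain=uni-mainz.de cookie from institut.uni-mainz.de allowed:",
              cookie_domain_allowed("institut.uni-mainz.de", "uni-mainz.de", rules))
```

Without the entry, a host under a delegated institute can set a cookie with `Domain=uni-mainz.de` that every other subdomain receives; with the entry, that Domain= value is refused, and the DMARC organizational domain of `institut.uni-mainz.de` becomes the institute's own name instead of `uni-mainz.de`, which is the DMARC side effect the post refers to.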