Alternate Public-Suffix determination


#1

Hello everybody,

I work for the university of mainz.
we were considering adding our main domain to the Public-Suffix-List maintained by Mozilla - essentially for two reasons:

  1. We delegate the control of many subdomains to faculties or institutes, so we probably should not allow setting “supercookies”.
  2. For planning Lets-Encrypt Rollouts we do not have any relyable upper count of certificates per week, since the subdomain owners can (and since some of them are using LE already, will) make our life “hard”.

Now the problem with the psl is the policy and a technical pitfall:

  1. You cannot add psl entries for bypassing (or moving it to subdomains) rate limits
  2. Even providing valid reasons (like RWTH Aachen did in April) will not lead to predictable results - the PR for the addition from them (despite having ~1000 subdomains delegated to other entities) is just ignored and lingers around.
  3. By using the PSL, we configure parts of our environment way outside of our environment. The PSL has impact to browsers and DMARC, but the control lies with 2 or 4 maintainers of the list. That maintainers are not our Admins - they should not be able to control anything within our environment. If our network admins decide, we should regard our main domain as public suffix, then they should be able to set appropriate records and not discuss that matter with any external entity.

So I’d propose to allow determination of public-suffixes with an alternate approach: ask the DNS for _ispublicSuffix.example.com or something like that, and allow admins to control their environment.


#2

For what it’s worth:

There was an IETF Working Group working on domain boundaries. I’m not sure what happened, it looks like it ended without reaching consensus.

https://datatracker.ietf.org/wg/dbound/about/

You can request a rate limit increase from Let’s Encrypt. They should be happy to do it. You or someone else from the university just have to fill out the form and wait a few weeks. :slight_smile: (It’s not immediate, but you won’t get held up in limbo.)


#3

Thanks for your answer - the DBOUND looks like it could somewhen solve that problem with the dependency on the psl-maintainers. Also I did not want to be harsh to them personally, but I don’t think it’s any good practice to rely on external entities for my configuration.

Probably LE is in a position to define or at least heavily influence such a standard :slight_smile:

Event though I think raising the Rate Limit isn’t really a solution for the problem (but eases the pain), I’ll request it. Do you by any chance have an idea what a proper upper rate limit would be?
There’ll roughly be 800 DNS names which are out of our control and about 1500 which we control directly, but are structured in subdomains. What’s sensible to go for without beeing outragous?


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.