
Add schuldock.de for IServ GmbH/Stadt Hamburg #2492


Merged
merged 1 commit into from
May 27, 2025


KimBrodowski
Contributor

@KimBrodowski KimBrodowski commented May 27, 2025

Public Suffix List (PSL) Submission

Checklist of required steps

  • Description of Organization
  • Robust Reason for PSL Inclusion
  • DNS verification via dig
  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _psl TXT record in place in the respective zone(s).

Note: See Reconsider exclusion of TLDs with limited registration terms · Issue #2486 · publicsuffix/list. DE domain registration terms cannot exceed 12 months and cannot be publicly queried. We commit to keep the domain alive.

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
  • This request was not submitted with the objective of working around other third-party limits.
  • The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, and responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.
  • The Guidelines were carefully read and understood, and this request conforms to them.
  • The submission follows the guidelines on formatting and sorting.
  • A role-based email address has been used and this inbox is actively monitored with a response time of no more than 30 days.

Abuse Contact: [email protected]


For PRIVATE section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies and cause other issues, and the rollback timing is acceptable. Proceed anyways.

Description of Organization

IServ GmbH is a German company providing IT solutions for the educational sector. Our main product is also called IServ. The IServ school platform is an all-in-one solution for the pedagogical side of a school's network. It provides basic functionality like e-mail, file sharing, instant messaging, calendars, a collaborative text editor etc., but also software deployment and an Active Directory domain controller as well as more education oriented features such as special examination modes for local computers and an exercise module in over 50 modules.

IServ is currently used by over 6,000 schools primarily in German-speaking regions and manages about 540,000 computers and 5,000,000 user accounts.

I'm the chief information security officer and an engineer at IServ GmbH. Previous requests for our organization have been submitted by me or my co-worker Mario Hoberg, a senior engineer at IServ GmbH.

The request is made on behalf of one of our customers, Stadt Hamburg, the 2nd largest city in Germany. We, IServ GmbH, maintain the infrastructure for this project.

We have decided to keep the record for this domain in our namespace, since the domain has been registered by us, zones are maintained by us, and we are responsible for any technical actions. Furthermore, we already have entries on the PSL for our company, so we are familiar with the processes and can maintain a closer eye over any technical requirements as they arise. Abuse contacts point to addresses provided by Stadt Hamburg, since they have organizational authority over assignments to schools. Since subdomains are not available to the general public, we do not expect any relevant abuse concerns.

Organization Website: https://iserv.de/

Reason for PSL Inclusion

We deploy IServ on-premise and cloud hosted under unique customer domains. For the city state Hamburg, one of our customers, IServ instances are deployed below schuldock.de.

Hostnames have the format s\d+.schuldock.de

Since individual schools have full control of their servers and DNS zones, we must isolate them from each other. This is why we would like the domain to be added to the PSL.

Unfortunately, it is not possible for us at this time to maintain 1 year of validity and provide 2 years of remaining validity for our de domains on the list. Our registry DENIC eG does not allow us to prolong de domains beyond the point they are already prolonged. Our domains all automatically renew. We can affirm that we will keep this in place. Of course, we will keep _psl RRs in place, as we have with all previous submissions. Please also note that expiration dates are not public for de domains.

Number of users this request is being made to serve: 250,000

Previous requests:

DNS Verification

kab@luna:~$ dig _psl.schuldock.de TXT @8.8.8.8 +short
"https://github.com/publicsuffix/list/pull/2492"

@simon-friedberger
Contributor

@KimBrodowski Since you seem to be the authors of the software, have you considered switching to host-only cookies?

@KimBrodowski
Contributor Author

> @KimBrodowski Since you seem to be the authors of the software, have you considered switching to host-only cookies?

Our own software isn't my primary concern. We don't set the domain value in cookies, which should make them bound to the current domain. We go even further and restrict our cookies to our own application path (/iserv), as well as setting the secure and http only flags. The last two of course not being all that relevant for this discussion.

The problem is that you can host pretty much everything under our domains. This is due to individual customers having full control of their DNS zones and servers. This is something that does actually happen, not just a mere thought experiment. The domains are public suffixes in the true sense of the word. It's quite convenient for customers to use our base systems for their own applications as well, since we take care of operating system updates, TLS certificates etc.

We also make use of 3rd party software that doesn't always behave correctly. We of course hope to catch those cases before they are deployed to customers, but correct browser behavior makes this safer.

PSL entries also enforce correct ratelimit behavior for 3rd parties. Before you get the pitchfork going, I know that ratelimits are a bit of a red flag around here, please let me clarify that I specifically don't mean ratelimit increases. When those are needed, we apply for those directly with e.g. Let's Encrypt and we have done so successfully multiple times in the past. The problem is that these exemptions only give you an additional increased limit, but don't stop customers from locking other customers out by doing silly or malicious things. Since these kinds of requests don't go through our infrastructure, our ability to counter or even monitor these is limited.
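Added example, not part of the thread or of IServ's code: a simplified model of RFC 6265 cookie storage showing why host-only cookies in IServ itself do not protect against other software on a sibling host setting a `Domain=schuldock.de` cookie, and how the PSL entry changes that. The hostnames `s1`/`s2` and both suffix sets are constructed for illustration; wildcard and exception rules of the real PSL are not modelled.

```javascript
// Added illustration: simplified RFC 6265 storage with a public-suffix check; suffix sets are constructed.
const PSL_BEFORE = new Set(["de"]);
const PSL_AFTER = new Set(["de", "schuldock.de"]);

// Longest matching suffix, exact rules only (no wildcard or exception rules).
function publicSuffix(host, psl) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (psl.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // implicit "*" rule
}

// RFC 6265 section 5.1.3 domain matching (IP addresses not handled here).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns null if the cookie is rejected, else how it is stored.
function storeCookie(setByHost, domainAttr, psl) {
  const host = setByHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (publicSuffix(domain, psl) === domain) {
    // A public suffix is acceptable only when it is the host itself, stored host-only.
    return domain === host ? { domain: host, hostOnly: true } : null;
  }
  return domainMatch(host, domain) ? { domain, hostOnly: false } : null;
}

// Would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed hostnames following the s\d+.schuldock.de format from the PR.
function demo(psl) {
  const wide = storeCookie("s1.schuldock.de", "schuldock.de", psl);
  const hostOnly = storeCookie("s1.schuldock.de", undefined, psl);
  return {
    wideAccepted: wide !== null,
    wideReachesS2: isSentTo(wide, "s2.schuldock.de"),
    hostOnlyReachesS2: isSentTo(hostOnly, "s2.schuldock.de"),
  };
}
console.log(demo(PSL_BEFORE), demo(PSL_AFTER));
```

With only `de` as a suffix, the domain-wide cookie is accepted and sent to `s2`; with `schuldock.de` listed, it is rejected, while host-only cookies behave the same in both cases.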

@KimBrodowski
Contributor Author

KimBrodowski commented May 27, 2025

For the record: Shared domain usage is also not default for our deployments. The overwhelming majority of customers use one or multiple dedicated domains. We don't even charge for the primary domain (within reason).

Shared domain usage is most prevalent for cloud deployments, because during the SARS-CoV-2 pandemic, we offered services free of charge, for certain customers like Stadt Hamburg, who want subdomains as part of their deployments and of course for test and development installations. The latter two actually have entries on the PSL as well, since guidelines limiting that were not present at the time these were applied for.

iserv.host, the subject of the previous PR, is something new for us. Before, we did not have a shared namespace for all customers. The software making use of that is also not live yet.

Member

@dnsguru dnsguru left a comment

Repeat submitter of previously vetted items, has demonstrated zero problematic usage and only high-integrity entries.
.DE does not allow >1Y renewals;

APPROVED

@dnsguru dnsguru merged commit ae6d715 into publicsuffix:main May 27, 2025
2 of 3 checks passed
@KimBrodowski KimBrodowski deleted the iserv-gmbh-schuldock.de branch May 27, 2025 22:00