Azure updates for Microsoft Corporate Domains

[edwa001]

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

• Description of Organization

• Robust Reason for PSL Inclusion

• DNS verification via dig

• Run Syntax Checker (make test)

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section

Submitter affirms the following:

• We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)

• This request was not submitted with the objective of working around other third-party limits

• The Guidelines were carefully read and understood, and this request conforms
• The submission follows the guidelines on formatting and sorting

---

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

• Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

---

Description of Organization

Microsoft Azure is the world's computer. Microsoft empowers every individual and every organization on earth to achieve more.

Organization Website:

https://www.microsoft.com/

Reason for PSL Inclusion

We seek to have segmentation of these namespaces to appropriately isolate cookie and other divisions within browsers and applications. Similar to prior requests made by or on behalf of the Corporate Domains division at Microsoft, these requests contribute to the stable, secure and resilient operation of Azure on behalf of its customers and partners.

Number of users this request is being made to serve:

Azure currently supports millions of users.

DNS Verification via dig

Results of Syntax Checker (make test)

[dnsguru]

Did you mean to remove East Asia?

I missread the diff summary, please disregard

[dnsguru]

Please notify us when the DNS TXT records are in place

[dnsguru]

This has been reviewed via telephone call to MS Corporate Domains Division to confirm this was submitted with their understanding and approval.

[mozfreddyb]

This has been reviewed via telephone call to MS Corporate Domains Division to confirm this was submitted with their understanding and approval.

In the interest of transparency, what did that validation look like? Do you have their number or do they have yours?
Does this skip any of the other validation or do we still expect them to have _psl TXT records (I hope the latter).

How do we want that process to look like in the future?

[dnsguru]

They will still need to place DNS TXT In this case, it was a new submitter to the repo, so I verified that the new submitter was indeed a Microsoft representative and spoke with the head of Microsoft Corporate Domains on a teams call about their submission. I have met this person through mutual attendance of ICANN meetings. In the call, I explained they will need to DNS validate and they identified that they will perform that step and update the pull request comments.

…

On Thu, Nov 9, 2023, 12:29 AM Frederik Braun ***@***.***> wrote: This has been reviewed via telephone call to MS Corporate Domains Division to confirm this was submitted with their understanding and approval. In the interest of transparency, what did that validation look like? Do you have their number or do they have yours? Does this skip any of the other validation or do we still expect them to have _psl TXT records (I hope the latter). How do we want that process to look like in the future? — Reply to this email directly, view it on GitHub <#1891 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACQTJNITIWWJJXUCXGZR4LYDSH5TAVCNFSM6AAAAAA7DWDL7OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBTGM3DKMZYGE> . You are receiving this because you were assigned.Message ID: ***@***.***>

[simon-friedberger]

This would be a great opportunity to ensure that all MS domains have a _psl. DNS entry.

[dnsguru]

We historically have _suggested_ but have not required for this for legacy names.

…

On Thu, Nov 9, 2023, 11:55 PM simon-friedberger ***@***.***> wrote: This would be a great opportunity to ensure that all MS domains have a _psl. DNS entry. — Reply to this email directly, view it on GitHub <#1891 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACQTJK2RXSSZ4HQZJ2XFRLYDXMVPAVCNFSM6AAAAAA7DWDL7OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBVGI2TINRQGY> . You are receiving this because you were assigned.Message ID: ***@***.***>

[dnsguru]

Hi @edwa001 - in performing reviews of the DNS I noticed that the proof items were not present in doing the TXT record look ups to correspond with the request. Working from the bottom up in the request, I checked the last three entries.

$ nslookup -type=txt _psl.servicebus.windows.net
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find _psl.servicebus.windows.net: NXDOMAIN

$ nslookup -type=txt _psl.blob.core.windows.net
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find _psl.blob.core.windows.net: NXDOMAIN

$ nslookup -type=txt _psl.trafficmanager.net
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find _psl.trafficmanager.net: NXDOMAIN

[Peter253545]

Since domains issued on cloudapp.azure.com are in the format <label>.<region>.cloudapp.azure.com shouldn't the rule be *.cloudapp.azure.com so that domains issued to vms in the same region are treated as different?

[edwa001]

Thank you for calling that out, I have updated it to the wildcard

[edwa001]

Due to a misunderstanding the validation records have been added under the root of each domain. I will work on getting the _psl records added however there is a lot of bureaucratic process involved and it may take a while. Will the domain root validation records work for the sake of this pull request?

[edwa001]

@dnsguru As I updated one of the entries to a wildcard, can you please help validate the ordering once more?

[dnsguru]

@edwa001 please drop cloudapp.net to just above trafficmanager.net

[edwa001]

Updated order as requested

[dnsguru]

Perfect. Good to go.

[dnsguru]

• Sorted to Guidelines
• DNS TXT = Pull Request URL
• Tests Pass
• No conflict with base

APPROVED