AWS Submissions to the Public Suffix List - Q1 2024 #1919

Merged
merged 7 commits into from
May 2, 2024


erichays
Contributor

@erichays erichays commented Jan 6, 2024

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

  • Description of Organization
  • Robust Reason for PSL Inclusion
  • DNS verification via dig
  • Run Syntax Checker (make test)
  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
    AWS does not submit suffixes to the Public Suffix List to work around rate-limits of any third-party products or tooling.
  • This request was not submitted with the objective of working around other third-party limits
    Please see the Reason section below for objectives in this pull request.
  • The Guidelines were carefully read and understood, and this request conforms
  • The submission follows the guidelines on formatting and sorting

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

Description of Organization

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, offering over 200 fully featured services from data centers globally. More information about AWS is available on our website: What is AWS?

Organization Website: AWS Homepage

Reason for PSL Inclusion

These features/services have been identified by AWS Security and AWS service teams as supporting different distinct customers/resources across shared DNS suffixes. Adding these suffixes to the PSL is expected to improve the security posture of customers using our services. This may include:

  • impact to the Same-Origin Policy in modern browsers (cookies + others)
  • representation of these domains to the CA/Browser Forum
  • any other use-cases of the PSL which may benefit from updated information about multi-tenant AWS services

Number of users this request is being made to serve:

These changes are expected to impact all customers using these AWS services. This includes both AWS-internal and external customers. Specific user counts for these listed features/services are not publicly available.

Services/Features in PR:

  • Amazon Cognito
  • Amazon EMR
  • Amazon Managed Workflows for Apache Airflow
  • Amazon SageMaker Ground Truth
  • Amazon SageMaker Notebook Instances
  • Amazon SageMaker Studio
  • AWS Directory Service

DNS Verification via dig

DNS query results
auth.ap-south-2.amazoncognito.com: dig +short -t TXT _psl.auth.ap-south-2.amazoncognito.com)
"https://github.com/publicsuffix/list/pull/1919"



auth.ap-southeast-4.amazoncognito.com: dig +short -t TXT _psl.auth.ap-southeast-4.amazoncognito.com)
"https://github.com/publicsuffix/list/pull/1919"



auth.eu-central-2.amazoncognito.com: dig +short -t TXT _psl.auth.eu-central-2.amazoncognito.com)
"https://github.com/publicsuffix/list/pull/1919"



auth.eu-south-2.amazoncognito.com: dig +short -t TXT _psl.auth.eu-south-2.amazoncognito.com)
"https://github.com/publicsuffix/list/pull/1919"



auth.me-central-1.amazoncognito.com: dig +short -t TXT _psl.auth.me-central-1.amazoncognito.com)
"https://github.com/publicsuffix/list/pull/1919"



awsapps.com: dig +short -t TXT _psl.awsapps.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.ap-south-2.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.ap-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.ap-south-2.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.ap-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.ap-south-2.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.ap-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.ap-southeast-4.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.ap-southeast-4.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.ap-southeast-4.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.ap-southeast-4.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.ap-southeast-4.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.ap-southeast-4.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.ca-west-1.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.ca-west-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.ca-west-1.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.ca-west-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.ca-west-1.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.ca-west-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.eu-central-2.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.eu-central-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.eu-central-2.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.eu-central-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.eu-central-2.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.eu-central-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.eu-south-2.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.eu-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.eu-south-2.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.eu-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.eu-south-2.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.eu-south-2.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrappui-prod.il-central-1.amazonaws.com: dig +short -t TXT _psl.emrappui-prod.il-central-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrnotebooks-prod.il-central-1.amazonaws.com: dig +short -t TXT _psl.emrnotebooks-prod.il-central-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



emrstudio-prod.il-central-1.amazonaws.com: dig +short -t TXT _psl.emrstudio-prod.il-central-1.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



*.af-south-1.airflow.amazonaws.com: dig +short -t TXT _psl.af-south-1.airflow.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



*.ap-east-1.airflow.amazonaws.com: dig +short -t TXT _psl.ap-east-1.airflow.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



*.eu-south-1.airflow.amazonaws.com: dig +short -t TXT _psl.eu-south-1.airflow.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



*.me-south-1.airflow.amazonaws.com: dig +short -t TXT _psl.me-south-1.airflow.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



*.us-west-1.airflow.amazonaws.com: dig +short -t TXT _psl.us-west-1.airflow.amazonaws.com)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ap-northeast-1.sagemaker.aws: dig +short -t TXT _psl.labeling.ap-northeast-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ap-northeast-2.sagemaker.aws: dig +short -t TXT _psl.labeling.ap-northeast-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ap-south-1.sagemaker.aws: dig +short -t TXT _psl.labeling.ap-south-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ap-southeast-1.sagemaker.aws: dig +short -t TXT _psl.labeling.ap-southeast-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ap-southeast-2.sagemaker.aws: dig +short -t TXT _psl.labeling.ap-southeast-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.ca-central-1.sagemaker.aws: dig +short -t TXT _psl.labeling.ca-central-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.eu-central-1.sagemaker.aws: dig +short -t TXT _psl.labeling.eu-central-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.eu-west-1.sagemaker.aws: dig +short -t TXT _psl.labeling.eu-west-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.eu-west-2.sagemaker.aws: dig +short -t TXT _psl.labeling.eu-west-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.us-east-1.sagemaker.aws: dig +short -t TXT _psl.labeling.us-east-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.us-east-2.sagemaker.aws: dig +short -t TXT _psl.labeling.us-east-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



labeling.us-west-2.sagemaker.aws: dig +short -t TXT _psl.labeling.us-west-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



notebook-fips.us-west-1.sagemaker.aws: dig +short -t TXT _psl.notebook-fips.us-west-1.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"



studio.eu-south-2.sagemaker.aws: dig +short -t TXT _psl.studio.eu-south-2.sagemaker.aws)
"https://github.com/publicsuffix/list/pull/1919"




Results of Syntax Checker (make test)

Test results
cd linter;                                \
  ./pslint_selftest.sh;                     \
  ./pslint.py ../public_suffix_list.dat;
test_allowedchars: OK
test_dots: OK
test_duplicate: OK
test_exception: OK
test_NFKC: OK
test_punycode: OK
test_section1: OK
test_section2: OK
test_section3: OK
test_section4: OK
test_spaces: OK
test_wildcard: OK
test -d libpsl || git clone --depth=1 https://github.com/rockdaboot/libpsl;   \
  cd libpsl;                                                                    \
  git pull;                                                                     \
  echo "EXTRA_DIST =" >  gtk-doc.make;                                          \
  echo "CLEANFILES =" >> gtk-doc.make;                                          \
  autoreconf --install --force --symlink;
Already up to date.
autopoint: using AM_GNU_GETTEXT_REQUIRE_VERSION instead of AM_GNU_GETTEXT_VERSION
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
cd libpsl && ./configure -q -C --enable-runtime=libicu --enable-builtin=libicu --with-psl-file=/__fake__/public_suffix_list.dat --with-psl-testfile=/__fake__/tests/tests.txt && make -s clean && make -s check -j4
config.status: creating po/POTFILES
config.status: creating po/Makefile
Making clean in po
Making clean in include
Making clean in src
rm -f ./so_locations
Making clean in tools
 rm -f psl
Making clean in fuzz
 rm -f libpsl_icu_fuzzer libpsl_icu_load_fuzzer libpsl_icu_load_dafsa_fuzzer
Making clean in tests
 rm -f test-is-public test-is-public-all test-is-cookie-domain-acceptable test-is-public-builtin test-registrable-domain
Making clean in msvc
Making check in po
Making check in include
Making check in src
  CC       libpsl_la-psl.lo
  CC       libpsl_la-lookup_string_in_fixed_set.lo
  CCLD     libpsl.la
Making check in tools
  CC       psl.o
  CCLD     psl
Making check in fuzz
  CC       libpsl_fuzzer.o
  CC       main.o
  CC       libpsl_load_fuzzer.o
  CC       libpsl_load_dafsa_fuzzer.o
  CCLD     libpsl_icu_fuzzer
  CCLD     libpsl_icu_load_fuzzer
  CCLD     libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_fuzzer
PASS: libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_load_fuzzer
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
  CC       test-is-public.o
  CC       common.o
  CC       test-is-public-all.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-builtin
  CCLD     test-is-public
  CCLD     test-is-public-all
  CCLD     test-registrable-domain
PASS: test-is-public-builtin
PASS: test-is-public
PASS: test-is-cookie-domain-acceptable
PASS: test-registrable-domain
PASS: test-is-public-all
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc

@dnsguru dnsguru added the DRAFT Submitter still working on, is draft, or appears inclomplete label Feb 4, 2024
@erichays erichays marked this pull request as ready for review April 2, 2024 21:09
@aph3rson
Contributor

@dnsguru / @simon-friedberger: kind nudge, it's been a few weeks since we've moved this from draft to open. We saw that several other PRs have been actioned/merged in the meantime while ours is still labeled as Draft, so we wanted to follow up.

In the short term, should we add to our internal SOPs to post a comment to our PR mentioning the maintainers when we move from draft -> open? We have been intentional about reducing our pings to the maintainers to prevent excess noise, but we understand how this kind of active notification might be helpful for your team.


In the longer term, is it worth revisiting the use of the DRAFT label? While we don’t have full insight into the internal processes of the maintainers of the list, it seems like it may be duplicative vs. GitHub's built-in draft pull request functionality. We are intentional about when we set this status on our PRs - it may make sense to use the draft status of a PR instead of a bespoke DRAFT label.
Alternatively, we’re curious if there is additional automation that could be added so that moving a request out of draft status would remove the DRAFT label and/or add a label that would otherwise indicate that it had moved from draft to open. If automation is the right route, we may be able to help create that automation so that the burden doesn’t fall to the maintainers.

@dnsguru
Member

dnsguru commented Apr 30, 2024

Hi @aph3rson yes please add to sop there at the point these move from draft to open and also @dnsguru and @simon-friedberger so we have some indication that the PR has been identified by AWS as ready to review. Otherwise it blends into the noise.

There are no service levels pledged or anything of the like.

We are still volunteer maintainers and review of AWS / "Amazon and family" submissions typically have a lot to look at in contrast to other submitters.

The sheer volume of entries AWS has in the file is larger than most all other requestors, and there is gratitude for how your team has become the single point for across the various managed namespaces.

I think your idea will help... add a comment mentioning Simon and I that states
"AWS team has completed our draft work and are updating status... This is moving from draft to open, and should now be considered in the queue of PR to review" will help us see the readiness.

@aph3rson
Contributor

aph3rson commented Apr 30, 2024

@dnsguru - noted, thanks for the context. We've updated our SOPs, and will add a comment when moving our pull request from draft -> open going forward.


On the topic of longer-term - would some automation that automatically manages the draft <-> open transitions be helpful?
This would not only help ourselves, but also other submitters of draft pull requests on the PSL (currently a few).

Our thoughts on how that automation might look:

  • If a user opens a draft pull request, or if a pull request is converted to a draft (by the submitter or a maintainer):
    • the DRAFT label is added to the pull request, and
    • a comment is added to the PR, explaining that the draft state is not reviewed/actioned by maintainers, and to move to open when ready
  • If a draft pull request is moved to open:
    • the DRAFT label is removed from the pull request, and
    • (optional) an additional label, e.g. Ready for Review is added, and
    • (if a certain amount of "debounce" time has passed since drafting/opening, e.g. 24 hours) a comment is added explaining that the PR has moved from draft to open, tagging one/more PSL maintainers.

Implementation of this should be feasible via GitHub Actions with a short workflow. We’ve been doing some proof of concept work for such a workflow and would gladly provide a code sample to help reduce developer pain on the maintainers.

@simon-friedberger
Contributor

  • Expiration (Note: Must STAY >2y at all times)
    • amazoncognito.com expires 2024-11-08 ⚠️
    • amazonaws.com expires 2027-01-16
    • amazonaws.com expires 2027-01-16
  • DNS _psl entries (Note: Must STAY in place)
  • Tests pass
  • Sorting
  • Reasoning/Organization description

@simon-friedberger simon-friedberger added ✔️DNS _psl Validated RFC 8553 Entries were present, matching PR# ✔️Sorting Validated https://github.com/publicsuffix/list/wiki/Guidelines#sort-your-submission-correctly-important r=simon-friedberger Marked as approved and ready to merge by @simon-friedberger and removed DRAFT Submitter still working on, is draft, or appears inclomplete labels May 2, 2024
@simon-friedberger simon-friedberger merged commit 00a4bde into publicsuffix:master May 2, 2024
1 check passed
@dnsguru
Member

dnsguru commented May 2, 2024

We discussed this PR among the reviewing volunteers, and it was determined that it would be proceeding to merge, but to be honest, there's a lot involved in these, sooo much more resource/time than other requestors that we have to invest, often finding domains that do not have the _PSL txt records in place or those that do not have the +2Y on them that we have to iterate or make exceptions for.

As I read your suggestions, I had perhaps misread that they were things being performed within AWS on their own pull request. Now as I read it, the suggestion was that we automate PR flow.

Automation of nags has low allure, as there are other, higher priority automations and test suites that are more pronounced technical debt here that could allow for more efficient processing - which would help things along generally.

Currently in the queue for automation are the validation of NS _PSL TXT and intra-section sorting.
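
An added example, not part of this thread or of the PSL project's tooling: a sketch of the two reviewer checks discussed above (the `_psl` TXT record must carry the PR URL, and the registration must keep more than two years remaining). The `tenant.example.com` entry, its dig output and its expiry date are constructed; taking the last two labels as the registered domain is an assumption that only holds for the `.com` and `.aws` names used here.

```python
import shlex
from datetime import date

PR_URL = "https://github.com/publicsuffix/list/pull/1919"  # from the page

def psl_txt_name(entry):
    """Owner name of the _psl TXT record for a PSL entry ('*.' is dropped)."""
    name = entry.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_psl." + name

def txt_matches_pr(dig_short_output, pr_url=PR_URL):
    """True if any TXT record in `dig +short -t TXT` output equals pr_url."""
    for line in dig_short_output.splitlines():
        try:
            # dig quotes each character-string; a record split into several
            # strings is concatenated without a separator.
            if "".join(shlex.split(line)) == pr_url:
                return True
        except ValueError:  # unbalanced quote: treat the line as no match
            continue
    return False

def registered_domain(entry):
    """ASSUMPTION: last two labels; true for the .com/.aws names used here."""
    return ".".join(psl_txt_name(entry).split(".")[-2:])

def expiry_ok(expires, as_of):
    """Registration must have more than two years remaining on as_of."""
    try:
        limit = as_of.replace(year=as_of.year + 2)
    except ValueError:  # as_of is 29 February
        limit = as_of.replace(year=as_of.year + 2, day=28)
    return expires > limit

def review(entries, dig_results, expiries, as_of):
    """Return (entry, problem) pairs; problem is 'txt' or 'expiry'."""
    findings = []
    for entry in entries:
        if not txt_matches_pr(dig_results.get(psl_txt_name(entry), "")):
            findings.append((entry, "txt"))
        expires = expiries.get(registered_domain(entry))
        if expires is None or not expiry_ok(expires, as_of):
            findings.append((entry, "expiry"))
    return findings

# Sample input. The first two entries, their TXT values and the two expiry
# dates are taken from the page; tenant.example.com is constructed.
ENTRIES = ["auth.ap-south-2.amazoncognito.com",
           "*.af-south-1.airflow.amazonaws.com",
           "tenant.example.com"]
DIG_RESULTS = {
    "_psl.auth.ap-south-2.amazoncognito.com": f'"{PR_URL}"\n',
    "_psl.af-south-1.airflow.amazonaws.com": f'"{PR_URL}"\n',
    "_psl.tenant.example.com": '"https://example.invalid/other-pr"\n',
}
EXPIRIES = {"amazoncognito.com": date(2024, 11, 8),
            "amazonaws.com": date(2027, 1, 16),
            "example.com": date(2030, 1, 1)}
AS_OF = date(2024, 5, 2)  # merge date shown on the page

if __name__ == "__main__":
    for entry, problem in review(ENTRIES, DIG_RESULTS, EXPIRIES, AS_OF):
        print(f"{entry}: {problem} check failed")
```

The `expiry` finding for the Cognito entry corresponds to the ⚠️ on amazoncognito.com in the reviewer's checklist.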

@alonkochba alonkochba mentioned this pull request May 27, 2024
10 tasks
Labels
✔️DNS _psl Validated RFC 8553 Entries were present, matching PR# r=simon-friedberger Marked as approved and ready to merge by @simon-friedberger ✔️Sorting Validated https://github.com/publicsuffix/list/wiki/Guidelines#sort-your-submission-correctly-important
Projects
Status: Done or Won't

4 participants