1 of 3: Federal DNS Patterns

Greetings fearless readers, I’m running out of metaphors for how deep the .gov domain space goes long before I run out of analysis. Rest assured, this series will be fully published this week, to keep each piece small enough to parse and published close enough together to be coherent.

This might also feel like watching 'Inception' as we go deeper and deeper into what I believe is an antipattern, DNS as Spellcheck, because it enables other [worse] 'slippery slope' patterns.

So let's get specific on domains that exist, that maybe shouldn’t.

First, let’s take a moment to say goodbye to flyhealthy.gov – this series uses 1,370 domains as flyhealthy.gov from FAA (not TSA apparently) was sunset November 9th, per CISA's repo.

There's no definitive information from the US Government on the site, but based on information from Internet Archive's "Wayback Machine" it was first crawled in 2020 and this seems like the 'current' instantiation of the brand: https://www.transportation.gov/flyhealthy

This shows that the .gov domain space may be more dynamic than some assume.

So let’s start by realizing “the plane is always being flown as it's built”

Greg Boone, Amanda D. et al. had some great discussion in my previous posts about how there may not be a clear 'best practice' for when something should, or shouldn’t, be created or sunset, and what reasonable timeline(s) to use.

So let’s be more specific about the reality of managing agency domains:

  • Just because there might be multiple domains now doesn’t mean there never should have been. Perhaps an agency was working on a specific point-in-time initiative (projects by definition have a start and an end), or perhaps "best practice” is more art than science anyway and has shifted.
  • Perhaps an agency is working towards a sunset strategy and is maintaining multiple domain names in parallel for a particular length of time. Given the “read only” nature of the domain list, we may not know these plans, short of an IG report or FOIA that Dave Zvenyach reads.
  • Sometimes a dedicated domain is cheap and warranted, and sometimes thanks to technology constraints, it is required because of vendor requirements, even if it is not desired.

So don’t take the existence of any of these domains as a “gotcha” – I am merely pointing them out as a potential avenue for government to evaluate and (re)explore their existence.

It’s also worthwhile to note that “a domain by another name” might not be as “free” even though the cost of a domain name is $0 thanks to CISA.

More specifically, even if a domain is set up as a shorthand redirect for another domain, it still creates an administrative burden for agencies and creates potential friction for users.

As someone who has to administer more than a few domains, just maintaining SPF, DKIM, and DMARC record types for email is more than just a trivial burden. That's true even for unused domains and doesn't account for the need to monitor logs and reports for domains and certs.
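To make that maintenance burden concrete, here is an added example (not code from the original post) that audits the SPF and DMARC TXT records a domain that never sends mail should carry: a null SPF (`v=spf1 -all`), a DMARC policy of `p=reject`, and a `rua=` reporting address so someone actually sees the abuse reports. The sample records and domain names are constructed for illustration.

```python
# Constructed sample TXT records (hypothetical names, not registry data).
# Keys are the DNS owner names relative to each domain: "@" and "_dmarc".
SAMPLE_TXT = {
    "agency-campaign.example.gov": {
        "@": ["v=spf1 -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"],
    },
    "agencycampaign.example.gov": {   # spellcheck variant, never set up for mail
        "@": [],
        "_dmarc": [],
    },
    "old-initiative.example.gov": {   # sunset project with stale, permissive records
        "@": ["v=spf1 include:spf.vendor.example ~all"],
        "_dmarc": ["v=DMARC1; p=none"],
    },
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_parked_domain(txt):
    """Return findings for a domain that is not supposed to send mail."""
    findings = []
    spf = [r for r in txt.get("@", []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (treated as a permanent error by receivers)")
    elif spf[0].strip().lower() != "v=spf1 -all":
        findings.append("SPF is not a null policy (expected 'v=spf1 -all')")
    dmarc = [r for r in txt.get("_dmarc", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy}, expected p=reject")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address, so abuse reports go nowhere")
    return findings

def audit(records):
    """Map each domain name to its list of findings (empty list means clean)."""
    return {name: check_parked_domain(txt) for name, txt in records.items()}
```

In practice the `SAMPLE_TXT` dict would be filled from live TXT lookups for each domain in the inventory; the checks themselves do not change.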

So imagine the operational and administrative overhead associated with the full lifecycle of a domain. That includes maintaining DNS records, responding to OMB data calls, monitoring security reports, etc. There is a very long tail of costs associated with each and every domain.

Given the errors I’ve seen in my ad-hoc testing, it seems accurate to state that even the most efficient and effective teams are not always perfect with the burden of maintenance.

Every domain "known by another name" risks creating, or perpetuating, public uncertainty, and obligates agencies far into the future.

Since really every month, not just October, is cybersecurity awareness month, it’s worth (re)stating what a strange situation multiple domain names creates for the public.

Imagine visiting a .gov domain and being redirected to something different. Security aside, imagine the sense of ‘trust’ that could be lost when ‘spellcheck’ domains cause someone to see a different domain than what is branded in an advertised campaign. Everyone expects a degree of correctness when it comes to government services, and the confusion of multiple names that represent the same site and function could jeopardize that confidence.

The government, collectively, needs a cohesive and coherent approach.

Admittedly, this point may be a combination of the first two. However, I think it’s worth separating out as a standalone topic because the first two costs represent agency-specific obligations but we should also acknowledge there is a government-wide obligation as well.

The more .gov domains we have, the harder it is to create a coherent representation of government, and the easier it is to create confusion. More bluntly, how many people do you think have the time to analyze every .gov domain? Or how many conversations would OMB need to create a consistent customer experience across government? It’s a simple fact of human attention (think Dunbar’s number) that the fewer choices there are, the easier it (generally) is to understand the ‘search.gov space’ (#dadJoke) and adhere to consistent norms.

There are certainly many more reasons why a large long tail of domains exists, and some tradeoffs are necessary but we should admit that there's no such thing as a 'free domain.'

Let's start reviewing what I've deemed “pairwise curiosities”.

Sometimes these curiosities travel in groups of more than two and generally look like the spellcheck [anti]pattern. However, I think you'll quickly see the symptom as more insidious.

This is one of those longer datasets, so check the full list on our repo. It's also worth noting that I manually created this dataset through the brute force technique of scrolling, scrolling, and scrolling, and flagging interesting combinations by hand. There are almost certainly more examples that I've missed, which reinforces my previous point that almost 1,400 domains is too much for any small group, let alone a big group, of humans to maintain consistently!

Before we start aggregating these into buckets let’s get a few examples.

While I think it’s probably perfectly normal for some of these to exist currently, I hope some (most) are in the process of being sunset and will attempt to outline why in this post.

What else do you start to see in my handpicked examples, here and in the full list?


Bucket Overview

Based on what I see, I think generally there are four types of patterns at play here:

  1. Domains as Spellcheck
  2. Multiple Domains, One Brand
  3. Domains as Governance
  4. Alternate Language Domains

First of all let's review CISA’s guidance, which strongly mirrors OMB's excellent memo M-23-10.

Agencies should avoid requesting unnecessary domain name variants unless there is a compelling need. Each domain name variation request will need a compelling justification, specific to that request.

Variations of domain names could include:
    * Alternative name
    * Different spellings, typos, or misspellings
    * Foreign language equivalents
    * Acronyms

You may not defensively register variations of a .gov domain name. While this practice may be common when registering domains open to the general public, the .gov domain space is not first come, first serve and agencies do not need to protect against unauthorized use of their brands. Additional domain names for the same use case may not be approved.

That’s worth everyone (re)reading again, highlighting, and surrounding with a bunch of gold stars. CISA makes the point well here “While this practice may be common when registering domains open to the general public, the .gov domain space is not first come, first serve and agencies do not need to protect against unauthorized use of their brands.” [emphasis mine]
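The "pairwise curiosities" above were flagged by hand, and CISA's list names the variant types to look for. As an added example (not the post's own tooling), here is a first-pass screen that groups a domain inventory by agency and flags same-agency pairs that are punctuation variants or within two edits of each other, which covers the spelling and typo bucket; acronym and foreign-language pairs still need a human. The CSV below is constructed with an assumed column layout and hypothetical names.

```python
import csv
import io
from itertools import combinations

# Constructed sample in the shape of a domain inventory export (assumed
# columns; the variant names are hypothetical, not CISA's actual data).
SAMPLE_CSV = """Domain name,Domain type,Agency,Organization name
flyhealthy.gov,Federal - Executive,Department of Transportation,FAA
flyhealthly.gov,Federal - Executive,Department of Transportation,FAA
transportation.gov,Federal - Executive,Department of Transportation,Office of the Secretary
usa-jobs.gov,Federal - Executive,Office of Personnel Management,OPM
usajobs.gov,Federal - Executive,Office of Personnel Management,OPM
cisa.gov,Federal - Executive,Department of Homeland Security,CISA
"""

def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    """Drop the TLD and hyphens so 'usa-jobs.gov' and 'usajobs.gov' compare equal."""
    label = domain.lower().rsplit(".", 1)[0]
    return label.replace("-", "")

def classify_pair(a, b, max_edits=2):
    """Return the suspected variant type for a pair of names, or None."""
    na, nb = normalize(a), normalize(b)
    if na == nb:
        return "punctuation variant"
    if edit_distance(na, nb) <= max_edits:
        return "possible spellcheck variant"
    return None

def find_curiosities(csv_text, max_edits=2):
    """Flag same-agency domain pairs that look like variants of one another."""
    by_agency = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_agency.setdefault(row["Agency"], []).append(row["Domain name"])
    flagged = []
    for agency, names in by_agency.items():
        for a, b in combinations(sorted(names), 2):
            kind = classify_pair(a, b, max_edits)
            if kind:
                flagged.append((agency, a, b, kind))
    return flagged
```

Grouping by agency keeps the comparison count manageable across a 1,400-domain list and avoids flagging coincidental near-matches between unrelated agencies.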


Tune in next time to review the DNS as Spellcheck and Multiple Domains, One Brand patterns, and develop your own intuition.



Jason Linthicum

Regional Sales Manager - Public Sector, Federal at Netskope

2 months

Agree on your comments. The .gov domain is a big area of (protective) focus for CISA as we move into the new year.

Camille Tuutti

Tech storyteller & novelist. I make sense and dollars out of technobabble.

3 months

Any content that starts with "greetings, fearless readers," I'm going to read ??

This might also be the right moment to share a post[1] by Mark Headd that's been rattling around in my brain as inspiration: It's titled "Searching For Patterns in Digital Modernization" and while Mark was talking about software patterns I think it’s applicable for domains as well: “We are drawn to these patterns because they are widely used and … enable us to think about complex problems in ways that are easier to understand. ... In practice, these patterns do not always work well (or as well as we think they should) because a big chunk of the hard work of doing digital modernization in government is organizational, legal, and bureaucratic." - Mark Headd [1] https://civic.io/2024/10/09/searching-for-patterns-in-digital-modernization/
