Bug with handling of fed.us domains

[konklone]

Not sure if this is a trustymail issue or a report-generating issue, but fed.us is not a domain -- it's a public suffix:

https://publicsuffix.org/list/public_suffix_list.dat

This means that domains like fs.fed.us should be treated as a second level domain, and should be assigned to the Forest Service['s parent agency], and the fed.us domain should not be present (and not assigned to any particular agency).

[konklone]

Also, just to be clear from a technical standpoint, this means that fed.us isn't treated as a registerable domain by browsers that use the PSL (which I think is all of them, and certainly Firefox and Chrome). It also means that cookies can't be set for fed.us that would be valid across domains that end with fed.us, so they are completely separate security boundaries.

That said, I have no idea whether DMARC enforcers care about the Public Suffix List, so if we care about fraudulent emails from [email protected], then given how small fed.us is, we could potentially set a default DMARC record for it, in case any clients would actually check and respect the DMARC record for that domain.

That would be a question for the DotGov program about TLD-level support, which also owns and operates fed.us as a registerable suffix alongside .gov, and not SLD-level implementation of the type contemplated directly by the BOD.