Small Organisation Server

It is good to be a tree

Some small social organisations exist naturally in a tree, even if the branches largely operate independently: scout troops, guide companies, Phab clubs, some churches and so on. In these cases the activity the organisation is known for (bringing people of all abilities together on equal terms, in the case of Phab clubs) is the thing the parent body and every branch have in common.

Oxford Phab club is one of about 140 clubs in England and Wales affiliated to the national Phab organisation. The national body's domain name is phab.org.uk, whereas Oxford Phab has registered its own domain name, oxfordphab.org.uk, and those other Phab clubs which do have a presence on the internet all have individually registered domain names, some of which contain the word phab.

Large companies have no excuse, but in many cases the parent organisation is actually small, often fewer than a dozen people, and does not have the kind of systems administrator currently needed to deal with such matters. Making DNS delegation simpler to manage, while retaining flexibility, is a valuable goal. For example, when a Phab club affiliates to the national body it should be possible for that club to be offered a delegated DNS zone for its own use, so that the club could use, say, oxford.phab.org.uk for its web site, email, social media and so on.

On the wider internet this explosion of names is not good for anybody. Companies spend huge amounts on building trust in their brand, and then dilute it by registering random domain names which happen to have their name somewhere in them, and then disclaim any responsibility when their customers are scammed by going to bigcorpticket.example.com when the ‘official’ site was bigcorptickets.example.com. No scammer can register tickets.bigcorp.example.com, because only whoever controls bigcorp.example.com can create names beneath it (I have used the reserved example domain because nobody can register under it, and any other short domain name is probably registered). Phishing attacks could be hugely reduced if more people understood the hierarchical nature of the DNS. See the Equifax section below for a real life example.

Domain delegation, being the primary name server for your own delegated domain, and being a secondary for another small organisation are technical goals for a small organisation server, even if they will never be used by, for example, the Ambridge Garden Club.
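The delegation described above, written out as BIND-style zone files, is added here as an illustration; it is not taken from the page or from phab.org.uk's real DNS. The parent zone phab.org.uk hands oxford.phab.org.uk to the club's own name server, and the club then runs the child zone itself. Every server name and address is hypothetical (the addresses are from the RFC 5737 documentation ranges), and ns.ambridge-garden-club.org.uk stands in for the ‘secondary for another small organisation’ mentioned above.

```zone
; ---- Parent zone: phab.org.uk (hypothetical records, not the real zone) ----
$ORIGIN phab.org.uk.
$TTL 3600
@           IN SOA  ns1.phab.org.uk. hostmaster.phab.org.uk. (
                        2024010101  ; serial
                        7200        ; refresh
                        900         ; retry
                        1209600     ; expire
                        3600 )      ; negative-cache TTL
@           IN NS   ns1.phab.org.uk.
@           IN NS   ns2.phab.org.uk.
ns1         IN A    192.0.2.53
ns2         IN A    198.51.100.53
@           IN A    192.0.2.80
www         IN CNAME phab.org.uk.

; Delegation of oxford.phab.org.uk to the club. Only the NS records belong
; here, plus a glue A record because ns1.oxford lies inside the delegated
; name and resolvers could not otherwise find it. Everything else about the
; club (web, mail, newsletter) lives in the child zone and is edited only
; by the club.
oxford      IN NS   ns1.oxford.phab.org.uk.
oxford      IN NS   ns.ambridge-garden-club.org.uk.   ; friendly secondary
ns1.oxford  IN A    203.0.113.53                      ; glue record

; ---- Child zone: oxford.phab.org.uk (served from the club's own server) ----
$ORIGIN oxford.phab.org.uk.
$TTL 3600
@           IN SOA  ns1.oxford.phab.org.uk. hostmaster.oxford.phab.org.uk. (
                        2024010101 7200 900 1209600 3600 )
@           IN NS   ns1.oxford.phab.org.uk.
@           IN NS   ns.ambridge-garden-club.org.uk.
ns1         IN A    203.0.113.53     ; must match the glue in the parent
@           IN A    203.0.113.80
www         IN CNAME oxford.phab.org.uk.
@           IN MX   10 mail.oxford.phab.org.uk.
mail        IN A    203.0.113.25
```

The check a practitioner makes after setting this up is that the NS set and the glue address in the parent agree with what the child zone itself publishes; a mismatch (for example the club changing ns1's address and forgetting to tell the national body) is the usual cause of a delegation that works intermittently.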

Trees and Trust – some examples

The UK National Health Service is generally good at keeping its names under nhs.uk, and web sites for real NHS facilities tend to end in .nhs.uk – for example https://ouh.nhs.uk/ is the Oxford University Hospitals NHS Foundation Trust, which works closely with Oxford University on research. Genuine web sites about such research almost always have a form like https://www.ndm.ox.ac.uk/ – again Oxford University, and the UK academic community in general, understands the domain system.

This consistency is slightly diluted by some use of nhs.net, so some emails may end in @nhs.net, as well as those which end in @nhs.uk or @somedepartment.nhs.uk.

NHS services are being outsourced, diluting the brand, so some patient letters now come from @drdoctor.co.uk – a private provider to the NHS – and the letters are reached by clicking on a link at https://nhs.my (where the .my ending would suggest the service was being provided from Malaysia, possibly by the Ministry of Health Malaysia). As DrDoctor is trusted with patient appointment information, it should be given an NHS subdomain, to be used only for purposes under that contract; and if a URL shortening service really is needed then, for example, u.nhs.net is as short as tinyurl.com.

The 2017 Equifax data breach – not using the DNS tree

Equifax, a company whose sole purpose is to hold a large quantity of personal financial information, had a data breach in 2017 due to its failure to follow good practice in managing its computer systems. Its reaction to the problem was made worse by its failure to understand the potential benefits of being a tree. It set up a new web site, www.equifaxsecurity2017.com, so that consumers could find out if their data was at risk. To prove their identity to the web site, consumers had to provide some private information: their last name and the last six digits of their social security number. Knowledge of this was supposed to be enough for Equifax to tell which consumer you were.

The problem with this approach is that Equifax knew that it had set up this name, and so felt consumers should trust it with their personal information because it had Equifax in the name. A security researcher, Nick Sweeting, demonstrated the risk by registering www.securityequifax2017.com as a parody of the official site. The two names are easily confused, and Equifax's own customer-support staff, posting from the company's official Twitter account, repeatedly directed people to the parody site rather than the real one. As he, and anyone else who understands the internet, will try to explain, this could not have happened if the web site had been called security2017.equifax.com, or any other name ending in .equifax.com: only whoever controls equifax.com can create names beneath it.
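The rule ‘is this name really under our domain?’ can be checked mechanically, and the way it is checked matters. The following is an added example, not code from the page or from Equifax: a label-by-label test of whether a host name lies under a trusted apex, shown beside the two shortcuts people actually write (a substring test for the brand, and a plain string-suffix test), each of which accepts a look-alike. The two 2017 site names are the real ones from the incident; every other test name is constructed for the example.

```python
"""Decide whether a host name sits inside a trusted DNS tree.

Added example, not from the original page. DNS names are compared
label by label, ignoring case and a trailing dot, so that only names
that are the apex itself or lie beneath it are accepted.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def dns_labels(name: str) -> list[str]:
    """Split a DNS name into its labels, lower-cased, without a trailing dot."""
    return [lab for lab in name.rstrip(".").lower().split(".") if lab]


def is_under(host: str, apex: str) -> bool:
    """True if host is apex itself or a descendant of apex in the DNS tree."""
    h, a = dns_labels(host), dns_labels(apex)
    return len(h) >= len(a) and h[-len(a):] == a


def url_is_under(url: str, apex: str) -> bool:
    """Apply is_under to the host part of a URL; a URL with no host fails."""
    host = urlsplit(url).hostname
    return host is not None and is_under(host, apex)


# The two shortcuts this example argues against; both are wrong.
def naive_substring(host: str, brand: str) -> bool:
    """'Has the brand name in it' - accepts any registration containing it."""
    return brand.lower() in host.lower()


def naive_endswith(host: str, apex: str) -> bool:
    """Plain string suffix - accepts notequifax.com as well as equifax.com."""
    return host.lower().endswith(apex.lower())


# Constructed test names with the answer the tree check should give.
# The two *2017.com names are the real ones from the incident.
CASES: dict[str, bool] = {
    "security2017.equifax.com": True,
    "equifax.com": True,
    "EQUIFAX.COM.": True,                 # case and trailing dot are irrelevant
    "www.equifaxsecurity2017.com": False,  # the real Equifax site, off-tree
    "www.securityequifax2017.com": False,  # Nick Sweeting's parody
    "notequifax.com": False,               # fools naive_endswith
    "equifax.com.example": False,          # fools naive_substring
}


def compare(host: str) -> dict[str, bool]:
    """Run all three checks on one host name."""
    return {
        "substring": naive_substring(host, "equifax"),
        "endswith": naive_endswith(host, "equifax.com"),
        "tree": is_under(host, "equifax.com"),
    }


if __name__ == "__main__":
    for name, expected in CASES.items():
        r = compare(name)
        flag = "ok " if r["tree"] == expected else "BAD"
        print(f"{flag} {name:30} substring={r['substring']!s:5} "
              f"endswith={r['endswith']!s:5} tree={r['tree']}")
```

Run on the constructed names, only the label-by-label check agrees with the expected answer for every row; the substring check accepts both 2017 sites and equifax.com.example, and the suffix check accepts notequifax.com. The same logic is what a mail filter, a browser extension or a help-desk script would need before telling a customer that a link is ‘one of ours’.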

There is more on the problems of proving identity on the internet at The Proof of Identity Problem.

Being your own tree

Even for a small organisation there are advantages to being aware of the tree-like structure of the DNS. Suppose, for example, that Ambridge Garden Club ran an email newsletter as a mailing list which club members, or any interested people, could join. Creating a subdomain newsletter.ambridge-garden-club.org.uk would keep the email for the newsletter distinct from the email for club members themselves. For a medium sized organisation this could be outsourced to a bulk mail specialist, which is more easily done if the newsletter has its own subdomain. For a small organisation such as the Ambridge Garden Club it could be handled on their own server by specialist list management software such as Sympa or Mailman.

Preparing for parenting

For a small organisation setting out on the Internet for the first time, the thought that there may one day be child organisations which would benefit from a degree of independence may seem far away, but the decision about where you buy your DNS service from may affect your ability to have children (in the DNS sense).

Quite a few popular DNS registrars do not provide, through their web control panel, any facility for delegating a subdomain: that is, for adding NS records (and glue) for a child zone that point at someone else's name servers rather than at the registrar's own.

When a tree based name might not be appropriate

There can be a good reason for not using a subdomain. You might have a product or service which you hope will flourish and could become an independent entity. Sitting ‘under’ your main organisation name will make that harder.

Embedded brand names are usually a mistake

If you see a domain name like equifaxsecurity2017.com, which contains the name of a brand or company but does not sit under that company's own domain, it is a strong indicator of trouble for that brand. One of the following is usually true:

  1. The name is owned by the company, and they do not understand how the internet works.
  2. The name has been registered by criminals pretending to be that company, who want to dupe that company's customers (or by security researchers wanting to make a point).
  3. The name was registered by a group of lawyers who are starting a class action against the company.
  4. The name was registered by an advocacy or consumer group who want to complain about the company – a domain called yourbrandname-sucks is, unless you manufacture vacuum cleaners, unlikely to be complimentary.