Add IONOS product domains #2083

Merged (2 commits), Aug 9, 2024

Conversation

1and1tecsec
Contributor

@1and1tecsec 1and1tecsec commented Aug 6, 2024

Public Suffix List (PSL) Pull Request (PR) Template

Each PSL PR needs to have a description, rationale, indication of DNS validation and syntax checking, as well as a number of acknowledgements from the submitter. This template must be included with each PR, and the submitting party MUST provide responses to all of the elements in order to be considered.

Checklist of required steps

  • Description of Organization

  • Robust Reason for PSL Inclusion

  • DNS verification via dig

  • Run Syntax Checker (make test)

  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place in the respective zone(s) in the affected section

Submitter affirms the following:

  • We are listing any third-party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
    • We do not submit suffixes to the Public Suffix List to work around rate-limits of any third-party products or tooling.
  • This request was not submitted with the objective of working around other third-party limits
  • The submitter acknowledges that it is their responsibility to maintain the domains within their section. This includes removing names which are no longer used, retaining the _psl DNS entry, responding to e-mails to the supplied address. Failure to maintain entries may result in removal of individual entries or the entire section.
  • The Guidelines were carefully read and understood, and this request conforms
  • The submission follows the guidelines on formatting and sorting

For Private section requests that are submitting entries for domains that match their organization website's primary domain, please understand that this can have impacts that may not match the desired outcome and take a long time to rollback, if at all.

To ensure that requested changes are entirely intentional, make sure that you read the affectation and propagation expectations, that you understand them, and confirm this understanding.

PR Rollbacks have lower priority, and the volunteers are unable to control when or if browsers or other parties using the PSL will refresh or update.

(Link: about propagation/expectations)

  • Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

Description of Organization

The IONOS Group offers shared, dedicated, managed and cloud hosting and domain registration services, managing around 6 million customer contracts and more than 22 million domains. Roughly 2/3 of our customer base is located in Europe (Germany, UK, France, Spain, Italy, ...).

IONOS has essentially been around under various names for more than two decades (Schlund+Partner, 1&1 Puretec, 1&1 Internet, ...). After further acquisitions (Fasthosts, Arsys, Strato, home.pl, World4you, ...) and some restructuring, IONOS has been spun off into a separate company with a new name.

The PR is submitted by Security Engineer Henrik Willert, acting on behalf of the Technical Security team of IONOS. This is a collaborative effort, mostly driven and made possible by Systems Architect Anders Henke and Software Architect Jonas Julino.

Organization Website: https://www.ionos-group.com/
Products Website: https://www.ionos.com/

Reason for PSL Inclusion

Customer instances of our shared web hosting products come with one or more free subdomains of a product-line-specific domain.
Those subdomains allow customers to test changes without affecting their primary website. In some products, the subdomain is also used to configure a customer's individual instance. In all of the cases described below, those subdomains host only customer-generated content and/or applications.

Common patterns for the WordPress-range of products are:

<string>.live-website.com
<string>.apps-1and1.com
<string>.apps-1and1.net

The (alphanumeric) string is usually derived from other user-provided information, such as a project or domain name.

One of our website builder products uses the following patterns:

s<id>.websitebuilder.online
n<id>.websitebuilder.online

A recent hosting product connecting GitHub repositories to fully-featured shared hosting webspaces uses the following pattern:

home-<id>.app-ionos.space

The ids for websitebuilder.online and app-ionos.space are automatically generated.

Each of the subdomains mentioned above is an independent instance and should be treated accordingly:

  • do not share cookies (or any other trust) across different subdomains for the same domain.
  • do not abbreviate a subdomain's FQDN to its (shared) apex domain when highlighting domains in the URL bar.

A PSL inclusion should help with both of these.

Other products also have further domains that should have been put on the PSL a long time ago, but we're still evaluating what could possibly break and will file another request when we're ready to have them included.

To meet the 2y-criteria from #1109, we've been manually renewing those domains to the following registry expiry dates:

apps-1and1.com: 2030-05-20T16:04:03Z
live-website.com: 2030-06-21T09:21:07Z
apps-1and1.net: 2030-05-20T16:03:27Z
websitebuilder.online: 2029-11-09T23:59:59.0Z
app-ionos.space: 2030-01-28T23:59:59.0Z

We also intend to keep those registrations in good standing and plan to automate renewal according to PSL requirements.
Additionally, those domains are set to auto-renew, so at worst they'll renew during the last month before expiry.

Number of users this request is being made to serve:
We estimate that more than 600k customer instances are affected by the domains mentioned above.

DNS Verification via dig

💻:~[0]$ dig +short TXT _psl.apps-1and1.com
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.live-website.com
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.apps-1and1.net
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.websitebuilder.online
"https://github.com/publicsuffix/list/pull/2083"
💻:~[0]$ dig +short TXT _psl.app-ionos.space
"https://github.com/publicsuffix/list/pull/2083"

Results of Syntax Checker (make test)

💻:~/Documents/dev/public-suffix-list[0]$ make test
cd linter;                                \
  ./pslint_selftest.sh;                     \
  ./pslint.py ../public_suffix_list.dat;
test_allowedchars: OK
test_dots: OK
test_duplicate: OK
test_exception: OK
test_NFKC: OK
test_punycode: OK
test_section1: OK
test_section2: OK
test_section3: OK
test_section4: OK
test_spaces: OK
test_wildcard: OK
test -d libpsl || git clone --depth=1 https://github.com/rockdaboot/libpsl;   \
  cd libpsl;                                                                    \
  git pull;                                                                     \
  echo "EXTRA_DIST =" >  gtk-doc.make;                                          \
  echo "CLEANFILES =" >> gtk-doc.make;                                          \
  autoreconf --install --force --symlink;
Already up to date.
autopoint: using AM_GNU_GETTEXT_REQUIRE_VERSION instead of AM_GNU_GETTEXT_VERSION
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: linking file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: linking file 'm4/libtool.m4'
libtoolize: linking file 'm4/ltoptions.m4'
libtoolize: linking file 'm4/ltsugar.m4'
libtoolize: linking file 'm4/ltversion.m4'
libtoolize: linking file 'm4/lt~obsolete.m4'
configure.ac:1: warning: file `version.txt' included several times
configure.ac:4: warning: file `version.txt' included several times
aclocal.m4:765: AM_INIT_AUTOMAKE is expanded from...
configure.ac:4: the top level
configure.ac:369: warning: file `version.txt' included several times
configure.ac:10: installing 'build-aux/compile'
configure.ac:4: installing 'build-aux/missing'
fuzz/Makefile.am: installing 'build-aux/depcomp'
cd libpsl && ./configure -q -C --enable-runtime=libicu --enable-builtin=libicu --with-psl-file=/home/hwillert/Documents/dev/public-suffix-list/public_suffix_list.dat --with-psl-testfile=/home/hwillert/Documents/dev/public-suffix-list/tests/tests.txt && make -s clean && make -s check -j4
configure: WARNING: --enable-builtin=libicu is deprecated, use --enable-builtin (enabled by default)
config.status: creating po/POTFILES
config.status: creating po/Makefile
Making clean in po
Making clean in include
Making clean in src
rm -f ./so_locations
Making clean in tools
 rm -f psl
Making clean in fuzz
 rm -f libpsl_icu_fuzzer libpsl_icu_load_fuzzer libpsl_icu_load_dafsa_fuzzer
Making clean in tests
 rm -f test-is-public test-is-public-all test-is-cookie-domain-acceptable test-is-public-builtin test-registrable-domain
Making clean in msvc
Making check in po
Making check in include
Making check in src
  CC       libpsl_la-psl.lo
  CC       libpsl_la-lookup_string_in_fixed_set.lo
  CCLD     libpsl.la
Making check in tools
  CC       psl.o
  CCLD     psl
Making check in fuzz
  CC       libpsl_fuzzer.o
  CC       main.o
  CC       libpsl_load_fuzzer.o
  CC       libpsl_load_dafsa_fuzzer.o
  CCLD     libpsl_icu_fuzzer
  CCLD     libpsl_icu_load_fuzzer
  CCLD     libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_load_dafsa_fuzzer
PASS: libpsl_icu_fuzzer
PASS: libpsl_icu_load_fuzzer
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 3
# PASS:  3
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in tests
  CC       test-is-public.o
  CC       common.o
  CC       test-is-public-all.o
  CC       test-is-cookie-domain-acceptable.o
  CC       test-is-public-builtin.o
  CC       test-registrable-domain.o
  CCLD     test-is-public
  CCLD     test-is-cookie-domain-acceptable
  CCLD     test-is-public-all
  CCLD     test-is-public-builtin
  CCLD     test-registrable-domain
PASS: test-is-public-builtin
PASS: test-is-public
PASS: test-is-cookie-domain-acceptable
PASS: test-registrable-domain
PASS: test-is-public-all
============================================================================
Testsuite summary for libpsl 0.21.5
============================================================================
# TOTAL: 5
# PASS:  5
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
Making check in msvc
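The PR description above asks that every tenant subdomain be treated as an independent site: no cookie sharing under the shared apex, and the full tenant FQDN treated as the registrable domain. The following is an added example, not code from the PR, from IONOS or from the PSL project. It implements the public suffix matching algorithm documented at https://publicsuffix.org/list/ over a small constructed PSL excerpt, once without and once with the five private-section rules this PR adds, and shows how the registrable domain and the cookie Domain= decision for a tenant hostname change. The excerpt, the tenant hostnames (`alice.live-website.com`, `home-42.app-ionos.space`, ...) and the unrelated `example.test` are chosen for illustration; the `*.ck` and `!www.ck` rules are taken from the real list's ICANN section to exercise wildcard and exception handling.

```python
"""Minimal Public Suffix List matcher (added illustration, not PSL project code).

Algorithm from https://publicsuffix.org/list/: among the rules that match a
domain, an exception rule ('!') wins; otherwise the rule with the most labels
wins; with no matching rule the implicit rule '*' applies (the TLD alone is the
public suffix). The registrable domain is the public suffix plus one label.
"""
from __future__ import annotations

# Constructed excerpt: a few ICANN rules (including the real wildcard and
# exception rules for .ck) and an empty private section.
PSL_BEFORE = """\
// ===BEGIN ICANN DOMAINS===
com
net
online
space
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// ===END PRIVATE DOMAINS===
"""

# Same excerpt with the five private-section rules this PR adds.
PSL_AFTER = PSL_BEFORE.replace(
    "// ===END PRIVATE DOMAINS===",
    "// IONOS SE : https://www.ionos.com/\n"
    "apps-1and1.com\n"
    "apps-1and1.net\n"
    "app-ionos.space\n"
    "live-website.com\n"
    "websitebuilder.online\n"
    "// ===END PRIVATE DOMAINS===",
)


def parse_psl(text: str) -> list[str]:
    """Return the rule lines, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule_labels: list[str], labels: list[str]) -> bool:
    """Compared right to left, every rule label must equal the domain label
    or be the wildcard '*'."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain: str, rules: list[str]) -> str:
    labels = domain.lower().rstrip(".").split(".")
    best: tuple[bool, int] | None = None  # (is_exception, label_count)
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            candidate = (is_exception, len(rule_labels))
            if best is None or candidate > best:  # exceptions first, then longest
                best = candidate
    if best is None:
        count = 1  # implicit rule '*'
    else:
        is_exception, count = best
        if is_exception:
            count -= 1  # exception rule: drop its leftmost label
    return ".".join(labels[-count:])


def registrable_domain(domain: str, rules: list[str]) -> str | None:
    """Public suffix plus one label, or None if the domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def cookie_domain_acceptable(host: str, cookie_domain: str, rules: list[str]) -> bool:
    """Browser-style check for a Set-Cookie Domain= attribute: the host must lie
    inside the attribute value, and the value must not itself be a public suffix."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host != cookie_domain and not host.endswith("." + cookie_domain):
        return False
    return public_suffix(cookie_domain, rules) != cookie_domain


if __name__ == "__main__":
    host = "alice.live-website.com"
    for label, text in (("before PR", PSL_BEFORE), ("after PR", PSL_AFTER)):
        rules = parse_psl(text)
        print(label, "registrable:", registrable_domain(host, rules),
              "| Domain=live-website.com accepted:",
              cookie_domain_acceptable(host, "live-website.com", rules))
```

Without the private rule, `alice.live-website.com` can set a cookie scoped to `live-website.com` that every other tenant under that apex receives; with the rule in place, that Domain= attribute is rejected and each tenant is its own registrable domain, which is exactly the separation the description asks for.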

@1and1tecsec 1and1tecsec marked this pull request as ready for review August 7, 2024 08:23
// IONOS SE : https://www.ionos.com/,
// IONOS Group SE: https://www.ionos-group.com/
// submitted by Henrik Willert <[email protected]>

Contributor
Please remove the empty line (to avoid breaking some parsers)

Contributor Author

Fixed in ff20b6b ✔️

@groundcat
Contributor

Expiration (Note: Must remain >2 years at all times):

  • Domain Name: APPS-1AND1.COM
    Registry Expiry Date: 2030-05-20T16:04:03Z

  • Domain Name: LIVE-WEBSITE.COM
    Registry Expiry Date: 2030-06-21T09:21:07Z

  • Domain Name: APPS-1AND1.NET
    Registry Expiry Date: 2030-05-20T16:03:27Z

  • Domain Name: WEBSITEBUILDER.ONLINE
    Registry Expiry Date: 2029-11-09T23:59:59.0Z

  • Domain Name: APP-IONOS.SPACE
    Registry Expiry Date: 2030-01-28T23:59:59.0Z

According to WHOIS records, all domains are currently in good standing. Please ensure they are renewed in the coming years to maintain a validity period of more than two years at all times in the future.

DNS _psl entries (Note: Must remain in place):

The DNS entries appear correct based on checks with multiple public DNS servers. Please ensure they remain in place at all times in the future.

  • Domain Name: APPS-1AND1.COM

    Responses from multiple DNS servers for the _psl TXT record of the domain:

    • Response from 8.8.8.8: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 1.1.1.1: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 208.67.222.222: "https://github.com/publicsuffix/list/pull/2083"
  • Domain Name: LIVE-WEBSITE.COM

    Responses from multiple DNS servers for the _psl TXT record of the domain:

    • Response from 8.8.8.8: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 1.1.1.1: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 208.67.222.222: "https://github.com/publicsuffix/list/pull/2083"
  • Domain Name: APPS-1AND1.NET

    Responses from multiple DNS servers for the _psl TXT record of the domain:

    • Response from 8.8.8.8: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 1.1.1.1: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 208.67.222.222: "https://github.com/publicsuffix/list/pull/2083"
  • Domain Name: WEBSITEBUILDER.ONLINE

    Responses from multiple DNS servers for the _psl TXT record of the domain:

    • Response from 8.8.8.8: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 1.1.1.1: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 208.67.222.222: "https://github.com/publicsuffix/list/pull/2083"
  • Domain Name: APP-IONOS.SPACE

    Responses from multiple DNS servers for the _psl TXT record of the domain:

    • Response from 8.8.8.8: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 1.1.1.1: "https://github.com/publicsuffix/list/pull/2083"
    • Response from 208.67.222.222: "https://github.com/publicsuffix/list/pull/2083"

Sources: dig command using DNS servers: Google (8.8.8.8), Cloudflare (1.1.1.1), OpenDNS (208.67.222.222).

Sorting:

The sorting appears to be correct.

Reasoning/Organization Description:

The submitter mentioned that different web hosting customers have their own subdomains. This seems to be a reasonable request for PSL inclusion to enable cookie separation between subdomains that belong to different clients of web hosting or entities, consistent with the submitter's description.

To assess website usage, I queried multiple search engines and discovered a considerable number of subdomains, which aligns with the reported number of users:

  • Domain Name: APPS-1AND1.COM

    Google and Brave show a considerable number of sites, not yet discoverable by other search engines.

    Checked the Certificate Transparency Logs. Wildcard SSL is used.

    No known potential abuse or malicious activity was discovered when querying trusted security vendors.

  • Domain Name: LIVE-WEBSITE.COM

    Google and Brave show a considerable number of sites, not yet discoverable by other search engines.

    Checked the Certificate Transparency Logs. Wildcard SSL is used.

    When querying trusted security vendors, 1 out of 93 vendors flagged it as Malicious.

  • Domain Name: APPS-1AND1.NET

    Considerable amount of sites across all search engines.

    Checked the Certificate Transparency Logs. Wildcard SSL is used.

    No known potential abuse or malicious activity was discovered when querying trusted security vendors.

  • Domain Name: WEBSITEBUILDER.ONLINE

    Google and Brave show a considerable number of sites, not yet discoverable by other search engines.

    Checked the Certificate Transparency Logs. Wildcard SSL is used.

    When querying trusted security vendors, 1 out of 93 vendors flagged it as Suspicious.

  • Domain Name: APP-IONOS.SPACE

    Considerable amount of sites across all search engines.

    Checked the Certificate Transparency Logs. Wildcard SSL is used.

    ⚠️ When querying trusted security vendors, 5 out of 93 vendors flagged it as Malicious, warranting a closer look to determine whether functional abuse mitigation is established.
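The two mechanical checks in the review comment above, registry expiry staying more than two years out and an RFC 8553 style `_psl.<domain>` TXT record naming this PR as seen from several independent resolvers, can be scripted. The following is an added example, not the PSL maintainers' tooling. It parses `dig +short TXT` style output and WHOIS expiry timestamps; the expiry values for `apps-1and1.com` and `websitebuilder.online` and the PR URL are copied from the thread, while the resolver responses, the `example-hosting.test` entry with its short `2026-05-01` registration and the unrelated `v=spf1 -all` record are constructed inline to exercise the failure paths.

```python
"""Scripted version of two PSL reviewer checks (added illustration, not PSL tooling).

1. Each domain's registry expiry must stay more than MIN_YEARS in the future.
2. _psl.<domain> (RFC 8553 underscore-prefixed name) must carry a TXT record
   equal to this PR's URL, from every resolver consulted.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

PR_URL = "https://github.com/publicsuffix/list/pull/2083"
MIN_YEARS = 2
AS_OF = datetime(2024, 8, 9, tzinfo=timezone.utc)  # merge date of this PR


def parse_expiry(value: str) -> datetime:
    """Parse WHOIS 'Registry Expiry Date' values such as 2030-05-20T16:04:03Z
    or 2029-11-09T23:59:59.0Z (registries differ in fractional seconds)."""
    base = re.sub(r"\.\d+Z$|Z$", "", value.strip())
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)


def _add_years(when: datetime, years: int) -> datetime:
    try:
        return when.replace(year=when.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return when.replace(year=when.year + years, day=28)


def expiry_ok(expiry: str, as_of: datetime, min_years: int = MIN_YEARS) -> bool:
    """True when the registration runs strictly more than min_years past as_of."""
    return parse_expiry(expiry) > _add_years(as_of, min_years)


def parse_txt_short(dig_output: str) -> list[str]:
    """Turn `dig +short TXT` output into one string per record. dig prints each
    record as quoted <character-string>s separated by spaces; a record longer
    than 255 bytes arrives as several strings, which are concatenated here."""
    records = []
    for line in dig_output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            records.append("".join(p.replace('\\"', '"') for p in parts))
    return records


def psl_record_name(domain: str) -> str:
    return f"_psl.{domain.rstrip('.')}"


def psl_record_ok(dig_output: str, pr_url: str = PR_URL) -> bool:
    return pr_url in parse_txt_short(dig_output)


def review(domains: dict[str, dict], as_of: datetime) -> list[str]:
    """domains: {name: {"expiry": str, "dig": {resolver: dig_output}}}.
    Returns human-readable findings; an empty list means both checks passed."""
    findings = []
    for name, info in domains.items():
        if not expiry_ok(info["expiry"], as_of):
            findings.append(f"{name}: expiry {info['expiry']} is within "
                            f"{MIN_YEARS} years of {as_of.date()}")
        for resolver, output in info["dig"].items():
            if not psl_record_ok(output):
                findings.append(f"{name}: {psl_record_name(name)} TXT via "
                                f"{resolver} does not name {PR_URL}")
    return findings


# Constructed resolver answers in `dig +short TXT` format.
GOOD = f'"{PR_URL}"\n'
SPLIT = '"https://github.com/publicsuffix/" "list/pull/2083"\n'  # split into two strings
UNRELATED = '"v=spf1 -all"\n'                                     # some other TXT record
EMPTY = ""                                                        # NXDOMAIN / no TXT

SAMPLE = {
    "apps-1and1.com": {"expiry": "2030-05-20T16:04:03Z",
                       "dig": {"8.8.8.8": GOOD, "1.1.1.1": GOOD, "208.67.222.222": SPLIT}},
    "websitebuilder.online": {"expiry": "2029-11-09T23:59:59.0Z",
                              "dig": {"8.8.8.8": GOOD, "1.1.1.1": GOOD, "208.67.222.222": GOOD}},
    # Constructed failing entry: short registration and no usable _psl record.
    "example-hosting.test": {"expiry": "2026-05-01T00:00:00Z",
                             "dig": {"8.8.8.8": UNRELATED, "1.1.1.1": EMPTY}},
}

if __name__ == "__main__":
    for finding in review(SAMPLE, AS_OF) or ["all checks passed"]:
        print(finding)
```

The expiry comparison is strict on purpose: a domain that is exactly two years from expiry already violates the "more than two years at all times" wording, and the check should be re-run periodically rather than only at review time.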

@groundcat
Contributor

There doesn't seem to be a relevance issue, but one of the domains, app-ionos.space, has a higher portion of security vendors flagging it as malicious. It's understandable that such issues can occur when you offer namespace on the second-level domain.

@1and1tecsec I wonder if you have existing mitigations to prevent future abuse, such as an abuse reporting procedure or some sort of detection that your company handles promptly. This would deter potential adversaries, especially as it will be added to the Public Suffix List.

@1and1tecsec
Contributor Author

@groundcat
Our abuse team is available via AS8560 role accounts (abuse at ionos.com).

They have different processes in place, depending on the maturity of the integration after the re-organization of our company. This includes internal sensors for detection, external reports, and feeds, to process reports automatically or manually in order to ensure a broad coverage of mitigation measures against abuse. Our products do integrate into those processes at different levels, from the classic "manual case handling" down to "automated lock of the corresponding file/directory/domain/webspace/contract/customer and on-call escalation". As many phishing cases are using fraudulent orders, fraud processes also have an important role to prevent phishing cases in the first place, in addition to the abuse processes mentioned above.

The product using the domain app-ionos.space is somewhere in the lower mid-range of such integrations, but we're in the process of improving that to a more advanced level, so it reaches the same maturity as the other domains.

@simon-friedberger
Contributor

  • Expiration (Note: Must STAY >2y at all times)
    • apps-1and1.com expires 2030-05-20
    • live-website.com expires 2030-06-21
    • apps-1and1.net expires 2030-05-20
    • websitebuilder.online expires 2029-11-09
    • app-ionos.space expires 2030-01-28
  • DNS _psl entries (Note: Must STAY in place)
  • Tests pass
  • Sorting
  • Reasoning/Organization description
  • Non-personal email address

@simon-friedberger simon-friedberger added labels Aug 9, 2024: ✔️DNS _psl Validated (RFC 8553 entries were present, matching PR#); ✔️Sorting Validated (https://github.com/publicsuffix/list/wiki/Guidelines#sort-your-submission-correctly-important); r=simon-friedberger (marked as approved and ready to merge by @simon-friedberger)
@simon-friedberger simon-friedberger merged commit ef9b4e5 into publicsuffix:master Aug 9, 2024
1 check passed