A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.

The service at publicsuffix.zone allows querying the Public Suffix List (PSL) conveniently via the DNS.

$ export DOMAIN=supertux.github.io
$ dig +short PTR $DOMAIN.query.publicsuffix.zone | tail -n1
github.io.
$ psl-dns_query github.io
public github.io
$ psl-dns_query supertux.github.io
private github.io

Our PSL Query Service removes the need to parse the PSL on the application level. Instead, it enables simple lookups to immediately retrieve public suffix information.

PSL information is required in various contexts, for example for cookie scoping in browsers, for certificate issuance, and for the secure operation of authoritative multi-tenant nameservers. The list itself is maintained as a text file on GitHub.

Until now, applications requiring information from the PSL were compelled to bring their own copy of the list, parse it, and extract the required information using a multi-staged algorithm. In addition to the implementation and processing effort, applications also had to make sure to keep their local PSL copy up to date.

Our PSL Query Service removes the need for applications to parse or refresh the PSL altogether. Instead, it facilitates simple lookups to immediately retrieve the public suffix that is associated with a given name.

How it works

We created the DNS zone query.publicsuffix.zone. The public suffix for a $DOMAIN can be retrieved by querying the PTR record at $DOMAIN.query.publicsuffix.zone. The PSL rules are encoded in the zone's records by means of crafty CNAME redirects and shrewd wildcard configurations, such that the DNS lookup eventually arrives at a PTR record which does indeed point to the public suffix of $DOMAIN.

If $DOMAIN is subject to multiple PSL rules (e.g. it is covered by a wildcard, but an exception is defined), you will find TXT records alongside the PTR record, representing the PSL rules that were applied but overruled.

Please note that DNS resolvers learn about the domains that get queried, so depending on the use case, using this service may not be up to your privacy standards. In case you are interested in running a local copy of the PSL Query Service, please contact us via GitHub.

Libraries

Instead of querying the PSL zone yourself, you can use libraries to conveniently handle the lookup for you:

Limitations

The PSL specification allows for inline wildcards. For example, public.*.tld would be a valid PSL rule, signifying that a third-level domain under tld whose third-level label is public is a public suffix, regardless of the second-level label. Unfortunately, such rules cannot be directly mapped onto the DNS, and any possible workarounds would require auxiliary DNS lookups. As a result, the desired information would not generally be determinable with just one query.

Luckily, the PSL does not contain any such pathological cases as of now, so this limitation is currently of no consequence. Libraries such as psl-dns handle these cases gracefully, should they ever occur.

Wildcards at the left-most position are supported (such as *.ck), including exception rules (such as www.ck).
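For comparison, the local multi-staged matching that the service replaces, as an added example (not code from the service or from psl-dns). RULES is a small constructed subset of the list plus the hypothetical public.*.tld rule from above, and all function names are assumptions. Because it matches label by label, it also resolves the inline wildcard that cannot be mapped onto the DNS.

```python
# Added example: PSL matching done locally, following the algorithm published
# with the list. RULES is a constructed subset, NOT the real PSL;
# "public.*.tld" is the hypothetical inline-wildcard rule from the text.
RULES = {
    "icann": ["com", "io", "uk", "co.uk", "pvt.k12.ma.us",
              "*.ck", "!www.ck", "public.*.tld"],
    "private": ["github.io"],
}

def _labels(name):
    return name.lower().rstrip(".").split(".")

def _matches(rule_labels, domain_labels):
    # A rule matches when its labels equal the right-aligned labels of the
    # domain; "*" stands for exactly one arbitrary label, at any position.
    if len(rule_labels) > len(domain_labels):
        return False
    tail = domain_labels[-len(rule_labels):]
    return all(r == "*" or r == d for r, d in zip(rule_labels, tail))

def public_suffix(domain):
    """Return (suffix, section, overruled_rules) for a domain name."""
    dl = _labels(domain)
    hits = []  # (is_exception, label_count, rule_text, section)
    for section, rules in RULES.items():
        for rule in rules:
            rl = rule.lstrip("!").split(".")
            if _matches(rl, dl):
                hits.append((rule.startswith("!"), len(rl), rule, section))
    if not hits:
        # No rule matches: the implicit rule "*" prevails (rightmost label).
        return dl[-1], None, []
    # An exception rule prevails; otherwise the rule with the most labels.
    hits.sort(key=lambda h: (h[0], h[1]), reverse=True)
    is_exception, count, _, section = hits[0]
    if is_exception:
        count -= 1  # an exception rule loses its leftmost label
    return ".".join(dl[-count:]), section, [h[2] for h in hits[1:]]

def registrable_domain(domain):
    """Public suffix plus one label, or None if the name is itself a suffix."""
    suffix, _, _ = public_suffix(domain)
    dl, n = _labels(domain), len(suffix.split("."))
    return ".".join(dl[-(n + 1):]) if len(dl) > n else None
```

The third element of the result lists the rules that matched but did not prevail, such as *.ck for www.ck.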

Who runs this service?

The Public Suffix Query Service is provided for free. It is operated by SSE, a Berlin-based IT security consultancy. SSE is invested in developing and promoting DNS-related (and other) security services for the public.

The PSL zone query.publicsuffix.zone is hosted with deSEC, a DNS hosting provider focusing on improving the security level of the DNS ecosystem.