OkayPhysicist 5 days ago

I can answer why this is at the company I work at right now:

It's a PITA to coordinate between teams, and my team doesn't control the main domain. If I wanted my team's application to run on the parent domain, I would have to negotiate with the crayon eaters in IT to make a subdomain, point it at whatever server, and then if I want any other changes to be made, I'd have to schedule a follow-up meeting, which will generate more meetings, etc.

If I want to make any changes to the mycompany.othertld domain, I can just do it, with no approval from anyone.

SoftTalker 4 days ago | parent [-]

Are you arguing that it’s a good idea for random developers to be able to set up new subdomains on the company domain without any oversight?

mdaniel 4 days ago | parent | next [-]

Do they work there or not? I deeply appreciate that everyone's threat model is different, but I'd bet anyone that wants to create a new DNS record also has access to credentials that would do a ton more actual damage to the company if they so chose.

Alternatively, yup, SOC2 is a thing: optionally create a ticket tracking the why, then open a PR against the IaC repo citing that ticket, have it ack-ed by someone other than the submitter, audit trail complete, change managed, the end.

4 days ago | parent | prev | next [-]
[deleted]
OkayPhysicist 4 days ago | parent | prev [-]

What's your threat model that says they shouldn't? If you don't trust your senior devs, you're already pwned.