Skip to main content

Delegation of subdomains

Overview

The purpose of this runbook is to provide Operations Engineering with an overview of DNS delegation and the risks associated with it so that requests can be handled appropriately.

What is delegation of a domain?

Delegation of a domain means transferring management and control of a domain to another team. As soon ownership of a domain has been delegated that owner can then create further DNS subdomains, and even delegate more subdomains elsewhere. For that reason we have strict rules about delegation. We are also responsible for following GDS guidance of domains management for justice.gov.uk and subdomains, which are delegated to us from GDS.

Risks associated with domain delegation

  • Loss of control of a subdomain - We no longer manage the domain but are still responsible in the eyes of GDS. We need to ensure that controllers are aware of the security and our requirements for DNS.

  • Further delegation - It is possible for the owner of a delegated domain to further delegate a subdomain to another controller. If we delegate a domain there is a risk that we don’t know about further delegations. To mitigate this risk we should make controllers aware of the implications of delegating domains and their responsibilities as controllers.

  • Non-compliance with domain naming standards - As soon as we delegate management of a domain the new controller can create new subdomains that may not adhere to the MoJ naming standards and GDS naming standards. Failure to comply with standards may result in delegation from GDS being taken away and MoJ no longer being able to manage it’s own domains. We should ensure that domain controllers are made aware of the naming standards and their responsibilities.

What does a domain delegation look like?

A delegated domain will look like an NS type DNS record. Example:

ns-2048.awsdns-64.com
ns-2049.awsdns-65.net
ns-2050.awsdns-66.org
ns-2051.awsdns-67.co.uk

Any DNS change request that includes the creation of an NS record for a subdomain is a delegation, and the resulting change will give whoever manages those NS records full management of that subdomain. On that basis we should pay special attention for these types of request.

Requests for domain delegation

All requests for delegation should be made in writing to domains@digital.justice.gov.uk. Requests should include supporting justification for delegation.

What might we approve?

  • Delegations to other Teams within the Hosting Service i.e. Cloud Platform, Modernisation Platform, and Digital Studio Operations

What won’t we approve?

  • Delegation to external 3rd party suppliers or services.

Right of Appeal

The requester can appeal any decision, however a change to a decision will only be reconsidered with approval by Security.

Any appeal should be made in writing to domains@digital.justice.gov.uk. Any appeal should include justification for the request, and written risk acceptance from the information asset owner (IAO). That request should then be submitted to security@justice.gov.uk for consideration.

Any decision made by Security is final.

This page was last reviewed on 5 September 2024. It needs to be reviewed again on 5 December 2024 by the page owner #operations-engineering-alerts .