Register New Defensive Domain
This document explains the process of registering a defensive domain at the Ministry of Justice.
The Defensive Domain Registrations policy is maintained by the Security team. Operations Engineering is not involved in deciding which domains require defensive registration or determining the criteria for such registrations. Our role is to implement the policy once a justified requirement is presented.
Pre-requisites
Before proceeding with the registration, ensure you have:
- A list of domains requiring defensive registration
- A copy of the approval email from the Security Team
- Access to MoJDSD AWS Route53
Register domain
Follow the AWS Route 53 documentation to register the domain via the console.
If a domain cannot be registered because it is already owned by someone else, report this back to the requester and the Security team.
Add Hosted Zones to the DNS Repository
When a domain is registered, a Hosted Zone is automatically created in AWS Route 53. The steps below outline how to add this Hosted Zone for management in the DNS repository, along with configuring the standard DNS records required for all defensive domains.
Add the Hosted Zone YAML File
Create a new `.yaml` file in the `hostedzones` directory following the standard process.
Configure Standard DNS Records
Add the following configuration to include the standard defensive domain records. Together they stop any certificate authority issuing a certificate for the domain (CAA `issue ";"`), stop the domain accepting mail (null MX) and make any mail claiming to come from it fail SPF, DKIM and DMARC checks (`v=spf1 -all`, an empty DKIM key on the wildcard selector, and DMARC `p=reject; sp=reject`):
```yaml
---
'':
  - ttl: 300
    type: CAA
    values:
      - flags: 0
        tag: iodef
        value: mailto:certificates@digital.justice.gov.uk
      - flags: 0
        tag: issue
        value: ;
  - ttl: 300
    type: MX
    value:
      exchange: .
      preference: 0
  - ttl: 172800
    type: NS
    values:
      - ns-xxxx.awsdns-xx.org.
      - ns-xxxx.awsdns-xx.co.uk.
      - ns-xxx.awsdns-xx.com.
      - ns-xxx.awsdns-xx.net.
  - ttl: 300
    type: TXT
    value: v=spf1 -all
'*._domainkey':
  ttl: 300
  type: TXT
  value: v=DKIM1\; p=
_dmarc:
  ttl: 300
  type: TXT
  value: v=DMARC1\;p=reject\;sp=reject\;rua=mailto:dmarc-rua@dmarc.service.gov.uk\;
```
Note: Update the `NS` records with the actual values generated by Route 53 when the domain was registered; they are shown on the hosted zone's NS record in the Route 53 console. The `ns-xxxx` placeholders above will not resolve.
Submit a Pull Request
Raise a pull request for the changes following the usual process.
Repeat the Process for All Registered Domains
Complete the above steps for each domain that has been registered.
Notify the Requester and Security Team
Inform both the requester and the Security team once the process is completed for all domains.
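As an added check before raising the pull request for each zone file (example code written for this page, not tooling from the DNS repository or from octodns), the following Python builds the standard record set above as the structure the hosted zone YAML loads into and reports every departure from the defensive policy. The name servers, the weak counter-example zone and the function names are all constructed for illustration; nothing is read from a real zone file.

```python
"""Policy check for defensive-domain hosted zone files (added example).

Zone dicts follow the YAML above: a name maps to one record or a list of
records, and ';' inside TXT values is escaped as '\\;'. The check reports:
  * CAA issue ";" (no CA may issue) plus an iodef contact
  * null MX (exchange ".", preference 0): the domain accepts no mail
  * exactly one SPF record, "v=spf1 -all": no host may send as the domain
  * wildcard DKIM selector with an empty key (p=): no signature validates
  * one DMARC record with p=reject and sp=reject
"""
from __future__ import annotations
from typing import Any

NULL_MX = {"exchange": ".", "preference": 0}


def build_defensive_zone(name_servers: list[str], iodef: str, rua: str) -> dict[str, Any]:
    """Return the record set the runbook prescribes; name_servers are the four
    Route 53 servers of the hosted zone, iodef/rua the CAA and DMARC contacts."""
    return {
        "": [
            {"ttl": 300, "type": "CAA", "values": [
                {"flags": 0, "tag": "iodef", "value": f"mailto:{iodef}"},
                {"flags": 0, "tag": "issue", "value": ";"},
            ]},
            {"ttl": 300, "type": "MX", "value": dict(NULL_MX)},
            {"ttl": 172800, "type": "NS", "values": list(name_servers)},
            {"ttl": 300, "type": "TXT", "value": "v=spf1 -all"},
        ],
        "*._domainkey": {"ttl": 300, "type": "TXT", "value": "v=DKIM1\\; p="},
        "_dmarc": {"ttl": 300, "type": "TXT",
                   "value": f"v=DMARC1\\;p=reject\\;sp=reject\\;rua=mailto:{rua}\\;"},
    }


def _records(zone: dict[str, Any], name: str, rtype: str) -> list[dict[str, Any]]:
    """All records of one type under a name (a name holds one record or a list)."""
    node = zone.get(name, [])
    node = node if isinstance(node, list) else [node]
    return [r for r in node if r.get("type") == rtype]


def parse_tags(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1\\;p=reject\\;...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    out: dict[str, str] = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_defensive_zone(zone: dict[str, Any]) -> list[str]:
    """Return the policy violations in a zone dict; an empty list means compliant."""
    problems: list[str] = []
    caa = [v for r in _records(zone, "", "CAA") for v in r.get("values", [])]
    if not any(e.get("tag") == "issue" and e.get("value") == ";" for e in caa):
        problems.append('CAA: missing issue ";" (a CA could still issue for this domain)')
    if not any(e.get("tag") == "iodef" for e in caa):
        problems.append("CAA: missing iodef contact")
    mx = _records(zone, "", "MX")
    if not mx or any(r.get("value") != NULL_MX for r in mx):
        problems.append("MX: apex must carry only the null MX (exchange '.', preference 0)")
    spf = [r for r in _records(zone, "", "TXT") if str(r.get("value", "")).startswith("v=spf1")]
    if len(spf) != 1 or spf[0]["value"].split() != ["v=spf1", "-all"]:
        problems.append("SPF: expected exactly one TXT 'v=spf1 -all'")
    dkim = _records(zone, "*._domainkey", "TXT")
    if not dkim or any(parse_tags(r.get("value", "")).get("p", "missing") != "" for r in dkim):
        problems.append("DKIM: wildcard selector must publish an empty key (p=)")
    dmarc = _records(zone, "_dmarc", "TXT")
    tags = parse_tags(dmarc[0].get("value", "")) if len(dmarc) == 1 else {}
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject" or tags.get("sp") != "reject":
        problems.append("DMARC: expected one TXT with v=DMARC1, p=reject, sp=reject")
    if not _records(zone, "", "NS"):
        problems.append("NS: apex NS records missing")
    return problems


# Constructed placeholders matching the runbook; a real zone uses the Route 53 values.
PLACEHOLDER_NS = ["ns-xxxx.awsdns-xx.org.", "ns-xxxx.awsdns-xx.co.uk.",
                  "ns-xxx.awsdns-xx.com.", "ns-xxx.awsdns-xx.net."]

# Constructed counter-example: a zone set up like an ordinary mail-capable domain.
WEAK_ZONE: dict[str, Any] = {
    "": [
        {"ttl": 300, "type": "CAA", "values": [{"flags": 0, "tag": "issue", "value": "letsencrypt.org"}]},
        {"ttl": 300, "type": "MX", "value": {"exchange": "mail.example.", "preference": 10}},
        {"ttl": 172800, "type": "NS", "values": PLACEHOLDER_NS},
        {"ttl": 300, "type": "TXT", "value": "v=spf1 include:_spf.example.com ~all"},
    ],
    "_dmarc": {"ttl": 300, "type": "TXT", "value": "v=DMARC1\\;p=none\\;"},
}

if __name__ == "__main__":
    good = build_defensive_zone(PLACEHOLDER_NS, "certificates@digital.justice.gov.uk",
                                "dmarc-rua@dmarc.service.gov.uk")
    print("compliant zone:", check_defensive_zone(good) or "no violations")
    for problem in check_defensive_zone(WEAK_ZONE):
        print("weak zone:", problem)
```

The check deliberately treats a softer setting (`~all`, `p=none`, a named CA in `issue`) as a violation rather than a warning: a defensive registration that can still receive mail or obtain a certificate defeats the point of registering it.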