
Register New Defensive Domain

This document explains the process of registering a defensive domain at the Ministry of Justice.

The Defensive Domain Registrations policy is maintained by the Security team. Operations Engineering is not involved in deciding which domains require defensive registration or determining the criteria for such registrations. Our role is to implement the policy once a justified requirement is presented.

Pre-requisites

Before proceeding with the registration, ensure you have:

  • A list of domains requiring defensive registration
  • A copy of the approval email from the Security Team
  • Access to MoJDSD AWS Route53

Register domain

Follow the AWS Route 53 documentation to register the domain via the console, using the MoJDSD account.

If a domain cannot be registered because it is already owned by someone else, report this back to the requester and the Security team rather than attempting to obtain it by other means.

Add Hosted Zones to the DNS Repository

When a domain is registered, a Hosted Zone is automatically created in AWS Route 53. The steps below outline how to add this Hosted Zone for management in the DNS repository, along with configuring the standard DNS records required for all defensive domains.

  1. Add the Hosted Zone YAML File
    Create a new .yaml file in the hostedzones directory following the standard process.

  2. Configure Standard DNS Records
    Add the following configuration to include the standard defensive domain records. A defensive domain exists so that nobody else can hold it, not to host anything, so each record below locks a capability down: the CAA issue record with the value ";" forbids every certificate authority from issuing certificates for the domain (the iodef entry is where CAs report attempts); the null MX (exchange ".", preference 0, RFC 7505) declares that the domain accepts no mail; the SPF record "v=spf1 -all" authorises no sender; the wildcard *._domainkey record with an empty p= revokes DKIM for every selector; and the DMARC record tells receivers to reject unauthenticated mail for the domain (p=reject) and its subdomains (sp=reject) and to send aggregate reports to the GOV.UK DMARC service.

   ---
   '':
     - ttl: 300
       type: CAA
       values:
         - flags: 0
           tag: iodef
           value: mailto:certificates@digital.justice.gov.uk
         - flags: 0
           tag: issue
           value: ;
     - ttl: 300
       type: MX
       value:
         exchange: .
         preference: 0
     - ttl: 172800
       type: NS
       values:
         - ns-xxxx.awsdns-xx.org.
         - ns-xxxx.awsdns-xx.co.uk.
         - ns-xxx.awsdns-xx.com.
         - ns-xxx.awsdns-xx.net.
     - ttl: 300
       type: TXT
       value: v=spf1 -all
   '*._domainkey':
     ttl: 300
     type: TXT
     value: v=DKIM1\; p=
   _dmarc:
     ttl: 300
     type: TXT
     value: v=DMARC1\;p=reject\;sp=reject\;rua=mailto:dmarc-rua@dmarc.service.gov.uk\;

Note: Update the NS records with the actual values generated by Route 53 during the domain registration process; the ns-xxxx.awsdns-xx values above are placeholders and must not be committed. Keep the TXT values exactly as shown: "\;" is how the repository's YAML writes a literal semicolon in a TXT record, and dropping the escaping changes the record.

  3. Submit a Pull Request
    Raise a pull request for the changes following the usual process.

  4. Repeat the Process for All Registered Domains
    Complete the above steps for each domain that has been registered.

  5. Notify the Requester and Security Team
    Inform both the requester and the Security team once the process is completed for all domains.
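Before raising the pull request it is worth checking the new hosted zone file mechanically rather than by eye, because the likely slips (placeholder NS values left in, a softened SPF, a DMARC record without sp=reject) are exactly the ones that leave a defensive domain usable for spoofing. The script below is an added example and is not tooling from the DNS repository or from Operations Engineering. It assumes the hosted zone YAML parses into a mapping shaped like the standard configuration above (PyYAML's safe_load produces that shape); the function name check_defensive_zone and the constant EXAMPLE_ZONE are its own, EXAMPLE_ZONE is a constructed copy of the standard configuration with the NS placeholders still in it, and the name server values used as "real" ones in the usage note are made up.

```python
"""Pre-PR check for a defensive-domain hosted zone (added example, not repo tooling).
Expects the zone as a mapping shaped like the standard YAML above; EXAMPLE_ZONE is
a constructed copy of that config, NS placeholders included."""
import re
import sys


def _txt(value: str) -> str:
    """The YAML writes a literal semicolon in TXT values as '\\;'; compare unescaped."""
    return value.replace("\\;", ";").strip()


def _records(zone: dict, name: str) -> list:
    """A record in the YAML may be a single mapping or a list of mappings."""
    entry = zone.get(name)
    if entry is None:
        return []
    return entry if isinstance(entry, list) else [entry]


def _values(zone: dict, name: str, rtype: str) -> list:
    """Values of every record of this type at this name, from value: or values:."""
    out = []
    for rec in _records(zone, name):
        if rec.get("type") != rtype:
            continue
        if "value" in rec:
            out.append(rec["value"])
        out.extend(rec.get("values", []))
    return out


# Route 53 placeholder left over from the template, e.g. ns-xxxx.awsdns-xx.org.
PLACEHOLDER_NS = re.compile(r"^ns-x+\.awsdns-x+\.", re.IGNORECASE)


def check_defensive_zone(zone: dict) -> list:
    """Return the problems found; an empty list means the zone is ready for a PR."""
    problems = []
    # CAA issue ";" forbids every CA from issuing; iodef is where they report attempts.
    caa = _values(zone, "", "CAA")
    if not any(v.get("tag") == "issue" and v.get("value") == ";" for v in caa):
        problems.append('CAA: no issue ";" record, certificate issuance is not blocked')
    if not any(v.get("tag") == "iodef" for v in caa):
        problems.append("CAA: no iodef contact")
    # Null MX (RFC 7505): exchange "." at preference 0 says the domain takes no mail.
    if not any(v.get("exchange") == "." and v.get("preference") == 0
               for v in _values(zone, "", "MX")):
        problems.append("MX: null MX (exchange '.', preference 0) is missing")
    # SPF with no mechanisms before -all: nobody is authorised to send as this domain.
    if not any(_txt(v) == "v=spf1 -all" for v in _values(zone, "", "TXT")):
        problems.append("TXT: SPF record is not exactly 'v=spf1 -all'")
    # NS must be the four real Route 53 name servers, fully qualified.
    ns = _values(zone, "", "NS")
    if len(ns) != 4:
        problems.append(f"NS: expected 4 Route 53 name servers, found {len(ns)}")
    for server in ns:
        if PLACEHOLDER_NS.match(server):
            problems.append(f"NS: placeholder {server} left in; copy the real values from Route 53")
        elif not server.endswith("."):
            problems.append(f"NS: {server} is not fully qualified (no trailing dot)")
    # Wildcard DKIM record with an empty p= revokes every selector.
    dkim = [_txt(v) for v in _values(zone, "*._domainkey", "TXT")]
    if not any(re.fullmatch(r"v=DKIM1;\s*p=", v) for v in dkim):
        problems.append("DKIM: *._domainkey must be 'v=DKIM1; p=' (empty key)")
    # DMARC must reject for the domain and its subdomains, and report somewhere.
    tags = {}
    for v in _values(zone, "_dmarc", "TXT"):
        for part in _txt(v).split(";"):
            key, sep, val = part.partition("=")
            if sep:
                tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        problems.append("DMARC: _dmarc must be v=DMARC1 with p=reject")
    if tags.get("sp") != "reject":
        problems.append("DMARC: sp=reject missing, subdomains are not covered")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("DMARC: no rua= aggregate report address")
    return problems


# Constructed copy of the standard config above, still carrying the NS placeholders.
EXAMPLE_ZONE = {
    "": [
        {"ttl": 300, "type": "CAA", "values": [
            {"flags": 0, "tag": "iodef", "value": "mailto:certificates@digital.justice.gov.uk"},
            {"flags": 0, "tag": "issue", "value": ";"},
        ]},
        {"ttl": 300, "type": "MX", "value": {"exchange": ".", "preference": 0}},
        {"ttl": 172800, "type": "NS", "values": [
            "ns-xxxx.awsdns-xx.org.", "ns-xxxx.awsdns-xx.co.uk.",
            "ns-xxx.awsdns-xx.com.", "ns-xxx.awsdns-xx.net.",
        ]},
        {"ttl": 300, "type": "TXT", "value": "v=spf1 -all"},
    ],
    "*._domainkey": {"ttl": 300, "type": "TXT", "value": "v=DKIM1\\; p="},
    "_dmarc": {"ttl": 300, "type": "TXT",
               "value": "v=DMARC1\\;p=reject\\;sp=reject\\;rua=mailto:dmarc-rua@dmarc.service.gov.uk\\;"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed to read a real hostedzones/*.yaml file
        with open(sys.argv[1]) as fh:
            zone = yaml.safe_load(fh)
    else:
        zone = EXAMPLE_ZONE
    found = check_defensive_zone(zone)
    print("\n".join(found) or "zone ready")
    sys.exit(1 if found else 0)
```

Run it with the path to the new hosted zone file to get a non-zero exit and one line per problem; with no argument it checks the embedded copy and reports the four placeholder NS values. Once the Route 53 name servers (values of the form ns-1.awsdns-01.org., here made up) replace the placeholders, the embedded copy passes, and the same checks catch an SPF softened to ~all or a DMARC record that lost sp=reject.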

This page was last reviewed on 16 October 2024. It needs to be reviewed again on 16 April 2025 by the page owner #operations-engineering-alerts.