Creating and managing .gov.uk subdomains
Find out how to securely create and manage subdomains in the public sector.
In this guidance ‘domain’ is referencing a .gov.uk domain that’s been issued and approved by the Protecting Public Sector Domains Team at Cabinet Office, for example, service.gov.uk. Subdomains refer to domains created from this level or below for example, tax.service.gov.uk or test.tax.service.gov.uk.
The Domains Team provides .gov.uk domain names to public sector organisations. Once you start using your own .gov.uk domain your organisation must take responsibility for using and protecting the domain.
This includes being aware of how subdomains under your domain are being used and managed even if you have a supplier doing this on your behalf.
Poor management of your domain and subdomains could have significant financial, security and reputational consequences for your organisation and other government services.
There is a risk to all public sector digital services if any .gov.uk domains are compromised.
1. What happens when you create subdomains
Your own team may be creating and managing subdomains for your organisation’s own use or you may be giving out (delegating) some subdomains for people in other teams or organisations to use.
Subject to your organisation’s policy, the registrant of a third level .gov.uk domain may give out subdomains to:
-
internal teams or individuals in your organisation
-
teams or individuals in another public sector organisation
-
third parties like suppliers
When a registrant has delegated a subdomain, they:
-
still hold ultimate accountability for all subdomains they delegate and everything beneath those subdomains
-
must make sure the security, stability, integrity and reputation of your subdomains are not compromised
-
may also need to provide service level agreements for the delegated domain depending on how critical it is to the team or organisation using it (more information in section 5)
By creating a subdomain the registrant has become a registry operator. It is important to keep track of all your subdomains, what they’re used for and who is responsible for them, because this can spiral out of control quickly, lose track of ownership, and your domain may become vulnerable to hijack.
Here is an example of delegating subdomains and how a registrant has become a registry operator:
-
The CDDO Domains Team issues
service.gov.uk
to GDS. -
The GDS registrant delegates a number of subdomains to different public sector organisations, including
tax.service.gov.uk
to HMRC andcheck-mot.service.gov.uk
to DVSA. -
This pattern can repeat. The HMRC registrant can then delegate
test.tax service.gov.uk
to another internal agency, department or supplier.
Your accountability for delegated domains starts when you approve a new subdomain of your .gov.uk domain. You remain accountable for all subdomains even if there are any successive delegations.
2. Before you delegate subdomains
You can only delegate subdomains if you’re the registrant and you’re managing your domain properly.
As a reminder, you must:
-
use a registrar or DNS supplier appropriate to the criticality of your service
-
understand how you are accountable for the protection of your .gov.uk domain
-
renew your domain every 2 years
-
make sure your team is able to follow the keeping your domain secure guidance
-
use a good UK-based supplier so your domain is protected by UK laws
-
make sure you stop using domains properly when they are not needed
-
create processes and agreements as outlined in the rest of this guidance
It is also important that you and your team understand how poor management of a domain or subdomain can impact the security of public sector services. For example:
-
important digital services can be compromised or taken offline
-
unmanaged domains can be taken over and used to spread malicious content
-
inconsistent and incorrect technical records can lead to domains and sensitive content being hijacked
3. Managing delegated subdomains
It is important that you have some processes to manage the .gov.uk subdomains you delegate. You can use the following checklist as a starting point.
3.1. Set your own criteria
Before accepting any subdomain requests you must:
-
choose who can have a subdomain
-
decide if you will allow critical services on your subdomains
-
set the rules for any naming criteria you may want to use
-
decide what your subdomains can be used for
3.2. Check the identity of the person applying
Always check the identity of anyone applying for a subdomain and that they have the authority to apply.
For example you could:
-
contact a person you know in the same or parent organisation to confirm the applicant works there
-
ask to see identification using a channel other than email, such as a video call
-
ask for written confirmation that they have authority to apply
-
verify the identity of all applicants even if the request comes from a public sector email address
3.3. Clarify the subdomain meets the rules and any special requirements
Before creating the subdomain you must:
-
check the subdomain name is clear and descriptive and follows any specific naming rules you may have
-
confirm what the domain is going to be used for
-
check if the domain requires a critical service level agreement (SLA) like 24 hour support and if you can provide this
3.4. Collect information about the subdomain user
You must collect and keep up to date information from subdomain applicants. We recommend using a secure database or spreadsheet. Use your preferred tool to record:
-
the name of the registrant
-
which team and organisation applied
-
the chosen domain name
-
what the domain is going to be used for
-
a role-based email like [email protected] and not the email of a named individual
-
who approved the domain name (if necessary)
-
delegation date
-
review date (to check if the domain is still being used)
-
any additional information
3.5. Pass on information about accountability
Make sure the person managing the new subdomain knows they are accountable for protecting their .gov.uk domain from the moment they start using it.
3.6. Keep subdomain contacts up to date
Check your records every 6 months to make sure you have up-to-date contact details.
3.7. Managing changes to subdomain data
You should make it clear how your subdomain contacts can make changes to registry data.
You must provide a role-based email address that they have to contact to submit any change requests.
You must always check important registry data like name servers are correct when any changes are made
3.8. Reassigning subdomains
If the person you assigned a subdomain to wants to give the subdomain to another person, they must provide you with all the relevant contact information and confirm what the domain will be used for.
3.9. Notifying customers about the service
You must tell your subdomain users about service issues and changes. For example, you must email your contact about:
-
maintenance to the service of the registry including maintenance that does not necessarily result in downtime, but may present an increased risk
-
service outages
-
changes to your service
4. Managing incidents and vulnerabilities
We recommend you set up a role-based support email so that your subdomain contacts can report vulnerabilities or other issues to you.
If you hear about any vulnerabilities which might affect other public sector organisations, you must report it to [email protected].
You must also:
-
know how to deal with any breaches or unacceptable use
-
make sure subdomain names when they are no longer needed or used
-
find a replacement contact for the subdomain if the contact you originally had no longer exists or cannot be reached
5. Check if you need a service level agreement for a subdomain you’ve delegated
When an SLA is necessary
If your domain or one of its subdomains supports critical services, you must define a business continuity plan and SLAs. These must reflect the criticality of your .gov.uk domain and its subdomains in the event of loss of service.
You are likely to need an SLA if you are delegating subdomains that are providing critical services to your users.
If the user of a domain you have delegated out needs an SLA, for example a target level of availability, please contact the Domains Team to discuss this by emailing [email protected].
Essential service and performance levels
If you do create contracts or SLAs, you must have clear performance and service availability requirements for your .gov.uk domain and be able to implement them. This includes:
-
DNS performance and availability
-
changes and how long they take to be implemented
-
customer service response times and availability
Any SLA you create must define customer service requirements and response times that are appropriate for your subdomain. For example:
-
how long it takes for a new subdomain to be approved
-
whether your customers have critical subdomains which need 24 hour support
-
how long customers will have to wait for technical changes to be implemented normally and during an emergency
We also recommend that you securely backup the registry data and have a transition plan to a new DNS supplier.