
Register New Defensive Domain

This document explains the process of registering a defensive domain at the Ministry of Justice.

The Defensive Domain Registrations policy is maintained by the Security team. Operations Engineering is not involved in deciding which domains require defensive registration or in setting the criteria for those registrations; our role is to implement the policy once a justified, approved requirement is presented.

Pre-requisites

Before proceeding with the registration, ensure you have:

  • A list of domains requiring defensive registration
  • A copy of the approval email from the Security Team
  • Access to MoJDSD AWS Route53

Register domain

Follow the AWS Route 53 documentation to register the domain via the console in the MoJDSD account.

If a domain cannot be registered because it is already owned by someone else, report this back to the requester and the Security team.

Add Hosted Zones to the DNS Repository

When a domain is registered, Route 53 automatically creates a Hosted Zone for it. The steps below outline how to bring this Hosted Zone under management in the DNS repository and how to configure the standard DNS records required for all defensive domains.

  1. Add the Hosted Zone YAML File
    Create a new .yaml file in the hostedzones directory following the standard process.

  2. Configure Standard DNS Records
    Add the following configuration to include the standard defensive domain records. Together they declare that the domain sends no mail (a null MX, `v=spf1 -all`, an empty wildcard DKIM key and a `p=reject` DMARC policy) and that no certificate authority may issue certificates for it (a CAA `issue` tag of `;`):

    ---
    '':
      - ttl: 300
        type: CAA
        values:
          - flags: 0
            tag: iodef
            value: mailto:certificates@digital.justice.gov.uk
          - flags: 0
            tag: issue
            value: ;
      - ttl: 300
        type: MX
        value:
          exchange: .
          preference: 0
      - ttl: 172800
        type: NS
        values:
          - ns-xxxx.awsdns-xx.org.
          - ns-xxxx.awsdns-xx.co.uk.
          - ns-xxx.awsdns-xx.com.
          - ns-xxx.awsdns-xx.net.
      - ttl: 300
        type: TXT
        value: v=spf1 -all
    '*._domainkey':
      ttl: 300
      type: TXT
      value: v=DKIM1\; p=
    _dmarc:
      ttl: 300
      type: TXT
      value: v=DMARC1\;p=reject\;sp=reject\;rua=mailto:dmarc-rua@dmarc.service.gov.uk\;

    Note: Update the NS records with the actual values generated by Route 53 during the domain registration process; the placeholders above will not resolve. Semicolons inside TXT values are written as \;, matching the escaping already used in the DKIM record.

  3. Submit a Pull Request
    Raise a pull request for the changes following the usual process.

  4. Repeat the Process for All Registered Domains
    Complete the above steps for each domain that has been registered.

  5. Notify the Requester and Security Team
    Inform both the requester and the Security team once the process is completed for all domains.
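Before raising the pull request in step 3 it is worth checking that a new hosted zone file actually carries every record in the defensive baseline and that the NS placeholders have been replaced. The linter below is an added example, not code from the runbook or the DNS repository. It assumes the zone files use the layout shown above (records under the '' apex key, `value`/`values`, semicolons in TXT data escaped as `\;`) and treats the runbook's records as the required baseline; the sample zone and its name servers are constructed for illustration. PyYAML is optional and is only needed to read a file from disk.

```python
"""Lint a hosted zone for the standard defensive-domain records.

Added example (not part of the runbook or DNS repository). Assumes the zone
layout shown on the page: '' apex key, 'value'/'values', TXT ';' escaped as '\\;'.
"""
from typing import Any

try:
    import yaml  # PyYAML: optional, used only by check_zone_file()
except ImportError:
    yaml = None

EXPECTED_IODEF = "mailto:certificates@digital.justice.gov.uk"
EXPECTED_RUA = "mailto:dmarc-rua@dmarc.service.gov.uk"


def _as_list(entry: Any) -> list:
    """A zone entry may be one record (mapping) or several (list)."""
    return entry if isinstance(entry, list) else [entry]


def _values(record: dict) -> list:
    """Normalise the 'value' / 'values' spelling to a list."""
    return list(record["values"]) if "values" in record else [record["value"]]


def _txt(records: Any) -> list[str]:
    """TXT data of the given entry with the '\\;' escaping undone."""
    return [str(v).replace("\\;", ";")
            for r in _as_list(records) if r.get("type") == "TXT" for v in _values(r)]


def _tags(txt: str) -> dict:
    """Parse 'k=v;k=v' TXT data (DKIM/DMARC style) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def check_zone(zone: dict) -> list[str]:
    """Return findings for a parsed zone; an empty list means compliant."""
    findings = []
    apex = {r["type"]: r for r in _as_list(zone.get("", []))}

    # CAA 'issue ;' forbids every CA; iodef routes violation reports to the certificates mailbox.
    caa = {v["tag"]: v["value"] for v in _values(apex["CAA"])} if "CAA" in apex else {}
    if caa.get("issue") != ";":
        findings.append("apex: CAA issue tag must be ';' so no CA may issue")
    if caa.get("iodef") != EXPECTED_IODEF:
        findings.append("apex: CAA iodef must be " + EXPECTED_IODEF)

    # Null MX (RFC 7505) tells senders the domain accepts no mail.
    if "MX" not in apex or _values(apex["MX"]) != [{"exchange": ".", "preference": 0}]:
        findings.append("apex: MX must be the null MX ('.', preference 0)")

    # NS must be the delegation Route 53 generated, not the template placeholders.
    if "NS" not in apex or any("xx" in str(v) for v in _values(apex["NS"])):
        findings.append("apex: NS records missing or still template placeholders")

    # SPF hard fail: no host is authorised to send as this domain.
    if "v=spf1 -all" not in _txt(zone.get("", [])):
        findings.append("apex: TXT must contain 'v=spf1 -all'")

    # Wildcard DKIM with an empty key revokes every selector a sender might try.
    if not any(_tags(t).get("v") == "DKIM1" and _tags(t).get("p") == ""
               for t in _txt(zone.get("*._domainkey", []))):
        findings.append("*._domainkey: TXT must be 'v=DKIM1; p='")

    # DMARC reject for the domain and its subdomains, reporting to the central rua.
    want = {"v": "DMARC1", "p": "reject", "sp": "reject", "rua": EXPECTED_RUA}
    if not any(all(_tags(t).get(k) == v for k, v in want.items())
               for t in _txt(zone.get("_dmarc", []))):
        findings.append("_dmarc: TXT must be 'v=DMARC1; p=reject; sp=reject; rua=" + EXPECTED_RUA + "'")
    return findings


def check_zone_file(path: str) -> list[str]:
    """Lint a zone file on disk (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is needed to read zone files: pip install pyyaml")
    with open(path) as fh:
        return check_zone(yaml.safe_load(fh) or {})


# Constructed sample: the runbook's records with made-up Route 53 name servers filled in.
COMPLIANT_ZONE = {
    "": [
        {"ttl": 300, "type": "CAA", "values": [
            {"flags": 0, "tag": "iodef", "value": EXPECTED_IODEF},
            {"flags": 0, "tag": "issue", "value": ";"}]},
        {"ttl": 300, "type": "MX", "value": {"exchange": ".", "preference": 0}},
        {"ttl": 172800, "type": "NS", "values": [
            "ns-1234.awsdns-56.org.", "ns-1789.awsdns-34.co.uk.",
            "ns-123.awsdns-45.com.", "ns-567.awsdns-06.net."]},
        {"ttl": 300, "type": "TXT", "value": "v=spf1 -all"},
    ],
    "*._domainkey": {"ttl": 300, "type": "TXT", "value": "v=DKIM1\\; p="},
    "_dmarc": {"ttl": 300, "type": "TXT",
               "value": "v=DMARC1\\;p=reject\\;sp=reject\\;rua=" + EXPECTED_RUA + "\\;"},
}

if __name__ == "__main__":
    import sys
    problems = check_zone_file(sys.argv[1]) if len(sys.argv) > 1 else check_zone(COMPLIANT_ZONE)
    print("\n".join(problems) or "compliant")
```

Run it as `python lint_defensive_zone.py hostedzones/example.yaml` (hypothetical file names) and fix every finding before raising the pull request; with no argument it lints the embedded sample and prints `compliant`. The placeholder check deliberately fails on the `ns-xxxx.awsdns-xx` values from the template, which is the mistake most likely to slip through a copy-and-paste.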

Last reviewed: 30 June 2025
Review status: Review overdue
Owner: #operations-engineering-alerts
