Domain Name System (DNS) records
The Reliability Engineering team is responsible for managing several DNS zones.
By default, zones are hosted by AWS (Route 53) and Google Cloud Platform (Cloud DNS)
As of Feb 2020, there are 40 hosted zones. A list is retrievable from a terminal using:
gds aws govuk-production-admin -- aws route53 list-hosted-zones | grep Name
Some individual records within these zones are managed by other teams.
Amazon Route 53 and Google Cloud DNS
Use the “production” account. Speak to Infrastructure if you require access.
Records for GOV.UK systems
We use a few domains:
alphagov.co.ukis the old domain name GOV.UK publishing used to live on. We maintain records which point to Bouncer so that these URLs redirect.
govuk.service.gov.ukare where GOV.UK lives.
Making changes to publishing.service.gov.uk
To make a change to this zone, begin by adding the records to the yaml file for the zone held in the DNS config repo.
We use a Jenkins job that publishes changes to
job uses Terraform and pushes changes to the
When the changes have been reviewed and merged, you can deploy them using the “Deploy DNS” Jenkins job.
You will need to assume the appropriate role and copy and paste the credentials in to the Jenkins job.
gds aws govuk-production-admin -e
Changes should be deployed for each provider (AWS & Google) separately, first run a “plan” action, and when you’re happy with the changes, run “apply”.
Within the Jenkins job (under “Configure”), select the provider, zone & action. Once build is complete, examine the logs before progressing to the next stage (Apply).
- Due to the Terraform state being held in an S3 bucket, you will require access to the GOV.UK AWS “production” account to roll changes for both Amazon and Google.
- The order in which you deploy to providers is not important.
- You will not require credentials for Google Cloud. These credentials are stored in Jenkins itself.
- When deploying to Google it’s normal to see changes in TXT records relating to escaping of quotes. You can safely ignore these if they don’t change any of the content of the record. This is a bug in the way we handle splitting long TXT records between AWS and GCP in our YAML -> Ruby -> Terraform process.
- To change a DNS record, the Google provider deletes and re-adds that record. This can sometimes cause a race condition where Google tries to create the new one before it has sucessfully deleted the old one. In this case, the build will fail, and you need to re-run the GCP
Making changes to internal DNS (govuk.digital and govuk-internal.digital)
Currently these zones are only used in environments running on AWS.
These DNS zones are hosted in Route53 and managed by Terraform. Changes can be made in the govuk-aws and govuk-aws-data repositories. While GOV.UK migrates to AWS speak with Reliability Engineering for support making your changes.
DNS for the
gov.uk top level domain
Jisc is a non-profit which provides networking to
UK education and government. They control the
gov.uk. top-level domain.
Requests to modify the DNS records for
gov.uk. should be sent by email to
email@example.com from someone on Jisc’s approved contacts list. Speak to a
senior technologist member of GOV.UK or Reliability Engineering if you need to
make a change and don’t have access.
2nd line should be notified of any planned changes via email.
gov.uk.is a top-level domain so it cannot contain a CNAME record (see RFC 1912 section 2.4). Instead, it contains A records that point to anycast IP addresses for our CDN provider.
www.gov.uk.is a CNAME to
www-cdn.production.govuk.service.gov.uk., which means we do not need to make a request to Jisc if we want to change CDN providers. Just change where the CNAME points to.
At the moment Reliability Engineering are also responsible for delegating DNS to other government services.
The request will arrive by email or Zendesk from a member of the GOV.UK Proposition
team. The request will contain the service domain name that needs to be delegated and
more than one nameserver hostname (usually
In Route 53, create a new node for the service domain underneath
NS records for that node.
We do not manage DNS for service domains. If you get a request asking you to add
anything other than
NS records, it should be rejected. This is so we’re not
the single point of DNS for government.
There are ongoing plans to move this responsibility to a different part of GDS.
Other weird bits of DNS
If you receive a request to change any other DNS that hasn’t come from the GOV.UK Proposition team, send it to them using the Zendesk group “3rd Line–GOV.UK Proposition”.