How .gov.uk domains are protected
Read this to understand the relationship between all the parties involved in the management and protection of .gov.uk domain names.
The Central Digital and Data Office (CDDO) intends to procure a new .gov.uk Registry Operator. The changes below will come into effect when .gov.uk domains have migrated to this new Registry.
Public sector bodies buy a third-level .gov.uk domain (for example, mydomain.gov.uk) through a .gov.uk Approved Registrar, which may also offer additional services like email and website hosting services. A public sector body that has bought such a third level domain is called a Registrant.
Some Registrants delegate lower-level subdomains out to other public sector bodies, making the users of those domains sub-Registrants. For example, the Government Digital Service (GDS) is a Registrant and has service.gov.uk. GDS has delegated the lower-level domain book-theory-test.service.gov.uk out to DVLA, which is a sub-Registrant.
If a vulnerability is detected in any .gov.uk domain or subdomain it’s important that CDDO, the Registry Operator, Registrars, Registrants and sub-Registrants all understand their roles and responsibilities and work together quickly to fix the vulnerability.
CDDO is introducing new rules to make sure all parties understand their roles and responsibilities. All the agreements between these organisations must now include these Additional terms for .gov.uk agreements.
Here is an overview of the roles and responsibilities.
How CDDO protects .gov.uk domains
CDDO maintains the domain name registration and management rules which are fully described in the Apply for a .gov.uk domain name: step by step.
CDDO also monitors .gov.uk domains for potential vulnerabilities and is the escalation point for supporting Registants and Registrars to deal with serious or persistent risks to the .gov.uk domain.
How the Registry Operator protects .gov.uk domains
The .gov.uk Registry Operator is responsible for the monitoring and support of .gov.uk Registrars to make sure that they continue to meet the Criteria to be a .gov.uk Approved Registrar, and they support their Registrants to meet the domain name registration and management rules.
The .gov.uk Registry Operator commits to this through its contract with CDDO and through terms in the Registry Registrar agreement (RRA) they have with Registrars.
How Registrars protect .gov.uk domains
Registrars must help their Registants protect their .gov.uk domain names. They do this by following the Criteria to be a .gov.uk Approved Registrar.
Registrars commit to meeting the criteria also through terms in the RRA they have with the Registry Operator.
How Registrants protect .gov.uk domains
All .gov.uk Registrants must protect their .gov.uk domain by following the relevant domain name registration and management rules found here:
All .gov.uk Registrants must have either a:
-
Registrant Agreement with the Registrar that contains terms which reference these rules or
-
RRA with the Registry Operator - where the Registrant is also the Registrar
How sub-Registrants protect .gov.uk domains
All .gov.uk sub-Registrants must protect their .gov.uk domain by following the relevant domain name registration and management rules found here:
All .gov.uk sub-Registrants must have a Registrant Agreement with their Registrant that contains terms which reference these rules. You can find out more information about how to do this in the Additional terms for .gov.uk agreements guidance.