HSCN domain naming standards and guidance

This guide describes the operation of the HSCN Domain Name Service (DNS) Service as it interoperates with our customers. It describes mandatory and prohibited zone and record configurations. It applies equally to all users of the HSCN DNS Service.

Management

The trusted domain name administrator and technical contacts

It is a requirement of the Minimum Cyber Security Standard that a domain name administrator is appointed. The domain name administrator has the authority to request changes to domain names and records in the apex domain namespaces, and authorise technical contacts who will submit day-to-day DNS change requests.

The apex domain namespace refers to the parent domains in which all of our sub-domains and records ultimately reside.

At NHS Digital, we are responsible for the apex domains nhs.uk, nhs.net and hscic.gov.uk.

Responsibilities of the domain name administrator

The domain name administrator must:

apply for a domain name in the apex domain namespaces
provide a role-based email contact when applying, so the DNS Team can contact them in the future - for example domainmanagement@[your-organisation].nhs.uk or domainmanagement_[your-organisation]@nhs.net
manage the sub-domains in the apex domain namespace for which they are responsible
update their contact details, and those of the authorised technical contacts at least yearly, and each time those details change
ensure that domain names and the records contained therein adhere to NHS Digital policy
ensure that each domain name has a process in place to manage its lifecycle
request removal of defunct sub-domains and records
sign a memorandum of understanding (MOU) acknowledging their responsibilities and agreeing to abide by NHS Digital’s published standards and guidance relating to DNS

Failure to follow these guidelines will severely hamper an organisation’s ability to request new DNS names, or changes to existing DNS names.

Responsibilities of technical contacts

Technical contacts must:

be authorised by the domain name administrator to manage sub-domains in the apex domain namespace for which they are responsible
provide individual email and telephone contact details, so the DNS Team can contact them in the future
request changes to records in the sub-domains of the apex domain namespace for which they are responsible - requests must comply with all DNS Requests for Comments (RFCs)
update their contact details at least yearly, and each time those details change
request removal of defunct sub-domains and records

Failure to follow these guidelines will prevent a technical contact from being able to request new records, or changes to existing DNS records.

Self-administration

Self-administration is the ability to edit an organisation’s DNS records in near real-time. NHS Digital has developed the facility to permit self-administration for those organisations that provide sufficient details of the domain name administrator and technical contacts and register for multi-factor authentication (MFA).

Once a domain name administrator or technical contact has authenticated on the application, they will be able to make changes to the sub-domains to be applied at the next batch run.

To be eligible for self-administration, the records in question must be in their own sub-domain (they cannot be in the apex domains).

Contact [email protected] to register for self-administration.

Domain and record naming

When choosing the name of any DNS record or sub-domain, organisations must adhere to the NHS Digital Domain and Record Naming standards and guidance.

Chosen names should be:

available
descriptive
geographically relevant
independent of machinery of government
non-generic
unique
not confusing for users

Available

The proposed name must be available.

The NHS Digital DNS Team ([email protected]) can advise if a proposed name is available. Not all allocated names can be queried in DNS. This is because some names are reserved, but not created in DNS until needed.

Descriptive

Your proposed name must clearly describe your organisation or the NHS service you’re providing. Think about users of the name and make sure the name is not too long or complicated.

Your proposed name must:

be between 3 and 63 characters long
contain only alphanumeric characters (0-9 and a-z) and the ‘-‘ (dash) symbol
not be the same or substantially similar to an existing .nhs.uk domain name
not use ‘&’ (ampersands) or ‘_’ (underscores)
not include abbreviations like ltd, plc and gov
not include a postcode

You could use the full name of your organisation, NHS service or an appropriate suffix. For GP surgeries, domain names should reflect the official name of the surgery.

‘*’ or wildcard names should not be used anywhere.

Geographically relevant

If appropriate, your proposed name should be relevant to the area your organisation or the NHS service you’re providing serves.

Independent of machinery of government

You might wish to avoid components of your names that are subject to machinery of government changes. This allows an organisation to potentially continue using a name when a structural change is made by the government.

For example, names suffixed with 'pct' (for primary care trust) were made defunct by the 2013 move to clinical commissioning groups (CCGs), leaving 1071 defunct 'pct' DNS Domains requiring migration to new domains and removal. This issue creates unnecessary additional work in migration of email and web services and clean-up of the DNS database, that could be avoided.

Non-generic

If you apply for a generic word or combination of generic words for a nhs.uk name, the NHS Digital DNS Team will consider it on its merits and may refer the request to other authorities. Central NHS or government organisations may have a claim on generic words used as names, and may claim them without reference to the current user. For example: deepcleaning.nhs.uk.

The NHS Digital DNS Team recommend that you make use of generic words as sub-domains of your domain name. For example: flu.twcsa.nhs.uk.

Unique

Your proposed name must be unique. If your proposed name is substantially the same as another nhs.uk name, you must choose another name.

Where the proposed name relates to sub-domain of nhs.uk, or a record in the apex domain, the name must be unique across the whole of the NHS.

Where the proposed name is a resource record in a sub-domain, the name need be unique only within that sub-domain.

The NHS Digital DNS Team ([email protected]) can advise if a proposed name is available.

Not confusing for users

If you use an acronym, initialism, or abbreviation this must be descriptive, unique and clear to avoid user confusion. You can use commonly-used abbreviations and abbreviations that are well-known to your users.

Other

Names must not:

host a website with persistent errors or security issues
redirect entirely to a non-public sector domain like .co.uk, .org.uk, .info or .com
pose an immediate security threat or interfere with the secure and stable operation of the nhs.uk domain or the NHS.UK ecosystem
infringe on the intellectual property rights of another individual or entity
advertise products, commodities or services of private individuals, firms or corporations
breach NHS brand guidelines
be used for party political purposes
violate any UK laws, regulations or policies
violate the privacy or publicity rights of another individual or entity

Non-compliance

The NHS Digital DNS team reserves the right to remove any DNS zones and associated DNS records on the nhs.uk Nameservers (NS) if it feels that the domain name in question is contravening any of our standards, or poses a security or safety risk. For further advice and guidance, please contact [email protected].

Hierarchy

DNS names are arranged in a hierarchy of levels. Levels are delimited by “.” and counted from the right. Using the DNS names 'accessrequest.beta.genomics.nhs.uk' and 'relay.nhs.uk' as examples:

Level 5	Level 4	Level 3	Level 2	Level 1
accessrequest	beta	genomics	nhs	uk
		relay	nhs	uk

When referring to these levels within the HSCN DNS Service:

Level 2 and 1 is the apex domain (meaning nhs.uk, nhs.net)
Level 3 is a sub-domain or resource record in the apex domain if appropriate
Level 4 is a sub-domain or resource record in a sub-domain as appropriate
the bottom level (in our examples 'accessrequest' and 'relay') are always simply resource records

Records in the apex domains

A record in an apex domain is one that addresses a resource directly from the apex domain and is specifically not a sub-domain or off-infrastructure delegation. For example, jane.nhs.uk, where 'jane' is not a sub-domain of 'nhs.uk' and is not an off-infrastructure delegation.

Records in the apex domains must be exclusively at level 3 in the DNS hierarchy. In the above example 'jane' is at level 3. Refer to the Hierarchy section, above.

Records in the apex domains are subject to NHS Digital Domain and Record Naming standards and guidance.

Eligibility

Records in the apex domains are used exclusively for national programmes and services serving the whole NHS. For example:

mail.nhs.net
infrastructure.nhs.uk
api.nhs.uk
screening.nhs.uk

These records are typically requested and operated by central government organisations or NHS Digital.

Lifecycle

Records in the apex domains must be reviewed regularly, and removed immediately they are no longer required.

Unused records in the apex domains will be removed without notice.

Sub-domain of the apex domains

A sub-domain of an apex domain exists where one or more records are collected together into a self-contained zone, and delegation records exist in the apex domain. Using the apex domain nhs.uk as the example:

A delegation for the sub-domain 'bob' is created within the apex domain 'nhs.uk'.
The zone 'bob.nhs.uk' is created with a Start of Authority (SOA) record and a set of Nameserver records. The sub-domain 'bob.nhs.uk' is now established and can have records created within it, for example: 'fred.bob.nhs.uk'

A sub-domain of an apex domain must be at level 3 and below in the DNS hierarchy. In the above example, 'bob' is at level 3. Refer to the Hierarchy section, above.

Sub-domains of the apex domains, and their child records are subject to NHS Digital Domain and Record Naming standards and guidance.

Eligibility

Organisations permitted to request a sub-domain name within the apex domain namespaces are:

Department of Health and Social Care (DHSC) agencies and public bodies
national organisations wholly owned by the Secretary of State for Health
NHS trusts and foundation trusts
clinical commissioning groups (CCGs)
commissioning support units (CSUs)
GP surgeries/clinics
independent sector treatment centres (ISTCs)
NHS healthcare services

Organisations not permitted to request a sub-domain name within the apex domain namespaces are:

local health campaigns
consultations
single trusts leading on a national level, such as for a rare disease - these should develop content on their corporate website
individuals (including elected representatives)
associations representing public sector staff
public sector pension funds
social enterprises/community interest companies
fundraising charities, voluntary and privately-owned organisations, including charitable arms of NHS trusts
companies and organisations registered at Companies House
public, privately-owned or charitable organisations undertaking work or programmes both targeting and within the NHS
internet management and network-related companies, including internet service providers (ISPs) and hosting companies
British overseas territories and international organisations

Lifecycle

It is the responsibility of the trusted domain name administrator within an organisation to renew their claim to each sub-domain each year, and in doing so, ensure that their contact details, and those of the technical contacts are complete and accurate. Failure to do this will result in loss of control of sub-domains, and may result in domain names being suspended.

Sub-domains of the apex domains must be reviewed regularly, and removed immediately they are no longer required.

Empty sub-domains will be automatically removed without notice, although the name will remain registered to the original owning organisation, subject to NHS Digital Domain and Record Naming standards and guidance.

DHSC agencies and public bodies must get clearance to use the NHS brand before requesting a sub-domain name within the apex domain namespace. Requests must be submitted by the DHSC Digital team.

National organisations wholly owned by the Secretary of State for Health must get clearance to use the NHS brand before requesting a sub-domain name within the apex domain namespace.

Records in a sub-domain

A record in a sub-domain is one that addresses a resource from a sub-domain and is, specifically, not a further sub-domain or off-infrastructure delegation. For example, bob.jane.nhs.uk, where 'bob' is a resource record in the sub-domain 'jane', and is not an off-infrastructure delegation.

A record in a sub-domain must be at level 4 and below in the DNS hierarchy. In the above example 'bob' is at level 4. Refer to the Hierarchy section, above.

Records in a sub-domain are subject to NHS Digital Domain and Record Naming standards and guidance.

Lifecycle

Records in sub-domains must be reviewed regularly and removed immediately when they are no longer required.

Unused records in sub-domains will be removed without notice.

Off-infrastructure delegation of sub-domains

An off-infrastructure delegation exists where an NS record is created to delegate control of a sub-domain of nhs.uk to a DNS service outside of the HSCN DNS Service.

Where no technical alternative exists, it may still be necessary to create NS records to support off-infrastructure delegations these cases are expected to be rare.

Off-infrastructure delegations, and their child records are subject to NHS Digital Domain and Record Naming standards and guidance.

Re-patriation

NHS Digital will review all existing off-infrastructure delegations and re-patriate those deemed to fail security, eligibility or naming tests.

Eligibility

The devolved administrations are automatically granted off-infrastructure delegations for sub-domains related to the devolved health services. For example, scot.nhs.uk.

All other requests will be subject to review, which will include evaluation of security implications, clinical safety, evidence of robust management processes and technical constraints.

Lifecycle

Off-infrastructure delegations must be reviewed regularly, and removed immediately they are no longer required, or when the third-party provider stops responding to queries.

Unused off-infrastructure delegations will be removed without notice.

Acceptable use

Off-infrastructure delegations present 4 primary ongoing security and clinical safety risks:

They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider.
They can be easily misconfigured and cause denial of service to the apex domain.
They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity.
They can be easily misconfigured and permit anonymous remote download of the entire delegation.

Evidence of continued mitigation of these risks will be required from the owning organisation.

Secondary off-infrastructure delegations are not permitted under any circumstances.

A secondary off-infrastructure delegation exists where a sub-domain is delegated off-infrastructure, and then a child of that sub-domain is further delegated elsewhere.

Secondary off-infrastructure delegations present 5 primary ongoing security and clinical safety risks:

They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider.
They can be easily misconfigured and cause denial of service to the apex domain.
They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity.
They can be easily misconfigured and permit anonymous remote download of the entire delegation.
They are virtually invisible to administrators of the apex domain.

Non-compliance

The NHS Digital DNS team reserves the right to re-patriate any off-infrastructure delegation if it feels that the off-infrastructure delegation in question is contravening any of our standards, or poses a security or safety risk. For further advice and guidance, please contact [email protected].

NHS Digital provide resource to support, maintain and update a free DNS management service, for the benefit, security and safety of the whole NHS.

Records with an off-infrastructure target

A record with an off-infrastructure target exists where a records’ resource record data (RData) points to a target that is hosted on a DNS service outside of the HSCN DNS Service. These are typically CNAME, MX, SRV and PTR, although other record types could also include a target component (such as CAA, DNAME, DS, URI and TXT).

By the end of November 2020, more than 250 records with off-infrastructure targets have been identified as compromised, investigated and removed.

Records with off-infrastructure targets are subject to NHS Digital Domain and Record Naming standards and guidance.

Key to record types

CNAME - Canonical name record

MX - Mail exchange record

SRV - Service locator record

PTR - Pointer record

CAA - Certification Authority Authorization record

DNAME - Delegation name record

DS - Delegation signer record

URI - Uniform Resource Identifier record

TXT - Text record

Eligibility

The devolved administrations are automatically granted requests for records with off-infrastructure targets within sub-domains related to the devolved health services.

Requests for records with off-infrastructure targets will be subject to review, which will include evaluation of security implications, clinical safety, evidence of robust management processes and technical constraints.

Records with off-infrastructure targets will not be permitted in the apex domains.

Lifecycle

Records with off-infrastructure targets must be reviewed regularly, and removed immediately they are no longer required, or when the third-party provider stops responding to queries.

Unused off-infrastructure delegations will be removed without notice.

Acceptable use

Records that direct traffic elsewhere present 3 primary ongoing security and clinical safety risks when those targets are off-infrastructure:

They can be hi-jacked by malign entities, who will then use the compromised resource to pretend to be an NHS provider.
They can be easily misconfigured and cause denial of service to the apex domain.
They place reliance on potentially unvetted third-parties for security, clinical safety and NHS brand-integrity.

Evidence of continued mitigation of these risks will be required from the owning organisation.

The following standards apply:

Off-infrastructure targets should be avoided wherever possible.
Where used, it is the owning organisation’s responsibility to ensure that off-infrastructure targets do not become orphaned, or taken-over by unauthorised entities.
Organisations using off-infrastructure targets (such as to contract content supply to a third party) are responsible for requesting the removal of off-infrastructure targets when the service is no longer being supplied.
Organisations using off-infrastructure targets are responsible for ensuring that supplier comply with NHS Digital security policies.
Off-infrastructure targets will be monitored and targets at apparent risk of take-over will be automatically deleted without notice.
Evidence of continued adherence to these standards will be required from the owning organisation.

Secondary off-infrastructure targets (such as where the target record is itself a pointer hosted elsewhere) are not permitted under any circumstances.

Non-compliance

The NHS Digital DNS team reserves the right to remove any record on the nhs.uk Nameservers with an off-infrastructure target if it feels that the record in question is contravening any of our standards, or poses a security or safety risk. For further advice and guidance, please contact [email protected].

Reverse-lookup zone (ARPA zone)

A reverse-lookup or ARPA zone exists where one or more PTR records are collected together into a self-contained zone arranged by IP address, and typically broken up by classless inter-domain routing (CIDR) boundaries.

The following standards apply:

ARPA zones on the internet can only be created for subnets actually assigned to NHS Digital by RIPE.
ARPA zones on HSCN can only be requested for subnets actually extant in peering.
ARPA zones on HSCN will be consolidated into /16 boundaries.
ARPA zones on HSCN cannot be delegated off-infrastructure.

Eligibility

ARPA zone necessarily remain under the control of NHS Digital.

Lifecycle

ARPA zones will be reviewed regularly and removed immediately when they are no longer required.

Empty ARPA zones will be automatically removed without notice.

PTR records in a reverse-lookup zone

A PTR record in a reverse-lookup (ARPA) zone is a pointer to a record in forward-lookup zone. It permits an IP address to be looked up to return a hostname.

The following standards apply.

PTR records can only be requested in ARPA zones.
PTR records on the internet can only be requested within subnets actually assigned to NHS Digital by RIPE and configured on the HSCN DNS Service - requests for PTR records in non-NHS Digital-assigned subnets must be directed to the assignee.
PTR records on HSCN can only be requested within subnets in use on HSCN and configured on the HSCN DNS Service.

Lifecycle

PTR records must be reviewed regularly, and removed immediately they are no longer required, or when the target is no longer resolvable.

Unused PTR records will be removed without notice.

Last edited: 22 March 2021 1:34 pm