Policies supporting domain name administrators and technical contacts

Policies supporting domain name administrators and technical contacts to comply with HSCN DNS.

General

At minimum, systems and services making use of Health and Social Care Network (HSCN) Domain Name Service (DNS) must:


Compliance

Failure to comply with this policy will result in the domain being removed from your control and ultimately decommissioned. 


Off-infrastructure delegations

An off-infrastructure delegation exists where an NS record is created to delegate control of a sub-domain of nhs.uk to a DNS service outside of the HSCN DNS Service.

The off-infrastructure delegation presents a number of severe security risks to the NHS and NHS.UK ecosystem and is subject to the same security controls as the HSCN DNS Service.

At minimum, systems and services making use of off-infrastructure delegations must:

  • comply with the Cyber Assessment Framework (CAF)
  • comply with the schedule of activities for Domain Name administrators and technical contacts
  • comply with national guidance on hosting NHS and social care data
  • dump DNS query or response data in near real-time to an S3 bucket, Storage Account, Cloud Storage, etc. (as agreed with CSOC) for collection by CSOC
  • retain query or response data permanently until collection has been confirmed by CSOC, then retain for 3 months
  • not create onward delegations for sub-domains. Onward delegation (aka sub-delegation) is prohibited
  • not make use of vendor-lock-in features that might hamper the portability of the domain name to another provider
  • not make use of non-RFC-compliant record types or data, such as ANAME or ALIAS records
  • co-operate with audits performed by NHS Cyber, the DNS team, NCSC, or nominated third-parties

Compliance

Failure to comply with this policy will result in the termination of an off-infrastructure delegation.

Last edited: 28 August 2024 2:40 pm