- Domains: are “identified by a domain name, and consists of that part of the domain name space that is at or below the domain name which specifies the domain” (p.7, RFC 1034)
- Subdomains: are subsets of a parent domain e.g. unit.ox.ac.uk is subdomain of the parent ox.ac.uk domain.
- Name Servers: “…are server programs which hold information about the domain tree's structure and set information.” (p.5, RFC 1034)
- DNSSEC: “…[adds] origin authentication and integrity protection for DNS data, as well as a means of public key distribution. These extensions do not provide confidentiality.” (p.2, RFC 4033).
- AD Zones: "For a given domain, certain subdomains are used by Microsoft Active Directory 1.The term AD Zones is used to refer specifically to these subdomains but not the parent domain of unit.ox.ac.uk."
DNS naming policy
Information on the DNS naming policy for ox.ac.uk and non-ox.ac.uk domains
The university itself owns several domains for trademark protection (for instance oxforduniversity.com) or for historical reasons (such as oxford.ac.uk and oxford.edu). College or department usage of these domains is deprecated and new DNS entries will not be permitted; units should normally look to use the ox.ac.uk domain, save for exceptions as described below.
We strongly advise that external domains should be registered through us to simplify administration and to minimise future problems, although this is not mandatory save in the case of .ac.uk domains. IT Services are a member of Nominet and act as a registrar for co.uk, org.uk and other Nominet-managed second-level domains. For most other domain names, IT Services act as an OpenSRS reseller. For certain special cases (such as .museum), we simply register through commercial providers.
- 1.1 All DNS records must conform to international standards as laid down in the RFC’s 2.
- 1.2 All names must not risk bringing the University into disrepute.
- 1.3 Domain names must be approved by a Head of Department/Head of House.
- 1.4 All active IP addresses must have a PTR record.
Note: Due to current technical limitations there is a temporary exemption for IPv6.
- 1.5 All authoritative name servers must be capable of running DNSSEC 3.
- 1.6 IT Services may, from time to time, review domain names to ensure that they are still needed and/or legitimate. Those that are no longer being used will be taken down and may be reused.
- 1.7 Any DNS records that do not conform to international and/or University standards must be removed promptly.
Policy for ox.ac.uk domain
- 2.1 ‘The University's policy is that all University activities (other than those within OUP's remit) should be presented within the ox.ac.uk domain.’ 4 Exceptions are permissible if they meet certain criteria and are discussed later in this document.
- 2.2 For reasons of accountability and security, hostnames within the ox.ac.uk domain may not ordinarily be pointed at IP addresses outside the address space allocated to the University. An exception may be granted where IT Services are satisfied the Unit retains a level of control over the hosted service comparable with a service hosted on the University network (see Conditions below). All exceptions will be reviewed periodically.
- 2.3 Delegation of Subdomains to a Unit’s Name Servers.
Note: Due to current technical limitations IT Services can ordinarily only delegate AD zones. IT Services hope to change this in the future.
- 2.3.1 We will only permit ‘full’ zone delegation in that the Unit has complete control and responsibility for this subdomain.
- 2.3.2 The zone may then be used for any service except for the following:
- 220.127.116.11 Email (MX records) can only be for recognised Units/Sub-Units on the University organisation structure.
- 18.104.22.168 No ‘personal/vanity’ domain names.
- 2.3.3 The zone becomes the responsibility of the Unit but IT Services may carry out ‘due diligence’ inspections to ensure that zone is not causing reputational damage to the ox.ac.uk domain in any way 5.
Policy for non-ox.ac.uk domains
- 3.1 ‘The University's policy is that all University activities (other than those within OUP's remit) should be presented within the ox.ac.uk domain. IT Services is solely responsible for controlling ox.ac.uk and its sub-domains. Any department, faculty, unit, institute or other grouping within the University (except OUP) which wishes to make use of any other domain should refer to IT Services for approval (which in general will be granted only in connection with projects which have a wider reach than the University, and which need a distinct and identifiable presence).’ 6
- 3.2 Hostnames not within the ox.ac.uk domain may not ordinarily be pointed at IP addresses on the University network. Exceptions will be made only by special arrangement (and may require payment of a licence fee). Reverse-mapping will always return an address within ox.ac.uk.
- 3.3 Purchasing
- 3.3.1 Subject to all the above caveats IT Services will purchase domains for all Units.
- 3.3.2 As a matter of courtesy, IT Services can also register domains when requested by appropriate staff in Colleges and subsidiaries, which will be registered on their behalf.
- 3.4 DNS hosting on University of Oxford IP address space
- 3.4.1 Anything purchased by IT services would normally be DNS hosted on our central DNS servers.
- 3.4.2 We will also consider DNS hosting domains purchased through other means e.g. project shared between different Universities.
- 3.4.3 We will not host personal vanity domains, or any domain for non-University purposes.
- 3.4.4 Trademark Protection: In the case of domain names obtained purely for trademark protection, we will normally only permit a DNS entry for www within that domain. Accessing that site should result in the user being redirected to the standard URL within the ox.ac.uk domain. Where multiple domains have been obtained for use by the same project (for instance identical names under .com, .net, and .org), we strongly encourage use of one domain as standard and the alternatives to be configured as redirects.
In addition to local policy, all purchases and usage of domains must be in line with the policies laid down by the appropriate domain registries and the domain registrars through which we make our purchases. These are listed below:
- ICANN Uniform Domain Name Dispute Resolution Policy (applies to .com, .net, .org and some country-code top-level domains)
- OpenSRS Registration Agreement (for most domains other than .uk, .museum, .edu)
- Registrant Rights and Responsibilities Under the 2009 Registrar Accreditation Agreement
- Nominet terms and conditions (for other .uk domains)
- JANET(UK) Policy (for .ac.uk domains)
This policy was approved by OUCS/SMG (31/07/12), Now IT Services.
1 For a domain unit.ox.ac.uk, six are required at the time of writing: _tcp.unit.ox.ac.uk, _udp.unit.ox.ac.uk, _sites.unit.ox.ac.uk, _msdcs.unit.ox.ac.uk, DomainDNSZones.unit.ox.ac.uk and ForestDNSZones.unit.ox.ac.uk
2 At time of writing the foundational specifications are contained in RFC1034 and RFC1035. Many other RFCs also apply
3 While DNSSEC (RFC4033) is not deployed currently, it is anticipated that this will be a requirement across the Internet.
4 Legal Services website: was https ://legal.admin.ox.ac.uk/frequently-asked-questions#d.en.30994. Currently https://legal.admin.ox.ac.uk/
5 For example, being slow to respond, replying with out-of-date/inaccurate information.
6 Legal Services website: was https ://legal.admin.ox.ac.uk/frequently-asked-questions#d.en.30994. Currently https://legal.admin.ox.ac.uk/
In order to qualify the Head of Unit must certify that:
- There is a process (which includes appropriate remote access arrangements be they physical and/or virtual) to take down the server within 30 minutes (during normal working hours) of being requested to do so by IT Services (normally OxCERT). IT Services will make reasonable efforts to contact the unit's IT support staff by email (to the Unit's generic IT support address where available) and telephone.
- In exceptional circumstances there may be an urgent need to suspend service outside of normal working hours. IT Services will nevertheless make reasonable efforts to ensure the unit's IT support staff are aware as soon as possible.
- IT Services will set a "time to live" (TTL) of no more than 1800 seconds on all DNS entries pointing to systems outside the University network.
- If the unit cannot be contacted or are unable to take down the server in a timely manner, then IT Services may withdraw the DNS entry in question.
- Should this occur, the DNS entry will be pointed at a University IP address. This will return a generic "Service unavailable" error to HTTP requests on port 80, but will not respond to any other protocols.
- It is the Unit's responsibility to ensure that procedures are in place to restore service in a timescale appropriate to their requirements. Before full service can be restored, IT Services (usually OxCERT) will need to be satisfied that appropriate measures have been taken to resolve the problem(s) identified.
- They must maintain appropriate logs securely and be recoverable so that OxCERT/ any other lawfully entitled party can get these on request in a timely fashion.
- The system must be operated, and adequate data protection measures implemented, in accord with the University's IT Regulations and Information Security Policy.
- An annual self-certification process will be carried out. It is the responsibility of the Unit to ensure that this is returned complete within one month of receipt. DNS Registration will contact the Unit’s generic IT-support email address where available (otherwise all registered ITSS for the unit).
- Any failure to meet these conditions will result in a 30-day notice of withdrawal of the redirection.
If you cannot find the solution you need here then we have other ways to get IT support