NHS Connecting For Health Policy for the nhs.uk namespace
This document provides information for the .nhs.uk namespace with regards to both websites and e-mail domains. The .nhs.uk namespace is controlled by the NHS CFH. This document is aimed at both e-mail and website administrators and assumes a basic knowledge of network technologies and DNS in particular.
This document aims to set out good practice for integrating DNS within N3. It covers:
- E-mail policy for the nhs.uk domain
- Website policy for the nhs.uk domain
- Reasons and benefits for the policies within the NHS
The NHS needs to be able to assure the quality, timeliness and accuracy of DNS entries for domains that deliver nationally important applications. These include:
- SMTP mail
- External (www.) web sites or applications
- Internal (nww.) web sites or applications
Domains which deliver these nationally important applications such as SMTP mail or external web sites should be hosted on the central NHS Domain Name Server (DNS).
We have a duty to ensure that the NHS brand as a whole is presented consistently to the general public.
2. E-mail policy on the nhs.uk domain
The nhs.uk domain name indicates to the outside world that the domain is part of the NHS and under managerial control of the NHS. The NHS CFH, as manager of the NHS network (N3), is the responsible organisation for control of that domain name. With the notable exception of NHSMail, only .nhs.uk domains can be hosted within N3.
Delegation, that is, handing control of a namespace to a local name server and making it totally authoritative, is not preferred N3 policy and is actively discouraged.
N3 policy is that all external mail traffic (that is, external to the healthcare entity's LAN) must be resolved by the NHS DNS servers. Mail servers using the nhs.uk domain name must be hosted within N3.
It is recognised that there are a very small number of nhs.uk users external to N3 who established services prior to N3 and have been unable to move to N3 for commercial or technical reasons. These are not to be used as a precedent for further expansion of this style of use.
In choosing an e-mail name for your domain, it should be clear and nationally recognisable.
For branding reasons, we would permit only one email domain per organisation.
SMTP Permitted Usage Policy
SMTP domains using the central relay will only be granted to NHS and DH organisations.
SMTP email domains should not, under any circumstances, be used by third parties or private companies for commercial purposes or for the promotion of commercial corporate identity.
The NHS CFH DNS Team reserves the right to remove any DNS zones and associated DNS records on the NHS.UK Name Servers if it feels that the SMTP domain name in question is contravening any of our policies. For further advice and guidance, please contact DNSTeam@nhs.net.
3. Website policy on the nhs.uk domain
The policy is similar to e-mail in that delegation to local DNS servers is actively discouraged by the NHS CFH. With respect to external (www) web site registration, we cannot delegate the domain name to the Internet Service Providers (ISPs).
The nhs.uk namespace is assigned for use for messaging as well as website name resolution within the N3. Therefore, we can only allow 'Address' records or 'CNAME' records on our external DNS servers for external (www) websites.
Preferred NHS CFH policy is that your main domain name is recognisable nationally. Healthcare entities should only have one (and a maximum of two) main organisational domain name(s) to be used at any one time so as to promote brand continuity. As the domain is already .nhs.uk, there is no need to repeat NHS in a domain name; this is poor branding and will be prohibited. Attempts to register multiple domain names for the same organisation will be actively discouraged by the DNS Team.
Generic domain names will only be granted if they are for projects with a national remit or are for use by a national body. National-level generic domains will only be granted where it is demonstrated that such a registration will not cause conflict with domain names for existing organisations or projects.
It is advised that after obtaining your organisation's domain name (yourorg.nhs.uk), any future requests to add host names, applications or services should create and then apply for a sub-domain (child domain) below the main domain name. For example:
- nww.department.yourorg.nhs.uk
- www.localhealthcampaign.yourorg.nhs.uk
- application.yourorg.nhs.uk
It is advised that you refer to the Department of Health Guidelines for generic guidance.
A naming schema similar to the one employed with respect to your e-mail domain is preferable when choosing a website name. For example:
- www.anytownssa.nhs.uk points to the Anytown shared services agency website.
- nww.anyshireha.nhs.uk points to the Anyshire strategic health authority intranet site.
- prescriptions.anytownpct.nhs.uk points to a prescriptions application of Anytown PCT.
Website/Domain Name Permitted Usage Policy
Public-facing domain names (www) will only be granted to NHS and DH entities. Associated healthcare providers (such as hospices) that provide essential services to the NHS will be considered on an individual basis if they can demonstrate sufficient cause to be allocated such a domain.
N3-facing domain names (nww) will only be granted to NHS and DH entities or associated third parties that are intrinsic to the functioning of the N3 network and the provision of healthcare.
NHS.UK domains must follow the NHS identity guidelines laid down by the DH and should not, under any circumstances, be used by third parties or private companies for commercial purposes or for the promotion of a commercial corporate identity.
The use of wildcard entries (*.anytown.nhs.uk) is considered poor use of DNS and will not be added onto the NHS.UK namespace. Requests should be for specific sub-domains.
The NHS CFH DNS Team reserves the right to remove any DNS zones and associated DNS records on the NHS.UK Name Servers if it feels that the domain name in question is contravening any of our policies. For further advice and guidance, please contact DNSTeam@nhs.net.
4. Reasons and benefits for the policies within the NHS
The reasons and benefits of this policy are:
- Only by controlling the nhs.uk domain can network and messaging service levels for NHS users be guaranteed. External users could not be included within the area of service management and associated service levels. Using the NHS DNS enables organisations to participate in SMTP messaging through the SMTP Relay service. The central NHS DNS is managed by N3SP with a secondary DNS provided by Cable and Wireless (C&W). This service has a service level agreement to provide guarantees of its availability and resilience. Any changes to DNS content are backed up by agreed service levels.
- Use of the nhs.uk domain promotes confidence in the security environment of its users, including protection from external mail server attack and acceptance of the N3 Code of Connection, including an obligation to screen for viruses. If the nhs.uk domain is not restricted within N3 that level of security could not be guaranteed for any NHS users as it would not be clear whether those users were within nhs.uk or without.
- Mail abuse originating from an nhs.uk address but outside N3 could result in barring being made against all nhs.uk users as the barring is at domain level and would indicate nhs.uk as an untrustworthy source.
- If multiple routes are defined for messages in an SMTP community, only routes defined in the centralised NHS DNS will work consistently.
- Messaging via the Internet is more efficient if the NHS DNS and SMTP relay service is used. Messages going to the Internet will be correctly routed if the NHS DNS is used and return message routes from the Internet will only work if the organisation's details are in the NHS DNS. Participants gain from the resilience and security it provides to the NHS community.
- Placing nhs.uk addresses outside N3 further complicates both mail and IP routing. Simplifying that process aids performance and reduces the risk of errors resulting from complex routing decisions. This is very important in the N3, which is the largest private intranet in Europe. Network or mail misuse resulting from an external nhs.uk address will bring both the NHS CFH and other nhs.uk users into disrepute.
- The existence of externally-hosted users of the nhs.uk namespace is not recognised within our current contracts for provision of DNS with respect to e-mail and the managed mail service.
- With respect to websites, we want to limit organisations listed with the nhs.uk namespace to be NHS entities. This is so as to associate the namespace with the NHS 'brand' as a whole. Also, by using sub-domains of existing healthcare entities, we can maintain a hierarchical structure, as well as improve the functionality of the NHS DNS servers as a whole.
- NHS websites, like other public sector websites, are free of commercial advertising and activity so as to convey only the relevant information to the general public and to retain commercial impartiality. It is not the role of NHS CFH to recommend one company over another.
- By enforcing naming standards on new domain name applications (especially e-mail), the NHS CFH facilitates the production of nationally recognisable NHS CFH domain names. In the past, healthcare entities chose their domain names with a local mindset, and the domain names chosen were often made up of acronyms which were indecipherable at a national level.
- The ability to swiftly change DNS entries when problems occur is a key to delivery of the national SMTP mail service. This service is provided by the NHS CFH DNS Team. This will remove the need for administrators of organisations to configure and maintain changes to host names and IP addresses.