Domain Name System (DNS) Service Policy and Resources (2024)

Table of Contents

Policy Statement

Scope

Why we have this Policy

Responsibilities

Procedures

Website Address for this Policy

Glossary

Related Documents and Policies


Policy Statement

The purpose of this policy is to define the terms under which the Domain Name System (DNS) is operated and maintained while also ensuring that the requirements of stakeholder groups are met. This policy is intended to ensure that the University utilizes limited DNS resources appropriately, that the University’s name and brand is protected, that security and legal risks are mitigated, and that DNS resources are allocated to the campus community appropriately.

Scope

All UC Berkeley Domain Names are the exclusive property of The Regents of the University of California (The Regents). UC Berkeley Domain Names are subject to this policy and other University policies even if the websites or other electronic services associated with them are contractually delegated to, or operated by, non-campus entities. Similarly, this policy and other University policies apply whether sites or services associated with UC Berkeley Domain Names are hosted on UC Berkeley servers or elsewhere.

Why we have this Policy

The DNS and domain names are a critical tool for enabling people to utilize and access resources on the Internet. Domain names have important branding, recognition and reputational considerations. In addition, the DNS is a technical system accessed by software and other systems to operate in a networked environment.

The University of California Berkeley owns the berkeley.edu Domain and administers its use to benefit the communication, research, academic and other interests and activities of the University. The University of California Berkeley has the right to protect its name in all of these situations. For these reasons, the University has established this policy which is administered by Network Services and the Communications and Public Affairs group. This policy applies to all hostnames and zones (subdomains) within Berkeley.edu and any other domain names which are the property of the University.

Responsibilities

The Berkeley IT - Network Services unit is responsible for implementing, maintaining and supporting network connectivity and services for the campus community. In this role, Network Services is the steward of Internet resources assigned to the University to enable connectivity internally and to the global Internet. One of these resources is the berkeley.edu domain name.

Network Services manages and maintains the infrastructure which provides DNS to the University. Network Services also provides the services necessary for members of the campus community to create and manage DNS records. Network Services is responsible for ensuring the technical integrity, availability and supportability of the system and its utility to both people and the computer systems which rely on it.

Because of the branding and reputational importance of and the role the website plays in helping external and internal audiences navigate the complexity of the campus, the Communications and Public Affairs department has an interest in the publicly visible records in this domain, and the content which they make available.

Since the DNS is a primary method of defining the actual location and systems where the University’s IT services and data are provided and stored, the Information Security Office and the IT Policy department have an interest in ensuring that resources made available by the DNS comply with all appropriate policies and other requirements.

Ensuring the accessibility of public information and tools published by the University and its various departments and organizations to people with disabilities is an important goal in line with both our values and legal obligations. The Office of Disability Access and Compliance is involved in ensuring that this policy assists as necessary in meeting this goal.

Network Services is responsible for the administration of campus DNS services, including the addition or alteration of any records in the berkeley.edu domain and the majority of its subdomains. The DNS Administrator and Network Services team may at their discretion make decisions to ensure compliance with this policy. Network Services may delegate administrative control over parts of the DNS and the records it contains to other campus or external entities at their discretion as long as such delegation continues to ensure compliance with this policy.

Procedures

Eligibility

Eligibility to request records in the DNS, including individual hostnames, subdomains and other record types is available to any group or organization of students, faculty, or staff at the University of California, Berkeley that applies for and obtains formal status as a registered, sponsored, or affiliated campus organization or sponsored departmental organization. These group types are defined in the Berkeley Campus Regulations [for] Implementing University Policies, see “General Definitions”.

Subdomains

Unless specific criteria (see “Names and other records in berkeley.edu”, below) are met, all records and names will be created in an appropriate subdomain. All campus departments should obtain a subdomain which identifies their department. The name of that subdomain should be chosen to ensure clarity and usability. A department may have multiple subdomains as necessary to avoid the need to nest multiple levels of subdomains and to clearly name different groups, projects and initiatives.

All new departmental subdomains are subject to approval by the DNS Administrator and Network Services and the subdomain itself is subject to the entirety of this policy, including potential revocation.

Individual members of the campus community may also request subdomains if an existing departmental subdomain does not adequately represent the resources being named, or if there are other technical or operational considerations which must be satisfied.

Delegation of Subdomains

Campus departments and individuals may request the delegation of a subdomain. Delegation within the scope of DNS is both a technical construct as well as administrative. It requires that the requestor provide the necessary infrastructure to serve DNS for the delegated subdomain and the administrative resources to manage it. All delegated subdomains must continue to comply with this policy, including any requirements that may be defined for the review and approval of the creation of particular record types.

Delegation of a subdomain may be revoked temporarily if such delegation results in an operational impact to University services or impairs the security of data for which the University is responsible. Delegation of a subdomain may be revoked temporarily due to failure to comply with this policy.

Delegations may be permanently revoked for repeated violations of this policy.

Self-Service of DNS Records

Network Services may provide, on a case-by-case basis, access for campus entities or individuals to self-manage their DNS records. Such permissions can be requested via dns@berkeley.edu and will be reviewed and approved by Network Services and the DNS Administrator. Individuals and entities to which this access is granted agree to abide by the entirety of this policy, and assume responsibility for ensuring its implementation for records under their control.

Access to manage DNS records may be temporarily revoked if it results in operational or security concerns or if this policy is violated. Access to manage DNS records may be permanently revoked for repeated violations of this policy or serious or repeated operational or security issues.

Names and other records within berkeley.edu

Hostnames created within the top level berkeley.edu domain itself must meet specific criteria and will be reviewed by the appropriate staff within the Office of Communications and Public Affairs and Network Services. The following criteria will be considered when determining if the creation of a record within berkeley.edu itself is reasonable:

● User experience - common, important resources should be easy to access. For example, vpn.berkeley.edu.

● Enhancing the visibility of a name with broad impact to the campus community (e.g. in support of ongoing programs, fundraising efforts, etc).

● Providing subdomains for departments, other campus entities and individuals where the name requested provides a reasonable representation of the entity, its scope and relationship to the University.

● Providing access to services, projects or initiatives with a campus-wide or sufficiently broad scope where multiple departments or groups and individuals across multiple departments are involved.

● Technical or operational reasons which enable the function of network and computing services for campus, for example appropriate subdomains to group resources and systems.

Cases that either the Office of Communications and Public Affairs or Network Services staff determine require further adjudication to determine whether an exception is warranted may be directed to the DNS Policy Committee. This DNS Policy Committee is a group including, but not limited to, representatives from the Office of Communications and Public Affairs, Berkeley IT, and the Office of Disability Access and Compliance, or a designee it identifies such as Berkeley IT’s Digital Accessibility Program.

Some record types are required for the processing of information and providing connectivity services to the campus community (for example, MX records which determine how email is routed). Network Services may determine the technical need for this type of record without consultation with any other campus entity. These types of records do not present a service which is user-accessible (i.e. do not create a public URL) so there are no website or public affairs policy considerations for these record types.

Offsite Hosting

By default, all requested records must point to infrastructure and IP addresses which are directly owned, allocated to and managed by the University. By exception and subject to additional review by the DNS Policy Committee, records may be created which point to resources hosted by third parties or outside of direct University control. These resources must ensure compliance with all applicable Campus and University Policies, including the IT Accessibility Policy, Campus Online Activities Policy, and the UC System-wide Information Security Policy (IS-3).

Failure to comply with the appropriate policies or other technical requirements may lead to temporary or permanent revocation of these records.

Hostnames and other Records

All hostnames and other records requested must have a legitimate use. For example, records will not be created for the sole purpose of “reserving” a name except where there is a clear case for doing so which supports the aims of the University.

Records must not be offensive or abusive in nature. The responsible offices for this policy will determine if a particular name is acceptable and, if there is disagreement or an appeal is sought, the issue may be taken to the DNS Policy Committee for review.

All hostnames and records must comply with all appropriate technical standards and processes, both global ones and those which may be published or communicated by Network Services via Knowledge Base Articles or other means.

MX (eMail Routing) Records

MX and other email-related DNS records that resolve to resources hosted by third parties or outside of direct University control are also subject to additional review by the Information Security Office, as well as requiring approval by the campus email team. Approval for these types of records must be secured prior to their implementation in the campus DNS. To request approval for MX records, email bconnected@berkeley.edu.

Ownership of Records and Revocation

All records within the berkeley.edu domain and its subdomains are the sole property of the Regents. The University reserves the right to revoke any previously assigned hostname at any time if it conflicts with this policy or other University policies, priorities or interests.

If a hostname is deemed by University Communications and Public Affairs to be in conflict with this policy, University Communications and Public Affairs will send a Notice of Revocation to the owner of the hostname, who will have 10 business days to appeal the decision. If the Information Security Office, Network Services, or University Communications and Public Affairs deems that there is a serious ongoing operational, security or reputational issue related to a hostname, a domain may be revoked simultaneously with the issue of notice. In the cases of disagreement between the Information Security Office, Network Services, or University Communications and Public Affairs on whether a hostname involves risk, the arbiter is the DNS Policy Committee.

Domains Outside berkeley.edu

Some campus entities may wish to register their own domains outside of berkeley.edu. This is acceptable as long as this is approved by the University Communications and Public Affairs Office and owners agree to comply with all applicable Campus and University Policies including this policy.

In the situation where a non-berkeley.edu domain is desired, but it will be maintained in the campus DNS, the following also applies:

● The registrar used will need to make our name servers authoritative for the domain.
● The domain must be relevant to the University's mission.
● A security contact must be provided for the domain.
● Acknowledgement that all relevant university policies will be followed.
● Campus DNS will not be used to host domains intended for commercial purposes.

Additional Restrictions

The University may from time to time, in the face of major events, choose to restrict or impose additional requirements regarding hostnames and other records related to specific topics. For example, names related to ongoing emergencies or significant operational events may require additional vetting and approval or be subject to specific requirements.

Website Address for this Policy

https://technology.berkeley.edu/domain-name-system-dns-service-policy

Glossary

delegated subdomain
- a domain name which belongs under the authority of one set of name servers, which is actually served by another set of servers.

domain name
- a way to identify and locate computers connected to the Internet. No two organizations can have the same domain name. A domain name always contains two or more components separated by periods, called "dots". For example, the Berkeley Campus domain name is "berkeley.edu".

Domain Name System (DNS)
- the way that Internet domain names are located and translated into IP addresses.

DNS server, nameserver
- a server which provides IP address/hostname mapping for computers on a network.

Internet Protocol (IP) address
- the location of a particular connection to the Internet, expressed as four series of digits separated by dots. A computer connection registered with the DNS has a domain name associated with its IP address.

primary nameserver
- a nameserver which is authoritative for a domain and contains host information for that domain locally. Changes to the domain are made manually, or through dynamic updating, first to the primary nameserver.

hostname
- a name registered to a particular host. For example: uclink.berkeley.edu or cory.eecs.berkeley.edu. The hostname is mapped to a unique IP address in the DNS.

secondary nameserver
- a nameserver which is authoritative for a domain and transfers all of the host information from the primary nameserver.

subdomain
- once a domain name has been established, subdomains can be created within it.

Related Documents and Policies

1. Berkeley Campus Regulations [for] Implementing University Policies

2. UC Regents Policy 5203: Policy on Support Groups, Campus Foundations, and Alumni Associations (2005)
