Campus DNS Standards
Introduction
This document describes the standard as set forth by CITES pertaining to the governance and rules of the Domain Name System (DNS) Service at the University of Illinois, Urbana-Champaign campus.
EDUCAUSE has delegated the second level domains uiuc.edu and illinois.edu to CITES acting on the authority of the University of Illinois at Urbana-Champaign with the agreement that DNS service will be properly maintained and configured.
ARIN has allocated to CITES, acting on the authority of the University of Illinois at Urbana-Champaign, the IP blocks 130.126.0.0/16, 128.174.0.0/16, 192.17.0.0/16, 72.36.64.0/18, and 2620:0:E00::/48 and the delegated reverse DNS (PTR) records for these blocks.
CITES provides DNS service to the Urbana-Champaign campus and controls allocation, management and delegation of these zones.
Terminology
American Registry for Internet Numbers (ARIN): An organization that allocates IP address space to the University of Illinois at Urbana-Champaign.
Delegation: Handing over authority for a portion of a DNS namespace.
Domain: A name which identifies an entity on the Internet. Examples of domains are uiuc.edu, illinois.edu.
Domain Name System (DNS): A method of translating a readable name to an Internet Protocol (IP) address.
EDUCAUSE: Grants .edu domains and offers resources for the advancement of higher education to the education community.
FQDN (Fully Qualified Domain Name): The full entry in DNS for a machine, e.g. host.unit.illinois.edu.
Hostmanager: Processes all campus DNS requests.
Hostname: A unique name given to a network-attached device.
IP Address: A number to identify a device on a network.
IP Address space/block: A group of IP Addresses.
Split domain entries: Campus names that are used by external groups to offer services.
Subdomain: A subset of a domain. Examples of subdomains are unit.uiuc.edu, unit.illinois.edu.
Subnet: A subset of an IP address space.
Time to live (TTL): The amount of time the authoritative nameserver caches a record when queried by a caching server.
Third-level name: Either a domain name or a host name immediately preceding "illinois.edu".
Roles, obligations, and resources
Units' DNS requests and maintenance are processed through the unit's IT professional for network support (also known as the network admin).
The IT professional for network support is designated by the unit head in agreement with CITES.
See the DNS tools section for help finding your network admin and for a listing of useful CITES tools.
The primary contact for DNS at CITES is the hostmanager, reachable at hostmgr@illinois.edu.
The CITES DNS draft Policy may be viewed on the CIO web page:
http://www.cio.illinois.edu/policies/registeringdomains/index.html
Unit costs for DNS registrations
Each campus unit is eligible for one domain free of charge. Additional domains cost $10 per year. Approved vanity domains also cost $10 per year with a one time setup fee equal to the amount that CITES pays the registrar.
During the illinois.edu migration, campus units will only be billed once per domain, even if the same domain exists in both illinois.edu and uiuc.edu. Each unique domain will be billed separately.
For example:
- sample1.uiuc.edu and sample1.illinois.edu are the same domain, so only one domain fee is charged.
- sample1.uiuc.edu, sample1.illinois.edu, and sample2.illinois.edu include two different domains, so two domain fees are charged.
- sample1.uiuc.edu, sample2.illinois.edu, and sample3.illinois.edu are three different domains, so three domain fees are charged.
General usage of DNS
The use of any domain name or IP address space that is managed by or associated with the University of Illinois at Urbana-Champaign must conform to the "UIUC Acceptable Use Policy". The AUP specifies no commercial use of network resources or other purposes that interfere with the mission of the University.
Inter-unit DNS entries
Units wishing to create pointers from a domain they control to another unit (for example, cs.illinois.edu hostnames pointing into Beckman Institute subnets) should do so in cooperation with CITES. CITES will set up a discussion so that both groups are aware of the request and can coordinate the use of the new DNS entries.
External domain entries
Units should create and maintain their entries in cooperation with hostmanager, either via delegation or using the normal CITES server. Please see the section on non-.edu domains.
Reverse DNS (in-addr.arpa)
All hosts must have PTR records. This rule is enforced to help the campus be in compliance with industry best practice. As numerous services use PTR records, it can cause considerable problems to users if an IP does not have a matching PTR record.
Time-To-Live (TTL) recommendations
The Time-To-Live (TTL) DNS parameter is used to control how long DNS resolvers cache a DNS record. Setting a TTL value too low reduces the efficiency of caching and increases DNS server traffic/load. Setting a TTL too high means that DNS changes may not be recognized in a timely manner.
The campus standard for TTL records is 2 hours (7200 seconds). Contact Hostmanager at hostmgr@illinois.edu for changes to a domain's TTL. TTL changes to individual records can be done by IT Professionals with appropriate access to the record in the DNS appliance web interface (https://dns.cites.illinois.edu/).
Assignment of domains and subdomains
Acceptable Name Guidelines
Units requesting a new third-level name (e.g. xyz.illinois.edu) must meet the following guidelines from the Office of Public Affairs for acceptable domain names. (Pre-existing domains are 'grandfathered' under prior guidelines.)
- The domain name can only contain the characters (a-z), -, and (0-9), which complies with RFC 1123 (Section 2.1)
- Marketability - the domain name should be succinct and descriptive of its purpose. For example, publicaffairs.illinois.edu not opa.illinois.edu
- Intuitiveness - the domain name should be easily understood and not confused with another unit. For example, studentaffairs.illinois.edu not vcsa.illinois.edu
- Supportive of brand - the domain name should not be contrary to the Illinois brand. The UIUC initialism should not be used in newly created domain names. In general, avoid acronyms and initialisms unless they are universally recognized. For example, creativeservices.illinois.edu not cs.illinois.edu (which could be confused with Computer Science.)
- Appropriateness - Language which could be considered derogatory, offensive, or misleading should be avoided.
- Respectful of scope and role - Third-level campus domain names (or single hostnames) should reflect high-level organizations in the university (colleges, departments, inter-departmental organizations) or campus-wide services (www, campusrec, careercenter). Since third-level names apply at the campus level, the requesting unit must have the authority to represent the organization or service indicated or implied by the name. For example, research.illinois.edu could only be requested by a unit on campus that speaks for all research at the campus level.
Name requests which violate these guidelines must be justified and go through an approval process.
Non-.edu (vanity) domains (.org, .net)
Domains outside the .edu namespace (vanity domains) both incur cost and require the approval of Public Affairs. The following requirements apply in addition to the normal considerations for domain creations:
- Must be registered through CITES.
- Hostmanager works with Public Affairs to obtain approval for non .edu requests.
- CITES will submit requests for Vanity Domains for a department/unit.
- Requirements defined for Third Level Domains must be met.
- Department/Unit pays initial registration and/or transfer fees, plus $10/year to CITES. Initial registration or transfer fees will be equal to the amount that CITES pays the registrar.
- Changes to the domain must be kept to a minimum. There may be an additional fee for excessive changes to the domain. Typical traffic would be an initial set up and a few changes per year.
Approval / escalation process
The following table represents the new request approval order, and the next escalation step should a request be denied:
| Step | Approval | Process |
|---|---|---|
| 0 | Unit Network Admin | for host or subdomain assignments under an assigned domain, i.e. hostname.unit.illinois.edu |
| 1 | CITES Hostmanager | screens based on existing registrations, and acceptable use & guidelines |
| 2 | within CITES | technical and security concerns |
| 3 | CITES Executive Director, with CIO's Office | surveys for campus conflicts |
| 4 | Office of Public Affairs | final ruling |
New third level domains in illinois.edu
Conditions for a top level host
- Hosts registered in the top-level domain will be names of large campus-wide services. These services can be universal campus services (i.e. netfiles, kerberos) or services that are outward facing (i.e. www, ns).
- Hosts registered in the top level cannot be names of campus colleges, departments, interdepartmental projects/groups, or acronyms made from the above (i.e. engineering, las, cs).
Subdomains will be the names of Colleges (Engineering, LAS), Departments on campus (math, cs, english, physics), Interdepartmental Projects/Groups (sustainablebioenergy), or campus-wide services/entities (careercenter, McKinley...).
Requirements for Third Level Domain Requests
The domain name must follow the Acceptable Name Guidelines and all policies outlined in this standard. The person or group making the request must have a university affiliation (registered organization, staff, faculty, student) and the request should be routed through the unit's Network Admin.
Requested third-level domains must not already exist and must not be reserved for future use (e.g. for the illinois.edu transition). Contact Hostmanager to check domain availability.
There is no setup fee for third-level illinois.edu domains, but units will be billed according to the unit costs for DNS registrations (currently $10/year/domain)
The domain request must include:
- the desired host or domain name
- a description of the name and purpose
- contact information (considerations for hosted vs. delegated)
- organization codes and account numbers
Fill out the web form to start the domain registration request.
After approval, CITES will process the request and set up access to the domain through CITES DNS tools, or delegate it to the unit's servers if requested (see below). Domain requests will be acknowledged within one business day and processed within 5 business days.
Hosts and domains beyond the third level
Hosts and domains beyond the third level are administered by the unit responsible for the third level. The provisioning of fourth-level domains (and beyond) is permissible as long as the following criteria are met:
- The names follow the acceptable name guidelines
- The length of the fully qualified domain name of a host does not exceed 255 characters.
- The beyond-third-level domains are still administratively controlled by the third-level domain IT Professional.
- The technical implementation of DNS server and tools supports this additional level of subdomains.
- Currently, IT Pros are able to create domains beyond the third level in the DNS appliance web interface without the need for Hostmanager intervention. Contact Hostmanager at hostmgr@illinois.edu with questions about whether or not a domain beyond the third level is necessary.
There is no additional cost for beyond-third-level subdomains (i.e. only the third-level domain is billed.)
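The character and length rules above (the RFC 1123 label syntax from the Acceptable Name Guidelines, the 255-character FQDN limit for names beyond the third level, and the guideline against the UIUC initialism in new third-level names) can be checked before a request is submitted. The following checker is an added example, not a CITES tool; the campus zone list, the function names and the rule that the third-level label must not contain "uiuc" are assumptions made for the example.

```python
import re

# Hostname label syntax from RFC 1123 section 2.1, as referenced by the
# acceptable name guidelines: letters, digits and hyphen, 1-63 characters,
# no leading or trailing hyphen. Names are normalised to lowercase because
# DNS is case-insensitive.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
CAMPUS_ZONES = ("illinois.edu", "uiuc.edu")  # assumption: the two campus zones
MAX_FQDN_LEN = 255


def check_label(label):
    """Return the problems found with one DNS label (empty list if it is fine)."""
    if not label:
        return ["empty label"]
    problems = []
    if len(label) > 63:
        problems.append("longer than 63 characters")
    if not LABEL_RE.match(label):
        problems.append("characters outside a-z, 0-9 and '-', or hyphen at start/end")
    return problems


def name_level(fqdn):
    """Level of a name: unit.illinois.edu is third-level, host.unit.illinois.edu fourth."""
    return len(fqdn.rstrip(".").lower().split("."))


def check_fqdn(fqdn):
    """Check a requested name against the guidelines in this standard.

    Returns (ok, problems). The name must sit under illinois.edu or uiuc.edu,
    every label must satisfy RFC 1123, the whole name must stay within 255
    characters, and the third-level label must not use the UIUC initialism
    (the guidelines discourage it for newly created domains).
    """
    problems = []
    name = fqdn.rstrip(".").lower()
    if len(name) > MAX_FQDN_LEN:
        problems.append(f"FQDN longer than {MAX_FQDN_LEN} characters")
    zone = next((z for z in CAMPUS_ZONES if name.endswith("." + z)), None)
    if zone is None:
        problems.append("not under illinois.edu or uiuc.edu")
        return False, problems
    # Labels to the left of the campus zone; the last one is the third-level name.
    labels = name[: -(len(zone) + 1)].split(".")
    for label in labels:
        for p in check_label(label):
            problems.append(f"label {label!r}: {p}")
    third_level = labels[-1]
    if "uiuc" in third_level:
        problems.append("third-level name uses the UIUC initialism")
    return not problems, problems


if __name__ == "__main__":
    for candidate in ("publicaffairs.illinois.edu", "host.unit.illinois.edu",
                      "my_host.unit.illinois.edu", "uiucnews.illinois.edu"):
        ok, problems = check_fqdn(candidate)
        print(f"{candidate} (level {name_level(candidate)}):", "OK" if ok else problems)
```

The checker only covers the mechanical rules; the marketability, intuitiveness and scope guidelines still need the human review in the approval process.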
Maintaining DNS records
CITES maintains tools for unit Network Administrators to maintain the subdomains they are assigned. Units may also request CITES to delegate management of the domain to the unit.
CITES DNS Tools
Adding or removing host names
To register, rename, or delete a device, please use the DNS appliance web interface.
Adding or removing aliases/CNAMEs
To register a CNAME (alias) to an existing host, please use the DNS appliance web interface or email Hostmanager at hostmgr@illinois.edu.
Adding or removing MX records
Adding MX records within the domains you have access to can be done using the DNS appliance web interface. Please email Hostmanager at hostmgr@illinois.edu to make changes to any MX records that point outside the domains under your control.
Hostname lookup
To view information and find information about specific hosts, please use the DNS appliance web interface. However, the Web DNS Lookup is also still available.
DNS viewing tools
To view either IP space files, Domain files, or Network files please use the Data File Viewing Page or the DNS appliance web interface.
Everything else
For mass changes (such as reordering an entire domain/network) and all other topics, please contact Hostmanager at hostmgr@illinois.edu.
Identifying your netadmin
To identify your netadmin, please contact the CITES Help Desk.
Implementation of changes / requests through CITES
- Changes submitted via the DNS appliance web interface will take effect during the next scheduled reload. Reloads occur every two hours on the even hour.
- Requests emailed directly to Hostmanager will be hand processed as time allows. Upon completion, Hostmanager will send a completion email to the requester. Typically, these requests are activated within the two-hour processing cycle mentioned above; however, fluctuations in request load may push the timeline out further. We ask that you allow a full 24 hours for processing and activation.
- Requests with a sensitive timeline, whether during regular CITES business hours or outside of them, should be emailed to Hostmanager with the desired activation time stated clearly in the body of the email. We ask that you coordinate all time-sensitive requests a full 24 hours in advance.
- Requests to modify TTLs
The campus standard TTL is set at the domain level and inherited by all records of that domain. The campus standard is 2 hours. This duration can be lowered to help propagate changes to high-profile machines (e.g. mail servers, web servers) to external nameservers. Requests to lower the TTL for a domain should be emailed to Hostmanager and coordinated accordingly. TTL changes to individual records can be done by IT Professionals with appropriate access to the record in the DNS appliance web interface.
Delegation of domains to unit-managed DNS servers
Units may request CITES to delegate management of the domain to unit-managed DNS servers. Delegated domains must follow other standards and practices in this document, but are served from unit-managed servers.
Definition of delegation
"Administrative responsibility over any zone may be divided, thereby creating additional zones. Authority is said to be delegated for a portion of the old space, usually in form of sub-domains, to another nameserver and administrative entity." — Wikipedia entry for DNS
Delegation is appropriate when the unit:
- wishes to use its own tools and servers for managing its DNS records,
- has business requirements (such as update frequency) that are not met by CITES DNS tools,
- has technical integration requirements (such as Active Directory dynamic DNS)
What can be delegated?
- unit third-level domains (e.g. unit.illinois.edu)
- non-university domains (e.g. .org domains registered to the unit)
- reverse IP lookup zones (PTR zones, e.g. 100.168.192.IN-ADDR.ARPA).
- The DNS architecture requires 256-address blocks for reverse lookup delegation. Units with a subnet smaller than 256 addresses (a /24) cannot have reverse DNS delegated.
Delegation considerations
In a delegated DNS environment, the unit's DNS servers are the primary responders to queries to delegated domains.
Because your DNS servers are the authoritative "holders" of your domain information, they should be well-managed and highly available.
CITES must have contact information on file for the DNS server administrators.
DNS outages often appear as full network outages, which harm the functionality and image of the university and your unit. The Internet takes DNS seriously and so do we.
DNS servers need to be in the CITES Fully Open firewall class to provide DNS responses to off-campus requests.
CITES needs to know if you are using a Windows Active Directory domain controller as the DNS server.
Recommended values for DNS delegations
CITES recommends that nameservers for delegated zones be configured with the following values. Note that CITES does not prohibit DNS administrators from making other choices, so long as the configuration still complies with the official requirements of delegation (as set forth in the delegation agreement).
Recommended values
SOA values
- Refresh: 2 hours. Exception: If departmental name servers cannot send NOTIFYs to CITES name servers, please contact CITES DNS hostmgr@illinois.edu to determine an appropriate value.
- Retry: 15 mins
- Expiry: 2 to 4 weeks
- Minimum: 15 mins
TIP: Don't forget that when modifying a high-profile record (e.g. for a public-facing webserver) it is a good idea to reduce the individual record TTL in advance of making the change (e.g. to a value of 1-5 minutes), and to restore it afterward to the default setting.
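The recommended SOA timers above, the 2-hour campus TTL, the 256-address rule for reverse delegation, and the TIP about lowering a record's TTL before a change can all be checked mechanically during the yearly delegation audit. The script below is an added example, not a CITES tool: the sample SOA record is constructed for the example (made-up server names and serial), and the function names are assumptions.

```python
import ipaddress

# Recommended values from this standard, in seconds. Expiry is given as a
# range (2 to 4 weeks); the others are single values.
STANDARD_TTL = 7200
RECOMMENDED_SOA = {
    "refresh": (7200, 7200),
    "retry": (900, 900),
    "expire": (14 * 86400, 28 * 86400),
    "minimum": (900, 900),
}

# Constructed sample SOA record in the presentation format that `dig SOA`
# and BIND zone files use. Server names and serial are made up for the example.
SAMPLE_SOA = ("unit.illinois.edu. 7200 IN SOA ns1.unit.illinois.edu. "
              "hostmaster.unit.illinois.edu. 2024010101 3600 900 604800 300")


def parse_soa(rr_text):
    """Parse a single-line presentation-format SOA record into its fields."""
    f = rr_text.split()
    if len(f) != 11 or f[3].upper() != "SOA":
        raise ValueError("expected: owner ttl IN SOA mname rname serial refresh retry expire minimum")
    return {
        "owner": f[0], "ttl": int(f[1]), "mname": f[4], "rname": f[5],
        "serial": int(f[6]), "refresh": int(f[7]), "retry": int(f[8]),
        "expire": int(f[9]), "minimum": int(f[10]),
    }


def audit_soa(soa):
    """Return deviations from the recommended SOA timers and the campus TTL.

    The SOA record's own TTL is used as a proxy for the zone default TTL,
    since the $TTL directive is not visible in a query response.
    """
    findings = []
    if soa["ttl"] != STANDARD_TTL:
        findings.append(f"ttl={soa['ttl']}s, campus standard is {STANDARD_TTL}s")
    for field, (lo, hi) in RECOMMENDED_SOA.items():
        value = soa[field]
        if not lo <= value <= hi:
            want = f"{lo}s" if lo == hi else f"{lo}..{hi}s"
            findings.append(f"{field}={value}s, recommended {want}")
    return findings


def reverse_zones_for(cidr):
    """in-addr.arpa zones CITES could delegate for an IPv4 block.

    Returns None when the block is smaller than the 256 addresses (a /24)
    that reverse delegation requires; IPv6 is outside this rule.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > 24:
        return None
    zones = []
    for sub in net.subnets(new_prefix=24):  # one reverse zone per /24
        octets = str(sub.network_address).split(".")[:3]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def safe_to_change(lowered_at, now, previous_ttl):
    """True once every resolver that cached the record under the old TTL has
    had time to expire it, i.e. at least previous_ttl seconds after the TTL
    was lowered. Changing the record earlier gives the lowered TTL no effect
    for those caches."""
    return now - lowered_at >= previous_ttl


if __name__ == "__main__":
    print(audit_soa(parse_soa(SAMPLE_SOA)))
    print(reverse_zones_for("192.168.100.0/24"), reverse_zones_for("192.168.100.0/25"))
```

The `safe_to_change` helper encodes the caveat behind the TIP: lowering a record's TTL from 2 hours to a few minutes only takes effect for a given cache once that cache refetches the record, so the lowered TTL needs to be in place for at least the previous TTL (2 hours at the campus standard) before the actual change is made.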
Firewall groups for "True" Delegations
Departmental name servers for "True" delegations MUST be placed in the Fully Open firewall group to allow udp/53 and tcp/53 from any host (including off campus).
Firewall groups for "Slaved" Delegations
Any departmental name servers for slaved delegations which advertise themselves in the NS RRset SHOULD allow udp/53 and tcp/53 from any host (including off campus).
Hidden/stealth departmental name servers which serve only slaved delegations and are not listed in any NS records MAY allow udp/53 and tcp/53 traffic from off campus but are not required to do so.
Recursion
All departmental name servers must either disable recursion and use the campus resolver (IPv4: 130.126.2.131) or restrict recursion to only known hosts.
Delegation request process
Send an email to hostmgr@illinois.edu with the required information.
- domains and zones to be delegated
- DNS server names and IP addresses
- Contact information for the zones
- Reason for delegation
Delegation lifecycle
CITES will conduct a yearly audit of delegations, which will include an interview and a verification letter. The purpose of the interview is to define what needs and requirements are not being met with the CITES DNS service offering. Regular feedback equips CITES with the necessary information to keep services relevant to campus.
Domain lifecycle
Changes to domains
- Domain removal
If you no longer need a domain associated with you, email Hostmanager. Once the requested date of removal is reached, the domain will no longer resolve and billing will cease at that point.
- Transfers within UIUC
If you no longer need a domain and another department or unit would like to take it over, please contact Hostmanager. Hostmanager will coordinate between both departments to reach an agreement.
Annual maintenance on domains
[Under development]
DNS technical considerations
Campus resolver IP address
As of August 2008, the DNS resolver address for campus is 130.126.2.131.
The old campus DNS servers 128.174.5.58 (argus.cso.uiuc.edu) and 128.174.5.102 (cyclops.cso.uiuc.edu), are no longer in service and were retired on July 31, 2009.