Reliability Engineering Team Manual Internal
Table of contents

This documentation is intended for internal use by the RE team.

GOV.UK Verify

DNS changes

The main domain associated with Verify infrastructural things is ida.digital.cabinet-office.gov.uk. It lives in GOV.UK DNS. signin.service.gov.uk also lives in GOV.UK DNS.

How to deploy GOV.UK DNS changes

  • Make a change to alphagov/govuk-dns-config (private repo). There’s a YAML file for each zone in the root of the repository. Make a PR with your changes, get someone to approve it, and merge.
  • Run gds aws govuk-production-admin -e in shell to get your credentials. You will need some GOV.UK production access to do this.
  • Go to https://deploy.publishing.service.gov.uk/job/Deploy_DNS/build - this is the ‘Build with Parameters’ form of the DNS deployment job
  • You’ll need to log into Jenkins using GitHub, you will need to be in the gov-uk-dns-administrators team.
  • Fill out the form with your credentials, action will be ‘plan’, and the correct zone for your change. Do this once with provider aws and once with provider gcp.
  • Click on each of the plan jobs and look at their console output (you may have to wait for it to complete, especially the AWS plan).

    • If you updated a record, expect to see Terraform deleting and re-creating it.
    • If you add a new record, expect to see lots of green.
    • When you apply changes to GCP, there may be some unrelated TXT record updates containing quotes and backslashes. This is due to a bug with govuk-dns - the underlying system - and how it splits long TXT records per provider. These are able to be ignored.
  • If that was okay, fill out the form for each provider again but this time with action 'apply’. If updating a record, the GCP one may need to be repeated to work properly as it will try to create a record before Terraform has processed the destruction of the previous one.