There are 2 domains that are currently managed by the Digital Marketplace team.

Main production service domain.

Used for preview and staging environments, test user emails and for internal tools that we host ourselves (like CI).

Environment subdomains for preview, staging and production are documented in Environments.


DNS records for all domains are hosted in AWS Route 53.

All records are managed with Digital Marketplace AWS Terraform modules.

Main AWS account manages the domain (which is registered through AWS on the same account). It delegates and subdomains to development and production AWS accounts. It also manages the records for, which point to the Jenkins EC2 instance.

* is delegated from the DNS to Route 53 hosted zones on our production AWS account.

Most of these records (including MX, DMARC, DKIM, and other TXT records) used to be managed by CloudFormation stacks and haven’t been imported into our Terraform modules after the move to GOV.UK PaaS. These records can be edited manually in Route 53 or imported and updated with Terraform.
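One way to list which live records are still outside Terraform before importing them. This is an added example, not code from the Digital Marketplace modules. It assumes the output shapes of `aws route53 list-resource-record-sets` and `terraform show -json`; the zone `example.test`, the DKIM selector and the resource addresses are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws route53 list-resource-record-sets`.
ROUTE53_JSON = json.dumps({"ResourceRecordSets": [
    {"Name": "example.test.", "Type": "NS", "TTL": 172800},
    {"Name": "example.test.", "Type": "SOA", "TTL": 900},
    {"Name": "example.test.", "Type": "MX", "TTL": 300},
    {"Name": "_dmarc.example.test.", "Type": "TXT", "TTL": 300},
    {"Name": "sel1._domainkey.example.test.", "Type": "TXT", "TTL": 300},
    {"Name": "\\052.example.test.", "Type": "CNAME", "TTL": 300},
]})

# Constructed sample in the shape of `terraform show -json`.
TFSTATE_JSON = json.dumps({"values": {"root_module": {
    "resources": [],
    "child_modules": [{"address": "module.dns", "resources": [
        {"type": "aws_route53_record",
         "address": "module.dns.aws_route53_record.wildcard",
         "values": {"name": "*.example.test", "type": "CNAME"}},
    ]}],
}}})

def normalise(name):
    # Route 53 returns FQDNs with a trailing dot and '*' escaped as \052.
    return name.replace("\\052", "*").rstrip(".").lower()

def terraform_records(module):
    # Walk the module tree, yielding (name, type) for each managed record.
    for res in module.get("resources", []):
        if res.get("type") == "aws_route53_record":
            vals = res["values"]
            yield normalise(vals.get("fqdn") or vals["name"]), vals["type"]
    for child in module.get("child_modules", []):
        yield from terraform_records(child)

def unmanaged_records(route53_json, tfstate_json, zone):
    live = json.loads(route53_json)["ResourceRecordSets"]
    root = json.loads(tfstate_json)["values"]["root_module"]
    managed = set(terraform_records(root))
    apex = normalise(zone)
    drift = []
    for rr in live:
        key = (normalise(rr["Name"]), rr["Type"])
        # Apex NS and SOA are created by Route 53 with the hosted zone itself.
        if key[0] == apex and key[1] in ("NS", "SOA"):
            continue
        if key not in managed:
            drift.append(key)
    return sorted(drift)
```

Each pair it returns is a record that exists in the hosted zone but has no `aws_route53_record` in state, so it is a candidate for import.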

SSL/TLS certificates and *

SSL/TLS certificates for *, *, and * are generated by our PaaS cdn-route service and issued by Let’s Encrypt. Current certificates are attached to CloudFront using Terraform, as outlined in the process of setting up the PaaS CDN service with a custom domain. There should be no manual renewal process needed by developers.

Our Jenkins server sits behind an Amazon Elastic Load Balancer (ELB). ELBs get a free certificate. We have a wildcard certificate set up for * which we use for Jenkins. This should allow us to spin up a new Jenkins server in parallel with the current server (on a different subdomain) but with the same certificate. This eases the process of transitioning the ci subdomain between servers.

The certificate is created and managed by our Terraform in the main accounts file. See the Jenkins section of this manual for more information on our Jenkins setup.