Removing gsi-family domains from the public sector

From: Technology in government
Published: Wed Mar 29 2023


Last updated: 29 March 2023

Most gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) are scheduled for removal from their internet-facing zones by the beginning of April.

A core pillar of the Transforming for a Digital Future strategy is delivering efficient, secure and sustainable technology, and at CDDO's Securing Government Services team we're working hard to clean up and remove legacy services.

Some public sector organisations have previously used .gsi.gov.uk, x.gsi.gov.uk, .gsx.gov.uk, .gse.gov.uk and .gcsx.gov.uk to email each other in a secure way. However, the current email standards and guidance mean they can now get better security sending the same email over the internet rather than using the Public Services Network (PSN).

The PSN, where these gsi-family domains were used, is in the process of being wound down, and we officially stopped using these domains in 2019. Meanwhile, the PSN email relay they depended on was shut down in 2021.

The end of gsi-family domains

People are reluctant to remove old domain names, often because they are concerned there might be a forgotten service that depends on the domain. This means these old domains can get neglected and become vulnerable to spoofing and malicious attacks.

Many gsi-family domains still exist in both internet and PSN-facing zones. Most are dormant, some are misconfigured, and all are targeted heavily for email spoofing. As a result we plan to remove most of the internet-facing zones entirely at the beginning of April.

As a starting point we've added more protection to reduce the impact, in the form of DMARC records to protect the apex domains and prevent the spoofing of domains that don't exist. DMARC records tell the receiving email service what the legitimate senders are for that domain. If an email comes from somewhere else it gets marked as spam.
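How a receiver arrives at a policy for a gsi-family subdomain that has no DMARC record of its own, following the policy discovery steps in RFC 7489, as an added example that is not code from the original post. The record values, the `active` and `legacy` subdomain names and the two-entry public suffix set are constructed for illustration, not the records actually published.

```python
# Constructed sample data: record values and the "legacy"/"active" labels are
# assumptions for illustration, not the published gsi.gov.uk records.
PUBLIC_SUFFIXES = {"uk", "gov.uk"}  # minimal stand-in for the Public Suffix List
TXT_RECORDS = {
    "_dmarc.gsi.gov.uk": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.active.gsi.gov.uk": "v=DMARC1; p=quarantine",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def organizational_domain(domain):
    """Longest public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def effective_policy(from_domain, records=TXT_RECORDS):
    """Return (policy, record_owner) a receiver applies to a From: domain."""
    from_domain = from_domain.lower().rstrip(".")
    own = parse_dmarc(records.get("_dmarc." + from_domain, ""))
    if own:
        return own.get("p", "none"), from_domain
    org = organizational_domain(from_domain)
    inherited = parse_dmarc(records.get("_dmarc." + org, "")) if org != from_domain else None
    if inherited:
        # Subdomains use sp= when present, otherwise fall back to p=.
        return inherited.get("sp", inherited.get("p", "none")), org
    return None, None  # no DMARC policy published anywhere


if __name__ == "__main__":
    for d in ("gsi.gov.uk", "active.gsi.gov.uk", "legacy.gsi.gov.uk", "a.b.gsi.gov.uk"):
        print(d, "->", effective_policy(d))
```

The lookup never queries the subdomain's own A or MX records, which is why the apex record also covers names that do not exist in the zone.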

Timeline for changes

  1. At the end of January 2023 we updated the DMARC records to block email from any domain without its own DMARC record.
  2. At the beginning of March we suspended domains in the internet-facing zones for 72 hours to help identify any remaining services.
    Start of suspension: 10am Monday 6th March 2023
    End of suspension: 10am Thursday 9th March 2023
  3. On the 3rd April at 10am we'll permanently remove the internet-facing zones and the domains they contain.

This blog previously stated we would suspend and remove PSN-facing zones in addition to the internet-facing zones. This is no longer the case, although we will review the option to do this in the future.

Most of the domains appear to be dead already, pointing to services that do not exist or reject queries. It is possible there are still some dependencies we don't know about. Email may be being routed through to modern systems to provide continuity for old addresses.

What to do if you think you have gsi-family domains

If you still have one of these domains and it still works for email, start rejecting inbound email. You can also choose to include a bounce-back message giving senders the correct address. The domain will be removed at the beginning of April, so it would be good to give anyone still using it some notice.

You should also check public-facing websites or documentation for mentions of gsi-family domains and remove them.

We have identified a small number of domains that are operating internet-facing services that can't yet migrate to a new domain. We have excluded these domains from the suspension and removal process.

If you have a domain you think you will need beyond the beginning of April, get in touch with us now at support@domains.gov.uk so we can work out a solution.

If you have a domain that has been suspended or removed as part of this work and you need it restored, contact Nominet directly on psnsupport@nominet.uk or 01865 332493.
