Domain names registration and management standard

Document type:

Standard

Version:

Final v4.0.0

Status:

CurrentMandated

Effective:

October 2025–current

Security classification:

OFFICIAL-Public

Category:

Digital capability

Introduction

Purpose

A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government agencies on the mandatory and recommended practices for a given topic area. They are intended to help departments and agencies understand the appropriate approach to address an issue or to undertake a task. Unlike a guideline, which is best practice advice, a QGEA standard is mandatory and is enforced by policy. This standard should be read in conjunction with the Domain names policy.

Agencies should review the applicability of the Digital services policy when registering domains.

Audience

This document is primarily intended for any of the following:

• agency chief information officers
• agency ICT operational management and staff
• agency staff maintaining websites.

Scope

This standard applies to the registration and management of all ‘qld.gov.au’ domains for internal (government only) and external use (public), for any purpose, i.e. website access, applications and systems.

The following are out of scope of the current standard:

• email addressing (refer to Email domain security guideline)
• .edu.au domains which are administered under the Education Services Australia domain name .edu.au policies
• information relating to website content management (refer to Digital services policy).

Applicability

This standard applies to all Queensland Government agencies. Statutory authorities and local government entities are eligible to register a qld.gov.au domain name if they desire but are not required to do so. If they do wish to register a government domain, they are required to adhere to this standard.

Roles and responsibilities

The Australian Government Department of Finance (DoF) is the delegated authority for Australian Government domains.

Domain name registration requests are lodged through DoF’s domain name registration website. DoF automatically forwards the request to the domain provider (qld.gov.au) for assessment and potential registration.

Queensland Government domain delegate

In accordance with the governance framework of the .gov.au domain administration, a single agency in each jurisdiction (state or territory), known as the domain provider, has the delegated authority to assess individual domain name applications for that jurisdiction. The Queensland Government domain provider is the Department of Customer Services, Open Data and Small and Family Business and contact information is available at domainname.gov.au.

Agencies (Registrants)

Each agency must develop procedures in support of this standard. Agency procedures must nominate an authorised agency officer or position (e.g. IT Manager), to be registered with the Queensland Government domain provider. The nominee will be registered as the registrant contact in the domain name system (refer to registrant contact criteria below).

Where an agency uses a federated approach for domain management, a contact for each area/division must be nominated. That contact will become the registrant for that area/division.

• Agency procedures must provide for proactive management of domain names including maintaining a full list of all domain names and their expiry dates (e.g. qld.gov.au, .au, .com.au etc) which are held by the agency. This includes managing the impact on domain names after a machinery-of-government change, particularly where a domain is to be transferred to another agency.
• Agencies must put in place procedures to ensure domain name registries are updated with the contact details of authorised registrant and technical account holders when they change.
• Agencies must regularly review the continued requirement for domain names on their list as per the Information and cyber security policy (IS18) for protection of all information, application and technology assets.

Agencies can extend this standard for use within their agency but must not at any time conflict with the specifications marked as must or required in this document.

Registrant contact criteria (Individual submitting the application)

The registrant contact must be an employee of the registrant organisation and shall certify, through their acceptance of the registrant agreement, that the chief executive officer or delegate has approved the submission of the domain name application on behalf of that organisation.

In exceptional circumstances:

• the chief executive officer, or delegate, of the registrant may delegate authority for a third party to act on their behalf as registrant contact
• the domain provider may, at their discretion, act as registrant contact for domain names within their jurisdiction.

Technical contact criteria

The registrant contact may nominate a third party, such as a service provider, to act as the technical contact for a domain name.

Pre-registration considerations

Internal agency approvals

Applications for domain name registration must only be made once the relevant internal agency procedures for consultation and approval have been achieved.

Internal agency approvals for new domain names must also be in accordance with any relevant government policies regarding provision of online services and consolidation of websites; including, but not limited to, the Principles for the use of service delivery channels.

Before requesting a new Queensland Government domain name, agencies must consider if the content can be published on an existing website. Use this checklist to assess the business requirements (ForGov login is required).

Agencies must defer purchase of advertising and collateral until after the domain name has been approved and registered.

Choice of domains

Domain names registered by Queensland Government agencies must be in the .qld.gov.au domain space.

However, there are reasons why domain names may also be registered in other domain name spaces, e.g. .com.au, .org.au, .au etc.  Refer to Other domains for further information.

In cases where registration under non-government or education domains is for protection against cybersquatting, agencies should consider both of the following issues in deciding which domain names to register:

• Level of risk (i.e. likelihood and impact) from cybersquatting:
  Is the level of risk high enough to warrant protection? (Note: this should be assessed in accordance with the agency's risk management procedures.)
• Variations of the name to be registered:
  When determining what domain names to register, a name cannot be registered if it is identical to one already registered. Therefore, consideration should be given to both of the following:
  • registering the name under several different domain spaces (i.e. .au, .com, .net, .org, .com.au, .net.au, .org.au.)
  • registering variations of the name, including common misspellings.

Selecting government domain names

When selecting domain names in the qld.gov.au space, agencies must ensure the following:

• the names adhere to the DoF Eligibility and allocation policy and Choosing a domain name guideline
• names in the form of acronyms are not also the name of a more broadly recognised international organisation or company (e.g. oecd.qld.gov.au), or could apply to multiple organisations (e.g. bpa.qld.gov.au for the Bundaberg Port Authority and the Beach Protection Authority)
• names preceding the states suffix do not contain the state suffix (e.g. ecommerceqld.qld.gov.au)
• domain names for local government authorities be consistent across Queensland, and ideally across Australia - the following examples show the accepted convention: sunshinecoast.qld.gov.au, scenicrim.qld.gov.au and brisbane.qld.gov.au.

Trademarks

When seeking to register a domain name, consideration may be given to whether the chosen name should also be registered as a trademark. A registered trademark can offer greater protection against unauthorised use.

Further information on trademark registration can be obtained from IP Australia and professional legal advice should be sought if a decision is taken to register a trademark.

Registration procedure for .qld.gov.au domain

After the agency’s consultation and approval process is complete and has received internal approval, the authorised agency officer should submit the domain name registration request directly at www.domainname.gov.au where the domain name:

• being requested is the primary agency domain name (e.g. for new departments/agencies created as part of machinery-of-government changes and where the domain name is to be used for system or email purposes)
• is for an IT service or system (for example where a domain name is for email use or payroll system)
• is for a specific function of a government agency (e.g. women, parks)
• is for a government commission of inquiry or review
• is for a statutory authority, government owned corporation or council
• is for cross-jurisdictional projects or services. Agencies should ensure where the domain name request is for cross-jurisdictional purposes, this information is included in the stated purpose section when submitting the domain name application.

Where a new domain name is desired for a campaign or program website, approval must be sought from Queensland Online by submitting the web site request form (ForGov login is required).

Queensland Online will inform the domain provider (qld.gov.au) if they have approved the request. The authorised agency contact must submit the domain name registration request online at https://www.domainname.gov.au/.

If the domain name requested does not meet the policy requirements, the domain provider (qld.gov.au) has the right to decline a domain name registration request.

A full description of why the domain name is required should be included in the stated purpose section of the domain name registration request form. A detailed explanation of all fields is provided on the electronic form, and further information can be accessed on auDAs help page.

Registrant and Technical contact Information provided in the DoF template will be publicly available on the internet once the registration request has been processed. The status of an existing domain name can be checked using WHOIS.

Default domain configuration upon activation

Some domain names are registered purely to prevent other parties from registering that domain, in which case they remain in the state known as “EPP Inactive” as they have no associated domain server.

All domain names registered by Queensland Government entities that become active must have basic default Domain Name System (DNS) configurations applied. This will ensure domains are not used by malicious or unauthorised parties for email spoofing purposes. This should apply to all domains, not just .qld.gov.au or .qld.edu.au domains.

For domains that will not be used to send emails, the following entries must be made in the domains DNS. In the examples given below the domain name is “agencydomain.qld.gov.au”, which should be replaced with the domain name being registered.

• agencydomain.qld.gov.au IN TXT "v=spf1 –all"
• *.agencydomain.qld.gov.au IN TXT "v=spf1 –all"
• _dmarc.agencydomain.qld.gov.au IN TXT "v=DMARC1; p=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgovforensic@qld.gov.au"

The Queensland Government Cyber Security Unit (QGCSU) can provide further details and assistance if required. By way of explanation, the first two lines ensure no email servers are permitted for sending emails from the domain or any subdomains that may be created. The third entry establishes a DMARC=reject policy for the domain along with reporting of email delivery so that agencies may monitor the domain for any issues with email delivery or spoofing attempts. QGCSU can provide access to a DMARC analysis and monitoring tool at no charge to facilitate this monitoring.

For new domains that are to be used to send emails, the following DNS entry should be made. This will enable reporting of email DMARC compliance, which can then be used to configure appropriate SPF and DKIM records as the email services are established. Again, the QGCSU provided DMARC analysis and monitoring tool can assist with this.

• _dmarc.agencydomain.qld.gov.au IN TXT "v=DMARC1; p=none; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgovforensic@qld.gov.au”

For more information on DMARC related configuration, training, or assistance, contact CyberSecurityUnit@qld.gov.au.

Maintaining domain name registrations

Domain names in the .qld.gov.au space and those in the .au space (managed by CITEC), are automatically renewed every 12 months. No invoices or reminders are sent to domain owners.

Decision making for fourth level domain management (e.g. health.qld.gov.au, transport.qld.gov.au) and their subdomains, is the responsibility of individual agencies.

A decision must be made prior to the domain expiry date as to whether the domain name registration should be renewed. Authorised agency contacts can request a report of their .qld.gov.au domains and expiry dates by contacting dna@qld.gov.au.

Automatic domain renewal does not apply to commercially registered domains (i.e. .com.au; .org.au etc.). In those cases, renewal is addressed by the agency with their service provider.

Deleting domains

Agencies must review all existing domains on an annual basis and make an assessment as to whether these domains are still required.

Agencies are individually responsible for organising any period of remapping or redirection from old domain names which may be necessary prior to the deletion of the name in question.

Where a domain name is no longer needed, the domain zone file should be deleted from the DNS by the service provider who hosts the zone file prior to the online domain name deletion request form being submitted.

A deletion request can be made by either sending an email to dna@qld.gov.au or by submitting a DoF domain deletion request form.

Domain deletion considerations

Consideration should be given to:

• whether the system, project or slogan is still current
• what level of goodwill is held in the domain name
• the level of perceived risk in relinquishing the domain name.

Agencies should develop a content transition plan to guide the steps needed during decommissioning. This could include content, domain names, DNS, certificates, emails, redirects. It could also include migrating the content to www.qld.gov.au if the campaign or program had its own domain.

Domain names ownership and contact details

If agencies contract or deal with third parties, contracts must stipulate that ownership of domain names that arise out of, or that may be registered in relation to such dealings, is retained by the State.

The agency should always be listed as the registrant organisation, with the registrant account contact being from the agency. Technical contact details can be from an external internet service provider.

A registered domain name can carry significant value, and this arrangement should clearly be reflected in the relevant contract or agreement between the parties. Professional legal advice should be sought in this respect.

Agencies must put in place procedures to ensure domain name registries are updated with the contact details of new responsible account holders when they change.

Transferring domain names

There may be circumstances where it will be necessary to transfer a registered domain name to another party. For example, a machinery-of-government change may transfer an area of responsibility, from one department to another. Where this applies, the change of contact details form which is available on the DoF Domain name website should be submitted or send an email to dna@qld.govau. The request for transfer can be submitted by either party.

When this occurs, all contact and ownership details must be updated in the relevant databases and registries.

Dispute resolution for qld.gov.au domains

Under the government domain registration process, an applicant, in lodging the request for a name, asserts they have a right to the requested name. The process only assesses the domains compliance with qld.gov.au and gov.au policies. It is the applicant’s responsibility to determine if they have the legal right to a name.

In the case of conflicting name requests between an applicant and an existing .gov.au domain name registration, in the first instance the parties concerned (applicant and existing registrant) should attempt to resolve the matter, and report to the domain provider (qld.gov.au) if the resolution includes a change of registration details.

Should a dispute not be able to be resolved between the parties, this should be reported to the domain provider (qld.gov.au) for further consultation and mediation.

If the domain provider (qld.gov.au) declines to register a requested name and the requesting agency wishes to appeal, in the first instance this should be directed back to the domain provider (qld.gov.au).

If the appeal remains unresolved at this level and if further action is desired, then agencies should either:

• follow the QGEA exception process, if rejected on the basis of Queensland policy
• approach DoF as the administrator of the .gov.au domain if rejection is based on DoF policy.

Other domains

Government equivalent names

Registration outside qld.gov.au should only occur when one or more of the following apply:

• a compelling commercial business reason to do so, such as tourism sites (e.g. www.queenslandholidays.com.au) or other organisations that may not be readily recognised as government bodies
• the need to protect against the use of government 'brands' in other domain spaces (e.g. to stop cybersquatting)
  Note: this would only be necessary for high profile or commercially valuable brands and should not be done as a matter of course
• redirecting customers to the correct qld.gov.au site
• a communication strategy aims to target an international audience
• a commercial imperative exists for the site to use other domain spaces
• a collaborative web project exists outside of government.

Registration procedure for names in domains other than qld.gov.au

Registration of names in domains other than qld.gov.au is undertaken directly by the agency with commercial domain name registrars using their normal purchasing process.

Agencies must ensure appropriate approval processes, adhering to the requirements in this standard, surround the decision to obtain a domain name in a domain other than qld.gov.au.

Once a domain name is registered, it must be included in the list of agency-owned domain names maintained by the authorised agency officer/s.

Selecting non qld.gov.au domain names

When seeking to register a proposed domain name, a search of the name must be performed to determine whether the name is available for registration.

When conducting your search, the following tips may assist:

• conduct a general search using an internet search engine (e.g. Google, Bing)
• search the auDA WHOIS database
• search a database from an accredited domain name registration service for registered names (including variations), for example:
  • Domain Name Registrar (Australia)
  • VentraIP
  • MelbourneIT
  • Vodien Australia.
• conduct a search of the trade mark database at the Australian Trade Mark On-line Search System to ensure the domain name you wish to register does not conflict with a trade mark which has already been registered.

If a name is already registered in circumstances where it is likely to constitute cybersquatting, remedial action may be available as outlined below in 'If the requested name in the chosen domain is already registered'.

The fact that a name you wish to register as a domain name is already registered does not necessarily mean cybersquatting has taken place and care should be taken to determine whether its use is legitimate before taking remedial action.

When selecting a domain name where the use of other domain name spaces has been approved by the authorised agency officer, agencies must adhere to auDAs domain name eligibility and allocation policy rules for open second level domains (2LDs) or for generic top level domains refer to the Internet Corporation for Assigned Names and Numbers (ICANN).

Agencies should consider transferring all names in domains other than qld.gov.au to one of those domains if the purpose of the site is not within the scope of the above definitions.

If requested name in the chosen domain is already registered

A determination needs to first be made as to whether the registration constitutes cybersquatting. It will be an agency decision based upon the level of harm that has been caused or may be caused and the level of effort and resources it will take to combat the threat as to whether formal steps are taken to pursue the registered owner of the domain name. If you consider cybersquatting has occurred, seek legal advice about the options below.

If you believe the domain name you wish to register is victim to cybersquatting, you should initially contact the owner to discuss the transfer or cancellation of registration. If that fails, the following provides several courses of action, one of which may be appropriate.

Dispute resolution policy

Both the universal domain names resolution policy (UDRP) and the auDA domain name resolution policy (auDRP) are efficient, and cost-saving means of addressing cybersquatting without resorting to court. The UDRPs jurisdiction is limited to .com, .net or .org domain names, while the auDRPs jurisdiction is limited to Australian subdomains (i.e. .com.au, .net.au or .asn.au etc).

The only remedies available to a complainant from either the UDRP or auDRP are either the cancellation of the domain name or transfer of the domain name to the complainant. A court order is required should the complainant seek damages or any other remedial order.

The protection afforded by the UDRP and auDRP can extend to personal names, despite not being registered trademarks. However, this is in limited circumstances (particularly under the auDRP) and usually only successful for non-business celebrities such as actors and professional sports people, whose names can be said to be used in trade or commerce. Further information is available from the Uniform Domain-Name Dispute-Resolution Policy and the .au Dispute Resolution Policy (auDRP).

Alternate remedies

Alternate remedies may exist either under common law or legislation, such as Competition and Consumer Act 2010 (Cth) and Trade Marks Act 1995 (Cth), to stop or prevent cybersquatting. Agencies should obtain legal advice if cybersquatting is encountered and an agency wishes to instigate legal proceedings. The QGCSU should also be notified.

It is possible to reserve a domain name in the commercial space, so registration of the domain name passes to the new requestor once the current registration expires. In circumstances where a domain name is already registered, reservation of the name should occur to ensure the state obtains the registration, regardless of the outcome of any negotiations or further action regarding the threat of cybersquatting.