Request a DNS Change for Offsite Hosting

How to Request a DNS (Domain Name System) Change for a Site Hosted on Pantheon

In order for your domain (URL) to work on your Pantheon site, you will need to request to add a new "hostname" (domain/URL) via the Socreg application: 

https://socreg.berkeley.edu/

Before requesting a new offsite hostname, you will need to complete the process to be registered as a "Security Contact" if you have not already done so. Offsite hostnames can be requested via Socreg's "New Offsite Hostname" form. 

If you need help using the Socreg (previously known as NetReg) application, please contact the Socreg team at socreg@berkeley.edu.

Security Contacts

Security Contacts are added as departments in the Socreg application. If you have not yet used the Socreg application or registered a Security Contact, you will need to complete the process through the "Asset/Access Requests" interface. Navigate to "Access/Access Requests" in the left sidebar menu of the Socreg application, then select either "Membership Request" or "New Department Request":

• if a Security Contact already exists and you need to be added to it, select "Membership Request."
• if a Security Contact does not exist, select "New Department Request."

If you have used the Socreg application before, you will not need to request access; instead, you will see your Security Contact(s) on the Socreg dashboard after logging in (under the "Security Contacts" tab). 

See the Basic Socreg Functions and Use Cases and Security Contacts pages on the Information Security Office website for more information. 

Offsite Hostname Form and Process

The "New Offsite Hostname" request can be found in either of the following locations in the left sidebar menu of the Socreg application:

• under "My Assets" (select "My Assets," then select "New Offsite Hostname"); and/or
• under your Security Contact record (select "Security Contacts," select your security contact, select the "Offsite Hostnames" tab, then select "New Offsite Hostname"). 

If you do not see the "New Offsite Hostname" option as described above, then you may need to register as a Security Contact (see above) in the Socreg application before proceeding. 

See Offsite Hostnames on the Information Security Office website for more information.

How to Fill Out the Offsite Hostname Form

• Offsite Hostname: "EXAMPLE.berkeley.edu."
  • Replace the above with your hostname
  • If you will be using more than one hostname per site: Once the primary hostname has been submitted and registered, email socreg@security.berkeley.edu to add additional hostnames to the same record. 
• Description: Basic description of website. 
• The Hosting Service: Pantheon
• Okay to Scan: Check the box
• Data Protection Level: You must select "Protection Level P1." The other available data protection levels are not allowed on Pantheon.
  • See "Protected Data Classification" below for more information.
• Hosting Service IP: Leave blank.
• Canonical Name: The live canonical Pantheon domain, e.g. "live-EXAMPLE.pantheonsite.io".
  • See "Provide A Record Information" below for information on how to find your "canonical domain"
• Notes to DNS Administrator: Enter the necessary DNS (Domain Name System) details.
  • See "Additional DNS Instructions" below for more information. 

After Submitting the Form

Once your request is approved, it will be passed to the campus DNS Administrator, and a ticket will be opened. The DNS changes will happen once the DNS Administrator processes your ticket. You may ask the DNS Administrator to schedule the DNS changes for a specific date if you provide advance notice (at least one week; see "Additional DNS Instructions" below). You will receive an email from the DNS Administrator once the DNS changes have been made, or if the changes have been scheduled. 

The DNS Administrator may have some questions before the DNS change can occur. See Special topics for Pantheon sites for information on possible DNS issues.

Protected Data Classification

Sites on Pantheon cannot include protected data. A breakdown of the Data Classification Levels can be found on the Security website. All websites on Pantheon can only host data classified as "Protection Level P1".

• If you have data that falls into the "Protection Level P2" or "Protection Level P3" category, you may still use Pantheon, and host the data on Box or Drive instead. The data can be uploaded to Box or Drive, and then you can restrict access to the document(s) accordingly, and then link to the document(s) from your Pantheon website.
• If you have data that falls into the "Protection Level P4" category,  please consult the Information Security Office (security@berkeley.edu) on possible options for hosting P4 data. CalShare is approved for P4 data. 

Additional DNS Instructions (for a new site)

Note: If you are launching a new site on Pantheon, and the production domain(s) are already pointed to a different site on Pantheon, please see Moving Your Domain from Pantheon site to Another.

Domains on Pantheon should be A records. This is recommended due to Pantheon's platform configurations. However, CNAMEs should continue to work.

Provide A Record Information

You will need to create your live environment on Pantheon and know the "canonical domain," or "platform domain," for your site.

The canonical domain will look like the below URL with your Pantheon site name in place of "EXAMPLE":

live-EXAMPLE.pantheonsite.io

In the above URL, "EXAMPLE" is the same Pantheon site name that can be found in your Dev and Test environment Pantheon URLs (e.g., test-EXAMPLE.pantheon.berkeley.edu) as well. 

Once you create your live environment and Pantheon and know your canonical domain (as described above), run the following terminal command in a terminal window:

$ host live-EXAMPLE.pantheonsite.io

You should then see the following in your terminal window:

$ host live-EXAMPLE.pantheonsite.io
live-EXAMPLE.pantheonsite.io is an alias for fe0.edge.pantheon.io.
fe0.edge.pantheon.io has address 23.nnn.nnn.nnn
fe0.edge.pantheon.io has IPv6 address nnnn:nna:nnn0::n
fe0.edge.pantheon.io has IPv6 address nnnn:nna:nnn1::n

In the "Additional Notes to DNS Administrator" field in the Socreg Offsite Hosting form, include the following information (replacing EXAMPLE.berkeley.edu with your real production hostname):

Please configure the following DNS records for EXAMPLE.berkeley.edu:

A record pointing to 23.nnn.nnn.nnn
AAAA record pointing to nnnn:nna:nnn0::n
AAAA record pointing to nnnn:nna:nnn1::n

Launch Date/Timing

If you have a specific launch date in mind (a day when the changes should be effective in the campus DNS), you can ask for it in the "Notes to DNS Administrator" box.

You should plan ahead if you have a specific launch date in mind. The DNS Administrator's ticket queue can be long, so DNS requests can take up to a week or more to complete. Asking for a quick turnaround (e.g., submitting the Offsite Hostname and asking for the DNS cutover to happen the next day) will not work, as it won't give the Socreg team and the DNS Administrator enough time to process your submission.

Add "www" Domains

If you also want to use a "www" record, e.g. www.EXAMPLE.berkeley.edu, you have to specifically request it here as an additional note to the DNS Administrator (e.g., "please include the www version of this domain").

Old (Deprecated) Information about CNAMEs

Previously, CNAMEs were recommended for all domains on Pantheon, unless the domains had specific requirements. A records are now recommended for all domains on Pantheon, due to Pantheon's platform configurations. 

CNAMEs should continue to work on Pantheon. If necessary, here are the instructions for requesting a CNAME:

• Follow the above instructions (under "Provide A Record Information") for finding your site's "canonical domain" (e.g., live-EXAMPLE.pantheonsite.io).
• Enter the following in the "Notes to DNS Administrator" text box:

"This should be a CNAME to live-EXAMPLE.pantheonsite.io". (Replace the EXAMPLE URL with your canonical domain.)