Master Domain Register
UCCA Knowledge Base | Infrastructure | DNS & Security
Version 3.0 | Audited 2026-03-06 | Terraform repo: uccaonline/ucca-infra @ 3b274b8
Auth codes NOT stored here — retrieve from registrar accounts (Porkbun / VentraIP / Cloudflare Registrar)
ACTION REQUIRED
- ucca.com.au — INVALID REGISTRANT — expires 2026-03-24. Enable auto-renew and resolve auDA registrant issue immediately.
- ucca.asia — expires 2026-03-24 (18 days). Renew immediately at Porkbun.
1. DNS & Registrar Account Structure
All 7 active UCCA zones use Cloudflare for DNS management. Two Cloudflare accounts maintain separation between investor-visible infrastructure and personal/legacy assets.
| Cloudflare Account | Domains | Terraform Managed | Purpose |
|---|---|---|---|
| UCCA (current) | ucca.online, ucca.com.au, ucca.au, rtopacks.com.au, ucca.asia, ucca.college, ucca.live | Yes — ucca-infra repo | Investor-visible platform infrastructure |
| Tim Personal (to create) | webhost., 5star., ibackup., imonitor., rignold.com, skaterboy.com, foreskin.net etc. | No — dashboard only | Personal and legacy assets — kept separate from UCCA |

| Registrar | Domains | Auth Code Location | Notes |
|---|---|---|---|
| Cloudflare Registrar | ucca.online (transfer in progress as of 2026-03-06) | Cloudflare dashboard | Transfer from Namecheap initiated 2026-03-06. Auto-manages DNSSEC DS records post-transfer. |
| Porkbun | ucca.asia, ucca.college, ucca.live, shopucca.com, ucca.university | porkbun.com account | Porkbun API enabled. DS records submitted via API 2026-03-06. |
| VentraIP (AU) | ucca.com.au, ucca.au, rtopacks.com.au, rtopacks.site | ventraip.com.au account | Required for .au namespace — cannot move to Cloudflare Registrar. DNSSEC auto-managed via CF NS delegation. |
| Namecheap | ucca.online (departing) | Namecheap account | Transfer to Cloudflare Registrar initiated 2026-03-06. EPP approved. ETA 5-7 days. |
2. Security Baseline — All 7 Zones
The following controls are applied uniformly across all 7 UCCA Cloudflare zones as of the 2026-03-06 audit. All settings are Terraform-managed in uccaonline/ucca-infra.
| Control | Setting | Status |
|---|---|---|
| DNSSEC | DS record algorithm 13 (ECDSAP256SHA256), digest type 2 (SHA-256), key tag 2371 | 7/7 Active |
| CAA Records | 5 records: issue letsencrypt.org + digicert.com + pki.goog, issuewild ";", iodef admin@ucca.online | 7/7 Complete |
| SSL/TLS Mode | Full (Strict) — validates full cert chain | 7/7 Applied |
| HSTS | max-age=63072000 (2yr), includeSubDomains, preload, nosniff | 7/7 Applied |
| Always Use HTTPS | On | 7/7 Applied |
| Min TLS Version | 1.2 | 7/7 Applied |
| TLS 1.3 | On | 7/7 Applied |
| Automatic HTTPS Rewrites | On | 7/7 Applied |
| Browser Integrity Check | On | 7/7 Applied |
| Brotli Compression | On | 7/7 Applied |
| Opportunistic Encryption | On | 7/7 Applied |
| Security Level | Medium | 7/7 Applied |
3. Zone Detail — DNS & Email Security
3.1 ucca.online

| Field | Value |
|---|---|
| Registrar | Cloudflare Registrar (transfer from Namecheap in progress — initiated 2026-03-06) |
| DNS Provider | Cloudflare — zone ID 7fa71c... |
| Expiry | 2027-11-11 |
| Entity | UCCA Inc (US) — Delaware C-Corp |
| DNSSEC | Active — DS 2371 13 2 propagated |
| CAA | PASS — 5 records |
| DMARC | p=reject; rua=admin@ucca.online; ruf=admin@ucca.online; fo=1 |
| SPF | v=spf1 include:_spf.google.com include:relay.mailchannels.net ~all |
| DKIM Selectors | mx._domainkey (MailChannels), resend._domainkey (Resend/SES) |
| MX / Mail Provider | Google Workspace — aspmx.l.google.com (priorities 1/5/5/10/10) |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | Google DKIM (google._domainkey) not set — generate in Google Workspace Admin |
3.2 rtopacks.com.au

| Field | Value |
|---|---|
| Registrar | VentraIP (Synergy Wholesale) — .au namespace, permanent |
| DNS Provider | Cloudflare — zone ID eb4469... |
| Expiry | 2027-02-20 — check VentraIP dashboard |
| Entity | United Central Colleges of Australia Pty Ltd (ABN 59 168 872 535) |
| DNSSEC | Active — DS 2371 13 2 auto-activated via VentraIP/CF NS |
| CAA | PASS — 5 records |
| DMARC | p=reject; rua=admin@rtopacks.com.au; ruf=admin@rtopacks.com.au; fo=1 |
| SPF | v=spf1 include:_spf.google.com ~all |
| DKIM Selectors | google._domainkey (Google Workspace), resend._domainkey (Resend/SES) |
| MX / Mail Provider | Google Workspace — ASPMX.L.GOOGLE.COM (priorities 1/5/5/10/10) |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | None — fully hardened |
3.3 ucca.com.au — AU Corporate Surface
| Field | Value |
|---|---|
| Registrar | VentraIP — INVALID REGISTRANT STATUS — expires 2026-03-24 |
| DNS Provider | Cloudflare — zone ID 76daed... |
| Expiry | 2026-03-24 — 18 DAYS — URGENT |
| Entity | United Central Colleges of Australia Pty Ltd (ABN 59 168 872 535) |
| DNSSEC | Active — DS 2371 13 2 auto-activated via VentraIP/CF NS |
| CAA | PASS — 5 records |
| DMARC | p=reject; rua=admin@ucca.online — missing ruf and fo=1 |
| SPF | v=spf1 include:_spf.google.com ~all |
| DKIM Selectors | google._domainkey (Google Workspace) |
| MX / Mail Provider | Google Workspace — aspmx.l.google.com (priorities 1/5/5/10/10) |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | P0: Fix invalid registrant at VentraIP (auDA compliance — ABN/contact). P0: Enable auto-renew. Medium: Add ruf + fo=1 to DMARC. |
3.4 ucca.au — Redirect Domain
| Field | Value |
|---|---|
| Registrar | VentraIP — purchased 2026-03-05 |
| DNS Provider | Cloudflare — zone ID 8a0095... |
| Expiry | 2027-03-05 — check VentraIP dashboard |
| Purpose | 301 redirect to ucca.com.au — purchased to unblock Meta AU business verification |
| Entity | United Central Colleges of Australia Pty Ltd (ABN 59 168 872 535) |
| DNSSEC | Active — DS 2371 13 2 auto-activated via VentraIP/CF NS |
| CAA | PASS — 5 records |
| DMARC | p=reject; rua=admin@ucca.online — missing ruf and fo=1 |
| SPF | v=spf1 -all (hard fail — non-mail domain) |
| DKIM Selectors | None — correct for non-mail domain |
| MX / Mail Provider | None — correct for redirect-only domain |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Redirect Rule | 301 ucca.au + www.ucca.au → https://ucca.com.au (active, ruleset f233729b — dashboard only, not Terraform-managed) |
| Meta Verification | TXT: facebook-domain-verification=9buux843m91f1h1kaaac6sh5p5wfez — confirmed live |
| Outstanding | Low: Terraform-manage redirect ruleset when CF resolves Zone WAF token permission. Medium: Add ruf + fo=1 to DMARC. |
3.5 ucca.asia — Parked / Secondary
| Field | Value |
|---|---|
| Registrar | Porkbun — EXPIRES 2026-03-24 (18 DAYS) — RENEW IMMEDIATELY |
| DNS Provider | Cloudflare — zone ID f70298... |
| Expiry | 2026-03-24 — URGENT |
| Purpose | Brand protection / future APAC market |
| DNSSEC | Active — DS submitted via Porkbun API 2026-03-06, propagating |
| CAA | PASS — 5 records |
| DMARC | p=none; rua=admin@ucca.online; ruf=admin@ucca.online; fo=1 — consider upgrading to p=reject (non-mail) |
| SPF | v=spf1 -all (hard fail — non-mail domain) |
| DKIM Selectors | None — correct for non-mail domain |
| MX / Mail Provider | None — non-mail domain |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | URGENT: Renew at Porkbun before 2026-03-24. Medium: Upgrade DMARC to p=reject. |
3.6 ucca.college

| Field | Value |
|---|---|
| Registrar | Porkbun — $52.01/yr renewal |
| DNS Provider | Cloudflare — zone ID 76c68d... |
| Expiry | 2027-01-23 |
| Purpose | Legacy — had full SaaS stack (Shopify, Freshdesk, Freshworks, Mailgun, Google Workspace, Mailchimp). Facebook page attached. |
| DNSSEC | Active — DS submitted via Porkbun API 2026-03-06, propagating |
| CAA | PASS — 5 records |
| DMARC | p=none; rua=admin@ucca.online; ruf=admin@ucca.online; fo=1 |
| SPF | v=spf1 include:mailgun.org include:_spf.google.com ~all — Mailgun may no longer be active |
| DKIM Selectors | krs._domainkey (Mailgun), k2+k3._domainkey (Mailchimp) — Google DKIM not configured |
| MX / Mail Provider | Google Workspace — aspmx.l.google.com (active email on @ucca.college) |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | Medium: Audit active services — is Mailgun still in use? If not, remove from SPF. Configure Google DKIM. Upgrade DMARC to p=reject if non-mail. Expensive renewal — review before 2026-10. |
3.7 ucca.live — Secondary Domain
| Field | Value |
|---|---|
| Registrar | Porkbun — $26.26/yr renewal |
| DNS Provider | Cloudflare — zone ID a49c43... |
| Expiry | 2027-01-23 — confirm in Porkbun dashboard |
| Purpose | Active Google Workspace MX present — someone using @ucca.live email |
| DNSSEC | Active — DS submitted via Porkbun API 2026-03-06, propagating |
| CAA | PASS — 5 records |
| DMARC | p=none; rua=admin@ucca.online; ruf=admin@ucca.online; fo=1 |
| SPF | v=spf1 include:_spf.google.com ~all — should be -all if not sending |
| DKIM Selectors | None — Google DKIM not configured despite active MX |
| MX / Mail Provider | Google Workspace — aspmx.l.google.com (priorities 1/5/5/10/10) |
| SSL/TLS | Full (Strict) |
| HSTS | 2yr, includeSubDomains, preload, nosniff |
| Outstanding | Medium: Identify who uses @ucca.live email before any decisions. Configure Google DKIM if mail active. Upgrade DMARC to p=reject if non-mail. |
4. Zone Comparison Matrix
| Zone | DNSSEC | CAA | DMARC Policy | SPF | DKIM | MX | SSL | HSTS |
|---|---|---|---|---|---|---|---|---|
| ucca.online | Active | 5/5 | reject (no Google DKIM) | ~all | 2 selectors, no google | GWS | Strict | 2yr |
| rtopacks.com.au | Active | 5/5 | reject | ~all | 2 selectors | GWS | Strict | 2yr |
| ucca.com.au | Active | 5/5 | reject, no ruf/fo | ~all | google | GWS | Strict | 2yr |
| ucca.au | Active | 5/5 | reject, no ruf/fo | -all | N/A | none | Strict | 2yr |
| ucca.asia | Prop. | 5/5 | none → p=reject? | -all | N/A | none | Strict | 2yr |
| ucca.college | Prop. | 5/5 | none, legacy stack | mailgun? | no google | GWS | Strict | 2yr |
| ucca.live | Prop. | 5/5 | none, no DKIM | ~all not -all | missing | GWS | Strict | 2yr |
5. Outstanding Actions
| Priority | Action | Domain | Owner | Deadline |
|---|---|---|---|---|
| P0 URGENT | Enable auto-renew + fix invalid registrant (auDA ABN/contact compliance) | ucca.com.au | Tim — VentraIP | TODAY |
| P0 URGENT | Renew domain — 18 days to expiry | ucca.asia | Tim — Porkbun | 2026-03-20 |
| P1 High | Generate Google DKIM in Google Workspace Admin | ucca.online | Tim + Alex | This week |
| P1 High | Identify who uses @ucca.live — decide: keep MX + configure DKIM, or remove MX | ucca.live | Tim | This week |
| P1 High | Approve/confirm ucca.online registrar transfer at Namecheap | ucca.online | Tim — Namecheap | 2026-03-11 |
| P2 Medium | Add ruf + fo=1 to DMARC on ucca.com.au and ucca.au | ucca.com.au, ucca.au | Alex — Terraform | This week |
| P2 Medium | Audit ucca.college — is Mailgun still active? Remove from SPF if not. Configure Google DKIM. | ucca.college | Tim + Alex | Before 2026-10 |
| P2 Medium | Upgrade DMARC to p=reject on ucca.asia, ucca.college, ucca.live if confirmed non-mail | ucca.asia, ucca.college, ucca.live | Alex — Terraform | After mail audit |
| P2 Medium | After ucca.online transfer completes: uncomment Terraform resource, add Registrar permission, terraform import | ucca.online | Tim + Alex | Post transfer |
| P3 Low | Terraform-manage ucca.au redirect ruleset when CF resolves Zone WAF permission gap | ucca.au | Alex — Terraform | When CF fixes |
| P3 Low | Evaluate ucca.university renewal ($49.95/yr, auto-renew OFF, expires 2026-05-16) | ucca.university | Tim — Porkbun | 2026-04-16 |
| P3 Low | Create Tim personal Cloudflare account — migrate personal domains off nameserver.net.au | Personal domains | Tim | Ongoing |
6. SOC 2 Relevance
The DNS security controls implemented in this session map to several SOC 2 Trust Service Criteria.
| SOC 2 Criteria | Control | Evidence |
|---|---|---|
| CC6.1 — Logical access controls | DNSSEC on all 7 zones | Prevents DNS hijacking and cache poisoning |
| CC6.1 — Logical access controls | CAA records — 5 per zone | Restricts SSL cert issuance to approved CAs only |
| CC6.6 — Security against threats | DMARC p=reject on primary domains | Prevents email spoofing and phishing |
| CC6.6 — Security against threats | SPF on all zones | Authorises legitimate mail senders |
| CC6.6 — Security against threats | DKIM on active mail domains | Cryptographic signing of outbound email |
| CC6.7 — Transmission encryption | TLS 1.2 minimum + TLS 1.3 enabled | Enforces modern encryption for all connections |
| CC6.7 — Transmission encryption | HSTS 2yr + preload on all zones | Forces HTTPS permanently |
| CC6.7 — Transmission encryption | SSL Full Strict on all zones | Full cert chain validation on origin |
| CC7.2 — Monitoring for threats | DMARC rua/ruf reporting | Aggregate and forensic DMARC reports |
| CC9.1 — Risk mitigation | Terraform IaC for all DNS | All security controls declared as code, version controlled |
Note
SOC 2 certification requires a full audit by an accredited CPA firm covering all Trust Service Criteria. DNS security controls are necessary but not sufficient.
Version History
| Version | Date | Change | Author |
|---|---|---|---|
| 1.0 | 2026-03-11 | Converted from domain-register-v3.0.docx | Claude Code |