Reading the documentation at https://confluence.atlassian.com/cloud/domain-verification-873871234.html I understand that Atlassian wants to make sure that we still own the domain thus the periodic verification of the DNS TXT record.
The way I see it is if someone would take over the domain for whatever reason, being malicious they could just set the same DNS TXT record we have at the moment. As of this, I do not really understand what problem the recurring domain verification solves.
At the same time, requiring the DNS TXT record to include the Atlassian token allows attackers to identify what 3rd party services we use and try to target those or, simply use the information for social engineering. E.g. if they figure out we use Atlassian services they may try to send malicious emails to employees pretending to be Atlassian, asking employees to change their password on a fake site. (so they can steal credentials)
I guess the question is: what problem(s) the recurring domain verification is intended to solve? The documentation does not really go into details. What attack scenarios were considered? What is the likelihood of those attacks to be successful compared to the scenario I have outlined above?
The verification of domains is really only important if you want to enforce a password policy, or use SAML for authentication. If you are not interested in either of these functions, then it isn't required to do this.
However if you do verify your domain, it also opens up the ability for you to manage those user accounts. Previously all accounts in the Cloud were personal accounts. But if the domain is verified, then the user accounts under that domain become managed.
Administer Atlassian accounts - has a good breakdown of what this means and how it differs between the different ways accounts can be handled.
I'm sorry this doesn't directly address your questions on attack scenarios, but I hope this information helps explain what this feature is supposed to do.
Please also see:
I am the JIRA Admin for our company account and I have been receiving emails that our domain verification has failed. The documentation that the email refers to no longer exists on your support site. Can you please redirect me to the updated link?
Here is the link from the email
Thanks for mentioning this problem.
It looks like there was a problem with that page. I was able to get some help internally and I believe that this page has been updated at this point to contain more clear instructions on how to verify your domain.
At this time, https://confluence.atlassian.com/cloud/domain-verification-873871234.html should be visible to everyone and have instructions on how to verify a domain. If you continue to have problems with this, perhaps you can create a new question with more details about your specific problem.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot