Recurring Domain Verification

Hello, 

Reading the documentation at https://confluence.atlassian.com/cloud/domain-verification-873871234.html, I understand that Atlassian wants to make sure that we still own the domain, thus the periodic verification of the DNS TXT record.

The way I see it, if someone were to take over the domain for whatever reason, being malicious, they could just set the same DNS TXT record we have at the moment. Because of this, I do not really understand what problem the recurring domain verification solves.


At the same time, requiring the DNS TXT record to include the Atlassian token allows attackers to identify what 3rd party services we use and try to target those or simply use the information for social engineering. E.g., if they figure out we use Atlassian services, they may try to send malicious emails to employees pretending to be Atlassian, asking employees to change their password on a fake site (so they can steal credentials).

I guess the question is: what problem(s) is the recurring domain verification intended to solve? The documentation does not really go into details. What attack scenarios were considered? What is the likelihood of those attacks being successful compared to the scenario I have outlined above?
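The disclosure concern raised in the question can be measured from the defender's side. The following is an added example, not part of the original post and not Atlassian tooling: it reads TXT records from a zone export you own and lists which service labels the verification records reveal. The zone lines and tokens are constructed, and the `<service>-domain-verification=` / `<service>-site-verification=` naming pattern is an assumption about how such records are commonly written.

```python
import re

# Constructed sample: TXT lines as a zone file export might show them.
# Every token below is a made-up placeholder, not a real verification value.
SAMPLE_ZONE = '''\
example.com. 300 IN TXT "v=spf1 include:_spf.example.net ~all"
example.com. 300 IN TXT "atlassian-domain-verification=" "PLACEHOLDERTOKEN0001"
example.com. 300 IN TXT "google-site-verification=PLACEHOLDERTOKEN0002"
www.example.com. 300 IN A 192.0.2.10
example.com. 300 IN TXT "note: \\"quoted\\" text, no token here"
'''

TXT_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)$', re.I)
CHAR_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Assumed naming pattern: <service>-domain-verification= or <service>-site-verification=
VERIFY = re.compile(
    r'^([a-z0-9]+(?:-[a-z0-9]+)*?)-(?:domain|site)-verification=(.+)$', re.I)


def txt_values(zone_text):
    """Yield (owner, value) for each TXT record, joining multi-string data."""
    for line in zone_text.splitlines():
        m = TXT_LINE.match(line.strip())
        if not m:
            continue  # not a TXT record (A, MX, comments, ...)
        parts = CHAR_STRING.findall(m.group(2))
        # Character-strings within one TXT record are concatenated with no separator.
        value = "".join(re.sub(r'\\(.)', r'\1', p) for p in parts)
        yield m.group(1).lower(), value


def disclosed_services(zone_text):
    """Return sorted (owner, service_label) pairs revealed by verification records."""
    found = set()
    for owner, value in txt_values(zone_text):
        m = VERIFY.match(value)
        if m:
            found.add((owner, m.group(1).lower()))
    return sorted(found)


if __name__ == "__main__":
    for owner, service in disclosed_services(SAMPLE_ZONE):
        print(f"{owner} publicly discloses use of: {service}")
```

The output is an inventory of what any outside resolver can already read, which is a useful input when deciding which vendor names to cover in phishing-awareness training.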

1 answer

0 vote

The verification of domains is really only important if you want to enforce a password policy, or use SAML for authentication. If you are not interested in either of these functions, then it isn't required to do this.

However, if you do verify your domain, it also opens up the ability for you to manage those user accounts. Previously all accounts in the Cloud were personal accounts. But if the domain is verified, then the user accounts under that domain become managed.

Administer Atlassian accounts - has a good breakdown of what this means and how it differs between the different ways accounts can be handled.


I'm sorry this doesn't directly address your questions on attack scenarios, but I hope this information helps explain what this feature is supposed to do.

Please also see:  

I am the JIRA Admin for our company account and I have been receiving emails that our domain verification has failed. The documentation that the email refers to no longer exists on your support site. Can you please redirect me to the updated link?

Here is the link from the email:

https://confluence.atlassian.com/cloud/domain-verification-873871234.html

Hi Anjani,

Thanks for mentioning this problem.

It looks like there was a problem with that page. I was able to get some help internally and I believe that this page has been updated at this point to contain more clear instructions on how to verify your domain.

At this time, https://confluence.atlassian.com/cloud/domain-verification-873871234.html should be visible to everyone and have instructions on how to verify a domain. If you continue to have problems with this, perhaps you can create a new question with more details about your specific problem.

Regards,
Andy
