Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Recurring Domain Verification

Zsolt Imre
Zsolt Imre June 29, 2017

Hello, 

Reading the documentation at https://confluence.atlassian.com/cloud/domain-verification-873871234.html I understand that Atlassian wants to make sure that we still own the domain thus the periodic verification of the DNS TXT record.

The way I see it is if someone would take over the domain for whatever reason, being malicious they could just set the same DNS TXT record we have at the moment. As of this, I do not really understand what problem the recurring domain verification solves.


At the same time, requiring the DNS TXT record to include the Atlassian token allows attackers to identify what 3rd party services we use and try to target those or, simply use the information for social engineering. E.g. if they figure out we use Atlassian services they may try to send malicious emails to employees pretending to be Atlassian, asking employees to change their password on a fake site. (so they can steal credentials)

I guess the question is: what problem(s) the recurring domain verification is intended to solve? The documentation does not really go into details. What attack scenarios were considered? What is the likelihood of those attacks to be successful compared to the scenario I have outlined above?

Answer
Watch
Like Be the first to like this
712 views

1 answer

0 votes
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 19, 2017

The verification of domains is really only important if you want to enforce a password policy, or use SAML for authentication.   If you are not interested in either of these functions, then it isn't required to do this.

However if you do verify your domain, it also opens up the ability for you to manage those user accounts.    Previously all accounts in the Cloud were personal accounts.  But if the domain is verified, then the user accounts under that domain become managed.

Administer Atlassian accounts  - has a good breakdown of what this means and how it differs between the different ways accounts can be handled.


I'm sorry this doesn't directly address your questions on attack scenarios, but I hope this information helps explain what this feature is supposed to do.

Please also see:  

View More Comments
Anjani
Anjani October 22, 2017

I am the JIRA Admin for our company account and I have been receiving emails that our domain verification has failed. The documentation that the email refers to no longer exists on your support site. Can you please redirect me to the updated link?

Here is the link from the email 

 

https://confluence.atlassian.com/cloud/domain-verification-873871234.html

Like
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 24, 2017

Hi Anjani,

Thanks for mentioning this problem.

It looks like there was a problem with that page.  I was able to get some help internally and I believe that this page has been updated at this point to contain more clear instructions on how to verify your domain.

At this time, https://confluence.atlassian.com/cloud/domain-verification-873871234.html should be visible to everyone and have instructions on how to verify a domain.   If you continue to have problems with this, perhaps you can create a new question with more details about your specific problem.

Regards,
Andy

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events