by jamil7 2197 days ago
Heroku also doesn't enforce any verification that you own a domain name. Another user can simply add any domain they like to their app, regardless of ownership, if you haven't claimed it by adding it to your app first, and you will no longer be able to add your own domain to your app, getting a generic "domain is already in use" error. Happened to me a few years ago, had to reach out to support and prove I owned the domain. They made me verify I owned it and fixed it but said there's nothing they can do going forward. Granted it's a total edge case but was still an unexpected experience, maybe it's fixed now, who knows.

Edit: Looks like this is fairly common on PaaS so my original comment isn't that relevant.

2 comments

As long as support can fix this, it isn't really a problem, is it? If you point your domain to Heroku having not set it up first, that's on you...

You would think so, but it turns out that this ("subdomain takeovers") is a very common misconfiguration for a lot of *aaS services. Enough so that some bug bounty programs won't pay out much for it or at all because it happens so much and they don't consider the shared-suffix issue very important.

On the provider side though, requiring ownership verification (TXT records, etc.) introduces friction on the onboarding process. It's likely any reasonably competent provider that doesn't implement verification has had a serious internal discussion about it and decided it's not worth thinning their funnel for.

Yeah, like I said in another comment, it seems like it's normal across these PaaS platforms.

> If you point your domain to Heroku having not set it up first, that's on you...

How is it on you? It's possible a previous owner had a Heroku app with that domain attached to it or someone just added it to their app before you set up a Heroku app.

How does GitHub’s gh pages handle this? I don’t remember them doing anything either.

They don't. I've lost the ability to deploy GitHub Pages to domains I own because of this, when a repo went out of my control with CNAME set... Now I cannot change the CNAME there, and cannot verify a new repo with that name.

So far GitLab seems to be the best one I've run into, they do validation, and as long as you keep control of the domain, you keep control of your pages.

Pretty sure you have to set some DNS records for gh pages.

Yes, you have to point a record at the gh pages if you want to use DNS with it, but I don’t think their server checks for that.

Is it possible to subscribe to a firehose of .COM NS record updates through one of those fancy things like dnsdb? If so, perhaps there's an opportunity here for exploiting that race condition en masse for services that support direct NS-style delegation, like Netlify.

I actually don't know as I haven't used it in a while. But I did just test Netlify and the same issue exists there, domains need to be unique, perhaps there isn't a nice way of dealing with that edge case.
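
The TXT-record ownership verification mentioned in the thread, sketched from the provider's side as an added example that is not part of any comment and not any named provider's implementation. The secret, the `_paas-challenge` record name, the account names and the in-memory zone standing in for a DNS lookup are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration; a real provider keeps the secret server-side.
PROVIDER_SECRET = b"constructed-demo-secret"
CHALLENGE_LABEL = "_paas-challenge"  # hypothetical record name


def challenge_token(account_id, domain):
    """Token bound to one account and one domain, useless to any other account."""
    msg = f"{account_id}|{domain.lower().rstrip('.')}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()


class DomainRegistry:
    def __init__(self, zone):
        self.zone = zone    # name -> list of TXT strings; stands in for a DNS query
        self.owners = {}    # domain -> account_id

    def attach(self, account_id, domain):
        domain = domain.lower().rstrip(".")
        expected = challenge_token(account_id, domain).encode()
        records = self.zone.get(f"{CHALLENGE_LABEL}.{domain}", [])
        if not any(hmac.compare_digest(expected, r.encode()) for r in records):
            return "rejected: ownership not proven"
        # A verified claim replaces any earlier one: DNS control decides, not arrival order.
        previous = self.owners.get(domain)
        self.owners[domain] = account_id
        if previous and previous != account_id:
            return f"attached: displaced {previous}"
        return "attached"


def demo():
    domain = "www.example.com"
    zone = {}
    reg = DomainRegistry(zone)
    reg.owners[domain] = "squatter"              # legacy first-come claim, never verified
    no_record = reg.attach("owner", domain)      # owner has not published the TXT yet
    zone[f"{CHALLENGE_LABEL}.{domain}"] = [challenge_token("owner", domain)]
    wrong_account = reg.attach("other", domain)  # token is bound to "owner", not "other"
    verified = reg.attach("owner", domain)
    return no_record, wrong_account, verified


if __name__ == "__main__":
    print(demo())
```

Because the token is derived from the account as well as the domain, a published record cannot be replayed by a different account, and the "domain is already in use" dead end goes away without a support ticket.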