
I'm working on a web service. I need a way to verify a user owns a domain they attempt to use in the service.

How can I verify when a user attempts to add a domain to the service that they own the domain?

I have a few ideas, but I'm not sure how secure they would be:

  • Have them add a DNS record to the domain. Possibly a TXT record my service generates.
  • Send an email to an account on that domain they specify with a validation link.

Any other ideas?

ajb32x
  • If they can add a domain record, then they own the domain (or at least have full control over it). I'm not sure if this is a security question. – schroeder Jul 25 '17 at 20:58
  • Do you think this would be better on stack overflow? I really just want a good way to verify a user owns the domain they are trying to use. – ajb32x Jul 25 '17 at 21:00
  • I'm not sure where this would be a good fit, actually. Any reason why you wouldn't go with the standard of adding a DNS record? – schroeder Jul 25 '17 at 21:01
  • That will probably work, I wanted to verify that is a good practice. I also wasn't sure if there is a more user friendly way. If that makes sense. Modifying a DNS record might be a deterrent to less technical users. – ajb32x Jul 25 '17 at 21:04
  • @ajb32x: have a look at the processes done by certificate authorities. They face the same problems when somebody requests a certificate for a specific domain, and the ways they do the verification are discussed in https://security.stackexchange.com/questions/41289/, https://security.stackexchange.com/questions/115578/, https://security.stackexchange.com/questions/53408/, https://security.stackexchange.com/questions/36826/ – Steffen Ullrich Jul 25 '17 at 21:35
  • these approaches only verify site access, not ownership, if that matters. – dandavis Jul 25 '17 at 21:50

1 Answer

Let's Encrypt gives you a file containing a string that the user then uploads onto the website of the domain you wish to verify. This verifies that your user has control of the domain. DNS records are possible if there is no website, but this is cumbersome, and potentially very slow if the DNS has a long TTL. The other real alternative is to send an e-mail to root@domain or postmaster@domain. No one who doesn't control the domain is going to be able to receive email at these addresses. Of these, DNS records are the most inconvenient in my opinion.

camelccc
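The DNS TXT and HTTP well-known-file methods discussed in the question and the answer, worked through as an added example (this is not code from the original post or from any real service). The record label `_example-verify`, the path `/.well-known/example-verify`, the hard-coded `SERVER_SECRET` and the 24-hour lifetime are assumptions for illustration. The token is an HMAC over (user, domain, issue time), so the server stores nothing and a token issued to one user for one domain cannot be republished by a different user or for a different domain. The resolver and HTTP fetch are injected as callables so the example runs offline; the constructed demo at the bottom stands in for the network.

```python
import hashlib
import hmac
import re
import time
from typing import Callable, Iterable, Optional

# Assumed service secret: in a real deployment load it from a KMS or secret
# store; it is hard-coded here only so the example runs offline.
SERVER_SECRET = b"example-service-secret-rotate-me"
CHALLENGE_LABEL = "_example-verify"               # assumed TXT record label
WELL_KNOWN_PATH = "/.well-known/example-verify"   # assumed HTTP challenge path
TOKEN_TTL = 24 * 3600                             # seconds a challenge stays valid

# Plain ASCII hostnames only: at least two labels, 1-63 chars, no leading/trailing hyphen.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize_domain(domain: str) -> str:
    """Lower-case, strip the trailing dot and reject anything that is not a plain
    ASCII hostname (IDNs would need IDNA encoding first, not handled here)."""
    d = domain.strip().lower().rstrip(".")
    if len(d) > 253 or not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def _tag(user_id: str, domain: str, issued: int) -> str:
    """HMAC binding the challenge to this user, this domain and this issue time."""
    msg = f"{user_id}|{domain}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(user_id: str, domain: str, now: Optional[int] = None) -> dict:
    """Produce the value the user must publish, plus where to publish it."""
    domain = normalize_domain(domain)
    issued = int(time.time() if now is None else now)
    token = f"{issued}.{_tag(user_id, domain, issued)}"
    return {
        "domain": domain,
        "token": token,
        "txt_name": f"{CHALLENGE_LABEL}.{domain}",
        "http_url": f"http://{domain}{WELL_KNOWN_PATH}",
    }


def token_valid(user_id: str, domain: str, candidate: str, now: Optional[int] = None) -> bool:
    """Check one published value: well-formed, not expired, HMAC matches (constant time)."""
    now = int(time.time() if now is None else now)
    issued_s, sep, tag = candidate.strip().strip('"').partition(".")
    if not sep or not issued_s.isdigit():
        return False
    issued = int(issued_s)
    if issued > now or now - issued > TOKEN_TTL:
        return False
    return hmac.compare_digest(tag, _tag(user_id, domain, issued))


def verify_dns(user_id: str, domain: str, lookup_txt: Callable[[str], Iterable[str]],
               now: Optional[int] = None) -> bool:
    """DNS method: any TXT record at <label>.<domain> carrying a valid token passes.
    lookup_txt is injected so this runs offline; in production wrap a real resolver
    and query the zone's authoritative servers so a long cached TTL does not delay you."""
    domain = normalize_domain(domain)
    records = lookup_txt(f"{CHALLENGE_LABEL}.{domain}")
    return any(token_valid(user_id, domain, r, now) for r in records)


def verify_http(user_id: str, domain: str, fetch: Callable[[str], Optional[str]],
                now: Optional[int] = None) -> bool:
    """HTTP method: the body served at the well-known URL must be a valid token.
    A real fetch must refuse redirects to other hosts, cap the body size and resolve
    the name itself (rejecting private and loopback addresses) so the check cannot
    be pointed at internal services."""
    domain = normalize_domain(domain)
    body = fetch(f"http://{domain}{WELL_KNOWN_PATH}")
    return body is not None and token_valid(user_id, domain, body, now)


if __name__ == "__main__":
    # Constructed demo: a fake resolver and fetcher stand in for the network.
    ch = issue_challenge("alice", "Example.COM.", now=1_700_000_000)
    fake_txt = lambda name: [ch["token"]] if name == ch["txt_name"] else []
    fake_get = lambda url: ch["token"] + "\n" if url == ch["http_url"] else None
    print("dns  ok:", verify_dns("alice", "example.com", fake_txt, now=1_700_000_100))
    print("http ok:", verify_http("alice", "example.com", fake_get, now=1_700_000_100))
    print("bob    :", verify_dns("bob", "example.com", fake_txt, now=1_700_000_100))
```

The same `token_valid` check serves both methods, which keeps the expiry and user/domain binding identical whichever route the user picks; only the transport (a TXT lookup or an HTTP fetch) differs. For the email option from the answer, the token would instead be sent to an address on the domain and `token_valid` applied to whatever the user pastes back.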