We strongly recommend that you do not use wildcard DNS records, such as *.example.com. These records put you at an immediate risk of domain takeovers, even if you verify the domain. For example, if you verify example.com this prevents someone from using a.example.com but they could still take over b.a.example.com (which is covered by the wildcard DNS record).
willhbr | 7 hours ago
This case is covered by the GH docs: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site
polywolf | 7 hours ago
It's crazy to me that they allow this vector at all, warning against it in documentation is not enough. Either have TXT verification or error out if they detect a wildcard record, but don't allow spam so easily!!!
radio | 4 hours ago
I don't understand how they deal with the case in which two GitHub Pages claim the same domain, and that domain is pointing to GitHub and there is no other info. Who wins?
radio | 4 hours ago
Couldn't they require a CNAME from the exact domain to <github-user>.github.io and verify if that matches the user who is claiming the domain?
cr | an hour ago
That wouldn’t work on the apex record, since you cannot use CNAME there
natkr | 16 minutes ago
Pretty commonplace to use TXT records for that. Codeberg Pages does it that way. (For now, with the legacy method.. not sure what the plan is for the new git-pages backend.)
bpacia | 2 hours ago
Had the same thing happen to me back in September. I migrated all my stuff off of GitHub Pages the same day.
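Added example, not part of the thread or of GitHub's documentation: a small audit of your own zone data that reports which hostnames a wildcard record would send to GitHub Pages without being covered by domain verification, as in the docs warning quoted at the top. The zone records, the `octo-org.github.io` target and the verified set are constructed, and the rule that verification covers a domain plus its immediate subdomains is an assumption taken from that quote.

```python
import ipaddress

# GitHub Pages apex addresses as published in GitHub's documentation.
PAGES_IPS = {ipaddress.ip_address(f"185.199.{n}.153") for n in range(108, 112)}

# Constructed sample zone data: (owner name, record type, value).
ZONE = [
    ("example.com", "A", "185.199.108.153"),
    ("*.example.com", "CNAME", "octo-org.github.io"),
    ("mail.example.com", "A", "192.0.2.10"),
    ("www.shop.example.com", "A", "192.0.2.30"),
]
VERIFIED = {"example.com"}  # constructed: domains verified for Pages

def points_at_pages(rtype, value):
    if rtype == "CNAME":
        return value.rstrip(".").lower().endswith(".github.io")
    return rtype == "A" and ipaddress.ip_address(value) in PAGES_IPS

def existing_nodes(zone):
    """Owner names plus their ancestors (empty non-terminals exist too)."""
    nodes = set()
    for owner, _, _ in zone:
        labels = owner.lower().split(".")
        nodes.update(".".join(labels[i:]) for i in range(len(labels)))
    return nodes

def matching_wildcard(name, zone):
    """RFC 4592: the wildcard at the closest encloser answers for `name`."""
    nodes = existing_nodes(zone)
    name = name.lower()
    if name in nodes:
        return None  # the name exists, so nothing is synthesized
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in nodes:  # closest encloser found
            wc = "*." + parent
            return wc if wc in nodes else None
    return None

def protected(name, verified):
    """Assumption: verification covers the domain and immediate subdomains."""
    parent = name.split(".", 1)[-1]
    return name in verified or parent in verified

def exposed(name, zone=ZONE, verified=VERIFIED):
    wc = matching_wildcard(name, zone)
    hits = [r for r in zone if r[0] == wc and points_at_pages(r[1], r[2])]
    return bool(hits) and not protected(name.lower(), verified)
```

With the sample data, `b.a.example.com` is reported as exposed while `a.example.com` is not, and `x.shop.example.com` is not matched by the wildcard at all because `shop.example.com` already exists as a node in the zone.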