Seems like GitHub could solve this by making users verify they own a domain name by adding a value to a txt record rather than just seeing the domain points to github and letting any repo use it.
I’ve set up two static pages with custom domains using GH Pages in the past couple of months, and both times I had to go digging in the docs before I found the verification page as part of trying to figure out why https wasn’t working. Fucking inexplicably poor UX design from GH. If I add a custom domain, just ask me to verify it.
I would say probably 10 years, I remember reading about the CNAME github issue around 2015 or so, as before that most used to use jekyll with gh pages, was very popular among indie developers
There's a pattern in your comments of being snarky. Explaining what happened is fine, but on HN we're trying for curious conversation, and we clearly ask for kindness and to avoid swipes and other kinds of negativity towards other commenters.
It may be that the words you're writing don't seem so snarky when they're just being formulated in your mind; that's a common pitfall with online discussion forums. Please try to more thoughtful about how your words come across.
Why is securely setting up custom domains for github pages so error prone? The `<user>.github.io` CNAME record already contains the username. So why can another user steal it?
edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error prone approach for those.
Practically, it's not limited to GitHub Pages, though.
By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:
Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)
Something similar once happened to me with an old domain with nameservers I had pointed to DigitalOcean from my registrar.
Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck.
Gigachad | 13 hours ago
rcfox | 13 hours ago
gavinsyancey | 13 hours ago
darkteflon | 12 hours ago
rockbruno | 12 hours ago
tamimio | 13 hours ago
I would say probably 10 years, I remember reading about the CNAME github issue around 2015 or so, as before that most used to use jekyll with gh pages, was very popular among indie developers
halapro | 12 hours ago
I think this is the expected outcome.
It's good you noticed and shared your findings, but to me this "works as intended"
tomhow | 12 hours ago
https://news.ycombinator.com/newsguidelines.html
halapro | 8 hours ago
It's like saying "my motorbike was stolen" when you let the key in the ignition for a day in the favelas. What did you expect exactly?
tomhow | 4 hours ago
It may be that the words you're writing don't seem so snarky when they're just being formulated in your mind; that's a common pitfall with online discussion forums. Please try to more thoughtful about how your words come across.
[OP] rmeertens | 12 hours ago
pigbearpig | 12 hours ago
You didn't think through the consequences, and you could learn a bit more about DNS.
[OP] rmeertens | 12 hours ago
I did not expect that Github facilitates other accounts creating scam pages under the domain I own...
est | 12 hours ago
Don't point a wildcard domain to Github. It's a wildcard and dangerous.
[OP] rmeertens | 12 hours ago
CodesInChaos | 12 hours ago
edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error prone approach for those.
usagisushi | 11 hours ago
By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:
Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)ardeaver | 10 hours ago
Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck.
Why is it always slot machines though?