Addon domains and DNS record verification

sparek-3

Well-Known Member
Aug 10, 2002
1,929
178
343
cPanel Access Level
Root Administrator
In order to create addon domains and domain aliases in end-user cPanels, cPanel requires that the destination domain name already be using the server's nameservers (or nameservers that resolve to the server's nameservers' IPs).

I get this and I understand why it is in place. It is meant to verify that the cPanel user actually owns the domain name they are wanting to set up as an addon domain or domain alias. I actually like this aspect.

But there exist some TLDs - mostly specific country code TLDs - that require a DNS zone to exist on a nameserver for the domain name before the domain name can be set to use those nameservers.

This is essentially a catch-22 when it comes to creating addon domains and domain aliases for these TLDs. cPanel won't let the user create the addon domain/domain alias because the nameservers for the domain aren't pointing to the proper nameservers. And the TLD won't allow the user to set the nameservers because a DNS entry doesn't exist for the domain at that nameserver yet.

My question is... what is the proper way to handle this? How are owners of these domain names supposed to verify account ownership of the domain name in these situations?

This doesn't happen often, but I have had at least a handful of these situations over the past year or so and it's always puzzled me.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,012
647
263
Houston
cPanel Access Level
DataCenter Provider
Hi @sparek-3


It sounds like (and please correct me if I misunderstood what you're asking) you just need to change some tweak settings.

Specifically, the following two:

Allow Remote Domains: Allow creation of parked/addon domains that resolve to other servers (e.g. domain transfers). This can be a major security problem. If you must have it enabled, be sure not to allow users to park common Internet domains.

Allow unregistered domains: Allow creation of parked/addon domains that are not registered.
 

sparek-3

Apologies for not being too clear.

That's true, those configuration options would work. But it's generally accepted to leave those options enabled. I agree with the reasons for leaving them enabled.

The issue pops up once in a blue moon, so I guess it's not entirely out of the realm to temporarily disable it and re-enable it once the client with this addon domain adds the domain. But doing this also completely circumvents the entire purpose of those configuration options, who's to say that the client isn't trying to take advantage of a lesser known, but specific to their needs, domain name hijacking?

It just doesn't seem like an eloquent solution.

Perhaps a TXT record verification process could be implemented. Say the user has one of these domain names that gets caught in this catch-22. The addon domain interface could create a token and a DNS TXT record instructing the user to create the TXT record and check back once it has been added to verify domain registration ownership.

Or is the issue just not common enough to warrant spending any time on?

Seeing as how this thread has not gotten any other responses... perhaps I'm operating as an army of one.
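
The TXT-record check proposed in the post above, sketched as an added example (not part of the original post and not cPanel functionality). The `_addon-verify` label, the secret, and the function names are assumptions; the resolver is passed in so the sample runs offline against constructed data.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: per-server secret
LABEL = "_addon-verify"                     # hypothetical record label
PREFIX = "addon-verify="
TTL_SECONDS = 48 * 3600                     # assumption: challenge lifetime


def _norm(domain):
    return domain.strip().rstrip(".").lower()


def _mac(account, domain, issued):
    # Binding the token to the account stops another user on the same
    # server from reusing a TXT value they can see in public DNS.
    msg = f"{account}|{_norm(domain)}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(account, domain, now=None):
    """Return (record_name, txt_value) for the user to publish."""
    issued = int(time.time() if now is None else now)
    value = f"{PREFIX}{issued}.{_mac(account, domain, issued)}"
    return f"{LABEL}.{_norm(domain)}", value


def verify_challenge(account, domain, resolve_txt, now=None):
    """resolve_txt(name) must return TXT strings as seen from public DNS,
    never from a zone hosted on this server."""
    now = int(time.time() if now is None else now)
    for value in resolve_txt(f"{LABEL}.{_norm(domain)}"):
        if not value.startswith(PREFIX):
            continue  # unrelated TXT data
        issued_s, _, mac = value[len(PREFIX):].partition(".")
        try:
            issued = int(issued_s)
        except ValueError:
            continue
        if not 0 <= now - issued <= TTL_SECONDS:
            continue  # expired or future-dated challenge
        expected = _mac(account, domain, issued)
        if hmac.compare_digest(mac.encode(), expected.encode()):
            return True
    return False
```
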
 

ronaldst

Well-Known Member
Feb 22, 2016
85
16
8
Norway
cPanel Access Level
Root Administrator
I've had a few of these occur as well.

I decided to add the domains manually from WHM (with root privileges, obviously).

At the time being I considered this to be the best option, and disabling the tweaks the least favourable one for obvious reasons.
 

cPanelLauren

> But doing this also completely circumvents the entire purpose of those configuration options, who's to say that the client isn't trying to take advantage of a lesser known, but specific to their needs, domain name hijacking?

You really don't unless you're aware of what the client is adding/doing which would be why there's no real automatic solution here besides utilizing the settings in place to suit your needs.

The tweak settings can be enabled/disabled at will - so if you need to enable it to allow for a user to create a domain you can do so until the domain is added then disable it once more. This can even be done after the domain is added and still doesn't point to the server or isn't registered.


> addon domain interface could create a token and a DNS TXT record instructing the user to create the TXT record and check back once it has been added to verify domain registration ownership.

If the issue is the necessity for a TXT or some other type of record the root WHM user has the ability to modify the DNS zone files, as well as add them for domains that don't exist on the server. In most cases, the cPanel user will have the capability to manage existing DNS zones as well in the Zone Editor unless it's not a part of the package applied to their account.


I actually think it's a really good thing to have the server admin involved in the ability to add these, I'm not sure I would be on board with a solution that would just let folks automatically add these domains unless it was comprehensive.