1. 36
  1. 4

    Although it’s not core to the matter, this would be a good reason not to spread your identity around to too many domains. If you don’t control .com (you don’t) you can’t prevent someone else from taking example.com after you abandon it. But if you control example.com (maybe you do) you can retire dead.services.example.com and nobody can register it. Still have to remember to actually retire it, of course. Doh!

    1. 1

      There have just been lots of cases where people didn’t retire subdomains regardless of the dots involved.

      A better way to solve it might be like heroku does it. You have to cname to a unique subdomain of them to proof ownership of the domain. If an attacker claims the dormant domain, they’d have to use a new cname, new id. So it doesn’t work.

      1. 2

        Yeah, my point is more that with a subdomain its at least possible. You can’t kill a TLD except by holding it forever.

        I wouldn’t really trust hosts to do this verification. Maybe they should because it’s nice, but I don’t attribute the “vulnerability” to them.