Admin Experience / AX-315

Domain Verifications Fails if Too many TXT records in DNS

    • Severity 2 - Major

      Issue Summary

      If DNS contains a large number of unique TXT records at the root of the domain (including the Atlassian verification record), the domain cannot be verified or re-verified during the normal checks.

      Steps to Reproduce

      1. Set up 30 TXT record entries with a lot of text in them.
      2. Wait for the changes to propagate to our system. Note that it may take up to 72 hours for our system to stop caching the old results.
      3. Attempt to claim the domain (or reclaim it).

      Expected Results

      The domain is claimed as expected.

      Actual Results

      The domain claim fails and the following error is thrown in the logs:
      Error: queryTxt ESERVFAIL EXAMPLE.com at QueryReqWrap.onresolve [as oncomplete] (dns.js:213:19)

      Notes

      Domain verification is checked over standard DNS (not EDNS). If the message size for the TXT records is greater than 512 bytes, the verification can fail.

      Workaround

      Currently, there are only two ways to work around this issue:
      1. Delete some of the TXT record entries so that the message size is less than 512 bytes.
      2. Use HTTPS verification instead.
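
To check whether the TXT records at a domain root stay under the 512-byte message size described in the notes, the response size can be estimated from the record values. This is an added example, not code from the original issue or from Atlassian; the function names and sample records are constructed, and it assumes answer names are compressed to a 2-byte pointer and that the response has no authority or additional records.

```javascript
// Added example: estimate the size of a DNS response that carries every TXT
// record at a name, and compare it with the 512-byte limit of plain DNS/UDP.
const CLASSIC_UDP_LIMIT = 512;

// Wire length of a name: a length byte per label, the labels, a final zero.
function encodedNameLength(name) {
  const labels = name.replace(/\.$/, '').split('.').filter(Boolean);
  return labels.reduce((n, l) => n + 1 + Buffer.byteLength(l), 0) + 1;
}

// TXT RDATA is one or more character-strings of at most 255 bytes, each
// preceded by a one-byte length.
function txtRdataLength(text) {
  const bytes = Buffer.byteLength(text);
  return bytes + Math.max(1, Math.ceil(bytes / 255));
}

// Assumption: answer names are compressed to a 2-byte pointer and there are
// no authority/additional records, so the result is a lower bound.
function answerLength(text) {
  return 2 + 10 + txtRdataLength(text); // pointer + TYPE/CLASS/TTL/RDLENGTH
}

function txtResponseSize(name, txtValues) {
  const base = 12 + encodedNameLength(name) + 4; // header + question
  return txtValues.reduce((n, v) => n + answerLength(v), base);
}

// How many of the records (in the given order) fit in a 512-byte message.
function recordsThatFit(name, txtValues) {
  let size = 12 + encodedNameLength(name) + 4;
  let count = 0;
  for (const v of txtValues) {
    size += answerLength(v);
    if (size > CLASSIC_UDP_LIMIT) break;
    count += 1;
  }
  return count;
}

// Constructed sample: 30 TXT values of 60 bytes each at example.com.
const sample = Array.from({ length: 30 }, (_, i) =>
  `vendor${String(i).padStart(2, '0')}-verification=`.padEnd(60, 'x'));
const total = txtResponseSize('example.com', sample);
console.log(`response ~${total} bytes, limit ${CLASSIC_UDP_LIMIT}`);
console.log(`records that fit: ${recordsThatFit('example.com', sample)} of ${sample.length}`);
```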


            Kat N added a comment -

            Hi everyone,
            Thank you for watching, following, and providing valuable feedback for our teams. Due to inactivity, we will be closing this bug as "Timed Out", but if this is still affecting your team, let us know on this ticket so we can potentially re-evaluate.


            Christopher G Andrews added a comment -

            Cool, cool. We have not had any other issues, but we also have not added any new DNS verification attempts for domains that have large amounts of TXT records for a while. Has Atlassian changed their DNS verification to be able to handle DNS queries that return more than one packet of data?

            Anusha Rutnam added a comment -

            Thanks for your response 1ac34fa724a8. The issue you described was a known incident that was unrelated to this particular bug (it affected domain verification regardless of the number of TXT records): https://jira-software.status.atlassian.com/incidents/66dthj4991q8

            Christopher G Andrews added a comment -

            This occurred for us October 23. Our domain went unverified and then re-verified later.

            Anusha Rutnam added a comment -

            Do the watchers of this issue still experience this bug? We have not had any recent reports of it. Thank you!

            Christopher G Andrews added a comment -

            Another option: don't use the domain TXT record; request a subdomain. For example:

            • _atlassian.domain.name
            • <random GUID that the Atlassian verification system tracks>.domain.name
              • BONUS - This method will foil OSINT efforts to map service usage of target by threat actors

              gmoir Geoff
              jlong@atlassian.com Jared Long
              Affected customers: 7
              Watchers: 8
