Some blog owners are confused about how domain ownership verification works - or should work.
The domain ownership verification process involves two challenges. Both accessing the registrars zone editor, and parsing the displayed content, is a challenge - for anybody but the domain owner. Or sometimes, including the domain owner.
Blogger uses an intriguing technique, to verify that the blog owner, submitting a blog for domain publishing, is also the domain owner. They give the blog owner a token to add, to the domain - then verify that the token was added, before publishing the blog to the domain.
How does Blogger verify that the token, that they provide, is actually added to the domain?
Blogger has no special ability, where domain access is involved. Their program can't examine the domain zone editor display, any more than any other non domain owner. And parsing the zone editor display, with different displays because each different registrar / domain host provides their own individual zone editor, will require complex coding.
The verification token is a DNS address.
The Blogger provided domain ownership verification token is actually a domain DNS address. The address in the token connects a unique domain host to a special Blogger verification server.
When the blog / domain owner publishes a blog to the domain, the publishing process checks to see if the domain host (aka the "short" token) connects to the Blogger verification server (aka the "long" token). Each short and long token is unique, for each domain - and acts as a domain ownership "certificate".
If the short and long tokens connect, ownership is verified.
If the "short" token address connects to the "long" token address, domain ownership is verified - and the blog can be published to the domain.
Only the blog owner (when publishing the blog to the domain) knows the essential certificate values - and only the domain owner can access the domain zone editor, to install the certificate. Only if the blog and domain owner are the same person - or know and trust each other - can the certificate be installed, to allow the blog owner to publish the blog to the domain.
If the certificate has not been installed, the blog owner sees the infamous "Third-party domain settings" display - and gets the certificate values, to add to the domain.
The "short" token (12 alphanumeric characters), combined with the "long" token (14 characters), produces the equivalent of a 26 character random values password. How many blog owners use even 12 characters, in their password (and preferably better than "password")?
Considering the complex values in both tokens, a domain hijack is unlikely to involve the publishing process. Domain ownership verification is well designed - similar to the whole custom domain DNS infrastructure.
But, there is a complication here.
Many domains, hosted by thousands of different domain hosts, cause problems.
How does the "Publishing" program react, if the certificate has not been installed? The "Publishing" program starts ownership verification, by feeding the "short" token into a DNS resolution process - then waits to see if the "short" token address connects to the Blogger verification server, and the "long" token address.
The key word, here, is "wait".
How long should the "Publishing" process wait, before displaying the infamous "Third-party domain settings" message? With thousands of different domain hosts, located all over the Internet, some may provide instant response - and others may require many long seconds of waiting.
Never type the addresses by hand - even 1 character misplaced or mistyped will break ownership verification. Always copy then paste from "Third-party domain settings" into the registrar "Add CNAME" wizard. And verify the second "CNAME" values - the "long" and "short" addresses - after the address is added to the domain.
With details properly verified, waiting 5 or 10 minutes after hitting "Save" would be a good way to make the verification reliable - but how many blog owners, anxious to see their new blog address, will wait that long? Even 5 or 10 seconds is too long to wait, for most owners.
And even waiting, you may see "Third-party domain settings", unnecessarily.
I already added the second "CNAME"! How can I add it, again?
The "Publishing" process has no way of waiting reliably, when the second "CNAME" can't be resolved, immediately. It waits an arbitrary number of milliseconds, detects no connection to the verification server - then times out and displays "Third-party domain settings". Sometimes, the domain resolves - and the blog is published - even as "Third-party domain settings" is being displayed.
Verify domain connectivity, before giving up, in despair.
With "Third-party domain settings" displayed, after you just added the second "CNAME", and carefully verified the addresses, you should maybe check the blog again, using your browser. Sometimes, you may find the blog displayed to you, or some of your readers, using the new domain URL - even though Blogger is still instructing you to add the ownership verification, to publish to the domain.
With the blog displayed in the browser, and even though "Third-party domain settings" is displayed, start the domain migration process - and get on with your life. Don't spend time unnecessarily republishing the blog to the domain, if the blog and domain is live.
Of course, you can only set "HTTPS Availability" and "HTTPS Redirection" after the blog is successfully published to the domain. With these latency issues considered, maybe we should still be observing a 3 to 5 day formal "Transition Period", before enabling "HTTPS Availability" and "HTTPS Redirection".
Possibly, republishing the blog unnecessarily - or enabling "HTTPS Redirect" too soon - may contribute to the infamous "Another blog ..." database corruption.
When you publish your blog to a #Blogger custom domain URL, you may sometimes add and carefully verify the second "CNAME" - and still see the well known "Third-party domain settings" message and instructions to add the second "CNAME", again!
If this happens to you, before throwing up your arms in despair, or unnecessarily trying again to republish the blog to the domain, check the blog. In some cases, the blog may be published to the domain URL, even with "Third-party domain settings" displayed.
The domain ownership verification process involves two challenges. Both accessing the registrars zone editor, and parsing the displayed content, is a challenge - for anybody but the domain owner. Or sometimes, including the domain owner.
Blogger uses an intriguing technique, to verify that the blog owner, submitting a blog for domain publishing, is also the domain owner. They give the blog owner a token to add, to the domain - then verify that the token was added, before publishing the blog to the domain.
How does Blogger verify that the token, that they provide, is actually added to the domain?
Blogger has no special ability, where domain access is involved. Their program can't examine the domain zone editor display, any more than any other non domain owner. And parsing the zone editor display, with different displays because each different registrar / domain host provides their own individual zone editor, will require complex coding.
The verification token is a DNS address.
The Blogger provided domain ownership verification token is actually a domain DNS address. The address in the token connects a unique domain host to a special Blogger verification server.
When the blog / domain owner publishes a blog to the domain, the publishing process checks to see if the domain host (aka the "short" token) connects to the Blogger verification server (aka the "long" token). Each short and long token is unique, for each domain - and acts as a domain ownership "certificate".
If the short and long tokens connect, ownership is verified.
If the "short" token address connects to the "long" token address, domain ownership is verified - and the blog can be published to the domain.
Only the blog owner (when publishing the blog to the domain) knows the essential certificate values - and only the domain owner can access the domain zone editor, to install the certificate. Only if the blog and domain owner are the same person - or know and trust each other - can the certificate be installed, to allow the blog owner to publish the blog to the domain.
If the certificate has not been installed, the blog owner sees the infamous "Third-party domain settings" display - and gets the certificate values, to add to the domain.
The "short" token (12 alphanumeric characters), combined with the "long" token (14 characters), produces the equivalent of a 26 character random values password. How many blog owners use even 12 characters, in their password (and preferably better than "password")?
Considering the complex values in both tokens, a domain hijack is unlikely to involve the publishing process. Domain ownership verification is well designed - similar to the whole custom domain DNS infrastructure.
But, there is a complication here.
Many domains, hosted by thousands of different domain hosts, cause problems.
How does the "Publishing" program react, if the certificate has not been installed? The "Publishing" program starts ownership verification, by feeding the "short" token into a DNS resolution process - then waits to see if the "short" token address connects to the Blogger verification server, and the "long" token address.
The key word, here, is "wait".
How long should the "Publishing" process wait, before displaying the infamous "Third-party domain settings" message? With thousands of different domain hosts, located all over the Internet, some may provide instant response - and others may require many long seconds of waiting.
Never type the addresses by hand - even 1 character misplaced or mistyped will break ownership verification. Always copy then paste from "Third-party domain settings" into the registrar "Add CNAME" wizard. And verify the second "CNAME" values - the "long" and "short" addresses - after the address is added to the domain.
With details properly verified, waiting 5 or 10 minutes after hitting "Save" would be a good way to make the verification reliable - but how many blog owners, anxious to see their new blog address, will wait that long? Even 5 or 10 seconds is too long to wait, for most owners.
And even waiting, you may see "Third-party domain settings", unnecessarily.
I already added the second "CNAME"! How can I add it, again?
The "Publishing" process has no way of waiting reliably, when the second "CNAME" can't be resolved, immediately. It waits an arbitrary number of milliseconds, detects no connection to the verification server - then times out and displays "Third-party domain settings". Sometimes, the domain resolves - and the blog is published - even as "Third-party domain settings" is being displayed.
Verify domain connectivity, before giving up, in despair.
With "Third-party domain settings" displayed, after you just added the second "CNAME", and carefully verified the addresses, you should maybe check the blog again, using your browser. Sometimes, you may find the blog displayed to you, or some of your readers, using the new domain URL - even though Blogger is still instructing you to add the ownership verification, to publish to the domain.
With the blog displayed in the browser, and even though "Third-party domain settings" is displayed, start the domain migration process - and get on with your life. Don't spend time unnecessarily republishing the blog to the domain, if the blog and domain is live.
Of course, you can only set "HTTPS Availability" and "HTTPS Redirection" after the blog is successfully published to the domain. With these latency issues considered, maybe we should still be observing a 3 to 5 day formal "Transition Period", before enabling "HTTPS Availability" and "HTTPS Redirection".
Possibly, republishing the blog unnecessarily - or enabling "HTTPS Redirect" too soon - may contribute to the infamous "Another blog ..." database corruption.
When you publish your blog to a #Blogger custom domain URL, you may sometimes add and carefully verify the second "CNAME" - and still see the well known "Third-party domain settings" message and instructions to add the second "CNAME", again!
If this happens to you, before throwing up your arms in despair, or unnecessarily trying again to republish the blog to the domain, check the blog. In some cases, the blog may be published to the domain URL, even with "Third-party domain settings" displayed.
Comments