A bit off-topic: When is domain validation required?


Mark Drummond

Nov 23, 2018, 9:27:52 AM
to Google App Engine
Two related issues from the last ~24 hours or so:

1. I saw one of our developers ask our infrastructure folks to add a domain validation record to our (non-Google) DNS, for a domain that I had already validated (we already have many App Engine hosted services using hostnames under that domain). Why would App Engine ask to validate a domain that is already validated?

2. A domain I previously validated no longer appears in the list of options when I go to add a hostname to a new App Engine app. There are already apps using hostnames under that domain, so why would the domain no longer show up in the list of options when adding a new name to an App Engine app?

And a general question: Do domain validation records need to stay in place? Or can they be deleted after the domain is validated? If the records need to be left in place and our infrastructure team removed them, that might explain my second Q above.


Thanks,
Mark

Mohammad I (Cloud Platform Support)

Nov 23, 2018, 4:02:37 PM
to Google App Engine

Hello Mark,


Once you have verified as a domain owner in Web Central, it is possible for you to delegate subdomains to developers within the organization to do their tasks without having to verify domain ownership themselves[1]. For more information on delegating, see Managing users, owners, and permissions.


The domain name verification is automatically re-confirmed about every 30 days. In case the verification string from your DNS settings is removed for some reason, it will restrict your ability to change the configuration within the Google Cloud Platform Console. This restriction does not change the serving setup for the domain, and the app continues to serve over the domain[2,3]. Verifying your domain primarily just proves to Google that your application is in fact allowed to receive all the traffic for the domain because you've shown that you "own" it[4].


[1] https://cloud.google.com/endpoints/docs/openapi/verify-domain-name#delegating_to_developers
[2] https://cloud.google.com/endpoints/docs/openapi/verify-domain-name#verifying_ownership
[3] https://cloud.google.com/appengine/docs/standard/python/mapping-custom-domains#adding_a_custom_domain_for_your_application
[4] https://groups.google.com/d/msg/google-appengine/jhJkoUf4p8M/EuMBw_nbDQAJ


Mark Drummond

Nov 24, 2018, 9:13:02 AM
to Google App Engine
Hi Mohammad,

Thanks for the feedback. Very helpful.

Given the following:

Only the user account that has verified ownership of the domain name can deploy the API initially. After that first API deployment, project members with Editor permissions can deploy it.


I read that as meaning, since I am the one who usually validates our domains, I should be the one to enable the API for any given project. If someone else has tried to enable the API, I should disable it and then re-enable it myself. As long as I am the one to enable the API, the project Owners and Editors will be able to use the domains I have previously validated.

Regarding the missing domains, it may be the case that someone removed the associated validation records. They may not have realized the records must remain in place and thought they were "cleaning up" old records that don't resolve to anything (we usually use CNAME validation records as I have found the TXT records to be unreliable).
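The two failure modes discussed above (the verification string being re-checked roughly every 30 days, and an ops team deleting "dangling" records that are in fact verification records) both come down to the same operational check: before a DNS cleanup, know which records are Google verification records and confirm that every record you still depend on is present in the zone. The following script is an added example, not code from this thread or from Google; it parses a small BIND-style zone and audits it against a list of verification records you expect to keep. The zone contents, domain names and tokens are constructed; the `google-site-verification=` TXT prefix is the real Webmaster Central format, while the `*.dv.googlehosted.com` CNAME target pattern is an assumption about the CNAME verification method and should be adjusted to whatever target Webmaster Central actually issued you.

```python
"""Audit a DNS zone for Google domain-verification records before a cleanup.

Added example (not from the thread). Flags records that look like Google
site-verification TXT or CNAME records and reports which expected records are
missing, so an infrastructure team does not drop them as "unused" entries.
The zone text, names and tokens below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified owner name, trailing dot kept
    rtype: str   # TXT, CNAME, A, ...
    value: str   # rdata with surrounding quotes removed


# TXT verification strings issued by Webmaster Central start with this prefix.
TXT_PREFIX = "google-site-verification="

# Assumed shape of the CNAME method's target (assumption, not from the thread).
CNAME_TARGET = re.compile(r"\.dv\.googlehosted\.com\.?$", re.IGNORECASE)


def parse_zone(zone_text):
    """Parse a minimal BIND-style zone: 'name [ttl] [IN] type rdata'.

    Supports $ORIGIN for '@' and relative names; ';' comments are dropped.
    """
    records = []
    origin = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives
            continue
        parts = line.split()
        name, rest = parts[0], parts[1:]
        if name == "@":
            name = origin
        elif not name.endswith(".") and origin:
            name = f"{name}.{origin}"
        if rest and rest[0].isdigit():    # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":   # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        records.append(Record(name, rest[0].upper(), " ".join(rest[1:]).strip('"')))
    return records


def verification_records(records):
    """Return the records that look like Google domain-verification entries."""
    return [
        r for r in records
        if (r.rtype == "TXT" and r.value.startswith(TXT_PREFIX))
        or (r.rtype == "CNAME" and CNAME_TARGET.search(r.value))
    ]


def audit_zone(zone_text, expected):
    """Compare the zone against expected {owner_name: (rtype, value)}.

    Returns present/missing owner names plus every verification-looking
    record found, so reviewers see what the cleanup must not touch.
    """
    found = verification_records(parse_zone(zone_text))
    by_key = {(r.name.lower(), r.rtype): r.value.lower().rstrip(".") for r in found}
    present, missing = [], []
    for name, (rtype, value) in expected.items():
        if by_key.get((name.lower(), rtype)) == value.lower().rstrip("."):
            present.append(name)
        else:
            missing.append(name)
    return {"present": sorted(present), "missing": sorted(missing), "found": found}


# Constructed sample zone: one TXT and one CNAME verification record survive,
# a second TXT record ("old") has already been deleted by a cleanup.
ZONE = """
$ORIGIN example.test.
$TTL 3600
@        IN  TXT    "google-site-verification=CONSTRUCTED_TOKEN_1"
www      IN  CNAME  ghs.googlehosted.com.      ; App Engine serving record
abc123   IN  CNAME  gv-CONSTRUCTED.dv.googlehosted.com.  ; assumed CNAME method
api      IN  A      192.0.2.10
"""

# Constructed list of verification records the team expects to keep.
EXPECTED = {
    "example.test.": ("TXT", "google-site-verification=CONSTRUCTED_TOKEN_1"),
    "abc123.example.test.": ("CNAME", "gv-CONSTRUCTED.dv.googlehosted.com."),
    "old.example.test.": ("TXT", "google-site-verification=CONSTRUCTED_TOKEN_2"),
}

if __name__ == "__main__":
    result = audit_zone(ZONE, EXPECTED)
    for r in result["found"]:
        print(f"KEEP    {r.name} {r.rtype} {r.value}")
    for name in result["missing"]:
        print(f"MISSING {name}  (re-add before the next ~30-day re-check)")
```

Run it on the real zone export (and against the record list Webmaster Central shows in its history view) before deleting anything; a `MISSING` line is the situation Mark describes, where the Console stops letting you change the custom-domain configuration even though serving continues.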

Mark Drummond

Nov 24, 2018, 9:17:06 AM
to Google App Engine
I just confirmed that the verification record must have been removed. The "Webmaster Central" page provides a very convenient history of events for your domains, even if they have been removed. I'll have my ops folks re-add the associated verification records.


Amit (Google Cloud Support)

Nov 28, 2018, 5:26:38 PM
to Google App Engine

Hi Mark,


You are right. Since you are the person who validates the domain, you need to deploy the API the first time. After that, the members with 'Editor' permission are able to access that API or deploy a new one. And regarding re-adding the domain validation record, I think you are on the right track.

