Every time I try to add a domain alias, I get the error “domain_aliases is owned by another account”. Even when I put a random number in the domain ensuring it can’t have been used on netlify by someone else.
Even when I ensure that DNS is already set up pointing to netlify.
I believe the problem is because of: geo.africadatahub.org (maybe some other domains too, but this was the first one with the issue that I found).
The DNS Zone for that domain has been created in a different Netlify account. For security reasons, we don’t allow adding subdomains of domains with DNS zones in other accounts. The reason why it’s not working now is that, for any change that you make (including removing any of the old domains except the one with the issue), the domains are going to be validated against this condition and it’s going to be rejected.
You can try contacting the domain owner to remove the domain from their account.
This DNS setup is by design (of our infrastructure).
Our site is a white-labeled tool which needs to be served on a range of domains. We want one netlify app to host the frontend, serving a range of custom domains.
Their domain happens to be managed on netlify. They don’t own our site, and should not need to set up a netlify app from our git repo with the chance of different release behaviour to the rest of our sites, just to be able to use their subdomain as a hostname running our tool.
Why does the behaviour differ for domains hosted on netlify vs domains hosted on other providers?
There are better domain-host-agnostic ways to verify domain ownership and avoid domain squatting. e.g. That’s what you’re trying to prevent, right? That I’m squatting on geo.africadatahub.org which might prevent them from setting up a site on the domain they actually own? See how Google Search Engine Console verifies domain ownership, or at least delegation of a specific permission on a particular subdomain: Verify your site ownership - Search Console Help
I would suggest looking at standard schemes for this, but you can do it with a DNS TXT record by which domain owners can assert that they give permission to route traffic to a given app. Let’s say we want to add geo.africadatahub.org as a subdomain to our app, routing traffic to this app and not any other app with this as a subdomain:
I add the txt record in my DNS admin panel, or I ask the owners of africadatahub.org to set it up in theirs. If the custom domain happens to be managed by my account, you can provide a shortcut. Otherwise it’s still a trivial and common record to set up.
You check whether that record exists, and matches the nonce you gave me. If someone else set up an app with this as a subdomain, you would have given a different nonce, and you would not verify their custom subdomain.
You see that the domain is verified, add the domain to my TLS cert, and route traffic to my app.
This is a lot of work to implement, I’m sure. But I don’t understand why you have stronger verification for netlify-hosted domains than others. This is not a feature, it’s a bug.
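The TXT-record check proposed in the post above, sketched as an added example (not part of the original thread and not Netlify's code). The `_domain-verify` label, the claim lifetime, the class and function names, and the in-memory resolver standing in for a real DNS query are all assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_LABEL = "_domain-verify"   # hypothetical label, not a Netlify name
NONCE_TTL = 7 * 24 * 3600            # assumed lifetime of a pending claim (s)

class DomainClaims:
    """Tracks pending (team, hostname) claims and verifies them via DNS TXT."""
    def __init__(self, txt_lookup, now=time.time):
        self._txt_lookup = txt_lookup    # callable: name -> list of TXT strings
        self._now = now
        self._pending = {}               # (team, hostname) -> (nonce, issued_at)

    def issue(self, team, hostname):
        """Return (record_name, nonce) that the claimant must publish."""
        host = _norm(hostname)
        nonce = secrets.token_urlsafe(32)    # fresh per team and per claim
        self._pending[(team, host)] = (nonce, self._now())
        return f"{CHALLENGE_LABEL}.{host}", nonce

    def verify(self, team, hostname):
        """True only if DNS publishes the nonce issued to this team."""
        host = _norm(hostname)
        nonce, issued_at = self._pending.get((team, host), (None, 0))
        if nonce is None or self._now() - issued_at > NONCE_TTL:
            return False    # no claim on file, or expired: re-issue needed
        records = self._txt_lookup(f"{CHALLENGE_LABEL}.{host}")
        # Several TXT values may sit at one name; compare each in constant time.
        return any(hmac.compare_digest(r.strip().encode(), nonce.encode())
                   for r in records)

def _norm(hostname):
    return hostname.strip().rstrip(".").lower()

def make_static_resolver(zone):
    """Constructed stand-in for a real DNS query so the example runs offline."""
    return lambda name: list(zone.get(name.lower(), []))

def demo():
    zone = {}                                    # constructed DNS zone data
    claims = DomainClaims(make_static_resolver(zone))
    name, ours = claims.issue("our-team", "geo.africadatahub.org")
    claims.issue("other-team", "geo.africadatahub.org")   # competing claim
    zone[name] = ["unrelated-txt", ours]         # domain owner publishes ours
    return (claims.verify("our-team", "geo.africadatahub.org"),
            claims.verify("other-team", "geo.africadatahub.org"))
```

Because each team receives its own nonce, a competing claim on the same hostname cannot verify unless the party controlling the zone publishes that team's value.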
The verification is identical for domains using external DNS and Netlify DNS. If the domain is used on one team, our service prevents it from being used on other teams.
We do have a possible workflow that might solve this domain sharing issue and there is more about that below. First, I wanted to say something regarding the domain verification process you described. We do something very similar already albeit using a manual process instead of an automated one (and I’d love to see it automated as well):
Note, with that process above we delete the domain from the other team. We don’t enable sharing with that workflow. The workflow removes domains from the “wrong” team (“wrong” as determined by the person that can prove they control the domain).
There is an alternative as mentioned above. Our support team can create an override to allow a domain to be used on two teams at the same time. There is a bottleneck though, which is that this override must be put on both teams.
I say “bottleneck” because it sounds like the domain sharing in your case is not going to be between your team and one other team. Instead, it sounds like the domain sharing will be between your team and many teams. Is that correct? If we need to do this often then it will become a bottleneck (and there are other issues with this as well which I can explain in more detail if the workflow need is one to many).
If it will just be these two teams, then this is an easy fix. If it is just sharing between two teams, please let us know and we’ll put the override in place.
If instead you need the domain sharing to be between one and many teams, then it would help us to better understand your workflow and the reasons for the “one to many” domain sharing. If this is the case, we’ll open a support ticket to discuss those details privately.
Would you please let us know which of the two sharing types is required (the “one to many” or the “one to one”)? Based on your reply we will either enable sharing between the two or we will open a support ticket for more in-depth discussion.
We will rarely see domains that are used on multiple netlify apps, but it is entirely possible that people will want to use our service (requiring a subdomain to be a custom domain on our app) who have another netlify app on the domain.
So the manual allow would be very much appreciated. How would you like to verify permission from the other app owner? Perhaps email me at firstname.lastname@example.org and I can have that owner contact you?
From this I understood that the issue was that the DNS was hosted by netlify. From what you say I now understand the issue to be that there simply happens to be another app that has the apex or some subdomain as a custom domain.
By the way, does this mean they will also have trouble adding custom domains on that app until the block is removed?
Hi, @JD1. Yes, likely this error will continue until the override is added or the custom domain is removed from one of the teams.
Sending an email from each team’s owner email address to email@example.com would be the faster way to get the override in place. I’m opening a support ticket to make the process faster for you but if you would have the other team owner email that email address (and, ideally, include a link to this forum post), that will get the ball rolling for the other team involved as well.
Please let us know if you do not see the email for the support ticket (or if there are other questions about this) by replying here.