You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, when creating a deployment on Akash, a user can specify an accept host without any ownership verification. If another user attempts to deploy with the same accept on the same provider, they receive an "accept in use" error. This creates potential issues:
Namespace Hijacking: A user can claim an accept host for a domain they do not own.
Deployment Disruption: If someone knows an existing deployment’s accept host, they can attempt to deploy with the same accept, causing conflicts.
Security Risks: Without verification, a user could take over a hostname after another deployment is removed.
Deploy a service with accept: myapp.example.com on an Akash provider.
Attempt to deploy another service with the same accept on the same provider.
The second deployment fails with an "accept in use" error.
If the first deployment is removed, any user can now claim accept: myapp.example.com, potentially taking over a previously existing hostname.
Expected Behavior
Only the owner of a domain should be able to deploy using accept: myapp.example.com. Without verification, users can unintentionally or maliciously hijack hostnames, causing service disruption or preventing legitimate deployments. A verification mechanism should be in place to ensure only authorized users can claim a hostname.
Additional Context
Potential Solutions
DNS-Based Verification: Require a DNS TXT or CNAME record proving domain ownership before allowing accept usage.
TLS Certificate Check: Validate that a deployment serves a valid SSL certificate for the specified host.
Cloudflare-Like Proxy Requirement: Ensure that DNS records for the domain point to an Akash provider before allowing deployment.
On-Chain or Signed Proofs: Implement an optional on-chain domain verification mechanism.
This would prevent namespace hijacking, service disruption, and security risks while improving the integrity of Akash-hosted applications.
Would love to hear thoughts on possible mitigations! 🚀
The text was updated successfully, but these errors were encountered:
Describe the Bug
Currently, when creating a deployment on Akash, a user can specify an
accept
host without any ownership verification. If another user attempts to deploy with the sameaccept
on the same provider, they receive an "accept in use" error. This creates potential issues:accept
host for a domain they do not own.accept
host, they can attempt to deploy with the sameaccept
, causing conflicts.deploy.yaml
To Reproduce
accept: myapp.example.com
on an Akash provider.accept
on the same provider.accept: myapp.example.com
, potentially taking over a previously existing hostname.Expected Behavior
Only the owner of a domain should be able to deploy using
accept: myapp.example.com
. Without verification, users can unintentionally or maliciously hijack hostnames, causing service disruption or preventing legitimate deployments. A verification mechanism should be in place to ensure only authorized users can claim a hostname.Additional Context
Potential Solutions
accept
usage.This would prevent namespace hijacking, service disruption, and security risks while improving the integrity of Akash-hosted applications.
Would love to hear thoughts on possible mitigations! 🚀
The text was updated successfully, but these errors were encountered: