Domain validation release changes (#8729)
* Update 08-domain-hijacking.md

Updated text for domain validation release

* added verify-domain-with-remove-button.png

To reflect updated changes for domain validation

* Update 05-custom-domains.md

Updated the image for domain validation, added a Note and removed some text

* Update 05-custom-domains.md

Added an FAQ

* Update 04-domains.md

Changes for domain validation release

* Update custom-certificates.md

changes for domain validation release

* Update 08-launch.md

changes for domain validation release

* Update namecheap.md

changes for domain validation

* Update 08-domain-hijacking.md

Updated and removed text in past-tense

* Copy edits

* Set platform-edge-routing team as SME for /guides/domains

* Update 05-custom-domains.md

Added one more entry to the domain verification FAQ

* Update 05-custom-domains.md

Added terminus command link to the FAQ

* Copy edits

---------

Co-authored-by: Rachel Whitton <rachel@pantheon.io>
manoj-sarma and rachelwhitton authored Oct 16, 2023
1 parent 4a317f2 commit 15be193
Showing 8 changed files with 49 additions and 11 deletions.
5 changes: 4 additions & 1 deletion CODEOWNERS
@@ -1,4 +1,7 @@
# These owners will be the default owners for everything in the repo. Unless a later match takes precedence, @pantheon-systems/docs-admins, as primary maintainers will be requested for review when someone opens a Pull Request.
# Additional code owners can be added for specific paths.
# For more information about CODEOWNERS files, refer to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
* @pantheon-systems/docs-admins
* @pantheon-systems/docs-admins

# The Platform-Edge-Routing team is responsible for connecting custom domains to Pantheon
source/content/guides/domains/ @pantheon-systems/platform-edge-routing
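Review bot: the new `source/content/guides/domains/` rule replaces the `*` rule for those files rather than adding to it, because the last matching CODEOWNERS pattern takes precedence (the header comment in this file says the same). If docs-admins should still be requested for review on the domains guides, list both owners on the line: `source/content/guides/domains/ @pantheon-systems/platform-edge-routing @pantheon-systems/docs-admins`.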
2 changes: 0 additions & 2 deletions source/content/custom-certificates.md
Expand Up @@ -82,8 +82,6 @@ As an alternative, you can also submit the certificate bundle to Pantheon Suppor

Next, [add the domain to your environment](/guides/domains).

If you are presented with the option to **Verify your domain to provision HTTPS**, skip the verification by clicking **Skip to updating DNS**.

Once the certificate is in place, you will see the following under **Details** for your domain(s):

![Custom Certificate Confirmation](../images/dashboard/custom-cert-confirm.png)
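Review bot: with the "skip the verification" sentence gone, this page jumps from "add the domain to your environment" to "Once the certificate is in place" and no longer says what a custom-certificate customer should do at the ownership verification step. Since skipping is no longer offered, say here whether verification has to be completed for domains served with a custom certificate, or link to the verification steps under /guides/domains.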
2 changes: 0 additions & 2 deletions source/content/dns-providers/namecheap.md
Expand Up @@ -33,8 +33,6 @@ When entering the value for the Name/Host, the bare domain and trailing dot ("."

After completing the fields on the page, click **Verify Ownership**.

You can click **Skip without HTTPS** to skip verification. By skipping, vistors to your site will receive a browser warning until Pantheon automatically provisions HTTPS, which can take approximately one hour after going live.

## Configure DNS Records on Namecheap

### A Record
35 changes: 33 additions & 2 deletions source/content/guides/domains/05-custom-domains.md
Expand Up @@ -53,9 +53,15 @@ Note that each custom domain is counted regardless of the environment to which i

1. Select the method you prefer, and follow the instructions. Note that the values are randomized for security.

1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**:
1. Click **Verify Ownership** to confirm:

![Verify domain ownership for HTTPS by DNS or by uploading a file to an existing site](../../../images/dashboard/verify-domain-ownership.png)
<Alert title="Note" type="info">

If you have a wildcard domain pointed at Pantheon and you have a valid use case to skip this verification for your sub-domains (although it is recommended to prevent domain takeovers), you may request an exemption to skip the verification by contacting Pantheon Support via chat or [ticket](/guides/support/support-ticket/).

</Alert>

![Verify domain ownership for HTTPS by DNS or by uploading a file to an existing site](../../../images/dashboard/verify-domain-with-remove-button.png)

It might take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. If you encounter issues after 30 minutes, check some of the following:
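Review bot: the parenthetical in the new Alert, "(although it is recommended to prevent domain takeovers)", is ambiguous because "it" can be read as the skip rather than the verification. Suggest "although verification is recommended to prevent domain takeovers". Two smaller points in the same hunk: the list item "Click **Verify Ownership** to confirm:" ends in a colon that introduced the screenshot, but the Alert now sits between them, so either move the Alert below the image or drop the colon; and the image was swapped to verify-domain-with-remove-button.png while the alt text is unchanged and does not mention the remove button. "sub-domains" here is also spelled "subdomains" in the FAQ added further down.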

Expand All @@ -77,6 +83,31 @@ Note that each custom domain is counted regardless of the environment to which i

- Note that if the Platform detects a CNAME record, the **Status** will show `Remove this detected record` on the line with the CNAME. Remove the CNAME from the DNS management service to avoid potential issues or interruptions.

## FAQ
### I have existing custom domains which were previously connected and launched prior to the enforcement of Domain Verification, will those be impacted?
No. Any custom domains previously added or launched will not require explicit domain verification. However, if any of those domains are deleted by the customer and then re-added, the process of re-addition (whether to the same environment or any other environment) will trigger domain verification.

### Is pre-provisioning HTTPS now a requirement to connect a custom domain?
Yes. Skipping HTTPS provisioning is no longer an option.


### Is Wild Card DNS routing supported by Domain Verification?
Pantheon does not allow wild card domains to be directly added as a custom domain. Customers may point wildcard domains (eg: *.example.com) in their own DNS to Pantheon, but are still required to have specific domains (eg: mysite.example.com) added and connected to specific environments on Pantheon.

### How can I know which domains are still pending ownership verification ?
For any domain that has been added that is pending verification, clicking on the "Details" button in the Domains list page for that domain will take you to another page where you can put in the information required to verify ownership for that domain. If the ownership of the domain has been already verified, the detail page will instead show the DNS records you need to update in your authoritative DNS to point to Pantheon, as well as the status of HTTPS provisioning. In other words, if your domain is not verified, we will require you to provide the necessary information to verify ownership first.

You can get a high-level status view for all custom domains connected to a given environment via Terminus using the [`domain:dns` command](/terminus/commands/domain-dns). Domains that are pending verification will have the "pending verification" status returned as part of the Terminus `domain:dns` command.

### Can I opt-out of Domain Verification for a given custom domain?
We do not recommend opting out of domain verification for custom domains because it increases the risk of domains being taken over or hijacked. If you have a specific reason to exclude domains from domain verification (for example, for subdomains belonging to a WordPress Multisite for which domain verification is not feasible for a specific reason) you may reach out to Pantheon Support via chat or [ticket](/guides/support/support-ticket/)


### Can I opt-out of Domain Verification for all domains connected to a given site, or across a given professional workspace?
We do not provide such an opt-out mechanism by default. If you have a specific reason to exclude domains from domain verification (for example, for subdomains belonging to a WordPress Multisite for which domain verification is not feasible for a specific reason) you may reach out to Pantheon Support via chat or [ticket](/guides/support/support-ticket/)



## More Resources

- [DNS](/guides/domains/dns)
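Review bot: the first FAQ answer says domains launched before enforcement stay unverified, but nothing tells readers that those domains still depend on DNS hygiene to avoid takeover. Suggest linking that answer to the "Clear DNS Records Before Removing Unused Subdomains" section of the domain hijacking guide. The two opt-out answers also never answer the question directly; start them with a plain "Not by default" before describing the Support exemption, and consider merging them since the parenthetical about WordPress Multisite is repeated verbatim. Copy points: add a blank line after `## FAQ` and after each `###` heading, use "wildcard" consistently instead of "Wild Card" and "wild card", write "e.g.," instead of "eg:", remove the space before "?" in "verification ?", and add the missing period after the ticket link in the last two answers.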
4 changes: 3 additions & 1 deletion source/content/guides/domains/08-domain-hijacking.md
Expand Up @@ -21,6 +21,8 @@ Domain Name Server (DNS) hijacking is a type of DNS attack in which bad actors s

## How to Avoid DNS Hijacking

Pantheon requires you to validate ownership of your custom domains at the time of adding domains to Pantheon sites. For the specific steps on adding custom domains, see [Add a Custom Domain](/guides/domains/custom-domains#add-a-custom-domain). Validating ownership (which is now enforced) would ensure that your custom domains will not be taken over by bad actors.

### Clear DNS Records Before Removing Unused Subdomains

When removing unused sites, delete the corresponding A or CNAME records with your DNS provider.
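Review bot: the last sentence of the added paragraph, "would ensure that your custom domains will not be taken over by bad actors", promises more than the rest of this change supports. The FAQ added in 05-custom-domains.md says previously launched domains are not verified and that exemptions can be granted, and this page still needs the "Clear DNS Records Before Removing Unused Subdomains" step right below. Suggest something like "Validating ownership, which is now enforced, helps prevent your custom domains from being taken over", and keep the tense in the present instead of "would ensure".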
Expand All @@ -45,4 +47,4 @@ Open a chat or [ticket](/guides/support/support-ticket/) to report a subdomain t

- [Enforce HTTPS + HSTS](/pantheon-yml#enforce-https--hsts)
- [Secure Development on Pantheon](/guides/secure-development)
- [Pantheon Security](/guides/security)
- [Pantheon Security](/guides/security)
4 changes: 2 additions & 2 deletions source/content/guides/getstarted/08-launch.md
Expand Up @@ -47,7 +47,7 @@ After you've done that, connect your DNS:

1. Verify ownership by adding a new DNS TXT value or by uploading a file to a specific URL. Select the method you prefer, and follow the instructions. Note that the values are randomized for security.

1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**. It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values.
1. Click **Verify Ownership** to confirm. It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values.

1. Open a new tab or browser window, and copy the **Required Values** to your [DNS](/guides/domains/dns) provider. If you see a message like "Waiting for HTTPS, DNS records will be provided when HTTPS provisioning completes.", wait one minute, then refresh the page.
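Review bot: this page drops the **Skip without HTTPS** option in the "Click **Verify Ownership** to confirm" step but, unlike 05-custom-domains.md and 04-domains.md in the same commit, does not get the Note about requesting an exemption for wildcard domains. Either add the same Alert here or link to the custom domains FAQ so the three pages stay consistent.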

Expand Down Expand Up @@ -79,4 +79,4 @@ You can run diagnostics at [Let's Debug](https://letsdebug.net/) if you are havi

</Accordion>

Your site is now live at the domain you have purchased!
Your site is now live at the domain you have purchased!
8 changes: 7 additions & 1 deletion source/content/guides/launch/04-domains.md
Expand Up @@ -34,7 +34,13 @@ The steps below will guide you through the process of migrating a site onto Pant

1. Verify ownership by adding a new DNS TXT value or by uploading a file to a specific URL. Select the method you prefer, and follow the instructions. Note that the values are randomized for security.

1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**.
1. Click **Verify Ownership** to confirm.

<Alert title="Note" type="info">

If you have a wildcard domain pointed at Pantheon and you have a valid use case to skip this verification for your sub-domains (although it is recommended to prevent domain takeovers), you may request an exemption to skip the verification by contacting Pantheon Support via chat or [ticket](/guides/support/support-ticket/).

</Alert>

It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. If you encounter issues after 30 minutes, check the following:
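Review bot: the `<Alert>` block is added directly after the numbered step "1. Click **Verify Ownership** to confirm." and is a verbatim copy of the one added to 05-custom-domains.md. Please check that it is indented to the list level so the numbered list is not broken at that step, and consider keeping the exemption text in one place and linking to it from here so the two copies cannot drift. The ambiguous "(although it is recommended to prevent domain takeovers)" wording should be fixed in both copies.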
