The problem: GitHub Pages allows anyone to claim the CNAME of any website by adding a CNAME file to a github.io Pages repo. If you migrate to GitHub Pages after this, you will get the following warning when you try to deploy:
"The page build completed successfully, but returned the following warning for the
\<domain\> is already taken. Check out https://help.github.com/articles/troubleshooting-custom-domains#cname-errors for more information."
GitHub requires no DNS validation that you actually own the domain. As a result, anyone can claim your domain or your subdomains. This seems to be a known issue: https://help.github.com/en/github/working-with-github-pages/about-custom-domains-and-github-pages#updating-custom-domains-when-your-github-pages-site-is-disabled
This is especially an issue for subdomains:
“Warning: We strongly recommend not using wildcard DNS records, such as *.example.com. A wildcard DNS record will allow anyone to host a GitHub Pages site at one of your subdomains.”
The solution: GitHub should require a domain to validate against a TXT record defined at the DNS provider used by the domain owner. In fact, this would require no new code for GitHub, as they already do domain name ownership verification, but it is only used for GitHub badges for GitHub groups. https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/verifying-your-organizations-domain
Is anyone else doing domain name verification? Yes, GitLab is: https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/#2-get-the-verification-code
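A sketch of the TXT ownership check proposed above, as an added example that is not GitHub's or GitLab's code. The `_pages-challenge` label, the HMAC token scheme, the account names and the sample zone are all assumptions made for illustration, and the DNS lookup is injected so the check runs offline.

```python
import hashlib
import hmac

# Hypothetical names: the challenge label and server secret are assumptions.
CHALLENGE_LABEL = "_pages-challenge"
SERVER_SECRET = b"constructed-demo-secret"


def normalize(domain):
    """Lower-case and strip the trailing dot so names compare consistently."""
    return domain.strip().rstrip(".").lower()


def challenge_token(account, domain):
    """Token bound to one account and one domain, so it cannot be reused."""
    msg = f"{account}\x00{normalize(domain)}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def challenge_name(domain):
    """DNS name where the owner must publish the token as a TXT record."""
    return f"{CHALLENGE_LABEL}.{normalize(domain)}"


def may_claim(account, domain, resolve_txt):
    """Allow the claim only if the domain's DNS publishes this account's token.

    resolve_txt(name) returns a list of TXT strings for that name.
    """
    expected = challenge_token(account, domain).encode()
    for value in resolve_txt(challenge_name(domain)):
        if hmac.compare_digest(value.strip().encode(), expected):
            return True
    return False


# Constructed sample zone: only the real owner can write TXT records here.
ZONE_TXT = {
    challenge_name("docs.example.com"):
        [challenge_token("owner-org", "docs.example.com")],
}


def lookup(name):
    """Offline stand-in for a TXT query against the constructed zone."""
    return ZONE_TXT.get(normalize(name), [])


if __name__ == "__main__":
    for account, domain in [("owner-org", "docs.example.com"),
                            ("someone-else", "docs.example.com"),
                            ("owner-org", "blog.example.com")]:
        print(account, domain, may_claim(account, domain, lookup))
```

With this check in place, a CNAME file alone no longer claims a domain: each subdomain needs its own published token, so a wildcard record pointing at the hosting service does not hand out subdomains.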