Tailscale security blunder

I’ve been thinking about setting up Tailscale, reading up on various Reddit posts and watching a couple of Tom’s videos. This Reddit post shocked me. I’m curious what Tom and others on this forum think. Seems like Tailscale should default to a domain being shared, then let ownership be proven.

https://www.reddit.com/r/Tailscale/s/ni1VwDklI3

Since I use my own domain when testing, this is not an issue I have run into. Their response in that Reddit post makes sense as to why it happened:

Tailscalar here.

Yeah, this sucks.

We’re working on changing the identity model (how users/domains/tailnets all map to each other).

When we first started, we were trying to make it easy for companies to sign up and start working with their coworkers, but we had a special case for @gmail.com users getting their own tailnets (because at the time, we only supported Google Auth). Later we added GitHub, and GitHub special cases for individuals vs orgs (which nicely mapped to our single-user vs multi-user tailnets).

Over time, we added more auth providers like (and BYO-OIDC) and this whole assume-a-multi-user-tailnet-unless-gmail-and-192-other-shared-email-hosts model really fell apart. We “decompose” (add to our shared email domain list) tailnets every month or so as we find them. We didn’t have your domain on our list previously.

We’re in the middle of changing the identity model to make this class of problem go away entirely, though.

Meanwhile, we just chatted about it and seems like the quickest thing we can do here is turn on User Approvals for all new tailnets so at least the admin of new tailnets like yours has to approve people joining them.

https://www.reddit.com/r/Tailscale/comments/1ksy3xy/someone_just_randomly_joined_my_tailnet/mtqd4et/