you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work
what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk