Comment by CydeWeys

3 years ago

Anything touching the DNS records for the root of your entire web presence is not simple and needs substantial review.

Adding a new DNS record for a new, specific purpose is simple and low-impact, technically.

  • …which gets promptly forgotten about after it’s initial use case and years later your user database gets sold on the internet.

    How many “low-impact” things have been compromised over the years, I wonder?

    • Unless you have anyone competent running the DNS config, or have a ticketing workflow of any kind, and I can't figure out what you think a DNS record with a onetime validation token could do if left unmanaged beyond some adversary discovery.