Even stupid age-old BIND zone files can be version controlled and commented. Anything inferior to that level of documentability should be an instant no-no.
That can help with the ongoing maintenance of your records, but doesn't help you when you're adding the record in the first place.
agwa|2 years ago
As pointed out by singron at https://news.ycombinator.com/item?id=38069760 a malicious service provider (SP1) could give you a DNS record that was really issued by a different service provider (SP2). When you publish the DNS record, you're actually authorizing SP1's account at SP2 to use your domain.
With non-opaque records, you can be sure of what you're publishing.
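As an added illustration of the check the thread is arguing for (this is example code written here, not anything posted by the commenters), the script below gates a provider-supplied verification TXT record before it goes into a zone file: it refuses opaque tokens that do not say which provider they authorize, refuses records whose provider label does not match the provider you are actually onboarding, and emits the zone-file line with a comment recording who asked for it and why. The record shape `<provider>-site-verification=<token>`, the provider names, the ticket id and the sample tokens are all assumptions constructed for the example; real providers use a variety of formats, so the regex would need adjusting per provider.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed record shape for this example: "<provider>-site-verification=<token>".
# The provider label is what makes the record non-opaque: it tells the domain
# owner which service the record actually authorizes.
VERIFICATION_RE = re.compile(
    r"^(?P<provider>[a-z0-9-]+)-site-verification=(?P<token>[A-Za-z0-9_\-=]+)$"
)


@dataclass
class CheckResult:
    ok: bool
    reason: str
    provider: Optional[str] = None


def check_verification_record(txt_value: str, expected_provider: str) -> CheckResult:
    """Decide whether a proposed TXT record may be published for expected_provider.

    Returns a CheckResult whose .ok is False for opaque records (no provider
    label at all) and for records labelled with a different provider, which is
    the SP1-hands-you-SP2's-record case from the thread.
    """
    m = VERIFICATION_RE.match(txt_value.strip())
    if not m:
        return CheckResult(False, "opaque record: cannot tell which provider it authorizes")
    provider = m.group("provider")
    if provider != expected_provider.lower():
        return CheckResult(
            False,
            f"record names provider '{provider}' but you are onboarding '{expected_provider}'",
            provider,
        )
    return CheckResult(True, "record identifies the expected provider", provider)


def zone_line(name: str, txt_value: str, expected_provider: str,
              added_on: str, ticket: str) -> str:
    """Produce a commented BIND-style zone entry, or raise if the record fails the check.

    The comment is what keeps the record documentable once it sits in a
    version-controlled zone file: who it is for, when, and which ticket asked.
    """
    result = check_verification_record(txt_value, expected_provider)
    if not result.ok:
        raise ValueError(result.reason)
    return (
        f"; added {added_on} for {result.provider} domain verification, see {ticket}\n"
        f'{name} IN TXT "{txt_value}"'
    )


if __name__ == "__main__":
    # Constructed sample records; "exampleprov"/"otherprov" are hypothetical providers.
    samples = [
        ("exampleprov-site-verification=tok123", "exampleprov"),  # fine
        ("otherprov-site-verification=tok123", "exampleprov"),    # wrong provider
        ("8f3a9c0d2b", "exampleprov"),                             # opaque token
    ]
    for value, expected in samples:
        r = check_verification_record(value, expected)
        print(f"{value!r:45} -> {'OK ' if r.ok else 'REJECT'}: {r.reason}")
    print(zone_line("example.com.", samples[0][0], "exampleprov", "2024-01-01", "TICKET-123"))
```

The point of the gate is not the regex itself but that publication is refused whenever the record cannot be tied to the provider you intend to authorize; an opaque blob from SP1 that was really minted at SP2 fails the first branch, and a labelled record from the wrong provider fails the second.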
c4mpute|2 years ago