DNSControl automates DNS changes across providers. Main risks are credential leakage and uncontrolled push workflows.
- Store provider credentials in secret managers.
- Use scoped API tokens with minimal permissions.
- Rotate credentials and revoke unused tokens.
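
One way to enforce the first point in CI, as an added example (not DNSControl's own code): DNSControl replaces `creds.json` values that begin with `$` with the named environment variable, so a secret manager can inject tokens at run time and the committed file holds only references. The allowlist of non-secret keys, the stricter variable-name pattern, and the sample entries are assumptions constructed for illustration.

```python
import json
import re
import sys

# Keys allowed to hold literal values (assumed policy; extend for your providers).
NON_SECRET_KEYS = frozenset({"TYPE"})
# Stricter than DNSControl's own "$" prefix rule: require a valid variable name.
ENV_REF = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample: one entry stores a literal key ID instead of a reference.
SAMPLE_CREDS = """
{
  "cloudflare_prod": {"TYPE": "CLOUDFLAREAPI", "apitoken": "$CLOUDFLARE_API_TOKEN"},
  "bind_local": {"TYPE": "BIND"},
  "route53_prod": {"TYPE": "ROUTE53", "KeyId": "CONSTRUCTED-NOT-A-REAL-KEY",
                   "SecretKey": "$AWS_SECRET_ACCESS_KEY"}
}
"""


def is_env_reference(value):
    """True if value is a "$NAME" environment-variable reference."""
    return isinstance(value, str) and ENV_REF.fullmatch(value) is not None


def find_inline_secrets(creds_text, non_secret_keys=NON_SECRET_KEYS):
    """Return sorted "entry.key" names whose values are stored literally."""
    findings = []
    for entry, fields in json.loads(creds_text).items():
        for key, value in fields.items():
            if key not in non_secret_keys and not is_env_reference(value):
                findings.append(f"{entry}.{key}")
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_creds.py creds.json  (exits 1 on any literal value)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_CREDS
    found = find_inline_secrets(text)
    for name in found:
        print(f"literal value in creds.json: {name}")
    sys.exit(1 if found else 0)
```

The report names only the entry and key, never the value, so the check's own CI log does not leak the secret it found.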
## GitOps and Change Control
- Require review for DNS config changes.
- Protect main branch and release workflows.
- Use signed commits or trusted CI pipelines.
- Run `dnscontrol preview` in CI before push.
- Restrict production pushes to controlled runners.
- Log and retain change history with actor identity.