Closed agherzan closed 6 years ago
Hey Andrei, It's really just a precaution. If you create a subdomain dedicated to this system, then you can be sure you don't change or delete DNS records not used by the system. If you are careful or understand the risk in your environment, you can use your primary zone. I'm working on v2 of this BTW. Going to deprecate the instructions and instead provide a CloudFormation template to provision the system. I'll also support private DNS for local device discovery, and IPv6. If time allows I'll also switch the config from JSON in S3 to DynamoDB.
I suspected something along these lines. It seems, though, a little bit of extra care, because you base the operations on the JSON configuration, which only allows specific domains to be changed.
A user could put a hostname into the json that caused an existing record to be overwritten. So if multiple people or groups were involved wires could get crossed.
IAM doesn't support record-level permissions for Route53, only zone level.
On Dec 20, 2017, at 3:49 PM, Andrei Gherzan <notifications@github.com> wrote:
I suspected something along these lines. It seems, though, a little bit of extra care, because you base the operations on the JSON configuration, which only allows specific domains to be changed.
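The two controls discussed in this thread (a dedicated delegated zone so the system can only ever touch its own subdomain, plus a JSON allowlist of hostnames) can be enforced in code before any Route 53 change request is built. The following is an added example, not code from the route53-dynamic-dns-with-lambda project; the config layout (`zone_name`, `hosts`), the `dyndns.example.com` names and the `EXISTING_RECORDS` table are all constructed for illustration. It shows why the dedicated zone matters: with a shared zone and a loosely edited allowlist, an existing record such as `www.example.com` becomes a legal update target.

```python
import json
import re

# Constructed sample configuration, modelled on the thread's description of a
# JSON file that lists which hostnames the system may change. This is not the
# project's real config format.
SAMPLE_CONFIG_JSON = json.dumps({
    "zone_name": "dyndns.example.com",
    "hosts": ["office.dyndns.example.com", "home.dyndns.example.com"],
})

# Constructed stand-in for records already present in Route 53 (name -> type).
# A real implementation would list them with the Route 53 API instead.
EXISTING_RECORDS = {
    "www.example.com.": "A",            # lives in the parent zone
    "home.dyndns.example.com.": "A",    # owned by the dyndns system
    "legacy.dyndns.example.com.": "A",  # created by hand, not in the allowlist
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name):
    """Lower-case the name and give it a single trailing dot, as Route 53 does."""
    return name.strip().lower().rstrip(".") + "."


def is_valid_fqdn(name):
    """Syntactic check so a malformed value never reaches the change request."""
    labels = name.rstrip(".").split(".")
    return 0 < len(name) <= 254 and all(LABEL_RE.match(label) for label in labels)


def load_config(config):
    """Parse the config (JSON text or an already-parsed dict) and normalize names."""
    raw = json.loads(config) if isinstance(config, str) else config
    return {
        "zone_name": normalize(raw["zone_name"]),
        "hosts": {normalize(h) for h in raw["hosts"]},
    }


def check_update(requested_host, config, existing_records):
    """Decide whether a dynamic-DNS client may update requested_host.

    Returns (allowed, reason). The zone-suffix check is what the dedicated
    subdomain buys you; the allowlist check is what the JSON config buys you;
    the overwrite check flags the case the thread worries about, where a
    change would clobber a record the system did not create.
    """
    host = normalize(requested_host)
    zone = config["zone_name"]
    if not is_valid_fqdn(host):
        return False, "invalid hostname"
    if host == zone:
        return False, "refusing to change the zone apex"
    if not host.endswith("." + zone):
        return False, "outside zone " + zone
    if host in existing_records and host not in config["hosts"]:
        return False, "would overwrite a record the system does not own"
    if host not in config["hosts"]:
        return False, "not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG_JSON)
    for h in ["office.dyndns.example.com", "www.example.com",
              "legacy.dyndns.example.com", "rogue.dyndns.example.com"]:
        print(h, check_update(h, cfg, EXISTING_RECORDS))
```

Because IAM can only scope Route 53 permissions to a whole hosted zone, the Lambda role will always be able to write any record in the zone it is pointed at; the checks above are what narrow that down to the records the system is meant to own, and a dedicated zone keeps a mistake in the allowlist from reaching records in the parent zone at all.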
Got it. In the scenario it makes sense. Thanks for the information.
I see that the example uses a separate hosted zone as a subdomain delegated from the "main" hosted zone. Is there any reason not to use the initial hosted zone? In the example, why not use the "example.com" hosted zone and avoid the 'dance' of creating a new hosted zone and delegating a record?