Pasting DNS records by hand looks safe because a human is in the loop, but a human is exactly the weak point. Here is how scope minimization, signed requests, an ownership check, and clean disconnect change the security picture, and where the real boundary still sits.