Peter Thomassen

Results: 203 comments by Peter Thomassen

#474 (subnet scoping) is done and has been deployed.

#478 (expiration by age and non-use) is done and has been deployed.

It is in production. The docs describe in which ways the token scope can be narrowed, and how to do that using the API: https://desec.readthedocs.io/en/latest/auth/tokens.html#token-scoping-domain-policies Some more features may come...

Yes, that's why the issue is open (and ACME scoping, which is kind of a sub-case) of what you're proposing. However, I'm planning to work on 2FA (#316) first (starting...

Not really internal data structures, rather interface aspects / exposed schemas. Such as: how to deal with wildcards like `_acme-challenge.*.$DOMAIN`? This particular instance is not a valid DNS name, as...

Nice idea! Unfortunately, it cannot be implemented in a straightforward fashion in our architecture ... We currently do not expose any nameserver to the public (except on the slaves). As...

Unfortunately, it's a bit more complicated: Neither are the slave pdns servers exposed on the frontend machines (they are "presided" by a dnsdist instance of which I'm not sure whether...

Here's a simplified diagram of our architecture. Some components are missing (VPN server, monitoring components, Celery task runners etc.). The replication mechanism duplicates the "Public DNS database" from the left...

Yeah, same here. It's a "speculative" PR that I just made as I came across things that may be incompatible as I was going over the Python 3.11 changelog. I...

FWIW, I left the improved formatting in api/api/celery.py as well as the faketime stuff in various images. Both may come in handy later.