Ah, that's a clever mechanism. That way the secondary machine could not only keep the token secure, but also validate which DNS records to create.