diff --git a/ddns/ddns.yaml b/ddns/ddns.yaml
index 2bfc3aa..3d1566a 100644
--- a/ddns/ddns.yaml
+++ b/ddns/ddns.yaml
@@ -12,7 +12,7 @@ type: Opaque
 stringData:
   # FQDN,clé_DDNS (une ligne par host marqué "dynamic" sur dns.he.net)
   hosts.csv: |
-    undercloud.dev,JmcqpomJT6CZtbuP
+    undercloud.dev,fIHrC4yqYmnlLFBG
     firewall.undercloud.dev,JmcqpomJT6CZtbuP
 ---
 apiVersion: v1
@@ -24,18 +24,26 @@ data:
   update.sh: |
     #!/bin/sh
     set -eu
+
+    # Get public IPv4 once
     V4="$(curl -4 -fsS --max-time 5 https://ipv4.icanhazip.com || true)"
-    V6="$(curl -6 -fsS --max-time 5 https://ipv6.icanhazip.com || true)"
+    [ -n "${V4:-}" ] || { echo "no IPv4 detected"; exit 0; }
 
     while IFS=, read -r HOST PASS; do
-      [ -z "${HOST:-}" ] && continue
-      # Update A via IPv4 transport if you want IPv4 too:
-      [ -n "$V4" ] && curl -4 -fsS --connect-timeout 5 \
-        "https://dyn.dns.he.net/nic/update?hostname=${HOST}&password=${PASS}&myip=${V4}" || true
-      # Update AAAA via IPv4 transport (key part):
-      [ -n "$V6" ] && curl -4 -fsS --connect-timeout 5 \
-        "https://dyn.dns.he.net/nic/update?hostname=${HOST}&password=${PASS}&myip=${V6}" || true
+      # trim spaces and skip blanks/comments
+      HOST="$(printf %s "$HOST" | tr -d ' \t\r')"
+      PASS="$(printf %s "$PASS" | tr -d ' \t\r')"
+      case "$HOST" in ''|\#*) continue;; esac
+      [ -n "$PASS" ] || { echo "skip $HOST: empty key" >&2; continue; }
+
+      RESP="$(curl -4 -fsS --connect-timeout 5 --retry 2 --retry-connrefused \
+        -A 'he-ddns/1.0' \
+        https://dyn.dns.he.net/nic/update \
+        -d "hostname=$HOST" -d "password=$PASS" -d "myip=$V4" || echo 'curlfail')"
+
+      echo "$HOST -> $RESP"
     done < /secrets/hosts.csv
+
 ---
 apiVersion: batch/v1
 kind: CronJob