Recommendations for DNS hosting

I’m looking for a new provider for hosting my DNS zones and was wondering if anyone can provide some recommendations? My main requirements are that they provide an API with fine-grain access controls, and are relatively cheap. I currently have 3 domains, but this tends to go up and down a bit depending on how trigger happy I get buying new domains :wink:

My requirement for API access is mostly for generating LetsEncrypt certificates, so ideally the provider is supported by either and/or lego.

I’m currently using Cloudflare which is fine for the most part (and free) but leaves a little to be desired on the API access side of things. You can generate tokens on Cloudflare to use for updating DNS records, but you can only limit the scope of the access to whole zones. My main concern is that if a server/device gets compromised and/or an API token is leaked, then that basically means someone could taken over the domain… once your DNS is compromised, they can redirect your email and it is basically game over for any other accounts associated with email address on that domain.

So I’m after a service that would allow me to limit API access to specific DNS entries, or at least, subdomains.

And no, I’m not really interested in self-hosting a DNS service.

This is what I do :joy:. acme-dns container looking after the challenge on the sub domain meaning I seperate the responder to a different dns server just for my letsencrypt stuffs. And wildcards rock :partying_face:

By coincidence I came across a mention of using DNS aliases for ACME challenges in the wiki. There is a bit more info about it in this article from 2018 which also mentions acme-dns. So that provides a few more options I hadn’t thought of before.

acme-dns looks useful, but seems like it only allows one set of credentials which would need to be used everywhere. This seems like a bit of an oversight, though I guess you could add your own wrapper service around it to provide better auth.

I’d still prefer a DNS host with a decent API/auth setup, so I’m happy for hear of any other suggestions.