Recommendations for DNS hosting

I’m looking for a new provider for hosting my DNS zones and was wondering if anyone can provide some recommendations? My main requirements are that they provide an API with fine-grained access controls, and are relatively cheap. I currently have 3 domains, but this tends to go up and down a bit depending on how trigger happy I get buying new domains :wink:

My requirement for API access is mostly for generating LetsEncrypt certificates, so ideally the provider is supported by either acme.sh and/or lego.

I’m currently using Cloudflare which is fine for the most part (and free) but leaves a little to be desired on the API access side of things. You can generate tokens on Cloudflare to use for updating DNS records, but you can only limit the scope of the access to whole zones. My main concern is that if a server/device gets compromised and/or an API token is leaked, then that basically means someone could take over the domain… once your DNS is compromised, they can redirect your email and it is basically game over for any other accounts associated with an email address on that domain.

So I’m after a service that would allow me to limit API access to specific DNS entries, or at least, subdomains.

And no, I’m not really interested in self-hosting a DNS service.

This is what I do :joy:. acme-dns container looking after the challenge on the subdomain, meaning I separate the responder to a different DNS server just for my letsencrypt stuffs. And wildcards rock :partying_face:

By coincidence I came across a mention of using DNS aliases for ACME challenges in the acme.sh wiki. There is a bit more info about it in this article from 2018 which also mentions acme-dns. So that provides a few more options I hadn’t thought of before.

acme-dns looks useful, but seems like it only allows one set of credentials which would need to be used everywhere. This seems like a bit of an oversight, though I guess you could add your own wrapper service around it to provide better auth.

I’d still prefer a DNS host with a decent API/auth setup, so I’m happy to hear of any other suggestions.
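To make the DNS alias approach discussed above concrete, here is a small added Python model (not code from the thread, acme.sh or acme-dns) of what the delegation buys you: the validator starts at `_acme-challenge.<domain>`, follows the CNAME into a dedicated challenge zone, and reads the TXT there, so the credential that writes challenges only ever needs rights in that zone. The zone names (`example.com`, `acme.example.net`), the alias label `c0ffee` and the token scope are all constructed for illustration.

```python
"""Added example: in-memory model of ACME DNS-01 validation via a CNAME alias
into a dedicated challenge zone, with a write token scoped to that zone only.
All zone data, names and token scopes below are constructed, not real."""

# Constructed zone data. The main zone carries the CNAME aliases (set once,
# by hand); the challenge zone is what an acme-dns style server would serve.
ZONES = {
    "example.com.": {
        "_acme-challenge.example.com.": {"CNAME": ["c0ffee.acme.example.net."]},
        "_acme-challenge.www.example.com.": {"CNAME": ["c0ffee.acme.example.net."]},
        "example.com.": {"MX": ["10 mail.example.com."]},
    },
    "acme.example.net.": {},
}

# Constructed token: may only write inside the challenge zone, never the main one.
CHALLENGE_TOKEN = {"zone": "acme.example.net."}


class ScopeError(PermissionError):
    """Raised when a token tries to write outside the zone it is scoped to."""


def zone_for(name):
    """Return the zone in ZONES that contains `name`; the longest suffix wins."""
    best = None
    for zone in ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        raise LookupError(f"no zone for {name}")
    return best


def set_txt(token, name, value):
    """Write a TXT record with `token`, refusing any name outside its zone."""
    zone = zone_for(name)
    if zone != token["zone"]:
        raise ScopeError(f"token for {token['zone']} cannot write {name}")
    ZONES[zone].setdefault(name, {}).setdefault("TXT", []).append(value)


def resolve_txt(name, max_hops=8):
    """Follow CNAMEs from `name` the way a validator does; return (final name, TXT values)."""
    for _ in range(max_hops):
        rrset = ZONES[zone_for(name)].get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]
            continue
        return name, rrset.get("TXT", [])
    raise RuntimeError("CNAME chain too long (loop?)")


def place_challenge(token, domain, key_authz):
    """Find where the validator will look for `domain`'s challenge and write it there.
    Returns the name the TXT record was written to (the alias target)."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    target, _ = resolve_txt(name)
    set_txt(token, target, key_authz)
    return target


if __name__ == "__main__":
    where = place_challenge(CHALLENGE_TOKEN, "example.com", "constructed-key-authz")
    print("challenge written to", where)
    print("validator sees", resolve_txt("_acme-challenge.example.com."))
    try:
        set_txt(CHALLENGE_TOKEN, "example.com.", "tampered")
    except ScopeError as err:
        print("blocked:", err)
```

The point of the model is the last part: a leaked `CHALLENGE_TOKEN` can add TXT records under `acme.example.net` and nothing else, so the MX and other records in `example.com` stay out of reach. The CNAMEs in the main zone are static and can be created once with a short-lived or manually held credential; day-to-day certificate renewals then never touch the main zone at all.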