Hi DNS WG,

I’m looking for advice from operators who run authoritative DNS at scale.

I’ve been building a domain reselling platform for ~2 years. Today, we manage customer DNS zones via the individual registrar/provider APIs (multiple upstreams). Operationally it’s painful: high/variable latency, inconsistent semantics, and unpredictable failures.

Long-term, we’d like to operate our own authoritative DNS service (geo-distributed, e.g. ns1/ns2/ns3) and have customer domains delegate directly to our nameservers.

The challenge: I’m struggling to find a “right-sized” authoritative DNS stack that is API-first (or at least automation-friendly) without having to build an entire DNS control plane from scratch.

What we’re looking for:
- Clean, automatable zone + record lifecycle (create/retrieve/update/delete) via API or well-supported automation interfaces
- Preferably open standards / minimal vendor lock-in
- DNSSEC support

What we’ve considered so far:
- BIND / NSD / Knot: solid, but “no native API” makes dynamic management feel awkward at scale or requires custom workarounds (which often rely on consistency from the provider side, which tends to cause issues)
- PowerDNS: seems powerful, but may be heavier than we need (happy to be convinced otherwise)
- Managed (Cloudflare / NS1 etc.): technically great, but cost/lock-in doesn’t fit our reseller model; also, we are fans of self-hosting in the Hetzner Cloud

Questions for the group:
1. If you were starting this today, what stack (authoritative server + control/management layer) would you recommend for this kind of product?
2. Are there established open-source “control planes” or patterns people use (e.g., RFC2136 dynamic updates, catalog zones, GitOps-style zone generation, database-backed auth, etc.) that work well in practice?
3. Any pitfalls you’d warn about when turning authoritative DNS into a customer-facing service?

Happy to share more details (expected zone counts, update rates, deployment model) if that helps.
Thanks a lot in advance, Sebastiaan
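As an added illustration of the RFC2136 dynamic-update pattern mentioned in question 2 (this is example code written for this page, not from the original post and not the API of BIND, NSD, Knot or PowerDNS), the block below builds an UPDATE message in wire format, signs it with a TSIG key (RFC 8945, hmac-sha256) and then performs the server-side check: unknown key, bad signature, stale timestamp and an unsigned message are each rejected with the corresponding TSIG error. The zone name, key name, secret and address are constructed placeholders; the verifier assumes the TSIG RR is uncompressed, as this builder emits it.

```python
"""Added example: RFC 2136 UPDATE builder plus RFC 8945 TSIG signing and server-side
verification, standard library only. All names, keys and addresses are constructed."""
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
HMAC_SHA256_NAME = "hmac-sha256."  # TSIG algorithm identifier, in domain-name syntax


def encode_name(name):
    """Dotted name -> uncompressed wire format (length-prefixed labels, root = 0x00)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, add_records, delete_rrsets=(), msg_id=0x1234):
    """UPDATE (opcode 5): zone section names the SOA, update section carries the changes.
    delete_rrsets: (name, type) -> class ANY, TTL 0, empty RDATA deletes that RRset.
    add_records: (name, type, ttl, rdata) -> class IN adds the record."""
    updates = b"".join(rr(n, t, CLASS_ANY, 0, b"") for n, t in delete_rrsets)
    updates += b"".join(rr(n, t, CLASS_IN, ttl, rd) for n, t, ttl, rd in add_records)
    count = len(delete_rrsets) + len(add_records)
    # Header counts for UPDATE are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, count, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + updates


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC; names must be lowercase and uncompressed."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(HMAC_SHA256_NAME) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR as the last record of the additional section."""
    mac = hmac.new(secret, message + _tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(HMAC_SHA256_NAME) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[0:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other len 0
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return (message[:10] + struct.pack("!H", arcount) + message[12:]
            + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))


def _skip_name(buf, off):
    """Offset just past a wire-format name; a compression pointer ends the name."""
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1


def _read_name(buf, off):
    """Decode an uncompressed name to dotted text (key and algorithm names)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def tsig_verify(signed, keyring, now):
    """Server-side check. keyring maps lowercase key names to secrets.
    Returns (ok, reason) where reason uses the TSIG error names."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "unsigned"  # an update without TSIG is refused outright
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):  # walk every RR before the last additional one
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = _read_name(signed, off)
    rtype, rclass, _, _ = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "FORMERR"
    alg, off = _read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    secret = keyring.get(key_name.lower())
    if secret is None or alg.lower() != HMAC_SHA256_NAME:
        return False, "BADKEY"
    # The MAC covers the message with the original ID restored and the TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge,
                                                           error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    keyring = {"customer-42.key.": b"constructed-secret-not-for-production"}  # constructed
    msg = build_update("example.com.",
                       add_records=[("www.example.com.", TYPE_A, 300, bytes([192, 0, 2, 10]))],
                       delete_rrsets=[("www.example.com.", TYPE_A)])
    signed = tsig_sign(msg, "customer-42.key.", keyring["customer-42.key."], int(time.time()))
    print(len(signed), "bytes,", tsig_verify(signed, keyring, int(time.time())))
```

The keyring lookup is the part that matters for a customer-facing service: one TSIG key per customer (or per zone) lets the server attribute every update and refuse anything unsigned or signed with an unknown key, and the fudge window bounds replay of an old message. A real server also has to check that the presented key is authorized for the zone in the zone section; that policy lookup is left out here.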