Hi DNS WG,
I’m looking for advice from operators who run authoritative DNS at scale.
I’ve been building a domain reselling platform for ~2 years. Today, we manage customer DNS zones via the individual registrar/provider APIs (multiple upstreams). Operationally it’s painful: high/variable latency, inconsistent semantics, and unpredictable failures. Long-term, we’d like to operate our own authoritative DNS service (geo-distributed, e.g. ns1/ns2/ns3) and have customer domains delegate directly to our nameservers.
The challenge: I’m struggling to find a “right-sized” authoritative DNS stack that is API-first (or at least automation-friendly) without having to build an entire DNS control plane from scratch.
What we’re looking for:
- Clean, automatable zone + record lifecycle (create/retrieve/update/delete) via API or well-supported automation interfaces
- Preferably open standards / minimal vendor lock-in
- DNSSEC support
What we’ve considered so far:
- BIND / NSD / Knot: solid, but “no native API” makes dynamic management feel awkward at scale or requires custom workarounds (which often rely on consistency from the provider side, which tends to cause issues)
- PowerDNS: seems powerful, but may be heavier than we need (happy to be convinced otherwise)
- Managed (Cloudflare / NS1 etc.): technically great, but cost/lock-in doesn’t fit our reseller model; also, we are fans of self-hosting in the Hetzner Cloud
Questions for the group:
- If you were starting this today, what stack (authoritative server + control/management layer) would you recommend for this kind of product?
- Are there established open-source “control planes” or patterns people use (e.g., RFC2136 dynamic updates, catalog zones, GitOps-style zone generation, database-backed auth, etc.) that work well in practice?
- Any pitfalls you’d warn about when turning authoritative DNS into a customer-facing service?
Happy to share more details (expected zone counts, update rates, deployment model) if that helps.
Thanks a lot in advance,
Sebastiaan