Granular permissions for API Tokens - DNS


It would be great if you could restrict an API Token to modify only a single DNS record or subdomain.

Here are specific use cases:

  • In AWS EC2, IP addresses are often ephemeral. Updating DNS per server could be automated with an API key and a restricted subdomain. Let’s say, create a subdomain called “dynamic” or “dyn” and let the servers modify this.

  • Let’s Encrypt certbot-dns-cloudflare needs access to the zone in order to renew certificates.

There is no reason these processes should have access to all DNS records in a zone. Just the ones they require. Do you agree?
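The restriction requested above, sketched as a scope check that a hypothetical token broker in front of a DNS API could apply. This is an added example, not Cloudflare's API and not code from the original post; `RecordScope`, the `example.com` zone and both scopes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


def _labels(name: str) -> tuple:
    # DNS names are case-insensitive; a trailing dot is just the root label.
    labels = name.strip().rstrip(".").lower().split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return tuple(labels)


@dataclass(frozen=True)
class RecordScope:
    """Hypothetical per-token scope: which names and record types it may edit."""
    suffix: str                     # subtree the token is confined to
    types: frozenset                # record types it may write
    leftmost: Optional[str] = None  # if set, the name must start with this label

    def allows(self, name: str, rtype: str) -> bool:
        if rtype.upper() not in self.types:
            return False
        try:
            labels, scope = _labels(name), _labels(self.suffix)
        except ValueError:
            return False
        if "*" in labels:
            return False  # wildcard records are refused; named hosts only
        # Compare whole labels, not string suffixes: "evildyn.example.com"
        # ends with "dyn.example.com" as text but is outside the subtree.
        if len(labels) <= len(scope) or labels[-len(scope):] != scope:
            return False  # outside the subtree, or the subtree root itself
        return self.leftmost is None or labels[0] == self.leftmost


# Constructed scopes for the two use cases in the post (example.com is a placeholder).
DYN_SCOPE = RecordScope("dyn.example.com", frozenset({"A", "AAAA"}))
ACME_SCOPE = RecordScope("example.com", frozenset({"TXT"}), leftmost="_acme-challenge")

if __name__ == "__main__":
    for scope, name, rtype in [
        (DYN_SCOPE, "web1.dyn.example.com", "A"),
        (DYN_SCOPE, "www.example.com", "A"),
        (ACME_SCOPE, "_acme-challenge.www.example.com", "TXT"),
        (ACME_SCOPE, "www.example.com", "TXT"),
    ]:
        print(name, rtype, "allowed" if scope.allows(name, rtype) else "denied")
```
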


