It would be great if you could restrict an API Token to modify only a single DNS record or subdomain.
Here are specific use cases:
In AWS EC2, IP addresses are often ephemeral. Updating DNS per server could be automated with an API key and a restricted subdomain. Let’s say, create a subdomain called “dynamic” or “dyn” and let the servers modify this.
Let’s Encrypt certbot-dns-cloudflare needs access to the zone in order to renew certificates.
There is no reason these processes should have access to all DNS records in a zone. Just the ones they require. Do you agree?