On Wed, Apr 15, 2026, at 08:08, Daniel Salzman wrote:
Hi Bron,

Welcome aboard!

Hi Daniel, thank you!

First of all, I have to say that the ALIAS record type (and similar alternatives) is rather a workaround until
HTTPS/SVCB alias mode is widely supported. We added this type primarily for use with our Redis backend
and we aren't philosophically ready to add processing of it to the server itself. However, I believe we can find
a solution for your needs.

I think that your use case, where the target ALIAS zone is locally available, is not common. Usually, a full DNS resolver
is necessary, which is the biggest issue. Our server is focused on high performance, so performing the resolution
while responding to queries is not optimal. In your case it is not even necessary.

Yes, absolutely -we're not keen to make our server more expensive.  We switched to Knot in the first place because our old backend was being hammered by DDoS attacks, even behind Cloudflare caching frontends.

Possible options:
- Using our Redis backend in combination with https://gitlab.nic.cz/knot/knot-dns/-/blob/master/scripts/redis_unalias.py
   Sorry for the lack of documentation.
- If the dynamic records are uniform across the zones, cannot you use something like (ignore the random zone names)?:

knotc> zone-begin --
OK
knotc> zone-set -- test A 192.168.1.1
OK
knotc> zone-diff --
[.] +test. 3600 A 192.168.1.1
[e92bd5f.4738fa5efafc1ebdc3.] +test.e92bd5f.4738fa5efafc1ebdc3. 3600 A 192.168.1.1
[63da60e39bb6cd76fa.] +test.63da60e39bb6cd76fa. 3600 A 192.168.1.1
[96e07.] +test.96e07. 3600 A 192.168.1.1
[aa.] +test.aa. 3600 A 192.168.1.1
[center.] +test.center. 3600 A 192.168.1.1
[collector.] +test.collector. 3600 A 192.168.1.1
[e6a69.] +test.e6a69. 3600 A 192.168.1.1
[ecbecfc1abcc.] +test.ecbecfc1abcc. 6536 A 192.168.1.1
[hawking.] +test.hawking. 16183 A 192.168.1.1
[noc3598.] +test.noc3598. 3600 A 192.168.1.1
[records.] +test.records. 3600 A 192.168.1.1
knotc> zone-commit --
OK

It's sadly not 100% uniform across all zones.  We have default records, which can be overridden by individual customers.  

  - If you insist on the dynamic ALIAS resolution, a new query module could be implemented.

I do think that the ALIAS resolution the way I did it is an exact match for what we want, it's a layer of indirection for the records which are "a service provided by us" - the kind of thing you'd just use a CNAME for if it wasn't for how CNAMEs and MX records behave so unfortunately.

What do you think? Maybe more details about your deployment would help. Feel free to send
me relevant zone snippets.

Our goal is to be able to switch all the records with IPs starting 103.168 to IPs in a separate datacenter when transitioning traffic to the other site (either deliberately, or for disaster recovery)

Here is a zone which is absolutely vanilla, no special records.  It's one of my family's domains:

lorinna.net.	3600	IN	SOA	( ns1.messagingengine.com.
	postmaster.messagingengine.com.
				2026041300	;serial
				86343		;refresh
				600		;retry
				1209600		;expire
				3600		;minimum
	)
lorinna.net.	3600	IN	NS	ns1.messagingengine.com.
lorinna.net.	3600	IN	NS	ns2.messagingengine.com.
lorinna.net.	3600	IN	MX	10 in1-smtp.messagingengine.com.
lorinna.net.	3600	IN	MX	20 in2-smtp.messagingengine.com.
lorinna.net.	3600	IN	A	103.168.172.37
lorinna.net.	3600	IN	A	103.168.172.52
lorinna.net.	3600	IN	TXT	"v=spf1 include:spf.messagingengine.com ?all"
*.lorinna.net.	3600	IN	MX	10 in1-smtp.messagingengine.com.
*.lorinna.net.	3600	IN	MX	20 in2-smtp.messagingengine.com.
*.lorinna.net.	3600	IN	A	103.168.172.37
*.lorinna.net.	3600	IN	A	103.168.172.52
_dmarc.lorinna.net.	3600	IN	TXT	"v=DMARC1; p=none;"
fm1._domainkey.lorinna.net.	3600	IN	CNAME	( fm1.lorinna.net.dkim.fmhosted.com.
	)
fm2._domainkey.lorinna.net.	3600	IN	CNAME	( fm2.lorinna.net.dkim.fmhosted.com.
	)
fm3._domainkey.lorinna.net.	3600	IN	CNAME	( fm3.lorinna.net.dkim.fmhosted.com.
	)
mesmtp._domainkey.lorinna.net.	3600	IN	CNAME	(
	mesmtp.lorinna.net.dkim.fmhosted.com. )
_autodiscover._tcp.lorinna.net.	3600	IN	SRV	( 0 1 443
	autodiscover.fastmail.com. )
_caldav._tcp.lorinna.net.	3600	IN	SRV	0 0 0 .
_caldavs._tcp.lorinna.net.	3600	IN	SRV	0 1 443 d27457.caldav.fastmail.com.
_carddav._tcp.lorinna.net.	3600	IN	SRV	0 0 0 .
_carddavs._tcp.lorinna.net.	3600	IN	SRV	( 0 1 443 d27457.carddav.fastmail.com.
	)
_imap._tcp.lorinna.net.	3600	IN	SRV	0 0 0 .
_imaps._tcp.lorinna.net.	3600	IN	SRV	0 1 993 imap.fastmail.com.
_jmap._tcp.lorinna.net.	3600	IN	SRV	0 1 443 api.fastmail.com.
_pop3._tcp.lorinna.net.	3600	IN	SRV	0 0 0 .
_pop3s._tcp.lorinna.net.	3600	IN	SRV	10 1 995 pop.fastmail.com.
_submission._tcp.lorinna.net.	3600	IN	SRV	0 0 0 .
_submissions._tcp.lorinna.net.	3600	IN	SRV	0 1 465 smtp.fastmail.com.
mail.lorinna.net.	3600	IN	MX	10 in1-smtp.messagingengine.com.
mail.lorinna.net.	3600	IN	MX	20 in2-smtp.messagingengine.com.
mail.lorinna.net.	3600	IN	A	103.168.172.65

And here's one where the apex A record and www A record are pointed to an external system, but the rest is managed at Fastmail.

miv.org.au.	3600	IN	SOA	( ns1.messagingengine.com.
	postmaster.messagingengine.com.
				2026041300	;serial
				86223		;refresh
				600		;retry
				1209600		;expire
				3600		;minimum
	)
miv.org.au.	3600	IN	NS	ns1.messagingengine.com.
miv.org.au.	3600	IN	NS	ns2.messagingengine.com.
miv.org.au.	3600	IN	MX	10 in1-smtp.messagingengine.com.
miv.org.au.	3600	IN	MX	20 in2-smtp.messagingengine.com.
miv.org.au.	3600	IN	A	178.62.49.34
miv.org.au.	3600	IN	TXT	(
	google-site-verification=3xg8-ieU1iufBCuguKrrUSGTEnrDYy7aSnPLvN66XHk )
miv.org.au.	3600	IN	TXT	"v=spf1 include:spf.messagingengine.com ?all"
*.miv.org.au.	3600	IN	MX	10 in1-smtp.messagingengine.com.
*.miv.org.au.	3600	IN	MX	20 in2-smtp.messagingengine.com.
*.miv.org.au.	3600	IN	A	103.168.172.37
*.miv.org.au.	3600	IN	A	103.168.172.52
_dmarc.miv.org.au.	3600	IN	TXT	"v=DMARC1; p=none;"
fm1._domainkey.miv.org.au.	3600	IN	CNAME	fm1.miv.org.au.dkim.fmhosted.com.
fm2._domainkey.miv.org.au.	3600	IN	CNAME	fm2.miv.org.au.dkim.fmhosted.com.
fm3._domainkey.miv.org.au.	3600	IN	CNAME	fm3.miv.org.au.dkim.fmhosted.com.
mesmtp._domainkey.miv.org.au.	3600	IN	CNAME	(
	mesmtp.miv.org.au.dkim.fmhosted.com. )
_autodiscover._tcp.miv.org.au.	3600	IN	SRV	( 0 1 443 autodiscover.fastmail.com.
	)
_caldav._tcp.miv.org.au.	3600	IN	SRV	0 0 0 .
_caldavs._tcp.miv.org.au.	3600	IN	SRV	0 1 443 d442465.caldav.fastmail.com.
_carddav._tcp.miv.org.au.	3600	IN	SRV	0 0 0 .
_carddavs._tcp.miv.org.au.	3600	IN	SRV	( 0 1 443 d442465.carddav.fastmail.com.
	)
_imap._tcp.miv.org.au.	3600	IN	SRV	0 0 0 .
_imaps._tcp.miv.org.au.	3600	IN	SRV	0 1 993 imap.fastmail.com.
_jmap._tcp.miv.org.au.	3600	IN	SRV	0 1 443 api.fastmail.com.
_pop3._tcp.miv.org.au.	3600	IN	SRV	0 0 0 .
_pop3s._tcp.miv.org.au.	3600	IN	SRV	10 1 995 pop.fastmail.com.
_submission._tcp.miv.org.au.	3600	IN	SRV	0 0 0 .
_submissions._tcp.miv.org.au.	3600	IN	SRV	0 1 465 smtp.fastmail.com.
mail.miv.org.au.	3600	IN	MX	10 in1-smtp.messagingengine.com.
mail.miv.org.au.	3600	IN	MX	20 in2-smtp.messagingengine.com.
mail.miv.org.au.	3600	IN	A	103.168.172.65
www.miv.org.au.	3600	IN	A	178.62.49.34

And here's one that runs entirely separately, just using Fastmail for DNS:

dkim2.com.	3600	IN	SOA	( ns1.messagingengine.com.
	postmaster.messagingengine.com.
				2026040300	;serial
				86265		;refresh
				600		;retry
				1209600		;expire
				3600		;minimum
	)
dkim2.com.	3600	IN	NS	ns1.messagingengine.com.
dkim2.com.	3600	IN	NS	ns2.messagingengine.com.
dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
dkim2.com.	3600	IN	A	134.209.211.166
dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
*.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
_dmarc.dkim2.com.	3600	IN	TXT	( "v=DMARC1; p=none; rua=mailto:dmarc@dkim2.com"
	)
ed25519._domainkey.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=ed25519; p=H4AK/+/8XXxmn/bnyOHaqPpyJtrqBf80sgZpnepMPUQ=" )
fm1._domainkey.dkim2.com.	3600	IN	CNAME	fm1.dkim2.com.dkim.fmhosted.com.
fm2._domainkey.dkim2.com.	3600	IN	CNAME	fm2.dkim2.com.dkim.fmhosted.com.
fm3._domainkey.dkim2.com.	3600	IN	CNAME	fm3.dkim2.com.dkim.fmhosted.com.
mesmtp._domainkey.dkim2.com.	3600	IN	CNAME	(
	mesmtp.dkim2.com.dkim.fmhosted.com. )
sel1._domainkey.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa;   p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwtNJpRLYM99Ya2Vm5Th/BUxw7MazipAvYMHJA80TD9P1F5gx6eHMT8kErqOG5w7ngZPAoEvH0Dq2rfyGC7gqp93RR7xCD/YNm72/uq9NC+zv1gQ3IqeHbKJEd8MQMj4CL+0fhRyAPpMWEPirYGSgVDxKjJHwa0XLlt00iI6DV1m/IhbH2hzcd6WfBBdiFLV+ovTS8InQDedl12aJtRJv/gKLA+6+Nd4DlTb3mBT2JvT0WoIbJ43pZpBR8ItXHOGT75mxMILEcWI2EhtPq/GaJHWbn7RxgyV0I44bTUiKut+8udflCjSpiOBXlFNp20bUQTjNxKNcCiLGFzc8cYFIwIDAQAB"
	)
dev.dkim2.com.	3600	IN	A	134.209.211.166
mail.dkim2.com.	3600	IN	A	134.209.211.166
mailman.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
mailman.dkim2.com.	3600	IN	A	134.209.211.166
mailman.dkim2.com.	3600	IN	A	134.209.211.166
mailman.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.mailman.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
sympa.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
sympa.dkim2.com.	3600	IN	A	134.209.211.166
sympa.dkim2.com.	3600	IN	A	134.209.211.166
sympa.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.sympa.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
test1.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
test1.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.test1.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
ed25519._domainkey.test1.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=ed25519; p=hwjviTXyzUXSCWayBqE17s/4NSynQKxw58jayHudRAI=" )
rsa1024._domainkey.test1.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIubB7x1q3rNGDWgObuKSOyYVtVKmcJpIvtWdRzg71iGRGqMdEE18GAOk+6j+GAcHTppkh4qR1d9vOl4S1L8ClAvSFUz0azi31fLQcMpZbagyseSq9FnF4nHL/7MAA2brAXkVCQ1rZLKNHMwkXGggkA9kg+LloNfSML+utkhN3gQIDAQAB"
	)
sel1._domainkey.test1.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRtvI17L4pHwF58KhyjiN7d74ZHDZia1IOzuXA6hygEuxt0+0Ey9PJvrDpKp/JsJIiJ0Ji8hrQfeMbAX5wHpz8GAkRlWOdorPuZiMZegTU9oD9nWRO/GcAu7Ub4V1pF6AwwfykCmzKbomX7jWa1y0oNgMHMUeZAi1XveQ6cfebJOwtgqWMOTSenY8+p8hU97YFxwKXO0FsAQYvNMMSZAXPM00V/ZaxiZ1UZUCMM/uesVkU7pIOzItGEjoWUrPkIos1GGf+2nBncqNgmivPkJPFeaJXOIL1iHqKJrSzZuTxCWPTQ+JVPyeAgDk0xyGK3RbiyItPjVZhBs7sZekNGVCwIDAQAB"
	)
sel2._domainkey.test1.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqiTwabnGlrGDoPlSHpfiWjsbwucsezwm/iU9bjloGqothOM7XNIrS1ub2f5BNz9yQjOhWGJ+fo8DOnF9YdUKXkBxuUdt49eyClLDaUG4Q35hJBWFF1MsmihtJpo6PzXGZYP/c4mPc2vXTPd3hbAqkftMgUCOCUIUyUEXhMl/R6/XkXATcyDId3TsSyQUJk3U+2r/wQJGz5JkOxyDX1NEawfh3GDuppCUFZFWnsrEvolBGDqZk8RG2FNmRysglRau4z9GG8jieXG4NjIT/yOh3pjbYGq4tgrMVZ7AcrIpCRbEJTUCExgrh3iQRXReVPy2qhcgY6BQLF2ahiTBUm2wAwIDAQAB"
	)
sel3._domainkey.test1.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8xHmZoXE3P12DNh5jhFAJjtI9kosn3bISKWYNyn2PAn8E+Ik70iScLj8bFUNcjlLRtBDo5KZ323gdoYS3AUBSJlbkLJKCnQnH6pY+rawmt5kCNJm15DTFlOyZhaMWUilFyVzzGDqXf3d/VzFiX+13GnDdwR1QOnbOTMKx9Y0+nEhlnqRwv3YFjAO1aQOdFzguxMi5wiZQIFtmwwY8GgFIVrEqFq4UCU/hc/E2YcYjHv5zg2KR/zJivfXdLOceHqzJTYdOca/IDqfat2IgOooVVsfHZCCScOutZe9JwWYt98EOiFfvmLs3pvJnBLyGM2BOZUpJnkXSDCnTKxboRnqQIDAQAB"
	)
test2.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
test2.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.test2.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
rsa1024._domainkey.test2.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcSzEVS5IaMQZWJaqmA7dnD1fHuks1mqzY9RfQn9skWCYJZxHx0d45oSSrMt8lSKZiN4FLgbBl0jiLWXq+oPP3rUEhQrqElzyzo1Swn1Phsq45ij655pXFgZpfXvS95nP2GGDrQLcZhi5VNDg9ACoitB1CtxTipRXm8anlzLtg2QIDAQAB"
	)
sel1._domainkey.test2.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolQDA1kFcPW13OQNJv7zEGhf18S+PU8oGUOSScVYRJELDUxZzv0i1OsyNW5T2hZlmTDFRszoxstj1o8JBn9nYm6zfdvr4w8JS5SrAEx8MzI4N/SghA334hbXtXQZ3br179XVgTMGJL0OMWw2Qp0c9HQAtQNF3ckeMiPncWp8e58in5YCjvHhezl8/VGrBx+CsDKxT8JFs/0QluC6AFQuM9ZIsm3RPwf4BsPE0/ADpuA5GUUdYUzhNt2Uq9Wr82BJLt8cy1a9FVEGKxdMhgJ7Gx4hx8GpM/oaiQYMO9VmNZVz8n87BkNOnjlpYFCtfb9FH8/mYPwqaSa0DmcahfeHVQIDAQAB"
	)
sel2._domainkey.test2.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3i4wXkWpIYib21p0CZx1dobNCYababIxIZAJO5SEGiK++C7jLgnpqg+lvTKS7eR5q1MO3ZCY19Bgm/PcigLvuLtMzap4yY+h9hnsQYzrdcAamzrpB3cjiNoCNhT0Zp7kRI6Rx0t2Uc91e0CvaFf8zAJIF4VUyQNXx9Gn/SEtNr0iQCNsPptGA1PUGUwDQUGze7fkXtnBOrgvNjILfnUC7MA6W+2+mCYtHzOkRB+t6SMutR2cDSXabjYBL5/1bweL6ABDouGgBnIj9LrY6RcbzrBpLuUAuXi71dLEHs0KW0UdImyUpE1i+thKqhNGaYnaL8KrTlDUC8g62T2kQNuHJQIDAQAB"
	)
sel3._domainkey.test2.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDOUuL/rLDi7fohdOw/sk31eGe5CtX9UEw5pSQv/EyYwW9lxZqi9SwU8Of+z7uHLMFJi+YbYV25CYDUrDIE71WLKou3FL0WyH0U4DrZoR7CBnMjRz92Lqh+VV1PJz0t5mU8YD0O+JJ80jScKIIcC8r1qysQI9Y7EdIAWFZlYS97c6WhKVg94xeOAaRDnpbr80H29g9pqGs4Yk4Hc1r5OXptj12sBMO7JCz/4dQ2Di0JsPOwEjWNbV9ysz8EcSW/+RoFG5Iomf4/q/aW7T6tUGqdj8M0eQ0TO0xW0lc4jqKUHH85LbdZFhcDIBUg8ML6mRgSVy779MxMP7+uw3iVLQQIDAQAB"
	)
test3.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
test3.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.test3.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
ed25519._domainkey.test3.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=ed25519; p=reUWo3pXLWHk5dILIK4NoCR3F2iACFdQ/FlhvVvMtxc=" )
sel1._domainkey.test3.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAju2t0p4xwgCT4UCRgfNZ27U6nhQ5sHSV23hR2TBngda8yAChPInsdVyjJv+cSeZf7tG7yKrzKTM9KaKK8BzBguYrJ9DRJqg7MPPsXlZJ53Ydku3GKLcuiBmDrwUxyBGAMFxndVs+uNJkF2qi+RK0Dgd45wMZiJJF1K3bPjkkQub4Ex4MXvbIqqThthlYiKUGHFBPKg7DALkdoIlegrAP4xZ43Cszd5u9AvNdjvAr31ajjaGrGuQH+gW5kXdwZpDiQgvi0Obnr7AZeVSyr4I5CTNLoj4ed4I0AOJ3TsoZM1fFzHr/rqhL+oEKW3tA7UYGaRoXFDei0qLXhRGTJjzscQIDAQAB"
	)
sel2._domainkey.test3.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynXlN4POdoj82RpdpD7iG8RR/RF1TjQxy65Fu/12cV0YYX1mZLOHcvSUkxkxMKSxdZnv/7UKuQcbdQXC7jBah/JQNYzLVDUe3bKbrjsypczRPYKajxnEYCsjvoKDR9g2XtlppGrchst77wcj3SWplz2MGBk5E2SGVo1TuvuRt2S0iiye8+Z2KBaVUE3t55YxRHhjIfudboyq4Vqt6o1/6gl7eieZjqfqIBcU8k1xgEG5EG5GYCV12cUzvFU4Q5jPIzDWydppSN+jsIdSRbA8E0GweeRYumuNHryfDexZ04GafvjDwC+b9PCD5r8xiyt7N8gPNG052smGeK39N9Y/TQIDAQAB"
	)
sel3._domainkey.test3.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmJR1PxhxeO2eZlHPZfikAOyn/95rjszoGWRZti+0VyitapUVvla9noM3w0rbFEbVwW4Y3ILqY7j1C1jiM02okbYNYwE0CC1WSTGUrSoyRV7nGFJ5n6vcLCLqE9EFJwFnUCCXDTz+90D4aiXgasm/MAJJMkBQzdrrpQTwnLGVfWYGenqUWJ1+yn8kXmDq/wub0oE5G3DEE7noCgxpzkEd6tqCIJ3Z1wcA9qnUsTBjmDLPEZAwc4ajwZ/cfXceDXnprUKlFvq9tfMReKfObT2g6/iBsesBLCsuYgHKRydNqT1+YU0GmkSQkXutgyH5o4WzkUsPim2saIiTkVPTCtbWBwIDAQA"
	)
test4.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
test4.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.test4.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
ed25519._domainkey.test4.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=ed25519; p=fJAwKEPblCYdjrEIPeyOFy6AeXZUBALBdGQRjSPe97c=" )
sel1._domainkey.test4.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqxfEjz2MPZ7ZiE/uQkgPOC7mn0CweB5MZgHMqgGPQodj2DpbILnxBivC64VV5/JItBaNCtEL3UFY1YzlJOKzqjJacF66u9en4m6L6uC31vrHmVME6+rx7B5nMBlkwPheamx8Dyf+wNo3/9UCKxSdFdtiJLpLGC7Tg2ry7tpxST4Joaf9fIggc3Zmaraidk0S0uJKQq6ZKoZtjJkt0Bd+LGEnGC6C9/lrjHarnImc1bcELpJrzmneOmJO1/b4C8TXawu7luKn6dTWhujAOam+sO4vXxwpCDEa2saSrB6ru2Ef4ittBVn8fYDCwCjqbniU3B/g7BcBYnnMLUvQecZEqwIDAQAB"
	)
sel2._domainkey.test4.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApolcHH25pnffLSu90xCKJINg7wItlff/H1x529bcRoYDl171r7rqnXA4dBaVSQoIK+vHsoizucMNw1dvdlxgdjOjBxJQOzF5gT4rvFjXn6gJG41MJcAolxA12FAM3XAlYmy2tE5jIU9TXenLgnXzLuf+YYLWsU2XHFO7yQkOwakgLFVQ7hljB1lCA6gWdERj1pa/v0njvBCK2k4+n70cS0CVE4n1zeKUSM/WHhqrW1ty2N4DW47JpBlbmJLepMuR3wPnkE7vL4OR+2HmZ+x6DzdZbzo0FFvh7jdfjlX/BB84ixaXIsJfEzWZMRc6DF+7oQIJ7WkyAETX2CXp/GpQwwIDAQAB"
	)
sel3._domainkey.test4.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiy1mVSb6jt4Y4m0V2M3/e/azZBQUGjahidiAgIE/4ZrJn65azagf3byfJwSvyxbnUSNvvJRf4aEiktKVOWKm9HbFMB8bS972Uj6IhviNrbrI7fdos/wv7SB7lCEVETKHC8lot7mw3xD86RLzhBFlBpgKreQrN0bXGC7vkMLE5Noxxj1BdVOEL7RQf96NGgi08ksgvlOMAcEVsVrGYJbrqAW85QJYe/0oQTb9BB86gRqweaZprFPDKB0/UUlRMNNR3+Zwrp7ibb8c0QXaDJ4V+5k2ABw8Cp99uXHeK8K50nfakQnY5EUlQ8lpCIG2JHLHTF7s4TbnXJST7Jy5RSmNywIDAQAB"
	)
test5.dkim2.com.	3600	IN	MX	10 mail.dkim2.com.
test5.dkim2.com.	3600	IN	TXT	"v=spf1 a mx -all"
_dmarc.test5.dkim2.com.	3600	IN	TXT	"v=DMARC1; p=none"
ed25519._domainkey.test5.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=ed25519; p=IAG1F5P3LD1Q8Y67PeW7YJLuvrM19wpaof+dzdC679I=" )
sel1._domainkey.test5.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YUNs4TOful7xAtEh/PcKbVRvxBOOC52crCwqRCeVUnsvyOPx/qtY0oA2qPZVzDFU/h3fyz54eqYMiOIbxJavt3+nDNf8VfyHxQfc6+JdHdcHAJDpM1EMgN5awMxvc76csMVN6hnYFeOuSZECQy8Kr2C8QPCTcoMeNmR0udfKBo17Gjx4Wg9QDlc0CrzdenXscs0+D/3Y47lN1KllQeBAR7wvTVFoFKvSZ2CvwW264Syx76viMd0+JaK0YdhAcphMuHeNWzCKA+pMVD45gtikpkOQo+MBQIV96lNXa3fEw20S1IZfCMZHMSBbLmsiDY4luCe6kA08khNaE/zBi1GbQIDAQAB"
	)
sel2._domainkey.test5.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSkJ+kfygUujU2u3tquvkjpPV/Gluz9k7rNnDfQwSddbZLOtDSQRt5pA04fjUcS+PraUAg2arKuGv05Nuw/X0ts7bh3N0b2Iwbg1IEGGa6gXMmJ6Lj5T0O716rk0GOvdWqLz/466MzCH8viwPwSLY25EBDD3r1Y9o58xy6VhiUuMsqttjzsk743A0wKQHr5FEYim0qnfY0ePfAr0s36XItgQaXH9pkr2CPmqSXlIwKN99h2TJVcf86dMDqxuqUnI2OilwKcGtMk2/oMxC3A5gGgFkivxUIdoKs0Y/JruR6mvnoFREbC5GToWNGCgciYbxMfaQIRO9tJwyPGl8gPpiQIDAQAB"
	)
sel3._domainkey.test5.dkim2.com.	3600	IN	TXT	(
	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsU7LuV9aZv8jiNflYQBEpGjGjzKF+PBBFSezLBkRsYQ8IKcmCa0v/BI2hC0h0DGqtOb4dz640F3oZFRyUcX5PsKinm6SChl1qOog4+3oNFs7bhe3NJm7MRgTCSKomEWKXJei303wy/iDKtm+KUL8mSFNlAr3FnVTxXq2LY+rUG786Ha7xvK7NeLN4+R22061QVf+rqWhMgZB0fEGzIAVx2C7P2dCMT1sZoPPXHajXmw36LbOUDp151tfH7LQ9qdPL+08FYjM4xoJdLy3kgHATb0bnebq0Mfxym2x14nI6YoOzqE+fcL4xJXqfVISC1Uyvx0ndNO6jajsBIbr2ihKewIDAQAB"
	)

... so basically my idea is to replace every current 103.168.172.x IP in our generated zones with an indirection to the actual service name, and then be able to update just that one zone file in order to change the IPs which are served for that service.

I'd be happy to re-implement that as a separate plugin, or as variables or some other way to do that indirection - I just want it to keep the DNS service fast, and allow me to switch all those records all at once.

Thanks,

Bron.
--
  Bron Gondwana, CEO, Fastmail Pty Ltd / Fastmail US LLC
  brong@fastmailteam.com