Consider running our own authoritative DNS server
Pros:
- DNSSEC
- SSHFP
Cons:
- More stuff to maintain (monitoring is very important!)
- If it breaks without us noticing, DNS stops working after some time (days/weeks depending on how we configure it)
- The tooling for managing DNS zones in a lot of cases sucks (no terraform providers :/)
  - https://github.com/StackExchange/dnscontrol/ is worth mentioning though...
The best way to implement it is probably as a hidden master and use Hetzner as a slave (and HE?) (I use that setup myself).
Edited by Kristian Klausen