Hi Chris,
To clarify, the notion of “users” is not the best one here, as all records of a domain are owned by the same user (the deSEC account owner). A user can create API tokens, and those may have different permissions. So, let’s focus on how these permissions could be implemented.
Your proposal requires that we keep track of which token was used when creating a certain DNS record. Apart from the necessary book-keeping logistics, this comes with a bunch of complications that may not be immediate obvious, but they are security relevant. For example, someone who can create SVCB records (we will start supporting them this winter) will effectively be able to override A/AAAA records. For many, this would be rather unexpected, and we’d like to reduce the potential for this type of accidental misconfiguration. So, I’m leaning towards not going down this route … not to mention other complications, such as what should be done when a token that owns a record is removed. Should the record also be removed, and why (not)?
Frankly, I also did not understand yet what the use case for this is. Why do you need this, and what other approaches did you rule out, and why?
Cheers,
Peter