
DNS Change Management BETA

Batch DNS record updates into a reviewable changeset before they hit production. Every change is dry-run validated, optionally routed for approval, applied on your schedule, and tracked across DNS resolvers until it has fully propagated.

A Reviewable Workflow Around Every Change

DNS edits made directly at the provider have no review step, no audit trail, and no validation. ZoneWatcher's changesets wrap every modification in a workflow that mirrors the way your team already ships code: draft, review, approve, apply, verify. The diff is visible at every stage, the AI risk score sits next to the diff, and nothing reaches the provider until somebody with the right role clicks Apply.

The Changeset Lifecycle

A changeset moves through a defined set of states. Most teams use a subset, but the full path looks like this:

Draft: Add create, update, and delete record changes; name the changeset for later reference.
Submitted & Pending Approval: The draft is locked from edits and routed to an approver, with the AI risk summary and full diff in their notification feed.
Approved & Scheduled: Apply now or pick a future UTC timestamp; ZoneWatcher dispatches automatically at the scheduled moment.
Applying & Applied: Provider rate-limits trigger automatic backoff and retry; partial failures land in Failed with a Retry action scoped to just the failed items.
Verified: ZoneWatcher re-reads the zone and confirms every record matches the expected post-change state.
Propagated: Public DNS resolvers around the world report the new value; per-resolver status is visible in real time.

Dry-Run Validation

Before a changeset is submitted, the Validate action runs a dry-run against the live provider data. It confirms every target record still exists, that the after-state passes provider rules (TTL bounds, type restrictions, allowed characters), and that no other team member has touched the same records since the draft was started. Validation runs automatically on submit; you can also trigger it manually at any time before the changeset becomes terminal.
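
The three dry-run checks described above (target still exists, after-state passes provider rules, no concurrent edit since the draft) can be sketched as follows. This is an added example, not ZoneWatcher's code or API: the Record and Change types, the TTL bounds, the type list and the label pattern are assumptions, since the actual rules vary by provider.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed provider rules, for illustration; real bounds vary by provider.
TTL_MIN, TTL_MAX = 60, 86400
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT"}
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int

@dataclass(frozen=True)
class Change:
    op: str                   # "create", "update" or "delete"
    before: Optional[Record]  # snapshot taken when the draft was started
    after: Optional[Record]   # desired state; None for a delete

def rule_errors(rec):
    errs = []
    if rec.rtype not in ALLOWED_TYPES:
        errs.append(f"type {rec.rtype} not allowed")
    if not TTL_MIN <= rec.ttl <= TTL_MAX:
        errs.append(f"ttl {rec.ttl} outside {TTL_MIN}-{TTL_MAX}")
    if not all(LABEL.match(p) for p in rec.name.lower().rstrip(".").split(".")):
        errs.append(f"invalid characters in name {rec.name!r}")
    return errs

def dry_run(changes, live):
    """Return (index, problem) pairs; an empty list means safe to submit."""
    problems = []
    for i, ch in enumerate(changes):
        ref = ch.before or ch.after
        current = live.get((ref.name, ref.rtype))
        if ch.op == "create" and current is not None:
            problems.append((i, "conflict: record already exists"))
        elif ch.op != "create" and current is None:
            problems.append((i, "missing: target record no longer exists"))
        elif ch.op != "create" and current != ch.before:
            problems.append((i, "conflict: record changed since draft"))
        if ch.after is not None:
            problems += [(i, "rule: " + e) for e in rule_errors(ch.after)]
    return problems

# Constructed sample: live zone as currently read back from the provider.
LIVE = {("www.example.com.", "A"): Record("www.example.com.", "A", "192.0.2.10", 300)}
```

Comparing the live record against the draft-time snapshot is what catches an edit made by someone else after the draft was started; a clean run returns an empty list.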

Built-in AI Risk Scoring

Every pending changeset receives a risk score from 1 to 100 along with a plain-language summary explaining what it does and why it matters. The score factors in record-type criticality, ASN and geolocation shifts on IP changes, attack patterns like mail-server hijacks or nameserver takeovers, and historical context from your zone. It appears in the changeset list, on the detail page, and inside the approval modal so reviewers can spot risky changes at a glance. Read more on the AI DNS Risk Assessment page.

Notifications for Every State Transition

Each notification channel can subscribe to changeset events — Submitted, Approval requested, Approved, Rejected, Cancelled, Schedule reminder, Applied, Propagated, Conflict, Propagation timeout, Failed, Rolled back, and Rollback failed. Every notification deep-links back to the changeset so the on-call engineer is never more than one click from the diff.

Available on the Control Plan

DNS Change Management is included on the Control plan and is currently in beta — vendor support is rolling out incrementally, and the Add Change and Revert Change actions are only visible on zones whose provider has change management enabled. Start a free trial to test the full workflow on your own zones, or read the change management guide for the complete state machine.
