Authoritative DNS
The DNS servers that hold the canonical records for a zone. Where the buck stops when a resolver needs an authoritative answer.
An authoritative DNS server is the place that knows the actual records for a zone. It is distinct from a recursive resolver, which just looks things up on behalf of clients and caches the answers.
If you publish DNS, you have an authoritative server. Whether you run it yourself (BIND, NSD, Knot, PowerDNS) or use a hosted provider (Cloudflare, Route 53, Vercel DNS, GoDaddy) doesn't matter to clients; from their perspective, your nameservers ARE the authoritative source.
The two-server pattern
DNS standards expect at least two authoritative nameservers per zone, on different networks. The historical reasoning was redundancy — if one server is down, the other still answers.
Modern hosted providers offer this transparently. When you set up Cloudflare or Route 53, you get 2–4 nameserver hostnames, and each one is anycast-routed to many global PoPs. The result is single-provider but multi-server.
For maximum redundancy you can split authoritative DNS across two providers (e.g., 2 Cloudflare NS + 2 Route 53 NS, sharing the same zone data via API sync). This is operationally heavy; most SaaS companies don't bother.
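A check for the two points above (at least two nameservers on different networks, and identical zone data when the zone is split across providers), as an added example that is not part of the original page. The hostnames, addresses, the input layout and the /24 and /48 network buckets are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: answers each authoritative server gave for the same probe
# names (collected e.g. with `dig @<ns> <name> <type> +norecurse`). All names and
# addresses are illustrative and use reserved documentation ranges.
SHARED = {("example.com", "MX", "10 mail.example.com")}
SAMPLE = {
    "ns1.provider-a.example": {"addrs": ["192.0.2.10"],
        "rrsets": SHARED | {("www.example.com", "A", "203.0.113.5")}},
    "ns2.provider-a.example": {"addrs": ["192.0.2.11"],
        "rrsets": SHARED | {("www.example.com", "A", "203.0.113.5")}},
    # Second provider still serves the old address after a failed API sync.
    "ns1.provider-b.example": {"addrs": ["198.51.100.20"],
        "rrsets": SHARED | {("www.example.com", "A", "203.0.113.9")}},
}

def network_of(addr):
    """Coarse network bucket: /24 for IPv4, /48 for IPv6 (a heuristic, assumed here)."""
    prefix = 24 if ipaddress.ip_address(addr).version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit(nameservers):
    """Return findings for an NS set given as {host: {"addrs": [...], "rrsets": set}}."""
    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two authoritative nameservers")
    networks = {network_of(a) for ns in nameservers.values() for a in ns["addrs"]}
    if len(networks) < 2:
        findings.append("all nameserver addresses fall in one network")
    # Group servers by the exact answer set they serve; more than one group
    # means the copies of the zone have drifted apart.
    by_answers = defaultdict(list)
    for host, ns in nameservers.items():
        by_answers[frozenset(ns["rrsets"])].append(host)
    if len(by_answers) > 1:
        common = frozenset.intersection(*by_answers)
        for rr in sorted(frozenset.union(*by_answers) - common):
            holders = sorted(h for h, ns in nameservers.items() if rr in ns["rrsets"])
            findings.append(f"drift: {' '.join(rr)} served only by {', '.join(holders)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Drift between providers matters because resolvers pick among the NS set, so a stale copy is served to some share of clients until the sync is repaired.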
Common authoritative DNS providers
| Provider | Anycast | Free tier | API |
|---|---|---|---|
| Cloudflare | Yes | Yes | REST |
| Route 53 | Yes | Pay per zone | AWS SDK |
| Google Cloud DNS | Yes | Pay per zone | REST |
| NS1 | Yes | Limited | REST |
| DNSimple | Yes | No, but cheap | REST |
| Vercel DNS | Yes | Yes (free zones) | REST |
For SaaS hosting many tenant zones, anycast + API is the table-stakes feature set.