I’d suggested here that NS add the ability to act as an authoritative DNS server–for a variety of reasons, but one of the big ones is to handle all the various DNS records that proper email hosting calls for. This is the approach taken by Mail in a Box. Recently, I’ve become aware of Couldron, which is similar in concept (i.e., an easy-to-install mailserver and webmail system for self-hosted email). But it takes a different approach to DNS records–rather than having your server act as authoritative DNS for your domain, it uses the API of your DNS host to create the necessary records there.
This seems like a good alternative to my previous request. It means NS doesn’t need quite the uptime and availability that a proper DNS host would, but still automates creation of all the DNS records for mail (IIRC, MIAB creates dozens of them). And if you have the ability to create and alter DNS records, it’d be trivial to also add that ability to any of the web apps that want their own FQDN–when you’re configuring the settings for WordPress, for example, add a checkbox for “create this DNS record” right below the field for the hostname.
This would, of course, mean coding support for a number of DNS hosts’ APIs–I’d think Cloudflare should be high on the list, along with OVH, Route 53, Digital Ocean… And while I’m certainly no expert in the NS8 architecture, this seems like something that would belong in the core, which individual apps could then access with an API method like create-dns-record ($label, $type, $contents). The mail app can then (at the user’s request), once the mail server hostname is configured, create the A, MX, SPF, DKIM, and other relevant records. When a new domain is added, it can add those records as well. Maybe get fancy and rotate DKIM keys or whatever. When I set up a virtual host in the web server app, it can create a CNAME record pointing to the server’s main FQDN, and then get the Let’s Encrypt cert for it. And so on.
Compared to my suggestion of NS being its own authoritative DNS host, this has reduced attack surface. You’re still relying on an external DNS host though.
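To make the proposed core API concrete, here is an added example (not part of the original post, and not NS8 or Couldron code) of what a provider-neutral "create DNS record" layer could look like: it builds the A, MX, SPF and DKIM records for a mail domain, the CNAME for a web-app virtual host, and applies them idempotently through a small provider interface. The `DnsProvider` protocol, the `InMemoryProvider` stand-in for a real DNS host's API, the `create-dns-record`-style signature and the sample values (`example.org`, `192.0.2.10`, the DKIM key material) are all assumptions constructed for this example.

```python
"""Provider-neutral DNS record generation and idempotent creation for a
self-hosted mail server. Constructed example; the provider interface and
all hostnames, addresses and key material are assumptions, not project code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Protocol


@dataclass(frozen=True)
class DnsRecord:
    label: str    # fully qualified owner name, e.g. "mail.example.org"
    type: str     # "A", "MX", "TXT", "CNAME"
    content: str  # rdata in presentation format


class DnsProvider(Protocol):
    """What a concrete backend (Cloudflare, OVH, Route 53, ...) would implement."""

    def list_records(self, zone: str) -> list[DnsRecord]: ...

    def create_record(self, zone: str, record: DnsRecord) -> None: ...


class InMemoryProvider:
    """Stand-in for a real DNS host API so the example runs offline."""

    def __init__(self) -> None:
        self.zones: dict[str, list[DnsRecord]] = {}

    def list_records(self, zone: str) -> list[DnsRecord]:
        return list(self.zones.get(zone, []))

    def create_record(self, zone: str, record: DnsRecord) -> None:
        self.zones.setdefault(zone, []).append(record)


def split_txt(value: str, chunk: int = 255) -> str:
    """Render a TXT rdata as quoted <character-string>s of at most 255 octets.
    A DKIM public key usually exceeds 255 characters, so it must be split."""
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return " ".join(f'"{p}"' for p in parts)


def mail_records(domain: str, mail_host: str, ipv4: str,
                 dkim_selector: str, dkim_pubkey_b64: str,
                 mx_priority: int = 10) -> list[DnsRecord]:
    """The records the post lists for a mail domain: A, MX, SPF and DKIM."""
    return [
        DnsRecord(mail_host, "A", ipv4),
        DnsRecord(domain, "MX", f"{mx_priority} {mail_host}."),
        # SPF: only the MX host may send; "-all" hard-fails everything else
        DnsRecord(domain, "TXT", split_txt("v=spf1 mx -all")),
        # DKIM: rotating keys means publishing a new selector, which is just
        # another record for apply_records to create
        DnsRecord(f"{dkim_selector}._domainkey.{domain}", "TXT",
                  split_txt(f"v=DKIM1; k=rsa; p={dkim_pubkey_b64}")),
    ]


def vhost_record(vhost_fqdn: str, server_fqdn: str) -> DnsRecord:
    """CNAME for a web-app virtual host pointing at the server's main FQDN,
    created before requesting the Let's Encrypt certificate for it."""
    return DnsRecord(vhost_fqdn, "CNAME", f"{server_fqdn}.")


def apply_records(provider: DnsProvider, zone: str,
                  wanted: list[DnsRecord]) -> list[DnsRecord]:
    """Create every wanted record that does not already exist; return the
    ones created. Safe to re-run on every config change."""
    existing = {(r.label, r.type, r.content) for r in provider.list_records(zone)}
    created: list[DnsRecord] = []
    for rec in wanted:
        if (rec.label, rec.type, rec.content) in existing:
            continue
        provider.create_record(zone, rec)
        created.append(rec)
    return created


if __name__ == "__main__":
    dns = InMemoryProvider()
    fake_key = "A" * 300  # constructed placeholder for a base64 RSA public key
    recs = mail_records("example.org", "mail.example.org", "192.0.2.10", "ns8", fake_key)
    recs.append(vhost_record("blog.example.org", "ns8.example.org"))
    for r in apply_records(dns, "example.org", recs):
        print(f"created {r.type:5} {r.label} -> {r.content[:60]}")
    print("second run created:", apply_records(dns, "example.org", recs))
```

The idempotent `apply_records` is the part worth keeping whatever backend sits behind it: the mail app can call it every time the hostname or a domain changes without duplicating records, and key rotation reduces to generating records for a new DKIM selector and applying them.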