fix records repetition (#1432 )

Co-authored-by: Arpit Shah <arpit_shah@cable.comcast.com>
fix for vinyldns banner log (#1444 )
2025-08-30 05:47:56 +00:00 · 2025-08-12 15:06:44 -04:00 · 2025-08-12 09:11:23 -04:00 · 2025-08-05 14:02:53 -04:00 · 2025-08-05 19:04:52 +05:30 · 2025-07-24 21:41:45 -04:00
417 changed files with 25419 additions and 5055 deletions
--- a/.github/workflows/notify.yml
+++ b/.github/workflows/notify.yml
@ -0,0 +1,55 @@
+name: Notify on Workflow Complete
+
+on:
+  workflow_run:
+    workflows: [Verify and Test, VinylDNS Official Release]
+    types:
+      - completed
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Slack Notification On Success
+        uses: slackapi/slack-github-action@v1.18.0
+        if: github.event.workflow_run.conclusion == 'success'
+        with:
+          # For posting a rich message using Block Kit
+          payload: |
+            {
+              "text": "GitHub Action ${{ github.event.workflow.name }} completed successfully!\nAction: ${{ github.event.workflow_run.html_url }}",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":check_mark: GitHub Action `${{ github.event.workflow.name }}` completed successfully!\nAction: ${{ github.event.workflow_run.html_url }}"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+      - name: Send Slack Notification on Failure
+        uses: slackapi/slack-github-action@v1.18.0
+        if: github.event.workflow_run.conclusion != 'success'
+        with:
+          # For posting a rich message using Block Kit
+          payload: |
+            {
+              "text": "GitHub Action ${{ github.event.workflow.name }} FAILED!\nAction: ${{ github.event.workflow_run.html_url }}",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":x: GitHub Action `${{ github.event.workflow.name }}` FAILED!\nAction: ${{ github.event.workflow_run.html_url }}"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--- a/.github/workflows/publish-site.yml
+++ b/.github/workflows/publish-site.yml
@ -1,4 +1,4 @@
-name: Microsite
+name: Documentation Site
 concurrency:
  cancel-in-progress: true
  group: "publish-site"
--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@ -0,0 +1,149 @@
+name: VinylDNS Beta Release
+concurrency:
+  cancel-in-progress: true
+  group: "release"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  workflow_dispatch:
+    inputs:
+      verify-first:
+        description: 'Verify First?'
+        required: true
+        default: 'true'
+      create-gh-release:
+        description: 'Create a GitHub Release?'
+        required: true
+        default: 'true'
+      publish-images:
+        description: 'Publish Docker Images?'
+        required: true
+        default: 'true'
+      pre-release:
+        description: 'Is this a pre-release?'
+        required: true
+        default: 'true'
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  verify:
+    name: Verify Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout current branch
+        if: github.event.inputs.verify-first == 'true'
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Tests
+        id: verify
+        if: github.event.inputs.verify-first == 'true'
+        run: cd build/ && ./assemble_api.sh && ./run_all_tests.sh
+
+  create-gh-release:
+    name: Create GitHub Release
+    needs: verify
+    runs-on: ubuntu-latest
+    if: github.event.inputs.create-gh-release == 'true'
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout current branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build Artifacts
+        id: build
+        run: cd build/ && ./assemble_api.sh && ./assemble_portal.sh
+
+      - name: Get Version
+        id: get-version
+        run: echo "::set-output name=vinyldns_version::$(awk -F'"' '{print $2}' ./version.sbt)"
+
+      - name: Create GitHub Release
+        id: create_release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.get-version.outputs.vinyldns_version }}
+          generate_release_notes: true
+          files: artifacts/*
+          prerelease: ${{ github.event.inputs['pre-release'] == 'true' }}
+
+  docker-release-api:
+    name: Release API Docker Image
+    needs: [ verify, create-gh-release ]
+    runs-on: ubuntu-latest
+    if: github.event.inputs.publish-images == 'true'
+
+    steps:
+      - name: Get Version
+        id: get-version
+        run: echo "::set-output name=vinyldns_version::$(curl -s https://api.github.com/repos/vinyldns/vinyldns/releases | jq -rc '.[0].tag_name')"
+
+      - name: Checkout current branch (full)
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.get-version.outputs.vinyldns_version }}
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Import Content Trust Key
+        run: docker trust key load <(echo "${SIGNING_KEY}") --name vinyldns_svc
+        env:
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+
+      # This will publish the latest release
+      - name: Publish API Docker Image
+        run: make -C build/docker/api publish
+        env:
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+
+  docker-release-portal:
+    name: Release Portal Docker Image
+    needs: [ verify, create-gh-release ]
+    runs-on: ubuntu-latest
+    if: github.event.inputs.publish-images == 'true'
+
+    steps:
+      - name: Get Version
+        id: get-version
+        run: echo "::set-output name=vinyldns_version::$(curl -s https://api.github.com/repos/vinyldns/vinyldns/releases | jq -rc '.[0].tag_name')"
+
+      - name: Checkout current branch (full)
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.get-version.outputs.vinyldns_version }}
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Import Content Trust Key
+        run: docker trust key load <(echo "${SIGNING_KEY}") --name vinyldns_svc
+        env:
+          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+
+      # This will publish the latest release
+      - name: Publish Portal Docker Image
+        run: make -C build/docker/portal publish
+        env:
+          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
--- a/.github/workflows/release-vnext.yml
+++ b/.github/workflows/release-vnext.yml
@ -24,11 +24,13 @@ jobs:

    steps:
      - name: Checkout current branch
+        if: github.event_name != 'push' # We only need to verify if this is manually triggered
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Build and Test
+        if: github.event_name != 'push' # We only need to verify if this is manually triggered
        run: cd build/ && ./assemble_api.sh && ./run_all_tests.sh

  docker-release-api:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -22,7 +22,7 @@ on:
        description: 'Publish Docker Images?'
        required: true
        default: 'true'
-        
+
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

@ -34,7 +34,7 @@ jobs:
    steps:
      - name: Checkout current branch
        if: github.event.inputs.verify-first == 'true'
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

@ -48,12 +48,12 @@ jobs:
    needs: verify
    runs-on: ubuntu-latest
    if: github.event.inputs.create-gh-release == 'true'
-    permissions: 
+    permissions:
      contents: write
-      
+
    steps:
      - name: Checkout current branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

@ -67,7 +67,7 @@ jobs:

      - name: Create GitHub Release
        id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        with:
          tag_name: v${{ steps.get-version.outputs.vinyldns_version }}
          generate_release_notes: true
@ -83,15 +83,15 @@ jobs:
      - name: Get Version
        id: get-version
        run: echo "::set-output name=vinyldns_version::$(curl -s https://api.github.com/repos/vinyldns/vinyldns/releases | jq -rc '.[0].tag_name')"
-        
+
      - name: Checkout current branch (full)
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          ref: ${{ steps.get-version.outputs.vinyldns_version }}
          fetch-depth: 0

      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@ -118,15 +118,15 @@ jobs:
      - name: Get Version
        id: get-version
        run: echo "::set-output name=vinyldns_version::$(curl -s https://api.github.com/repos/vinyldns/vinyldns/releases | jq -rc '.[0].tag_name')"
-        
+
      - name: Checkout current branch (full)
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          ref: ${{ steps.get-version.outputs.vinyldns_version }}
          fetch-depth: 0

      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@ -26,10 +26,42 @@ jobs:
          fetch-depth: 0

      - name: Build and Test
+        id: build
        run: cd build/ && ./assemble_api.sh && ./run_all_tests.sh

      - name: Codecov
-        uses: codecov/codecov-action@v2
+        id: codecov0
+        uses: codecov/codecov-action@v4
+        continue-on-error: true
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
-          fail_ci_if_error: false
+      - name: Codecov Retry
+        id: codecov1
+        if: steps.codecov0.outcome=='failure'
+        uses: codecov/codecov-action@v4
+        continue-on-error: true
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Codecov Retry 2
+        id: codecov2
+        if: steps.codecov1.outcome=='failure'
+        uses: codecov/codecov-action@v4
+        continue-on-error: true
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Codecov Retry 3
+        id: codecov3
+        if: steps.codecov2.outcome=='failure'
+        uses: codecov/codecov-action@v4
+        continue-on-error: true
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: set the status              # set the workflow status if command failed
+        if: steps.build.outcome=='success'
+        run: |
+          if ${{ steps.codecov0.outcome=='success' || steps.codecov1.outcome=='success' || steps.codecov2.outcome=='success' || steps.codecov3.outcome=='success' }}; then
+             echo "Codecov completed successfully"
+          else
+            echo "Codecov failed after three retries"
+            exit 1
+          fi
--- a/.gitignore
+++ b/.gitignore
@ -34,5 +34,16 @@ project/metals.sbt
 quickstart/data
 **/.virtualenv
 **/.venv*
-**/*cache*
 **/artifacts/
+**/.env.overrides
+**/node_modules
+.run
+**/*.zip
+**/*.log
+modules/portal/public/custom/
+modules/portal/public/gentelella/
+modules/portal/public/javascripts/
+modules/portal/public/project/
+modules/portal/public/stylesheets/
+**/.env.*
+modules/portal/package-lock.json
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -21,12 +21,14 @@ in any way, but do not see your name here, please open a PR to add yourself (in
 - Joe Crowe
 - Jearvon Dharrie
 - Andrew Dunn
+- Josh Edwards
 - Ryan Emerle
 - David Grizzanti
 - Alejandro Guirao
 - Daniel Jin
 - Harry Kauffman
 - Krista Khare
+- Sokitha Krishnan
 - Patrick Lee
 - Sheree Liu
 - Michael Ly
@ -36,14 +38,18 @@ in any way, but do not see your name here, please open a PR to add yourself (in
 - Joshulyne Park
 - Nathan Pierce
 - Michael Pilquist
+- Aravindh Raju
 - Sriram Ramakrishnan
 - Khalid Reid
 - Timo Schmid
 - Trent Schmidt
+- Arpit Shah
 - Ghafar Shah
+- Nick Spadaccino
 - Rebecca Star
 - Jess Stodola
 - Juan Valencia
+- Jayaraj Velkumar
 - Anastasia Vishnyakova
 - Jim Wakemen
 - Fei Wan
--- a/DEVELOPER_GUIDE.md
+++ b/DEVELOPER_GUIDE.md
@ -10,6 +10,7 @@
    * [Portal](#portal)
    * [Documentation](#documentation)
 - [Running VinylDNS Locally](#running-vinyldns-locally)
+    * [Support for M1 Macs](#support-for-m1-macs)
    * [Starting the API Server](#starting-the-api-server)
    * [Starting the Portal](#starting-the-portal)
 - [Testing](#testing)
@ -27,18 +28,19 @@

 ## Developer Requirements (Local)

- Java 8+
+- Java (version: >= 8, <= 11)
 - Scala 2.12
 - sbt 1.4+
-
-
 - curl
 - docker
 - docker-compose
 - GNU Make 3.82+
 - grunt
- npm
+- Node.js/npm v12+
 - Python 3.5+
+- [coreutils](https://www.gnu.org/software/coreutils/)
+  - Linux: `apt install coreutils` or `yum install coreutils`
+  - macOS: [`brew install coreutils`](https://formulae.brew.sh/formula/coreutils)

 ## Developer Requirements (Docker)

@ -174,6 +176,7 @@ Once the prerequisites are running, you can start up sbt by running `sbt` from t

 - `project api` to change the sbt project to the API
 - `reStart` to start up the API server
+  - To enable interactive debugging, you can run `set Revolver.enableDebugging(port = 5020, suspend = true)` before running `reStart` 
 - Wait until you see the message `VINYLDNS SERVER STARTED SUCCESSFULLY` before working with the server
 - To stop the VinylDNS server, run `reStop` from the api project
 - To stop the dependent Docker containers: `utils/clean-vinyldns-containers.sh`
@ -187,7 +190,7 @@ To run the portal locally, you _first_ have to start up the VinylDNS API Server.
 instructions for [Staring the API Server](#starting-the-api-server) or by using the QuickStart:

 ```shell
-quickstart/quickstart-vinyldns.sh --api-only
+quickstart/quickstart-vinyldns.sh --api
 ```

 Once that is done, in the same `sbt` session or a different one, go to `project portal` and then
@ -265,7 +268,7 @@ Additionally, you can pass `--interactive` to `make run` or `make run-local` to
 From there you can run tests with the `/functional_test/run.sh` command. This allows for finer-grained control over the
 test execution process as well as easier inspection of logs.

-You can run a specific test by name by running `make run -- -k <name of test function>`. Any arguments after
+You can run a specific test by name by running `make build` and `make run -- -k <name of test function>`. Any arguments after
 `make run --` will be passed to the test runner [`test/api/functional/run.sh`](test/api/functional/run.sh).

 Finally, you can execute `make run-deps-bg` to all of the dependencies for the functional test, but not run the tests.
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 [![VinylDNS Release](https://img.shields.io/github/v/release/vinyldns/vinyldns?label=latest%20release&logo=github)](https://github.com/vinyldns/vinyldns/releases/latest)
-[![VinylDNS API Docker Image](https://img.shields.io/docker/v/vinyldns/api?color=brightgreen&label=API%20Image&logo=docker&logoColor=white)](https://hub.docker.com/r/vinyldns/api/tags?page=1&ordering=last_updated)
-[![VinylDNS Portal Docker Image](https://img.shields.io/docker/v/vinyldns/portal?color=brightgreen&label=Portal%20Image&logo=docker&logoColor=white)](https://hub.docker.com/r/vinyldns/portal/tags?page=1&ordering=last_updated)
+[![VinylDNS API Docker Image](https://img.shields.io/github/v/release/vinyldns/vinyldns?color=brightgreen&label=API%20Image&logo=docker&logoColor=white&cacheSeconds=300)](https://hub.docker.com/r/vinyldns/api/tags?page=1&ordering=last_updated)
+[![VinylDNS Portal Docker Image](https://img.shields.io/github/v/release/vinyldns/vinyldns?color=brightgreen&label=Portal%20Image&logo=docker&logoColor=white&cacheSeconds=300)](https://hub.docker.com/r/vinyldns/portal/tags?page=1&ordering=last_updated)

 <p align="left">
  <a href="https://www.vinyldns.io/">
@ -145,9 +145,9 @@ See the [Contributing Guide](CONTRIBUTING.md).

 The current maintainers (people who can merge pull requests) are:

- Ryan Emerle ([@remerle](https://github.com/remerle))
- Sriram Ramakrishnan ([@sramakr](https://github.com/sramakr))
- Jim Wakemen ([@jwakemen](https://github.com/jwakemen))
+- Arpit Shah ([@arpit4ever](https://github.com/arpit4ever))
+- Nick Spadaccino ([@nspadaccino](https://github.com/nspadaccino))
+- Jayaraj Velkumar ([@Jay07GIT](https://github.com/Jay07GIT))

 See [AUTHORS.md](AUTHORS.md) for the full list of contributors to VinylDNS.

--- a/build.sbt
+++ b/build.sbt
@ -2,10 +2,9 @@ import CompilerOptions._
 import Dependencies._
 import microsites._
 import org.scalafmt.sbt.ScalafmtPlugin._
-import scoverage.ScoverageKeys.{coverageFailOnMinimum, coverageMinimum}
+import scoverage.ScoverageKeys.{coverageMinimum, coverageFailOnMinimum}

 import scala.language.postfixOps
-import scala.sys.env
 import scala.util.Try

 lazy val IntegrationTest = config("it").extend(Test)
@ -38,7 +37,7 @@ lazy val sharedSettings = Seq(
  // coverage options
  coverageMinimum := 85,
  coverageFailOnMinimum := true,
-  coverageHighlighting := true,
+  coverageHighlighting := true
 )

 lazy val testSettings = Seq(
@ -73,6 +72,10 @@ lazy val apiAssemblySettings = Seq(
      MergeStrategy.discard
    case PathList("scala", "tools", "nsc", "doc", "html", "resource", "lib", "template.js") =>
      MergeStrategy.discard
+    case "simulacrum/op.class" | "simulacrum/op$.class" | "simulacrum/typeclass$.class"
+         | "simulacrum/typeclass.class" | "simulacrum/noop.class" =>
+      MergeStrategy.discard
+    case x if x.endsWith("module-info.class") => MergeStrategy.discard
    case x =>
      val oldStrategy = (assemblyMergeStrategy in assembly).value
      oldStrategy(x)
@ -113,8 +116,8 @@ lazy val coreBuildSettings = Seq(
  // do not use unused params as NoOpCrypto ignores its constructor, we should provide a way
  // to write a crypto plugin so that we fall back to a noarg constructor
  scalacOptions ++= scalacOptionsByV(scalaVersion.value).filterNot(_ == "-Ywarn-unused:params"),
-  PB.targets in Compile := Seq(PB.gens.java("2.6.1") -> (sourceManaged in Compile).value),
-  PB.protocVersion := "-v261"
+  PB.targets in Compile := Seq(PB.gens.java("3.21.7") -> (sourceManaged in Compile).value),
+  PB.protocVersion := "3.21.7"
 )

 lazy val corePublishSettings = Seq(
@ -205,9 +208,11 @@ lazy val portalSettings = Seq(
  routesGenerator := InjectedRoutesGenerator,
  coverageExcludedPackages := "<empty>;views.html.*;router.*;controllers\\.javascript.*;.*Reverse.*",
  javaOptions in Test += "-Dconfig.file=conf/application-test.conf",
-  // ads the version when working locally with sbt run
+  // Adds the version when working locally with sbt run
  PlayKeys.devSettings += "vinyldns.base-version" -> (version in ThisBuild).value,
-  // adds an extra classpath to the portal loading so we can externalize jars, make sure to create the lib_extra
+  // Automatically run the prepare portal script before `run`
+  PlayKeys.playRunHooks += PreparePortalHook(baseDirectory.value),
+  // Adds an extra classpath to the portal loading so we can externalize jars, make sure to create the lib_extra
  // directory and lay down any dependencies that are required when deploying
  scriptClasspath in bashScriptDefines ~= (cp => cp :+ "lib_extra/*"),
  mainClass in reStart := None,
@ -240,7 +245,7 @@ lazy val portal = (project in file("modules/portal"))
  .settings(testSettings)
  .settings(portalSettings)
  .settings(
-    name := "portal",
+    name := "portal"
  )
  .dependsOn(mysql)

@ -252,6 +257,8 @@ lazy val docSettings = Seq(
  micrositeDescription := "DNS Automation and Governance",
  micrositeAuthor := "VinylDNS",
  micrositeHomepage := "https://vinyldns.io",
+  micrositeTwitter := "@vinyldns_oss",
+  micrositeTwitterCreator := "@vinyldns_oss",
  micrositeDocumentationUrl := "/api",
  micrositeDocumentationLabelDescription := "API Documentation",
  micrositeHighlightLanguages ++= Seq("json", "yaml", "bnf", "plaintext"),
--- a/build/assemble_artifacts.sh
+++ b/build/assemble_artifacts.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# This script will build the API and Portal artifacts from the current
+# workspace code
+#
+set -euo pipefail
+
+DIR=$(
+  cd "$(dirname "$0")"
+  pwd -P
+)
+
+usage() {
+  echo "USAGE: assemble_artifacts.sh [options]"
+  echo -e "\t-c, --clean         removes all files from the ./artifacts directory"
+}
+
+clean(){
+  echo "Cleaning artifacts"
+  if [ -d "${DIR}/../artifacts/" ] && [ -f "${DIR}/../artifacts/vinyldns-api.jar" ]; then
+    rm "${DIR}/../artifacts/vinyldns-api.jar"
+  fi
+  if [ -d "${DIR}/../artifacts/" ] && [ -f "${DIR}/../artifacts/vinyldns-portal.zip" ]; then
+    rm "${DIR}/../artifacts/vinyldns-portal.zip"
+  fi
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+  --clean | -c)
+    clean
+    exit 0
+    ;;
+  *)
+    usage
+    exit 1
+    ;;
+  esac
+done
+
+clean
+"${DIR}/assemble_api.sh" && "${DIR}/assemble_portal.sh"
--- a/build/docker/.env
+++ b/build/docker/.env
@ -17,3 +17,4 @@ JDBC_URL=jdbc:mariadb://vinyldns-integration:19002/vinyldns?user=root&password=p
 JDBC_MIGRATION_URL=jdbc:mariadb://vinyldns-integration:19002/?user=root&password=pass
 JDBC_USER=root
 JDBC_PASSWORD=pass
+FLYWAY_OUT_OF_ORDER=false
--- a/build/docker/api/Dockerfile
+++ b/build/docker/api/Dockerfile
@ -31,8 +31,9 @@ VOLUME ["/opt/vinyldns/lib_extra/", "/opt/vinyldns/conf/"]
 EXPOSE 9000

 ENV JVM_OPTS=""
-ENTRYPOINT ["/bin/bash", "-c", "java ${JVM_OPTS} -Dconfig.file=/opt/vinyldns/conf/application.conf \
+ENV INIT_SCRIPT="/bin/true"
+ENTRYPOINT ["/bin/bash", "-c", "${INIT_SCRIPT} && java ${JVM_OPTS} -Dconfig.file=/opt/vinyldns/conf/application.conf \
                                -Dlogback.configurationFile=/opt/vinyldns/conf/logback.xml \
                                -Dvinyldns.version=$(cat /opt/vinyldns/version) \
-                                -cp /opt/vinyldns/lib_extra/* \
-                                -jar /opt/vinyldns/vinyldns-api.jar" ]
+                                -cp /opt/vinyldns/lib_extra/*:/opt/vinyldns/vinyldns-api.jar \
+                                vinyldns.api.Boot" ]
--- a/build/docker/api/application.conf
+++ b/build/docker/api/application.conf
@ -28,6 +28,16 @@ vinyldns {
  multi-record-batch-change-enabled = true
  multi-record-batch-change-enabled = ${?MULTI_RECORD_BATCH_CHANGE_ENABLED}

+  # Server settings
+  use-recordset-cache = true
+  use-recordset-cache = ${?USE_RECORDSET_CACHE}
+  load-test-data = false
+  load-test-data = ${?LOAD_TEST_DATA}
+  # should be true while running locally or when we have only one api server/instance, for zone sync scheduler to work
+  is-zone-sync-schedule-allowed = true
+  # should be set to true only on a single server/instance else automated sync will be performed at every server/instance
+  is-zone-sync-schedule-allowed = ${?IS_ZONE_SYNC_SCHEDULE_ALLOWED}
+
  # configured backend providers
  backend {
    # Use "default" when dns backend legacy = true
@ -151,6 +161,17 @@ vinyldns {
    port=${?API_SERVICE_PORT}
  }

+  api {
+    limits {
+      batchchange-routing-max-items-limit = 100
+      membership-routing-default-max-items = 100
+      membership-routing-max-items-limit = 1000
+      membership-routing-max-groups-list-limit = 3000
+      recordset-routing-default-max-items= 100
+      zone-routing-default-max-items = 100
+      zone-routing-max-items-limit = 100
+    }
+  }

  approved-name-servers = [
    "172.17.42.1.",
@ -178,14 +199,22 @@ vinyldns {
      name = ${?DATABASE_NAME}
      driver = "org.mariadb.jdbc.Driver"
      driver = ${?JDBC_DRIVER}
-      migration-url = "jdbc:mariadb://localhost:19002/?user=root&password=pass"
+      migration-url = "jdbc:mariadb://localhost:19002/?user=root&password=pass&socketTimeout=20000"
      migration-url = ${?JDBC_MIGRATION_URL}
-      url = "jdbc:mariadb://localhost:19002/vinyldns?user=root&password=pass"
+      url = "jdbc:mariadb://localhost:19002/vinyldns?user=root&password=pass&socketTimeout=20000"
      url = ${?JDBC_URL}
      user = "root"
      user = ${?JDBC_USER}
      password = "pass"
      password = ${?JDBC_PASSWORD}
+      flyway-out-of-order = false
+      flyway-out-of-order = ${?FLYWAY_OUT_OF_ORDER}
+
+      max-lifetime = 300000
+      connection-timeout-millis = 30000
+      idle-timeout = 150000
+      maximum-pool-size = 20
+      minimum-idle = 5
    }

    # TODO: Remove the need for these useless configuration blocks
@ -198,6 +227,8 @@ vinyldns {
      }
      record-set {
      }
+      record-set-cache {
+      }
      zone-change {
      }
      record-change {
@ -320,13 +351,17 @@ akka.http {
    # Set to `infinite` to disable.
    bind-timeout = 5s

+    # A default request timeout is applied globally to all routes and can be configured using the
+    # akka.http.server.request-timeout setting (which defaults to 20 seconds).
+    # request-timeout = 60s
+
    # Show verbose error messages back to the client
    verbose-error-messages = on
  }

  parsing {
-    # Spray doesn't like the AWS4 headers
-    illegal-header-warnings = on
+    # Don't complain about the / in the AWS SigV4 auth header
+    ignore-illegal-header-for = ["authorization"]
  }
 }

--- a/build/docker/api/logback.xml
+++ b/build/docker/api/logback.xml
@ -1,32 +1,28 @@
 <configuration>
+    <variable name="VINYLDNS_LOG_LEVEL" value="${VINYLDNS_LOG_LEVEL:-INFO}" />
+
    <!-- Test configuration, log to console so we can get the docker logs -->
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
-            <pattern>%d [test] %-5p | \(%logger{4}:%line\) | %msg %n</pattern>
+        <encoder class="co.elastic.logging.logback.EcsEncoder">
+            <serviceName>vinyldns-api</serviceName>
+            <serviceNodeName>vinyldns-api</serviceNodeName>
        </encoder>
    </appender>

-    <logger name="org.flywaydb" level="DEBUG">
+
+    <logger name="vinyldns.core.route.Monitor" level="OFF"/>
+
+    <logger name="scalikejdbc.StatementExecutor$$anon$1" level="OFF"/>
+
+    <logger name="com.zaxxer.hikari" level="ERROR">
        <appender-ref ref="CONSOLE"/>
    </logger>

-    <logger name="org.flywaydb.core.internal.dbsupport.SqlScript" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
+    <logger name="BANNER_LOGGER" level="INFO" additivity="false">
+        <appender-ref ref="BANNER_APPENDER"/>
    </logger>

-    <logger name="org.flywaydb.core.internal.command.DbMigrate" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <logger name="vinyldns.core.route.Monitor" level="OFF">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <logger name="scalikejdbc.StatementExecutor$$anon$1" level="OFF">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <root level="INFO">
+    <root level="${VINYLDNS_LOG_LEVEL}">
        <appender-ref ref="CONSOLE"/>
    </root>
 </configuration>
--- a/build/docker/portal/Dockerfile
+++ b/build/docker/portal/Dockerfile
@ -39,7 +39,8 @@ VOLUME ["/opt/vinyldns/lib_extra/", "/opt/vinyldns/conf/"]
 EXPOSE 9001

 ENV JVM_OPTS=""
-ENTRYPOINT ["/bin/bash","-c", "java ${JVM_OPTS} -Dvinyldns.version=$(cat /opt/vinyldns/version) \
+ENV INIT_SCRIPT="/bin/true"
+ENTRYPOINT ["/bin/bash","-c", "${INIT_SCRIPT} && java ${JVM_OPTS} -Dvinyldns.version=$(cat /opt/vinyldns/version) \
                               -Dlogback.configurationFile=/opt/vinyldns/conf/logback.xml \
                               -Dconfig.file=/opt/vinyldns/conf/application.conf \
                               -cp /opt/vinyldns/conf:/opt/vinyldns/lib/*:/opt/vinyldns/lib_extra/* \
--- a/build/docker/portal/application.conf
+++ b/build/docker/portal/application.conf
@ -37,6 +37,38 @@ LDAP {
  }
 }

+mysql {
+  class-name = "vinyldns.mysql.repository.MySqlDataStoreProvider"
+  endpoint = "localhost:19002"
+  endpoint = ${?MYSQL_ENDPOINT}
+
+  settings {
+    # JDBC Settings, these are all values in scalikejdbc-config, not our own
+    # these must be overridden to use MYSQL for production use
+    # assumes a docker or mysql instance running locally
+    name = "vinyldns"
+    name = ${?DATABASE_NAME}
+    driver = "org.mariadb.jdbc.Driver"
+    driver = ${?JDBC_DRIVER}
+    migration-url = "jdbc:mariadb://"${mysql.endpoint}"/?user=root&password=pass&socketTimeout=20000"
+    migration-url = ${?JDBC_MIGRATION_URL}
+    url = "jdbc:mariadb://"${mysql.endpoint}"/vinyldns?user=root&password=pass&socketTimeout=20000"
+    url = ${?JDBC_URL}
+    user = "root"
+    user = ${?JDBC_USER}
+    password = "pass"
+    password = ${?JDBC_PASSWORD}
+    flyway-out-of-order = false
+    flyway-out-of-order = ${?FLYWAY_OUT_OF_ORDER}
+
+    max-lifetime = 300000
+    connection-timeout-millis = 30000
+    idle-timeout = 150000
+    maximum-pool-size = 20
+    minimum-idle = 5
+  }
+}
+
 # Note: This MUST match the API or strange errors will ensue, NoOpCrypto should not be used for production
 crypto {
  type = "vinyldns.core.crypto.NoOpCrypto"
@ -44,6 +76,18 @@ crypto {
  secret = ${?CRYPTO_SECRET}
 }

+api {
+  limits {
+    batchchange-routing-max-items-limit = 100
+    membership-routing-default-max-items = 100
+    membership-routing-max-items-limit = 1000
+    membership-routing-max-groups-list-limit = 3000
+    recordset-routing-default-max-items= 100
+    zone-routing-default-max-items = 100
+    zone-routing-max-items-limit = 100
+  }
+}
+
 http.port = 9001
 http.port = ${?PORTAL_PORT}

@ -57,6 +101,12 @@ shared-display-enabled = ${?SHARED_ZONES_ENABLED}
 play.http.secret.key = "changeme"
 play.http.secret.key = ${?PLAY_HTTP_SECRET_KEY}

+# See https://www.playframework.com/documentation/2.8.x/AllowedHostsFilter for more details.
+# Note: allowed = ["."] matches all hosts hence would not be recommended in a production environment.
+play.filters.hosts {
+  allowed = ["."]
+}
+
 # You can provide configuration overrides via local.conf if you don't want to replace everything in
 # this configuration file
 include "local.conf"
--- a/build/docker/portal/logback.xml
+++ b/build/docker/portal/logback.xml
@ -1,10 +1,11 @@
 <configuration>
-    
+  <variable name="VINYLDNS_LOG_LEVEL" value="${VINYLDNS_LOG_LEVEL:-INFO}" />
  <conversionRule conversionWord="coloredLevel" converterClass="play.api.libs.logback.ColoredLevel" />

-  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-    <encoder>
-      <pattern>%d{"yyyy-MM-dd HH:mm:ss,SSS"} %coloredLevel - %logger - %message%n%xException</pattern>
+  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder class="co.elastic.logging.logback.EcsEncoder">
+      <serviceName>vinyldns-portal</serviceName>
+      <serviceNodeName>vinyldns-portal</serviceNodeName>
    </encoder>
  </appender>
  <!--
@ -14,8 +15,12 @@
  <logger name="play" level="INFO" />
  <logger name="application" level="DEBUG" />

-  <root level="INFO">
-    <appender-ref ref="STDOUT" />
+  <logger name="com.zaxxer.hikari" level="ERROR">
+    <appender-ref ref="CONSOLE"/>
+  </logger>
+
+  <root level="${VINYLDNS_LOG_LEVEL}">
+    <appender-ref ref="CONSOLE" />
  </root>

 </configuration>
--- a/build/sbt.sh
+++ b/build/sbt.sh
@ -3,5 +3,47 @@ set -euo pipefail

 DIR=$(cd -P -- "$(dirname -- "$0")" && pwd -P)

+usage() {
+  echo "USAGE: sbt.sh [options]"
+  echo -e "\t-d, --debug        enable debugging"
+  echo -e "\t-p, --debug-port   the debug port (default: 5021)"
+  echo -e "\t-e, --expose       expose one or more ports using the Docker format for exposing ports"
+}
+
+DEBUG_SETTINGS=""
+DEBUG_PORT=5021
+EXPOSE_PORTS=""
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+  --debug | -d)
+    DEBUG_SETTINGS="-e SBT_OPTS=\"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n"
+    shift
+    ;;
+  --debug-port | -p)
+    DEBUG_PORT=$2
+    shift
+    shift
+    ;;
+  --expose | -e)
+    EXPOSE_PORTS="${EXPOSE_PORTS} -p \"$2\""
+    shift
+    shift
+    ;;
+  *)
+    usage
+    exit 1
+    ;;
+  esac
+done
+
+if [ "${DEBUG_SETTINGS}" != "" ]; then
+  DEBUG_SETTINGS="${DEBUG_SETTINGS},address=${DEBUG_PORT}\""
+
+  # If given a debug port outside of the default range, expose the selected port
+  if [[ "$DEBUG_PORT" -lt 5020 ]] || [[ "$DEBUG_PORT" -gt 5030 ]]; then
+    DEBUG_SETTINGS="${DEBUG_SETTINGS} -p \"${DEBUG_PORT}:${DEBUG_PORT}\""
+  fi
+fi
+
 cd "$DIR/../test/api/integration"
-make build DOCKER_PARAMS="--build-arg SKIP_API_BUILD=true" && make run-local WITH_ARGS="sbt" DOCKER_PARAMS="-e RUN_SERVICES=none --env-file \"$DIR/../test/api/integration/.env.integration\""
+make build DOCKER_PARAMS="--build-arg SKIP_API_BUILD=true" && make run-local WITH_ARGS="sbt" DOCKER_PARAMS="-p \"5020-5030:5020-5030\" ${DEBUG_SETTINGS} ${EXPOSE_PORTS} -e RUN_SERVICES=none --env-file \"$DIR/../test/api/integration/.env.integration\""
--- a/build/verify.sh
+++ b/build/verify.sh
@ -2,6 +2,11 @@
 set -euo pipefail

 DIR=$(cd -P -- "$(dirname -- "$0")" && pwd -P)
+source "${DIR}/../utils/includes/terminal_colors.sh"
+
+if [ ! -d "${DIR}/../artifacts" ] || [ ! -f "${DIR}/../artifacts/vinyldns-api.jar" ]; then
+  echo -e "${F_YELLOW}Warning:${F_RESET} you might want to run 'build/assemble_api.sh' first to improve performance"
+fi

 cd "${DIR}/../test/api/integration"
 make build && make run DOCKER_PARAMS="-v \"$(pwd)/../../../target:/build/target\"" WITH_ARGS="bash -c \"sbt ';validate' && sbt ';verify'\""
--- a/modules/api/src/it/resources/application.conf
+++ b/modules/api/src/it/resources/application.conf
@ -49,6 +49,7 @@ vinyldns {
                key-name = ${?DEFAULT_DNS_KEY_NAME}
                key = "nzisn+4G2ldMn0q1CV3vsg=="
                key = ${?DEFAULT_DNS_KEY_SECRET}
+                algorithm = "HMAC-MD5"
                primary-server = "127.0.0.1:19001"
                primary-server = ${?DEFAULT_DNS_ADDRESS}
              }
@ -58,6 +59,7 @@ vinyldns {
                key-name = ${?DEFAULT_DNS_KEY_NAME}
                key = "nzisn+4G2ldMn0q1CV3vsg=="
                key = ${?DEFAULT_DNS_KEY_SECRET}
+                algorithm = "HMAC-MD5"
                primary-server = "127.0.0.1:19001"
                primary-server = ${?DEFAULT_DNS_ADDRESS}
              },
@ -161,6 +163,28 @@ vinyldns {
    "ns1.parent.com4."
  ]

+  # approved zones, individual users, users in groups, record types and no.of.dots that are allowed for dotted hosts
+  dotted-hosts = {
+    # for local testing
+    allowed-settings = [
+      {
+      zone = "*mmy."
+      user-list = ["testuser"]
+      group-list = ["dummy-group"]
+      record-types = ["AAAA"]
+      dots-limit = 3
+      },
+      {
+      # for wildcard zones. Settings will be applied to all matching zones
+      zone = "parent.com."
+      user-list = ["professor", "testuser"]
+      group-list = ["testing-group"]
+      record-types = ["A", "CNAME"]
+      dots-limit = 3
+      }
+    ]
+  }
+
  # Note: This MUST match the Portal or strange errors will ensue, NoOpCrypto should not be used for production
  crypto {
    type = "vinyldns.core.crypto.NoOpCrypto"
@ -186,6 +210,8 @@ vinyldns {
      user = ${?JDBC_USER}
      password = "pass"
      password = ${?JDBC_PASSWORD}
+      flyway-out-of-order = false
+      flyway-out-of-order = ${?FLYWAY_OUT_OF_ORDER}
    }

    # TODO: Remove the need for these useless configuration blocks
@ -198,6 +224,8 @@ vinyldns {
      }
      record-set {
      }
+      record-set-cache {
+      }
      zone-change {
      }
      record-change {
@ -320,13 +348,17 @@ akka.http {
    # Set to `infinite` to disable.
    bind-timeout = 5s

+    # A default request timeout is applied globally to all routes and can be configured using the
+    # akka.http.server.request-timeout setting (which defaults to 20 seconds).
+    # request-timeout = 60s
+
    # Show verbose error messages back to the client
    verbose-error-messages = on
  }

  parsing {
-    # Spray doesn't like the AWS4 headers
-    illegal-header-warnings = on
+    # Don't complain about the / in the AWS SigV4 auth header
+    ignore-illegal-header-for = ["authorization"]
  }
 }

--- a/modules/api/src/it/resources/logback-test.xml
+++ b/modules/api/src/it/resources/logback-test.xml
@ -1,7 +1,8 @@
 <configuration>
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
-            <pattern>%msg%n</pattern>
+        <encoder class="co.elastic.logging.logback.EcsEncoder">
+            <serviceName>vinyldns-api</serviceName>
+            <serviceNodeName>vinyldns-api</serviceNodeName>
        </encoder>
    </appender>

--- a/modules/api/src/it/scala/vinyldns/api/MySqlApiIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/MySqlApiIntegrationSpec.scala
@ -34,6 +34,6 @@ trait MySqlApiIntegrationSpec extends MySqlIntegrationSpec {

  def clearGroupRepo(): Unit =
    DB.localTx { s =>
-      s.executeUpdate("DELETE FROM groups")
+      s.executeUpdate("DELETE FROM `groups`")
    }
 }
--- a/modules/api/src/it/scala/vinyldns/api/backend/dns/DnsBackendIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/backend/dns/DnsBackendIntegrationSpec.scala
@ -16,19 +16,14 @@

 package vinyldns.api.backend.dns

-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AnyWordSpec
 import vinyldns.api.backend.dns.DnsProtocol.NoError
 import vinyldns.core.crypto.NoOpCrypto
-import vinyldns.core.domain.record.{
-  AData,
-  RecordSet,
-  RecordSetChange,
-  RecordSetChangeType,
-  RecordSetStatus,
-  RecordType
-}
+import vinyldns.core.domain.Encrypted
+import vinyldns.core.domain.record.{AData, RecordSet, RecordSetChange, RecordSetChangeType, RecordSetStatus, RecordType}
 import vinyldns.core.domain.zone.{Algorithm, Zone, ZoneConnection}

 class DnsBackendIntegrationSpec extends AnyWordSpec with Matchers {
@ -36,7 +31,7 @@ class DnsBackendIntegrationSpec extends AnyWordSpec with Matchers {
  private val testConnection = ZoneConnection(
    "vinyldns.",
    "vinyldns.",
-    "nzisn+4G2ldMn0q1CV3vsg==",
+    Encrypted("nzisn+4G2ldMn0q1CV3vsg=="),
    sys.env.getOrElse("DEFAULT_DNS_ADDRESS", "127.0.0.1:19001"),
    Algorithm.HMAC_MD5
  )
@ -74,7 +69,7 @@ class DnsBackendIntegrationSpec extends AnyWordSpec with Matchers {
        RecordType.A,
        200,
        RecordSetStatus.Active,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        None,
        List(AData("10.1.1.1"))
      )
--- a/modules/api/src/it/scala/vinyldns/api/domain/batch/BatchChangeRepositoryIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/domain/batch/BatchChangeRepositoryIntegrationSpec.scala
@ -16,7 +16,8 @@

 package vinyldns.api.domain.batch

-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AnyWordSpecLike
 import vinyldns.api.MySqlApiIntegrationSpec
@ -44,7 +45,7 @@ class BatchChangeRepositoryIntegrationSpec
        okUser.id,
        okUser.userName,
        None,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        List(
          SingleAddChange(
            Some("some-zone-id"),
--- a/modules/api/src/it/scala/vinyldns/api/domain/record/RecordSetServiceIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/domain/record/RecordSetServiceIntegrationSpec.scala
@ -19,54 +19,79 @@ package vinyldns.api.domain.record
 import cats.effect._
 import cats.implicits._
 import cats.scalatest.EitherMatchers
-import org.joda.time.DateTime
+import org.mockito.Matchers.any
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.mockito.Mockito._
 import org.scalatest.{BeforeAndAfterAll, BeforeAndAfterEach}
 import org.scalatest.matchers.should.Matchers
 import org.scalatestplus.mockito.MockitoSugar
 import org.scalatest.wordspec.AnyWordSpec
+import scalikejdbc.DB
 import vinyldns.api._
 import vinyldns.api.config.VinylDNSConfig
 import vinyldns.api.domain.access.AccessValidations
 import vinyldns.api.domain.zone._
 import vinyldns.api.engine.TestMessageQueue
-import vinyldns.core.TestMembershipData._
+import vinyldns.mysql.TransactionProvider
 import vinyldns.core.TestZoneData.testConnection
-import vinyldns.core.domain.{Fqdn, HighValueDomainError}
+import vinyldns.core.domain.{Encrypted, Fqdn, HighValueDomainError}
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.backend.{Backend, BackendResolver}
 import vinyldns.core.domain.membership.{Group, GroupRepository, User, UserRepository}
 import vinyldns.core.domain.record.RecordType._
 import vinyldns.core.domain.record._
 import vinyldns.core.domain.zone._
+import vinyldns.core.notifier.{AllNotifiers, Notification, Notifier}
+
+import scala.concurrent.ExecutionContext

 class RecordSetServiceIntegrationSpec
-    extends AnyWordSpec
+  extends AnyWordSpec
    with ResultHelpers
    with EitherMatchers
    with MockitoSugar
    with Matchers
    with MySqlApiIntegrationSpec
    with BeforeAndAfterEach
-    with BeforeAndAfterAll {
+    with BeforeAndAfterAll
+    with TransactionProvider {
+
+  private implicit val contextShift: ContextShift[IO] = IO.contextShift(ExecutionContext.global)

  private val vinyldnsConfig = VinylDNSConfig.load().unsafeRunSync()

  private val recordSetRepo = recordSetRepository
+  private val recordSetCacheRepo = recordSetCacheRepository
+
+  private val mockNotifier = mock[Notifier]
+  private val mockNotifiers = AllNotifiers(List(mockNotifier))
+
  private val zoneRepo: ZoneRepository = zoneRepository
  private val groupRepo: GroupRepository = groupRepository

  private var testRecordSetService: RecordSetServiceAlgebra = _

-  private val user = User("live-test-user", "key", "secret")
-  private val user2 = User("shared-record-test-user", "key-shared", "secret-shared")
+  private val user = User("live-test-user", "key", Encrypted("secret"))
+  private val testUser = User("testuser", "key", Encrypted("secret"))
+  private val user2 = User("shared-record-test-user", "key-shared", Encrypted("secret-shared"))
+
  private val group = Group(s"test-group", "test@test.com", adminUserIds = Set(user.id))
+  private val dummyGroup = Group(s"dummy-group", "test@test.com", adminUserIds = Set(testUser.id))
  private val group2 = Group(s"test-group", "test@test.com", adminUserIds = Set(user.id, user2.id))
  private val sharedGroup =
    Group(s"test-shared-group", "test@test.com", adminUserIds = Set(user.id, user2.id))
  private val auth = AuthPrincipal(user, Seq(group.id, sharedGroup.id))
  private val auth2 = AuthPrincipal(user2, Seq(sharedGroup.id, group2.id))
+  val dummyAuth: AuthPrincipal = AuthPrincipal(testUser, Seq(dummyGroup.id))

+  private val dummyZone = Zone(
+    s"dummy.",
+    "test@test.com",
+    status = ZoneStatus.Active,
+    connection = testConnection,
+    adminGroupId = dummyGroup.id
+  )
  private val zone = Zone(
    s"live-zone-test.",
    "test@test.com",
@ -81,7 +106,7 @@ class RecordSetServiceIntegrationSpec
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("10.1.1.1"))
  )
@ -91,17 +116,30 @@ class RecordSetServiceIntegrationSpec
    AAAA,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AAAAData("fd69:27cc:fe91::60"))
  )
+  private val dottedTestRecord = RecordSet(
+    dummyZone.id,
+    "test.dotted",
+    AAAA,
+    38400,
+    RecordSetStatus.Active,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
+    None,
+    List(AAAAData("fd69:27cc:fe91::60")),
+    recordSetGroupChange =
+      Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.None,
+        requestedOwnerGroupId = None))
+  )
  private val subTestRecordA = RecordSet(
    zone.id,
    "a-record",
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("10.1.1.1"))
  )
@ -111,7 +149,7 @@ class RecordSetServiceIntegrationSpec
    AAAA,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AAAAData("fd69:27cc:fe91::60"))
  )
@ -121,7 +159,7 @@ class RecordSetServiceIntegrationSpec
    NS,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(NSData(Fqdn("172.17.42.1.")))
  )
@ -139,7 +177,7 @@ class RecordSetServiceIntegrationSpec
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("10.1.1.1"))
  )
@ -149,7 +187,7 @@ class RecordSetServiceIntegrationSpec
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("10.1.1.1"))
  )
@ -168,7 +206,7 @@ class RecordSetServiceIntegrationSpec
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("1.1.1.1"))
  )
@ -188,7 +226,7 @@ class RecordSetServiceIntegrationSpec
    A,
    200,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("1.1.1.1")),
    ownerGroupId = Some(sharedGroup.id)
@ -200,19 +238,49 @@ class RecordSetServiceIntegrationSpec
    A,
    200,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("1.1.1.1")),
    ownerGroupId = Some("non-existent")
  )

+  private val sharedTestRecordPendingReviewOwnerShip = RecordSet(
+    sharedZone.id,
+    "shared-record-ownerShip-pendingReview",
+    A,
+    200,
+    RecordSetStatus.Active,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
+    None,
+    List(AData("1.1.1.1")),
+    ownerGroupId = Some(sharedGroup.id),
+    recordSetGroupChange = Some(OwnerShipTransfer(
+      ownerShipTransferStatus = OwnerShipTransferStatus.PendingReview,
+      requestedOwnerGroupId = Some(group.id)))
+  )
+
+  private val sharedTestRecordCancelledOwnerShip = RecordSet(
+    sharedZone.id,
+    "shared-record-ownerShip-cancelled",
+    A,
+    200,
+    RecordSetStatus.Active,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
+    None,
+    List(AData("1.1.1.1")),
+    ownerGroupId = Some(sharedGroup.id),
+    recordSetGroupChange = Some(OwnerShipTransfer(
+      ownerShipTransferStatus = OwnerShipTransferStatus.Cancelled,
+      requestedOwnerGroupId = Some(group.id)))
+  )
+
  private val testOwnerGroupRecordInNormalZone = RecordSet(
    zone.id,
    "user-in-owner-group-but-zone-not-shared",
    A,
    38400,
    RecordSetStatus.Active,
-    DateTime.now,
+    Instant.now.truncatedTo(ChronoUnit.MILLIS),
    None,
    List(AData("10.1.1.1")),
    ownerGroupId = Some(sharedGroup.id)
@ -241,8 +309,16 @@ class RecordSetServiceIntegrationSpec
    clearZoneRepo()
    clearGroupRepo()

-    List(group, group2, sharedGroup).traverse(g => groupRepo.save(g).void).unsafeRunSync()
-    List(zone, zoneTestNameConflicts, zoneTestAddRecords, sharedZone)
+    def saveGroupData(
+                       groupRepo: GroupRepository,
+                       group: Group
+                     ): IO[Group] =
+      executeWithinTransaction { db: DB =>
+        groupRepo.save(db, group)
+      }
+
+    List(group, group2, sharedGroup, dummyGroup).traverse(g => saveGroupData(groupRepo, g).void).unsafeRunSync()
+    List(zone, dummyZone, zoneTestNameConflicts, zoneTestAddRecords, sharedZone)
      .traverse(
        z => zoneRepo.save(z)
      )
@ -251,7 +327,10 @@ class RecordSetServiceIntegrationSpec
    // Seeding records in DB
    val sharedRecords = List(
      sharedTestRecord,
-      sharedTestRecordBadOwnerGroup
+      sharedTestRecordBadOwnerGroup,
+      sharedTestRecordPendingReviewOwnerShip,
+      sharedTestRecordCancelledOwnerShip
+
    )
    val conflictRecords = List(
      subTestRecordNameConflict,
@ -260,6 +339,7 @@ class RecordSetServiceIntegrationSpec
    val zoneRecords = List(
      apexTestRecordA,
      apexTestRecordAAAA,
+      dottedTestRecord,
      subTestRecordA,
      subTestRecordAAAA,
      subTestRecordNS,
@ -271,12 +351,15 @@ class RecordSetServiceIntegrationSpec
        conflictRecords.map(makeAddChange(_, zoneTestNameConflicts)) ++
        zoneRecords.map(makeAddChange(_, zone))
    )
-    recordSetRepo.apply(changes).unsafeRunSync()
+    executeWithinTransaction { db: DB =>
+      recordSetRepo.apply(db, changes)
+    }.unsafeRunSync()

    testRecordSetService = new RecordSetService(
      zoneRepo,
      groupRepo,
      recordSetRepo,
+      recordSetCacheRepo,
      mock[RecordChangeRepository],
      mock[UserRepository],
      TestMessageQueue,
@ -284,7 +367,10 @@ class RecordSetServiceIntegrationSpec
      mockBackendResolver,
      false,
      vinyldnsConfig.highValueDomainConfig,
-      vinyldnsConfig.serverConfig.approvedNameServers
+      vinyldnsConfig.dottedHostsConfig,
+      vinyldnsConfig.serverConfig.approvedNameServers,
+      useRecordSetCache = true,
+      mockNotifiers
    )
  }

@ -306,7 +392,7 @@ class RecordSetServiceIntegrationSpec
        A,
        38400,
        RecordSetStatus.Active,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        None,
        List(AData("10.1.1.1"))
      )
@ -321,6 +407,314 @@ class RecordSetServiceIntegrationSpec
        .name shouldBe "zone-test-add-records."
    }

+    "create dotted record fails if it doesn't satisfy dotted hosts config" in {
+      val newRecord = RecordSet(
+        zoneTestAddRecords.id,
+        "test.dot",
+        A,
+        38400,
+        RecordSetStatus.Active,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
+        None,
+        List(AData("10.1.1.1"))
+      )
+      val result =
+        testRecordSetService
+          .addRecordSet(newRecord, auth)
+          .value
+          .unsafeRunSync()
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "create dotted record succeeds if it satisfies all dotted hosts config" in {
+      val newRecord = RecordSet(
+        dummyZone.id,
+        "testing.dotted",
+        AAAA,
+        38400,
+        RecordSetStatus.Active,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
+        None,
+        List(AAAAData("fd69:27cc:fe91::60"))
+      )
+      // succeeds as zone, user and record type is allowed as defined in application.conf
+      val result =
+        testRecordSetService
+          .addRecordSet(newRecord, dummyAuth)
+          .value
+          .unsafeRunSync()
+      rightValue(result)
+        .asInstanceOf[RecordSetChange]
+        .recordSet
+        .name shouldBe "testing.dotted"
+    }
+
+    "fail creating dotted record if it satisfies all dotted hosts config except dots-limit for the zone" in {
+      val newRecord = RecordSet(
+        dummyZone.id,
+        "test.dotted.more.dots.than.allowed",
+        AAAA,
+        38400,
+        RecordSetStatus.Active,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
+        None,
+        List(AAAAData("fd69:27cc:fe91::60"))
+      )
+
+      // The number of dots allowed in the record name for this zone as defined in the config is 3.
+      // Creating with 4 dots results in an error
+      val result =
+        testRecordSetService
+          .addRecordSet(newRecord, dummyAuth)
+          .value
+          .unsafeRunSync()
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "auto-approve ownership transfer request, if user tried to update the ownership" in {
+      val newRecord = sharedTestRecord.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.AutoApproved,
+          requestedOwnerGroupId = Some(group.id))))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth2)
+        .value
+        .unsafeRunSync()
+
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "shared-record"
+      change.recordSet.ownerGroupId.get shouldBe group.id
+      change.recordSet.recordSetGroupChange.get.ownerShipTransferStatus shouldBe OwnerShipTransferStatus.AutoApproved
+      change.recordSet.recordSetGroupChange.get.requestedOwnerGroupId.get shouldBe group.id
+    }
+
+    "approve ownership transfer request, if user requested for ownership transfer" in {
+      val newRecord = sharedTestRecordPendingReviewOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyApproved)))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth2)
+        .value
+        .unsafeRunSync()
+
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "shared-record-ownerShip-pendingReview"
+      change.recordSet.ownerGroupId.get shouldBe group.id
+      change.recordSet.recordSetGroupChange.get.ownerShipTransferStatus shouldBe OwnerShipTransferStatus.ManuallyApproved
+      change.recordSet.recordSetGroupChange.get.requestedOwnerGroupId.get shouldBe group.id
+    }
+
+    "reject ownership transfer request, if user requested for ownership transfer" in {
+      val newRecord = sharedTestRecordPendingReviewOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyRejected)))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth2)
+        .value
+        .unsafeRunSync()
+
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "shared-record-ownerShip-pendingReview"
+      change.recordSet.ownerGroupId.get shouldBe sharedGroup.id
+      change.recordSet.recordSetGroupChange.get.ownerShipTransferStatus shouldBe OwnerShipTransferStatus.ManuallyRejected
+      change.recordSet.recordSetGroupChange.get.requestedOwnerGroupId.get shouldBe group.id
+    }
+
+    "request ownership transfer, if user not in the owner group and wants to own the record" in {
+      val newRecord = sharedTestRecord.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.Requested,
+          requestedOwnerGroupId = Some(dummyGroup.id))))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "shared-record"
+      change.recordSet.ownerGroupId.get shouldBe sharedGroup.id
+      change.recordSet.recordSetGroupChange.get.ownerShipTransferStatus shouldBe OwnerShipTransferStatus.PendingReview
+      change.recordSet.recordSetGroupChange.get.requestedOwnerGroupId.get shouldBe dummyGroup.id
+    }
+
+    "fail requesting ownership transfer if user is not in owner group and tried to update other fields in record set" in {
+      val newRecord = sharedTestRecord.copy(
+        ttl = 3000,
+        recordSetGroupChange =
+          Some(OwnerShipTransfer(
+            ownerShipTransferStatus = OwnerShipTransferStatus.Requested,
+            requestedOwnerGroupId = Some(dummyGroup.id))))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail updating if user is not in owner group for ownership transfer approval" in {
+      val newRecord = sharedTestRecordPendingReviewOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyApproved)))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[NotAuthorizedError]
+    }
+
+    "fail updating if user is not in owner group for ownership transfer reject" in {
+      val newRecord = sharedTestRecordPendingReviewOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyRejected)))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[NotAuthorizedError]
+    }
+
+    "cancel the ownership transfer request, if user not require ownership transfer further" in {
+      val newRecord = sharedTestRecordPendingReviewOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.Cancelled)))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth)
+        .value
+        .unsafeRunSync()
+
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "shared-record-ownerShip-pendingReview"
+      change.recordSet.ownerGroupId.get shouldBe sharedGroup.id
+      change.recordSet.recordSetGroupChange.get.ownerShipTransferStatus shouldBe OwnerShipTransferStatus.Cancelled
+      change.recordSet.recordSetGroupChange.get.requestedOwnerGroupId.get shouldBe group.id
+    }
+
+    "fail approving ownership transfer request, if user is cancelled" in {
+      val newRecord = sharedTestRecordCancelledOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyApproved)))
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail rejecting ownership transfer request, if user is cancelled" in {
+      val newRecord = sharedTestRecordCancelledOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyRejected)))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail auto-approving ownership transfer request, if user is cancelled" in {
+      val newRecord = sharedTestRecordCancelledOwnerShip.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.AutoApproved
+        )))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail auto-approving ownership transfer request, if zone is not shared" in {
+      val newRecord = dottedTestRecord.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.AutoApproved,
+          requestedOwnerGroupId = Some(group.id))))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth2)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail approving ownership transfer request, if zone is not shared" in {
+      val newRecord = dottedTestRecord.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyApproved
+        )))
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, auth2)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "fail requesting ownership transfer, if zone is not shared" in {
+      val newRecord = dottedTestRecord.copy(recordSetGroupChange =
+        Some(OwnerShipTransfer(
+          ownerShipTransferStatus = OwnerShipTransferStatus.Requested,
+          requestedOwnerGroupId = Some(dummyGroup.id)
+        )))
+
+      doReturn(IO.unit).when(mockNotifier).notify(any[Notification[_]])
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
+    "update dotted record succeeds if it satisfies all dotted hosts config" in {
+      val newRecord = dottedTestRecord.copy(ttl = 37000)
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+      val change = rightValue(result).asInstanceOf[RecordSetChange]
+      change.recordSet.name shouldBe "test.dotted"
+      change.recordSet.ttl shouldBe 37000
+    }
+
+    "update dotted record name fails as updating a record name is not allowed" in {
+      val newRecord = dottedTestRecord.copy(name = "trial.dotted")
+
+      val result = testRecordSetService
+        .updateRecordSet(newRecord, dummyAuth)
+        .value
+        .unsafeRunSync()
+      // We get an "InvalidRequest: Cannot update RecordSet's name."
+      leftValue(result) shouldBe a[InvalidRequest]
+    }
+
    "update apex A record and add trailing dot" in {
      val newRecord = apexTestRecordA.copy(ttl = 200)
      val result = testRecordSetService
@ -532,26 +926,33 @@ class RecordSetServiceIntegrationSpec
        Some(group2.id)
    }

+    "delete dotted host record successfully for user in record owner group" in {
+      val result = testRecordSetService
+        .deleteRecordSet(dottedTestRecord.id, dottedTestRecord.zoneId, dummyAuth)
+        .value
+        .unsafeRunSync()
+
+      result should be(right)
+    }
+
    "fail deleting for user not in record owner group in shared zone" in {
-      val result = leftResultOf(
+      val result =
        testRecordSetService
          .deleteRecordSet(sharedTestRecord.id, sharedTestRecord.zoneId, dummyAuth)
-          .value
-      )
+          .value.unsafeRunSync().swap.toOption.get

      result shouldBe a[NotAuthorizedError]
    }

    "fail deleting for user in record owner group in non-shared zone" in {
-      val result = leftResultOf(
+      val result =
        testRecordSetService
          .deleteRecordSet(
            testOwnerGroupRecordInNormalZone.id,
            testOwnerGroupRecordInNormalZone.zoneId,
            auth2
          )
-          .value
-      )
+          .value.unsafeRunSync().swap.toOption.get

      result shouldBe a[NotAuthorizedError]
    }
--- a/modules/api/src/it/scala/vinyldns/api/domain/zone/ZoneServiceIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/domain/zone/ZoneServiceIntegrationSpec.scala
@ -18,7 +18,9 @@ package vinyldns.api.domain.zone

 import cats.data.NonEmptyList
 import cats.effect._
-import org.joda.time.DateTime
+
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.mockito.Mockito.doReturn
 import org.scalatest._
 import org.scalatest.matchers.should.Matchers
@ -26,9 +28,12 @@ import org.scalatest.wordspec.AnyWordSpec
 import org.scalatest.concurrent.{PatienceConfiguration, ScalaFutures}
 import org.scalatestplus.mockito.MockitoSugar
 import org.scalatest.time.{Seconds, Span}
+import scalikejdbc.DB
 import vinyldns.api.domain.access.AccessValidations
+import vinyldns.api.domain.membership.MembershipService
 import vinyldns.api.domain.record.RecordSetChangeGenerator
 import vinyldns.api.engine.TestMessageQueue
+import vinyldns.mysql.TransactionProvider
 import vinyldns.api.{MySqlApiIntegrationSpec, ResultHelpers}
 import vinyldns.core.TestMembershipData.{okAuth, okUser}
 import vinyldns.core.TestZoneData.okZone
@ -52,13 +57,14 @@ class ZoneServiceIntegrationSpec
    with ResultHelpers
    with MySqlApiIntegrationSpec
    with BeforeAndAfterAll
-    with BeforeAndAfterEach {
+    with BeforeAndAfterEach
+    with TransactionProvider {

  private val timeout = PatienceConfiguration.Timeout(Span(10, Seconds))

  private val recordSetRepo = recordSetRepository
  private val zoneRepo: ZoneRepository = zoneRepository
-
+  private val mockMembershipService = mock[MembershipService]
  private var testZoneService: ZoneServiceAlgebra = _

  private val badAuth = AuthPrincipal(okUser, Seq())
@ -69,7 +75,7 @@ class ZoneServiceIntegrationSpec
    typ = RecordType.SOA,
    ttl = 38400,
    status = RecordSetStatus.Active,
-    created = DateTime.now,
+    created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
    records =
      List(SOAData(Fqdn("172.17.42.1."), "admin.test.com.", 1439234395, 10800, 3600, 604800, 38400))
  )
@ -79,7 +85,7 @@ class ZoneServiceIntegrationSpec
    typ = RecordType.NS,
    ttl = 38400,
    status = RecordSetStatus.Active,
-    created = DateTime.now,
+    created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
    records = List(NSData(Fqdn("172.17.42.1.")))
  )
  private val testRecordA = RecordSet(
@ -88,7 +94,7 @@ class ZoneServiceIntegrationSpec
    typ = RecordType.A,
    ttl = 38400,
    status = RecordSetStatus.Active,
-    created = DateTime.now,
+    created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
    records = List(AData("10.1.1.1"))
  )

@ -104,10 +110,13 @@ class ZoneServiceIntegrationSpec

    waitForSuccess(zoneRepo.save(okZone))
    // Seeding records in DB
-    waitForSuccess(recordSetRepo.apply(changeSetSOA))
-    waitForSuccess(recordSetRepo.apply(changeSetNS))
-    waitForSuccess(recordSetRepo.apply(changeSetA))
-
+    executeWithinTransaction { db: DB =>
+      IO {
+        waitForSuccess(recordSetRepo.apply(db, changeSetSOA))
+        waitForSuccess(recordSetRepo.apply(db, changeSetNS))
+        waitForSuccess(recordSetRepo.apply(db, changeSetA))
+      }
+    }
    doReturn(NonEmptyList.one("func-test-backend")).when(mockBackendResolver).ids

    testZoneService = new ZoneService(
@ -120,7 +129,8 @@ class ZoneServiceIntegrationSpec
      new ZoneValidations(1000),
      new AccessValidations(),
      mockBackendResolver,
-      NoOpCrypto.instance
+      NoOpCrypto.instance,
+      mockMembershipService
    )
  }

@ -142,8 +152,11 @@ class ZoneServiceIntegrationSpec
    }
    "accept a DeleteZone" in {
      val removeARecord = ChangeSet(RecordSetChangeGenerator.forDelete(testRecordA, okZone))
-      waitForSuccess(recordSetRepo.apply(removeARecord))
-
+      executeWithinTransaction { db: DB =>
+        IO {
+          waitForSuccess(recordSetRepo.apply(db, removeARecord))
+        }
+      }
      val result =
        testZoneService
          .deleteZone(okZone.id, okAuth)
--- a/modules/api/src/it/scala/vinyldns/api/domain/zone/ZoneViewLoaderIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/domain/zone/ZoneViewLoaderIntegrationSpec.scala
@ -19,8 +19,8 @@ package vinyldns.api.domain.zone
 import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AnyWordSpec
 import org.xbill.DNS.ZoneTransferException
-import vinyldns.api.backend.dns.DnsBackend
 import vinyldns.api.config.VinylDNSConfig
+import vinyldns.core.domain.Encrypted
 import vinyldns.core.domain.backend.BackendResolver
 import vinyldns.core.domain.zone.{Zone, ZoneConnection}

@ -50,15 +50,13 @@ class ZoneViewLoaderIntegrationSpec extends AnyWordSpec with Matchers {
            ZoneConnection(
              "vinyldns.",
              "vinyldns.",
-              "nzisn+4G2ldMn0q1CV3vsg==",
+              Encrypted("nzisn+4G2ldMn0q1CV3vsg=="),
              sys.env.getOrElse("DEFAULT_DNS_ADDRESS", "127.0.0.1:19001")
            )
          ),
          transferConnection =
-            Some(ZoneConnection("invalid-connection.", "bad-key", "invalid-key", "10.1.1.1"))
+            Some(ZoneConnection("invalid-connection.", "bad-key", Encrypted("invalid-key"), "10.1.1.1"))
        )
-        val backend = backendResolver.resolve(zone).asInstanceOf[DnsBackend]
-        println(s"${backend.id}, ${backend.xfrInfo}, ${backend.resolver.getAddress}")
        DnsZoneViewLoader(zone, backendResolver.resolve(zone), 10000)
          .load()
          .unsafeRunSync()
@ -83,7 +81,7 @@ class ZoneViewLoaderIntegrationSpec extends AnyWordSpec with Matchers {
            ZoneConnection(
              "vinyldns.",
              "vinyldns.",
-              "nzisn+4G2ldMn0q1CV3vsg==",
+              Encrypted("nzisn+4G2ldMn0q1CV3vsg=="),
              sys.env.getOrElse("DEFAULT_DNS_ADDRESS", "127.0.0.1:19001")
            )
          ),
@ -91,7 +89,7 @@ class ZoneViewLoaderIntegrationSpec extends AnyWordSpec with Matchers {
            ZoneConnection(
              "vinyldns.",
              "vinyldns.",
-              "nzisn+4G2ldMn0q1CV3vsg==",
+              Encrypted("nzisn+4G2ldMn0q1CV3vsg=="),
              sys.env.getOrElse("DEFAULT_DNS_ADDRESS", "127.0.0.1:19001")
            )
          )
--- a/modules/api/src/it/scala/vinyldns/api/notifier/email/EmailNotifierIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/notifier/email/EmailNotifierIntegrationSpec.scala
@ -24,8 +24,9 @@ import org.scalatest.matchers.should.Matchers
 import org.scalatest.wordspec.AnyWordSpecLike
 import vinyldns.core.domain.batch._
 import vinyldns.core.domain.record.RecordType
-import vinyldns.core.domain.record.AData
-import org.joda.time.DateTime
+import vinyldns.core.domain.record.{AData, OwnerShipTransferStatus, RecordSetChange, RecordSetChangeStatus, RecordSetChangeType, RecordType}
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import vinyldns.core.TestMembershipData._
 import java.nio.file.{Files, Path, Paths}

@ -34,6 +35,8 @@ import cats.effect.{IO, Resource}
 import scala.collection.JavaConverters._
 import org.scalatest.BeforeAndAfterEach
 import cats.implicits._
+import vinyldns.core.TestRecordSetData.{ownerShipTransfer, rsOk}
+import vinyldns.core.TestZoneData.okZone

 class EmailNotifierIntegrationSpec
    extends MySqlApiIntegrationSpec
@ -56,12 +59,12 @@ class EmailNotifierIntegrationSpec

  "Email Notifier" should {

-    "send an email" taggedAs (SkipCI) in {
+    "send an email for batch change" taggedAs (SkipCI) in {
      val batchChange = BatchChange(
        okUser.id,
        okUser.userName,
        None,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        List(
          SingleAddChange(
            Some("some-zone-id"),
@ -83,7 +86,7 @@ class EmailNotifierIntegrationSpec
      val program = for {
        _ <- userRepository.save(okUser)
        notifier <- new EmailNotifierProvider()
-          .load(NotifierConfig("", emailConfig), userRepository)
+          .load(NotifierConfig("", emailConfig), userRepository, groupRepository)
        _ <- notifier.notify(Notification(batchChange))
        emailFiles <- retrieveEmailFiles(targetDirectory)
      } yield emailFiles
@ -93,7 +96,29 @@ class EmailNotifierIntegrationSpec
      files.length should be(1)

    }
+    "send an email for recordSetChange ownerShip transfer" taggedAs (SkipCI) in {
+      val recordSetChange = RecordSetChange(
+        okZone,
+        rsOk.copy(ownerGroupId= Some(okGroup.id),recordSetGroupChange =
+          Some(ownerShipTransfer.copy(ownerShipTransferStatus = OwnerShipTransferStatus.PendingReview, requestedOwnerGroupId = Some(dummyGroup.id)))),
+        "system",
+        RecordSetChangeType.Create,
+        RecordSetChangeStatus.Complete
+      )

+      val program = for {
+        _ <- userRepository.save(okUser)
+        notifier <- new EmailNotifierProvider()
+          .load(NotifierConfig("", emailConfig), userRepository, groupRepository)
+        _ <- notifier.notify(Notification(recordSetChange))
+        emailFiles <- retrieveEmailFiles(targetDirectory)
+      } yield emailFiles
+
+      val files = program.unsafeRunSync()
+
+      files.length should be(1)
+
+    }
  }

  def deleteEmailFiles(path: Path): IO[Unit] =
--- a/modules/api/src/it/scala/vinyldns/api/notifier/sns/SnsNotifierIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/notifier/sns/SnsNotifierIntegrationSpec.scala
@ -22,7 +22,7 @@ import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration
 import com.amazonaws.services.sns.AmazonSNSClientBuilder
 import com.amazonaws.services.sqs.AmazonSQSClientBuilder
 import com.typesafe.config.{Config, ConfigFactory}
-import org.joda.time.DateTime
+import java.time.Instant
 import org.json4s.DefaultFormats
 import org.json4s.jackson.JsonMethods._
 import org.scalatest.matchers.should.Matchers
@ -56,7 +56,7 @@ class SnsNotifierIntegrationSpec
        okUser.id,
        okUser.userName,
        None,
-        DateTime.parse("2019-07-22T19:38:23Z"),
+        Instant.parse("2019-07-22T19:38:23Z"),
        List(
          SingleAddChange(
            Some("some-zone-id"),
@ -85,16 +85,17 @@ class SnsNotifierIntegrationSpec
      val sns = AmazonSNSClientBuilder.standard
        .withEndpointConfiguration(
          new EndpointConfiguration(
-            snsConfig.getString("service-endpoint"),
+            sys.env.getOrElse("SNS_SERVICE_ENDPOINT", snsConfig.getString("service-endpoint")),
            snsConfig.getString("signing-region")
          )
        )
        .withCredentials(credentialsProvider)
        .build()
+
      val sqs = AmazonSQSClientBuilder
        .standard()
        .withEndpointConfiguration(
-          new EndpointConfiguration(sys.env.getOrElse("SNS_SERVICE_ENDPOINT", "http://127.0.0.1:19003"), "us-east-1")
+          new EndpointConfiguration(sys.env.getOrElse("SQS_SERVICE_ENDPOINT", "http://127.0.0.1:19003"), "us-east-1")
        )
        .withCredentials(credentialsProvider)
        .build()
@ -110,7 +111,7 @@ class SnsNotifierIntegrationSpec
          sns.subscribe(topic, "sqs", queueUrl)
        }
        notifier <- new SnsNotifierProvider()
-          .load(NotifierConfig("", snsConfig), userRepository)
+          .load(NotifierConfig("", snsConfig), userRepository, groupRepository)
        _ <- notifier.notify(Notification(batchChange))
        _ <- IO.sleep(1.seconds)
        messages <- IO {
--- a/modules/api/src/it/scala/vinyldns/api/route53/Route53ApiIntegrationSpec.scala
+++ b/modules/api/src/it/scala/vinyldns/api/route53/Route53ApiIntegrationSpec.scala
@ -30,7 +30,7 @@ import vinyldns.api.engine.ZoneSyncHandler
 import vinyldns.api.{MySqlApiIntegrationSpec, ResultHelpers}
 import vinyldns.core.TestRecordSetData._
 import vinyldns.core.domain.backend.{Backend, BackendResolver}
-import vinyldns.core.domain.record.{NameSort, RecordType}
+import vinyldns.core.domain.record.{NameSort, RecordType, RecordTypeSort}
 import vinyldns.core.domain.zone.{Zone, ZoneChange, ZoneChangeType}
 import vinyldns.core.health.HealthCheck.HealthCheck
 import vinyldns.route53.backend.{Route53Backend, Route53BackendConfig}
@ -57,6 +57,8 @@ class Route53ApiIntegrationSpec
          "test",
          Some("access"),
          Some("secret"),
+          None,
+          None,
          sys.env.getOrElse("R53_SERVICE_ENDPOINT", "http://localhost:19003"),
          "us-east-1"
        )
@ -109,6 +111,7 @@ class Route53ApiIntegrationSpec
      val syncHandler = ZoneSyncHandler.apply(
        recordSetRepository,
        recordChangeRepository,
+        recordSetCacheRepository,
        zoneChangeRepository,
        zoneRepository,
        backendResolver,
@ -119,7 +122,7 @@ class Route53ApiIntegrationSpec

      // We should have both the record we created above as well as at least one NS record
      val results = recordSetRepository
-        .listRecordSets(Some(testZone.id), None, None, None, None, None, NameSort.ASC)
+        .listRecordSets(Some(testZone.id), None, None, None, None, None, NameSort.ASC, RecordTypeSort.ASC)
        .unsafeRunSync()
      results.recordSets.map(_.typ).distinct should contain theSameElementsAs List(
        rsOk.typ,
--- a/modules/api/src/main/resources/application.conf
+++ b/modules/api/src/main/resources/application.conf
@ -28,6 +28,16 @@ vinyldns {
  multi-record-batch-change-enabled = true
  multi-record-batch-change-enabled = ${?MULTI_RECORD_BATCH_CHANGE_ENABLED}

+  # Server settings
+  use-recordset-cache = false
+  use-recordset-cache = ${?USE_RECORDSET_CACHE}
+  load-test-data = false
+  load-test-data = ${?LOAD_TEST_DATA}
+  # should be true while running locally or when we have only one api server/instance, for zone sync scheduler to work
+  is-zone-sync-schedule-allowed = true
+  # should be set to true only on a single server/instance else automated sync will be performed at every server/instance
+  is-zone-sync-schedule-allowed = ${?IS_ZONE_SYNC_SCHEDULE_ALLOWED}
+
  # configured backend providers
  backend {
    # Use "default" when dns backend legacy = true
@ -127,7 +137,10 @@ vinyldns {
      from = ${?EMAIL_FROM}
    }
  }
-
+  valid-email-config{
+       email-domains = ["test.com","*dummy.com"]
+       number-of-dots= 2
+     }
  sns {
    class-name = "vinyldns.apadi.notifier.sns.SnsNotifierProvider"
    class-name = ${?SNS_CLASS_NAME}
@ -151,6 +164,17 @@ vinyldns {
    port=${?API_SERVICE_PORT}
  }

+  api {
+    limits {
+      batchchange-routing-max-items-limit = 100
+      membership-routing-default-max-items = 100
+      membership-routing-max-items-limit = 1000
+      membership-routing-max-groups-list-limit = 3000
+      recordset-routing-default-max-items= 100
+      zone-routing-default-max-items = 100
+      zone-routing-max-items-limit = 100
+    }
+  }

  approved-name-servers = [
    "172.17.42.1.",
@ -161,6 +185,19 @@ vinyldns {
    "ns1.parent.com4."
  ]

+  # approved zones, individual users, users in groups, record types and no.of.dots that are allowed for dotted hosts
+  dotted-hosts = {
+    allowed-settings = [
+      {
+      zone = "zonenamehere."
+      user-list = []
+      group-list = []
+      record-types = []
+      dots-limit = 0
+      }
+    ]
+  }
+
  # Note: This MUST match the Portal or strange errors will ensue, NoOpCrypto should not be used for production
  crypto {
    type = "vinyldns.core.crypto.NoOpCrypto"
@ -178,14 +215,22 @@ vinyldns {
      name = ${?DATABASE_NAME}
      driver = "org.mariadb.jdbc.Driver"
      driver = ${?JDBC_DRIVER}
-      migration-url = "jdbc:mariadb://localhost:19002/?user=root&password=pass"
+      migration-url = "jdbc:mariadb://localhost:19002/?user=root&password=pass&socketTimeout=20000"
      migration-url = ${?JDBC_MIGRATION_URL}
-      url = "jdbc:mariadb://localhost:19002/vinyldns?user=root&password=pass"
+      url = "jdbc:mariadb://localhost:19002/vinyldns?user=root&password=pass&socketTimeout=20000"
      url = ${?JDBC_URL}
      user = "root"
      user = ${?JDBC_USER}
      password = "pass"
      password = ${?JDBC_PASSWORD}
+      flyway-out-of-order = false
+      flyway-out-of-order = ${?FLYWAY_OUT_OF_ORDER}
+
+      max-lifetime = 300000
+      connection-timeout-millis = 30000
+      idle-timeout = 150000
+      maximum-pool-size = 20
+      minimum-idle = 5
    }

    # TODO: Remove the need for these useless configuration blocks
@ -198,6 +243,8 @@ vinyldns {
      }
      record-set {
      }
+      record-set-cache {
+      }
      zone-change {
      }
      record-change {
@ -320,13 +367,17 @@ akka.http {
    # Set to `infinite` to disable.
    bind-timeout = 5s

+    # A default request timeout is applied globally to all routes and can be configured using the
+    # akka.http.server.request-timeout setting (which defaults to 20 seconds).
+    # request-timeout = 60s
+
    # Show verbose error messages back to the client
    verbose-error-messages = on
  }

  parsing {
-    # Spray doesn't like the AWS4 headers
-    illegal-header-warnings = on
+    # Don't complain about the / in the AWS SigV4 auth header
+    ignore-illegal-header-for = ["authorization"]
  }
 }

--- a/modules/api/src/main/resources/logback.xml
+++ b/modules/api/src/main/resources/logback.xml
@ -1,24 +1,17 @@
 <configuration>
    <!-- Test configuration, log to console so we can get the docker logs -->
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
-            <pattern>%d [test] %-5p | \(%logger{4}:%line\) | %msg %n</pattern>
+        <encoder class="co.elastic.logging.logback.EcsEncoder">
+            <serviceName>vinyldns-api</serviceName>
+            <serviceNodeName>vinyldns-api</serviceNodeName>
        </encoder>
    </appender>

-    <logger name="org.flywaydb" level="DEBUG">
+    <logger name="com.zaxxer.hikari" level="ERROR">
        <appender-ref ref="CONSOLE"/>
    </logger>

-    <logger name="org.flywaydb.core.internal.dbsupport.SqlScript" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <logger name="org.flywaydb.core.internal.command.DbMigrate" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <root level="ERROR">
+    <root level="INFO">
        <appender-ref ref="CONSOLE"/>
    </root>
 </configuration>
--- a/modules/api/src/main/resources/reference.conf
+++ b/modules/api/src/main/resources/reference.conf
@ -90,6 +90,29 @@ vinyldns {
    "ns1.parent.com."
  ]

+  # approved zones, individual users, users in groups, record types and no.of.dots that are allowed for dotted hosts
+  dotted-hosts = {
+    # for local testing
+    allowed-settings = [
+      {
+      # for wildcard zones. Settings will be applied to all matching zones
+      zone = "*ent.com*."
+      user-list = ["ok"]
+      group-list = ["dummy-group"]
+      record-types = ["CNAME"]
+      dots-limit = 3
+      },
+      {
+      # for wildcard zones. Settings will be applied to all matching zones
+      zone = "dummy*."
+      user-list = ["sharedZoneUser"]
+      group-list = ["history-group1"]
+      record-types = ["A"]
+      dots-limit = 3
+      }
+    ]
+  }
+
  # color should be green or blue, used in order to do blue/green deployment
  color = "green"

@ -105,7 +128,18 @@ vinyldns {
    host = "127.0.0.1"
    port = 9000
  }
-
+  # limits for batchchange routing, membership routing , recordset routing , zone routing
+  api {
+    limits {
+      batchchange-routing-max-items-limit = 100
+      membership-routing-default-max-items = 100
+      membership-routing-max-items-limit = 1000
+      membership-routing-max-groups-list-limit = 3000
+      recordset-routing-default-max-items= 100
+      zone-routing-default-max-items = 100
+      zone-routing-max-items-limit = 100
+    }
+  }
  mysql {
    class-name = "vinyldns.mysql.repository.MySqlDataStoreProvider"

@ -119,6 +153,7 @@ vinyldns {
      url = "jdbc:mariadb://localhost:19002/vinyldns?user=root&password=pass"
      user = "root"
      password = "pass"
+      flyway-out-of-order = false
    }

    repositories {
@ -134,7 +169,10 @@ vinyldns {
      from = "VinylDNS <do-not-reply@vinyldns.io>"
    }
  }
-
+ valid-email-config{
+      email-domains = ["test.com","*dummy.com"]
+      number-of-dots= 2
+    }
  sns {
    class-name = "vinyldns.api.notifier.sns.SnsNotifierProvider"
    settings {
@ -191,4 +229,15 @@ vinyldns {
  default-ttl = 7200

  validate-record-lookup-against-dns-backend = false
+
+  use-recordset-cache = false
+  use-recordset-cache = ${?USE_RECORDSET_CACHE}
+
+  load-test-data = false
+  load-test-data = ${?LOAD_TEST_DATA}
+
+  # should be true while running locally or when we have only one api server/instance, for zone sync scheduler to work
+  is-zone-sync-schedule-allowed = true
+  # should be set to true only on a single server/instance else automated sync will be performed at every server/instance
+  is-zone-sync-schedule-allowed = ${?IS_ZONE_SYNC_SCHEDULE_ALLOWED}
 }
--- a/modules/api/src/main/resources/test/logback.xml
+++ b/modules/api/src/main/resources/test/logback.xml
@ -1,24 +1,27 @@
 <configuration>
    <!-- Test configuration, log to console so we can get the docker logs -->
    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
-        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
-            <pattern>%d [test] %-5p | \(%logger{4}:%line\) | %msg %n</pattern>
+        <encoder class="co.elastic.logging.logback.EcsEncoder">
+            <serviceName>vinyldns-api</serviceName>
+            <serviceNodeName>vinyldns-api</serviceNodeName>
        </encoder>
    </appender>

-    <logger name="org.flywaydb" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
+    <appender name="BANNER_APPENDER" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%msg%n</pattern>
+        </encoder>
+    </appender>
+
+    <logger name="org.flywaydb" level="DEBUG"/>
+    <logger name="org.flywaydb.core.internal.dbsupport.SqlScript" level="DEBUG"/>
+    <logger name="org.flywaydb.core.internal.command.DbMigrate" level="DEBUG"/>
+
+    <logger name="BANNER_LOGGER" level="INFO" additivity="false">
+        <appender-ref ref="BANNER_APPENDER"/>
    </logger>

-    <logger name="org.flywaydb.core.internal.dbsupport.SqlScript" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <logger name="org.flywaydb.core.internal.command.DbMigrate" level="DEBUG">
-        <appender-ref ref="CONSOLE"/>
-    </logger>
-
-    <root level="ERROR">
+    <root level="INFO">
        <appender-ref ref="CONSOLE"/>
    </root>
 </configuration>
--- a/modules/api/src/main/scala/vinyldns/api/Boot.scala
+++ b/modules/api/src/main/scala/vinyldns/api/Boot.scala
@ -18,8 +18,9 @@ package vinyldns.api

 import akka.actor.ActorSystem
 import akka.http.scaladsl.Http
-import akka.stream.{ActorMaterializer, Materializer}
-import cats.effect.{ContextShift, IO, Timer}
+import akka.stream.{Materializer, ActorMaterializer}
+import cats.effect.{Timer, IO, ContextShift}
+import cats.data.NonEmptyList
 import com.typesafe.config.ConfigFactory
 import fs2.concurrent.SignallingRef
 import io.prometheus.client.CollectorRegistry
@ -27,29 +28,35 @@ import io.prometheus.client.dropwizard.DropwizardExports
 import io.prometheus.client.hotspot.DefaultExports
 import org.slf4j.LoggerFactory
 import vinyldns.api.backend.CommandHandler
-import vinyldns.api.config.VinylDNSConfig
-import vinyldns.api.domain.access.{AccessValidations, GlobalAcls}
+import vinyldns.api.config.{LimitsConfig, VinylDNSConfig}
+import vinyldns.api.domain.access.{GlobalAcls, AccessValidations}
 import vinyldns.api.domain.auth.MembershipAuthPrincipalProvider
-import vinyldns.api.domain.batch.{BatchChangeConverter, BatchChangeService, BatchChangeValidations}
+import vinyldns.api.domain.batch.{BatchChangeService, BatchChangeConverter, BatchChangeValidations}
 import vinyldns.api.domain.membership._
 import vinyldns.api.domain.record.RecordSetService
 import vinyldns.api.domain.zone._
 import vinyldns.api.metrics.APIMetrics
-import vinyldns.api.repository.{ApiDataAccessor, ApiDataAccessorProvider, TestDataLoader}
+import vinyldns.api.repository.{ApiDataAccessorProvider, ApiDataAccessor, TestDataLoader}
 import vinyldns.api.route.VinylDNSService
 import vinyldns.core.VinylDNSMetrics
 import vinyldns.core.domain.backend.BackendResolver
 import vinyldns.core.health.HealthService
-import vinyldns.core.queue.{MessageCount, MessageQueueLoader}
-import vinyldns.core.repository.DataStoreLoader
+import vinyldns.core.queue.{MessageQueueLoader, MessageCount}

 import scala.concurrent.{ExecutionContext, Future}
 import scala.io.{Codec, Source}
 import vinyldns.core.notifier.NotifierLoader
+import vinyldns.core.repository.DataStoreLoader
+import java.util.concurrent.{Executors, ScheduledExecutorService, TimeUnit}

 object Boot extends App {

  private val logger = LoggerFactory.getLogger("Boot")
+  private val bannerLogger = LoggerFactory.getLogger("BANNER_LOGGER")
+
+  // Create a ScheduledExecutorService with a new single thread
+  private val executor: ScheduledExecutorService = Executors.newSingleThreadScheduledExecutor()
+
  private implicit val ec: ExecutionContext = scala.concurrent.ExecutionContext.global
  private implicit val cs: ContextShift[IO] = IO.contextShift(ec)
  private implicit val timer: Timer[IO] = IO.timer(ec)
@ -69,45 +76,59 @@ object Boot extends App {
      banner <- vinyldnsBanner()
      vinyldnsConfig <- VinylDNSConfig.load()
      system <- IO(ActorSystem("VinylDNS", ConfigFactory.load()))
-      loaderResponse <- DataStoreLoader
-        .loadAll[ApiDataAccessor](
-          vinyldnsConfig.dataStoreConfigs,
-          vinyldnsConfig.crypto,
-          ApiDataAccessorProvider
-        )
+      loaderResponse <- DataStoreLoader.loadAll[ApiDataAccessor](
+        vinyldnsConfig.dataStoreConfigs,
+        vinyldnsConfig.crypto,
+        ApiDataAccessorProvider
+      )
      repositories = loaderResponse.accessor
      backendResolver <- BackendResolver.apply(vinyldnsConfig.backendConfigs)
-      _ <- TestDataLoader
-        .loadTestData(
+      _ <- if (vinyldnsConfig.serverConfig.loadTestData) {
+        TestDataLoader.loadTestData(
          repositories.userRepository,
          repositories.groupRepository,
          repositories.zoneRepository,
-          repositories.membershipRepository
-        )
+          repositories.membershipRepository)
+      } else {
+        IO.unit
+      }
      messageQueue <- MessageQueueLoader.load(vinyldnsConfig.messageQueueConfig)
      processingSignal <- SignallingRef[IO, Boolean](vinyldnsConfig.serverConfig.processingDisabled)
      msgsPerPoll <- IO.fromEither(MessageCount(vinyldnsConfig.messageQueueConfig.messagesPerPoll))
      notifiers <- NotifierLoader.loadAll(
        vinyldnsConfig.notifierConfigs,
-        repositories.userRepository
+        repositories.userRepository,
+        repositories.groupRepository
      )
      _ <- APIMetrics.initialize(vinyldnsConfig.apiMetricSettings)
-      _ <- CommandHandler
-        .run(
-          messageQueue,
-          msgsPerPoll,
-          processingSignal,
-          vinyldnsConfig.messageQueueConfig.pollingInterval,
-          repositories.zoneRepository,
-          repositories.zoneChangeRepository,
-          repositories.recordSetRepository,
-          repositories.recordChangeRepository,
-          repositories.batchChangeRepository,
-          notifiers,
-          backendResolver,
-          vinyldnsConfig.serverConfig.maxZoneSize
-        )
-        .start
+      // Schedule the zone sync task to be executed every 5 seconds
+      _ <- if (vinyldnsConfig.serverConfig.isZoneSyncScheduleAllowed){ IO(executor.scheduleAtFixedRate(() => {
+        val zoneChanges = for {
+          zoneChanges <- ZoneSyncScheduleHandler.zoneSyncScheduler(repositories.zoneRepository)
+          _ <- if (zoneChanges.nonEmpty) messageQueue.sendBatch(NonEmptyList.fromList(zoneChanges.toList).get) else IO.unit
+        } yield ()
+        zoneChanges.unsafeRunAsync {
+          case Right(_) =>
+            logger.debug("Zone sync scheduler ran successfully!")
+          case Left(error) =>
+            logger.error(s"An error occurred while performing the scheduled zone sync. Error: $error")
+        }
+      }, 0, 1, TimeUnit.SECONDS)) } else IO.unit
+      _ <- CommandHandler.run(
+        messageQueue,
+        msgsPerPoll,
+        processingSignal,
+        vinyldnsConfig.messageQueueConfig.pollingInterval,
+        repositories.zoneRepository,
+        repositories.zoneChangeRepository,
+        repositories.recordSetRepository,
+        repositories.recordChangeRepository,
+        repositories.recordSetCacheRepository,
+        repositories.batchChangeRepository,
+        notifiers,
+        backendResolver,
+        vinyldnsConfig.serverConfig.maxZoneSize
+      ).start
    } yield {
      val batchAccessValidations = new AccessValidations(
        vinyldnsConfig.globalAcls,
@ -121,9 +142,11 @@ object Boot extends App {
        vinyldnsConfig.highValueDomainConfig,
        vinyldnsConfig.manualReviewConfig,
        vinyldnsConfig.batchChangeConfig,
-        vinyldnsConfig.scheduledChangesConfig
+        vinyldnsConfig.scheduledChangesConfig,
+        vinyldnsConfig.serverConfig.approvedNameServers
      )
-      val membershipService = MembershipService(repositories)
+      val membershipService = MembershipService(repositories,vinyldnsConfig.validEmailConfig)
+
      val connectionValidator =
        new ZoneConnectionValidator(
          backendResolver,
@ -138,7 +161,10 @@ object Boot extends App {
          backendResolver,
          vinyldnsConfig.serverConfig.validateRecordLookupAgainstDnsBackend,
          vinyldnsConfig.highValueDomainConfig,
-          vinyldnsConfig.serverConfig.approvedNameServers
+          vinyldnsConfig.dottedHostsConfig,
+          vinyldnsConfig.serverConfig.approvedNameServers,
+          vinyldnsConfig.serverConfig.useRecordSetCache,
+          notifiers
        )
      val zoneService = ZoneService(
        repositories,
@ -147,7 +173,18 @@ object Boot extends App {
        zoneValidations,
        recordAccessValidations,
        backendResolver,
-        vinyldnsConfig.crypto
+        vinyldnsConfig.crypto,
+        membershipService
+      )
+      //limits configured in reference.conf passing here
+      val limits = LimitsConfig(
+        vinyldnsConfig.limitsconfig.BATCHCHANGE_ROUTING_MAX_ITEMS_LIMIT,
+        vinyldnsConfig.limitsconfig.MEMBERSHIP_ROUTING_DEFAULT_MAX_ITEMS,
+        vinyldnsConfig.limitsconfig.MEMBERSHIP_ROUTING_MAX_ITEMS_LIMIT,
+        vinyldnsConfig.limitsconfig.MEMBERSHIP_ROUTING_MAX_GROUPS_LIST_LIMIT,
+        vinyldnsConfig.limitsconfig.RECORDSET_ROUTING_DEFAULT_MAX_ITEMS,
+        vinyldnsConfig.limitsconfig.ZONE_ROUTING_DEFAULT_MAX_ITEMS,
+        vinyldnsConfig.limitsconfig.ZONE_ROUTING_MAX_ITEMS_LIMIT
      )
      val healthService = new HealthService(
        messageQueue.healthCheck :: backendResolver.healthCheck(
@ -176,6 +213,7 @@ object Boot extends App {
      val collectorRegistry = CollectorRegistry.defaultRegistry
      val vinyldnsService = new VinylDNSService(
        membershipService,
+        limits,
        processingSignal,
        zoneService,
        healthService,
@ -192,7 +230,7 @@ object Boot extends App {
      // Need to register a jvm shut down hook to make sure everything is cleaned up, especially important for
      // running locally.
      sys.ShutdownHookThread {
-        logger.error("STOPPING VINYLDNS SERVER...")
+        logger.info("STOPPING VINYLDNS SERVER...")

        //shutdown data store provider
        loaderResponse.shutdown()
@ -206,10 +244,10 @@ object Boot extends App {
        ()
      }

-      logger.error(
+      logger.info(
        s"STARTING VINYLDNS SERVER ON ${vinyldnsConfig.httpConfig.host}:${vinyldnsConfig.httpConfig.port}"
      )
-      logger.error(banner)
+      bannerLogger.info(banner)

      // Starts up our http server
      implicit val actorSystem: ActorSystem = system
@ -224,11 +262,12 @@ object Boot extends App {
  // runApp gives us a Task, we actually have to run it!  Running it will yield a Future, which is our app!
  runApp().unsafeRunAsync {
    case Right(_) =>
-      logger.error("VINYLDNS SERVER STARTED SUCCESSFULLY!!")
+      logger.info("VINYLDNS SERVER STARTED SUCCESSFULLY!!")
    case Left(startupFailure) =>
      logger.error(s"VINYLDNS SERVER UNABLE TO START $startupFailure")
      startupFailure.printStackTrace()
      // It doesn't do us much good to keep the application running if it failed to start.
      sys.exit(1)
  }
+
 }
--- a/modules/api/src/main/scala/vinyldns/api/backend/CommandHandler.scala
+++ b/modules/api/src/main/scala/vinyldns/api/backend/CommandHandler.scala
@ -28,12 +28,18 @@ import vinyldns.api.engine.{
 }
 import vinyldns.core.domain.backend.{Backend, BackendResolver}
 import vinyldns.core.domain.batch.{BatchChange, BatchChangeCommand, BatchChangeRepository}
-import vinyldns.core.domain.record.{RecordChangeRepository, RecordSetChange, RecordSetRepository}
+import vinyldns.core.domain.record.{
+  RecordChangeRepository,
+  RecordSetChange,
+  RecordSetCacheRepository,
+  RecordSetRepository
+}
 import vinyldns.core.domain.zone._
 import vinyldns.core.queue.{CommandMessage, MessageCount, MessageQueue}

 import scala.concurrent.duration._
 import vinyldns.core.notifier.AllNotifiers
+import java.io.{PrintWriter, StringWriter}

 object CommandHandler {

@ -89,7 +95,9 @@ object CommandHandler {
        )
        .parJoin(maxOpen)
        .handleErrorWith { error =>
-          logger.error("Encountered unexpected error in main flow", error)
+          val errorMessage = new StringWriter
+          error.printStackTrace(new PrintWriter(errorMessage))
+          logger.error(s"Encountered unexpected error in main flow. Error: ${errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")}")

          // just continue, the flow should never stop unless explicitly told to do so
          flow()
@ -118,7 +126,9 @@ object CommandHandler {
        .handleErrorWith { error =>
          // on error, we make sure we still continue; should only stop when the app stops
          // or processing is disabled
-          logger.error("Encountered error polling message queue", error)
+          val errorMessage = new StringWriter
+          error.printStackTrace(new PrintWriter(errorMessage))
+          logger.error(s"Encountered error polling message queue. Error: ${errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")}")

          // just keep going on the stream
          pollingStream()
@ -132,7 +142,7 @@ object CommandHandler {
    _.evalMap[IO, Any] { message =>
      message.command match {
        case sync: ZoneChange
-            if sync.changeType == ZoneChangeType.Sync || sync.changeType == ZoneChangeType.Create =>
+            if sync.changeType == ZoneChangeType.Sync || sync.changeType == ZoneChangeType.AutomatedSync || sync.changeType == ZoneChangeType.Create =>
          logger.info(s"Updating visibility timeout for zone change; changeId=${sync.id}")
          mq.changeMessageTimeout(message, 1.hour)

@ -153,7 +163,7 @@ object CommandHandler {
    _.evalMap[IO, MessageOutcome] { message =>
      message.command match {
        case sync: ZoneChange
-            if sync.changeType == ZoneChangeType.Sync || sync.changeType == ZoneChangeType.Create =>
+            if sync.changeType == ZoneChangeType.Sync || sync.changeType == ZoneChangeType.AutomatedSync || sync.changeType == ZoneChangeType.Create =>
          outcomeOf(message)(zoneSyncProcessor(sync))

        case zoneChange: ZoneChange =>
@ -177,7 +187,9 @@ object CommandHandler {
      .attempt
      .map {
        case Left(e) =>
-          logger.warn(s"Failed processing message need to retry; $message", e)
+          val errorMessage = new StringWriter
+          e.printStackTrace(new PrintWriter(errorMessage))
+          logger.warn(s"Failed processing message need to retry; $message. Error: ${errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")}")
          RetryMessage(message)
        case Right(ok) => ok
      }
@ -194,28 +206,30 @@ object CommandHandler {
    }.as(())

  def run(
-      mq: MessageQueue,
-      msgsPerPoll: MessageCount,
-      processingSignal: SignallingRef[IO, Boolean],
-      pollingInterval: FiniteDuration,
-      zoneRepo: ZoneRepository,
-      zoneChangeRepo: ZoneChangeRepository,
-      recordSetRepo: RecordSetRepository,
-      recordChangeRepo: RecordChangeRepository,
-      batchChangeRepo: BatchChangeRepository,
-      notifiers: AllNotifiers,
-      backendResolver: BackendResolver,
-      maxZoneSize: Int
+           mq: MessageQueue,
+           msgsPerPoll: MessageCount,
+           processingSignal: SignallingRef[IO, Boolean],
+           pollingInterval: FiniteDuration,
+           zoneRepo: ZoneRepository,
+           zoneChangeRepo: ZoneChangeRepository,
+           recordSetRepo: RecordSetRepository,
+           recordChangeRepo: RecordChangeRepository,
+           recordSetCacheRepo: RecordSetCacheRepository,
+           batchChangeRepo: BatchChangeRepository,
+           notifiers: AllNotifiers,
+           backendResolver: BackendResolver,
+           maxZoneSize: Int
  )(implicit timer: Timer[IO]): IO[Unit] = {
    // Handlers for each type of change request
    val zoneChangeHandler =
-      ZoneChangeHandler(zoneRepo, zoneChangeRepo, recordSetRepo)
+      ZoneChangeHandler(zoneRepo, zoneChangeRepo, recordSetRepo, recordSetCacheRepo)
    val recordChangeHandler =
-      RecordSetChangeHandler(recordSetRepo, recordChangeRepo, batchChangeRepo)
+      RecordSetChangeHandler(recordSetRepo, recordChangeRepo,recordSetCacheRepo, batchChangeRepo )
    val zoneSyncHandler =
      ZoneSyncHandler(
        recordSetRepo,
        recordChangeRepo,
+        recordSetCacheRepo,
        zoneChangeRepo,
        zoneRepo,
        backendResolver,
--- a/modules/api/src/main/scala/vinyldns/api/backend/dns/DnsBackend.scala
+++ b/modules/api/src/main/scala/vinyldns/api/backend/dns/DnsBackend.scala
@ -29,6 +29,7 @@ import vinyldns.core.domain.record.RecordType.RecordType
 import vinyldns.core.domain.record.{RecordSet, RecordSetChange, RecordSetChangeType, RecordType}
 import vinyldns.core.domain.zone.{Algorithm, Zone, ZoneConnection}

+import java.io.{PrintWriter, StringWriter}
 import scala.collection.JavaConverters._

 object DnsProtocol {
@ -165,6 +166,7 @@ class DnsBackend(val id: String, val resolver: DNS.SimpleResolver, val xfrInfo:
    val dnsName = recordDnsName(name, zoneName)
    logger.info(s"Querying for dns dnsRecordName='${dnsName.toString}'; recordType='$typ'")
    val lookup = new DNS.Lookup(dnsName, toDnsRecordType(typ))
+
    lookup.setResolver(resolver)
    lookup.setSearchPath(List(Name.empty).asJava)
    lookup.setCache(null)
@ -213,8 +215,29 @@ class DnsBackend(val id: String, val resolver: DNS.SimpleResolver, val xfrInfo:
        resp <- toDnsResponse(resp)
      } yield resp

+    val message =
+      for {
+        str <- Either.catchNonFatal(s"DNS Resolver: ${resolver.toString}, " +
+          s"Resolver Address=${resolver.getAddress.getAddress}, Resolver Host=${resolver.getAddress.getHostName}, " +
+          s"Resolver Port=${resolver.getPort}, Timeout=${resolver.getTimeout.toString}"
+        )
+      } yield str
+
+    val resolver_debug_message = message match {
+      case Right(value) => value
+      case Left(_) => s"DNS Resolver: ${resolver.toString}"
+    }
+
+    val receivedResponse = result match {
+      case Right(value) => value.toString.replaceAll("\n",";").replaceAll("\t"," ")
+      case Left(e) =>
+        val errorMessage = new StringWriter
+        e.printStackTrace(new PrintWriter(errorMessage))
+        errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")
+    }
+
    logger.info(
-      s"DnsConnection.send - Sending DNS Message ${obscuredDnsMessage(msg).toString}\n...received response $result"
+      s"DnsConnection.send - Sending DNS Message ${obscuredDnsMessage(msg).toString.replaceAll("\n",";").replaceAll("\t"," ")}. Received response: $receivedResponse. DNS Resolver Info: $resolver_debug_message"
    )

    result
@ -234,10 +257,10 @@ class DnsBackend(val id: String, val resolver: DNS.SimpleResolver, val xfrInfo:
        // so if we can parse the error into an rcode, then we need to handle it properly; otherwise, we can try again
        // The DNS.Rcode.value function will return -1 if the error cannot be parsed into an integer
        if (DNS.Rcode.value(query.error) >= 0) {
-          logger.info(s"Received TRY_AGAIN from DNS lookup; converting error: ${query.error}")
+          logger.warn(s"Received TRY_AGAIN from DNS lookup; converting error: ${query.error.replaceAll("\n",";")}")
          fromDnsRcodeToError(DNS.Rcode.value(query.error), query.error)
        } else {
-          logger.info(s"Unparseable error code returned from DNS: ${query.error}")
+          logger.warn(s"Unparseable error code returned from DNS: ${query.error.replaceAll("\n",";")}")
          Left(TryAgain(query.error))
        }

@ -293,7 +316,7 @@ object DnsBackend {
    new DNS.TSIG(
      parseAlgorithm(conn.algorithm),
      decryptedConnection.keyName,
-      decryptedConnection.key
+      decryptedConnection.key.value
    )
  }

--- a/modules/api/src/main/scala/vinyldns/api/backend/dns/DnsConversions.scala
+++ b/modules/api/src/main/scala/vinyldns/api/backend/dns/DnsConversions.scala
@ -19,7 +19,8 @@ package vinyldns.api.backend.dns
 import java.net.InetAddress
 import cats.syntax.either._
 import org.apache.commons.codec.binary.Hex
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.xbill.DNS
 import scodec.bits.ByteVector
 import vinyldns.api.backend.dns.DnsProtocol._
@ -203,8 +204,9 @@ trait DnsConversions {
      typ = fromDnsRecordType(r.getType),
      ttl = r.getTTL,
      status = RecordSetStatus.Active,
-      created = DateTime.now,
-      records = f(r)
+      created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
+      records = f(r),
+      recordSetGroupChange = Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.None))
    )

  // if we do not know the record type, then we cannot parse the records, but we should be able to get everything else
@ -215,8 +217,9 @@ trait DnsConversions {
      typ = fromDnsRecordType(r.getType),
      ttl = r.getTTL,
      status = RecordSetStatus.Active,
-      created = DateTime.now,
-      records = Nil
+      created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
+      records = Nil,
+      recordSetGroupChange = Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.None))
    )

  def fromARecord(r: DNS.ARecord, zoneName: DNS.Name, zoneId: String): RecordSet =
@ -278,7 +281,7 @@ trait DnsConversions {

  def fromSPFRecord(r: DNS.SPFRecord, zoneName: DNS.Name, zoneId: String): RecordSet =
    fromDnsRecord(r, zoneName, zoneId) { data =>
-      List(SPFData(data.getStrings.asScala.mkString(",")))
+      List(SPFData(data.getStrings.asScala.mkString))
    }

  def fromSRVRecord(r: DNS.SRVRecord, zoneName: DNS.Name, zoneId: String): RecordSet =
@ -393,7 +396,8 @@ trait DnsConversions {
          new DNS.SSHFPRecord(recordName, DNS.DClass.IN, ttl, algorithm, typ, Hex.decodeHex(fingerprint.toCharArray()))

        case SPFData(text) =>
-          new DNS.SPFRecord(recordName, DNS.DClass.IN, ttl, text)
+          val texts = text.grouped(255).toList
+          new DNS.SPFRecord(recordName, DNS.DClass.IN, ttl, texts.asJava)

        case TXTData(text) =>
          val texts = text.grouped(255).toList
--- a/modules/api/src/main/scala/vinyldns/api/config/DottedHostsConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/DottedHostsConfig.scala
@ -0,0 +1,31 @@
+/*
+ * Copyright 2018 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package vinyldns.api.config
+
+import pureconfig.ConfigReader
+import pureconfig.generic.auto._
+
+final case class ZoneAuthConfigs(zone: String, userList: List[String], groupList: List[String], recordTypes: List[String], dotsLimit: Int)
+final case class DottedHostsConfig(zoneAuthConfigs: List[ZoneAuthConfigs])
+
+object DottedHostsConfig {
+  implicit val configReader: ConfigReader[DottedHostsConfig] =
+    ConfigReader.forProduct1[DottedHostsConfig, List[ZoneAuthConfigs]](
+      "allowed-settings",
+    )(zoneAuthConfigs =>
+      DottedHostsConfig(zoneAuthConfigs))
+}
--- a/modules/api/src/main/scala/vinyldns/api/config/HighValueDomainConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/HighValueDomainConfig.scala
@ -31,6 +31,6 @@ object HighValueDomainConfig {
      "ip-list"
    ) {
      case (regexList, ipList) =>
-        HighValueDomainConfig(toCaseIgnoredRegexList(regexList), ipList.flatMap(IpAddress(_)))
+        HighValueDomainConfig(toCaseIgnoredRegexList(regexList), ipList.flatMap(IpAddress.fromString(_)))
    }
 }
--- a/modules/api/src/main/scala/vinyldns/api/config/LimitsConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/LimitsConfig.scala
@ -0,0 +1,61 @@
+/*
+ * Copyright 2018 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package vinyldns.api.config
+
+import pureconfig.ConfigReader
+
+final case class LimitsConfig(
+    BATCHCHANGE_ROUTING_MAX_ITEMS_LIMIT: Int,
+    MEMBERSHIP_ROUTING_DEFAULT_MAX_ITEMS: Int,
+    MEMBERSHIP_ROUTING_MAX_ITEMS_LIMIT: Int,
+    MEMBERSHIP_ROUTING_MAX_GROUPS_LIST_LIMIT: Int,
+    RECORDSET_ROUTING_DEFAULT_MAX_ITEMS: Int,
+    ZONE_ROUTING_DEFAULT_MAX_ITEMS: Int,
+    ZONE_ROUTING_MAX_ITEMS_LIMIT: Int
+)
+object LimitsConfig {
+  implicit val configReader: ConfigReader[LimitsConfig] =
+    ConfigReader.forProduct7[LimitsConfig, Int, Int, Int, Int, Int, Int, Int](
+      "batchchange-routing-max-items-limit",
+      "membership-routing-default-max-items",
+      "membership-routing-max-items-limit",
+      "membership-routing-max-groups-list-limit",
+      "recordset-routing-default-max-items",
+      "zone-routing-default-max-items",
+      "zone-routing-max-items-limit"
+    ) {
+      case (
+          batchchange_routing_max_items_limit,
+          membership_routing_default_max_items,
+          membership_routing_max_items_limit,
+          membership_routing_max_groups_list_limit,
+          recordset_routing_default_max_items,
+          zone_routing_default_max_items,
+          zone_routing_max_items_limit
+          ) =>
+        LimitsConfig(
+          batchchange_routing_max_items_limit,
+          membership_routing_default_max_items,
+          membership_routing_max_items_limit,
+          membership_routing_max_groups_list_limit,
+          recordset_routing_default_max_items,
+          zone_routing_default_max_items,
+          zone_routing_max_items_limit
+        )
+    }
+
+}
--- a/modules/api/src/main/scala/vinyldns/api/config/ManualReviewConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/ManualReviewConfig.scala
@ -41,7 +41,7 @@ object ManualReviewConfig {
        ManualReviewConfig(
          enabled,
          toCaseIgnoredRegexList(domainsConfig.getStringList("domain-list").asScala.toList),
-          domainsConfig.getStringList("ip-list").asScala.toList.flatMap(IpAddress(_)),
+          domainsConfig.getStringList("ip-list").asScala.toList.flatMap(IpAddress.fromString(_)),
          domainsConfig.getStringList("zone-name-list").asScala.toSet
        )
    }
--- a/modules/api/src/main/scala/vinyldns/api/config/ServerConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/ServerConfig.scala
@ -23,20 +23,25 @@ import vinyldns.api.domain.zone.ZoneRecordValidations
 import scala.util.matching.Regex

 final case class ServerConfig(
-    healthCheckTimeout: Int,
-    defaultTtl: Int,
-    maxZoneSize: Int,
-    syncDelay: Int,
-    validateRecordLookupAgainstDnsBackend: Boolean,
-    approvedNameServers: List[Regex],
-    color: String,
-    version: String,
-    keyName: String,
-    processingDisabled: Boolean
-)
+                               healthCheckTimeout: Int,
+                               defaultTtl: Int,
+                               maxZoneSize: Int,
+                               syncDelay: Int,
+                               validateRecordLookupAgainstDnsBackend: Boolean,
+                               approvedNameServers: List[Regex],
+                               color: String,
+                               version: String,
+                               keyName: String,
+                               processingDisabled: Boolean,
+                               useRecordSetCache: Boolean,
+                               loadTestData: Boolean,
+                               isZoneSyncScheduleAllowed: Boolean,
+                             )
 object ServerConfig {
+
  import ZoneRecordValidations.toCaseIgnoredRegexList
-  implicit val configReader: ConfigReader[ServerConfig] = ConfigReader.forProduct10[
+
+  implicit val configReader: ConfigReader[ServerConfig] = ConfigReader.forProduct13[
    ServerConfig,
    Int,
    Int,
@ -47,6 +52,9 @@ object ServerConfig {
    String,
    String,
    Config,
+    Boolean,
+    Boolean,
+    Boolean,
    Boolean
  ](
    "health-check-timeout",
@ -58,20 +66,25 @@ object ServerConfig {
    "color",
    "version",
    "defaultZoneConnection",
-    "processing-disabled"
+    "processing-disabled",
+    "use-recordset-cache",
+    "load-test-data",
+    "is-zone-sync-schedule-allowed"
  ) {
    case (
-        timeout,
-        ttl,
-        maxZone,
-        syncDelay,
-        validateDnsBackend,
-        approvedNameServers,
-        color,
-        version,
-        zoneConnConfig,
-        processingDisabled
-        ) =>
+      timeout,
+      ttl,
+      maxZone,
+      syncDelay,
+      validateDnsBackend,
+      approvedNameServers,
+      color,
+      version,
+      zoneConnConfig,
+      processingDisabled,
+      useRecordSetCache,
+      loadTestData,
+      isZoneSyncScheduleAllowed) =>
      ServerConfig(
        timeout,
        ttl,
@ -82,7 +95,10 @@ object ServerConfig {
        color,
        version,
        zoneConnConfig.getString("keyName"),
-        processingDisabled
+        processingDisabled,
+        useRecordSetCache,
+        loadTestData,
+        isZoneSyncScheduleAllowed
      )
  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/config/ValidEmailConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/ValidEmailConfig.scala
@ -0,0 +1,42 @@
+/*
+ * Copyright 2018 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package vinyldns.api.config
+
+import pureconfig.ConfigReader
+
+ case class ValidEmailConfig(
+    valid_domains : List[String],
+    number_of_dots : Int)
+object ValidEmailConfig {
+  implicit val configReader: ConfigReader[ValidEmailConfig] =
+    ConfigReader.forProduct2[ValidEmailConfig,List[String],Int](
+      "email-domains",
+      "number-of-dots"
+    )
+    {
+      case (
+        valid_domains,
+        number_of_dots,
+        ) =>
+        ValidEmailConfig(
+          valid_domains,
+          number_of_dots,
+
+        )
+    }
+
+}
--- a/modules/api/src/main/scala/vinyldns/api/config/VinylDNSConfig.scala
+++ b/modules/api/src/main/scala/vinyldns/api/config/VinylDNSConfig.scala
@ -37,6 +37,8 @@ import scala.reflect.ClassTag

 final case class VinylDNSConfig(
    serverConfig: ServerConfig,
+    limitsconfig: LimitsConfig,
+    validEmailConfig: ValidEmailConfig,
    httpConfig: HttpConfig,
    highValueDomainConfig: HighValueDomainConfig,
    manualReviewConfig: ManualReviewConfig,
@ -46,6 +48,7 @@ final case class VinylDNSConfig(
    notifierConfigs: List[NotifierConfig],
    dataStoreConfigs: List[DataStoreConfig],
    backendConfigs: BackendConfigs,
+    dottedHostsConfig: DottedHostsConfig,
    configuredDnsConnections: ConfiguredDnsConnections,
    apiMetricSettings: APIMetricsSettings,
    crypto: CryptoAlgebra,
@ -80,9 +83,12 @@ object VinylDNSConfig {

    for {
      config <- IO.delay(ConfigFactory.load())
+      limitsconfig <- loadIO[LimitsConfig](config, "vinyldns.api.limits") //Added Limitsconfig to fetch data from the reference.config and pass to LimitsConfig.config
+      validEmailConfig <- loadIO[ValidEmailConfig](config, path="vinyldns.valid-email-config")
      serverConfig <- loadIO[ServerConfig](config, "vinyldns")
      batchChangeConfig <- loadIO[BatchChangeConfig](config, "vinyldns")
      backendConfigs <- loadIO[BackendConfigs](config, "vinyldns.backend")
+      dottedHostsConfig <- loadIO[DottedHostsConfig](config, "vinyldns.dotted-hosts")
      httpConfig <- loadIO[HttpConfig](config, "vinyldns.rest")
      hvdConfig <- loadIO[HighValueDomainConfig](config, "vinyldns.high-value-domains")
      scheduledChangesConfig <- loadIO[ScheduledChangesConfig](config, "vinyldns")
@ -98,6 +104,8 @@ object VinylDNSConfig {
        .map(GlobalAcls.apply)
    } yield VinylDNSConfig(
      serverConfig,
+      limitsconfig,
+      validEmailConfig,
      httpConfig,
      hvdConfig,
      manualReviewConfig,
@ -107,6 +115,7 @@ object VinylDNSConfig {
      notifierConfigs,
      dataStoreConfigs,
      backendConfigs,
+      dottedHostsConfig,
      connections,
      metricSettings,
      crypto,
--- a/modules/api/src/main/scala/vinyldns/api/domain/DomainValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/DomainValidations.scala
@ -27,8 +27,13 @@ import scala.util.matching.Regex
  Object to house common domain validations
 */
 object DomainValidations {
+
+  val validReverseZoneFQDNRegex: Regex =
+    """^(?:([0-9a-zA-Z\-\/_]{1,63}|[0-9a-zA-Z\-\/_]{1}[0-9a-zA-Z\-\/_]{0,61}[0-9a-zA-Z\-\/_]{1}|[*.]{2}[0-9a-zA-Z\-\/_]{0,60}[0-9a-zA-Z\-\/_]{1})\.)*$""".r
+  val validForwardZoneFQDNRegex: Regex =
+    """^(?:([0-9a-zA-Z_]{1,63}|[0-9a-zA-Z_]{1}[0-9a-zA-Z\-_]{0,61}[0-9a-zA-Z_]{1}|[*.]{2}[0-9a-zA-Z\-_]{0,60}[0-9a-zA-Z_]{1})\.)*$""".r
  val validFQDNRegex: Regex =
-    """^(?:([0-9a-zA-Z_]{1,63}|[0-9a-zA-Z_]{1}[0-9a-zA-Z\-\/_]{0,61}[0-9a-zA-Z_]{1})\.)*$""".r
+    """^(?:([0-9a-zA-Z_]{1,63}|[0-9a-zA-Z_]{1}[0-9a-zA-Z\-\/_]{0,61}[0-9a-zA-Z_]{1}|[*.]{2}[0-9a-zA-Z\-\/_]{0,60}[0-9a-zA-Z_]{1})\.)*$""".r
  val validIpv4Regex: Regex =
    """^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$""".r
  val validIpv6Regex: Regex =
@ -54,16 +59,47 @@ object DomainValidations {
  val TTL_MIN_LENGTH: Int = 30
  val TXT_TEXT_MIN_LENGTH: Int = 1
  val TXT_TEXT_MAX_LENGTH: Int = 64764
-  val MX_PREFERENCE_MIN_VALUE: Int = 0
-  val MX_PREFERENCE_MAX_VALUE: Int = 65535
+  val INTEGER_MIN_VALUE: Int = 0
+  val INTEGER_MAX_VALUE: Int = 65535
+
+  // Cname check - Cname should not be IP address
+  def validateCname(name: Fqdn, isReverse: Boolean): ValidatedNel[DomainValidationError, Fqdn] =
+    validateIpv4Address(name.fqdn.dropRight(1)).isValid match {
+      case true => InvalidIPv4CName(name.toString).invalidNel
+      case false => validateIsReverseCname(name, isReverse)
+    }

  def validateHostName(name: Fqdn): ValidatedNel[DomainValidationError, Fqdn] =
    validateHostName(name.fqdn).map(_ => name)

+  def validateIsReverseCname(name: Fqdn, isReverse: Boolean): ValidatedNel[DomainValidationError, Fqdn] =
+    validateIsReverseCname(name.fqdn, isReverse).map(_ => name)
+
+  def validateIsReverseCname(name: String, isReverse: Boolean): ValidatedNel[DomainValidationError, String] = {
+    isReverse match {
+      case true =>
+        val checkRegex = validReverseZoneFQDNRegex
+          .findFirstIn(name)
+          .map(_.validNel)
+          .getOrElse(InvalidCname(name,isReverse).invalidNel)
+        val checkLength = validateStringLength(name, Some(HOST_MIN_LENGTH), HOST_MAX_LENGTH)
+
+        checkRegex.combine(checkLength).map(_ => name)
+      case false =>
+        val checkRegex = validForwardZoneFQDNRegex
+          .findFirstIn(name)
+          .map(_.validNel)
+          .getOrElse(InvalidCname(name,isReverse).invalidNel)
+        val checkLength = validateStringLength(name, Some(HOST_MIN_LENGTH), HOST_MAX_LENGTH)
+
+        checkRegex.combine(checkLength).map(_ => name)
+    }
+  }
+
  def validateHostName(name: String): ValidatedNel[DomainValidationError, String] = {
    /*
      Label rules are as follows (from RFC 952; detailed in RFC 1034):
-        - Starts with a letter, OR digit, or underscore (as of RFC 1123)
+        - Starts with a letter, or digit, or underscore or asterisk (as of RFC 1123)
        - Interior contains letter, digit or hyphen, or underscore
        - Ends with a letter or digit, or underscore
      All possible labels permutations:
@ -71,6 +107,8 @@ object DomainValidations {
        - A combination of 1-63 letters/digits: [0-9a-zA-Z]{1,63}
        - A single letter/digit followed by up to 61 letters, digits, hyphens or slashes
        and ending with a letter/digit:[0-9a-zA-Z]{1}[0-9a-zA-Z\-]{0,61}[0-9a-zA-Z]{1}
+        - A wildcard and dot character (*.) followed by up to 60 letters, digits, hyphens or slashes
+        and ending with a letter/digit:[*.]{2}[0-9a-zA-Z\-\/_]{0,60}[0-9a-zA-Z_]{1}
      A valid domain name is a series of one or more <label>s,
      joined by dots/slashes and terminating on a zero-length <label> (ie. dot)
     */
@ -83,6 +121,8 @@ object DomainValidations {
    checkRegex.combine(checkLength).map(_ => name)
  }

+
+
  def validateIpv4Address(address: String): ValidatedNel[DomainValidationError, String] =
    validIpv4Regex
      .findFirstIn(address)
@ -120,7 +160,15 @@ object DomainValidations {
  def validateTxtTextLength(value: String): ValidatedNel[DomainValidationError, String] =
    validateStringLength(value, Some(TXT_TEXT_MIN_LENGTH), TXT_TEXT_MAX_LENGTH)

-  def validateMxPreference(pref: Int): ValidatedNel[DomainValidationError, Int] =
-    if (pref >= MX_PREFERENCE_MIN_VALUE && pref <= MX_PREFERENCE_MAX_VALUE) pref.validNel
-    else InvalidMxPreference(pref, MX_PREFERENCE_MIN_VALUE, MX_PREFERENCE_MAX_VALUE).invalidNel[Int]
+  def validateMX_NAPTR_SRVData(number: Int, recordDataType: String, recordType: String): ValidatedNel[DomainValidationError, Int] =
+    if (number >= INTEGER_MIN_VALUE && number <= INTEGER_MAX_VALUE) number.validNel
+    else InvalidMX_NAPTR_SRVData(number, INTEGER_MIN_VALUE, INTEGER_MAX_VALUE, recordDataType, recordType).invalidNel[Int]
+
+  def validateNaptrFlag(value: String): ValidatedNel[DomainValidationError, String] =
+    if (value == "U" || value == "S" || value == "A" || value == "P") value.validNel
+    else InvalidNaptrFlag(value).invalidNel[String]
+
+  def validateNaptrRegexp(value: String): ValidatedNel[DomainValidationError, String] =
+    if ((value.startsWith("!") && value.endsWith("!")) || value == "") value.validNel
+    else InvalidNaptrRegexp(value).invalidNel[String]
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/ReverseZoneHelpers.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/ReverseZoneHelpers.scala
@ -17,7 +17,7 @@
 package vinyldns.api.domain

 import cats.implicits._
-import com.aaronbedra.orchard.CIDR
+import com.comcast.ip4s.{Cidr, Ipv4Address, Ipv6Address}
 import vinyldns.api.domain.zone.InvalidRequest
 import vinyldns.core.domain.zone.Zone
 import vinyldns.api.backend.dns.DnsConversions._
@ -30,8 +30,9 @@ object ReverseZoneHelpers {
    if (zone.isIPv4) {
      recordsetIsWithinCidrMaskIpv4(mask: String, zone: Zone, recordName: String)
    } else {
-      val ipAddr = convertPTRtoIPv6(zone, recordName)
-      Try(CIDR.valueOf(mask).contains(ipAddr)).getOrElse(false)
+      val ipAddr = Ipv6Address.fromString(convertPTRtoIPv6(zone, recordName))
+      Try(Cidr(Cidr.fromString6(mask).get.address,Cidr.fromString6(mask).get.prefixBits).contains(ipAddr.get))
+        .getOrElse(false)
    }

  // NOTE: this will not work for zones with less than 3 octets
@ -62,7 +63,7 @@ object ReverseZoneHelpers {
    }

  def convertPTRtoIPv4(zone: Zone, recordName: String): String = {
-    val zoneName = zone.name.split("in-addr.arpa.")(0)
+    val zoneName = zone.name.dropRight("in-addr.arpa.".length)
    val zoneOctets = ipv4ReverseSplitByOctets(zoneName)
    val recordOctets = ipv4ReverseSplitByOctets(recordName)

@ -74,7 +75,7 @@ object ReverseZoneHelpers {
  }

  def convertPTRtoIPv6(zone: Zone, recordName: String): String = {
-    val zoneName = zone.name.split("ip6.arpa.")(0)
+    val zoneName = zone.name.dropRight("ip6.arpa.".length)
    val zoneNameNibblesReversed = zoneName.split('.').reverse.toList
    val recordSetNibblesReversed = recordName.split('.').reverse.toList
    val allUnseparated = (zoneNameNibblesReversed ++ recordSetNibblesReversed).mkString("")
@ -86,11 +87,12 @@ object ReverseZoneHelpers {
      zone: Zone,
      recordName: String
  ): Boolean = {
-    val recordIpAddr = convertPTRtoIPv4(zone, recordName)
+
+    val recordIpAddr = Ipv4Address.fromString(convertPTRtoIPv4(zone, recordName))

    Try {
      // make sure mask contains 4 octets, expand if not
-      val ipMaskOctets = CIDR.parseBlock(mask).head.split('.').toList
+      val ipMaskOctets = Cidr.fromString4(mask).get.address.toString.split('.').toList

      val fullIp = ipMaskOctets.length match {
        case 1 => (ipMaskOctets ++ List("0", "0", "0")).mkString(".")
@ -99,9 +101,8 @@ object ReverseZoneHelpers {
        case 4 => ipMaskOctets.mkString(".")
      }

-      val updatedMask = fullIp + "/" + CIDR.valueOf(mask).getMask
-
-      CIDR.valueOf(updatedMask).contains(recordIpAddr)
+      val updatedMask = Cidr(recordIpAddr.get,Cidr.fromString4(mask).get.prefixBits)
+      updatedMask.contains(Ipv4Address.fromString(fullIp).get)
    }.getOrElse(false)
  }

@ -109,7 +110,7 @@ object ReverseZoneHelpers {
    string.split('.').filter(!_.isEmpty).reverse.toList

  private def getZoneAsCIDRString(zone: Zone): Either[Throwable, String] = {
-    val zoneName = zone.name.split("in-addr.arpa.")(0)
+    val zoneName = zone.name.dropRight("in-addr.arpa.".length)
    val zoneOctets = ipv4ReverseSplitByOctets(zoneName)
    val zoneString = zoneOctets.mkString(".")

@ -147,7 +148,7 @@ object ReverseZoneHelpers {
      zone: Zone,
      recordName: String
  ): Either[Throwable, Unit] = {
-    val v6Regex = "([0-9a-f][.]){32}ip6.arpa.".r
+    val v6Regex = "(?i)([0-9a-f][.]){32}ip6.arpa.".r

    s"$recordName.${zone.name}" match {
      case v6Regex(_*) => ().asRight
--- a/modules/api/src/main/scala/vinyldns/api/domain/access/AccessValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/access/AccessValidations.scala
@ -34,10 +34,17 @@ class AccessValidations(
    ensuring(
      NotAuthorizedError(s"User ${auth.signedInUser.userName} cannot access zone '${zone.name}'")
    )(
-      auth.isSystemAdmin || auth
+      auth.isSystemAdmin || zone.shared || auth
        .isGroupMember(zone.adminGroupId) || userHasAclRules(auth, zone)
    )

+  def canSeeZoneChange(auth: AuthPrincipal, zone: Zone): Either[Throwable, Unit] =
+    ensuring(
+      NotAuthorizedError(s"User ${auth.signedInUser.userName} cannot access zone '${zone.name}' changes")
+    )(
+      auth.isSystemAdmin || zone.shared || auth.isGroupMember(zone.adminGroupId)
+    )
+
  def canChangeZone(
      auth: AuthPrincipal,
      zoneName: String,
@ -73,6 +80,7 @@ class AccessValidations(
      recordType: RecordType,
      zone: Zone,
      recordOwnerGroupId: Option[String],
+      superUserCanUpdateOwnerGroup: Boolean = false,
      newRecordData: List[RecordData] = List.empty
  ): Either[Throwable, Unit] = {
    val accessLevel =
@ -82,7 +90,7 @@ class AccessValidations(
        s"User ${auth.signedInUser.userName} does not have access to update " +
          s"$recordName.${zone.name}"
      )
-    )(accessLevel == AccessLevel.Delete || accessLevel == AccessLevel.Write)
+    )(accessLevel == AccessLevel.Delete || accessLevel == AccessLevel.Write || superUserCanUpdateOwnerGroup)
  }

  def canDeleteRecordSet(
@ -222,7 +230,9 @@ class AccessValidations(
      AccessLevel.Delete
    case support if support.isSystemAdmin =>
      val aclAccess = getAccessFromAcl(auth, recordName, recordType, zone)
-      if (aclAccess == AccessLevel.NoAccess) AccessLevel.Read else aclAccess
+      if (aclAccess == AccessLevel.NoAccess)
+        AccessLevel.Read
+      else aclAccess
    case globalAclUser
        if globalAcls.isAuthorized(globalAclUser, recordName, recordType, zone, recordData) =>
      AccessLevel.Delete
--- a/modules/api/src/main/scala/vinyldns/api/domain/access/AccessValidationsAlgebra.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/access/AccessValidationsAlgebra.scala
@ -27,6 +27,8 @@ trait AccessValidationsAlgebra {

  def canSeeZone(auth: AuthPrincipal, zone: Zone): Either[Throwable, Unit]

+  def canSeeZoneChange(auth: AuthPrincipal, zone: Zone): Either[Throwable, Unit]
+
  def canChangeZone(
      auth: AuthPrincipal,
      zoneName: String,
@ -47,6 +49,7 @@ trait AccessValidationsAlgebra {
      recordType: RecordType,
      zone: Zone,
      recordOwnerGroupId: Option[String],
+      superUserCanUpdateOwnerGroup: Boolean = false,
      newRecordData: List[RecordData] = List.empty
  ): Either[Throwable, Unit]

--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeConverter.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeConverter.scala
@ -18,7 +18,8 @@ package vinyldns.api.domain.batch

 import cats.data.NonEmptyList
 import cats.syntax.list._
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.slf4j.LoggerFactory
 import vinyldns.api.domain.batch.BatchChangeInterfaces._
 import vinyldns.api.domain.batch.BatchTransformations._
@ -27,13 +28,14 @@ import vinyldns.api.domain.record.RecordSetChangeGenerator
 import vinyldns.core.domain.record._
 import vinyldns.core.domain.zone.Zone
 import vinyldns.core.domain.batch._
-import vinyldns.core.domain.record.RecordType.RecordType
+import vinyldns.core.domain.record.RecordType.{RecordType, UNKNOWN}
 import vinyldns.core.queue.MessageQueue

 class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue: MessageQueue)
    extends BatchChangeConverterAlgebra {

-  private val logger = LoggerFactory.getLogger("BatchChangeConverter")
+  private val failedMessage: String = "Error queueing RecordSetChange for processing"
+  private val logger = LoggerFactory.getLogger(classOf[BatchChangeConverter])

  def sendBatchForProcessing(
      batchChange: BatchChange,
@ -67,15 +69,20 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
      recordSetChanges: List[RecordSetChange]
  ): BatchResult[Unit] = {
    val convertedIds = recordSetChanges.flatMap(_.singleBatchChangeIds).toSet
-
    singleChanges.find(ch => !convertedIds.contains(ch.id)) match {
-      case Some(change) => BatchConversionError(change).toLeftBatchResult
-      case None =>
+      // Each single change has a corresponding recordset id
+      // If they're not equal, then there's a delete request for a record that doesn't exist. So we allow this to process
+      case Some(_) if singleChanges.map(_.id).length != recordSetChanges.map(_.id).length && !singleChanges.map(_.typ).contains(UNKNOWN) =>
        logger.info(s"Successfully converted SingleChanges [${singleChanges
          .map(_.id)}] to RecordSetChanges [${recordSetChanges.map(_.id)}]")
        ().toRightBatchResult
+      case Some(change) => BatchConversionError(change).toLeftBatchResult
+      case None =>
+          logger.info(s"Successfully converted SingleChanges [${singleChanges
+            .map(_.id)}] to RecordSetChanges [${recordSetChanges.map(_.id)}]")
+          ().toRightBatchResult
+        }
    }
-  }

  def putChangesOnQueue(
      recordSetChanges: List[RecordSetChange],
@ -104,7 +111,6 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
    val idsMap = recordSetChanges.flatMap { rsChange =>
      rsChange.singleBatchChangeIds.map(batchId => (batchId, rsChange.id))
    }.toMap
-
    val withStatus = batchChange.changes.map { change =>
      idsMap
        .get(change.id)
@ -113,19 +119,27 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
          change
        }
        .getOrElse {
-          // failure here means there was a message queue issue for this change
-          change.withFailureMessage("Error queueing RecordSetChange for processing")
+          // Match and check if it's a delete change for a record that doesn't exists.
+          change match {
+            case _: SingleDeleteRRSetChange if change.recordSetId.isEmpty =>
+              // Mark as Complete since we don't want to throw it as an error
+              change.withDoesNotExistMessage
+            case _ =>
+              // Failure here means there was a message queue issue for this change
+              change.withFailureMessage(failedMessage)
+          }
        }
    }
-
    batchChange.copy(changes = withStatus)
  }

  def storeQueuingFailures(batchChange: BatchChange): BatchResult[Unit] = {
-    val failedChanges = batchChange.changes.collect {
+    // Update if Single change is Failed or if a record that does not exist is deleted
+    val failedAndNotExistsChanges = batchChange.changes.collect {
      case change if change.status == SingleChangeStatus.Failed => change
    }
-    batchChangeRepo.updateSingleChanges(failedChanges).as(())
+    val storeChanges = batchChangeRepo.updateSingleChanges(failedAndNotExistsChanges).as(())
+    storeChanges
  }.toBatchResult

  def createRecordSetChangesForBatch(
@ -200,7 +214,7 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
        }
    }

-    // New record set for add/update or single delete
+    // New record set for add/update/full deletes
    lazy val newRecordSet = {
      val firstAddChange = singleChangeNel.collect {
        case sac: SingleAddChange => sac
@ -219,7 +233,34 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
            recordType,
            ttl,
            RecordSetStatus.Pending,
-            DateTime.now,
+            Instant.now.truncatedTo(ChronoUnit.MILLIS),
+            None,
+            proposedRecordData.toList,
+            ownerGroupId = setOwnerGroupId,
+            recordSetGroupChange = Some(OwnerShipTransfer(ownerShipTransferStatus = OwnerShipTransferStatus.None))
+          )
+      }
+    }
+
+    // New record set for single delete which exists in dns backend but not in vinyl
+    lazy val newDeleteRecordSet = {
+      val firstDeleteChange = singleChangeNel.collect {
+        case sad: SingleDeleteRRSetChange => sad
+      }.headOption
+
+      val newTtlRecordNameTuple = firstDeleteChange
+        .map(del => del.recordName)
+        .orElse(existingRecordSet.map(rs => Some(rs.name)))
+
+      newTtlRecordNameTuple.collect{
+        case Some(recordName) =>
+          RecordSet(
+            zone.id,
+            recordName,
+            recordType,
+            7200L,
+            RecordSetStatus.Pending,
+            Instant.now.truncatedTo(ChronoUnit.MILLIS),
            None,
            proposedRecordData.toList,
            ownerGroupId = setOwnerGroupId
@ -242,7 +283,12 @@ class BatchChangeConverter(batchChangeRepo: BatchChangeRepository, messageQueue:
          existingRs <- existingRecordSet
          newRs <- newRecordSet
        } yield RecordSetChangeGenerator.forUpdate(existingRs, newRs, zone, userId, singleChangeIds)
-      case _ => None // This case should never happen
+      case OutOfSync =>
+        newDeleteRecordSet.map { newDelRs =>
+          RecordSetChangeGenerator.forOutOfSync(newDelRs, zone, userId, singleChangeIds)
+        }
+      case _ =>
+        None // This case should never happen
    }
  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeErrors.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeErrors.scala
@ -16,7 +16,7 @@

 package vinyldns.api.domain.batch

-import org.joda.time.DateTime
+import java.time.Instant
 import vinyldns.api.domain.batch.BatchChangeInterfaces.ValidatedBatch
 import vinyldns.api.domain.batch.BatchTransformations.ChangeForValidation
 import vinyldns.core.domain.DomainValidationError
@ -69,7 +69,7 @@ case object ScheduledTimeMustBeInFuture extends BatchChangeErrorResponse {
  val message: String = "Scheduled time must be in the future."
 }

-final case class ScheduledChangeNotDue(scheduledTime: DateTime) extends BatchChangeErrorResponse {
+final case class ScheduledChangeNotDue(scheduledTime: Instant) extends BatchChangeErrorResponse {
  val message: String =
    s"Cannot process scheduled change as it is not past the scheduled date of $scheduledTime"
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeProtocol.scala
@ -17,7 +17,7 @@
 package vinyldns.api.domain.batch

 import cats.data.NonEmptyList
-import org.joda.time.DateTime
+import java.time.Instant
 import vinyldns.core.domain.{DomainValidationError, SingleChangeError}
 import vinyldns.core.domain.DomainHelpers.ensureTrailingDot
 import vinyldns.core.domain.batch._
@ -28,7 +28,7 @@ final case class BatchChangeInput(
    comments: Option[String],
    changes: List[ChangeInput],
    ownerGroupId: Option[String] = None,
-    scheduledTime: Option[DateTime] = None
+    scheduledTime: Option[Instant] = None
 )

 object BatchChangeInput {
@ -44,12 +44,14 @@ object BatchChangeInput {
 sealed trait ChangeInput {
  val inputName: String
  val typ: RecordType
+  val systemMessage: Option[String]
  def asNewStoredChange(errors: NonEmptyList[DomainValidationError], defaultTtl: Long): SingleChange
 }

 final case class AddChangeInput(
    inputName: String,
    typ: RecordType,
+    systemMessage: Option[String],
    ttl: Option[Long],
    record: RecordData
 ) extends ChangeInput {
@ -68,7 +70,7 @@ final case class AddChangeInput(
      knownTtl,
      record,
      SingleChangeStatus.NeedsReview,
-      None,
+      systemMessage,
      None,
      None,
      errors.toList.map(SingleChangeError(_))
@ -79,6 +81,7 @@ final case class AddChangeInput(
 final case class DeleteRRSetChangeInput(
    inputName: String,
    typ: RecordType,
+    systemMessage: Option[String],
    record: Option[RecordData]
 ) extends ChangeInput {
  def asNewStoredChange(
@ -93,7 +96,7 @@ final case class DeleteRRSetChangeInput(
      typ,
      record,
      SingleChangeStatus.NeedsReview,
-      None,
+      systemMessage,
      None,
      None,
      errors.toList.map(SingleChangeError(_))
@ -104,6 +107,7 @@ object AddChangeInput {
  def apply(
      inputName: String,
      typ: RecordType,
+      systemMessage: Option[String],
      ttl: Option[Long],
      record: RecordData
  ): AddChangeInput = {
@ -111,28 +115,29 @@ object AddChangeInput {
      case PTR => inputName
      case _ => ensureTrailingDot(inputName)
    }
-    new AddChangeInput(transformName, typ, ttl, record)
+    new AddChangeInput(transformName, typ, systemMessage, ttl, record)
  }

  def apply(sc: SingleAddChange): AddChangeInput =
-    AddChangeInput(sc.inputName, sc.typ, Some(sc.ttl), sc.recordData)
+    AddChangeInput(sc.inputName, sc.typ, sc.systemMessage, Some(sc.ttl), sc.recordData)
 }

 object DeleteRRSetChangeInput {
  def apply(
      inputName: String,
      typ: RecordType,
+      systemMessage: Option[String],
      record: Option[RecordData] = None
  ): DeleteRRSetChangeInput = {
    val transformName = typ match {
      case PTR => inputName
      case _ => ensureTrailingDot(inputName)
    }
-    new DeleteRRSetChangeInput(transformName, typ, record)
+    new DeleteRRSetChangeInput(transformName, typ, systemMessage, record)
  }

  def apply(sc: SingleDeleteRRSetChange): DeleteRRSetChangeInput =
-    DeleteRRSetChangeInput(sc.inputName, sc.typ, sc.recordData)
+    DeleteRRSetChangeInput(sc.inputName, sc.typ, sc.systemMessage, sc.recordData)
 }

 object ChangeInputType extends Enumeration {
--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeReviewInfo.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeReviewInfo.scala
@ -16,10 +16,11 @@

 package vinyldns.api.domain.batch

-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit

 final case class BatchChangeReviewInfo(
    reviewerId: String,
    reviewComment: Option[String],
-    reviewTimestamp: DateTime = DateTime.now()
+    reviewTimestamp: Instant = Instant.now.truncatedTo(ChronoUnit.MILLIS)
 )
--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeService.scala
@ -20,7 +20,9 @@ import cats.data.Validated.{Invalid, Valid}
 import cats.data._
 import cats.effect._
 import cats.implicits._
-import org.joda.time.DateTime
+
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.slf4j.{Logger, LoggerFactory}
 import vinyldns.api.domain.DomainValidations._
 import vinyldns.api.domain.auth.AuthPrincipalProvider
@ -32,19 +34,9 @@ import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.batch.BatchChangeApprovalStatus.BatchChangeApprovalStatus
 import vinyldns.core.domain.batch._
 import vinyldns.core.domain.batch.BatchChangeApprovalStatus._
-import vinyldns.core.domain.{
-  CnameAtZoneApexError,
-  SingleChangeError,
-  UserIsNotAuthorizedError,
-  ZoneDiscoveryError
-}
-import vinyldns.core.domain.membership.{
-  Group,
-  GroupRepository,
-  ListUsersResults,
-  User,
-  UserRepository
-}
+import vinyldns.core.domain.batch.BatchChangeStatus.BatchChangeStatus
+import vinyldns.core.domain.{CnameAtZoneApexError, SingleChangeError, UserIsNotAuthorizedError, ZoneDiscoveryError}
+import vinyldns.core.domain.membership.{Group, GroupRepository, ListUsersResults, User, UserRepository}
 import vinyldns.core.domain.record.RecordType._
 import vinyldns.core.domain.record.RecordSetRepository
 import vinyldns.core.domain.zone.ZoneRepository
@ -350,7 +342,7 @@ class BatchChangeService(
  ): ValidatedBatch[ChangeForValidation] =
    changes.mapValid { change =>
      change.typ match {
-        case A | AAAA | CNAME | MX | TXT => forwardZoneDiscovery(change, zoneMap)
+        case A | AAAA | CNAME | MX | TXT | NS | NAPTR | SRV => forwardZoneDiscovery(change, zoneMap)
        case PTR if validateIpv4Address(change.inputName).isValid =>
          ptrIpv4ZoneDiscovery(change, zoneMap)
        case PTR if validateIpv6Address(change.inputName).isValid =>
@ -447,7 +439,7 @@ class BatchChangeService(
        auth.userId,
        auth.signedInUser.userName,
        batchChangeInput.comments,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        changes,
        batchChangeInput.ownerGroupId,
        BatchChangeApprovalStatus.PendingReview,
@ -462,7 +454,7 @@ class BatchChangeService(
        auth.userId,
        auth.signedInUser.userName,
        batchChangeInput.comments,
-        DateTime.now,
+        Instant.now.truncatedTo(ChronoUnit.MILLIS),
        changes,
        batchChangeInput.ownerGroupId,
        BatchChangeApprovalStatus.AutoApproved,
@ -480,14 +472,15 @@ class BatchChangeService(
    val hardErrorsPresent = allErrors.exists(_.isFatal)
    val noErrors = allErrors.isEmpty
    val isScheduled = batchChangeInput.scheduledTime.isDefined && this.scheduledChangesEnabled
+    val isNSRecordsPresent = batchChangeInput.changes.exists(_.typ == NS)

    if (hardErrorsPresent) {
      // Always error out
      errorResponse
-    } else if (noErrors && !isScheduled) {
+    } else if (noErrors && !isScheduled && !isNSRecordsPresent) {
      // There are no errors and this is not scheduled, so process immediately
      processNowResponse
-    } else if (this.manualReviewEnabled && allowManualReview) {
+    } else if (this.manualReviewEnabled && allowManualReview || isNSRecordsPresent) {
      if ((noErrors && isScheduled) || batchChangeInput.ownerGroupId.isDefined) {
        // There are no errors and this is scheduled
        // or we have soft errors and owner group is defined
@ -589,15 +582,22 @@ class BatchChangeService(

  def listBatchChangeSummaries(
      auth: AuthPrincipal,
+      userName: Option[String] = None,
+      dateTimeStartRange: Option[String] = None,
+      dateTimeEndRange: Option[String] = None,
      startFrom: Option[Int] = None,
      maxItems: Int = 100,
      ignoreAccess: Boolean = false,
+      batchStatus: Option[BatchChangeStatus] = None,
      approvalStatus: Option[BatchChangeApprovalStatus] = None
  ): BatchResult[BatchChangeSummaryList] = {
    val userId = if (ignoreAccess && auth.isSystemAdmin) None else Some(auth.userId)
+    val submitterUserName = if(userName.isDefined && userName.get.isEmpty) None else userName
+    val startDateTime = if(dateTimeStartRange.isDefined && dateTimeStartRange.get.isEmpty) None else dateTimeStartRange
+    val endDateTime = if(dateTimeEndRange.isDefined && dateTimeEndRange.get.isEmpty) None else dateTimeEndRange
    for {
      listResults <- batchChangeRepo
-        .getBatchChangeSummaries(userId, startFrom, maxItems, approvalStatus)
+        .getBatchChangeSummaries(userId, submitterUserName, startDateTime, endDateTime, startFrom, maxItems, batchStatus, approvalStatus)
        .toBatchResult
      rsOwnerGroupIds = listResults.batchChanges.flatMap(_.ownerGroupId).toSet
      rsOwnerGroups <- groupRepository.getGroups(rsOwnerGroupIds).toBatchResult
@ -614,7 +614,10 @@ class BatchChangeService(
      listWithGroupNames = listResults.copy(
        batchChanges = summariesWithReviewerUserNames,
        ignoreAccess = ignoreAccess,
-        approvalStatus = approvalStatus
+        approvalStatus = approvalStatus,
+        userName = userName,
+        dateTimeStartRange = dateTimeStartRange,
+        dateTimeEndRange = dateTimeEndRange
      )
    } yield listWithGroupNames
  }
@ -631,7 +634,7 @@ class BatchChangeService(
      approvalStatus = BatchChangeApprovalStatus.ManuallyRejected,
      reviewerId = Some(reviewerId),
      reviewComment = reviewComment,
-      reviewTimestamp = Some(DateTime.now),
+      reviewTimestamp = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)),
      changes = rejectedSingleChanges
    )

@ -644,7 +647,7 @@ class BatchChangeService(
    // Update rejection attributes and single changes for batch change
    val cancelledBatch = batchChange.copy(
      approvalStatus = BatchChangeApprovalStatus.Cancelled,
-      cancelledTimestamp = Some(DateTime.now),
+      cancelledTimestamp = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)),
      changes = cancelledSingleChanges
    )

--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeServiceAlgebra.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeServiceAlgebra.scala
@ -19,6 +19,7 @@ package vinyldns.api.domain.batch
 import vinyldns.api.domain.batch.BatchChangeInterfaces.BatchResult
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.batch.BatchChangeApprovalStatus.BatchChangeApprovalStatus
+import vinyldns.core.domain.batch.BatchChangeStatus.BatchChangeStatus
 import vinyldns.core.domain.batch.{BatchChange, BatchChangeInfo, BatchChangeSummaryList}

 // $COVERAGE-OFF$
@ -33,9 +34,13 @@ trait BatchChangeServiceAlgebra {

  def listBatchChangeSummaries(
      auth: AuthPrincipal,
+      userName: Option[String] = None,
+      dateTimeStartRange: Option[String] = None,
+      dateTimeEndRange: Option[String] = None,
      startFrom: Option[Int],
      maxItems: Int,
      ignoreAccess: Boolean,
+      batchStatus: Option[BatchChangeStatus],
      approvalStatus: Option[BatchChangeApprovalStatus]
  ): BatchResult[BatchChangeSummaryList]

--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchChangeValidations.scala
@ -16,26 +16,26 @@

 package vinyldns.api.domain.batch

-import java.net.InetAddress
-
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import cats.data._
 import cats.implicits._
-import vinyldns.api.config.{
-  BatchChangeConfig,
-  HighValueDomainConfig,
-  ManualReviewConfig,
-  ScheduledChangesConfig
-}
+import vinyldns.api.config.{BatchChangeConfig, HighValueDomainConfig, ManualReviewConfig, ScheduledChangesConfig}
 import vinyldns.api.domain.DomainValidations._
 import vinyldns.api.domain.access.AccessValidationsAlgebra
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.api.domain.batch.BatchChangeInterfaces._
 import vinyldns.api.domain.batch.BatchTransformations._
+import vinyldns.api.domain.zone.ZoneRecordValidations.isStringInRegexList
 import vinyldns.api.domain.zone.ZoneRecordValidations
+import vinyldns.core.Messages.{nonExistentRecordDataDeleteMessage, nonExistentRecordDeleteMessage}
+import vinyldns.core.domain.DomainHelpers.omitTrailingDot
 import vinyldns.core.domain.record._
 import vinyldns.core.domain._
-import vinyldns.core.domain.batch.{BatchChange, BatchChangeApprovalStatus, OwnerType, RecordKey}
+import vinyldns.core.domain.batch.{BatchChange, BatchChangeApprovalStatus, OwnerType, RecordKey, RecordKeyData}
 import vinyldns.core.domain.membership.Group
+import vinyldns.core.domain.zone.Zone
+import scala.util.matching.Regex

 trait BatchChangeValidationsAlgebra {

@ -51,10 +51,10 @@ trait BatchChangeValidationsAlgebra {
  ): ValidatedBatch[ChangeInput]

  def validateChangesWithContext(
-      groupedChanges: ChangeForValidationMap,
-      auth: AuthPrincipal,
-      isApproved: Boolean,
-      batchOwnerGroupId: Option[String]
+    groupedChanges: ChangeForValidationMap,
+    auth: AuthPrincipal,
+    isApproved: Boolean,
+    batchOwnerGroupId: Option[String]
  ): ValidatedBatch[ChangeForValidation]

  def canGetBatchChange(
@ -85,7 +85,8 @@ class BatchChangeValidations(
    highValueDomainConfig: HighValueDomainConfig,
    manualReviewConfig: ManualReviewConfig,
    batchChangeConfig: BatchChangeConfig,
-    scheduledChangesConfig: ScheduledChangesConfig
+    scheduledChangesConfig: ScheduledChangesConfig,
+    approvedNameServers: List[Regex]
 ) extends BatchChangeValidationsAlgebra {

  import RecordType._
@ -182,7 +183,7 @@ class BatchChangeValidations(

  def validateScheduledApproval(batchChange: BatchChange): Either[BatchChangeErrorResponse, Unit] =
    batchChange.scheduledTime match {
-      case Some(dt) if dt.isAfterNow => Left(ScheduledChangeNotDue(dt))
+      case Some(dt) if dt.isAfter(Instant.now.truncatedTo(ChronoUnit.MILLIS)) => Left(ScheduledChangeNotDue(dt))
      case _ => Right(())
    }

@ -211,18 +212,18 @@ class BatchChangeValidations(
      isApproved: Boolean
  ): SingleValidation[Unit] = {
    val validTTL = addChangeInput.ttl.map(validateTTL(_).asUnit).getOrElse(().valid)
-    val validRecord = validateRecordData(addChangeInput.record)
+    val validRecord = validateRecordData(addChangeInput.record, addChangeInput)
    val validInput = validateInputName(addChangeInput, isApproved)

    validTTL |+| validRecord |+| validInput
  }

  def validateDeleteRRSetChangeInput(
-      deleteRRSetChangeInput: DeleteRRSetChangeInput,
-      isApproved: Boolean
+    deleteRRSetChangeInput: DeleteRRSetChangeInput,
+    isApproved: Boolean
  ): SingleValidation[Unit] = {
    val validRecord = deleteRRSetChangeInput.record match {
-      case Some(recordData) => validateRecordData(recordData)
+      case Some(recordData) => validateRecordData(recordData, deleteRRSetChangeInput)
      case None => ().validNel
    }
    val validInput = validateInputName(deleteRRSetChangeInput, isApproved)
@ -230,22 +231,32 @@ class BatchChangeValidations(
    validRecord |+| validInput
  }

-  def validateRecordData(record: RecordData): SingleValidation[Unit] =
+  def validateRecordData(record: RecordData,change: ChangeInput): SingleValidation[Unit] =
    record match {
      case a: AData => validateIpv4Address(a.address).asUnit
      case aaaa: AAAAData => validateIpv6Address(aaaa.address).asUnit
-      case cname: CNAMEData => validateHostName(cname.cname).asUnit
+      case cname: CNAMEData =>
+        /*
+        To validate the zone is reverse
+         */
+        val isIPv4: Boolean = change.inputName.toLowerCase.endsWith("in-addr.arpa.")
+        val isIPv6: Boolean = change.inputName.toLowerCase.endsWith("ip6.arpa.")
+        val isReverse: Boolean = isIPv4 || isIPv6
+        validateCname(cname.cname,isReverse).asUnit
      case ptr: PTRData => validateHostName(ptr.ptrdname).asUnit
      case txt: TXTData => validateTxtTextLength(txt.text).asUnit
      case mx: MXData =>
-        validateMxPreference(mx.preference).asUnit |+| validateHostName(mx.exchange).asUnit
+        validateMX_NAPTR_SRVData(mx.preference, "preference", "MX").asUnit |+| validateHostName(mx.exchange).asUnit
+      case ns: NSData => validateHostName(ns.nsdname).asUnit
+      case naptr: NAPTRData => validateMX_NAPTR_SRVData(naptr.preference, "preference", "NAPTR").asUnit |+| validateMX_NAPTR_SRVData(naptr.order, "order", "NAPTR").asUnit |+| validateHostName(naptr.replacement).asUnit |+| validateNaptrFlag(naptr.flags).asUnit |+| validateNaptrRegexp(naptr.regexp).asUnit
+      case srv: SRVData => validateMX_NAPTR_SRVData(srv.priority, "priority", "SRV").asUnit |+| validateMX_NAPTR_SRVData(srv.port, "port", "SRV").asUnit |+| validateMX_NAPTR_SRVData(srv.weight, "weight", "SRV").asUnit |+| validateHostName(srv.target).asUnit
      case other =>
        InvalidBatchRecordType(other.toString, SupportedBatchChangeRecordTypes.get).invalidNel[Unit]
    }

  def validateInputName(change: ChangeInput, isApproved: Boolean): SingleValidation[Unit] = {
    val typedChecks = change.typ match {
-      case A | AAAA | MX =>
+      case A | AAAA | MX | NS | NAPTR | SRV =>
        validateHostName(change.inputName).asUnit |+| notInReverseZone(change)
      case CNAME | TXT =>
        validateHostName(change.inputName).asUnit
@ -272,17 +283,17 @@ class BatchChangeValidations(
  /* context validations */

  def validateChangesWithContext(
-      groupedChanges: ChangeForValidationMap,
-      auth: AuthPrincipal,
-      isApproved: Boolean,
-      batchOwnerGroupId: Option[String]
+    groupedChanges: ChangeForValidationMap,
+    auth: AuthPrincipal,
+    isApproved: Boolean,
+    batchOwnerGroupId: Option[String]
  ): ValidatedBatch[ChangeForValidation] =
-    // Updates are a combination of an add and delete for a record with the same name and type in a zone.
+  // Updates are a combination of an add and delete for a record with the same name and type in a zone.
    groupedChanges.changes.mapValid {
      case add: AddChangeForValidation
-          if groupedChanges
-            .getLogicalChangeType(add.recordKey)
-            .contains(LogicalChangeType.Add) =>
+        if groupedChanges
+          .getLogicalChangeType(add.recordKey)
+          .contains(LogicalChangeType.Add) =>
        validateAddWithContext(add, groupedChanges, auth, isApproved, batchOwnerGroupId)
      case addUpdate: AddChangeForValidation =>
        validateAddUpdateWithContext(addUpdate, groupedChanges, auth, isApproved, batchOwnerGroupId)
@ -304,35 +315,34 @@ class BatchChangeValidations(
    else
      ().validNel

-  def matchRecordData(existingRecordSetData: List[RecordData], recordData: RecordData): Boolean =
-    existingRecordSetData.exists { rd =>
-      (rd, recordData) match {
-        case (AAAAData(rdAddress), AAAAData(proposedAddress)) =>
-          InetAddress.getByName(proposedAddress).getHostName == InetAddress
-            .getByName(rdAddress)
-            .getHostName
-        case _ => rd == recordData
-      }
+  def matchRecordData(existingRecordSetData: List[RecordData], recordData: RecordData): Boolean = {
+    existingRecordSetData.par.exists { rd =>
+      rd == recordData
    }
+  }

  def ensureRecordExists(
-      change: ChangeForValidation,
-      groupedChanges: ChangeForValidationMap
-  ): SingleValidation[Unit] =
+    change: ChangeForValidation,
+    groupedChanges: ChangeForValidationMap
+  ): Boolean = {
    change match {
      // For DeleteRecord inputs, need to verify that the record data actually exists
-      case DeleteRRSetChangeForValidation(
-          _,
-          _,
-          DeleteRRSetChangeInput(inputName, _, Some(recordData))
-          )
-          if !groupedChanges
-            .getExistingRecordSet(change.recordKey)
-            .exists(rs => matchRecordData(rs.records, recordData)) =>
-        DeleteRecordDataDoesNotExist(inputName, recordData).invalidNel
+      case DeleteRRSetChangeForValidation(_, _, DeleteRRSetChangeInput(_, _, _, Some(recordData)))
+        if !groupedChanges
+          .getExistingRecordSet(change.recordKey)
+          .exists(rs => matchRecordData(rs.records, recordData)) =>
+        false
      case _ =>
-        ().validNel
+        true
    }
+  }
+
+  def updateSystemMessage(changeInput: ChangeInput, systemMessage: String): ChangeInput = {
+    changeInput match {
+      case dci: DeleteRRSetChangeInput => dci.copy(systemMessage = Some(systemMessage))
+      case _ => changeInput
+    }
+  }

  def validateDeleteWithContext(
      change: ChangeForValidation,
@ -341,15 +351,34 @@ class BatchChangeValidations(
      isApproved: Boolean
  ): SingleValidation[ChangeForValidation] = {

-    val validations =
-      groupedChanges.getExistingRecordSet(change.recordKey) match {
-        case Some(rs) =>
-          userCanDeleteRecordSet(change, auth, rs.ownerGroupId, rs.records) |+|
-            zoneDoesNotRequireManualReview(change, isApproved) |+|
-            ensureRecordExists(change, groupedChanges)
-        case None => RecordDoesNotExist(change.inputChange.inputName).invalidNel
-      }
-    validations.map(_ => change)
+    val recordData = change match {
+      case AddChangeForValidation(_, _, inputChange, _, _) => inputChange.record.toString
+      case DeleteRRSetChangeForValidation(_, _, inputChange) => inputChange.record.map(_.toString).getOrElse("")
+    }
+
+    val addInBatch = groupedChanges.getProposedAdds(change.recordKey)
+    val isSameRecordUpdateInBatch = recordData.nonEmpty && addInBatch.contains(RecordData.fromString(recordData, change.inputChange.typ).get)
+
+    // Perform the system message update based on the condition
+    val updatedChange = if (groupedChanges.getExistingRecordSet(change.recordKey).isEmpty && !isSameRecordUpdateInBatch) {
+      val updatedChangeInput = updateSystemMessage(change.inputChange, nonExistentRecordDeleteMessage)
+      change.withUpdatedInputChange(updatedChangeInput)
+    } else if (!ensureRecordExists(change, groupedChanges)) {
+      val updatedChangeInput = updateSystemMessage(change.inputChange, nonExistentRecordDataDeleteMessage)
+      change.withUpdatedInputChange(updatedChangeInput)
+    } else {
+      change
+    }
+
+    val validations = groupedChanges.getExistingRecordSet(updatedChange.recordKey) match {
+      case Some(rs) =>
+        userCanDeleteRecordSet(updatedChange, auth, rs.ownerGroupId, rs.records) |+|
+          zoneDoesNotRequireManualReview(updatedChange, isApproved)
+      case None =>
+        if (isSameRecordUpdateInBatch) InvalidUpdateRequest(updatedChange.inputChange.inputName).invalidNel else ().validNel
+    }
+
+    validations.map(_ => updatedChange)
  }

  def validateAddUpdateWithContext(
@ -378,7 +407,7 @@ class BatchChangeValidations(
            ) |+|
            zoneDoesNotRequireManualReview(change, isApproved)
        case None =>
-          RecordDoesNotExist(change.inputChange.inputName).invalidNel
+          InvalidUpdateRequest(change.inputChange.inputName).invalidNel
      }
    }

@ -393,30 +422,52 @@ class BatchChangeValidations(
      auth: AuthPrincipal,
      isApproved: Boolean
  ): SingleValidation[ChangeForValidation] = {
+
+    // To handle add and delete for the record with same record data is present in the batch
+    val recordData = change match {
+      case AddChangeForValidation(_, _, inputChange, _, _) => inputChange.record.toString
+      case DeleteRRSetChangeForValidation(_, _, inputChange) => inputChange.record.map(_.toString).getOrElse("")
+    }
+
+    val addInBatch = groupedChanges.getProposedAdds(change.recordKey)
+    val isSameRecordUpdateInBatch = recordData.nonEmpty && addInBatch.contains(RecordData.fromString(recordData, change.inputChange.typ).get)
+
+    // Perform the system message update based on the condition
+    val updatedChange = if (groupedChanges.getExistingRecordSet(change.recordKey).isEmpty && !isSameRecordUpdateInBatch) {
+      val updatedChangeInput = updateSystemMessage(change.inputChange, nonExistentRecordDeleteMessage)
+      change.withUpdatedInputChange(updatedChangeInput)
+    } else if (!ensureRecordExists(change, groupedChanges)) {
+      val updatedChangeInput = updateSystemMessage(change.inputChange, nonExistentRecordDataDeleteMessage)
+      change.withUpdatedInputChange(updatedChangeInput)
+    } else {
+      change
+    }
+
    val validations =
-      groupedChanges.getExistingRecordSet(change.recordKey) match {
+      groupedChanges.getExistingRecordSet(updatedChange.recordKey) match {
        case Some(rs) =>
-          val adds = groupedChanges.getProposedAdds(change.recordKey).toList
-          userCanUpdateRecordSet(change, auth, rs.ownerGroupId, adds) |+|
-            zoneDoesNotRequireManualReview(change, isApproved) |+|
-            ensureRecordExists(change, groupedChanges)
+          val adds = groupedChanges.getProposedAdds(updatedChange.recordKey).toList
+          userCanUpdateRecordSet(updatedChange, auth, rs.ownerGroupId, adds) |+|
+            zoneDoesNotRequireManualReview(updatedChange, isApproved)
        case None =>
-          RecordDoesNotExist(change.inputChange.inputName).invalidNel
+          if(isSameRecordUpdateInBatch) InvalidUpdateRequest(updatedChange.inputChange.inputName).invalidNel else ().validNel
      }

-    validations.map(_ => change)
+    validations.map(_ => updatedChange)
  }

  def validateAddWithContext(
-      change: AddChangeForValidation,
-      groupedChanges: ChangeForValidationMap,
-      auth: AuthPrincipal,
-      isApproved: Boolean,
-      ownerGroupId: Option[String]
+    change: AddChangeForValidation,
+    groupedChanges: ChangeForValidationMap,
+    auth: AuthPrincipal,
+    isApproved: Boolean,
+    ownerGroupId: Option[String]
  ): SingleValidation[ChangeForValidation] = {
    val typedValidations = change.inputChange.typ match {
-      case A | AAAA | MX =>
+      case A | AAAA | MX | SRV | NAPTR =>
        newRecordSetIsNotDotted(change)
+      case NS =>
+        newRecordSetIsNotDotted(change) |+| nsValidations(change.inputChange.record, change.recordName, change.zone, approvedNameServers)
      case CNAME =>
        cnameHasUniqueNameInBatch(change, groupedChanges) |+|
          newRecordSetIsNotDotted(change)
@ -426,8 +477,29 @@ class BatchChangeValidations(
        InvalidBatchRecordType(other.toString, SupportedBatchChangeRecordTypes.get).invalidNel
    }

+    // To handle add and delete for the record with same record data is present in the batch
+    val recordData = change match {
+      case AddChangeForValidation(_, _, inputChange, _, _) => inputChange.record.toString
+    }
+
+    val deletes = groupedChanges.getProposedDeletes(change.recordKey)
+    val isDeleteExists = deletes.nonEmpty
+    val isSameRecordUpdateInBatch = if(recordData.nonEmpty){
+      if(deletes.contains(RecordData.fromString(recordData, change.inputChange.typ).get)) true else false
+    } else false
+
+    val commonValidations: SingleValidation[Unit] = {
+      groupedChanges.getExistingRecordSet(change.recordKey) match {
+        case Some(_) =>
+          ().validNel
+        case None =>
+          if(isSameRecordUpdateInBatch) InvalidUpdateRequest(change.inputChange.inputName).invalidNel else ().validNel
+      }
+    }
+
    val validations =
      typedValidations |+|
+        commonValidations |+|
        noIncompatibleRecordExists(change, groupedChanges) |+|
        userCanAddRecordSet(change, auth) |+|
        recordDoesNotExist(
@ -435,11 +507,12 @@ class BatchChangeValidations(
          change.recordName,
          change.inputChange.inputName,
          change.inputChange.typ,
-          groupedChanges
+          change.inputChange.record,
+          groupedChanges,
+          isDeleteExists
        ) |+|
        ownerGroupProvidedIfNeeded(change, None, ownerGroupId) |+|
        zoneDoesNotRequireManualReview(change, isApproved)
-
    validations.map(_ => change)
  }

@ -477,11 +550,17 @@ class BatchChangeValidations(
      recordName: String,
      inputName: String,
      typ: RecordType,
-      groupedChanges: ChangeForValidationMap
-  ): SingleValidation[Unit] =
-    groupedChanges.getExistingRecordSet(RecordKey(zoneId, recordName, typ)) match {
-      case Some(_) => RecordAlreadyExists(inputName).invalidNel
-      case None => ().validNel
+      recordData: RecordData,
+      groupedChanges: ChangeForValidationMap,
+      isDeleteExist: Boolean
+  ): SingleValidation[Unit] = {
+    val record = groupedChanges.getExistingRecordSetData(RecordKeyData(zoneId, recordName, typ, recordData))
+    if(record.isDefined) {
+      record.get.records.contains(recordData) match {
+        case true => ().validNel
+        case false => if(isDeleteExist) ().validNel else RecordAlreadyExists(inputName).invalidNel
+      }
+    } else ().validNel
    }

  def noIncompatibleRecordExists(
@ -552,6 +631,7 @@ class BatchChangeValidations(
        input.inputChange.typ,
        input.zone,
        ownerGroupId,
+        false,
        addRecords
      )
    result
@ -670,7 +750,7 @@ class BatchChangeValidations(
  ): Either[BatchChangeErrorResponse, Unit] =
    (scheduledChangesEnabled, input.scheduledTime) match {
      case (_, None) => Right(())
-      case (true, Some(scheduledTime)) if scheduledTime.isAfterNow => Right(())
+      case (true, Some(scheduledTime)) if scheduledTime.isAfter(Instant.now.truncatedTo(ChronoUnit.MILLIS)) => Right(())
      case (true, _) => Left(ScheduledTimeMustBeInFuture)
      case (false, _) => Left(ScheduledChangesDisabled)
    }
@ -688,4 +768,46 @@ class BatchChangeValidations(
        change.inputChange.inputName
      )
    }
+
+  def nsValidations(
+     newRecordSetData: RecordData,
+     newRecordSetName: String,
+     zone: Zone,
+     approvedNameServers: List[Regex]
+  ): SingleValidation[Unit] = {
+
+      isNotOrigin(
+        newRecordSetName,
+        zone,
+        s"Record with name $newRecordSetName is an NS record at apex and cannot be added"
+      )
+      containsApprovedNameServers(newRecordSetData, approvedNameServers)
+  }
+
+  def isNotOrigin(recordSet: String, zone: Zone, err: String): SingleValidation[Unit] =
+    if(!isOriginRecord(recordSet, omitTrailingDot(zone.name))) ().validNel else InvalidBatchRequest(err).invalidNel
+
+  def isOriginRecord(recordSetName: String, zoneName: String): Boolean =
+    recordSetName == "@" || omitTrailingDot(recordSetName) == omitTrailingDot(zoneName)
+
+  def containsApprovedNameServers(
+     nsRecordSet: RecordData,
+     approvedNameServers: List[Regex]
+  ): SingleValidation[Unit] = {
+    val nsData = nsRecordSet match {
+      case ns: NSData => ns
+      case _ => ??? // this would never be the case
+    }
+    isApprovedNameServer(approvedNameServers, nsData)
+  }
+
+  def isApprovedNameServer(
+    approvedServerList: List[Regex],
+    nsData: NSData
+  ): SingleValidation[Unit] =
+    if (isStringInRegexList(approvedServerList, nsData.nsdname.fqdn)) {
+      ().validNel
+    } else {
+      NotApprovedNSError(nsData.nsdname.fqdn).invalidNel
+    }
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchTransformations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/batch/BatchTransformations.scala
@ -16,7 +16,6 @@

 package vinyldns.api.domain.batch

-import java.net.InetAddress
 import java.util.UUID

 import vinyldns.api.domain.ReverseZoneHelpers
@ -24,13 +23,13 @@ import vinyldns.api.domain.batch.BatchChangeInterfaces.ValidatedBatch
 import vinyldns.api.domain.batch.BatchTransformations.LogicalChangeType.LogicalChangeType
 import vinyldns.api.backend.dns.DnsConversions.getIPv6FullReverseName
 import vinyldns.core.domain.batch._
-import vinyldns.core.domain.record.{AAAAData, RecordData, RecordSet, RecordSetChange}
+import vinyldns.core.domain.record.{RecordData, RecordSet, RecordSetChange}
 import vinyldns.core.domain.record.RecordType._
 import vinyldns.core.domain.zone.Zone
 import vinyldns.core.domain.record.RecordType.RecordType

 object SupportedBatchChangeRecordTypes {
-  val supportedTypes = Set(A, AAAA, CNAME, PTR, TXT, MX)
+  val supportedTypes = Set(A, AAAA, CNAME, PTR, TXT, MX, NS, SRV, NAPTR)
  def get: Set[RecordType] = supportedTypes
 }

@ -68,6 +67,9 @@ object BatchTransformations {
    def get(recordKey: RecordKey): Option[RecordSet] =
      get(recordKey.zoneId, recordKey.recordName, recordKey.recordType)

+    def get(recordKeyData: RecordKeyData): Option[RecordSet] =
+      get(recordKeyData.zoneId, recordKeyData.recordName, recordKeyData.recordType)
+
    def getRecordSetMatch(zoneId: String, name: String): List[RecordSet] =
      recordSetMap.getOrElse((zoneId, name.toLowerCase), List())
  }
@ -79,6 +81,7 @@ object BatchTransformations {
    val recordKey = RecordKey(zone.id, recordName, inputChange.typ)
    def asStoredChange(changeId: Option[String] = None): SingleChange
    def isAddChangeForValidation: Boolean
+    def withUpdatedInputChange(inputChange: ChangeInput): ChangeForValidation
  }

  object ChangeForValidation {
@ -115,7 +118,7 @@ object BatchTransformations {
        ttl,
        inputChange.record,
        SingleChangeStatus.Pending,
-        None,
+        inputChange.systemMessage,
        None,
        None,
        List.empty,
@ -124,6 +127,10 @@ object BatchTransformations {
    }

    def isAddChangeForValidation: Boolean = true
+
+    def withUpdatedInputChange(inputChange: ChangeInput): ChangeForValidation = {
+      this.copy(inputChange = inputChange.asInstanceOf[AddChangeInput])
+    }
  }

  final case class DeleteRRSetChangeForValidation(
@ -140,7 +147,7 @@ object BatchTransformations {
        inputChange.typ,
        inputChange.record,
        SingleChangeStatus.Pending,
-        None,
+        inputChange.systemMessage,
        None,
        None,
        List.empty,
@ -148,6 +155,10 @@ object BatchTransformations {
      )

    def isAddChangeForValidation: Boolean = false
+
+    def withUpdatedInputChange(inputChange: ChangeInput): ChangeForValidation = {
+      this.copy(inputChange = inputChange.asInstanceOf[DeleteRRSetChangeInput])
+    }
  }

  final case class BatchConversionOutput(
@ -171,9 +182,15 @@ object BatchTransformations {
    def getExistingRecordSet(recordKey: RecordKey): Option[RecordSet] =
      existingRecordSets.get(recordKey)

+    def getExistingRecordSetData(recordKeyData: RecordKeyData): Option[RecordSet] =
+      existingRecordSets.get(recordKeyData)
+
    def getProposedAdds(recordKey: RecordKey): Set[RecordData] =
      innerMap.get(recordKey).map(_.proposedAdds).toSet.flatten

+    def getProposedDeletes(recordKey: RecordKey): Set[RecordData] =
+      innerMap.get(recordKey).map(_.proposedDeletes).toSet.flatten
+
    // The new, net record data factoring in existing records, deletes and adds
    // If record is not edited in batch, will fallback to look up record in existing
    // records
@ -188,13 +205,6 @@ object BatchTransformations {
  }

  object ValidationChanges {
-    def matchRecordData(existingRecord: RecordData, recordData: String): Boolean =
-      existingRecord match {
-        case AAAAData(address) =>
-          InetAddress.getByName(address).getHostName ==
-            InetAddress.getByName(recordData).getHostName
-        case _ => false
-      }

    def apply(
        changes: List[ChangeForValidation],
@ -214,16 +224,11 @@ object BatchTransformations {
          case DeleteRRSetChangeForValidation(
              _,
              _,
-              DeleteRRSetChangeInput(_, AAAA, Some(AAAAData(address)))
-              ) =>
-            existingRecords.filter(r => matchRecordData(r, address))
-          case DeleteRRSetChangeForValidation(
-              _,
-              _,
-              DeleteRRSetChangeInput(_, _, Some(recordData))
+              DeleteRRSetChangeInput(_, _, _, Some(recordData))
              ) =>
            Set(recordData)
-          case _: DeleteRRSetChangeForValidation => existingRecords
+          case _: DeleteRRSetChangeForValidation =>
+            existingRecords
        }
        .toSet
        .flatten
@ -231,26 +236,45 @@ object BatchTransformations {
      // New proposed record data (assuming all validations pass)
      val proposedRecordData = existingRecords -- deleteChangeSet ++ addChangeRecordDataSet

-      // Note: "Update" where an Add and DeleteRecordSet is provided for a DNS record that does not exist will be
-      // treated as a logical Add since the delete validation will fail (on record does not exist)
      val logicalChangeType = (addChangeRecordDataSet.nonEmpty, deleteChangeSet.nonEmpty) match {
-        case (true, true) => LogicalChangeType.Update
-        case (true, false) => LogicalChangeType.Add
-        case (false, true) =>
-          if ((existingRecords -- deleteChangeSet).isEmpty) {
-            LogicalChangeType.FullDelete
+        case (true, true) =>
+          if (existingRecords.isEmpty) {
+            // Note: "Add" where an Add and DeleteRecordSet is provided for a DNS record that does not exist.
+            // Adds the record if it doesn't exist and ignores the delete.
+            LogicalChangeType.Add
          } else {
+            // Note: "Update" where an Add and DeleteRecordSet is provided for a DNS record that exist, but record data for DeleteRecordSet does not exist.
+            // Updates the record and ignores the delete.
            LogicalChangeType.Update
          }
-        case (false, false) => LogicalChangeType.NotEditedInBatch
+        case (true, false) => LogicalChangeType.Add
+        case (false, true) =>
+          if (existingRecords == deleteChangeSet) {
+            LogicalChangeType.FullDelete
+          } else if (existingRecords.nonEmpty) {
+            LogicalChangeType.Update
+          } else {
+            LogicalChangeType.OutOfSync
+          }
+        case (false, false) =>
+          if(changes.exists {
+            case _: DeleteRRSetChangeForValidation => true
+            case _ => false
+            }
+          ){
+            LogicalChangeType.OutOfSync
+          } else {
+            LogicalChangeType.NotEditedInBatch
+          }
      }

-      new ValidationChanges(addChangeRecordDataSet, proposedRecordData, logicalChangeType)
+      new ValidationChanges(addChangeRecordDataSet, deleteChangeSet, proposedRecordData, logicalChangeType)
    }
  }

  final case class ValidationChanges(
      proposedAdds: Set[RecordData],
+      proposedDeletes: Set[RecordData],
      proposedRecordData: Set[RecordData],
      logicalChangeType: LogicalChangeType
  )
@ -263,6 +287,6 @@ object BatchTransformations {

  object LogicalChangeType extends Enumeration {
    type LogicalChangeType = Value
-    val Add, FullDelete, Update, NotEditedInBatch = Value
+    val Add, FullDelete, Update, NotEditedInBatch, OutOfSync = Value
  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipProtocol.scala
@ -17,8 +17,9 @@
 package vinyldns.api.domain.membership

 import java.util.UUID
-
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
+import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.membership.GroupChangeType.GroupChangeType
 import vinyldns.core.domain.membership.GroupStatus.GroupStatus
 import vinyldns.core.domain.membership.LockStatus.LockStatus
@ -30,21 +31,26 @@ final case class GroupInfo(
    name: String,
    email: String,
    description: Option[String] = None,
-    created: DateTime = DateTime.now,
+    created: Instant = Instant.now.truncatedTo(ChronoUnit.MILLIS),
    status: GroupStatus = GroupStatus.Active,
    members: Set[UserId] = Set.empty,
    admins: Set[UserId] = Set.empty
 )
 object GroupInfo {
-  def apply(group: Group): GroupInfo = GroupInfo(
+  def apply(group: Group): GroupInfo = fromGroup(group, abridged = false, None)
+
+  def fromGroup(group: Group, abridged: Boolean = false,
+                authPrincipal: Option[AuthPrincipal]): GroupInfo = GroupInfo(
    id = group.id,
    name = group.name,
    email = group.email,
    description = group.description,
-    created = group.created,
-    status = group.status,
-    members = group.memberIds.map(UserId),
-    admins = group.adminUserIds.map(UserId)
+    created = if (abridged) null else group.created,
+    status = if (abridged) null else group.status,
+    members = (if (abridged && authPrincipal.isDefined) group.memberIds.filter(x => authPrincipal.get.userId == x && authPrincipal.get.isGroupMember(group.id))
+              else group.memberIds).map(UserId),
+    admins = (if (abridged && authPrincipal.isDefined) group.adminUserIds.filter(x => authPrincipal.get.userId == x && authPrincipal.get.isGroupAdmin(group))
+              else group.adminUserIds).map(UserId)
  )
 }

@ -54,7 +60,9 @@ final case class GroupChangeInfo(
    userId: String,
    oldGroup: Option[GroupInfo] = None,
    id: String = UUID.randomUUID().toString,
-    created: String = DateTime.now.getMillis.toString
+    created: Instant = Instant.now.truncatedTo(ChronoUnit.MILLIS),
+    userName: String,
+    groupChangeMessage: String
 )

 object GroupChangeInfo {
@ -64,7 +72,9 @@ object GroupChangeInfo {
    userId = groupChange.userId,
    oldGroup = groupChange.oldGroup.map(GroupInfo.apply),
    id = groupChange.id,
-    created = groupChange.created.getMillis.toString
+    created = groupChange.created,
+    userName = groupChange.userName.getOrElse("unknown user"),
+    groupChangeMessage = groupChange.groupChangeMessage.getOrElse("")
  )
 }

@ -76,7 +86,7 @@ case class UserInfo(
    firstName: Option[String] = None,
    lastName: Option[String] = None,
    email: Option[String] = None,
-    created: Option[DateTime] = None,
+    created: Option[Instant] = None,
    lockStatus: LockStatus
 )
 object UserInfo {
@ -92,13 +102,28 @@ object UserInfo {
    )
 }

+case class UserResponseInfo(
+   id: String,
+   userName: Option[String] = None,
+   groupId: Set[String] = Set.empty
+ )
+
+object UserResponseInfo {
+  def apply(user: User , group: Group): UserResponseInfo =
+    UserResponseInfo(
+      id = user.id,
+      userName = Some(user.userName),
+      groupId = Set(group.id)
+    )
+}
+
 case class MemberInfo(
    id: String,
    userName: Option[String] = None,
    firstName: Option[String] = None,
    lastName: Option[String] = None,
    email: Option[String] = None,
-    created: Option[DateTime] = None,
+    created: Option[Instant] = None,
    isAdmin: Boolean = false,
    lockStatus: LockStatus
 )
@ -135,8 +160,8 @@ final case class ListAdminsResponse(admins: Seq[UserInfo])

 final case class ListGroupChangesResponse(
    changes: Seq[GroupChangeInfo],
-    startFrom: Option[String] = None,
-    nextId: Option[String] = None,
+    startFrom: Option[Int] = None,
+    nextId: Option[Int] = None,
    maxItems: Int
 )

@ -153,6 +178,10 @@ final case class GroupNotFoundError(msg: String) extends Throwable(msg)

 final case class GroupAlreadyExistsError(msg: String) extends Throwable(msg)

+final case class GroupValidationError(msg: String) extends Throwable(msg)
+
+final case class EmailValidationError(msg: String) extends Throwable(msg)
+
 final case class UserNotFoundError(msg: String) extends Throwable(msg)

 final case class InvalidGroupError(msg: String) extends Throwable(msg)
--- a/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipService.scala
@ -16,8 +16,11 @@

 package vinyldns.api.domain.membership

+import cats.effect.IO
 import cats.implicits._
+import scalikejdbc.DB
 import vinyldns.api.Interfaces._
+import vinyldns.api.config.ValidEmailConfig
 import vinyldns.api.repository.ApiDataAccessor
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.membership.LockStatus.LockStatus
@ -25,16 +28,18 @@ import vinyldns.core.domain.zone.ZoneRepository
 import vinyldns.core.domain.membership._
 import vinyldns.core.domain.record.RecordSetRepository
 import vinyldns.core.Messages._
+import vinyldns.mysql.TransactionProvider

 object MembershipService {
-  def apply(dataAccessor: ApiDataAccessor): MembershipService =
+  def apply(dataAccessor: ApiDataAccessor,emailConfig:ValidEmailConfig): MembershipService =
    new MembershipService(
      dataAccessor.groupRepository,
      dataAccessor.userRepository,
      dataAccessor.membershipRepository,
      dataAccessor.zoneRepository,
      dataAccessor.groupChangeRepository,
-      dataAccessor.recordSetRepository
+      dataAccessor.recordSetRepository,
+      emailConfig
    )
 }

@ -44,8 +49,9 @@ class MembershipService(
    membershipRepo: MembershipRepository,
    zoneRepo: ZoneRepository,
    groupChangeRepo: GroupChangeRepository,
-    recordSetRepo: RecordSetRepository
-) extends MembershipServiceAlgebra {
+    recordSetRepo: RecordSetRepository,
+    validDomains: ValidEmailConfig
+) extends MembershipServiceAlgebra with TransactionProvider {

  import MembershipValidations._

@ -54,21 +60,20 @@ class MembershipService(
    val adminMembers = inputGroup.adminUserIds
    val nonAdminMembers = inputGroup.memberIds.diff(adminMembers)
    for {
+      _ <- groupValidation(newGroup)
+      _ <- emailValidation(newGroup.email)
      _ <- hasMembersAndAdmins(newGroup).toResult
      _ <- groupWithSameNameDoesNotExist(newGroup.name)
      _ <- usersExist(newGroup.memberIds)
-      _ <- groupChangeRepo.save(GroupChange.forAdd(newGroup, authPrincipal)).toResult[GroupChange]
-      _ <- groupRepo.save(newGroup).toResult[Group]
-      // save admin and non-admin members separately
-      _ <- membershipRepo
-        .saveMembers(newGroup.id, adminMembers, isAdmin = true)
-        .toResult[Set[String]]
-      _ <- membershipRepo
-        .saveMembers(newGroup.id, nonAdminMembers, isAdmin = false)
-        .toResult[Set[String]]
+      _ <- createGroupData(GroupChange.forAdd(newGroup, authPrincipal), newGroup, adminMembers, nonAdminMembers).toResult[Unit]
    } yield newGroup
  }

+  def listEmailDomains(authPrincipal: AuthPrincipal): Result[List[String]] = {
+    val validEmailDomains = validDomains.valid_domains
+    IO(validEmailDomains).toResult
+  }
+
  def updateGroup(
      groupId: String,
      name: String,
@ -81,6 +86,8 @@ class MembershipService(
    for {
      existingGroup <- getExistingGroup(groupId)
      newGroup = existingGroup.withUpdates(name, email, description, memberIds, adminUserIds)
+      _ <- groupValidation(newGroup)
+      _ <- emailValidation(newGroup.email)
      _ <- canEditGroup(existingGroup, authPrincipal).toResult
      addedAdmins = newGroup.adminUserIds.diff(existingGroup.adminUserIds)
      // new non-admin members ++ admins converted to non-admins
@ -90,18 +97,7 @@ class MembershipService(
      _ <- hasMembersAndAdmins(newGroup).toResult
      _ <- usersExist(addedNonAdmins)
      _ <- differentGroupWithSameNameDoesNotExist(newGroup.name, existingGroup.id)
-      _ <- groupChangeRepo
-        .save(GroupChange.forUpdate(newGroup, existingGroup, authPrincipal))
-        .toResult[GroupChange]
-      _ <- groupRepo.save(newGroup).toResult[Group]
-      // save admin and non-admin members separately
-      _ <- membershipRepo
-        .saveMembers(existingGroup.id, addedAdmins, isAdmin = true)
-        .toResult[Set[String]]
-      _ <- membershipRepo
-        .saveMembers(existingGroup.id, addedNonAdmins, isAdmin = false)
-        .toResult[Set[String]]
-      _ <- membershipRepo.removeMembers(existingGroup.id, removedMembers).toResult[Set[String]]
+      _ <- updateGroupData(GroupChange.forUpdate(newGroup, existingGroup, authPrincipal), newGroup, existingGroup, addedAdmins, addedNonAdmins, removedMembers).toResult[Unit]
    } yield newGroup

  def deleteGroup(groupId: String, authPrincipal: AuthPrincipal): Result[Group] =
@ -111,16 +107,64 @@ class MembershipService(
      _ <- isNotZoneAdmin(existingGroup)
      _ <- isNotRecordOwnerGroup(existingGroup)
      _ <- isNotInZoneAclRule(existingGroup)
-      _ <- groupChangeRepo
-        .save(GroupChange.forDelete(existingGroup, authPrincipal))
-        .toResult[GroupChange]
-      _ <- membershipRepo
-        .removeMembers(existingGroup.id, existingGroup.memberIds)
-        .toResult[Set[String]]
-      deletedGroup = existingGroup.copy(status = GroupStatus.Deleted)
-      _ <- groupRepo.delete(deletedGroup).toResult[Group]
+      deletedGroup <- deleteGroupData(GroupChange.forDelete(existingGroup, authPrincipal), existingGroup).toResult[Group]
    } yield deletedGroup

+  def createGroupData(
+   groupChangeData: GroupChange,
+   newGroup: Group,
+   adminMembers: Set[String],
+   nonAdminMembers: Set[String]
+  ): IO[Unit] =
+    executeWithinTransaction { db: DB =>
+      for {
+        _ <- groupChangeRepo.save(db, groupChangeData)
+        _ <- groupRepo.save(db, newGroup)
+        // save admin and non-admin members separately
+        _ <- membershipRepo
+          .saveMembers(db, newGroup.id, adminMembers, isAdmin = true)
+        _ <- membershipRepo
+          .saveMembers(db, newGroup.id, nonAdminMembers, isAdmin = false)
+      } yield ()
+    }
+
+  def updateGroupData(
+   groupChangeData: GroupChange,
+   newGroup: Group,
+   existingGroup: Group,
+   addedAdmins: Set[String],
+   addedNonAdmins: Set[String],
+   removedMembers: Set[String]
+  ): IO[Unit] =
+    executeWithinTransaction { db: DB =>
+      for {
+        _ <- groupChangeRepo
+          .save(db, groupChangeData)
+        _ <- groupRepo.save(db, newGroup)
+        // save admin and non-admin members separately
+        _ <- membershipRepo
+          .saveMembers(db, existingGroup.id, addedAdmins, isAdmin = true)
+        _ <- membershipRepo
+          .saveMembers(db, existingGroup.id, addedNonAdmins, isAdmin = false)
+        _ <- membershipRepo.removeMembers(db, existingGroup.id, removedMembers)
+      } yield ()
+    }
+
+  def deleteGroupData(
+   groupChangeData: GroupChange,
+   existingGroup: Group,
+  ): IO[Group] =
+    executeWithinTransaction { db: DB =>
+      for {
+        _ <- groupChangeRepo
+          .save(db, groupChangeData)
+        _ <- membershipRepo
+          .removeMembers(db, existingGroup.id, existingGroup.memberIds)
+        deletedGroup = existingGroup.copy(status = GroupStatus.Deleted)
+        _ <- groupRepo.delete(deletedGroup)
+      } yield deletedGroup
+    }
+
  def getGroup(id: String, authPrincipal: AuthPrincipal): Result[Group] =
    for {
      group <- getExistingGroup(id)
@ -156,7 +200,8 @@ class MembershipService(
      startFrom: Option[String],
      maxItems: Int,
      authPrincipal: AuthPrincipal,
-      ignoreAccess: Boolean
+      ignoreAccess: Boolean,
+      abridged: Boolean = false
  ): Result[ListMyGroupsResponse] = {
    val groupsCall =
      if (authPrincipal.isSystemAdmin || ignoreAccess) {
@ -166,7 +211,7 @@ class MembershipService(
      }

    groupsCall.map { grp =>
-      pageListGroupsResponse(grp.toList, groupNameFilter, startFrom, maxItems, ignoreAccess)
+      pageListGroupsResponse(grp.toList, groupNameFilter, startFrom, maxItems, ignoreAccess, abridged, authPrincipal)
    }
  }.toResult

@ -175,16 +220,24 @@ class MembershipService(
      groupNameFilter: Option[String],
      startFrom: Option[String],
      maxItems: Int,
-      ignoreAccess: Boolean
-  ): ListMyGroupsResponse = {
+      ignoreAccess: Boolean,
+      abridged: Boolean = false,
+      authPrincipal: AuthPrincipal
+    ): ListMyGroupsResponse = {
    val allMyGroups = allGroups
      .filter(_.status == GroupStatus.Active)
-      .sortBy(_.id)
-      .map(GroupInfo.apply)
+      .sortBy(_.name.toLowerCase)
+      .map(x => GroupInfo.fromGroup(x, abridged, Some(authPrincipal)))

-    val filtered = allMyGroups
-      .filter(grp => groupNameFilter.forall(grp.name.contains(_)))
-      .filter(grp => startFrom.forall(grp.id > _))
+    val filtered = if(startFrom.isDefined){
+      val prevPageGroup = allMyGroups.filter(_.id == startFrom.get).head.name
+      allMyGroups
+        .filter(grp => groupNameFilter.map(_.toLowerCase).forall(grp.name.toLowerCase.contains(_)))
+        .filter(grp => grp.name.toLowerCase > prevPageGroup.toLowerCase)
+    } else {
+      allMyGroups
+        .filter(grp => groupNameFilter.map(_.toLowerCase).forall(grp.name.toLowerCase.contains(_)))
+    }

    val nextId = if (filtered.length > maxItems) Some(filtered(maxItems - 1).id) else None
    val groups = filtered.take(maxItems)
@ -192,24 +245,131 @@ class MembershipService(
    ListMyGroupsResponse(groups, groupNameFilter, startFrom, nextId, maxItems, ignoreAccess)
  }

+  def getGroupChange(
+    groupChangeId: String,
+    authPrincipal: AuthPrincipal
+  ): Result[GroupChangeInfo] =
+    for {
+      result <- groupChangeRepo
+        .getGroupChange(groupChangeId)
+        .toResult[Option[GroupChange]]
+      _ <- isGroupChangePresent(result).toResult
+      _ <- canSeeGroupChange(result.get.newGroup.id, authPrincipal).toResult
+      allUserIds = getGroupUserIds(Seq(result.get))
+      allUserMap <- getUsers(allUserIds).map(_.users.map(x => x.id -> x.userName).toMap.withDefaultValue("unknown user"))
+      groupChangeMessage <- determineGroupDifference(Seq(result.get), allUserMap)
+      groupChanges = (groupChangeMessage, Seq(result.get)).zipped.map{ (a, b) => b.copy(groupChangeMessage = Some(a)) }
+      userIds = Seq(result.get).map(_.userId).toSet
+      users <- getUsers(userIds).map(_.users)
+      userMap = users.map(u => (u.id, u.userName)).toMap
+    } yield groupChanges.map(change => GroupChangeInfo.apply(change.copy(userName = userMap.get(change.userId)))).head
+
  def getGroupActivity(
      groupId: String,
-      startFrom: Option[String],
+      startFrom: Option[Int],
      maxItems: Int,
      authPrincipal: AuthPrincipal
  ): Result[ListGroupChangesResponse] =
    for {
-      _ <- canSeeGroup(groupId, authPrincipal).toResult
+      _ <- canSeeGroupChange(groupId, authPrincipal).toResult
      result <- groupChangeRepo
        .getGroupChanges(groupId, startFrom, maxItems)
        .toResult[ListGroupChangesResults]
+      allUserIds = getGroupUserIds(result.changes)
+      allUserMap <- getUsers(allUserIds).map(_.users.map(x => x.id -> x.userName).toMap.withDefaultValue("unknown user"))
+      groupChangeMessage <- determineGroupDifference(result.changes, allUserMap)
+      groupChanges = (groupChangeMessage, result.changes).zipped.map{ (a, b) => b.copy(groupChangeMessage = Some(a)) }
+      userIds = result.changes.map(_.userId).toSet
+      users <- getUsers(userIds).map(_.users)
+      userMap = users.map(u => (u.id, u.userName)).toMap
    } yield ListGroupChangesResponse(
-      result.changes.map(GroupChangeInfo.apply),
+      groupChanges.map(change => GroupChangeInfo.apply(change.copy(userName = userMap.get(change.userId)))),
      startFrom,
-      result.lastEvaluatedTimeStamp,
+      result.nextId,
      maxItems
    )

+  def getGroupUserIds(groupChange: Seq[GroupChange]): Set[String] = {
+    var userIds: Set[String] = Set.empty[String]
+    for (change <- groupChange) {
+      if (change.oldGroup.isDefined) {
+        val adminAddDifference = change.newGroup.adminUserIds.diff(change.oldGroup.get.adminUserIds)
+        val adminRemoveDifference = change.oldGroup.get.adminUserIds.diff(change.newGroup.adminUserIds)
+        val memberAddDifference = change.newGroup.memberIds.diff(change.oldGroup.get.memberIds)
+        val memberRemoveDifference = change.oldGroup.get.memberIds.diff(change.newGroup.memberIds)
+        userIds = userIds ++ adminAddDifference ++ adminRemoveDifference ++ memberAddDifference ++ memberRemoveDifference
+      }
+    }
+    userIds
+  }
+
+  def determineGroupDifference(groupChange: Seq[GroupChange],  allUserMap: Map[String, String]): Result[Seq[String]] = {
+    var groupChangeMessage: Seq[String] = Seq.empty[String]
+
+    for (change <- groupChange) {
+      val sb = new StringBuilder
+      if (change.oldGroup.isDefined) {
+        if (change.oldGroup.get.name != change.newGroup.name) {
+          sb.append(s"Group name changed to '${change.newGroup.name}'. ")
+        }
+        if (change.oldGroup.get.email != change.newGroup.email) {
+          sb.append(s"Group email changed to '${change.newGroup.email}'. ")
+        }
+        if (change.oldGroup.get.description != change.newGroup.description) {
+          val description = if(change.newGroup.description.isEmpty) "" else change.newGroup.description.get
+          sb.append(s"Group description changed to '$description'. ")
+        }
+        val adminAddDifference = change.newGroup.adminUserIds.diff(change.oldGroup.get.adminUserIds)
+        if (adminAddDifference.nonEmpty) {
+          sb.append(s"Group admin/s with user name/s '${adminAddDifference.map(x => allUserMap(x)).mkString("','")}' added. ")
+        }
+        val adminRemoveDifference = change.oldGroup.get.adminUserIds.diff(change.newGroup.adminUserIds)
+        if (adminRemoveDifference.nonEmpty) {
+          sb.append(s"Group admin/s with user name/s '${adminRemoveDifference.map(x => allUserMap(x)).mkString("','")}' removed. ")
+        }
+        val memberAddDifference = change.newGroup.memberIds.diff(change.oldGroup.get.memberIds)
+        if (memberAddDifference.nonEmpty) {
+          sb.append(s"Group member/s with user name/s '${memberAddDifference.map(x => allUserMap(x)).mkString("','")}' added. ")
+        }
+        val memberRemoveDifference = change.oldGroup.get.memberIds.diff(change.newGroup.memberIds)
+        if (memberRemoveDifference.nonEmpty) {
+          sb.append(s"Group member/s with user name/s '${memberRemoveDifference.map(x => allUserMap(x)).mkString("','")}' removed. ")
+        }
+        groupChangeMessage = groupChangeMessage :+ sb.toString().trim
+      }
+      // It'll be in else statement if the group was created or deleted
+      else {
+        if (change.changeType == GroupChangeType.Create) {
+          sb.append("Group Created.")
+        }
+        else if (change.changeType == GroupChangeType.Delete){
+          sb.append("Group Deleted.")
+        }
+        groupChangeMessage = groupChangeMessage :+ sb.toString()
+      }
+    }
+    groupChangeMessage
+  }.toResult
+
+  /**
+   * Retrieves the requested User from the given userIdentifier, which can be a userId or username
+   * @param userIdentifier The userId or username
+   * @return The found User
+   */
+  def getUser(userIdentifier: String, authPrincipal: AuthPrincipal): Result[User] =
+    userRepo
+      .getUserByIdOrName(userIdentifier)
+      .orFail(UserNotFoundError(s"User $userIdentifier was not found"))
+      .toResult[User]
+
+
+  def getUserDetails(userIdentifier: String, authPrincipal: AuthPrincipal): Result[UserResponseInfo] =
+    for{
+        user <- getUser(userIdentifier,authPrincipal)
+        group <-  membershipRepo.getGroupsForUser(user.id).toResult[Set[String]]
+    } yield UserResponseInfo(user.id, Some(user.userName), group)
+
+
  def getUsers(
      userIds: Set[String],
      startFrom: Option[String] = None,
@ -231,6 +391,47 @@ class MembershipService(
      .orFail(GroupNotFoundError(s"Group with ID $groupId was not found"))
      .toResult[Group]

+  // Validate group details. Group name and email cannot be empty
+  def groupValidation(group: Group): Result[Unit] = {
+    Option(group) match {
+      case Some(value) if Option(value.name).forall(_.trim.isEmpty) || Option(value.email).forall(_.trim.isEmpty) =>
+        GroupValidationError(GroupValidationErrorMsg).asLeft
+      case _ =>
+        ().asRight
+    }
+  }.toResult
+   // Validate email details.Email domains details are fetched from the config file.
+  def emailValidation(email: String): Result[Unit] = {
+    val emailDomains = validDomains.valid_domains
+    val numberOfDots=  validDomains.number_of_dots
+    val splitEmailDomains = emailDomains.mkString(",")
+    val emailRegex ="""^(?!\.)(?!.*\.$)(?!.*\.\.)[a-zA-Z0-9._+!&-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$""".r
+    val index = email.indexOf('@');
+    val emailSplit = if(index != -1){
+      email.substring(index+1,email.length)}
+    val wildcardEmailDomains=if(splitEmailDomains.contains("*")){
+      emailDomains.map(x=>x.replaceAllLiterally("*",""))}
+    else emailDomains
+
+    Option(email) match {
+      case Some(value) if (emailRegex.findFirstIn(value) != None && emailSplit.toString.count(_ == '.')>0)=>
+
+        if ((emailDomains.contains(emailSplit) || emailDomains.isEmpty || wildcardEmailDomains.exists(x => emailSplit.toString.endsWith(x)))&&
+              emailSplit.toString.count(_ == '.')<=numberOfDots)
+        ().asRight
+        else {
+          if(emailSplit.toString.count(_ == '.')>numberOfDots){
+            EmailValidationError(DotsValidationErrorMsg + " " + numberOfDots).asLeft
+          }
+          else {
+            EmailValidationError(EmailValidationErrorMsg + " " + wildcardEmailDomains.mkString(",")).asLeft
+          }
+        }
+      case _ =>
+        EmailValidationError(InvalidEmailValidationErrorMsg).asLeft
+    }}.toResult
+
+
  def groupWithSameNameDoesNotExist(name: String): Result[Unit] =
    groupRepo
      .getGroupByName(name)
@ -257,7 +458,7 @@ class MembershipService(
      .getGroupByName(name)
      .map {
        case Some(existingGroup)
-            if existingGroup.status != GroupStatus.Deleted && existingGroup.id != groupId =>
+          if existingGroup.status != GroupStatus.Deleted && existingGroup.id != groupId =>
          GroupAlreadyExistsError(GroupAlreadyExistsErrorMsg.format(name, existingGroup.email)).asLeft
        case _ =>
          ().asRight
--- a/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipServiceAlgebra.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipServiceAlgebra.scala
@ -25,6 +25,8 @@ trait MembershipServiceAlgebra {

  def createGroup(inputGroup: Group, authPrincipal: AuthPrincipal): Result[Group]

+  def listEmailDomains(authPrincipal: AuthPrincipal):Result[List[String]]
+
  def updateGroup(
      groupId: String,
      name: String,
@ -39,12 +41,15 @@ trait MembershipServiceAlgebra {

  def getGroup(id: String, authPrincipal: AuthPrincipal): Result[Group]

+  def getGroupChange(id: String, authPrincipal: AuthPrincipal): Result[GroupChangeInfo]
+
  def listMyGroups(
      groupNameFilter: Option[String],
      startFrom: Option[String],
      maxItems: Int,
      authPrincipal: AuthPrincipal,
-      ignoreAccess: Boolean
+      ignoreAccess: Boolean,
+      abridged: Boolean = false
  ): Result[ListMyGroupsResponse]

  def listMembers(
@ -58,7 +63,7 @@ trait MembershipServiceAlgebra {

  def getGroupActivity(
      groupId: String,
-      startFrom: Option[String],
+      startFrom: Option[Int],
      maxItems: Int,
      authPrincipal: AuthPrincipal
  ): Result[ListGroupChangesResponse]
@ -68,4 +73,14 @@ trait MembershipServiceAlgebra {
      lockStatus: LockStatus,
      authPrincipal: AuthPrincipal
  ): Result[User]
+
+  def getUser(
+      userIdentifier: String,
+      authPrincipal: AuthPrincipal
+  ): Result[User]
+
+  def getUserDetails(
+               userIdentifier: String,
+               authPrincipal: AuthPrincipal
+             ): Result[UserResponseInfo]
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/membership/MembershipValidations.scala
@ -19,10 +19,12 @@ package vinyldns.api.domain.membership
 import vinyldns.api.Interfaces.ensuring
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.api.domain.zone.NotAuthorizedError
-import vinyldns.core.domain.membership.Group
+import vinyldns.core.domain.membership.{Group, GroupChange}

 object MembershipValidations {

+  private val canViewGroupDetails = true
+
  def hasMembersAndAdmins(group: Group): Either[Throwable, Unit] =
    ensuring(InvalidGroupError("Group must have at least one member and one admin")) {
      group.memberIds.nonEmpty && group.adminUserIds.nonEmpty
@ -39,7 +41,17 @@ object MembershipValidations {
    }

  def canSeeGroup(groupId: String, authPrincipal: AuthPrincipal): Either[Throwable, Unit] =
+    ensuring(NotAuthorizedError("Not authorized")) {
+      authPrincipal.isGroupMember(groupId) || authPrincipal.isSystemAdmin || canViewGroupDetails
+    }
+
+  def canSeeGroupChange(groupId: String, authPrincipal: AuthPrincipal): Either[Throwable, Unit] =
    ensuring(NotAuthorizedError("Not authorized")) {
      authPrincipal.isGroupMember(groupId) || authPrincipal.isSystemAdmin
    }
+
+  def isGroupChangePresent(groupChange: Option[GroupChange]): Either[Throwable, Unit] =
+    ensuring(InvalidGroupRequestError("Invalid Group Change ID")) {
+      groupChange.isDefined
+  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/ListRecordSetChangesResponse.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/ListRecordSetChangesResponse.scala
@ -17,13 +17,13 @@
 package vinyldns.api.domain.record

 import vinyldns.api.domain.zone.RecordSetChangeInfo
-import vinyldns.core.domain.record.ListRecordSetChangesResults
+import vinyldns.core.domain.record.{ListFailedRecordSetChangesResults, ListRecordSetChangesResults, RecordSetChange}

 case class ListRecordSetChangesResponse(
    zoneId: String,
    recordSetChanges: List[RecordSetChangeInfo] = Nil,
-    nextId: Option[String],
-    startFrom: Option[String],
+    nextId: Option[Int],
+    startFrom: Option[Int],
    maxItems: Int
 )

@ -41,3 +41,43 @@ object ListRecordSetChangesResponse {
      listResults.maxItems
    )
 }
+
+case class ListRecordSetHistoryResponse(
+     zoneId: Option[String],
+     recordSetChanges: List[RecordSetChangeInfo] = Nil,
+     nextId: Option[Int],
+     startFrom: Option[Int],
+     maxItems: Int
+ )
+
+object ListRecordSetHistoryResponse {
+  def apply(
+             zoneId: Option[String],
+             listResults: ListRecordSetChangesResults,
+             info: List[RecordSetChangeInfo]
+           ): ListRecordSetHistoryResponse =
+    ListRecordSetHistoryResponse(
+      zoneId,
+      info,
+      listResults.nextId,
+      listResults.startFrom,
+      listResults.maxItems
+    )
+}
+
+case class ListFailedRecordSetChangesResponse(
+                                               failedRecordSetChanges: List[RecordSetChange] = Nil,
+                                               nextId: Int,
+                                               startFrom: Int,
+                                               maxItems: Int
+                                             )
+
+object ListFailedRecordSetChangesResponse {
+  def apply(
+             ListFailedRecordSetChanges: ListFailedRecordSetChangesResults
+           ): ListFailedRecordSetChangesResponse =
+    ListFailedRecordSetChangesResponse(
+      ListFailedRecordSetChanges.items,
+      ListFailedRecordSetChanges.nextId,
+      ListFailedRecordSetChanges.startFrom,
+      ListFailedRecordSetChanges.maxItems)}
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetCacheService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetCacheService.scala
@ -0,0 +1,47 @@
+/*
+ * Copyright 2018 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package vinyldns.api.domain.record
+
+import cats.effect.IO
+import org.slf4j.LoggerFactory
+import scalikejdbc.DB
+import vinyldns.core.domain.record.{ListRecordSetResults, NameSort, RecordSetCacheRepository, RecordSetRepository, RecordTypeSort}
+import vinyldns.mysql.TransactionProvider
+
+
+class RecordSetCacheService(recordSetRepository: RecordSetRepository,
+                            recordSetCacheRepository: RecordSetCacheRepository) extends TransactionProvider {
+  private val logger = LoggerFactory.getLogger(classOf[RecordSetCacheService])
+
+  final def populateRecordSetCache(nextId: Option[String] = None): IO[ListRecordSetResults] = {
+    logger.info(s"Populating recordset data. Starting at $nextId")
+    for {
+      result <- recordSetRepository.listRecordSets(None, nextId, Some(1000), None, None, None, NameSort.ASC, RecordTypeSort.ASC)
+
+      _ <- executeWithinTransaction { db: DB =>
+        IO {
+          result.recordSets.par.foreach(recordSet => {
+            recordSetCacheRepository.updateRecordDataList(db, recordSet.id, recordSet.records, recordSet.typ, recordSet.zoneId, recordSet.fqdn.get)
+          })
+        }
+      }
+      _ <- populateRecordSetCache(result.nextId)
+    } yield {
+      result
+    }
+  }
+}
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetChangeGenerator.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetChangeGenerator.scala
@ -17,8 +17,8 @@
 package vinyldns.api.domain.record

 import java.util.UUID
-
-import org.joda.time.DateTime
+import java.time.temporal.ChronoUnit
+import java.time.Instant
 import vinyldns.api.backend.dns.DnsConversions
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.zone.Zone
@ -37,7 +37,7 @@ object RecordSetChangeGenerator extends DnsConversions {
      recordSet = recordSet.copy(
        name = relativize(recordSet.name, zone.name),
        id = UUID.randomUUID().toString, // TODO once user cant specify ID, no need to refresh it here
-        created = DateTime.now,
+        created = Instant.now.truncatedTo(ChronoUnit.MILLIS),
        status = RecordSetStatus.Pending
      ),
      userId = userId,
@ -69,7 +69,7 @@ object RecordSetChangeGenerator extends DnsConversions {
        id = replacing.id,
        name = relativize(newRecordSet.name, zone.name),
        status = RecordSetStatus.PendingUpdate,
-        updated = Some(DateTime.now)
+        updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS))
      ),
      userId = userId,
      changeType = RecordSetChangeType.Update,
@ -105,7 +105,7 @@ object RecordSetChangeGenerator extends DnsConversions {
      recordSet = recordSet.copy(
        name = relativize(recordSet.name, zone.name),
        status = RecordSetStatus.PendingDelete,
-        updated = Some(DateTime.now)
+        updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS))
      ),
      userId = userId,
      changeType = RecordSetChangeType.Delete,
@ -113,6 +113,25 @@ object RecordSetChangeGenerator extends DnsConversions {
      singleBatchChangeIds = singleBatchChangeIds
    )

+  def forOutOfSync(
+   recordSet: RecordSet,
+   zone: Zone,
+   userId: String,
+   singleBatchChangeIds: List[String]
+ ): RecordSetChange =
+    RecordSetChange(
+      zone = zone,
+      recordSet = recordSet.copy(
+        name = relativize(recordSet.name, zone.name),
+        status = RecordSetStatus.PendingDelete,
+        updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS))
+      ),
+      userId = userId,
+      changeType = RecordSetChangeType.Sync,
+      updates = Some(recordSet),
+      singleBatchChangeIds = singleBatchChangeIds
+    )
+
  def forDelete(
      recordSet: RecordSet,
      zone: Zone,
@ -150,7 +169,7 @@ object RecordSetChangeGenerator extends DnsConversions {
        id = replacing.id,
        name = relativize(newRecordSet.name, zone.name),
        status = RecordSetStatus.Active,
-        updated = Some(DateTime.now),
+        updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)),
        ownerGroupId = replacing.ownerGroupId
      ),
      userId = "system",
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetService.scala
@ -27,31 +27,38 @@ import vinyldns.core.domain.zone.{Zone, ZoneCommandResult, ZoneRepository}
 import vinyldns.core.queue.MessageQueue
 import cats.data._
 import cats.effect.IO
+import org.slf4j.{Logger, LoggerFactory}
 import org.xbill.DNS.ReverseMap
-import vinyldns.api.config.HighValueDomainConfig
+import vinyldns.api.config.{ZoneAuthConfigs, DottedHostsConfig, HighValueDomainConfig}
 import vinyldns.api.domain.DomainValidations.{validateIpv4Address, validateIpv6Address}
 import vinyldns.api.domain.access.AccessValidationsAlgebra
 import vinyldns.core.domain.record.NameSort.NameSort
 import vinyldns.core.domain.record.RecordType.RecordType
 import vinyldns.core.domain.DomainHelpers.ensureTrailingDot
 import vinyldns.core.domain.backend.{Backend, BackendResolver}
+import vinyldns.core.domain.record.RecordTypeSort.RecordTypeSort
+import vinyldns.core.notifier.{AllNotifiers, Notification}

 import scala.util.matching.Regex

 object RecordSetService {
  def apply(
-      dataAccessor: ApiDataAccessor,
-      messageQueue: MessageQueue,
-      accessValidation: AccessValidationsAlgebra,
-      backendResolver: BackendResolver,
-      validateRecordLookupAgainstDnsBackend: Boolean,
-      highValueDomainConfig: HighValueDomainConfig,
-      approvedNameServers: List[Regex]
-  ): RecordSetService =
+             dataAccessor: ApiDataAccessor,
+             messageQueue: MessageQueue,
+             accessValidation: AccessValidationsAlgebra,
+             backendResolver: BackendResolver,
+             validateRecordLookupAgainstDnsBackend: Boolean,
+             highValueDomainConfig: HighValueDomainConfig,
+             dottedHostsConfig: DottedHostsConfig,
+             approvedNameServers: List[Regex],
+             useRecordSetCache: Boolean,
+             notifiers: AllNotifiers
+           ): RecordSetService =
    new RecordSetService(
      dataAccessor.zoneRepository,
      dataAccessor.groupRepository,
      dataAccessor.recordSetRepository,
+      dataAccessor.recordSetCacheRepository,
      dataAccessor.recordChangeRepository,
      dataAccessor.userRepository,
      messageQueue,
@ -59,30 +66,44 @@ object RecordSetService {
      backendResolver,
      validateRecordLookupAgainstDnsBackend,
      highValueDomainConfig,
-      approvedNameServers
+      dottedHostsConfig,
+      approvedNameServers,
+      useRecordSetCache,
+      notifiers
+
    )
 }

 class RecordSetService(
-    zoneRepository: ZoneRepository,
-    groupRepository: GroupRepository,
-    recordSetRepository: RecordSetRepository,
-    recordChangeRepository: RecordChangeRepository,
-    userRepository: UserRepository,
-    messageQueue: MessageQueue,
-    accessValidation: AccessValidationsAlgebra,
-    backendResolver: BackendResolver,
-    validateRecordLookupAgainstDnsBackend: Boolean,
-    highValueDomainConfig: HighValueDomainConfig,
-    approvedNameServers: List[Regex]
-) extends RecordSetServiceAlgebra {
+                        zoneRepository: ZoneRepository,
+                        groupRepository: GroupRepository,
+                        recordSetRepository: RecordSetRepository,
+                        recordSetCacheRepository: RecordSetCacheRepository,
+                        recordChangeRepository: RecordChangeRepository,
+                        userRepository: UserRepository,
+                        messageQueue: MessageQueue,
+                        accessValidation: AccessValidationsAlgebra,
+                        backendResolver: BackendResolver,
+                        validateRecordLookupAgainstDnsBackend: Boolean,
+                        highValueDomainConfig: HighValueDomainConfig,
+                        dottedHostsConfig: DottedHostsConfig,
+                        approvedNameServers: List[Regex],
+                        useRecordSetCache: Boolean,
+                        notifiers: AllNotifiers
+                      ) extends RecordSetServiceAlgebra {

  import RecordSetValidations._
  import accessValidation._

+  val logger: Logger = LoggerFactory.getLogger(classOf[RecordSetService])
+
+  val approverOwnerShipTransferStatus = List(OwnerShipTransferStatus.ManuallyApproved , OwnerShipTransferStatus.AutoApproved, OwnerShipTransferStatus.ManuallyRejected)
+  val requestorOwnerShipTransferStatus = List(OwnerShipTransferStatus.Cancelled , OwnerShipTransferStatus.Requested, OwnerShipTransferStatus.PendingReview)
+
  def addRecordSet(recordSet: RecordSet, auth: AuthPrincipal): Result[ZoneCommandResult] =
    for {
      zone <- getZone(recordSet.zoneId)
+      authZones = dottedHostsConfig.zoneAuthConfigs.map(x => x.zone)
      change <- RecordSetChangeGenerator.forAdd(recordSet, zone, Some(auth)).toResult
      // because changes happen to the RS in forAdd itself, converting 1st and validating on that
      rsForValidations = change.recordSet
@ -102,13 +123,27 @@ class RecordSetService(
      ownerGroup <- getGroupIfProvided(rsForValidations.ownerGroupId)
      _ <- canUseOwnerGroup(rsForValidations.ownerGroupId, ownerGroup, auth).toResult
      _ <- noCnameWithNewName(rsForValidations, existingRecordsWithName, zone).toResult
+      allowedZoneList <- getAllowedZones(authZones).toResult[Set[String]]
+      isInAllowedUsers = checkIfInAllowedUsers(zone, dottedHostsConfig, auth)
+      isUserInAllowedGroups <- checkIfInAllowedGroups(zone, dottedHostsConfig, auth).toResult[Boolean]
+      isAllowedUser = isInAllowedUsers || isUserInAllowedGroups
+      isRecordTypeAllowed = checkIfInAllowedRecordType(zone, dottedHostsConfig, rsForValidations)
+      isRecordTypeAndUserAllowed = isAllowedUser && isRecordTypeAllowed
+      allowedDotsLimit = getAllowedDotsLimit(zone, dottedHostsConfig)
+      recordFqdnDoesNotAlreadyExist <- recordFQDNDoesNotExist(rsForValidations, zone).toResult[Boolean]
      _ <- typeSpecificValidations(
        rsForValidations,
        existingRecordsWithName,
        zone,
        None,
-        approvedNameServers
+        approvedNameServers,
+        recordFqdnDoesNotAlreadyExist,
+        allowedZoneList,
+        isRecordTypeAndUserAllowed,
+        allowedDotsLimit
      ).toResult
+      _ <- if(allowedZoneList.contains(zone.name)) checkAllowedDots(allowedDotsLimit, rsForValidations, zone).toResult else ().toResult
+      _ <- if(allowedZoneList.contains(zone.name)) isNotApexEndsWithDot(rsForValidations, zone).toResult else ().toResult
      _ <- messageQueue.send(change).toResult[Unit]
    } yield change

@ -119,13 +154,31 @@ class RecordSetService(
      _ <- unchangedRecordName(existing, recordSet, zone).toResult
      _ <- unchangedRecordType(existing, recordSet).toResult
      _ <- unchangedZoneId(existing, recordSet).toResult
+      _ <- if(requestorOwnerShipTransferStatus.contains(recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>"))
+        && !auth.isSuper && !auth.isGroupMember(existing.ownerGroupId.getOrElse("None")))
+        unchangedRecordSet(existing, recordSet).toResult else ().toResult
+      _ <- if(existing.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") == OwnerShipTransferStatus.Cancelled
+        && !auth.isSuper) {
+        recordSetOwnerShipApproveStatus(recordSet).toResult
+      } else ().toResult
+      _ = logger.info(s"updated recordsetgroupchange: ${recordSet.recordSetGroupChange}")
+      _ = logger.info(s"existing recordsetgroupchange: ${existing.recordSetGroupChange}")
+      recordSet <- updateRecordSetGroupChangeStatus(recordSet, existing, zone)
      change <- RecordSetChangeGenerator.forUpdate(existing, recordSet, zone, Some(auth)).toResult
      // because changes happen to the RS in forUpdate itself, converting 1st and validating on that
      rsForValidations = change.recordSet
+      superUserCanUpdateOwnerGroup = canSuperUserUpdateOwnerGroup(existing, recordSet, zone, auth)
      _ <- isNotHighValueDomain(recordSet, zone, highValueDomainConfig).toResult
-      _ <- canUpdateRecordSet(auth, existing.name, existing.typ, zone, existing.ownerGroupId).toResult
+      _ <- if(requestorOwnerShipTransferStatus.contains(recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>"))
+        && !auth.isSuper && !auth.isGroupMember(existing.ownerGroupId.getOrElse("None"))) ().toResult
+      else canUpdateRecordSet(auth, existing.name, existing.typ, zone, existing.ownerGroupId, superUserCanUpdateOwnerGroup).toResult
      ownerGroup <- getGroupIfProvided(rsForValidations.ownerGroupId)
-      _ <- canUseOwnerGroup(rsForValidations.ownerGroupId, ownerGroup, auth).toResult
+      _ <- if(requestorOwnerShipTransferStatus.contains(recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>"))
+        && !auth.isSuper && !auth.isGroupMember(existing.ownerGroupId.getOrElse("None")))
+        canUseOwnerGroup(rsForValidations.recordSetGroupChange.map(_.requestedOwnerGroupId).get, ownerGroup, auth).toResult
+      else if(approverOwnerShipTransferStatus.contains(recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>"))
+        && !auth.isSuper) canUseOwnerGroup(existing.ownerGroupId, ownerGroup, auth).toResult
+      else canUseOwnerGroup(rsForValidations.ownerGroupId, ownerGroup, auth).toResult
      _ <- notPending(existing).toResult
      existingRecordsWithName <- recordSetRepository
        .getRecordSetsByName(zone.id, rsForValidations.name)
@ -138,21 +191,40 @@ class RecordSetService(
        validateRecordLookupAgainstDnsBackend
      )
      _ <- noCnameWithNewName(rsForValidations, existingRecordsWithName, zone).toResult
+      authZones = dottedHostsConfig.zoneAuthConfigs.map(x => x.zone)
+      allowedZoneList <- getAllowedZones(authZones).toResult[Set[String]]
+      isInAllowedUsers = checkIfInAllowedUsers(zone, dottedHostsConfig, auth)
+      isUserInAllowedGroups <- checkIfInAllowedGroups(zone, dottedHostsConfig, auth).toResult[Boolean]
+      isAllowedUser = isInAllowedUsers || isUserInAllowedGroups
+      isRecordTypeAllowed = checkIfInAllowedRecordType(zone, dottedHostsConfig, rsForValidations)
+      isRecordTypeAndUserAllowed = isAllowedUser && isRecordTypeAllowed
+      allowedDotsLimit = getAllowedDotsLimit(zone, dottedHostsConfig)
      _ <- typeSpecificValidations(
        rsForValidations,
        existingRecordsWithName,
        zone,
        Some(existing),
-        approvedNameServers
+        approvedNameServers,
+        true,
+        allowedZoneList,
+        isRecordTypeAndUserAllowed,
+        allowedDotsLimit
      ).toResult
+      _ <- if(existing.name == rsForValidations.name) ().toResult else if(allowedZoneList.contains(zone.name)) checkAllowedDots(allowedDotsLimit, rsForValidations, zone).toResult else ().toResult
+      _ <- if(allowedZoneList.contains(zone.name)) isNotApexEndsWithDot(rsForValidations, zone).toResult else ().toResult
      _ <- messageQueue.send(change).toResult[Unit]
+      _ <- if(recordSet.recordSetGroupChange != None &&
+        recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") != OwnerShipTransferStatus.None &&
+        recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") != OwnerShipTransferStatus.AutoApproved)
+        notifiers.notify(Notification(change)).toResult
+      else ().toResult
    } yield change

  def deleteRecordSet(
-      recordSetId: String,
-      zoneId: String,
-      auth: AuthPrincipal
-  ): Result[ZoneCommandResult] =
+                       recordSetId: String,
+                       zoneId: String,
+                       auth: AuthPrincipal
+                     ): Result[ZoneCommandResult] =
    for {
      zone <- getZone(zoneId)
      existing <- getRecordSet(recordSetId)
@ -164,20 +236,259 @@ class RecordSetService(
      _ <- messageQueue.send(change).toResult[Unit]
    } yield change

+  //update ownership transfer is zone is shared
+  def updateRecordSetGroupChangeStatus(recordSet: RecordSet, existing: RecordSet, zone: Zone): Result[RecordSet] = {
+    val existingOwnerShipTransfer = existing.recordSetGroupChange.getOrElse(OwnerShipTransfer.apply(OwnerShipTransferStatus.None, Some("none")))
+    val ownerShipTransfer = recordSet.recordSetGroupChange.getOrElse(OwnerShipTransfer.apply(OwnerShipTransferStatus.None, Some("none")))
+    if (recordSet.recordSetGroupChange != None &&
+      ownerShipTransfer.ownerShipTransferStatus != OwnerShipTransferStatus.None)
+      if (zone.shared){
+        if (approverOwnerShipTransferStatus.contains(ownerShipTransfer.ownerShipTransferStatus)) {
+          val recordSetOwnerApproval =
+            ownerShipTransfer.ownerShipTransferStatus match {
+              case OwnerShipTransferStatus.ManuallyApproved =>
+                recordSet.copy(ownerGroupId = existingOwnerShipTransfer.requestedOwnerGroupId,
+                  recordSetGroupChange = Some(ownerShipTransfer.copy(ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyApproved,
+                    requestedOwnerGroupId = existingOwnerShipTransfer.requestedOwnerGroupId)))
+              case OwnerShipTransferStatus.ManuallyRejected =>
+                recordSet.copy(
+                  recordSetGroupChange = Some(ownerShipTransfer.copy(ownerShipTransferStatus = OwnerShipTransferStatus.ManuallyRejected,
+                    requestedOwnerGroupId = existingOwnerShipTransfer.requestedOwnerGroupId)))
+              case OwnerShipTransferStatus.AutoApproved =>
+                recordSet.copy(
+                  ownerGroupId = ownerShipTransfer.requestedOwnerGroupId,
+                  recordSetGroupChange = Some(ownerShipTransfer.copy(ownerShipTransferStatus = OwnerShipTransferStatus.AutoApproved,
+                    requestedOwnerGroupId = ownerShipTransfer.requestedOwnerGroupId)))
+
+              case _ => recordSet.copy(
+                recordSetGroupChange = Some(ownerShipTransfer.copy(
+                  ownerShipTransferStatus = OwnerShipTransferStatus.None,
+                  requestedOwnerGroupId = Some("null"))))
+            }
+          for {
+            recordSet <- recordSetOwnerApproval.toResult
+          } yield recordSet
+        }
+        else {
+          val recordSetOwnerRequest =
+            ownerShipTransfer.ownerShipTransferStatus match {
+              case OwnerShipTransferStatus.Cancelled =>
+                recordSet.copy(recordSetGroupChange = Some(ownerShipTransfer.copy(
+                  ownerShipTransferStatus = OwnerShipTransferStatus.Cancelled,
+                  requestedOwnerGroupId = existingOwnerShipTransfer.requestedOwnerGroupId)))
+              case OwnerShipTransferStatus.Requested | OwnerShipTransferStatus.PendingReview => recordSet.copy(
+                recordSetGroupChange = Some(ownerShipTransfer.copy(ownerShipTransferStatus = OwnerShipTransferStatus.PendingReview)))
+            }
+          for {
+            recordSet <- recordSetOwnerRequest.toResult
+          } yield recordSet
+        }
+      } else for {
+        _ <- unchangedRecordSetOwnershipStatus(recordSet, existing).toResult
+      } yield recordSet.copy(
+        recordSetGroupChange = Some(ownerShipTransfer.copy(
+          ownerShipTransferStatus = OwnerShipTransferStatus.None,
+          requestedOwnerGroupId = Some("null"))))
+    else recordSet.copy(
+      recordSetGroupChange = Some(ownerShipTransfer.copy(
+        ownerShipTransferStatus = OwnerShipTransferStatus.None,
+        requestedOwnerGroupId = Some("null")))).toResult
+  }
+
+  // For dotted hosts. Check if a record that may conflict with dotted host exist or not
+  def recordFQDNDoesNotExist(newRecordSet: RecordSet, zone: Zone): IO[Boolean] = {
+    // Use fqdn for searching through `recordset` mysql table to see if it already exist
+    val newRecordFqdn = if(newRecordSet.name != zone.name) newRecordSet.name + "." + zone.name else newRecordSet.name
+
+    for {
+      record <- recordSetRepository.getRecordSetsByFQDNs(Set(newRecordFqdn))
+      isRecordAlreadyExist = doesRecordWithSameTypeExist(record, newRecordSet)
+      doesNotExist = if(isRecordAlreadyExist) false else true
+    } yield doesNotExist
+  }
+
+  // Check if a record with same type already exist in 'recordset' mysql table
+  def doesRecordWithSameTypeExist(oldRecord: List[RecordSet], newRecord: RecordSet): Boolean = {
+    if(oldRecord.nonEmpty) {
+      val typeExists = oldRecord.map(x => x.typ == newRecord.typ)
+      if (typeExists.contains(true)) true else false
+    }
+    else {
+      false
+    }
+  }
+
+  // Get zones that are allowed to create dotted hosts using the zones present in dotted hosts config
+  def  getAllowedZones(zones: List[String]): IO[Set[String]] = {
+    if(zones.isEmpty){
+      val noZones: IO[Set[String]] = IO(Set.empty)
+      noZones
+    }
+    else {
+      // Wildcard zones needs to be passed to a separate method
+      val wildcardZones = zones.filter(_.contains("*")).map(_.replace("*", "%"))
+      // Zones without wildcard character are passed to a separate function
+      val namedZones = zones.filter(zone => !zone.contains("*"))
+      for{
+        namedZoneResult <- zoneRepository.getZonesByNames(namedZones.toSet)
+        wildcardZoneResult <- zoneRepository.getZonesByFilters(wildcardZones.toSet)
+        zoneResult = namedZoneResult ++ wildcardZoneResult // Combine the zones
+      } yield zoneResult.map(x => x.name)
+    }
+  }
+
+  // Check if user is allowed to create dotted hosts using the users present in dotted hosts config
+  def getAllowedDotsLimit(zone: Zone, config: DottedHostsConfig): Int = {
+    val configZones = config.zoneAuthConfigs.map(x => x.zone)
+    val zoneName = if(zone.name.takeRight(1) != ".") zone.name + "." else zone.name
+    val dottedZoneConfig = configZones.filter(_.contains("*")).map(_.replace("*", "[A-Za-z0-9.]*"))
+    val isContainWildcardZone = dottedZoneConfig.exists(x => zoneName.matches(x))
+    val isContainNormalZone = configZones.contains(zoneName)
+    if(isContainNormalZone){
+      config.zoneAuthConfigs.filter(x => x.zone == zoneName).head.dotsLimit
+    }
+    else if(isContainWildcardZone){
+      config.zoneAuthConfigs.filter(x => zoneName.matches(x.zone.replace("*", "[A-Za-z0-9.]*"))).head.dotsLimit
+    }
+    else {
+      0
+    }
+  }
+
+  // Check if user is allowed to create dotted hosts using the users present in dotted hosts config
+  def checkIfInAllowedUsers(zone: Zone, config: DottedHostsConfig, auth: AuthPrincipal): Boolean = {
+    val configZones = config.zoneAuthConfigs.map(x => x.zone)
+    val zoneName = if(zone.name.takeRight(1) != ".") zone.name + "." else zone.name
+    val dottedZoneConfig = configZones.filter(_.contains("*")).map(_.replace("*", "[A-Za-z0-9.]*"))
+    val isContainWildcardZone = dottedZoneConfig.exists(x => zoneName.matches(x))
+    val isContainNormalZone = configZones.contains(zoneName)
+    if(isContainNormalZone){
+      val users = config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone == zoneName) x.userList else List.empty
+      }
+      if(users.contains(auth.signedInUser.userName)){
+        true
+      }
+      else {
+        false
+      }
+    }
+    else if(isContainWildcardZone){
+      val users = config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone.contains("*")) {
+            val wildcardZone = x.zone.replace("*", "[A-Za-z0-9.]*")
+            if (zoneName.matches(wildcardZone)) x.userList else List.empty
+          } else List.empty
+      }
+      if(users.contains(auth.signedInUser.userName)){
+        true
+      }
+      else {
+        false
+      }
+    }
+    else {
+      false
+    }
+  }
+
+  // Check if user is allowed to create dotted hosts using the record types present in dotted hosts config
+  def checkIfInAllowedRecordType(zone: Zone, config: DottedHostsConfig, rs: RecordSet): Boolean = {
+    val configZones = config.zoneAuthConfigs.map(x => x.zone)
+    val zoneName = if(zone.name.takeRight(1) != ".") zone.name + "." else zone.name
+    val dottedZoneConfig = configZones.filter(_.contains("*")).map(_.replace("*", "[A-Za-z0-9.]*"))
+    val isContainWildcardZone = dottedZoneConfig.exists(x => zoneName.matches(x))
+    val isContainNormalZone = configZones.contains(zoneName)
+    if(isContainNormalZone){
+      val rType = config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone == zoneName) x.recordTypes else List.empty
+      }
+      if(rType.contains(rs.typ.toString)){
+        true
+      }
+      else {
+        false
+      }
+    }
+    else if(isContainWildcardZone){
+      val rType = config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone.contains("*")) {
+            val wildcardZone = x.zone.replace("*", "[A-Za-z0-9.]*")
+            if (zoneName.matches(wildcardZone)) x.recordTypes else List.empty
+          } else List.empty
+      }
+      if(rType.contains(rs.typ.toString)){
+        true
+      }
+      else {
+        false
+      }
+    }
+    else {
+      false
+    }
+  }
+
+  // Check if user is allowed to create dotted hosts using the groups present in dotted hosts config
+  def checkIfInAllowedGroups(zone: Zone, config: DottedHostsConfig, auth: AuthPrincipal): IO[Boolean] = {
+    val configZones = config.zoneAuthConfigs.map(x => x.zone)
+    val zoneName = if(zone.name.takeRight(1) != ".") zone.name + "." else zone.name
+    val dottedZoneConfig = configZones.filter(_.contains("*")).map(_.replace("*", "[A-Za-z0-9.]*"))
+    val isContainWildcardZone = dottedZoneConfig.exists(x => zoneName.matches(x))
+    val isContainNormalZone = configZones.contains(zoneName)
+    val groups = if(isContainNormalZone){
+      config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone == zoneName) x.groupList else List.empty
+      }
+    }
+    else if(isContainWildcardZone){
+      config.zoneAuthConfigs.flatMap {
+        x: ZoneAuthConfigs =>
+          if (x.zone.contains("*")) {
+            val wildcardZone = x.zone.replace("*", "[A-Za-z0-9.]*")
+            if (zoneName.matches(wildcardZone)) x.groupList else List.empty
+          } else List.empty
+      }
+    }
+    else {
+      List.empty
+    }
+    for{
+      groupsInConfig <- groupRepository.getGroupsByName(groups.toSet)
+      members = groupsInConfig.flatMap(x => x.memberIds)
+      usersList <- if(members.isEmpty) IO(Seq.empty) else userRepository.getUsers(members, None, None).map(x => x.users)
+      users = if(usersList.isEmpty) Seq.empty else usersList.map(x => x.userName)
+      isPresent = users.contains(auth.signedInUser.userName)
+    } yield isPresent
+  }
+
  def getRecordSet(
-      recordSetId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetInfo] =
+                    recordSetId: String,
+                    authPrincipal: AuthPrincipal
+                  ): Result[RecordSetInfo] =
    for {
      recordSet <- getRecordSet(recordSetId)
      groupName <- getGroupName(recordSet.ownerGroupId)
    } yield RecordSetInfo(recordSet, groupName)

+  def getRecordSetCount(zoneId: String, authPrincipal: AuthPrincipal): Result[RecordSetCount] = {
+    for {
+      zone <- getZone(zoneId)
+      _ <- canSeeZone(authPrincipal, zone).toResult
+      count  <- recordSetRepository.getRecordSetCount(zoneId).toResult
+    } yield RecordSetCount(count)
+  }
+
  def getRecordSetByZone(
-      recordSetId: String,
-      zoneId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetInfo] =
+                          recordSetId: String,
+                          zoneId: String,
+                          authPrincipal: AuthPrincipal
+                        ): Result[RecordSetInfo] =
    for {
      zone <- getZone(zoneId)
      recordSet <- getRecordSet(recordSetId)
@ -192,14 +503,15 @@ class RecordSetService(
    } yield RecordSetInfo(recordSet, groupName)

  def listRecordSets(
-      startFrom: Option[String],
-      maxItems: Option[Int],
-      recordNameFilter: String,
-      recordTypeFilter: Option[Set[RecordType]],
-      recordOwnerGroupFilter: Option[String],
-      nameSort: NameSort,
-      authPrincipal: AuthPrincipal
-  ): Result[ListGlobalRecordSetsResponse] =
+                      startFrom: Option[String],
+                      maxItems: Option[Int],
+                      recordNameFilter: String,
+                      recordTypeFilter: Option[Set[RecordType]],
+                      recordOwnerGroupFilter: Option[String],
+                      nameSort: NameSort,
+                      authPrincipal: AuthPrincipal,
+                      recordTypeSort: RecordTypeSort
+                    ): Result[ListGlobalRecordSetsResponse] =
    for {
      _ <- validRecordNameFilterLength(recordNameFilter).toResult
      formattedRecordNameFilter <- formatRecordNameFilter(recordNameFilter)
@ -211,7 +523,8 @@ class RecordSetService(
          Some(formattedRecordNameFilter),
          recordTypeFilter,
          recordOwnerGroupFilter,
-          nameSort
+          nameSort,
+          recordTypeSort
        )
        .toResult[ListRecordSetResults]
      rsOwnerGroupIds = recordSetResults.recordSets.flatMap(_.ownerGroupId).toSet
@ -230,16 +543,83 @@ class RecordSetService(
      recordSetResults.nameSort
    )

+  /**
+   * Searches recordsets, optionally using the recordset cache (controlled by the 'use-recordset-cache' setting)
+   *
+   * @param startFrom          The starting record
+   * @param maxItems           The maximum number of items
+   * @param recordNameFilter   The record name filter
+   * @param recordTypeFilter   The record type filter
+   * @param recordOwnerGroupId The owner group identifier
+   * @param nameSort           The sort direction
+   * @param authPrincipal      The authenticated principal
+   * @return A {@link ListGlobalRecordSetsResponse}
+   */
+  def searchRecordSets(
+                        startFrom: Option[String],
+                        maxItems: Option[Int],
+                        recordNameFilter: String,
+                        recordTypeFilter: Option[Set[RecordType]],
+                        recordOwnerGroupFilter: Option[String],
+                        nameSort: NameSort,
+                        authPrincipal: AuthPrincipal,
+                        recordTypeSort: RecordTypeSort
+                      ): Result[ListGlobalRecordSetsResponse] = {
+    for {
+      _ <- validRecordNameFilterLength(recordNameFilter).toResult
+      formattedRecordNameFilter <- formatRecordNameFilter(recordNameFilter)
+      recordSetResults <- if (useRecordSetCache) {
+        // Search the cache
+        recordSetCacheRepository.listRecordSetData(
+          None,
+          startFrom,
+          maxItems,
+          Some(formattedRecordNameFilter),
+          recordTypeFilter,
+          recordOwnerGroupFilter,
+          nameSort
+        ).toResult[ListRecordSetResults]
+      } else {
+        // Search the record table directly
+        recordSetRepository.listRecordSets(
+          None,
+          startFrom,
+          maxItems,
+          Some(formattedRecordNameFilter),
+          recordTypeFilter,
+          recordOwnerGroupFilter,
+          nameSort,
+          recordTypeSort
+        ).toResult[ListRecordSetResults]
+      }
+      rsOwnerGroupIds = recordSetResults.recordSets.flatMap(_.ownerGroupId).toSet
+      rsZoneIds = recordSetResults.recordSets.map(_.zoneId).toSet
+      rsGroups <- groupRepository.getGroups(rsOwnerGroupIds).toResult[Set[Group]]
+      rsZones <- zoneRepository.getZones(rsZoneIds).toResult[Set[Zone]]
+      setsWithSupplementalInfo = getSupplementalInfo(recordSetResults.recordSets, rsGroups, rsZones)
+    } yield ListGlobalRecordSetsResponse(
+      setsWithSupplementalInfo,
+      recordSetResults.startFrom,
+      recordSetResults.nextId,
+      recordSetResults.maxItems,
+      recordNameFilter,
+      recordSetResults.recordTypeFilter,
+      recordSetResults.recordOwnerGroupFilter,
+      recordSetResults.nameSort
+    )
+  }
+
  def listRecordSetsByZone(
-      zoneId: String,
-      startFrom: Option[String],
-      maxItems: Option[Int],
-      recordNameFilter: Option[String],
-      recordTypeFilter: Option[Set[RecordType]],
-      recordOwnerGroupFilter: Option[String],
-      nameSort: NameSort,
-      authPrincipal: AuthPrincipal
-  ): Result[ListRecordSetsByZoneResponse] =
+                            zoneId: String,
+                            startFrom: Option[String],
+                            maxItems: Option[Int],
+                            recordNameFilter: Option[String],
+                            recordTypeFilter: Option[Set[RecordType]],
+                            recordOwnerGroupFilter: Option[String],
+                            nameSort: NameSort,
+                            authPrincipal: AuthPrincipal,
+                            recordTypeSort: RecordTypeSort
+                          ): Result[ListRecordSetsByZoneResponse] =
    for {
      zone <- getZone(zoneId)
      _ <- canSeeZone(authPrincipal, zone).toResult
@ -251,7 +631,8 @@ class RecordSetService(
          recordNameFilter,
          recordTypeFilter,
          recordOwnerGroupFilter,
-          nameSort
+          nameSort,
+          recordTypeSort
        )
        .toResult[ListRecordSetResults]
      rsOwnerGroupIds = recordSetResults.recordSets.flatMap(_.ownerGroupId).toSet
@ -266,14 +647,15 @@ class RecordSetService(
      recordSetResults.recordNameFilter,
      recordSetResults.recordTypeFilter,
      recordSetResults.recordOwnerGroupFilter,
-      recordSetResults.nameSort
+      recordSetResults.nameSort,
+      recordSetResults.recordTypeSort
    )

  def getRecordSetChange(
-      zoneId: String,
-      changeId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetChange] =
+                          zoneId: String,
+                          changeId: String,
+                          authPrincipal: AuthPrincipal
+                        ): Result[RecordSetChange] =
    for {
      zone <- getZone(zoneId)
      change <- recordChangeRepository
@ -294,19 +676,62 @@ class RecordSetService(
    } yield change

  def listRecordSetChanges(
-      zoneId: String,
-      startFrom: Option[String] = None,
-      maxItems: Int = 100,
-      authPrincipal: AuthPrincipal
-  ): Result[ListRecordSetChangesResponse] =
+                            zoneId: String,
+                            startFrom: Option[Int] = None,
+                            maxItems: Int = 100,
+                            authPrincipal: AuthPrincipal
+                          ): Result[ListRecordSetChangesResponse] =
+      for {
+        zone <- getZone(zoneId)
+        _ <- canSeeZone(authPrincipal, zone).toResult
+        recordSetChangesResults <- recordChangeRepository
+          .listRecordSetChanges(Some(zone.id), startFrom, maxItems, None, None)
+          .toResult[ListRecordSetChangesResults]
+        recordSetChangesInfo <- buildRecordSetChangeInfo(recordSetChangesResults.items)
+      } yield ListRecordSetChangesResponse(zoneId, recordSetChangesResults, recordSetChangesInfo)
+
+  def listRecordSetChangeHistory(
+                            zoneId: Option[String] = None,
+                            startFrom: Option[Int] = None,
+                            maxItems: Int = 100,
+                            fqdn: Option[String] = None,
+                            recordType: Option[RecordType] = None,
+                            authPrincipal: AuthPrincipal
+                          ): Result[ListRecordSetHistoryResponse] =
    for {
-      zone <- getZone(zoneId)
+      zone <- getZone(zoneId.get)
      _ <- canSeeZone(authPrincipal, zone).toResult
      recordSetChangesResults <- recordChangeRepository
-        .listRecordSetChanges(zone.id, startFrom, maxItems)
+        .listRecordSetChanges(zoneId, startFrom, maxItems, fqdn, recordType)
        .toResult[ListRecordSetChangesResults]
      recordSetChangesInfo <- buildRecordSetChangeInfo(recordSetChangesResults.items)
-    } yield ListRecordSetChangesResponse(zoneId, recordSetChangesResults, recordSetChangesInfo)
+    } yield ListRecordSetHistoryResponse(zoneId, recordSetChangesResults, recordSetChangesInfo)
+
+  def listFailedRecordSetChanges(
+                                  authPrincipal: AuthPrincipal,
+                                  zoneId: Option[String] = None,
+                                  startFrom: Int= 0,
+                                  maxItems: Int = 100
+                                ): Result[ListFailedRecordSetChangesResponse] =
+    for {
+      recordSetChangesFailedResults <- recordChangeRepository
+        .listFailedRecordSetChanges(zoneId, maxItems, startFrom)
+        .toResult[ListFailedRecordSetChangesResults]
+      _ <- zoneAccess(recordSetChangesFailedResults.items, authPrincipal).toResult
+    } yield
+      ListFailedRecordSetChangesResponse(
+        recordSetChangesFailedResults.items,
+        recordSetChangesFailedResults.nextId,
+        startFrom,
+        maxItems)
+
+  def zoneAccess(
+                  RecordSetCh: List[RecordSetChange],
+                  auth: AuthPrincipal
+                ): List[Result[Unit]] =
+    RecordSetCh.map { zn =>
+      canSeeZone(auth, zn.zone).toResult
+    }

  def getZone(zoneId: String): Result[Zone] =
    zoneRepository
@ -340,8 +765,8 @@ class RecordSetService(
      .toResult

  def buildRecordSetChangeInfo(
-      changes: List[RecordSetChange]
-  ): Result[List[RecordSetChangeInfo]] = {
+                                changes: List[RecordSetChange]
+                              ): Result[List[RecordSetChangeInfo]] = {
    val userIds = changes.map(_.userId).toSet
    for {
      users <- userRepository.getUsers(userIds, None, None).map(_.users).toResult[Seq[User]]
@ -360,10 +785,10 @@ class RecordSetService(
    }

  def getSupplementalInfo(
-      recordsets: List[RecordSet],
-      groups: Set[Group],
-      zones: Set[Zone]
-  ): List[RecordSetGlobalInfo] =
+                           recordsets: List[RecordSet],
+                           groups: Set[Group],
+                           zones: Set[Zone]
+                         ): List[RecordSetGlobalInfo] =
    recordsets.map { rs =>
      val ownerGroupName =
        rs.ownerGroupId.flatMap(groupId => groups.find(_.id == groupId).map(_.name))
@ -391,14 +816,14 @@ class RecordSetService(
  }

  def recordSetDoesNotExist(
-      backendConnection: Zone => Backend,
-      zone: Zone,
-      recordSet: RecordSet,
-      validateRecordLookupAgainstDnsBackend: Boolean
-  ): Result[Unit] =
+                             backendConnection: Zone => Backend,
+                             zone: Zone,
+                             recordSet: RecordSet,
+                             validateRecordLookupAgainstDnsBackend: Boolean
+                           ): Result[Unit] =
    recordSetDoesNotExistInDatabase(recordSet, zone).value.flatMap {
      case Left(recordSetAlreadyExists: RecordSetAlreadyExists)
-          if validateRecordLookupAgainstDnsBackend =>
+        if validateRecordLookupAgainstDnsBackend =>
        backendConnection(zone)
          .resolve(recordSet.name, zone.name, recordSet.typ)
          .attempt
@ -412,16 +837,16 @@ class RecordSetService(
    }.toResult

  def isUniqueUpdate(
-      backendConnection: Zone => Backend,
-      newRecordSet: RecordSet,
-      existingRecordsWithName: List[RecordSet],
-      zone: Zone,
-      validateRecordLookupAgainstDnsBackend: Boolean
-  ): Result[Unit] =
+                      backendConnection: Zone => Backend,
+                      newRecordSet: RecordSet,
+                      existingRecordsWithName: List[RecordSet],
+                      zone: Zone,
+                      validateRecordLookupAgainstDnsBackend: Boolean
+                    ): Result[Unit] =
    RecordSetValidations
      .recordSetDoesNotExist(newRecordSet, existingRecordsWithName, zone) match {
      case Left(recordSetAlreadyExists: RecordSetAlreadyExists)
-          if validateRecordLookupAgainstDnsBackend =>
+        if validateRecordLookupAgainstDnsBackend =>
        backendConnection(zone)
          .resolve(newRecordSet.name, zone.name, newRecordSet.typ)
          .attempt
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetServiceAlgebra.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetServiceAlgebra.scala
@ -17,12 +17,13 @@
 package vinyldns.api.domain.record

 import vinyldns.api.Interfaces.Result
-import vinyldns.api.domain.zone.RecordSetInfo
+import vinyldns.api.domain.zone.{RecordSetCount, RecordSetInfo}
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.zone.ZoneCommandResult
 import vinyldns.api.route.{ListGlobalRecordSetsResponse, ListRecordSetsByZoneResponse}
 import vinyldns.core.domain.record.NameSort.NameSort
 import vinyldns.core.domain.record.RecordType.RecordType
+import vinyldns.core.domain.record.RecordTypeSort.RecordTypeSort
 import vinyldns.core.domain.record.{RecordSet, RecordSetChange}

 trait RecordSetServiceAlgebra {
@ -31,54 +32,97 @@ trait RecordSetServiceAlgebra {
  def updateRecordSet(recordSet: RecordSet, auth: AuthPrincipal): Result[ZoneCommandResult]

  def deleteRecordSet(
-      recordSetId: String,
-      zoneId: String,
-      auth: AuthPrincipal
-  ): Result[ZoneCommandResult]
+                       recordSetId: String,
+                       zoneId: String,
+                       auth: AuthPrincipal
+                     ): Result[ZoneCommandResult]

  def getRecordSet(
-      recordSetId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetInfo]
+                    recordSetId: String,
+                    authPrincipal: AuthPrincipal
+                  ): Result[RecordSetInfo]

  def getRecordSetByZone(
-      recordSetId: String,
-      zoneId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetInfo]
+                          recordSetId: String,
+                          zoneId: String,
+                          authPrincipal: AuthPrincipal
+                        ): Result[RecordSetInfo]

  def listRecordSets(
-      startFrom: Option[String],
-      maxItems: Option[Int],
-      recordNameFilter: String,
-      recordTypeFilter: Option[Set[RecordType]],
-      recordOwnerGroupId: Option[String],
-      nameSort: NameSort,
-      authPrincipal: AuthPrincipal
-  ): Result[ListGlobalRecordSetsResponse]
+                      startFrom: Option[String],
+                      maxItems: Option[Int],
+                      recordNameFilter: String,
+                      recordTypeFilter: Option[Set[RecordType]],
+                      recordOwnerGroupId: Option[String],
+                      nameSort: NameSort,
+                      authPrincipal: AuthPrincipal,
+                      recordTypeSort: RecordTypeSort
+                    ): Result[ListGlobalRecordSetsResponse]
+
+  /**
+   * Searches recordsets, optionally using the recordset cache (controlled by the 'use-recordset-cache' setting)
+   *
+   * @param startFrom          The starting record
+   * @param maxItems           The maximum number of items
+   * @param recordNameFilter   The record name filter
+   * @param recordTypeFilter   The record type filter
+   * @param recordOwnerGroupId THe owner group identifier
+   * @param nameSort           The sort direction
+   * @param authPrincipal      The authenticated principal
+   * @return A {@link ListGlobalRecordSetsResponse}
+   */
+  def searchRecordSets(
+                        startFrom: Option[String],
+                        maxItems: Option[Int],
+                        recordNameFilter: String,
+                        recordTypeFilter: Option[Set[RecordType]],
+                        recordOwnerGroupId: Option[String],
+                        nameSort: NameSort,
+                        authPrincipal: AuthPrincipal,
+                        recordTypeSort: RecordTypeSort
+                      ): Result[ListGlobalRecordSetsResponse]

  def listRecordSetsByZone(
-      zoneId: String,
-      startFrom: Option[String],
-      maxItems: Option[Int],
-      recordNameFilter: Option[String],
-      recordTypeFilter: Option[Set[RecordType]],
-      recordOwnerGroupId: Option[String],
-      nameSort: NameSort,
-      authPrincipal: AuthPrincipal
-  ): Result[ListRecordSetsByZoneResponse]
+                            zoneId: String,
+                            startFrom: Option[String],
+                            maxItems: Option[Int],
+                            recordNameFilter: Option[String],
+                            recordTypeFilter: Option[Set[RecordType]],
+                            recordOwnerGroupId: Option[String],
+                            nameSort: NameSort,
+                            authPrincipal: AuthPrincipal,
+                            recordTypeSort: RecordTypeSort
+                          ): Result[ListRecordSetsByZoneResponse]

  def getRecordSetChange(
-      zoneId: String,
-      changeId: String,
-      authPrincipal: AuthPrincipal
-  ): Result[RecordSetChange]
+                          zoneId: String,
+                          changeId: String,
+                          authPrincipal: AuthPrincipal
+                        ): Result[RecordSetChange]

  def listRecordSetChanges(
-      zoneId: String,
-      startFrom: Option[String],
-      maxItems: Int,
-      authPrincipal: AuthPrincipal
-  ): Result[ListRecordSetChangesResponse]
+                            zoneId: String,
+                            startFrom: Option[Int],
+                            maxItems: Int,
+                            authPrincipal: AuthPrincipal
+                          ): Result[ListRecordSetChangesResponse]
+
+  def listRecordSetChangeHistory(
+                            zoneId: Option[String],
+                            startFrom: Option[Int],
+                            maxItems: Int,
+                            fqdn: Option[String],
+                            recordType: Option[RecordType],
+                            authPrincipal: AuthPrincipal
+                          ): Result[ListRecordSetHistoryResponse]
+
+  def listFailedRecordSetChanges(
+                                  authPrincipal: AuthPrincipal,
+                                  zoneId: Option[String],
+                                  startFrom: Int,
+                                  maxItems: Int
+                                ): Result[ListFailedRecordSetChangesResponse]
+
+  def getRecordSetCount(zoneId: String, authPrincipal: AuthPrincipal): Result[RecordSetCount]

 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/record/RecordSetValidations.scala
@ -20,13 +20,14 @@ import cats.syntax.either._
 import vinyldns.api.Interfaces._
 import vinyldns.api.backend.dns.DnsConversions
 import vinyldns.api.config.HighValueDomainConfig
+import vinyldns.api.domain.DomainValidations.validateIpv4Address
 import vinyldns.api.domain._
 import vinyldns.core.domain.DomainHelpers._
 import vinyldns.core.domain.record.RecordType._
 import vinyldns.api.domain.zone._
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.membership.Group
-import vinyldns.core.domain.record.{RecordSet, RecordType}
+import vinyldns.core.domain.record.{OwnerShipTransferStatus, RecordSet, RecordType}
 import vinyldns.core.domain.zone.Zone
 import vinyldns.core.Messages._

@ -90,6 +91,69 @@ object RecordSetValidations {
      !existingRecordsWithName.exists(rs => rs.id != newRecordSet.id && rs.typ == newRecordSet.typ)
    )

+  // Check whether the record has dot or not
+  def checkForDot(
+      newRecordSet: RecordSet,
+      zone: Zone,
+      existingRecordSet: Option[RecordSet] = None,
+      recordFqdnDoesNotExist: Boolean,
+      dottedHostZoneConfig: Set[String],
+      isRecordTypeAndUserAllowed: Boolean,
+      allowedDotsLimit: Int = 0
+  ): Either[Throwable, Unit] = {
+
+    val zoneName = if(zone.name.takeRight(1) != ".") zone.name + "." else zone.name
+    // Check if the zone of the recordset is present in dotted hosts config list
+    val isDomainAllowed = dottedHostZoneConfig.contains(zoneName)
+
+    // Check if record set contains dot and if it is in zone which is allowed to have dotted records from dotted hosts config
+    if(allowedDotsLimit != 0 && newRecordSet.name.contains(".") && isDomainAllowed && newRecordSet.name != zone.name) {
+      if(!isRecordTypeAndUserAllowed){
+        isUserAndRecordTypeAuthorized(newRecordSet, zone, existingRecordSet, recordFqdnDoesNotExist, isRecordTypeAndUserAllowed)
+      }
+      else {
+        isDotted(newRecordSet, zone, existingRecordSet, recordFqdnDoesNotExist, isRecordTypeAndUserAllowed)
+      }
+    }
+    else {
+      isNotDotted(newRecordSet, zone, existingRecordSet)
+    }
+  }
+
+  // For dotted host. Check if a record is already present which conflicts with the new dotted record. If so, throw an error
+  def isDotted(
+     newRecordSet: RecordSet,
+     zone: Zone,
+     existingRecordSet: Option[RecordSet] = None,
+     recordFqdnDoesNotExist: Boolean,
+     isRecordTypeAndUserAllowed: Boolean
+  ): Either[Throwable, Unit] =
+    ensuring(
+      InvalidRequest(
+        s"Record with fqdn '${newRecordSet.name}.${zone.name}' cannot be created. " +
+          s"Please check if a record with the same FQDN and type already exist and make the change there."
+      )
+    )(
+      (newRecordSet.name != zone.name || existingRecordSet.exists(_.name == newRecordSet.name)) && recordFqdnDoesNotExist && isRecordTypeAndUserAllowed
+    )
+
+  // For dotted host. Check if the user is authorized and the record type is allowed. If not, throw an error
+  def isUserAndRecordTypeAuthorized(
+     newRecordSet: RecordSet,
+     zone: Zone,
+     existingRecordSet: Option[RecordSet] = None,
+     recordFqdnDoesNotExist: Boolean,
+     isRecordTypeAndUserAllowed: Boolean
+  ): Either[Throwable, Unit] =
+    ensuring(
+      InvalidRequest(
+        s"Record type is not allowed or the user is not authorized to create a dotted host in the zone '${zone.name}'"
+      )
+    )(
+      (newRecordSet.name != zone.name || existingRecordSet.exists(_.name == newRecordSet.name)) && recordFqdnDoesNotExist && isRecordTypeAndUserAllowed
+    )
+
+  // Check if the recordset contains dot but is not in the allowed zones to create dotted records. If so, throw an error
  def isNotDotted(
      newRecordSet: RecordSet,
      zone: Zone,
@ -110,16 +174,20 @@ object RecordSetValidations {
      existingRecordsWithName: List[RecordSet],
      zone: Zone,
      existingRecordSet: Option[RecordSet],
-      approvedNameServers: List[Regex]
+      approvedNameServers: List[Regex],
+      recordFqdnDoesNotExist: Boolean,
+      dottedHostZoneConfig: Set[String],
+      isRecordTypeAndUserAllowed: Boolean,
+      allowedDotsLimit: Int = 0
  ): Either[Throwable, Unit] =
    newRecordSet.typ match {
-      case CNAME => cnameValidations(newRecordSet, existingRecordsWithName, zone, existingRecordSet)
-      case NS => nsValidations(newRecordSet, zone, existingRecordSet, approvedNameServers)
-      case SOA => soaValidations(newRecordSet, zone)
+      case CNAME => cnameValidations(newRecordSet, existingRecordsWithName, zone, existingRecordSet, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
+      case NS => nsValidations(newRecordSet, zone, existingRecordSet, approvedNameServers, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
+      case SOA => soaValidations(newRecordSet, zone, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
      case PTR => ptrValidations(newRecordSet, zone)
      case SRV | TXT | NAPTR => ().asRight // SRV, TXT and NAPTR do not go through dotted host check
-      case DS => dsValidations(newRecordSet, existingRecordsWithName, zone)
-      case _ => isNotDotted(newRecordSet, zone, existingRecordSet)
+      case DS => dsValidations(newRecordSet, existingRecordsWithName, zone, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
+      case _ => checkForDot(newRecordSet, zone, existingRecordSet, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
    }

  def typeSpecificDeleteValidations(recordSet: RecordSet, zone: Zone): Either[Throwable, Unit] =
@ -140,7 +208,11 @@ object RecordSetValidations {
      newRecordSet: RecordSet,
      existingRecordsWithName: List[RecordSet],
      zone: Zone,
-      existingRecordSet: Option[RecordSet] = None
+      existingRecordSet: Option[RecordSet] = None,
+      recordFqdnDoesNotExist: Boolean,
+      dottedHostZoneConfig: Set[String],
+      isRecordTypeAndUserAllowed: Boolean,
+      allowedDotsLimit: Int = 0
  ): Either[Throwable, Unit] = {
    // cannot create a cname record if a record with the same exists
    val noRecordWithName = {
@ -165,6 +237,16 @@ object RecordSetValidations {
      )
    }

+    val isNotIPv4inCname = {
+      ensuring(
+        RecordSetValidation(
+          s"""Invalid CNAME: ${newRecordSet.records.head.toString.dropRight(1)}, valid CNAME record data cannot be an IP address."""
+        )
+      )(
+        validateIpv4Address(newRecordSet.records.head.toString.dropRight(1)).isInvalid
+      )
+    }
+
    for {
      _ <- isNotOrigin(
        newRecordSet,
@ -172,8 +254,9 @@ object RecordSetValidations {
        "CNAME RecordSet cannot have name '@' because it points to zone origin"
      )
      _ <- noRecordWithName
+      _ <- isNotIPv4inCname
      _ <- RDataWithConsecutiveDots
-      _ <- isNotDotted(newRecordSet, zone, existingRecordSet)
+      _ <- checkForDot(newRecordSet, zone, existingRecordSet, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
    } yield ()

  }
@ -181,15 +264,15 @@ object RecordSetValidations {
  def dsValidations(
      newRecordSet: RecordSet,
      existingRecordsWithName: List[RecordSet],
-      zone: Zone
+      zone: Zone,
+      recordFqdnDoesNotExist: Boolean,
+      dottedHostZoneConfig: Set[String],
+      isRecordTypeAndUserAllowed: Boolean,
+      allowedDotsLimit: Int = 0
  ): Either[Throwable, Unit] = {
    // see https://tools.ietf.org/html/rfc4035#section-2.4
    val nsChecks = existingRecordsWithName.find(_.typ == NS) match {
-      case Some(ns) if ns.ttl == newRecordSet.ttl => ().asRight
-      case Some(ns) =>
-        InvalidRequest(
-          s"DS record [${newRecordSet.name}] must have TTL matching its linked NS (${ns.ttl})"
-        ).asLeft
+      case Some(_) => ().asRight
      case None =>
        InvalidRequest(
          s"DS record [${newRecordSet.name}] is invalid because there is no NS record with that " +
@ -198,7 +281,7 @@ object RecordSetValidations {
    }

    for {
-      _ <- isNotDotted(newRecordSet, zone)
+      _ <- checkForDot(newRecordSet, zone, None, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit)
      _ <- isNotOrigin(
        newRecordSet,
        zone,
@ -212,10 +295,14 @@ object RecordSetValidations {
      newRecordSet: RecordSet,
      zone: Zone,
      oldRecordSet: Option[RecordSet],
-      approvedNameServers: List[Regex]
+      approvedNameServers: List[Regex],
+      recordFqdnDoesNotExist: Boolean,
+      dottedHostZoneConfig: Set[String],
+      isRecordTypeAndUserAllowed: Boolean,
+      allowedDotsLimit: Int = 0
  ): Either[Throwable, Unit] = {
    // TODO kept consistency with old validation. Not sure why NS could be dotted in reverse specifically
-    val isNotDottedHost = if (!zone.isReverse) isNotDotted(newRecordSet, zone) else ().asRight
+    val isNotDottedHost = if (!zone.isReverse) checkForDot(newRecordSet, zone, None, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit) else ().asRight

    for {
      _ <- isNotDottedHost
@ -237,9 +324,9 @@ object RecordSetValidations {
    } yield ()
  }

-  def soaValidations(newRecordSet: RecordSet, zone: Zone): Either[Throwable, Unit] =
+  def soaValidations(newRecordSet: RecordSet, zone: Zone, recordFqdnDoesNotExist: Boolean, dottedHostZoneConfig: Set[String], isRecordTypeAndUserAllowed: Boolean, allowedDotsLimit: Int = 0): Either[Throwable, Unit] =
    // TODO kept consistency with old validation. in theory if SOA always == zone name, no special case is needed here
-    if (!zone.isReverse) isNotDotted(newRecordSet, zone) else ().asRight
+    if (!zone.isReverse) checkForDot(newRecordSet, zone, None, recordFqdnDoesNotExist, dottedHostZoneConfig, isRecordTypeAndUserAllowed, allowedDotsLimit) else ().asRight

  def ptrValidations(newRecordSet: RecordSet, zone: Zone): Either[Throwable, Unit] =
    // TODO we don't check for PTR as dotted...not sure why
@ -282,6 +369,29 @@ object RecordSetValidations {
      .leftMap(errors => InvalidRequest(errors.toList.map(_.message).mkString(", ")))
  }

+  def checkAllowedDots(allowedDotsLimit: Int, recordSet: RecordSet, zone: Zone): Either[Throwable, Unit] = {
+    ensuring(
+      InvalidRequest(
+        s"RecordSet with name ${recordSet.name} has more dots than that is allowed in config for this zone " +
+          s"which is, 'dots-limit = $allowedDotsLimit'."
+      )
+    )(
+      recordSet.name.count(_ == '.') <= allowedDotsLimit || (recordSet.name.count(_ == '.') == 1 &&
+        recordSet.name.takeRight(1) == ".") || recordSet.name == zone.name ||
+        (recordSet.typ.toString == "PTR" || recordSet.typ.toString == "SRV" || recordSet.typ.toString == "TXT" || recordSet.typ.toString == "NAPTR")
+    )
+  }
+
+  def isNotApexEndsWithDot(recordSet: RecordSet, zone: Zone): Either[Throwable, Unit] = {
+    ensuring(
+      InvalidRequest(
+        "RecordSet name cannot end with a dot, unless it's an apex record."
+      )
+    )(
+      recordSet.name.endsWith(zone.name) || !recordSet.name.endsWith(".")
+    )
+  }
+
  def canUseOwnerGroup(
      ownerGroupId: Option[String],
      group: Option[Group],
@ -327,11 +437,66 @@ object RecordSetValidations {
      InvalidRequest("Cannot update RecordSet's zone ID.")
    )

+  /**
+   * Checks of the user is a superuser, the zone is shared, and the only record attribute being changed
+   * is the record owner group.
+   */
+  def canSuperUserUpdateOwnerGroup(
+    existing: RecordSet,
+    updates: RecordSet,
+    zone: Zone,
+    auth: AuthPrincipal
+  ): Boolean =
+    (updates.ownerGroupId != existing.ownerGroupId
+        && updates.zoneId == existing.zoneId
+        && updates.name == existing.name
+        && updates.typ == existing.typ
+        && updates.ttl == existing.ttl
+        && updates.records == existing.records
+        && zone.shared
+        && auth.isSuper)
+
  def validRecordNameFilterLength(recordNameFilter: String): Either[Throwable, Unit] =
-    ensuring(
-      InvalidRequest(RecordNameFilterError)
-    ) {
-      val searchRegex: Regex = """[a-zA-Z0-9].*[a-zA-Z0-9]+""".r
-      searchRegex.findFirstIn(recordNameFilter).isDefined
+    ensuring(onError = InvalidRequest(RecordNameFilterError)) {
+      val searchRegex = "[a-zA-Z0-9].*[a-zA-Z0-9]+".r
+      val wildcardRegex = raw"^\s*[*%].*[*%]\s*$$".r
+      searchRegex.findFirstIn(recordNameFilter).isDefined && wildcardRegex.findFirstIn(recordNameFilter).isEmpty
    }
+
+  def unchangedRecordSet(
+                          existing: RecordSet,
+                          updates: RecordSet
+                        ): Either[Throwable, Unit] =
+    Either.cond(
+      updates.typ == existing.typ &&
+        updates.records == existing.records &&
+        updates.id == existing.id &&
+        updates.zoneId == existing.zoneId &&
+        updates.name == existing.name &&
+        updates.ownerGroupId == existing.ownerGroupId &&
+        updates.ttl == existing.ttl,
+      (),
+      InvalidRequest("Cannot update RecordSet's if user not a member of ownership group. User can only request for ownership transfer")
+    )
+
+  def recordSetOwnerShipApproveStatus(
+                                       updates: RecordSet,
+                                     ): Either[Throwable, Unit] =
+    Either.cond(
+      updates.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") != OwnerShipTransferStatus.ManuallyApproved &&
+        updates.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") != OwnerShipTransferStatus.AutoApproved &&
+        updates.recordSetGroupChange.map(_.ownerShipTransferStatus).getOrElse("<none>") != OwnerShipTransferStatus.ManuallyRejected,
+      (),
+      InvalidRequest("Cannot update RecordSet OwnerShip Status when request is cancelled.")
+    )
+
+  def unchangedRecordSetOwnershipStatus(
+                                         updates: RecordSet,
+                                         existing: RecordSet
+                                       ): Either[Throwable, Unit] =
+    Either.cond(
+      updates.recordSetGroupChange == existing.recordSetGroupChange || existing.recordSetGroupChange.isEmpty,
+      (),
+      InvalidRequest("Cannot update RecordSet OwnerShip Status when zone is not shared.")
+    )
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/AclRuleOrdering.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/AclRuleOrdering.scala
@ -16,7 +16,7 @@

 package vinyldns.api.domain.zone

-import com.aaronbedra.orchard.CIDR
+import com.comcast.ip4s.Cidr
 import vinyldns.core.domain.record.RecordType
 import vinyldns.core.domain.zone.ACLRule

@ -61,7 +61,7 @@ object ACLRuleOrdering extends ACLRuleOrdering {
 object PTRACLRuleOrdering extends ACLRuleOrdering {
  def sortableRecordMaskValue(rule: ACLRule): Int = {
    val slash = rule.recordMask match {
-      case Some(cidrRule) => CIDR.valueOf(cidrRule).getMask
+      case Some(cidrRule) => Cidr.fromString(cidrRule).get.prefixBits
      case None => 0
    }
    128 - slash
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ListZoneChangesResponse.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ListZoneChangesResponse.scala
@ -17,7 +17,7 @@
 package vinyldns.api.domain.zone

 import vinyldns.api.domain.zone
-import vinyldns.core.domain.zone.{ListZoneChangesResults, ZoneChange}
+import vinyldns.core.domain.zone.{ListFailedZoneChangesResults, ListZoneChangesResults, ZoneChange}

 case class ListZoneChangesResponse(
    zoneId: String,
@ -37,3 +37,29 @@ object ListZoneChangesResponse {
      listResults.maxItems
    )
 }
+
+case class ListDeletedZoneChangesResponse(
+     zonesDeletedInfo: List[ZoneChangeDeletedInfo],
+     zoneChangeFilter: Option[String] = None,
+     nextId: Option[String] = None,
+     startFrom: Option[String] = None,
+     maxItems: Int = 100,
+     ignoreAccess: Boolean = false
+)
+
+case class ListFailedZoneChangesResponse(
+                                          failedZoneChanges: List[ZoneChange] = Nil,
+                                          nextId: Int,
+                                          startFrom: Int,
+                                          maxItems: Int
+                                        )
+
+object ListFailedZoneChangesResponse {
+  def apply(listResults: ListFailedZoneChangesResults): ListFailedZoneChangesResponse =
+    zone.ListFailedZoneChangesResponse(
+      listResults.items,
+      listResults.nextId,
+      listResults.startFrom,
+      listResults.maxItems
+    )
+}
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneChangeGenerator.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneChangeGenerator.scala
@ -17,8 +17,8 @@
 package vinyldns.api.domain.zone

 import java.util.UUID
-
-import org.joda.time.DateTime
+import java.time.temporal.ChronoUnit
+import java.time.Instant
 import vinyldns.core.crypto.CryptoAlgebra
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.core.domain.zone._
@ -34,7 +34,7 @@ object ZoneChangeGenerator {
  ): ZoneChange =
    ZoneChange(
      zone
-        .copy(id = UUID.randomUUID().toString, created = DateTime.now, status = ZoneStatus.Syncing),
+        .copy(id = UUID.randomUUID().toString, created = Instant.now.truncatedTo(ChronoUnit.MILLIS), status = ZoneStatus.Syncing),
      authPrincipal.userId,
      ZoneChangeType.Create,
      status
@ -47,7 +47,7 @@ object ZoneChangeGenerator {
      crypto: CryptoAlgebra
  ): ZoneChange =
    ZoneChange(
-      newZone.copy(updated = Some(DateTime.now), connection = fixConn(oldZone, newZone, crypto)),
+      newZone.copy(updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)), connection = fixConn(oldZone, newZone, crypto)),
      authPrincipal.userId,
      ZoneChangeType.Update,
      ZoneChangeStatus.Pending
@ -55,15 +55,23 @@ object ZoneChangeGenerator {

  def forSync(zone: Zone, authPrincipal: AuthPrincipal): ZoneChange =
    ZoneChange(
-      zone.copy(updated = Some(DateTime.now), status = ZoneStatus.Syncing),
+      zone.copy(updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)), status = ZoneStatus.Syncing),
      authPrincipal.userId,
      ZoneChangeType.Sync,
      ZoneChangeStatus.Pending
    )

+  def forSyncs(zone: Zone): ZoneChange =
+    ZoneChange(
+      zone.copy(updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)), status = ZoneStatus.Syncing),
+      zone.scheduleRequestor.get,
+      ZoneChangeType.AutomatedSync,
+      ZoneChangeStatus.Pending
+    )
+
  def forDelete(zone: Zone, authPrincipal: AuthPrincipal): ZoneChange =
    ZoneChange(
-      zone.copy(updated = Some(DateTime.now), status = ZoneStatus.Deleted),
+      zone.copy(updated = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS)), status = ZoneStatus.Deleted),
      authPrincipal.userId,
      ZoneChangeType.Delete,
      ZoneChangeStatus.Pending
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneProtocol.scala
@ -16,44 +16,46 @@

 package vinyldns.api.domain.zone

-import org.joda.time.DateTime
+import java.time.Instant
 import vinyldns.core.domain.record.RecordSetChangeStatus.RecordSetChangeStatus
 import vinyldns.core.domain.record.RecordSetChangeType.RecordSetChangeType
 import vinyldns.core.domain.record.RecordSetStatus.RecordSetStatus
 import vinyldns.core.domain.record.RecordType.RecordType
-import vinyldns.core.domain.record.{RecordData, RecordSet, RecordSetChange}
-import vinyldns.core.domain.zone.{ACLRuleInfo, AccessLevel, Zone, ZoneACL, ZoneConnection}
+import vinyldns.core.domain.record.{RecordData, RecordSet, RecordSetChange, OwnerShipTransfer}
+import vinyldns.core.domain.zone.{ACLRuleInfo, AccessLevel, Zone, ZoneACL, ZoneChange, ZoneConnection}
 import vinyldns.core.domain.zone.AccessLevel.AccessLevel
 import vinyldns.core.domain.zone.ZoneStatus.ZoneStatus

 case class ZoneACLInfo(rules: Set[ACLRuleInfo])

 case class ZoneInfo(
-    name: String,
-    email: String,
-    status: ZoneStatus,
-    created: DateTime,
-    updated: Option[DateTime],
-    id: String,
-    connection: Option[ZoneConnection],
-    transferConnection: Option[ZoneConnection],
-    account: String,
-    shared: Boolean,
-    acl: ZoneACLInfo,
-    adminGroupId: String,
-    adminGroupName: String,
-    latestSync: Option[DateTime],
-    backendId: Option[String],
-    accessLevel: AccessLevel
-)
+                     name: String,
+                     email: String,
+                     status: ZoneStatus,
+                     created: Instant,
+                     updated: Option[Instant],
+                     id: String,
+                     connection: Option[ZoneConnection],
+                     transferConnection: Option[ZoneConnection],
+                     account: String,
+                     shared: Boolean,
+                     acl: ZoneACLInfo,
+                     adminGroupId: String,
+                     adminGroupName: String,
+                     latestSync: Option[Instant],
+                     backendId: Option[String],
+                     recurrenceSchedule: Option[String],
+                     scheduleRequestor: Option[String],
+                     accessLevel: AccessLevel
+                   )

 object ZoneInfo {
  def apply(
-      zone: Zone,
-      aclInfo: ZoneACLInfo,
-      groupName: String,
-      accessLevel: AccessLevel
-  ): ZoneInfo =
+             zone: Zone,
+             aclInfo: ZoneACLInfo,
+             groupName: String,
+             accessLevel: AccessLevel
+           ): ZoneInfo =
    ZoneInfo(
      name = zone.name,
      email = zone.email,
@ -70,28 +72,54 @@ object ZoneInfo {
      adminGroupName = groupName,
      latestSync = zone.latestSync,
      backendId = zone.backendId,
+      recurrenceSchedule = zone.recurrenceSchedule,
+      scheduleRequestor = zone.scheduleRequestor,
      accessLevel = accessLevel
    )
 }

+case class ZoneDetails(
+                     name: String,
+                     email: String,
+                     status: ZoneStatus,
+                     adminGroupId: String,
+                     adminGroupName: String,
+                   )
+
+object ZoneDetails {
+  def apply(
+             zone: Zone,
+             groupName: String,
+           ): ZoneDetails =
+    ZoneDetails(
+      name = zone.name,
+      email = zone.email,
+      status = zone.status,
+      adminGroupId = zone.adminGroupId,
+      adminGroupName = groupName,
+    )
+}
+
 case class ZoneSummaryInfo(
-    name: String,
-    email: String,
-    status: ZoneStatus,
-    created: DateTime,
-    updated: Option[DateTime],
-    id: String,
-    connection: Option[ZoneConnection],
-    transferConnection: Option[ZoneConnection],
-    account: String,
-    shared: Boolean,
-    acl: ZoneACL,
-    adminGroupId: String,
-    adminGroupName: String,
-    latestSync: Option[DateTime],
-    backendId: Option[String],
-    accessLevel: AccessLevel
-)
+                            name: String,
+                            email: String,
+                            status: ZoneStatus,
+                            created: Instant,
+                            updated: Option[Instant],
+                            id: String,
+                            connection: Option[ZoneConnection],
+                            transferConnection: Option[ZoneConnection],
+                            account: String,
+                            shared: Boolean,
+                            acl: ZoneACL,
+                            adminGroupId: String,
+                            adminGroupName: String,
+                            latestSync: Option[Instant],
+                            backendId: Option[String],
+                            recurrenceSchedule: Option[String],
+                            scheduleRequestor: Option[String],
+                            accessLevel: AccessLevel
+                          )

 object ZoneSummaryInfo {
  def apply(zone: Zone, groupName: String, accessLevel: AccessLevel): ZoneSummaryInfo =
@ -111,26 +139,50 @@ object ZoneSummaryInfo {
      adminGroupName = groupName,
      latestSync = zone.latestSync,
      zone.backendId,
+      recurrenceSchedule = zone.recurrenceSchedule,
+      scheduleRequestor = zone.scheduleRequestor,
+      accessLevel = accessLevel
+    )
+}
+
+case class ZoneChangeDeletedInfo(
+                         zoneChange: ZoneChange,
+                         adminGroupName: String,
+                         userName: String,
+                         accessLevel: AccessLevel
+                          )
+
+object ZoneChangeDeletedInfo {
+  def apply(zoneChange: List[ZoneChange],
+            groupName: String,
+            userName: String,
+            accessLevel: AccessLevel)
+  : ZoneChangeDeletedInfo =
+    ZoneChangeDeletedInfo(
+      zoneChange= zoneChange,
+      groupName = groupName,
+      userName = userName,
      accessLevel = accessLevel
    )
 }

 case class RecordSetListInfo(
-    zoneId: String,
-    name: String,
-    typ: RecordType,
-    ttl: Long,
-    status: RecordSetStatus,
-    created: DateTime,
-    updated: Option[DateTime],
-    records: List[RecordData],
-    id: String,
-    account: String,
-    accessLevel: AccessLevel,
-    ownerGroupId: Option[String],
-    ownerGroupName: Option[String],
-    fqdn: Option[String]
-)
+                              zoneId: String,
+                              name: String,
+                              typ: RecordType,
+                              ttl: Long,
+                              status: RecordSetStatus,
+                              created: Instant,
+                              updated: Option[Instant],
+                              records: List[RecordData],
+                              id: String,
+                              account: String,
+                              accessLevel: AccessLevel,
+                              ownerGroupId: Option[String],
+                              ownerGroupName: Option[String],
+                              recordSetGroupChange: Option[OwnerShipTransfer],
+                              fqdn: Option[String]
+                            )

 object RecordSetListInfo {
  def apply(recordSet: RecordSetInfo, accessLevel: AccessLevel): RecordSetListInfo =
@ -148,25 +200,27 @@ object RecordSetListInfo {
      accessLevel = accessLevel,
      ownerGroupId = recordSet.ownerGroupId,
      ownerGroupName = recordSet.ownerGroupName,
+      recordSetGroupChange = recordSet.recordSetGroupChange,
      fqdn = recordSet.fqdn
    )
 }

 case class RecordSetInfo(
-    zoneId: String,
-    name: String,
-    typ: RecordType,
-    ttl: Long,
-    status: RecordSetStatus,
-    created: DateTime,
-    updated: Option[DateTime],
-    records: List[RecordData],
-    id: String,
-    account: String,
-    ownerGroupId: Option[String],
-    ownerGroupName: Option[String],
-    fqdn: Option[String]
-)
+                          zoneId: String,
+                          name: String,
+                          typ: RecordType,
+                          ttl: Long,
+                          status: RecordSetStatus,
+                          created: Instant,
+                          updated: Option[Instant],
+                          records: List[RecordData],
+                          id: String,
+                          account: String,
+                          ownerGroupId: Option[String],
+                          ownerGroupName: Option[String],
+                          recordSetGroupChange: Option[OwnerShipTransfer],
+                          fqdn: Option[String]
+                        )

 object RecordSetInfo {
  def apply(recordSet: RecordSet, groupName: Option[String]): RecordSetInfo =
@ -183,35 +237,37 @@ object RecordSetInfo {
      account = recordSet.account,
      ownerGroupId = recordSet.ownerGroupId,
      ownerGroupName = groupName,
+      recordSetGroupChange = recordSet.recordSetGroupChange,
      fqdn = recordSet.fqdn
    )
 }

 case class RecordSetGlobalInfo(
-    zoneId: String,
-    name: String,
-    typ: RecordType,
-    ttl: Long,
-    status: RecordSetStatus,
-    created: DateTime,
-    updated: Option[DateTime],
-    records: List[RecordData],
-    id: String,
-    account: String,
-    ownerGroupId: Option[String],
-    ownerGroupName: Option[String],
-    fqdn: Option[String],
-    zoneName: String,
-    zoneShared: Boolean
-)
+                                zoneId: String,
+                                name: String,
+                                typ: RecordType,
+                                ttl: Long,
+                                status: RecordSetStatus,
+                                created: Instant,
+                                updated: Option[Instant],
+                                records: List[RecordData],
+                                id: String,
+                                account: String,
+                                ownerGroupId: Option[String],
+                                ownerGroupName: Option[String],
+                                recordSetGroupChange: Option[OwnerShipTransfer],
+                                fqdn: Option[String],
+                                zoneName: String,
+                                zoneShared: Boolean
+                              )

 object RecordSetGlobalInfo {
  def apply(
-      recordSet: RecordSet,
-      zoneName: String,
-      zoneShared: Boolean,
-      groupName: Option[String]
-  ): RecordSetGlobalInfo =
+             recordSet: RecordSet,
+             zoneName: String,
+             zoneShared: Boolean,
+             groupName: Option[String]
+           ): RecordSetGlobalInfo =
    RecordSetGlobalInfo(
      zoneId = recordSet.zoneId,
      name = recordSet.name,
@ -225,6 +281,7 @@ object RecordSetGlobalInfo {
      account = recordSet.account,
      ownerGroupId = recordSet.ownerGroupId,
      ownerGroupName = groupName,
+      recordSetGroupChange = recordSet.recordSetGroupChange,
      fqdn = recordSet.fqdn,
      zoneName = zoneName,
      zoneShared = zoneShared
@ -232,17 +289,17 @@ object RecordSetGlobalInfo {
 }

 case class RecordSetChangeInfo(
-    zone: Zone,
-    recordSet: RecordSet,
-    userId: String,
-    changeType: RecordSetChangeType,
-    status: RecordSetChangeStatus,
-    created: DateTime,
-    systemMessage: Option[String],
-    updates: Option[RecordSet],
-    id: String,
-    userName: String
-)
+                                zone: Zone,
+                                recordSet: RecordSet,
+                                userId: String,
+                                changeType: RecordSetChangeType,
+                                status: RecordSetChangeStatus,
+                                created: Instant,
+                                systemMessage: Option[String],
+                                updates: Option[RecordSet],
+                                id: String,
+                                userName: String
+                              )

 object RecordSetChangeInfo {
  def apply(recordSetChange: RecordSetChange, name: Option[String]): RecordSetChangeInfo =
@ -261,13 +318,16 @@ object RecordSetChangeInfo {
 }

 case class ListZonesResponse(
-    zones: List[ZoneSummaryInfo],
-    nameFilter: Option[String],
-    startFrom: Option[String] = None,
-    nextId: Option[String] = None,
-    maxItems: Int = 100,
-    ignoreAccess: Boolean = false
-)
+                              zones: List[ZoneSummaryInfo],
+                              nameFilter: Option[String],
+                              startFrom: Option[String] = None,
+                              nextId: Option[String] = None,
+                              maxItems: Int = 100,
+                              ignoreAccess: Boolean = false,
+                              includeReverse: Boolean = true
+                            )
+
+case class RecordSetCount( count: Int = 0 )

 // Errors
 case class InvalidRequest(msg: String) extends Throwable(msg)
@ -305,7 +365,7 @@ case class ConnectionFailed(zone: Zone, message: String) extends Throwable(messa
 case class RecordSetValidation(msg: String) extends Throwable(msg)

 case class ZoneValidationFailed(zone: Zone, errors: List[String], message: String)
-    extends Throwable(message)
+  extends Throwable(message)

 case class ZoneTooLargeError(msg: String) extends Throwable(msg)

--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneRecordValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneRecordValidations.scala
@ -19,13 +19,7 @@ package vinyldns.api.domain.zone
 import cats.implicits._
 import cats.data._
 import com.comcast.ip4s.IpAddress
-import com.comcast.ip4s.interop.cats.implicits._
-import vinyldns.core.domain.{
-  DomainHelpers,
-  DomainValidationError,
-  HighValueDomainError,
-  RecordRequiresManualReview
-}
+import vinyldns.core.domain.{DomainHelpers, DomainValidationError, HighValueDomainError, RecordRequiresManualReview}
 import vinyldns.core.domain.record.{NSData, RecordSet}

 import scala.util.matching.Regex
@ -41,7 +35,7 @@ object ZoneRecordValidations {

  /* Checks to see if an ip address is part of the ip address list */
  def isIpInIpList(ipList: List[IpAddress], ipToTest: String): Boolean =
-    IpAddress(ipToTest).exists(ip => ipList.exists(_ === ip))
+    IpAddress.fromString(ipToTest).exists(ip => ipList.exists(_ === ip))

  /* Checks to see if an individual ns data is part of the approved server list */
  def isApprovedNameServer(
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneService.scala
@ -16,17 +16,23 @@

 package vinyldns.api.domain.zone

+import cats.effect.IO
 import cats.implicits._
 import vinyldns.api.domain.access.AccessValidationsAlgebra
 import vinyldns.api.Interfaces
 import vinyldns.core.domain.auth.AuthPrincipal
 import vinyldns.api.repository.ApiDataAccessor
 import vinyldns.core.crypto.CryptoAlgebra
-import vinyldns.core.domain.membership.{Group, GroupRepository, User, UserRepository}
+import vinyldns.core.domain.membership.{Group, GroupRepository, ListUsersResults, User, UserRepository}
 import vinyldns.core.domain.zone._
 import vinyldns.core.queue.MessageQueue
 import vinyldns.core.domain.DomainHelpers.ensureTrailingDot
 import vinyldns.core.domain.backend.BackendResolver
+import com.cronutils.model.definition.CronDefinition
+import com.cronutils.model.definition.CronDefinitionBuilder
+import com.cronutils.parser.CronParser
+import com.cronutils.model.CronType
+import vinyldns.api.domain.membership.MembershipService

 object ZoneService {
  def apply(
@ -36,7 +42,8 @@ object ZoneService {
      zoneValidations: ZoneValidations,
      accessValidation: AccessValidationsAlgebra,
      backendResolver: BackendResolver,
-      crypto: CryptoAlgebra
+      crypto: CryptoAlgebra,
+      membershipService:MembershipService
  ): ZoneService =
    new ZoneService(
      dataAccessor.zoneRepository,
@ -48,7 +55,8 @@ object ZoneService {
      zoneValidations,
      accessValidation,
      backendResolver,
-      crypto
+      crypto,
+      membershipService
    )
 }

@ -62,7 +70,8 @@ class ZoneService(
    zoneValidations: ZoneValidations,
    accessValidation: AccessValidationsAlgebra,
    backendResolver: BackendResolver,
-    crypto: CryptoAlgebra
+    crypto: CryptoAlgebra,
+    membershipService:MembershipService
 ) extends ZoneServiceAlgebra {

  import accessValidation._
@ -75,12 +84,17 @@ class ZoneService(
  ): Result[ZoneCommandResult] =
    for {
      _ <- isValidZoneAcl(createZoneInput.acl).toResult
+      _ <- membershipService.emailValidation(createZoneInput.email)
      _ <- connectionValidator.isValidBackendId(createZoneInput.backendId).toResult
      _ <- validateSharedZoneAuthorized(createZoneInput.shared, auth.signedInUser).toResult
      _ <- zoneDoesNotExist(createZoneInput.name)
      _ <- adminGroupExists(createZoneInput.adminGroupId)
+      _ <- if(createZoneInput.recurrenceSchedule.isDefined) canScheduleZoneSync(auth).toResult else IO.unit.toResult
+      isCronStringValid = if(createZoneInput.recurrenceSchedule.isDefined) isValidCronString(createZoneInput.recurrenceSchedule.get) else true
+      _ <- validateCronString(isCronStringValid).toResult
      _ <- canChangeZone(auth, createZoneInput.name, createZoneInput.adminGroupId).toResult
-      zoneToCreate = Zone(createZoneInput, auth.isTestUser)
+      createdZoneInput = if(createZoneInput.recurrenceSchedule.isDefined) createZoneInput.copy(scheduleRequestor = Some(auth.signedInUser.userName)) else createZoneInput
+      zoneToCreate = Zone(createdZoneInput, auth.isTestUser)
      _ <- connectionValidator.validateZoneConnections(zoneToCreate)
      createZoneChange <- ZoneChangeGenerator.forAdd(zoneToCreate, auth).toResult
      _ <- messageQueue.send(createZoneChange).toResult[Unit]
@ -89,6 +103,7 @@ class ZoneService(
  def updateZone(updateZoneInput: UpdateZoneInput, auth: AuthPrincipal): Result[ZoneCommandResult] =
    for {
      _ <- isValidZoneAcl(updateZoneInput.acl).toResult
+      _ <- membershipService.emailValidation(updateZoneInput.email)
      _ <- connectionValidator.isValidBackendId(updateZoneInput.backendId).toResult
      existingZone <- getZoneOrFail(updateZoneInput.id)
      _ <- validateSharedZoneAuthorized(
@ -97,10 +112,14 @@ class ZoneService(
        auth.signedInUser
      ).toResult
      _ <- canChangeZone(auth, existingZone.name, existingZone.adminGroupId).toResult
+      _ <- if(updateZoneInput.recurrenceSchedule.isDefined) canScheduleZoneSync(auth).toResult else IO.unit.toResult
+      isCronStringValid = if(updateZoneInput.recurrenceSchedule.isDefined) isValidCronString(updateZoneInput.recurrenceSchedule.get) else true
+      _ <- validateCronString(isCronStringValid).toResult
      _ <- adminGroupExists(updateZoneInput.adminGroupId)
      // if admin group changes, this confirms user has access to new group
      _ <- canChangeZone(auth, updateZoneInput.name, updateZoneInput.adminGroupId).toResult
-      zoneWithUpdates = Zone(updateZoneInput, existingZone)
+      updatedZoneInput = if(updateZoneInput.recurrenceSchedule.isDefined) updateZoneInput.copy(scheduleRequestor = Some(auth.signedInUser.userName)) else updateZoneInput
+      zoneWithUpdates = Zone(updatedZoneInput, existingZone)
      _ <- validateZoneConnectionIfChanged(zoneWithUpdates, existingZone)
      updateZoneChange <- ZoneChangeGenerator
        .forUpdate(zoneWithUpdates, existingZone, auth, crypto)
@ -134,6 +153,12 @@ class ZoneService(
      accessLevel = getZoneAccess(auth, zone)
    } yield ZoneInfo(zone, aclInfo, groupName, accessLevel)

+  def getCommonZoneDetails(zoneId: String, auth: AuthPrincipal): Result[ZoneDetails] =
+    for {
+      zone <- getZoneOrFail(zoneId)
+      groupName <- getGroupName(zone.adminGroupId)
+    } yield ZoneDetails(zone, groupName)
+
  def getZoneByName(zoneName: String, auth: AuthPrincipal): Result[ZoneInfo] =
    for {
      zone <- getZoneByNameOrFail(ensureTrailingDot(zoneName))
@ -142,20 +167,25 @@ class ZoneService(
      accessLevel = getZoneAccess(auth, zone)
    } yield ZoneInfo(zone, aclInfo, groupName, accessLevel)

+  // List zones. Uses zone name as default while using search to list zones or by admin group name if selected.
  def listZones(
      authPrincipal: AuthPrincipal,
      nameFilter: Option[String] = None,
      startFrom: Option[String] = None,
      maxItems: Int = 100,
-      ignoreAccess: Boolean = false
+      searchByAdminGroup: Boolean = false,
+      ignoreAccess: Boolean = false,
+      includeReverse: Boolean = true
  ): Result[ListZonesResponse] = {
-    for {
-      listZonesResult <- zoneRepository.listZones(
-        authPrincipal,
-        nameFilter,
-        startFrom,
-        maxItems,
-        ignoreAccess
+    if(!searchByAdminGroup || nameFilter.isEmpty){
+      for {
+        listZonesResult <- zoneRepository.listZones(
+          authPrincipal,
+          nameFilter,
+          startFrom,
+          maxItems,
+          ignoreAccess,
+          includeReverse
      )
      zones = listZonesResult.zones
      groupIds = zones.map(_.adminGroupId).toSet
@ -167,10 +197,87 @@ class ZoneService(
      listZonesResult.startFrom,
      listZonesResult.nextId,
      listZonesResult.maxItems,
-      listZonesResult.ignoreAccess
-    )
+      listZonesResult.ignoreAccess,
+      listZonesResult.includeReverse
+    )}
+    else {
+      for {
+        groupIds <- getGroupsIdsByName(nameFilter.get)
+        listZonesResult <- zoneRepository.listZonesByAdminGroupIds(
+          authPrincipal,
+          startFrom,
+          maxItems,
+          groupIds,
+          ignoreAccess,
+          includeReverse
+        )
+        zones = listZonesResult.zones
+        groups <- groupRepository.getGroups(groupIds)
+        zoneSummaryInfos = zoneSummaryInfoMapping(zones, authPrincipal, groups)
+      } yield ListZonesResponse(
+        zoneSummaryInfos,
+        nameFilter,
+        listZonesResult.startFrom,
+        listZonesResult.nextId,
+        listZonesResult.maxItems,
+        listZonesResult.ignoreAccess,
+        listZonesResult.includeReverse
+      )
+    }
  }.toResult

+  def listDeletedZones(
+                        authPrincipal: AuthPrincipal,
+                        nameFilter: Option[String] = None,
+                        startFrom: Option[String] = None,
+                        maxItems: Int = 100,
+                        ignoreAccess: Boolean = false
+                      ): Result[ListDeletedZoneChangesResponse] = {
+    for {
+      listZonesChangeResult <- zoneChangeRepository.listDeletedZones(
+        authPrincipal,
+        nameFilter,
+        startFrom,
+        maxItems,
+        ignoreAccess
+      )
+      zoneChanges = listZonesChangeResult.zoneDeleted
+      groupIds = zoneChanges.map(_.zone.adminGroupId).toSet
+      groups <- groupRepository.getGroups(groupIds)
+      userId = zoneChanges.map(_.userId).toSet
+      users <- userRepository.getUsers(userId,None,None)
+      zoneDeleteSummaryInfos = ZoneChangeDeletedInfoMapping(zoneChanges, authPrincipal, groups, users)
+    } yield {
+      ListDeletedZoneChangesResponse(
+        zoneDeleteSummaryInfos,
+        listZonesChangeResult.zoneChangeFilter,
+        listZonesChangeResult.nextId,
+        listZonesChangeResult.startFrom,
+        listZonesChangeResult.maxItems,
+        listZonesChangeResult.ignoreAccess
+      )
+    }
+  }.toResult
+
+  private def ZoneChangeDeletedInfoMapping(
+                                            zoneChange: List[ZoneChange],
+                                            auth: AuthPrincipal,
+                                            groups: Set[Group],
+                                            users: ListUsersResults
+                                          ): List[ZoneChangeDeletedInfo] =
+    zoneChange.map { zc =>
+      val groupName = groups.find(_.id == zc.zone.adminGroupId) match {
+        case Some(group) => group.name
+        case None => "Unknown group name"
+      }
+      val userName = users.users.find(_.id == zc.userId) match {
+        case Some(user) => user.userName
+        case None => "Unknown user name"
+      }
+      val zoneAccess = getZoneAccess(auth, zc.zone)
+      ZoneChangeDeletedInfo(zc, groupName,userName, zoneAccess)
+    }
+
  def zoneSummaryInfoMapping(
      zones: List[Zone],
      auth: AuthPrincipal,
@ -193,12 +300,38 @@ class ZoneService(
  ): Result[ListZoneChangesResponse] =
    for {
      zone <- getZoneOrFail(zoneId)
-      _ <- canSeeZone(authPrincipal, zone).toResult
+      _ <- canSeeZoneChange(authPrincipal, zone).toResult
      zoneChangesResults <- zoneChangeRepository
        .listZoneChanges(zone.id, startFrom, maxItems)
        .toResult[ListZoneChangesResults]
    } yield ListZoneChangesResponse(zone.id, zoneChangesResults)

+  def listFailedZoneChanges(
+                             authPrincipal: AuthPrincipal,
+                             startFrom: Int= 0,
+                             maxItems: Int = 100
+                           ): Result[ListFailedZoneChangesResponse] =
+    for {
+      zoneChangesFailedResults <- zoneChangeRepository
+        .listFailedZoneChanges(maxItems, startFrom)
+        .toResult[ListFailedZoneChangesResults]
+      _ <- zoneAccess(zoneChangesFailedResults.items, authPrincipal).toResult
+    } yield
+      ListFailedZoneChangesResponse(
+        zoneChangesFailedResults.items,
+        zoneChangesFailedResults.nextId,
+        startFrom,
+        maxItems
+      )
+
+  def zoneAccess(
+                  zoneCh: List[ZoneChange],
+                  auth: AuthPrincipal
+                ): List[Result[Unit]] =
+    zoneCh.map { zn =>
+      canSeeZone(auth, zn.zone).toResult
+    }
+
  def addACLRule(
      zoneId: String,
      aclRuleInfo: ACLRuleInfo,
@ -242,9 +375,35 @@ class ZoneService(
    } yield zoneChange
  }

+  def getGroupsIdsByName(groupName: String): IO[Set[String]] = {
+    groupRepository.getGroupsByName(groupName).map(x => x.map(_.id))
+  }
+
  def getBackendIds(): Result[List[String]] =
    backendResolver.ids.toList.toResult

+  def isValidCronString(maybeString: String): Boolean = {
+    val isValid = try {
+      val cronDefinition: CronDefinition = CronDefinitionBuilder.instanceDefinitionFor(CronType.QUARTZ)
+      val parser: CronParser = new CronParser(cronDefinition)
+      val quartzCron = parser.parse(maybeString)
+      quartzCron.validate
+      true
+    }
+    catch {
+      case _: Exception =>
+        false
+    }
+    isValid
+  }
+
+  def validateCronString(isValid: Boolean): Either[Throwable, Unit] =
+    ensuring(
+      InvalidRequest("Invalid cron expression. Please enter a valid cron expression in 'recurrenceSchedule'.")
+    )(
+      isValid
+    )
+
  def zoneDoesNotExist(zoneName: String): Result[Unit] =
    zoneRepository
      .getZoneByName(zoneName)
@ -258,6 +417,13 @@ class ZoneService(
      }
      .toResult

+  def canScheduleZoneSync(auth: AuthPrincipal): Either[Throwable, Unit] =
+    ensuring(
+      NotAuthorizedError(s"User '${auth.signedInUser.userName}' is not authorized to schedule zone sync in this zone.")
+    )(
+      auth.isSystemAdmin
+    )
+
  def adminGroupExists(groupId: String): Result[Unit] =
    groupRepository
      .getGroup(groupId)
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneServiceAlgebra.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneServiceAlgebra.scala
@ -35,6 +35,8 @@ trait ZoneServiceAlgebra {

  def getZone(zoneId: String, auth: AuthPrincipal): Result[ZoneInfo]

+  def getCommonZoneDetails(zoneId: String, auth: AuthPrincipal): Result[ZoneDetails]
+
  def getZoneByName(zoneName: String, auth: AuthPrincipal): Result[ZoneInfo]

  def listZones(
@ -42,9 +44,19 @@ trait ZoneServiceAlgebra {
      nameFilter: Option[String],
      startFrom: Option[String],
      maxItems: Int,
-      ignoreAccess: Boolean
+      searchByAdminGroup: Boolean,
+      ignoreAccess: Boolean,
+      includeReverse: Boolean
  ): Result[ListZonesResponse]

+  def listDeletedZones(
+                        authPrincipal: AuthPrincipal,
+                        nameFilter: Option[String],
+                        startFrom: Option[String],
+                        maxItems: Int,
+                        ignoreAccess: Boolean
+                      ): Result[ListDeletedZoneChangesResponse]
+
  def listZoneChanges(
      zoneId: String,
      authPrincipal: AuthPrincipal,
@ -66,4 +78,9 @@ trait ZoneServiceAlgebra {

  def getBackendIds(): Result[List[String]]

+  def listFailedZoneChanges(
+                             authPrincipal: AuthPrincipal,
+                             startFrom: Int,
+                             maxItems: Int
+                           ): Result[ListFailedZoneChangesResponse]
 }
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneSyncScheduleHandler.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneSyncScheduleHandler.scala
@ -0,0 +1,74 @@
+/*
+ * Copyright 2018 Comcast Cable Communications Management, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package vinyldns.api.domain.zone
+
+import cats.effect.IO
+import com.cronutils.model.CronType
+import com.cronutils.model.definition.{CronDefinition, CronDefinitionBuilder}
+import com.cronutils.model.time.ExecutionTime
+import com.cronutils.parser.CronParser
+import org.slf4j.LoggerFactory
+import vinyldns.core.domain.zone.{Zone, ZoneChange, ZoneRepository}
+import java.time.{Instant, ZoneId}
+import java.time.temporal.ChronoUnit
+
+object ZoneSyncScheduleHandler {
+  private val logger = LoggerFactory.getLogger("ZoneSyncScheduleHandler")
+
+  def zoneSyncScheduler(zoneRepository: ZoneRepository): IO[Set[ZoneChange]] = {
+    for {
+      zones <- zoneRepository.getAllZonesWithSyncSchedule
+      zoneScheduleIds = getZonesWithSchedule(zones.toList)
+      zoneChanges <- getZoneChanges(zoneRepository, zoneScheduleIds)
+    } yield zoneChanges
+  }
+
+  def getZoneChanges(zoneRepository: ZoneRepository, zoneScheduleIds: List[String]): IO[Set[ZoneChange]] = {
+    if(zoneScheduleIds.nonEmpty) {
+      for{
+        getZones <- zoneRepository.getZones(zoneScheduleIds.toSet)
+        syncZoneChange = getZones.map(zone => ZoneChangeGenerator.forSyncs(zone))
+      } yield syncZoneChange
+    } else {
+      IO(Set.empty)
+    }
+  }
+
+  def getZonesWithSchedule(zone: List[Zone]): List[String] = {
+    var zonesWithSchedule: List[String] = List.empty
+    for(z <- zone) {
+      if (z.recurrenceSchedule.isDefined) {
+        val now = Instant.now().atZone(ZoneId.of("UTC"))
+        val cronDefinition: CronDefinition = CronDefinitionBuilder.instanceDefinitionFor(CronType.QUARTZ)
+        val parser: CronParser = new CronParser(cronDefinition)
+        val executionTime: ExecutionTime = ExecutionTime.forCron(parser.parse(z.recurrenceSchedule.get))
+        val nextExecution = executionTime.nextExecution(now).get()
+        val diff = ChronoUnit.SECONDS.between(now, nextExecution)
+        if (diff == 1) {
+          zonesWithSchedule = zonesWithSchedule :+ z.id
+          logger.info("Zones with sync schedule: " + zonesWithSchedule)
+        } else {
+          List.empty
+        }
+      } else {
+        List.empty
+      }
+    }
+    zonesWithSchedule
+  }
+
+}
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneValidations.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneValidations.scala
@ -17,8 +17,9 @@
 package vinyldns.api.domain.zone

 import cats.syntax.either._
-import com.aaronbedra.orchard.CIDR
-import org.joda.time.DateTime
+import com.comcast.ip4s.Cidr
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import vinyldns.api.Interfaces.ensuring
 import vinyldns.core.domain.membership.User
 import vinyldns.core.domain.record.RecordType
@ -30,7 +31,7 @@ class ZoneValidations(syncDelayMillis: Int) {

  def outsideSyncDelay(zone: Zone): Either[Throwable, Unit] =
    zone.latestSync match {
-      case Some(time) if DateTime.now.getMillis - time.getMillis < syncDelayMillis => {
+      case Some(time) if Instant.now.truncatedTo(ChronoUnit.MILLIS).toEpochMilli - time.toEpochMilli < syncDelayMillis => {
        RecentSyncError(s"Zone ${zone.name} was recently synced. Cannot complete sync").asLeft
      }
      case _ => Right(())
@ -56,10 +57,10 @@ class ZoneValidations(syncDelayMillis: Int) {
  def aclRuleMaskIsValid(rule: ACLRule): Either[Throwable, Unit] =
    rule.recordMask match {
      case Some(mask) if rule.recordTypes == Set(RecordType.PTR) =>
-        Try(CIDR.valueOf(mask)) match {
+        Try(Cidr.fromString(mask).get) match {
          case Success(_) => Right(())
-          case Failure(e) =>
-            InvalidRequest(s"PTR types must have no mask or a valid CIDR mask: ${e.getMessage}").asLeft
+          case Failure(_) =>
+            InvalidRequest(s"PTR types must have no mask or a valid CIDR mask: Invalid CIDR block").asLeft
        }
      case Some(_) if rule.recordTypes.contains(RecordType.PTR) =>
        InvalidRequest("Multiple record types including PTR must have no mask").asLeft
--- a/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneViewLoader.scala
+++ b/modules/api/src/main/scala/vinyldns/api/domain/zone/ZoneViewLoader.scala
@ -20,7 +20,7 @@ import cats.effect._
 import org.slf4j.LoggerFactory
 import vinyldns.api.backend.dns.DnsConversions
 import vinyldns.core.domain.backend.Backend
-import vinyldns.core.domain.record.{NameSort, RecordSetRepository}
+import vinyldns.core.domain.record.{NameSort, RecordSetCacheRepository, RecordSetRepository, RecordTypeSort}
 import vinyldns.core.domain.zone.Zone
 import vinyldns.core.route.Monitored

@ -52,8 +52,11 @@ case class DnsZoneViewLoader(
 object VinylDNSZoneViewLoader {
  val logger = LoggerFactory.getLogger("VinylDNSZoneViewLoader")
 }
-case class VinylDNSZoneViewLoader(zone: Zone, recordSetRepository: RecordSetRepository)
-    extends ZoneViewLoader
+case class VinylDNSZoneViewLoader(
+    zone: Zone,
+    recordSetRepository: RecordSetRepository,
+    recordSetCacheRepository: RecordSetCacheRepository
+) extends ZoneViewLoader
    with Monitored {
  def load: () => IO[ZoneView] =
    () =>
@ -66,7 +69,8 @@ case class VinylDNSZoneViewLoader(zone: Zone, recordSetRepository: RecordSetRepo
            recordNameFilter = None,
            recordTypeFilter = None,
            recordOwnerGroupFilter = None,
-            nameSort = NameSort.ASC
+            nameSort = NameSort.ASC,
+            recordTypeSort = RecordTypeSort.ASC
          )
          .map { result =>
            VinylDNSZoneViewLoader.logger.info(
--- a/modules/api/src/main/scala/vinyldns/api/engine/RecordSetChangeHandler.scala
+++ b/modules/api/src/main/scala/vinyldns/api/engine/RecordSetChangeHandler.scala
@ -19,31 +19,41 @@ package vinyldns.api.engine
 import cats.effect.{ContextShift, IO, Timer}
 import cats.implicits._
 import org.slf4j.LoggerFactory
+import scalikejdbc.DB
 import vinyldns.api.backend.dns.DnsProtocol.TryAgain
 import vinyldns.api.domain.record.RecordSetChangeGenerator
 import vinyldns.api.domain.record.RecordSetHelpers._
+import vinyldns.core.Messages.{nonExistentRecordDataDeleteMessage, nonExistentRecordDeleteMessage}
 import vinyldns.core.domain.backend.{Backend, BackendResponse}
 import vinyldns.core.domain.batch.{BatchChangeRepository, SingleChange}
 import vinyldns.core.domain.record._
 import vinyldns.core.domain.zone.Zone
+import vinyldns.mysql.TransactionProvider

-object RecordSetChangeHandler {
+object RecordSetChangeHandler extends TransactionProvider {

  private val logger = LoggerFactory.getLogger("vinyldns.api.engine.RecordSetChangeHandler")
  private implicit val cs: ContextShift[IO] =
    IO.contextShift(scala.concurrent.ExecutionContext.global)

+  private val outOfSyncFailureMessage: String = "This record set is out of sync with the DNS backend; sync this zone before attempting to update this record set."
+  private val incompatibleRecordFailureMessage: String = "Incompatible record in DNS."
+  private val syncZoneMessage: String = "This record set is out of sync with the DNS backend. Sync this zone before attempting to update this record set."
+  private val recordConflictMessage: String = "Conflict due to the record having the same name as an NS record in the same zone. Please create the record using the DNS service the NS record has been delegated to (ex. AWS r53), or use a different record name."
+
  final case class Requeue(change: RecordSetChange) extends Throwable

  def apply(
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository,
-      batchChangeRepository: BatchChangeRepository
+             recordSetRepository: RecordSetRepository,
+             recordChangeRepository: RecordChangeRepository,
+             recordSetCacheRepository: RecordSetCacheRepository,
+             batchChangeRepository: BatchChangeRepository
  )(implicit timer: Timer[IO]): (Backend, RecordSetChange) => IO[RecordSetChange] =
    (conn, recordSetChange) => {
      process(
        recordSetRepository,
        recordChangeRepository,
+        recordSetCacheRepository,
        batchChangeRepository,
        conn,
        recordSetChange
@ -51,11 +61,12 @@ object RecordSetChangeHandler {
    }

  def process(
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository,
-      batchChangeRepository: BatchChangeRepository,
-      conn: Backend,
-      recordSetChange: RecordSetChange
+               recordSetRepository: RecordSetRepository,
+               recordChangeRepository: RecordChangeRepository,
+               recordSetCacheRepository: RecordSetCacheRepository,
+               batchChangeRepository: BatchChangeRepository,
+               conn: Backend,
+               recordSetChange: RecordSetChange
  )(implicit timer: Timer[IO]): IO[RecordSetChange] =
    for {
      wildCardExists <- wildCardExistsForRecord(recordSetChange.recordSet, recordSetRepository)
@ -64,18 +75,53 @@ object RecordSetChangeHandler {
        conn,
        wildCardExists,
        recordSetRepository,
-        recordChangeRepository
+        recordChangeRepository,
+        recordSetCacheRepository
      )
      changeSet = ChangeSet(completedState.change).complete(completedState.change)
-      _ <- recordSetRepository.apply(changeSet)
-      _ <- recordChangeRepository.save(changeSet)
-      singleBatchChanges <- batchChangeRepository.getSingleChanges(
-        recordSetChange.singleBatchChangeIds
-      )
-      singleChangeStatusUpdates = updateBatchStatuses(singleBatchChanges, completedState.change)
-      _ <- batchChangeRepository.updateSingleChanges(singleChangeStatusUpdates)
+      _ <- saveChangeSet(recordSetRepository, recordChangeRepository,recordSetCacheRepository, batchChangeRepository, recordSetChange, completedState, changeSet)
    } yield completedState.change

+  def saveChangeSet(
+                     recordSetRepository: RecordSetRepository,
+                     recordChangeRepository: RecordChangeRepository,
+                     recordSetCacheRepository: RecordSetCacheRepository,
+                     batchChangeRepository: BatchChangeRepository,
+                     recordSetChange: RecordSetChange,
+                     completedState: ProcessorState,
+                     changeSet: ChangeSet
+  ): IO[Unit] =
+    executeWithinTransaction { db: DB =>
+      for {
+       // Update single changes within this transaction to rollback the changes made to recordset and record change repo
+       // when exception occurs while updating single changes
+       singleBatchChanges <- batchChangeRepository.getSingleChanges(
+         recordSetChange.singleBatchChangeIds
+       )
+       singleChangeStatusUpdates = updateBatchStatuses(singleBatchChanges, completedState.change)
+       updatedChangeSet = if (singleChangeStatusUpdates.size == 1) {
+         // Filter out RecordSetChange from changeSet if systemMessage matches
+         val filteredChangeSetChanges = changeSet.changes.filterNot { recordSetChange =>
+           // Find the corresponding singleChangeStatusUpdate by recordChangeId
+           singleChangeStatusUpdates.exists { singleChange =>
+             singleChange.recordChangeId.contains(recordSetChange.id) &&
+               singleChange.systemMessage.exists(msg =>
+                 msg == nonExistentRecordDeleteMessage || msg == nonExistentRecordDataDeleteMessage
+               )
+           }
+         }
+         // Create a new ChangeSet with filtered changes
+         changeSet.copy(changes = filteredChangeSetChanges)
+       } else {
+         changeSet
+       }
+       _ <-  recordSetRepository.apply(db, updatedChangeSet)
+       _ <-  recordChangeRepository.save(db, updatedChangeSet)
+       _ <-  recordSetCacheRepository.save(db, updatedChangeSet)
+       _ <- batchChangeRepository.updateSingleChanges(singleChangeStatusUpdates)
+      } yield ()
+    }
+
  def updateBatchStatuses(
      singleChanges: List[SingleChange],
      recordSetChange: RecordSetChange
@ -123,11 +169,12 @@ object RecordSetChangeHandler {
  final case class Retry(change: RecordSetChange) extends ProcessingStatus

  def syncAndGetProcessingStatusFromDnsBackend(
-      change: RecordSetChange,
-      conn: Backend,
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository,
-      performSync: Boolean = false
+                                                change: RecordSetChange,
+                                                conn: Backend,
+                                                recordSetRepository: RecordSetRepository,
+                                                recordChangeRepository: RecordChangeRepository,
+                                                recordSetCacheRepository: RecordSetCacheRepository,
+                                                performSync: Boolean = false
  ): IO[ProcessingStatus] = {
    def isDnsMatch(dnsResult: List[RecordSet], recordSet: RecordSet, zoneName: String): Boolean =
      dnsResult.exists(matches(_, recordSet, zoneName))
@ -142,11 +189,11 @@ object RecordSetChangeHandler {
          if (existingRecords.isEmpty) ReadyToApply(change)
          else if (isDnsMatch(existingRecords, change.recordSet, change.zone.name))
            AlreadyApplied(change)
-          else Failure(change, "Incompatible record already exists in DNS.")
+          else Failure(change, incompatibleRecordFailureMessage)

        case RecordSetChangeType.Update =>
          if (isDnsMatch(existingRecords, change.recordSet, change.zone.name))
-            AlreadyApplied(change)
+          AlreadyApplied(change)
          else {
            // record must not exist in the DNS backend, or be synced if it exists
            val canApply = existingRecords.isEmpty ||
@ -156,14 +203,23 @@ object RecordSetChangeHandler {
            else
              Failure(
                change,
-                "This record set is out of sync with the DNS backend; " +
-                  "sync this zone before attempting to update this record set."
+                outOfSyncFailureMessage
              )
          }

        case RecordSetChangeType.Delete =>
          if (existingRecords.nonEmpty) ReadyToApply(change) // we have a record set, move forward
          else AlreadyApplied(change) // we did not find the record set, so already applied
+
+        case RecordSetChangeType.Sync =>
+          if (existingRecords.nonEmpty) {
+            Failure(
+              change,
+              outOfSyncFailureMessage
+            )
+          } else {
+            AlreadyApplied(change)
+          }
      }
    }

@ -175,7 +231,8 @@ object RecordSetChangeHandler {
              change,
              existingRecords,
              recordSetRepository,
-              recordChangeRepository
+              recordChangeRepository,
+              recordSetCacheRepository
            )
            processingStatus <- getProcessingStatus(change, dnsBackendRRSet)
          } yield processingStatus
@ -192,7 +249,8 @@ object RecordSetChangeHandler {
      conn: Backend,
      wildcardExists: Boolean,
      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository
+      recordChangeRepository: RecordChangeRepository,
+      recordSetCacheRepository: RecordSetCacheRepository
  )(
      implicit timer: Timer[IO]
  ): IO[ProcessorState] = {
@ -216,26 +274,54 @@ object RecordSetChangeHandler {
      val toRun =
        if (wildcardExists || state.change.recordSet.typ == RecordType.NS) IO.pure(skip) else orElse

-      toRun.flatMap(fsm(_, conn, wildcardExists, recordSetRepository, recordChangeRepository))
+      toRun.flatMap(
+        fsm(
+          _,
+          conn,
+          wildcardExists,
+          recordSetRepository,
+          recordChangeRepository,
+          recordSetCacheRepository
+        )
+      )
    }

    state match {
      case Pending(change) =>
        logger.info(s"CHANGE PENDING; ${getChangeLog(change)}")
        bypassValidation(Validated(change))(
-          orElse = validate(change, conn, recordSetRepository, recordChangeRepository)
+          orElse = validate(
+            change,
+            conn,
+            recordSetRepository,
+            recordChangeRepository,
+            recordSetCacheRepository
+          )
        )

      case Validated(change) =>
        logger.info(s"CHANGE VALIDATED; ${getChangeLog(change)}")
        apply(change, conn).flatMap(
-          fsm(_, conn, wildcardExists, recordSetRepository, recordChangeRepository)
+          fsm(
+            _,
+            conn,
+            wildcardExists,
+            recordSetRepository,
+            recordChangeRepository,
+            recordSetCacheRepository
+          )
        )

      case Applied(change) =>
        logger.info(s"CHANGE APPLIED; ${getChangeLog(change)}")
        bypassValidation(Verified(change.successful))(
-          orElse = verify(change, conn, recordSetRepository, recordChangeRepository)
+          orElse = verify(
+            change,
+            conn,
+            recordSetRepository,
+            recordChangeRepository,
+            recordSetCacheRepository
+          )
        )

      case Verified(change) =>
@ -254,10 +340,11 @@ object RecordSetChangeHandler {
  }

  private def syncAgainstDnsBackend(
-      change: RecordSetChange,
-      dnsBackendRRSet: List[RecordSet],
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository
+                                     change: RecordSetChange,
+                                     dnsBackendRRSet: List[RecordSet],
+                                     recordSetRepository: RecordSetRepository,
+                                     recordChangeRepository: RecordChangeRepository,
+                                     recordSetCacheRepository: RecordSetCacheRepository
  ): IO[List[RecordSet]] = {

    /*
@ -266,11 +353,12 @@ object RecordSetChangeHandler {
     * - Delete record from database for ADD request if exists in database but does not exist in DNS backend
     */
    def syncDnsBackendRRSet(
-        storedRRSet: Option[RecordSet],
-        dnsBackendRRSet: Option[RecordSet],
-        zone: Zone,
-        recordSetRepository: RecordSetRepository,
-        recordChangeRepository: RecordChangeRepository
+                             storedRRSet: Option[RecordSet],
+                             dnsBackendRRSet: Option[RecordSet],
+                             zone: Zone,
+                             recordSetRepository: RecordSetRepository,
+                             recordChangeRepository: RecordChangeRepository,
+                             recordSetCacheRepository: RecordSetCacheRepository
    ): IO[Unit] = {
      val recordSetToSync = (storedRRSet, dnsBackendRRSet) match {
        case (Some(savedRs), None) if change.changeType == RecordSetChangeType.Create =>
@ -286,10 +374,15 @@ object RecordSetChangeHandler {
      recordSetToSync
        .map { rsc =>
          val changeSet = ChangeSet(rsc)
-          for {
-            _ <- recordChangeRepository.save(changeSet)
-            _ <- recordSetRepository.apply(changeSet)
-          } yield ()
+
+          executeWithinTransaction { db: DB =>
+            for {
+              _ <-  recordSetRepository.apply(db, changeSet)
+              _ <-  recordChangeRepository.save(db, changeSet)
+              _ <-  recordSetCacheRepository.save(db, changeSet)
+
+            } yield ()
+          }
        }
        .getOrElse(IO.unit)
    }
@ -302,33 +395,49 @@ object RecordSetChangeHandler {
        dnsBackendRRSet.headOption,
        change.zone,
        recordSetRepository,
-        recordChangeRepository
+        recordChangeRepository,
+        recordSetCacheRepository
      )
    } yield dnsBackendRRSet
  }

  /* Step 1: Validate the change hasn't already been applied */
  private def validate(
-      change: RecordSetChange,
-      conn: Backend,
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository
+                        change: RecordSetChange,
+                        conn: Backend,
+                        recordSetRepository: RecordSetRepository,
+                        recordChangeRepository: RecordChangeRepository,
+                        recordSetCacheRepository: RecordSetCacheRepository
  ): IO[ProcessorState] =
    syncAndGetProcessingStatusFromDnsBackend(
      change,
      conn,
      recordSetRepository,
      recordChangeRepository,
-      true
+      recordSetCacheRepository
    ).map {
      case AlreadyApplied(_) => Completed(change.successful)
      case ReadyToApply(_) => Validated(change)
      case Failure(_, message) =>
-        Completed(
-          change.failed(
-            s"Failed validating update to DNS for change ${change.id}:${change.recordSet.name}: " + message
+        if(message == outOfSyncFailureMessage || message == incompatibleRecordFailureMessage){
+          Completed(
+            change.failed(
+              syncZoneMessage
+            )
          )
-        )
+        } else if (message == "referral") {
+          Completed(
+            change.failed(
+              recordConflictMessage
+            )
+          )
+        } else {
+          Completed(
+            change.failed(
+              s"""Failed validating update to DNS for change "${change.id}": "${change.recordSet.name}": """ + message
+            )
+          )
+        }
      case Retry(_) => Retrying(change)
    }

@ -352,19 +461,21 @@ object RecordSetChangeHandler {
      change: RecordSetChange,
      conn: Backend,
      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository
+      recordChangeRepository: RecordChangeRepository,
+      recordSetCacheRepository: RecordSetCacheRepository
  ): IO[ProcessorState] =
    syncAndGetProcessingStatusFromDnsBackend(
      change,
      conn,
      recordSetRepository,
-      recordChangeRepository
+      recordChangeRepository,
+      recordSetCacheRepository
    ).map {
      case AlreadyApplied(_) => Completed(change.successful)
      case Failure(_, message) =>
        Completed(
          change.failed(
-            s"Failed verifying update to DNS for change ${change.id}:${change.recordSet.name}: $message"
+            s"""Failed verifying update to DNS for change "${change.id}":"${change.recordSet.name}": $message"""
          )
        )
      case _ => Retrying(change)
--- a/modules/api/src/main/scala/vinyldns/api/engine/ZoneChangeHandler.scala
+++ b/modules/api/src/main/scala/vinyldns/api/engine/ZoneChangeHandler.scala
@ -17,14 +17,22 @@
 package vinyldns.api.engine

 import cats.effect.IO
-import vinyldns.core.domain.record.RecordSetRepository
+import org.slf4j.{Logger, LoggerFactory}
+import scalikejdbc.DB
+import vinyldns.api.engine.ZoneSyncHandler.executeWithinTransaction
+import vinyldns.core.domain.record.{RecordSetCacheRepository, RecordSetRepository}
 import vinyldns.core.domain.zone._

 object ZoneChangeHandler {
+
+  private implicit val logger: Logger = LoggerFactory.getLogger("vinyldns.engine.ZoneChangeHandler")
+
  def apply(
-      zoneRepository: ZoneRepository,
-      zoneChangeRepository: ZoneChangeRepository,
-      recordSetRepository: RecordSetRepository
+             zoneRepository: ZoneRepository,
+             zoneChangeRepository: ZoneChangeRepository,
+             recordSetRepository: RecordSetRepository,
+             recordSetCacheRepository: RecordSetCacheRepository,
+
  ): ZoneChange => IO[ZoneChange] =
    zoneChange =>
      zoneRepository.save(zoneChange.zone).flatMap {
@ -36,13 +44,21 @@ object ZoneChangeHandler {
            )
          )
        case Right(_) if zoneChange.changeType == ZoneChangeType.Delete =>
-          recordSetRepository
-            .deleteRecordSetsInZone(zoneChange.zone.id, zoneChange.zone.name)
+
+          executeWithinTransaction { db: DB =>
+            for {
+              _ <- recordSetRepository
+              .deleteRecordSetsInZone(db,zoneChange.zone.id, zoneChange.zone.name)
+              _ <- recordSetCacheRepository
+            .deleteRecordSetDataInZone(db,zoneChange.zone.id, zoneChange.zone.name)}
+            yield ()
+          }
            .attempt
            .flatMap { _ =>
              zoneChangeRepository.save(zoneChange.copy(status = ZoneChangeStatus.Synced))
            }
        case Right(_) =>
+          logger.info(s"Saving zone change with id: '${zoneChange.id}', zone name: '${zoneChange.zone.name}'")
          zoneChangeRepository.save(zoneChange.copy(status = ZoneChangeStatus.Synced))
      }
 }
--- a/modules/api/src/main/scala/vinyldns/api/engine/ZoneSyncHandler.scala
+++ b/modules/api/src/main/scala/vinyldns/api/engine/ZoneSyncHandler.scala
@ -18,35 +18,34 @@ package vinyldns.api.engine

 import cats.effect.{ContextShift, IO}
 import cats.syntax.all._
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.slf4j.{Logger, LoggerFactory}
+import scalikejdbc.DB
 import vinyldns.api.backend.dns.DnsConversions
 import vinyldns.api.domain.zone.{DnsZoneViewLoader, VinylDNSZoneViewLoader}
 import vinyldns.core.domain.backend.BackendResolver
 import vinyldns.core.domain.record._
-import vinyldns.core.domain.zone.{Zone, ZoneStatus}
+import vinyldns.core.domain.zone._
 import vinyldns.core.route.Monitored
-import vinyldns.core.domain.zone.{
-  ZoneChange,
-  ZoneChangeRepository,
-  ZoneChangeStatus,
-  ZoneRepository
-}
+import vinyldns.mysql.TransactionProvider
+import java.io.{PrintWriter, StringWriter}

-object ZoneSyncHandler extends DnsConversions with Monitored {
+object ZoneSyncHandler extends DnsConversions with Monitored with TransactionProvider {

  private implicit val logger: Logger = LoggerFactory.getLogger("vinyldns.engine.ZoneSyncHandler")
  private implicit val cs: ContextShift[IO] =
    IO.contextShift(scala.concurrent.ExecutionContext.global)

  def apply(
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository,
-      zoneChangeRepository: ZoneChangeRepository,
-      zoneRepository: ZoneRepository,
-      backendResolver: BackendResolver,
-      maxZoneSize: Int,
-      vinyldnsLoader: (Zone, RecordSetRepository) => VinylDNSZoneViewLoader =
+             recordSetRepository: RecordSetRepository,
+             recordChangeRepository: RecordChangeRepository,
+             recordSetCacheRepository: RecordSetCacheRepository,
+             zoneChangeRepository: ZoneChangeRepository,
+             zoneRepository: ZoneRepository,
+             backendResolver: BackendResolver,
+             maxZoneSize: Int,
+             vinyldnsLoader: (Zone, RecordSetRepository, RecordSetCacheRepository) => VinylDNSZoneViewLoader =
        VinylDNSZoneViewLoader.apply
  ): ZoneChange => IO[ZoneChange] =
    zoneChange =>
@ -56,6 +55,7 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
        syncChange <- runSync(
          recordSetRepository,
          recordChangeRepository,
+          recordSetCacheRepository,
          zoneChange,
          backendResolver,
          maxZoneSize,
@ -79,16 +79,18 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
          )
        )
      case Right(_) =>
+        logger.info(s"Saving zone sync details for zone change with id: '${zoneChange.id}', zone name: '${zoneChange.zone.name}'")
        zoneChangeRepository.save(zoneChange)
    }

  def runSync(
-      recordSetRepository: RecordSetRepository,
-      recordChangeRepository: RecordChangeRepository,
-      zoneChange: ZoneChange,
-      backendResolver: BackendResolver,
-      maxZoneSize: Int,
-      vinyldnsLoader: (Zone, RecordSetRepository) => VinylDNSZoneViewLoader =
+               recordSetRepository: RecordSetRepository,
+               recordChangeRepository: RecordChangeRepository,
+               recordSetCacheRepository: RecordSetCacheRepository,
+               zoneChange: ZoneChange,
+               backendResolver: BackendResolver,
+               maxZoneSize: Int,
+               vinyldnsLoader: (Zone, RecordSetRepository, RecordSetCacheRepository) => VinylDNSZoneViewLoader =
        VinylDNSZoneViewLoader.apply
  ): IO[ZoneChange] =
    monitor("zone.sync") {
@ -100,12 +102,11 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
            s"zone.sync.loadDnsView; zoneName='${zone.name}'; zoneChange='${zoneChange.id}'"
          )(dnsLoader.load())
        val vinyldnsView = time(s"zone.sync.loadVinylDNSView; zoneName='${zone.name}'")(
-          vinyldnsLoader(zone, recordSetRepository).load()
+          vinyldnsLoader(zone, recordSetRepository, recordSetCacheRepository).load()
        )
        val recordSetChanges = (dnsView, vinyldnsView).parTupled.map {
          case (dnsZoneView, vinylDnsZoneView) => vinylDnsZoneView.diff(dnsZoneView)
        }
-
        recordSetChanges.flatMap { allChanges =>
          val changesWithUserIds = allChanges.map(_.withUserId(zoneChange.userId))

@ -115,7 +116,7 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
            )
            IO.pure(
              zoneChange.copy(
-                zone.copy(status = ZoneStatus.Active, latestSync = Some(DateTime.now)),
+                zone.copy(status = ZoneStatus.Active, latestSync = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS))),
                status = ZoneChangeStatus.Synced
              )
            )
@ -143,32 +144,37 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
            )
            val changeSet = ChangeSet(changesWithUserIds).copy(status = ChangeSetStatus.Applied)

-            // we want to make sure we write to both the change repo and record set repo
-            // at the same time as this can take a while
-            val saveRecordChanges = time(s"zone.sync.saveChanges; zoneName='${zone.name}'")(
-              recordChangeRepository.save(changeSet)
-            )
-            val saveRecordSets = time(s"zone.sync.saveRecordSets; zoneName='${zone.name}'")(
-              recordSetRepository.apply(changeSet)
-            )
+            executeWithinTransaction { db: DB =>
+              // we want to make sure we write to both the change repo and record set repo
+              // at the same time as this can take a while
+              val saveRecordChanges = time(s"zone.sync.saveChanges; zoneName='${zone.name}'")(
+                recordChangeRepository.save(db, changeSet)
+              )
+              val saveRecordSets = time(s"zone.sync.saveRecordSets; zoneName='${zone.name}'")(
+                recordSetRepository.apply(db, changeSet)
+              )
+              val saveRecordSetDatas = time(s"zone.sync.saveRecordSetDatas; zoneName='${zone.name}'")(
+                recordSetCacheRepository.save(db,changeSet)
+              )

-            // join together the results of saving both the record changes as well as the record sets
-            for {
-              _ <- saveRecordChanges
-              _ <- saveRecordSets
-            } yield zoneChange.copy(
-              zone.copy(status = ZoneStatus.Active, latestSync = Some(DateTime.now)),
-              status = ZoneChangeStatus.Synced
-            )
+              // join together the results of saving both the record changes as well as the record sets
+              for {
+                _ <- saveRecordChanges
+                _ <- saveRecordSets
+                _ <- saveRecordSetDatas
+              } yield zoneChange.copy(
+                zone.copy(status = ZoneStatus.Active, latestSync = Some(Instant.now.truncatedTo(ChronoUnit.MILLIS))),
+                status = ZoneChangeStatus.Synced
+              )
+            }
          }
        }
-      }
-    }.attempt
-      .map {
+      }.attempt.map {
        case Left(e: Throwable) =>
+          val errorMessage = new StringWriter
+          e.printStackTrace(new PrintWriter(errorMessage))
          logger.error(
-            s"Encountered error syncing ; zoneName='${zoneChange.zone.name}'; zoneChange='${zoneChange.id}'",
-            e
+            s"Encountered error syncing ; zoneName='${zoneChange.zone.name}'; zoneChange='${zoneChange.id}'. Error: ${errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")}"
          )
          // We want to just move back to an active status, do not update latest sync
          zoneChange.copy(
@ -177,4 +183,5 @@ object ZoneSyncHandler extends DnsConversions with Monitored {
          )
        case Right(ok) => ok
      }
+    }
 }
--- a/modules/api/src/main/scala/vinyldns/api/notifier/email/EmailNotifier.scala
+++ b/modules/api/src/main/scala/vinyldns/api/notifier/email/EmailNotifier.scala
@ -18,45 +18,41 @@ package vinyldns.api.notifier.email

 import vinyldns.core.notifier.{Notification, Notifier}
 import cats.effect.IO
-import vinyldns.core.domain.batch.{
-  BatchChange,
-  BatchChangeApprovalStatus,
-  SingleAddChange,
-  SingleChange,
-  SingleDeleteRRSetChange
-}
-import vinyldns.core.domain.membership.UserRepository
-import vinyldns.core.domain.membership.User
+import cats.implicits._
+import cats.effect.IO
+import vinyldns.core.domain.batch.{BatchChange, BatchChangeApprovalStatus, SingleAddChange, SingleChange, SingleDeleteRRSetChange}
+import vinyldns.core.domain.membership.{GroupRepository, User, UserRepository}
 import org.slf4j.LoggerFactory
+
 import javax.mail.internet.{InternetAddress, MimeMessage}
 import javax.mail.{Address, Message, Session}
-
 import scala.util.Try
-import vinyldns.core.domain.record.AData
-import vinyldns.core.domain.record.AAAAData
-import vinyldns.core.domain.record.CNAMEData
-import vinyldns.core.domain.record.MXData
-import vinyldns.core.domain.record.TXTData
-import vinyldns.core.domain.record.PTRData
-import vinyldns.core.domain.record.RecordData
-import org.joda.time.format.DateTimeFormat
+import vinyldns.core.domain.record.{AAAAData, AData, CNAMEData, MXData, OwnerShipTransferStatus, PTRData, RecordData, RecordSetChange, TXTData}
+import vinyldns.core.domain.record.OwnerShipTransferStatus.OwnerShipTransferStatus
+
+import java.time.format.{DateTimeFormatter, FormatStyle}
 import vinyldns.core.domain.batch.BatchChangeStatus._
 import vinyldns.core.domain.batch.BatchChangeApprovalStatus._

-class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepository: UserRepository)
+import java.time.ZoneId
+
+class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepository: UserRepository, groupRepository: GroupRepository)
    extends Notifier {

-  private val logger = LoggerFactory.getLogger("EmailNotifier")
+  private val logger = LoggerFactory.getLogger(classOf[EmailNotifier])

  def notify(notification: Notification[_]): IO[Unit] =
    notification.change match {
      case bc: BatchChange => sendBatchChangeNotification(bc)
+      case rsc: RecordSetChange => sendRecordSetOwnerTransferNotification(rsc)
      case _ => IO.unit
    }

-  def send(addresses: Address*)(buildMessage: Message => Message): IO[Unit] = IO {
+
+  def send(toAddresses: Address*)(ccAddresses: Address*)(buildMessage: Message => Message): IO[Unit] = IO {
    val message = new MimeMessage(session)
-    message.setRecipients(Message.RecipientType.TO, addresses.toArray)
+    message.setRecipients(Message.RecipientType.TO, toAddresses.toArray)
+    message.setRecipients(Message.RecipientType.CC, ccAddresses.toArray)
    message.setFrom(config.from)
    buildMessage(message)
    message.saveChanges()
@ -66,10 +62,10 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
    transport.close()
  }

-  def sendBatchChangeNotification(bc: BatchChange): IO[Unit] =
+  def sendBatchChangeNotification(bc: BatchChange): IO[Unit] = {
    userRepository.getUser(bc.userId).flatMap {
-      case Some(UserWithEmail(email)) =>
-        send(email) { message =>
+      case Some(UserWithEmail(email))  =>
+        send(email)() { message =>
          message.setSubject(s"VinylDNS Batch change ${bc.id} results")
          message.setContent(formatBatchChange(bc), "text/html")
          message
@ -80,9 +76,58 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
            s"Unable to properly parse email for ${user.id}: ${user.email.getOrElse("<none>")}"
          )
        }
-      case None => IO { logger.warn(s"Unable to find user: ${bc.userId}") }
+      case None => IO {
+        logger.warn(s"Unable to find user: ${bc.userId}")
+      }
      case _ => IO.unit
    }
+  }
+
+  def sendRecordSetOwnerTransferNotification(rsc: RecordSetChange): IO[Unit] = {
+    for {
+      toGroup <- groupRepository.getGroup(rsc.recordSet.ownerGroupId.getOrElse("<none>"))
+      ccGroup <- groupRepository.getGroup(rsc.recordSet.recordSetGroupChange.map(_.requestedOwnerGroupId.getOrElse("<none>")).getOrElse("<none>"))
+      _ <- toGroup match {
+        case Some(group) =>
+          group.memberIds.toList.traverse { id =>
+            userRepository.getUser(id).flatMap {
+              case Some(UserWithEmail(toEmail)) =>
+                ccGroup match {
+                  case Some(ccg) =>
+                    ccg.memberIds.toList.traverse { id =>
+                        userRepository.getUser(id).flatMap {
+                          case Some(ccUser) =>
+                            val ccEmail = ccUser.email.getOrElse("<none>")
+                            send(toEmail)(new InternetAddress(ccEmail)) { message =>
+                              message.setSubject(s"VinylDNS RecordSet change ${rsc.id} results")
+                              message.setContent(formatRecordSetChange(rsc), "text/html")
+                              message
+                            }
+                          case None =>
+                            IO.unit
+                        }
+                      }
+                  case None => IO.unit
+                }
+              case Some(user: User) if user.email.isDefined =>
+                IO {
+                  logger.warn(
+                    s"Unable to properly parse email for ${user.id}: ${user.email.getOrElse("<none>")}"
+                  )
+                }
+              case None =>
+                IO {
+                  logger.warn(s"Unable to find user: ${rsc.userId}")
+                }
+              case _ =>
+                IO.unit
+            }
+          }
+        case None => IO.unit // Handle case where toGroup is None
+      }
+    } yield ()
+  }
+

  def formatBatchChange(bc: BatchChange): String = {
    val sb = new StringBuilder
@ -90,9 +135,9 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
    sb.append(s"""<h1>Batch Change Results</h1>
      | <b>Submitter:</b> ${bc.userName} <br/>
      | ${bc.comments.map(comments => s"<b>Description:</b> $comments</br>").getOrElse("")}
-      | <b>Created:</b> ${bc.createdTimestamp.toString(DateTimeFormat.fullDateTime)} <br/>
+      | <b>Created:</b> ${DateTimeFormatter.ofLocalizedDateTime(FormatStyle.FULL).withZone(ZoneId.systemDefault()).format(bc.createdTimestamp)} <br/>
      | <b>Id:</b> ${bc.id}<br/>
-      | <b>Status:</b> ${formatStatus(bc.approvalStatus, bc.status)}<br/>""".stripMargin)
+      | <b>Status:</b> ${formatBatchStatus(bc.approvalStatus, bc.status)}<br/>""".stripMargin)

    // For manually reviewed e-mails, add additional info; e-mails are not sent for pending batch changes
    if (bc.approvalStatus != AutoApproved) {
@ -102,7 +147,7 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
      bc.reviewTimestamp.foreach(
        reviewTimestamp =>
          sb.append(
-            s"<b>Time reviewed:</b> ${reviewTimestamp.toString(DateTimeFormat.fullDateTime)} <br/>"
+            s"<b>Time reviewed:</b> ${DateTimeFormatter.ofLocalizedDateTime(FormatStyle.FULL).withZone(ZoneId.systemDefault()).format(reviewTimestamp)} <br/>"
          )
      )
    }
@ -110,7 +155,7 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
    bc.cancelledTimestamp.foreach(
      cancelledTimestamp =>
        sb.append(
-          s"<b>Time cancelled:</b> ${cancelledTimestamp.toString(DateTimeFormat.fullDateTime)} <br/>"
+          s"<b>Time cancelled:</b> ${DateTimeFormatter.ofLocalizedDateTime(FormatStyle.FULL).withZone(ZoneId.systemDefault()).format(cancelledTimestamp)} <br/>"
        )
    )

@ -124,7 +169,8 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
    sb.toString
  }

-  def formatStatus(approval: BatchChangeApprovalStatus, status: BatchChangeStatus): String =
+
+  def formatBatchStatus(approval: BatchChangeApprovalStatus, status: BatchChangeStatus): String =
    (approval, status) match {
      case (ManuallyRejected, _) => "Rejected"
      case (BatchChangeApprovalStatus.PendingReview, _) => "Pending Review"
@ -132,6 +178,28 @@ class EmailNotifier(config: EmailNotifierConfig, session: Session, userRepositor
      case (_, status) => status.toString
    }

+  def formatRecordSetChange(rsc: RecordSetChange): String = {
+
+          val sb = new StringBuilder
+          sb.append(s"""<h1>RecordSet Ownership Transfer</h1>
+                       | <b>Submitter:</b>  ${ userRepository.getUser(rsc.userId).map(_.get.userName)}
+                       | <b>Id:</b> ${rsc.id}<br/>
+                       | <b>Submitted time:</b> ${DateTimeFormatter.ofLocalizedDateTime(FormatStyle.FULL).withZone(ZoneId.systemDefault()).format(rsc.created)} <br/>
+                       | <b>OwnerShip Current Group:</b> ${rsc.recordSet.ownerGroupId.getOrElse("none")} <br/>
+                       | <b>OwnerShip Transfer Group:</b> ${rsc.recordSet.recordSetGroupChange.map(_.requestedOwnerGroupId.getOrElse("none")).getOrElse("none")} <br/>
+                       | <b>OwnerShip Transfer Status:</b> ${formatOwnerShipStatus(rsc.recordSet.recordSetGroupChange.map(_.ownerShipTransferStatus).get)}<br/>
+                 """.stripMargin)
+          sb.toString
+  }
+
+  def formatOwnerShipStatus(status: OwnerShipTransferStatus): String =
+          status match {
+            case OwnerShipTransferStatus.ManuallyRejected => "Rejected"
+            case OwnerShipTransferStatus.PendingReview => "Pending Review"
+            case OwnerShipTransferStatus.ManuallyApproved => "Approved"
+            case OwnerShipTransferStatus.Cancelled => "Cancelled"
+  }
+
  def formatSingleChange(sc: SingleChange, index: Int): String = sc match {
    case SingleAddChange(
        _,
--- a/modules/api/src/main/scala/vinyldns/api/notifier/email/EmailNotifierProvider.scala
+++ b/modules/api/src/main/scala/vinyldns/api/notifier/email/EmailNotifierProvider.scala
@ -17,7 +17,7 @@
 package vinyldns.api.notifier.email

 import vinyldns.core.notifier.{Notifier, NotifierConfig, NotifierProvider}
-import vinyldns.core.domain.membership.UserRepository
+import vinyldns.core.domain.membership.{GroupRepository, UserRepository}
 import pureconfig._
 import pureconfig.generic.auto._
 import pureconfig.module.catseffect.syntax._
@ -30,13 +30,13 @@ class EmailNotifierProvider extends NotifierProvider {
  private implicit val cs: ContextShift[IO] =
    IO.contextShift(scala.concurrent.ExecutionContext.global)

-  def load(config: NotifierConfig, userRepository: UserRepository): IO[Notifier] =
+  def load(config: NotifierConfig, userRepository: UserRepository, groupRepository: GroupRepository): IO[Notifier] =
    for {
      emailConfig <- Blocker[IO].use(
        ConfigSource.fromConfig(config.settings).loadF[IO, EmailNotifierConfig](_)
      )
      session <- createSession(emailConfig)
-    } yield new EmailNotifier(emailConfig, session, userRepository)
+    } yield new EmailNotifier(emailConfig, session, userRepository, groupRepository)

  def createSession(config: EmailNotifierConfig): IO[Session] = IO {
    Session.getInstance(config.smtp)
--- a/modules/api/src/main/scala/vinyldns/api/notifier/sns/SnsNotifier.scala
+++ b/modules/api/src/main/scala/vinyldns/api/notifier/sns/SnsNotifier.scala
@ -25,6 +25,7 @@ import org.slf4j.LoggerFactory
 import vinyldns.api.route.VinylDNSJsonProtocol
 import vinyldns.core.domain.batch.BatchChange
 import vinyldns.core.notifier.{Notification, Notifier}
+import java.io.{PrintWriter, StringWriter}

 class SnsNotifier(config: SnsNotifierConfig, sns: AmazonSNS)
    extends Notifier
@ -52,6 +53,8 @@ class SnsNotifier(config: SnsNotifierConfig, sns: AmazonSNS)
      sns.publish(request)
      logger.info(s"Sending batch change success; batchChange='${bc.id}'")
    }.handleErrorWith { e =>
-      IO(logger.error(s"Failed sending batch change; batchChange='${bc.id}'", e))
+      val errorMessage = new StringWriter
+      e.printStackTrace(new PrintWriter(errorMessage))
+      IO(logger.error(s"Failed sending batch change; batchChange='${bc.id}'. Error: ${errorMessage.toString.replaceAll("\n",";").replaceAll("\t"," ")}"))
    }.void
 }
--- a/modules/api/src/main/scala/vinyldns/api/notifier/sns/SnsNotifierProvider.scala
+++ b/modules/api/src/main/scala/vinyldns/api/notifier/sns/SnsNotifierProvider.scala
@ -17,7 +17,7 @@
 package vinyldns.api.notifier.sns

 import vinyldns.core.notifier.{Notifier, NotifierConfig, NotifierProvider}
-import vinyldns.core.domain.membership.UserRepository
+import vinyldns.core.domain.membership.{GroupRepository, UserRepository}
 import pureconfig._
 import pureconfig.generic.auto._
 import pureconfig.module.catseffect.syntax._
@ -35,7 +35,7 @@ class SnsNotifierProvider extends NotifierProvider {
    IO.contextShift(scala.concurrent.ExecutionContext.global)
  private val logger = LoggerFactory.getLogger(classOf[SnsNotifierProvider])

-  def load(config: NotifierConfig, userRepository: UserRepository): IO[Notifier] =
+  def load(config: NotifierConfig, userRepository: UserRepository, groupRepository: GroupRepository): IO[Notifier] =
    for {
      snsConfig <- Blocker[IO].use(
        ConfigSource.fromConfig(config.settings).loadF[IO, SnsNotifierConfig](_)
--- a/modules/api/src/main/scala/vinyldns/api/repository/ApiDataAccessor.scala
+++ b/modules/api/src/main/scala/vinyldns/api/repository/ApiDataAccessor.scala
@ -17,14 +17,9 @@
 package vinyldns.api.repository

 import vinyldns.core.domain.batch.BatchChangeRepository
-import vinyldns.core.domain.membership.{
-  GroupChangeRepository,
-  GroupRepository,
-  MembershipRepository,
-  UserRepository
-}
-import vinyldns.core.domain.record.{RecordChangeRepository, RecordSetRepository}
-import vinyldns.core.domain.zone.{ZoneChangeRepository, ZoneRepository}
+import vinyldns.core.domain.membership.{UserRepository, GroupChangeRepository, MembershipRepository, GroupRepository}
+import vinyldns.core.domain.record.{RecordChangeRepository, RecordSetCacheRepository, RecordSetRepository}
+import vinyldns.core.domain.zone.{ZoneRepository, ZoneChangeRepository}
 import vinyldns.core.repository.DataAccessor

 final case class ApiDataAccessor(
@ -34,6 +29,7 @@ final case class ApiDataAccessor(
    groupChangeRepository: GroupChangeRepository,
    recordSetRepository: RecordSetRepository,
    recordChangeRepository: RecordChangeRepository,
+    recordSetCacheRepository: RecordSetCacheRepository,
    zoneChangeRepository: ZoneChangeRepository,
    zoneRepository: ZoneRepository,
    batchChangeRepository: BatchChangeRepository
--- a/modules/api/src/main/scala/vinyldns/api/repository/ApiDataAccessorProvider.scala
+++ b/modules/api/src/main/scala/vinyldns/api/repository/ApiDataAccessorProvider.scala
@ -20,7 +20,11 @@ import cats.data.ValidatedNel
 import cats.implicits._
 import vinyldns.core.domain.batch.BatchChangeRepository
 import vinyldns.core.domain.membership._
-import vinyldns.core.domain.record.{RecordChangeRepository, RecordSetRepository}
+import vinyldns.core.domain.record.{
+  RecordChangeRepository,
+  RecordSetCacheRepository,
+  RecordSetRepository
+}
 import vinyldns.core.domain.zone.{ZoneChangeRepository, ZoneRepository}
 import vinyldns.core.repository.{DataAccessorProvider, DataStore, DataStoreConfig}
 import vinyldns.core.repository.DataStoreLoader.getRepoOf
@ -35,6 +39,7 @@ object ApiDataAccessorProvider extends DataAccessorProvider[ApiDataAccessor] {
      groupChange,
      recordSet,
      recordChange,
+      recordSetCache,
      zoneChange,
      zone,
      batchChange
@ -50,6 +55,7 @@ object ApiDataAccessorProvider extends DataAccessorProvider[ApiDataAccessor] {
      getRepoOf[GroupChangeRepository](dataStores, groupChange),
      getRepoOf[RecordSetRepository](dataStores, recordSet),
      getRepoOf[RecordChangeRepository](dataStores, recordChange),
+      getRepoOf[RecordSetCacheRepository](dataStores, recordSetCache),
      getRepoOf[ZoneChangeRepository](dataStores, zoneChange),
      getRepoOf[ZoneRepository](dataStores, zone),
      getRepoOf[BatchChangeRepository](dataStores, batchChange)
--- a/modules/api/src/main/scala/vinyldns/api/repository/TestDataLoader.scala
+++ b/modules/api/src/main/scala/vinyldns/api/repository/TestDataLoader.scala
@ -18,13 +18,17 @@ package vinyldns.api.repository

 import cats.effect.{ContextShift, IO}
 import cats.implicits._
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.slf4j.{Logger, LoggerFactory}
+import scalikejdbc.DB
+import vinyldns.core.domain.Encrypted
 import vinyldns.core.domain.membership._
 import vinyldns.core.domain.zone._
+import vinyldns.mysql.TransactionProvider

 // $COVERAGE-OFF$
-object TestDataLoader {
+object TestDataLoader extends TransactionProvider {

  private implicit val cs: ContextShift[IO] =
    IO.contextShift(scala.concurrent.ExecutionContext.global)
@ -34,9 +38,9 @@ object TestDataLoader {
  final val testUser = User(
    userName = "testuser",
    id = "testuser",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "testUserAccessKey",
-    secretKey = "testUserSecretKey",
+    secretKey = Encrypted("testUserSecretKey"),
    firstName = Some("Test"),
    lastName = Some("User"),
    email = Some("test@test.com"),
@ -45,9 +49,9 @@ object TestDataLoader {
  final val okUser = User(
    userName = "ok",
    id = "ok",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "okAccessKey",
-    secretKey = "okSecretKey",
+    secretKey = Encrypted("okSecretKey"),
    firstName = Some("ok"),
    lastName = Some("ok"),
    email = Some("test@test.com"),
@ -56,17 +60,17 @@ object TestDataLoader {
  final val dummyUser = User(
    userName = "dummy",
    id = "dummy",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "dummyAccessKey",
-    secretKey = "dummySecretKey",
+    secretKey = Encrypted("dummySecretKey"),
    isTest = true
  )
  final val sharedZoneUser = User(
    userName = "sharedZoneUser",
    id = "sharedZoneUser",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "sharedZoneUserAccessKey",
-    secretKey = "sharedZoneUserSecretKey",
+    secretKey = Encrypted("sharedZoneUserSecretKey"),
    firstName = Some("sharedZoneUser"),
    lastName = Some("sharedZoneUser"),
    email = Some("test@test.com"),
@ -75,9 +79,9 @@ object TestDataLoader {
  final val lockedUser = User(
    userName = "locked",
    id = "locked",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "lockedAccessKey",
-    secretKey = "lockedSecretKey",
+    secretKey = Encrypted("lockedSecretKey"),
    firstName = Some("Locked"),
    lastName = Some("User"),
    email = Some("testlocked@test.com"),
@ -88,18 +92,18 @@ object TestDataLoader {
    User(
      userName = "name-dummy%03d".format(runner),
      id = "dummy%03d".format(runner),
-      created = DateTime.now.secondOfDay().roundFloorCopy(),
+      created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
      accessKey = "dummy",
-      secretKey = "dummy",
+      secretKey = Encrypted("dummy"),
      isTest = true
    )
  }
  final val listGroupUser = User(
    userName = "list-group-user",
    id = "list-group-user",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "listGroupAccessKey",
-    secretKey = "listGroupSecretKey",
+    secretKey = Encrypted("listGroupSecretKey"),
    firstName = Some("list-group"),
    lastName = Some("list-group"),
    email = Some("test@test.com"),
@ -109,9 +113,9 @@ object TestDataLoader {
  final val listZonesUser = User(
    userName = "list-zones-user",
    id = "list-zones-user",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "listZonesAccessKey",
-    secretKey = "listZonesSecretKey",
+    secretKey = Encrypted("listZonesSecretKey"),
    firstName = Some("list-zones"),
    lastName = Some("list-zones"),
    email = Some("test@test.com"),
@ -121,9 +125,9 @@ object TestDataLoader {
  final val zoneHistoryUser = User(
    userName = "history-user",
    id = "history-id",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "history-key",
-    secretKey = "history-secret",
+    secretKey = Encrypted("history-secret"),
    firstName = Some("history-first"),
    lastName = Some("history-last"),
    email = Some("history@history.com"),
@ -133,9 +137,9 @@ object TestDataLoader {
  final val listRecordsUser = User(
    userName = "list-records-user",
    id = "list-records-user",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "listRecordsAccessKey",
-    secretKey = "listRecordsSecretKey",
+    secretKey = Encrypted("listRecordsSecretKey"),
    firstName = Some("list-records"),
    lastName = Some("list-records"),
    email = Some("test@test.com"),
@ -145,9 +149,9 @@ object TestDataLoader {
  final val listBatchChangeSummariesUser = User(
    userName = "list-batch-summaries-user",
    id = "list-batch-summaries-id",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "listBatchSummariesAccessKey",
-    secretKey = "listBatchSummariesSecretKey",
+    secretKey = Encrypted("listBatchSummariesSecretKey"),
    firstName = Some("list-batch-summaries"),
    lastName = Some("list-batch-summaries"),
    email = Some("test@test.com"),
@ -165,9 +169,9 @@ object TestDataLoader {
  final val listZeroBatchChangeSummariesUser = User(
    userName = "list-zero-summaries-user",
    id = "list-zero-summaries-id",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "listZeroSummariesAccessKey",
-    secretKey = "listZeroSummariesSecretKey",
+    secretKey = Encrypted("listZeroSummariesSecretKey"),
    firstName = Some("list-zero-summaries"),
    lastName = Some("list-zero-summaries"),
    email = Some("test@test.com"),
@ -177,9 +181,9 @@ object TestDataLoader {
  final val supportUser = User(
    userName = "support-user",
    id = "support-user-id",
-    created = DateTime.now.secondOfDay().roundFloorCopy(),
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
    accessKey = "supportUserAccessKey",
-    secretKey = "supportUserSecretKey",
+    secretKey = Encrypted("supportUserSecretKey"),
    firstName = Some("support-user"),
    lastName = Some("support-user"),
    email = Some("test@test.com"),
@ -187,6 +191,19 @@ object TestDataLoader {
    isTest = true
  )

+  final val superUser = User(
+    userName = "super-user",
+    id = "super-user-id",
+    created = Instant.now.truncatedTo(ChronoUnit.SECONDS),
+    accessKey = "superUserAccessKey",
+    secretKey = Encrypted("superUserSecretKey"),
+    firstName = Some("super-user"),
+    lastName = Some("super-user"),
+    email = Some("test@test.com"),
+    isSuper = true,
+    isTest = true
+  )
+
  final val sharedZoneGroup = Group(
    name = "testSharedZoneGroup",
    id = "shared-zone-group",
@ -237,15 +254,43 @@ object TestDataLoader {
  )

  def loadTestData(
-      userRepo: UserRepository,
-      groupRepo: GroupRepository,
-      zoneRepo: ZoneRepository,
-      membershipRepo: MembershipRepository
-  ): IO[Unit] =
+    userRepo: UserRepository,
+    groupRepo: GroupRepository,
+    zoneRepo: ZoneRepository,
+    membershipRepo: MembershipRepository
+  ): IO[Unit] = {
+
+    def saveMembersData(
+     groupId: String,
+     memberUserIds: Set[String],
+     isAdmin: Boolean
+    ): IO[Unit] = {
+      executeWithinTransaction { db: DB =>
+        for {
+          _ <- membershipRepo.saveMembers(
+            db: DB,
+            groupId = groupId,
+            memberUserIds = memberUserIds,
+            isAdmin = isAdmin
+          )
+        } yield ()
+      }
+    }
+
+    def saveGroupData(
+     group: Group
+    ): IO[Unit] = {
+      executeWithinTransaction { db: DB =>
+        for {
+          _ <- groupRepo.save(db, group)
+        } yield ()
+      }
+    }
+
    for {
      _ <- (testUser :: okUser :: dummyUser :: sharedZoneUser :: lockedUser :: listGroupUser :: listZonesUser ::
        listBatchChangeSummariesUser :: listZeroBatchChangeSummariesUser :: zoneHistoryUser :: supportUser ::
-        listRecordsUser :: listOfDummyUsers).map { user =>
+        superUser :: listRecordsUser :: listOfDummyUsers).map { user =>
        userRepo.save(user)
      }.parSequence
      // if the test shared zones exist already, clean them out
@ -267,32 +312,32 @@ object TestDataLoader {
        IO.unit
      }
      _ <- toDelete.map(zoneRepo.save).parSequence
-      _ <- groupRepo.save(sharedZoneGroup)
-      _ <- groupRepo.save(globalACLGroup)
-      _ <- groupRepo.save(anotherGlobalACLGroup)
-      _ <- groupRepo.save(duGroup)
-      _ <- groupRepo.save(listBatchChangeSummariesGroup)
-      _ <- membershipRepo.saveMembers(
+      _ <- saveGroupData(sharedZoneGroup)
+      _ <- saveGroupData(globalACLGroup)
+      _ <- saveGroupData(anotherGlobalACLGroup)
+      _ <- saveGroupData(duGroup)
+      _ <- saveGroupData(listBatchChangeSummariesGroup)
+      _ <- saveMembersData(
        groupId = "shared-zone-group",
        memberUserIds = Set(sharedZoneUser.id),
        isAdmin = true
      )
-      _ <- membershipRepo.saveMembers(
+      _ <- saveMembersData(
        groupId = "global-acl-group-id",
        memberUserIds = Set(okUser.id, dummyUser.id),
        isAdmin = true
      )
-      _ <- membershipRepo.saveMembers(
+      _ <- saveMembersData(
        groupId = "another-global-acl-group",
        memberUserIds = Set(testUser.id),
        isAdmin = true
      )
-      _ <- membershipRepo.saveMembers(
+      _ <- saveMembersData(
        groupId = duGroup.id,
        memberUserIds = duGroup.memberIds,
        isAdmin = true
      )
-      _ <- membershipRepo.saveMembers(
+      _ <- saveMembersData(
        groupId = listBatchChangeSummariesGroup.id,
        memberUserIds = listBatchChangeSummariesGroup.memberIds,
        isAdmin = true
@ -300,5 +345,6 @@ object TestDataLoader {
      _ <- zoneRepo.save(sharedZone)
      _ <- zoneRepo.save(nonTestSharedZone)
    } yield ()
+  }
 }
 // $COVERAGE-ON$
--- a/modules/api/src/main/scala/vinyldns/api/route/Aws4Authenticator.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/Aws4Authenticator.scala
@ -22,8 +22,8 @@ import javax.crypto.spec.SecretKeySpec
 import javax.crypto.{Mac, SecretKey}

 import akka.http.scaladsl.model.HttpRequest
-import org.joda.time.DateTime
-import org.joda.time.format.{DateTimeFormat, ISODateTimeFormat}
+import java.time.{Instant, ZoneId, ZonedDateTime}
+import java.time.format.DateTimeFormatter
 import org.slf4j.LoggerFactory

 import scala.collection.SortedSet
@ -60,23 +60,21 @@ class Aws4Authenticator {

  type Credentials = String

-  val iso8601Format =
-    ISODateTimeFormat.basicDateTimeNoMillis.withZoneUTC()
+  val iso8601Format = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmssz").withZone(ZoneId.of("UTC"))

-  val rfc822Format =
-    DateTimeFormat.forPattern("EEE, d MMM yyyy HH:mm:ss z").withZoneUTC()
+  val rfc822Format = DateTimeFormatter.ofPattern("EEE, d MMM yyyy HH:mm:ss z").withZone(ZoneId.of("UTC"))

  val logger = LoggerFactory.getLogger("Aws4Authenticator")

-  def getDate(req: HttpRequest): Option[DateTime] = {
+  def getDate(req: HttpRequest): Option[Instant] = {
    val xAmzDate = getHeader(req, "X-Amz-Date")
    val dateHeader = getHeader(req, "Date")

    if (xAmzDate.isDefined) {
-      Try(iso8601Format.parseDateTime(xAmzDate.get)).toOption
+      Try(ZonedDateTime.parse(xAmzDate.get, iso8601Format).toInstant).toOption
    } else {
-      Try(iso8601Format.parseDateTime(dateHeader.get))
-        .orElse(Try(rfc822Format.parseDateTime(dateHeader.get)))
+      Try(ZonedDateTime.parse(dateHeader.get, iso8601Format).toInstant)
+        .orElse(Try(ZonedDateTime.parse(dateHeader.get, rfc822Format).toInstant))
        .toOption
    }
  }
@ -110,7 +108,7 @@ class Aws4Authenticator {
    ) = authorization
    val signedHeaders = Set() ++ signatureHeaders.split(';')
    // convert Date header to canonical form required by AWS
-    val dateTime = iso8601Format.print(getDate(req).get)
+    val dateTime = iso8601Format.format(getDate(req).get).replace("UTC", "Z")
    // get canonical headers, but only those that were in the signed set
    val headers = canonicalHeaders(req, signedHeaders).toSeq
    // create a canonical representation of the request
@ -118,17 +116,19 @@ class Aws4Authenticator {
    // calculate the sig using the generated signing key
    val signature = calculateSig(canonicalRequest, dateTime, signatureScope, secret)

-    // This is worthwhile during the upgrade to akka http and beyond as debugging auth issues is difficult
-    val sb = new StringBuilder
-    sb.append(s"SIGNATURE_SCOPE: $signatureScope\r\n")
-    sb.append(s"SIGNATURE_HEADERS: $signatureHeaders\r\n")
-    sb.append(s"SIGNED_HEADERS: $signedHeaders\r\n")
-    sb.append(s"DATE_TIME: $dateTime\r\n")
-    sb.append(s"HEADERS: $headers\r\n")
-    sb.append(s"CANONICAL_REQUEST: $canonicalRequest\r\n")
-    sb.append(s"SIGNATURE_RECEIVED: $signatureReceived\r\n")
-    sb.append(s"CALCULATED_SIGNATURE: $signature\r\n")
-    logger.info(sb.toString)
+    if (logger.isDebugEnabled) {
+      logger.debug(
+        s"""SIGNATURE_SCOPE: $signatureScope
+           |SIGNATURE_HEADERS: $signatureHeaders
+           |SIGNED_HEADERS: $signedHeaders
+           |DATE_TIME: $dateTime
+           |HEADERS: $headers
+           |CANONICAL_REQUEST: $canonicalRequest
+           |SIGNATURE_RECEIVED: $signatureReceived
+           |CALCULATED_SIGNATURE: $signature"""
+        .stripMargin
+      )
+    }

    signature.equals(signatureReceived)
  }
--- a/modules/api/src/main/scala/vinyldns/api/route/BatchChangeJsonProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/BatchChangeJsonProtocol.scala
@ -21,7 +21,7 @@ import cats.data.Validated._
 import org.json4s.JsonDSL._
 import org.json4s._
 import cats.implicits._
-import org.joda.time.DateTime
+import java.time.Instant
 import vinyldns.core.domain.{DomainValidationError, DomainValidationErrorType}
 import vinyldns.api.domain.batch.ChangeInputType._
 import vinyldns.api.domain.batch._
@ -33,6 +33,7 @@ trait BatchChangeJsonProtocol extends JsonValidation {

  val batchChangeSerializers = Seq(
    JsonEnumV(ChangeInputType),
+    JsonEnumV(RecordType),
    JsonEnumV(SingleChangeStatus),
    JsonEnumV(BatchChangeStatus),
    JsonEnumV(BatchChangeApprovalStatus),
@ -62,7 +63,7 @@ trait BatchChangeJsonProtocol extends JsonValidation {
        (js \ "comments").optional[String],
        changeList,
        (js \ "ownerGroupId").optional[String],
-        (js \ "scheduledTime").optional[DateTime]
+        (js \ "scheduledTime").optional[Instant]
      ).mapN(BatchChangeInput(_, _, _, _))
    }
  }
@ -87,6 +88,7 @@ trait BatchChangeJsonProtocol extends JsonValidation {
      (
        (js \ "inputName").required[String]("Missing BatchChangeInput.changes.inputName"),
        recordType,
+        (js \ "systemMessage").optional[String],
        (js \ "ttl").optional[Long],
        recordType.andThen(extractRecord(_, js \ "record"))
      ).mapN(AddChangeInput.apply)
@ -113,6 +115,7 @@ trait BatchChangeJsonProtocol extends JsonValidation {
      (
        (js \ "inputName").required[String]("Missing BatchChangeInput.changes.inputName"),
        recordType,
+        (js \ "systemMessage").optional[String],
        recordData
      ).mapN(DeleteRRSetChangeInput.apply)
    }
@ -248,8 +251,23 @@ trait BatchChangeJsonProtocol extends JsonValidation {
        js.required[MXData](
          "Missing BatchChangeInput.changes.record.preference and BatchChangeInput.changes.record.exchange"
        )
+      case NS => js.required[NSData]("Missing BatchChangeInput.changes.record.nsdname")
+      case SRV => js.required[SRVData](
+          "Missing BatchChangeInput.changes.record.priority and " +
+          "Missing BatchChangeInput.changes.record.weight and " +
+          "Missing BatchChangeInput.changes.record.port and " +
+          "Missing BatchChangeInput.changes.record.target"
+      )
+      case NAPTR => js.required[NAPTRData](
+        "Missing BatchChangeInput.changes.record.order and " +
+          "Missing BatchChangeInput.changes.record.preference and " +
+          "Missing BatchChangeInput.changes.record.flags and " +
+          "Missing BatchChangeInput.changes.record.service and " +
+          "Missing BatchChangeInput.changes.record.regexp and " +
+          "Missing BatchChangeInput.changes.record.replacement"
+      )
      case _ =>
-        s"Unsupported type $typ, valid types include: A, AAAA, CNAME, PTR, TXT, and MX".invalidNel
+        s"Unsupported type $typ, valid types include: A, AAAA, CNAME, PTR, TXT, MX, NS, SRV and NAPTR".invalidNel
    }
  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/route/BatchChangeRouting.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/BatchChangeRouting.scala
@ -16,15 +16,16 @@

 package vinyldns.api.route

-import akka.http.scaladsl.model.StatusCodes
+import akka.http.scaladsl.model._
 import akka.http.scaladsl.server.{RejectionHandler, Route, ValidationRejection}
 import org.slf4j.{Logger, LoggerFactory}
-import vinyldns.api.config.ManualReviewConfig
-import vinyldns.core.domain.batch._
+import vinyldns.api.config.{LimitsConfig, ManualReviewConfig}
 import vinyldns.api.domain.batch._
+import vinyldns.core.domain.batch._

 class BatchChangeRoute(
    batchChangeService: BatchChangeServiceAlgebra,
+    limitsConfig: LimitsConfig,
    val vinylDNSAuthenticator: VinylDNSAuthenticator,
    manualReviewConfig: ManualReviewConfig
 ) extends VinylDNSJsonProtocol
@ -54,7 +55,7 @@ class BatchChangeRoute(
    case scnpd: ScheduledChangeNotDue => complete(StatusCodes.Forbidden, scnpd.message)
  }

-  final private val MAX_ITEMS_LIMIT: Int = 100
+  final private val MAX_ITEMS_LIMIT: Int = limitsConfig.BATCHCHANGE_ROUTING_MAX_ITEMS_LIMIT

  val batchChangeRoute: Route = {
    val standardBatchChangeRoutes = path("zones" / "batchrecordchanges") {
@ -69,22 +70,28 @@ class BatchChangeRoute(
          }
        }
      } ~
-        (get & monitor("Endpoint.listBatchChangeSummaries")) {
-          parameters(
-            "startFrom".as[Int].?,
-            "maxItems".as[Int].?(MAX_ITEMS_LIMIT),
-            "ignoreAccess".as[Boolean].?(false),
-            "approvalStatus".as[String].?
-          ) {
-            (
-                startFrom: Option[Int],
-                maxItems: Int,
-                ignoreAccess: Boolean,
-                approvalStatus: Option[String]
-            ) =>
-              {
-                val convertApprovalStatus = approvalStatus.flatMap(BatchChangeApprovalStatus.find)
-
+      (get & monitor("Endpoint.listBatchChangeSummaries")) {
+        parameters(
+          "userName".as[String].?,
+          "dateTimeRangeStart".as[String].?,
+          "dateTimeRangeEnd".as[String].?,
+          "startFrom".as[Int].?,
+          "maxItems".as[Int].?(MAX_ITEMS_LIMIT),
+          "ignoreAccess".as[Boolean].?(false),
+          "approvalStatus".as[String].?
+        ) {
+          (
+              userName: Option[String],
+              dateTimeRangeStart: Option[String],
+              dateTimeRangeEnd: Option[String],
+              startFrom: Option[Int],
+              maxItems: Int,
+              ignoreAccess: Boolean,
+              approvalStatus: Option[String]
+          ) =>
+            {
+              val convertApprovalStatus = approvalStatus.flatMap(BatchChangeApprovalStatus.find)
+              
                handleRejections(invalidQueryHandler) {
                  validate(
                    0 < maxItems && maxItems <= MAX_ITEMS_LIMIT,
@ -93,9 +100,14 @@ class BatchChangeRoute(
                    authenticateAndExecute(
                      batchChangeService.listBatchChangeSummaries(
                        _,
+                        userName,
+                        dateTimeRangeStart,
+                        dateTimeRangeEnd,
                        startFrom,
                        maxItems,
                        ignoreAccess,
+                        // TODO: Update batch status from None to its actual value when the feature is ready for release
+                        None,
                        convertApprovalStatus
                      )
                    ) { summaries =>
@ -104,9 +116,9 @@ class BatchChangeRoute(
                  }
                }
              }
-          }
+            }
        }
-    } ~
+      } ~
      path("zones" / "batchrecordchanges" / Segment) { id =>
        (get & monitor("Endpoint.getBatchChange")) {
          authenticateAndExecute(batchChangeService.getBatchChange(id, _)) { chg =>
--- a/modules/api/src/main/scala/vinyldns/api/route/DnsJsonProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/DnsJsonProtocol.scala
@ -17,20 +17,22 @@
 package vinyldns.api.route

 import java.util.UUID
-
 import cats.data._
 import cats.implicits._
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.json4s.JsonDSL._
 import org.json4s._
 import scodec.bits.{Bases, ByteVector}
 import vinyldns.api.domain.zone.{RecordSetGlobalInfo, RecordSetInfo, RecordSetListInfo}
 import vinyldns.core.domain.DomainHelpers.ensureTrailingDot
 import vinyldns.core.domain.DomainHelpers.removeWhitespace
-import vinyldns.core.domain.Fqdn
+import vinyldns.core.domain.{EncryptFromJson, Encrypted, Fqdn}
 import vinyldns.core.domain.record._
 import vinyldns.core.domain.zone._
 import vinyldns.core.Messages._
+import vinyldns.core.domain.record.OwnerShipTransferStatus
+import vinyldns.core.domain.record.OwnerShipTransferStatus.OwnerShipTransferStatus

 trait DnsJsonProtocol extends JsonValidation {
  import vinyldns.core.domain.record.RecordType._
@ -40,12 +42,15 @@ trait DnsJsonProtocol extends JsonValidation {
    UpdateZoneInputSerializer,
    ZoneConnectionSerializer,
    AlgorithmSerializer,
+    EncryptedSerializer,
    RecordSetSerializer,
+    ownerShipTransferSerializer,
    RecordSetListInfoSerializer,
    RecordSetGlobalInfoSerializer,
    RecordSetInfoSerializer,
    RecordSetChangeSerializer,
    JsonEnumV(ZoneStatus),
+    JsonEnumV(OwnerShipTransferStatus),
    JsonEnumV(ZoneChangeStatus),
    JsonEnumV(RecordSetStatus),
    JsonEnumV(RecordSetChangeStatus),
@ -53,6 +58,7 @@ trait DnsJsonProtocol extends JsonValidation {
    JsonEnumV(ZoneChangeType),
    JsonEnumV(RecordSetChangeType),
    JsonEnumV(NameSort),
+    JsonEnumV(RecordTypeSort),
    ASerializer,
    AAAASerializer,
    CNAMESerializer,
@ -78,12 +84,24 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "userId").required[String]("Missing RecordSetChange.userId"),
        (js \ "changeType").required(RecordSetChangeType, "Missing RecordSetChange.changeType"),
        (js \ "status").default(RecordSetChangeStatus, RecordSetChangeStatus.Pending),
-        (js \ "created").default[DateTime](DateTime.now),
+        (js \ "created").default[Instant](Instant.now.truncatedTo(ChronoUnit.MILLIS)),
        (js \ "systemMessage").optional[String],
        (js \ "updates").optional[RecordSet],
        (js \ "id").default[String](UUID.randomUUID.toString),
        (js \ "singleBatchChangeIds").default[List[String]](List())
-      ).mapN(RecordSetChange.apply)
+        ).mapN(RecordSetChange.apply)
+
+    override def toJson(rs: RecordSetChange): JValue =
+      ("zone" -> Extraction.decompose(rs.zone)) ~
+        ("recordSet" -> Extraction.decompose(rs.recordSet)) ~
+        ("userId" -> rs.userId) ~
+        ("changeType" -> Extraction.decompose(rs.changeType)) ~
+        ("status" -> Extraction.decompose(rs.status)) ~
+        ("created" -> Extraction.decompose(rs.created)) ~
+        ("systemMessage" -> rs.systemMessage) ~
+        ("updates" -> Extraction.decompose(rs.updates)) ~
+        ("id" -> rs.id) ~
+        ("singleBatchChangeIds" -> Extraction.decompose(rs.singleBatchChangeIds))
  }

  case object CreateZoneInputSerializer extends ValidationSerializer[CreateZoneInput] {
@ -99,8 +117,10 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "shared").default[Boolean](false),
        (js \ "acl").default[ZoneACL](ZoneACL()),
        (js \ "adminGroupId").required[String]("Missing Zone.adminGroupId"),
-        (js \ "backendId").optional[String]
-      ).mapN(CreateZoneInput.apply)
+        (js \ "backendId").optional[String],
+        (js \ "recurrenceSchedule").optional[String],
+        (js \ "scheduleRequestor").optional[String],
+        ).mapN(CreateZoneInput.apply)
  }

  case object UpdateZoneInputSerializer extends ValidationSerializer[UpdateZoneInput] {
@ -116,8 +136,10 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "shared").default[Boolean](false),
        (js \ "acl").default[ZoneACL](ZoneACL()),
        (js \ "adminGroupId").required[String]("Missing Zone.adminGroupId"),
-        (js \ "backendId").optional[String]
-      ).mapN(UpdateZoneInput.apply)
+        (js \ "recurrenceSchedule").optional[String],
+        (js \ "scheduleRequestor").optional[String],
+        (js \ "backendId").optional[String],
+        ).mapN(UpdateZoneInput.apply)
  }

  case object AlgorithmSerializer extends ValidationSerializer[Algorithm] {
@ -130,18 +152,30 @@ trait DnsJsonProtocol extends JsonValidation {
    override def toJson(a: Algorithm): JValue = JString(a.name)
  }

+  case object EncryptedSerializer extends ValidationSerializer[Encrypted] {
+    override def fromJson(js: JValue): ValidatedNel[String, Encrypted] =
+      js match {
+        case JString(value) => EncryptFromJson.fromString(value).toValidatedNel
+        case _ => "Unsupported type for zone connection key, must be a string".invalidNel
+      }
+
+    override def toJson(a: Encrypted): JValue = JString(a.value)
+  }
+
  case object ZoneConnectionSerializer extends ValidationSerializer[ZoneConnection] {
    override def fromJson(js: JValue): ValidatedNel[String, ZoneConnection] =
      (
        (js \ "name").required[String]("Missing ZoneConnection.name"),
        (js \ "keyName").required[String]("Missing ZoneConnection.keyName"),
-        (js \ "key").required[String]("Missing ZoneConnection.key"),
+        (js \ "key").required[Encrypted]("Missing ZoneConnection.key"),
        (js \ "primaryServer").required[String]("Missing ZoneConnection.primaryServer"),
        (js \ "algorithm").default[Algorithm](Algorithm.HMAC_MD5)
-      ).mapN(ZoneConnection.apply)
+        ).mapN(ZoneConnection.apply)
  }

  def checkDomainNameLen(s: String): Boolean = s.length <= 255
+  def validateNaptrFlag(flag: String): Boolean = flag == "U" || flag  == "S" || flag  == "A" || flag  == "P"
+  def validateNaptrRegexp(regexp: String): Boolean = regexp.startsWith("!") && regexp.endsWith("!") || regexp == ""
  def nameContainsDots(s: String): Boolean = s.contains(".")
  def nameDoesNotContainSpaces(s: String): Boolean = !s.contains(" ")

@ -151,22 +185,22 @@ trait DnsJsonProtocol extends JsonValidation {
  // Adapted from https://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
  // As noted in comments, might fail in very unusual edge cases
  val ipv6Re =
-    """^(
-      #([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
-      #([0-9a-fA-F]{1,4}:){1,7}:|
-      #([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
-      #([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|
-      #([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|
-      #([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
-      #([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|
-      #[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
-      #:((:[0-9a-fA-F]{1,4}){1,7}|:)|
-      #fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
-      #::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|
-      #(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|
-      #([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|
-      #(2[0-4]|1{0,1}[0-9]){0,1}[0-9])
-      #)$""".stripMargin('#').replaceAll("\n", "").r
+  """^(
+    #([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|
+    #([0-9a-fA-F]{1,4}:){1,7}:|
+    #([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|
+    #([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|
+    #([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|
+    #([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|
+    #([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|
+    #[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|
+    #:((:[0-9a-fA-F]{1,4}){1,7}|:)|
+    #fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|
+    #::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|
+    #(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|
+    #([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|
+    #(2[0-4]|1{0,1}[0-9]){0,1}[0-9])
+    #)$""".stripMargin('#').replaceAll("\n", "").r

  def ipv4Match(s: String): Boolean = ipv4Re.findFirstIn(s).isDefined
  def ipv6Match(s: String): Boolean = ipv6Re.findFirstIn(s).isDefined
@ -195,15 +229,16 @@ trait DnsJsonProtocol extends JsonValidation {
            "RecordSet.ttl must be a positive signed 32 bit number greater than or equal to 30" -> (_ >= 30)
          ),
        (js \ "status").default(RecordSetStatus, RecordSetStatus.Pending),
-        (js \ "created").default[DateTime](DateTime.now),
-        (js \ "updated").optional[DateTime],
+        (js \ "created").default[Instant](Instant.now.truncatedTo(ChronoUnit.MILLIS)),
+        (js \ "updated").optional[Instant],
        recordType
          .andThen(extractRecords(_, js \ "records")),
        (js \ "id").default[String](UUID.randomUUID().toString),
        (js \ "account").default[String]("system"),
        (js \ "ownerGroupId").optional[String],
+        (js \ "recordSetGroupChange").optional[OwnerShipTransfer],
        (js \ "fqdn").optional[String]
-      ).mapN(RecordSet.apply)
+        ).mapN(RecordSet.apply)

      // Put additional record set level checks below
      recordSetResult.checkIf(recordTypeGet == RecordType.CNAME)(
@ -226,15 +261,29 @@ trait DnsJsonProtocol extends JsonValidation {
        ("id" -> rs.id) ~
        ("account" -> rs.account) ~
        ("ownerGroupId" -> rs.ownerGroupId) ~
+        ("recordSetGroupChange" -> Extraction.decompose(rs.recordSetGroupChange)) ~
        ("fqdn" -> rs.fqdn)
  }

+
+  case object ownerShipTransferSerializer extends ValidationSerializer[OwnerShipTransfer] {
+    override def fromJson(js: JValue): ValidatedNel[String, OwnerShipTransfer] =
+      (
+        (js \ "ownerShipTransferStatus").required[OwnerShipTransferStatus]("Missing ownerShipTransfer.ownerShipTransferStatus"),
+        (js \ "requestedOwnerGroupId").optional[String],
+        ).mapN(OwnerShipTransfer.apply)
+
+    override def toJson(rsa: OwnerShipTransfer): JValue =
+      ("ownerShipTransferStatus" -> Extraction.decompose(rsa.ownerShipTransferStatus)) ~
+        ("requestedOwnerGroupId" -> Extraction.decompose(rsa.requestedOwnerGroupId))
+  }
+
  case object RecordSetListInfoSerializer extends ValidationSerializer[RecordSetListInfo] {
    override def fromJson(js: JValue): ValidatedNel[String, RecordSetListInfo] =
      (
        RecordSetInfoSerializer.fromJson(js),
        (js \ "accessLevel").required[AccessLevel.AccessLevel]("Missing RecordSet.zoneId")
-      ).mapN(RecordSetListInfo.apply)
+        ).mapN(RecordSetListInfo.apply)

    override def toJson(rs: RecordSetListInfo): JValue =
      ("type" -> Extraction.decompose(rs.typ)) ~
@ -250,6 +299,7 @@ trait DnsJsonProtocol extends JsonValidation {
        ("accessLevel" -> rs.accessLevel.toString) ~
        ("ownerGroupId" -> rs.ownerGroupId) ~
        ("ownerGroupName" -> rs.ownerGroupName) ~
+        ("recordSetGroupChange" -> Extraction.decompose(rs.recordSetGroupChange)) ~
        ("fqdn" -> rs.fqdn)
  }

@ -271,6 +321,7 @@ trait DnsJsonProtocol extends JsonValidation {
        ("account" -> rs.account) ~
        ("ownerGroupId" -> rs.ownerGroupId) ~
        ("ownerGroupName" -> rs.ownerGroupName) ~
+        ("recordSetGroupChange" -> Extraction.decompose(rs.recordSetGroupChange)) ~
        ("fqdn" -> rs.fqdn)
  }

@ -281,7 +332,7 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "zoneName").required[String]("Missing Zone.name"),
        (js \ "zoneShared").required[Boolean]("Missing Zone.shared"),
        (js \ "ownerGroupName").optional[String]
-      ).mapN(RecordSetGlobalInfo.apply)
+        ).mapN(RecordSetGlobalInfo.apply)

    override def toJson(rs: RecordSetGlobalInfo): JValue =
      ("type" -> Extraction.decompose(rs.typ)) ~
@ -296,6 +347,7 @@ trait DnsJsonProtocol extends JsonValidation {
        ("account" -> rs.account) ~
        ("ownerGroupId" -> rs.ownerGroupId) ~
        ("ownerGroupName" -> rs.ownerGroupName) ~
+        ("recordSetGroupChange" -> Extraction.decompose(rs.recordSetGroupChange)) ~
        ("fqdn" -> rs.fqdn) ~
        ("zoneName" -> rs.zoneName) ~
        ("zoneShared" -> rs.zoneShared)
@ -365,7 +417,7 @@ trait DnsJsonProtocol extends JsonValidation {
            "MX.exchange must be less than 255 characters" -> checkDomainNameLen
          )
          .map(Fqdn.apply)
-      ).mapN(MXData.apply)
+        ).mapN(MXData.apply)
  }

  case object NSSerializer extends ValidationSerializer[NSData] {
@ -431,7 +483,7 @@ trait DnsJsonProtocol extends JsonValidation {
          .check(
            "SOA.minimum must be an unsigned 32 bit number" -> (i => i <= 4294967295L && i >= 0)
          )
-      ).mapN(SOAData.apply)
+        ).mapN(SOAData.apply)
  }

  case object SPFSerializer extends ValidationSerializer[SPFData] {
@ -468,7 +520,7 @@ trait DnsJsonProtocol extends JsonValidation {
            "SRV.target must be less than 255 characters" -> checkDomainNameLen
          )
          .map(Fqdn.apply)
-      ).mapN(SRVData.apply)
+        ).mapN(SRVData.apply)
  }

  case object NAPTRSerializer extends ValidationSerializer[NAPTRData] {
@ -487,7 +539,7 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "flags")
          .required[String]("Missing NAPTR.flags")
          .check(
-            "NAPTR.flags must be less than 2 characters" -> (_.length < 2)
+            "Invalid NAPTR.flag. Valid NAPTR flag value must be U, S, A or P" -> validateNaptrFlag
          ),
        (js \ "service")
          .required[String]("Missing NAPTR.service")
@ -497,16 +549,16 @@ trait DnsJsonProtocol extends JsonValidation {
        (js \ "regexp")
          .required[String]("Missing NAPTR.regexp")
          .check(
-            "NAPTR.regexp must be less than 255 characters" -> checkDomainNameLen
+            "Invalid NAPTR.regexp. Valid NAPTR regexp value must start and end with '!' or can be empty" -> validateNaptrRegexp
          ),
-        // should also check regex validity
+
        (js \ "replacement")
          .required[String]("Missing NAPTR.replacement")
          .check(
            "NAPTR.replacement must be less than 255 characters" -> checkDomainNameLen
          )
          .map(Fqdn.apply)
-      ).mapN(NAPTRData.apply)
+        ).mapN(NAPTRData.apply)
  }

  case object SSHFPSerializer extends ValidationSerializer[SSHFPData] {
@ -523,7 +575,7 @@ trait DnsJsonProtocol extends JsonValidation {
            "SSHFP.type must be an unsigned 8 bit number" -> (i => i <= 255 && i >= 0)
          ),
        (js \ "fingerprint").required[String]("Missing SSHFP.fingerprint")
-      ).mapN(SSHFPData.apply)
+        ).mapN(SSHFPData.apply)

    // necessary because type != typ
    override def toJson(rr: SSHFPData): JValue =
@ -561,7 +613,7 @@ trait DnsJsonProtocol extends JsonValidation {
            case Some(v) => v.validNel
            case None => "Could not convert digest to valid hex".invalidNel
          }
-      ).mapN(DSData.apply)
+        ).mapN(DSData.apply)

    override def toJson(rr: DSData): JValue =
      ("keytag" -> Extraction.decompose(rr.keyTag)) ~
--- a/modules/api/src/main/scala/vinyldns/api/route/JsonValidation.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/JsonValidation.scala
@ -23,7 +23,8 @@ import cats.data._
 import cats.implicits._
 import com.fasterxml.jackson.core.JsonParseException
 import de.heikoseeberger.akkahttpjson4s.Json4sSupport
-import org.joda.time.DateTime
+import java.util.Date
+import java.time.Instant
 import org.json4s.JsonDSL._
 import org.json4s._
 import org.json4s.ext._
@ -33,29 +34,16 @@ import scala.reflect.ClassTag

 case class JsonErrors(errors: List[String])

-// TODO: An update to json4s changed the date time formatting.  In order to stay compatible, had to
-// revert the date time formatting here.  When changing to circe (updating to java8 instant),
-// be sure to check the format of date time
-object VinylDateParser {
-  def parse(s: String, format: Formats): Long =
-    format.dateFormat
-      .parse(s)
-      .map(_.getTime)
-      .getOrElse(
-        throw new MappingException(
-          s"Invalid date format $s; provide the date format as YYYY-MM-DDTHH:MM:SSZ"
-        )
-      )
-}
 case object VinylDateTimeSerializer
-    extends CustomSerializer[DateTime](
+    extends CustomSerializer[Instant](
      format =>
        (
          {
-            case JString(s) => new DateTime(VinylDateParser.parse(s, format))
+            case JInt(s) => Instant.ofEpochMilli(s.longValue())
+            case JString(s) => Instant.ofEpochMilli(format.dateFormat.parse(s).map(_.getTime).getOrElse(0L))
            case JNull => null
          }, {
-            case d: DateTime => JString(format.dateFormat.format(d.toDate))
+            case d: Instant => JString(format.dateFormat.format(Date.from(d)))
          }
        )
    )
@ -65,7 +53,7 @@ trait JsonValidationSupport extends Json4sSupport {
  import scala.collection._

  // this is where you define all serializers, custom and validating serializers
-  val serializers: Traversable[Serializer[_]]
+  val serializers: Iterable[Serializer[_]]

  // TODO: needed in order to stay backward compatible for date time formatting,
  // should be removed when we upgrade json libs
@ -87,7 +75,7 @@ trait JsonValidationSupport extends Json4sSupport {
    * @return An adjusted Formats without the serializer passed in
    */
  private[route] def adjustedFormats(ser: Serializer[_]) =
-    DefaultFormats ++ JodaTimeSerializers.all ++ serializers.filterNot(_.equals(ser))
+    DefaultFormats ++ JavaTimeSerializers.all ++ serializers.filterNot(_.equals(ser))

  implicit def json4sJacksonFormats: Formats = DefaultFormats ++ dtSerializers ++ serializers
 }
--- a/modules/api/src/main/scala/vinyldns/api/route/MembershipJsonProtocol.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/MembershipJsonProtocol.scala
@ -17,11 +17,12 @@
 package vinyldns.api.route

 import java.util.UUID
-
 import cats.data._
 import cats.implicits._
-import org.joda.time.DateTime
+import java.time.Instant
+import java.time.temporal.ChronoUnit
 import org.json4s._
+import org.json4s.JsonDSL._
 import vinyldns.api.domain.membership._
 import vinyldns.core.domain.membership.{Group, GroupChangeType, GroupStatus, LockStatus}

@ -92,7 +93,7 @@ trait MembershipJsonProtocol extends JsonValidation {
        (js \ "email").required[String]("Missing Group.email"),
        (js \ "description").optional[String],
        (js \ "id").default[String](UUID.randomUUID().toString),
-        (js \ "created").default[DateTime](DateTime.now),
+        (js \ "created").default[Instant](Instant.now.truncatedTo(ChronoUnit.MILLIS)),
        (js \ "status").default(GroupStatus, GroupStatus.Active),
        (js \ "memberIds").default[Set[String]](Set.empty),
        (js \ "adminUserIds").default[Set[String]](Set.empty)
@ -100,28 +101,52 @@ trait MembershipJsonProtocol extends JsonValidation {
  }

  case object GroupInfoSerializer extends ValidationSerializer[GroupInfo] {
-    override def fromJson(js: JValue): ValidatedNel[String, GroupInfo] =
+    override def fromJson(js: JValue): ValidatedNel[String, GroupInfo] = {
      (
        (js \ "id").default[String](UUID.randomUUID().toString),
        (js \ "name").required[String]("Missing Group.name"),
        (js \ "email").required[String]("Missing Group.email"),
        (js \ "description").optional[String],
-        (js \ "created").default[DateTime](DateTime.now),
+        (js \ "created").default[Instant](Instant.now.truncatedTo(ChronoUnit.MILLIS)),
        (js \ "status").default(GroupStatus, GroupStatus.Active),
        (js \ "members").default[Set[UserId]](Set.empty),
        (js \ "admins").default[Set[UserId]](Set.empty)
      ).mapN(GroupInfo.apply)
+    }
+
+    override def toJson(gi: GroupInfo): JValue =
+      ("id" -> gi.id) ~
+      ("name" -> gi.name) ~
+      ("email" -> gi.email) ~
+      ("description" -> gi.description) ~
+      ("created" -> Extraction.decompose(gi.created)) ~
+      ("status" -> Extraction.decompose(gi.status)) ~
+      ("members" -> Extraction.decompose(gi.members)) ~
+      ("admins" -> Extraction.decompose(gi.admins))
  }

  case object GroupChangeInfoSerializer extends ValidationSerializer[GroupChangeInfo] {
-    override def fromJson(js: JValue): ValidatedNel[String, GroupChangeInfo] =
+    override def fromJson(js: JValue): ValidatedNel[String, GroupChangeInfo] = {
      (
        (js \ "newGroup").required[GroupInfo]("Missing new group"),
        (js \ "changeType").required(GroupChangeType, "Missing change type"),
        (js \ "userId").required[String]("Missing userId"),
        (js \ "oldGroup").optional[GroupInfo],
        (js \ "id").default[String](UUID.randomUUID().toString),
-        (js \ "created").default[String](DateTime.now.getMillis.toString)
+        (js \ "created").default[Instant](Instant.now.truncatedTo(ChronoUnit.MILLIS)),
+        (js \ "userName").required[String]("Missing userName"),
+        (js \ "groupChangeMessage").required[String]("Missing groupChangeMessage"),
      ).mapN(GroupChangeInfo.apply)
+    }
+
+    override def toJson(gci: GroupChangeInfo): JValue =
+      ("newGroup" -> Extraction.decompose(gci.newGroup)) ~
+      ("changeType" -> Extraction.decompose(gci.changeType)) ~
+      ("userId" -> gci.userId) ~
+      ("oldGroup" -> Extraction.decompose(gci.oldGroup)) ~
+      ("id" -> gci.id) ~
+      ("created" -> gci.created.toString) ~
+      ("userName" -> gci.userName) ~
+      ("groupChangeMessage" -> gci.groupChangeMessage)
  }
 }
--- a/modules/api/src/main/scala/vinyldns/api/route/MembershipRouting.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/MembershipRouting.scala
@ -19,6 +19,7 @@ package vinyldns.api.route
 import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.server._
 import org.slf4j.{Logger, LoggerFactory}
+import vinyldns.api.config.LimitsConfig
 import vinyldns.api.domain.membership._
 import vinyldns.api.domain.zone.NotAuthorizedError
 import vinyldns.api.route.MembershipJsonProtocol.{CreateGroupInput, UpdateGroupInput}
@ -26,12 +27,15 @@ import vinyldns.core.domain.membership.{Group, LockStatus}

 class MembershipRoute(
    membershipService: MembershipServiceAlgebra,
+    limitsConfig: LimitsConfig,
    val vinylDNSAuthenticator: VinylDNSAuthenticator
 ) extends VinylDNSJsonProtocol
    with VinylDNSDirectives[Throwable] {
-  final private val DEFAULT_MAX_ITEMS: Int = 100
-  final private val MAX_ITEMS_LIMIT: Int = 1000
-  final private val MAX_GROUPS_LIST_LIMIT: Int = 1500
+
+  final private val DEFAULT_MAX_ITEMS: Int = limitsConfig.MEMBERSHIP_ROUTING_DEFAULT_MAX_ITEMS
+  final private val MAX_ITEMS_LIMIT: Int = limitsConfig.MEMBERSHIP_ROUTING_MAX_ITEMS_LIMIT
+  final private val MAX_GROUPS_LIST_LIMIT: Int =
+    limitsConfig.MEMBERSHIP_ROUTING_MAX_GROUPS_LIST_LIMIT

  def getRoutes: Route = membershipRoute

@ -41,9 +45,11 @@ class MembershipRoute(
    case GroupNotFoundError(msg) => complete(StatusCodes.NotFound, msg)
    case NotAuthorizedError(msg) => complete(StatusCodes.Forbidden, msg)
    case GroupAlreadyExistsError(msg) => complete(StatusCodes.Conflict, msg)
+    case GroupValidationError(msg) => complete(StatusCodes.BadRequest, msg)
    case InvalidGroupError(msg) => complete(StatusCodes.BadRequest, msg)
    case UserNotFoundError(msg) => complete(StatusCodes.NotFound, msg)
    case InvalidGroupRequestError(msg) => complete(StatusCodes.BadRequest, msg)
+    case EmailValidationError(msg) => complete(StatusCodes.BadRequest, msg)
  }

  val membershipRoute: Route = path("groups" / Segment) { groupId =>
@ -75,16 +81,18 @@ class MembershipRoute(
      } ~
        (get & monitor("Endpoint.listMyGroups")) {
          parameters(
-            "startFrom".?,
+            "startFrom".as[String].?,
            "maxItems".as[Int].?(DEFAULT_MAX_ITEMS),
            "groupNameFilter".?,
-            "ignoreAccess".as[Boolean].?(false)
+            "ignoreAccess".as[Boolean].?(false),
+            "abridged".as[Boolean].?(false),
          ) {
            (
                startFrom: Option[String],
                maxItems: Int,
                groupNameFilter: Option[String],
-                ignoreAccess: Boolean
+                ignoreAccess: Boolean,
+                abridged: Boolean
            ) =>
              {
                handleRejections(invalidQueryHandler) {
@ -97,7 +105,7 @@ class MembershipRoute(
                  ) {
                    authenticateAndExecute(
                      membershipService
-                        .listMyGroups(groupNameFilter, startFrom, maxItems, _, ignoreAccess)
+                        .listMyGroups(groupNameFilter, startFrom, maxItems, _, ignoreAccess, abridged)
                    ) { groups =>
                      complete(StatusCodes.OK, groups)
                    }
@ -154,8 +162,8 @@ class MembershipRoute(
    } ~
    path("groups" / Segment / "activity") { groupId =>
      (get & monitor("Endpoint.groupActivity")) {
-        parameters("startFrom".?, "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
-          (startFrom: Option[String], maxItems: Int) =>
+        parameters("startFrom".as[Int].?, "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
+          (startFrom: Option[Int], maxItems: Int) =>
            handleRejections(invalidQueryHandler) {
              validate(
                0 < maxItems && maxItems <= MAX_ITEMS_LIMIT,
@ -172,6 +180,20 @@ class MembershipRoute(
        }
      }
    } ~
+    path("groups" / "change" / Segment) { groupChangeId =>
+      (get & monitor("Endpoint.groupSingleChange")) {
+        authenticateAndExecute(membershipService.getGroupChange(groupChangeId, _)) { groupChange =>
+          complete(StatusCodes.OK, groupChange)
+        }
+      }
+    } ~
+    path("groups" / "valid" / "domains") {
+      (get & monitor("Endpoint.validdomains")) {
+        authenticateAndExecute(membershipService.listEmailDomains) { emailDomains =>
+          complete(StatusCodes.OK, emailDomains)
+        }
+      }
+    } ~
    path("users" / Segment / "lock") { id =>
      (put & monitor("Endpoint.lockUser")) {
        authenticateAndExecute(membershipService.updateUserLockStatus(id, LockStatus.Locked, _)) {
@ -187,6 +209,14 @@ class MembershipRoute(
            complete(StatusCodes.OK, UserInfo(user))
        }
      }
+    } ~
+    path("users" / Segment) { id =>
+      (get & monitor("Endpoint.getUser")) {
+        authenticateAndExecute(membershipService.getUserDetails(id, _)) {
+          user =>
+            complete(StatusCodes.OK, user)
+        }
+      }
    }

  private val invalidQueryHandler = RejectionHandler
--- a/modules/api/src/main/scala/vinyldns/api/route/RecordSetRouting.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/RecordSetRouting.scala
@ -22,10 +22,12 @@ import akka.util.Timeout
 import org.slf4j.{Logger, LoggerFactory}
 import vinyldns.api.Interfaces._
 import vinyldns.api.domain.record.RecordSetServiceAlgebra
+import vinyldns.api.config.LimitsConfig
 import vinyldns.api.domain.zone._
 import vinyldns.core.domain.record.NameSort.NameSort
 import vinyldns.core.domain.record.RecordType.RecordType
-import vinyldns.core.domain.record.{NameSort, RecordSet, RecordType}
+import vinyldns.core.domain.record.RecordTypeSort.RecordTypeSort
+import vinyldns.core.domain.record.{NameSort, RecordSet, RecordType, RecordTypeSort}
 import vinyldns.core.domain.zone.ZoneCommandResult

 import scala.concurrent.duration._
@ -33,38 +35,40 @@ import scala.concurrent.duration._
 case class GetRecordSetResponse(recordSet: RecordSetInfo)

 case class ListGlobalRecordSetsResponse(
-    recordSets: List[RecordSetGlobalInfo],
-    startFrom: Option[String] = None,
-    nextId: Option[String] = None,
-    maxItems: Option[Int] = None,
-    recordNameFilter: String,
-    recordTypeFilter: Option[Set[RecordType]] = None,
-    recordOwnerGroupFilter: Option[String] = None,
-    nameSort: NameSort
-)
+                                         recordSets: List[RecordSetGlobalInfo],
+                                         startFrom: Option[String] = None,
+                                         nextId: Option[String] = None,
+                                         maxItems: Option[Int] = None,
+                                         recordNameFilter: String,
+                                         recordTypeFilter: Option[Set[RecordType]] = None,
+                                         recordOwnerGroupFilter: Option[String] = None,
+                                         nameSort: NameSort
+                                       )

 case class ListRecordSetsByZoneResponse(
-    recordSets: List[RecordSetListInfo],
-    startFrom: Option[String] = None,
-    nextId: Option[String] = None,
-    maxItems: Option[Int] = None,
-    recordNameFilter: Option[String] = None,
-    recordTypeFilter: Option[Set[RecordType]] = None,
-    recordOwnerGroupFilter: Option[String] = None,
-    nameSort: NameSort
-)
+                                         recordSets: List[RecordSetListInfo],
+                                         startFrom: Option[String] = None,
+                                         nextId: Option[String] = None,
+                                         maxItems: Option[Int] = None,
+                                         recordNameFilter: Option[String] = None,
+                                         recordTypeFilter: Option[Set[RecordType]] = None,
+                                         recordOwnerGroupFilter: Option[String] = None,
+                                         nameSort: NameSort,
+                                         recordTypeSort: RecordTypeSort
+                                       )

 class RecordSetRoute(
-    recordSetService: RecordSetServiceAlgebra,
-    val vinylDNSAuthenticator: VinylDNSAuthenticator
-) extends VinylDNSJsonProtocol
-    with VinylDNSDirectives[Throwable] {
+                      recordSetService: RecordSetServiceAlgebra,
+                      limitsConfig: LimitsConfig,
+                      val vinylDNSAuthenticator: VinylDNSAuthenticator
+                    ) extends VinylDNSJsonProtocol
+  with VinylDNSDirectives[Throwable] {

  def getRoutes: Route = recordSetRoute

  def logger: Logger = LoggerFactory.getLogger(classOf[RecordSetRoute])

-  final private val DEFAULT_MAX_ITEMS: Int = 100
+  final private val DEFAULT_MAX_ITEMS: Int = limitsConfig.RECORDSET_ROUTING_DEFAULT_MAX_ITEMS

  // Timeout must be long enough to allow the cluster to form
  implicit val rsCmdTimeout: Timeout = Timeout(10.seconds)
@ -98,15 +102,17 @@ class RecordSetRoute(
          "recordNameFilter".?,
          "recordTypeFilter".?,
          "recordOwnerGroupFilter".?,
-          "nameSort".as[String].?("ASC")
+          "nameSort".as[String].?("ASC"),
+          "recordTypeSort".as[String].?("None")
        ) {
          (
-              startFrom: Option[String],
-              maxItems: Int,
-              recordNameFilter: Option[String],
-              recordTypeFilter: Option[String],
-              recordOwnerGroupFilter: Option[String],
-              nameSort: String
+            startFrom: Option[String],
+            maxItems: Int,
+            recordNameFilter: Option[String],
+            recordTypeFilter: Option[String],
+            recordOwnerGroupFilter: Option[String],
+            nameSort: String,
+            recordTypeSort: String
          ) =>
            val convertedRecordTypeFilter = convertRecordTypeFilter(recordTypeFilter)
            handleRejections(invalidQueryHandler) {
@ -124,8 +130,9 @@ class RecordSetRoute(
                      convertedRecordTypeFilter,
                      recordOwnerGroupFilter,
                      NameSort.find(nameSort),
-                      _
-                    )
+                      _,
+                      RecordTypeSort.find(recordTypeSort),
+                )
                ) { rsResponse =>
                  complete(StatusCodes.OK, rsResponse)
                }
@ -142,15 +149,17 @@ class RecordSetRoute(
          "recordNameFilter".as[String],
          "recordTypeFilter".?,
          "recordOwnerGroupFilter".?,
-          "nameSort".as[String].?("ASC")
+          "nameSort".as[String].?("ASC"),
+          "recordTypeSort".as[String].?("NONE")
        ) {
          (
-              startFrom: Option[String],
-              maxItems: Int,
-              recordNameFilter: String,
-              recordTypeFilter: Option[String],
-              recordOwnerGroupFilter: Option[String],
-              nameSort: String
+            startFrom: Option[String],
+            maxItems: Int,
+            recordNameFilter: String,
+            recordTypeFilter: Option[String],
+            recordOwnerGroupFilter: Option[String],
+            nameSort: String,
+            recordTypeSort: String
          ) =>
            val convertedRecordTypeFilter = convertRecordTypeFilter(recordTypeFilter)
            handleRejections(invalidQueryHandler) {
@ -160,14 +169,15 @@ class RecordSetRoute(
              ) {
                authenticateAndExecute(
                  recordSetService
-                    .listRecordSets(
+                    .searchRecordSets(
                      startFrom,
                      Some(maxItems),
                      recordNameFilter,
                      convertedRecordTypeFilter,
                      recordOwnerGroupFilter,
                      NameSort.find(nameSort),
-                      _
+                      _,
+                      RecordTypeSort.find(recordTypeSort)
                    )
                ) { rsResponse =>
                  complete(StatusCodes.OK, rsResponse)
@ -177,6 +187,13 @@ class RecordSetRoute(
        }
      }
    } ~
+    path("zones" / Segment / "recordsetcount") { zoneId =>
+      (get & monitor("Endpoint.getRecordSetCount")) {
+        authenticateAndExecute(recordSetService.getRecordSetCount(zoneId, _)) { count =>
+          complete(StatusCodes.OK, count)
+        }
+      }
+    } ~
    path("zones" / Segment / "recordsets" / Segment) { (zoneId, rsId) =>
      (get & monitor("Endpoint.getRecordSetByZone")) {
        authenticateAndExecute(recordSetService.getRecordSetByZone(rsId, zoneId, _)) { rs =>
@ -213,8 +230,8 @@ class RecordSetRoute(
    } ~
    path("zones" / Segment / "recordsetchanges") { zoneId =>
      (get & monitor("Endpoint.listRecordSetChanges")) {
-        parameters("startFrom".?, "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
-          (startFrom: Option[String], maxItems: Int) =>
+        parameters("startFrom".as[Int].?, "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
+          (startFrom: Option[Int], maxItems: Int) =>
            handleRejections(invalidQueryHandler) {
              validate(
                check = 0 < maxItems && maxItems <= DEFAULT_MAX_ITEMS,
@ -231,6 +248,52 @@ class RecordSetRoute(
            }
        }
      }
+    } ~
+    path("recordsetchange" / "history") {
+      (get & monitor("Endpoint.listRecordSetChangeHistory")) {
+        parameters("zoneId".as[String].?, "startFrom".as[Int].?, "maxItems".as[Int].?(DEFAULT_MAX_ITEMS), "fqdn".as[String].?, "recordType".as[String].?) {
+          (zoneId: Option[String], startFrom: Option[Int], maxItems: Int, fqdn: Option[String], recordType: Option[String]) =>
+            handleRejections(invalidQueryHandler) {
+              val errorMessage = if(fqdn.isEmpty || recordType.isEmpty || zoneId.isEmpty) {
+                "recordType, fqdn and zoneId cannot be empty"
+              } else {
+                s"maxItems was $maxItems, maxItems must be between 0 exclusive " +
+                  s"and $DEFAULT_MAX_ITEMS inclusive"
+              }
+              val isValid = (0 < maxItems && maxItems <= DEFAULT_MAX_ITEMS) && (fqdn.nonEmpty && recordType.nonEmpty && zoneId.nonEmpty)
+              validate(
+                check = isValid,
+                errorMsg = errorMessage
+              ){
+                authenticateAndExecute(
+                  recordSetService
+                    .listRecordSetChangeHistory(zoneId, startFrom, maxItems, fqdn, RecordType.find(recordType.get), _)
+                ) { changes =>
+                  complete(StatusCodes.OK, changes)
+                }
+              }
+            }
+        }
+      }
+    } ~
+    path("metrics" / "health" / "zones" / Segment / "recordsetchangesfailure") {zoneId =>
+      (get & monitor("Endpoint.listFailedRecordSetChanges")) {
+        parameters("startFrom".as[Int].?(0), "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
+          (startFrom: Int, maxItems: Int) =>
+            handleRejections(invalidQueryHandler) {
+              validate(
+                check = 0 < maxItems && maxItems <= DEFAULT_MAX_ITEMS,
+                errorMsg = s"maxItems was $maxItems, maxItems must be between 0 exclusive " +
+                  s"and $DEFAULT_MAX_ITEMS inclusive"
+              ){
+                authenticateAndExecute(recordSetService.listFailedRecordSetChanges(_, Some(zoneId), startFrom, maxItems)) {
+                  changes =>
+                    complete(StatusCodes.OK, changes)
+                }
+              }
+            }
+        }
+      }
    }

  private val invalidQueryHandler = RejectionHandler
--- a/modules/api/src/main/scala/vinyldns/api/route/StatusRouting.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/StatusRouting.scala
@ -17,10 +17,15 @@
 package vinyldns.api.route

 import akka.http.scaladsl.model.StatusCodes
-import akka.http.scaladsl.server.Directives
+import akka.http.scaladsl.server.Route
 import akka.util.Timeout
 import cats.effect.IO
 import fs2.concurrent.SignallingRef
+import org.slf4j.{Logger, LoggerFactory}
+import vinyldns.api.Interfaces.{EitherImprovements, Result, ensuring}
+import vinyldns.api.config.ServerConfig
+import vinyldns.api.domain.zone.NotAuthorizedError
+import vinyldns.core.domain.auth.AuthPrincipal

 import scala.concurrent.duration._

@ -31,39 +36,63 @@ final case class CurrentStatus(
    version: String
 )

-trait StatusRoute extends Directives {
-  this: VinylDNSJsonProtocol =>
+class StatusRoute(
+  serverConfig: ServerConfig,
+  val vinylDNSAuthenticator: VinylDNSAuthenticator,
+  val processingDisabled: SignallingRef[IO, Boolean]
+) extends VinylDNSJsonProtocol
+  with VinylDNSDirectives[Throwable] {

-  implicit val timeout = Timeout(10.seconds)
+  def getRoutes: Route = statusRoute

-  def processingDisabled: SignallingRef[IO, Boolean]
+  implicit val timeout: Timeout = Timeout(10.seconds)

-  def statusRoute(color: String, version: String, keyName: String) =
+  def logger: Logger = LoggerFactory.getLogger(classOf[StatusRoute])
+
+  def handleErrors(e: Throwable): PartialFunction[Throwable, Route] = {
+    case NotAuthorizedError(msg) => complete(StatusCodes.Forbidden, msg)
+  }
+
+  def postStatus(isProcessingDisabled: Boolean, authPrincipal: AuthPrincipal): Result[Boolean] = {
+    for {
+      _ <- isAdmin(authPrincipal).toResult
+      isDisabled = isProcessingDisabled
+    } yield isDisabled
+  }
+
+  def isAdmin(authPrincipal: AuthPrincipal): Either[Throwable, Unit] =
+    ensuring(NotAuthorizedError(s"Not authorized. User '${authPrincipal.signedInUser.userName}' cannot make the requested change.")) {
+      authPrincipal.isSystemAdmin
+    }
+
+  val statusRoute: Route =
    (get & path("status")) {
      onSuccess(processingDisabled.get.unsafeToFuture()) { isProcessingDisabled =>
        complete(
          StatusCodes.OK,
          CurrentStatus(
            isProcessingDisabled,
-            color,
-            keyName,
-            version
+            serverConfig.color,
+            serverConfig.keyName,
+            serverConfig.version
          )
        )
      }
    } ~
      (post & path("status")) {
        parameters("processingDisabled".as[Boolean]) { isProcessingDisabled =>
-          onSuccess(processingDisabled.set(isProcessingDisabled).unsafeToFuture()) {
-            complete(
-              StatusCodes.OK,
-              CurrentStatus(
-                isProcessingDisabled,
-                color,
-                keyName,
-                version
+          authenticateAndExecute(postStatus(isProcessingDisabled, _)){ isProcessingDisabled =>
+            onSuccess(processingDisabled.set(isProcessingDisabled).unsafeToFuture()) {
+              complete(
+                StatusCodes.OK,
+                CurrentStatus(
+                  isProcessingDisabled,
+                  serverConfig.color,
+                  serverConfig.keyName,
+                  serverConfig.version
+                )
              )
-            )
+            }
          }
        }
      }
--- a/modules/api/src/main/scala/vinyldns/api/route/VinylDNSService.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/VinylDNSService.scala
@ -22,7 +22,7 @@ import cats.effect.IO
 import fs2.concurrent.SignallingRef
 import io.prometheus.client.CollectorRegistry
 import org.json4s.MappingException
-import vinyldns.api.config.VinylDNSConfig
+import vinyldns.api.config.{LimitsConfig, VinylDNSConfig}
 import vinyldns.api.domain.auth.AuthPrincipalProvider
 import vinyldns.api.domain.batch.BatchChangeServiceAlgebra
 import vinyldns.api.domain.membership.MembershipServiceAlgebra
@ -57,6 +57,7 @@ object VinylDNSService {
 // $COVERAGE-OFF$
 class VinylDNSService(
    val membershipService: MembershipServiceAlgebra,
+    val limits: LimitsConfig,
    val processingDisabled: SignallingRef[IO, Boolean],
    val zoneService: ZoneServiceAlgebra,
    val healthService: HealthService,
@ -68,7 +69,6 @@ class VinylDNSService(
 ) extends PingRoute
    with HealthCheckRoute
    with BlueGreenRoute
-    with StatusRoute
    with PrometheusRoute
    with VinylDNSJsonProtocol
    with RequestLogging {
@ -84,37 +84,41 @@ class VinylDNSService(
    )

  val zoneRoute: Route =
-    new ZoneRoute(zoneService, vinylDNSAuthenticator, vinyldnsConfig.crypto).getRoutes
-  val recordSetRoute: Route = new RecordSetRoute(recordSetService, vinylDNSAuthenticator).getRoutes
+    new ZoneRoute(zoneService, limits, vinylDNSAuthenticator, vinyldnsConfig.crypto).getRoutes
+  val recordSetRoute: Route =
+    new RecordSetRoute(recordSetService, limits, vinylDNSAuthenticator).getRoutes
  val membershipRoute: Route =
-    new MembershipRoute(membershipService, vinylDNSAuthenticator).getRoutes
+    new MembershipRoute(membershipService, limits, vinylDNSAuthenticator).getRoutes
  val batchChangeRoute: Route =
    new BatchChangeRoute(
      batchChangeService,
+      limits,
      vinylDNSAuthenticator,
      vinyldnsConfig.manualReviewConfig
    ).getRoutes
+  val statusRoute: Route =
+    new StatusRoute(
+      vinyldnsConfig.serverConfig,
+      vinylDNSAuthenticator,
+      processingDisabled
+    ).getRoutes

  val unloggedUris = Seq(
    Uri.Path("/health"),
    Uri.Path("/color"),
    Uri.Path("/ping"),
-    Uri.Path("/status"),
    Uri.Path("/metrics/prometheus")
  )
  val unloggedRoutes: Route = healthCheckRoute ~ pingRoute ~ colorRoute(
    vinyldnsConfig.serverConfig.color
-  ) ~ statusRoute(
-    vinyldnsConfig.serverConfig.color,
-    vinyldnsConfig.serverConfig.version,
-    vinyldnsConfig.serverConfig.keyName
  ) ~ prometheusRoute

  val allRoutes: Route = unloggedRoutes ~
    batchChangeRoute ~
    zoneRoute ~
    recordSetRoute ~
-    membershipRoute
+    membershipRoute ~
+    statusRoute

  val vinyldnsRoutes: Route = logRequestResult(requestLogger(unloggedUris))(allRoutes)

--- a/modules/api/src/main/scala/vinyldns/api/route/ZoneRouting.scala
+++ b/modules/api/src/main/scala/vinyldns/api/route/ZoneRouting.scala
@ -20,6 +20,8 @@ import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.server._
 import akka.util.Timeout
 import org.slf4j.{Logger, LoggerFactory}
+import vinyldns.api.config.LimitsConfig
+import vinyldns.api.domain.membership.EmailValidationError
 import vinyldns.api.domain.zone._
 import vinyldns.core.crypto.CryptoAlgebra
 import vinyldns.core.domain.zone._
@ -27,10 +29,12 @@ import vinyldns.core.domain.zone._
 import scala.concurrent.duration._

 case class GetZoneResponse(zone: ZoneInfo)
+case class GetZoneDetailsResponse(zone: ZoneDetails)
 case class ZoneRejected(zone: Zone, errors: List[String])

 class ZoneRoute(
    zoneService: ZoneServiceAlgebra,
+    limitsConfig: LimitsConfig,
    val vinylDNSAuthenticator: VinylDNSAuthenticator,
    crypto: CryptoAlgebra
 ) extends VinylDNSJsonProtocol
@ -40,8 +44,8 @@ class ZoneRoute(

  def logger: Logger = LoggerFactory.getLogger(classOf[ZoneRoute])

-  final private val DEFAULT_MAX_ITEMS: Int = 100
-  final private val MAX_ITEMS_LIMIT: Int = 100
+  final private val DEFAULT_MAX_ITEMS: Int = limitsConfig.ZONE_ROUTING_DEFAULT_MAX_ITEMS
+  final private val MAX_ITEMS_LIMIT: Int = limitsConfig.ZONE_ROUTING_MAX_ITEMS_LIMIT

  // Timeout must be long enough to allow the cluster to form
  implicit val zoneCmdTimeout: Timeout = Timeout(10.seconds)
@ -60,6 +64,7 @@ class ZoneRoute(
    case RecentSyncError(msg) => complete(StatusCodes.Forbidden, msg)
    case ZoneInactiveError(msg) => complete(StatusCodes.BadRequest, msg)
    case InvalidRequest(msg) => complete(StatusCodes.BadRequest, msg)
+    case EmailValidationError(msg) => complete(StatusCodes.BadRequest, msg)
  }

  val zoneRoute: Route = path("zones") {
@ -76,13 +81,17 @@ class ZoneRoute(
          "nameFilter".?,
          "startFrom".as[String].?,
          "maxItems".as[Int].?(DEFAULT_MAX_ITEMS),
-          "ignoreAccess".as[Boolean].?(false)
+          "searchByAdminGroup".as[Boolean].?(false),
+          "ignoreAccess".as[Boolean].?(false),
+          "includeReverse".as[Boolean].?(true)
        ) {
          (
              nameFilter: Option[String],
              startFrom: Option[String],
              maxItems: Int,
-              ignoreAccess: Boolean
+              searchByAdminGroup: Boolean,
+              ignoreAccess: Boolean,
+              includeReverse: Boolean
          ) =>
            {
              handleRejections(invalidQueryHandler) {
@ -92,7 +101,7 @@ class ZoneRoute(
                ) {
                  authenticateAndExecute(
                    zoneService
-                      .listZones(_, nameFilter, startFrom, maxItems, ignoreAccess)
+                      .listZones(_, nameFilter, startFrom, maxItems, searchByAdminGroup, ignoreAccess, includeReverse)
                  ) { result =>
                    complete(StatusCodes.OK, result)
                  }
@ -102,6 +111,38 @@ class ZoneRoute(
        }
      }
  } ~
+    path("zones" / "deleted" / "changes") {
+      (get & monitor("Endpoint.listDeletedZones")) {
+        parameters(
+          "nameFilter".?,
+          "startFrom".as[String].?,
+          "maxItems".as[Int].?(DEFAULT_MAX_ITEMS),
+          "ignoreAccess".as[Boolean].?(false)
+        ) {
+          (
+            nameFilter: Option[String],
+            startFrom: Option[String],
+            maxItems: Int,
+            ignoreAccess: Boolean
+          ) =>
+          {
+            handleRejections(invalidQueryHandler) {
+              validate(
+                0 < maxItems && maxItems <= MAX_ITEMS_LIMIT,
+                s"maxItems was $maxItems, maxItems must be between 0 and $MAX_ITEMS_LIMIT"
+              ) {
+                authenticateAndExecute(
+                  zoneService
+                    .listDeletedZones(_, nameFilter, startFrom, maxItems, ignoreAccess)
+                ) { result =>
+                  complete(StatusCodes.OK, result)
+                }
+              }
+            }
+          }
+        }
+      }
+    } ~
    path("zones" / "backendids") {
      (get & monitor("Endpoint.getBackendIds")) {
        authenticateAndExecute(_ => zoneService.getBackendIds()) { ids =>
@ -134,6 +175,13 @@ class ZoneRoute(
          }
        }
    } ~
+    path("zones" / Segment / "details") { id =>
+      (get & monitor("Endpoint.getCommonZoneDetails")) {
+        authenticateAndExecute(zoneService.getCommonZoneDetails(id, _)) { zone =>
+          complete(StatusCodes.OK, GetZoneDetailsResponse(zone))
+        }
+      }
+    } ~
    path("zones" / Segment / "sync") { id =>
      (post & monitor("Endpoint.syncZone")) {
        authenticateAndExecute(zoneService.syncZone(id, _)) { chg =>
@ -159,6 +207,24 @@ class ZoneRoute(
        }
      }
    } ~
+    path("metrics" / "health" / "zonechangesfailure") {
+      (get & monitor("Endpoint.listFailedZoneChanges")) {
+        parameters("startFrom".as[Int].?(0), "maxItems".as[Int].?(DEFAULT_MAX_ITEMS)) {
+          (startFrom: Int, maxItems: Int) =>
+            handleRejections(invalidQueryHandler) {
+              validate(
+                0 < maxItems && maxItems <= DEFAULT_MAX_ITEMS,
+                s"maxItems was $maxItems, maxItems must be between 0 exclusive and $DEFAULT_MAX_ITEMS inclusive"
+              ) {
+                authenticateAndExecute(zoneService.listFailedZoneChanges(_, startFrom, maxItems)) {
+                  changes =>
+                    complete(StatusCodes.OK, changes)
+                }
+              }
+            }
+        }
+      }
+    } ~
    path("zones" / Segment / "acl" / "rules") { id =>
      (put & monitor("Endpoint.addZoneACLRule")) {
        authenticateAndExecuteWithEntity[ZoneCommandResult, ACLRuleInfo](
--- a/Show More
+++ b/Show More