DNS.live does this for its free web and DNS hosting [1]. All you need to do is sign any post/api call with the private key associated with the address in control of your handshake tld.
OAuth 1 I'd agree with that statement (it's use of crypto gave it more pitfalls), but basic OAuth 2 is really not that bad. It's a few fairly straight-forward HTTP requests.
An example is on github [2][3].
[1] https://dns.live/hosting.html
[2] Server: https://github.com/dnslive/dnslive-webserv
[3] Client: https://github.com/dnslive/dnslive-webhost