1
0
mirror of https://github.com/StackExchange/dnscontrol.git synced 2024-05-11 05:55:12 +00:00

DOCS: Simplified the provider URLs (providers) (#2914)

This commit is contained in:
Jeffrey Cafferata
2024-04-18 15:43:50 +02:00
committed by GitHub
parent 0cd3c2fb92
commit 5078927e01
67 changed files with 220 additions and 168 deletions

View File

@ -0,0 +1,80 @@
"Akamai Edge DNS Provider" configures Akamai's
[Edge DNS](https://www.akamai.com/products/edge-dns) service.
This provider interacts with Edge DNS via the
[Edge DNS Zone Management API](https://techdocs.akamai.com/edge-dns/reference/edge-dns-api).
Before you can use this provider, you need to create an "API Client" with authorization to use the
[Edge DNS Zone Management API](https://techdocs.akamai.com/edge-dns/reference/edge-dns-api).
See the "Get Started" section of [Edge DNS Zone Management API](https://techdocs.akamai.com/edge-dns/reference/edge-dns-api),
which says, "To enable this API, choose the API service named DNS—Zone Record Management, and set the access level to READ-WRITE."
Follow directions at [Authenticate With EdgeGrid](https://www.akamai.com/developer) to generate
the required credentials.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `AKAMAIEDGEDNS` along with the authentication fields.
Example:
{% code title="creds.json" %}
```json
{
"akamaiedgedns": {
"TYPE": "AKAMAIEDGEDNS",
"client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"host": "akaa-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx.akamaiapis.net",
"access_token": "akaa-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"client_token": "akaa-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"contract_id": "X-XXXX",
"group_id": "NNNNNN"
}
}
```
{% endcode %}
## Usage
A new zone created by DNSControl:
```shell
dnscontrol create-domains
```
automatically creates SOA and authoritative NS records.
Akamai assigns a unique set of authoritative nameservers for each contract. These authorities should be
used as the NS records on all zones belonging to this contract.
The NS records for these authorities have a TTL of 86400.
Add:
{% code title="dnsconfig.js" %}
```javascript
NAMESERVER_TTL(86400)
```
{% endcode %}
modifier to the dnscontrol.js D() function so that DNSControl does not change the TTL of the authoritative NS records.
Example `dnsconfig.js`:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_AKAMAIEDGEDNS = NewDnsProvider("akamaiedgedns");
D("example.com", REG_NONE, DnsProvider(DSP_AKAMAIEDGEDNS),
NAMESERVER_TTL(86400),
AUTODNSSEC_ON,
AKAMAICDN("@", "www.preconfigured.edgesuite.net", TTL(20)),
A("foo", "1.2.3.4")
);
```
{% endcode %}
AKAMAICDN is a proprietary record type that is used to configure [Zone Apex Mapping](https://www.akamai.com/blog/security/edge-dns--zone-apex-mapping---dnssec).
The AKAMAICDN target must be preconfigured in the Akamai network.

View File

@ -0,0 +1,34 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `AUTODNS` along with
[username, password and a context](https://help.internetx.com/display/APIXMLEN/Authentication#Authentication-AuthenticationviaCredentials(username/password/context)).
Example:
{% code title="creds.json" %}
```json
{
"autodns": {
"TYPE": "AUTODNS",
"username": "autodns.service-account@example.com",
"password": "[***]",
"context": "33004"
}
}
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_AUTODNS = NewDnsProvider("autodns");
D("example.com", REG_NONE, DnsProvider(DSP_AUTODNS),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,290 @@
This provider uses the native DNS protocols. It uses the AXFR (RFC5936,
Zone Transfer Protocol) to retrieve the existing records and DDNS
(RFC2136, Dynamic Update) to make corrections. It can use TSIG (RFC2845) or
IP-based authentication (ACLs).
It is able to work with any standards-compliant
authoritative DNS server. It has been tested with
[BIND](https://www.isc.org/bind/), [Knot](https://www.knot-dns.cz/),
and [Yadifa](https://www.yadifa.eu/home).
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `AXFRDDNS`.
### Connection modes
Zone transfers default to TCP, DDNS updates default to UDP when
using this provider.
The following two parameters in `creds.json` allow switching
to TCP or TCP over TLS.
* `update-mode`: May contain `udp` (the default), `tcp`, or `tcp-tls`.
* `transfer-mode`: May contain `tcp` (the default), or `tcp-tls`.
### Authentication
Authentication information is included in the `creds.json` entry for
the provider:
* `transfer-key`: If this exists, the value is used to authenticate AXFR transfers.
* `update-key`: If this exists, the value is used to authenticate DDNS updates.
For instance, your `creds.json` might looks like:
{% code title="creds.json" %}
```json
{
"axfrddns": {
"TYPE": "AXFRDDNS",
"transfer-key": "hmac-sha256:transfer-key-id:Base64EncodedSecret=",
"update-key": "hmac-sha256:update-key-id:AnotherSecret="
}
}
```
{% endcode %}
If either key is missing, DNSControl defaults to IP-based ACL
authentication for that function. Including both keys is the most
secure option. Omitting both keys defaults to IP-based ACLs for all
operations, which is the least secure option.
If distinct zones require distinct keys, you will need to instantiate the
provider once for each key:
{% code title="dnsconfig.js" %}
```javascript
var DSP_AXFRDDNS_A = NewDnsProvider("axfrddns-a");
var DSP_AXFRDDNS_B = NewDnsProvider("axfrddns-b");
```
{% endcode %}
And update `creds.json` accordingly:
{% code title="creds.json" %}
```json
{
"axfrddns-a": {
"TYPE": "AXFRDDNS",
"transfer-key": "hmac-sha256:transfer-key-id:Base64EncodedSecret=",
"update-key": "hmac-sha256:update-key-id:AnotherSecret="
},
"axfrddns-b": {
"TYPE": "AXFRDDNS",
"transfer-key": "hmac-sha512:transfer-key-id-B:SmallSecret=",
"update-key": "hmac-sha512:update-key-id-B:YetAnotherSecret="
}
}
```
{% endcode %}
### Default nameservers
The AXFR+DDNS provider can be configured with a list of default
nameservers. They will be added to all the zones handled by the
provider.
This list can be provided either as metadata or in `creds.json`. Only
the later allows `get-zones` to work properly.
{% code title="dnsconfig.js" %}
```javascript
var DSP_AXFRDDNS = NewDnsProvider("axfrddns", {
"default_ns": [
"ns1.example.com.",
"ns2.example.com.",
"ns3.example.com.",
"ns4.example.com."
]
}
)
```
{% endcode %}
{% code title="creds.json" %}
```json
{
"axfrddns": {
"TYPE": "AXFRDDNS",
"nameservers": "ns1.example.com,ns2.example.com,ns3.example.com,ns4.example.com"
}
}
```
{% endcode %}
### Primary master
By default, the AXFR+DDNS provider will send the AXFR requests and the
DDNS updates to the first nameserver of the zone, usually known as the
"primary master". Typically, this is the first of the default
nameservers. Though, on some networks, the primary master is a private
node, hidden behind slaves, and it does not appear in the `NS` records
of the zone. In that case, the IP or the name of the primary server
must be provided in `creds.json`. With this option, a non-standard
port might be used.
{% code title="creds.json" %}
```json
{
"axfrddns": {
"TYPE": "AXFRDDNS",
"master": "10.20.30.40:5353"
}
}
```
{% endcode %}
When no nameserver appears in the zone, and no default nameservers nor
custom master are configured, the AXFR+DDNS provider will fail with
the following error message:
```text
[Error] AXFRDDNS: the nameservers list cannot be empty.
Please consider adding default `nameservers` or an explicit `master` in `creds.json`.
```
### Transfer/AXFR server
As mentioned above, the AXFR+DDNS provider will send AXFR requests to the
primary master for the zone. On some networks, the AXFR requests are handled
by a separate server to DDNS requests. Use the `transfer-server` option in
`creds.json`. If not specified, it falls back to the primary master.
{% code title="creds.json" %}
```json
{
"axfrddns": {
"TYPE": "AXFRDDNS",
"transfer-server": "233.252.0.0"
}
}
```
{% endcode %}
### Buggy DNS servers regarding CNAME updates
When modifying a CNAME record, or when replacing an A record by a
CNAME one in a single batched DDNS update, some DNS servers
(e.g. Knot) will incorrectly reject the update. For this particular
case, you might set the option `buggy-cname = "yes"` in `creds.json`.
The changes will then be split in two DDNS updates, applied
successively by the server. This will allow Knot to successfully apply
the changes, but you will loose the atomic-update property.
### Example: local testing
When testing `dnscontrol` against a local nameserver, you might use
the following minimal configuration:
{% code title="creds.json" %}
```json
{
"axfrddns": {
"TYPE": "AXFRDDNS",
"master": "127.0.0.1"
}
}
```
{% endcode %}
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DNS = NewDnsProvider("axfrddns", {
default_ns: [
"ns.example.com.",
],
});
D("example.com", REG_NONE, DnsProvider(DNS),
A("ns", "127.0.0.1")
)
```
{% endcode %}
## Server configuration examples
### Bind9
Here is a sample `named.conf` example for an authauritative server on
zone `example.com`. It uses a simple IP-based ACL for the AXFR
transfer and a conjunction of TSIG and IP-based ACL for the updates.
{% code title="named.conf" %}
```text
options {
listen-on { any; };
listen-on-v6 { any; };
allow-query { any; };
allow-notify { none; };
allow-recursion { none; };
allow-transfer { none; };
allow-update { none; };
allow-query-cache { none; };
};
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { example-transfer; };
allow-update { example-update; };
};
## Allow transfer to anyone on our private network
acl example-transfer {
172.17.0.0/16;
};
## Allow update only from authenticated client on our private network
acl example-update {
! {
!172.17.0.0/16;
any;
};
key update-key-id;
};
key update-key-id {
algorithm HMAC-SHA256;
secret "AnotherSecret=";
};
```
{% endcode %}
## FYI: get-zones
When using `get-zones`, a custom master or a list of default
nameservers should be configured in `creds.json`.
THe AXFR+DDNS provider does not display DNSSec records. But, if any
DNSSec records is found in the zone, it will replace all of them with
a single placeholder record:
```text
__dnssec IN TXT "Domain has DNSSec records, not displayed here."
```
## FYI: create-domain
The AXFR+DDNS provider is not able to create domain.
## FYI: AUTODNSSEC
The AXFR+DDNS provider is not able to ask the DNS server to sign the zone. But, it is able to check whether the server seems to do so or not.
When AutoDNSSEC is enabled, the AXFR+DDNS provider will emit a warning when no RRSIG, DNSKEY or NSEC records are found in the zone.
When AutoDNSSEC is disabled, the AXFR+DDNS provider will emit a warning when RRSIG, DNSKEY or NSEC records are found in the zone.
When AutoDNSSEC is not enabled or disabled, no checking is done.
## FYI: MD5 Support
By default the used DNS Go package by miekg has deprecated supporting the (insecure) MD5 algorithm [https://github.com/miekg/dns/commit/93945c284489394b77653323d11d5de83a2a6fb5](https://github.com/miekg/dns/commit/93945c284489394b77653323d11d5de83a2a6fb5). Some providers like the Leibniz Supercomputing Centre (LRZ) located in Munich still use this algorithm to authenticate internal dynamic DNS updates. To compensate the lack of MD5 a custom MD5 TSIG Provider was added into DNSControl.

View File

@ -0,0 +1,75 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `AZURE_DNS`
along with the API credentials.
Example:
{% code title="creds.json" %}
```json
{
"azuredns_main": {
"TYPE": "AZURE_DNS",
"SubscriptionID": "AZURE_SUBSCRIPTION_ID",
"ResourceGroup": "AZURE_RESOURCE_GROUP",
"TenantID": "AZURE_TENANT_ID",
"ClientID": "AZURE_CLIENT_ID",
"ClientSecret": "AZURE_CLIENT_SECRET"
}
}
```
{% endcode %}
You can also use environment variables:
```shell
export AZURE_SUBSCRIPTION_ID=XXXXXXXXX
export AZURE_RESOURCE_GROUP=YYYYYYYYY
export AZURE_TENANT_ID=ZZZZZZZZ
export AZURE_CLIENT_ID=AAAAAAAAA
export AZURE_CLIENT_SECRET=BBBBBBBBB
```
{% code title="creds.json" %}
```json
{
"azuredns_main": {
"TYPE": "AZURE_DNS",
"SubscriptionID": "$AZURE_SUBSCRIPTION_ID",
"ResourceGroup": "$AZURE_RESOURCE_GROUP",
"ClientID": "$AZURE_CLIENT_ID",
"TenantID": "$AZURE_TENANT_ID",
"ClientSecret": "$AZURE_CLIENT_SECRET"
}
}
```
{% endcode %}
NOTE: The ResourceGroup is case sensitive.
## Metadata
This provider does not recognize any special metadata fields unique to Azure DNS.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_AZURE_MAIN = NewDnsProvider("azuredns_main");
D("example.com", REG_NONE, DnsProvider(DSP_AZURE_MAIN),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a standard [Client credentials Authentication](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) with permission to list, create and update hosted zones.
## New domains
If a domain does not exist in your Azure account, DNSControl will *not* automatically add it with the `push` command. You can do that either manually via the control panel, or via the command `dnscontrol create-domains` command.
## Caveats
The ResourceGroup is case sensitive.

View File

@ -0,0 +1,74 @@
## Configuration
This provider is for the [Azure Private DNS Service](https://learn.microsoft.com/en-us/azure/dns/private-dns-overview). This provider can only manage Azure Private DNS zones and will not manage public Azure DNS zones. To use this provider, add an entry to `creds.json` with `TYPE` set to `AZURE_PRIVATE_DNS`
along with the API credentials.
Example:
{% code title="creds.json" %}
```json
{
"azure_private_dns_main": {
"TYPE": "AZURE_PRIVATE_DNS",
"SubscriptionID": "AZURE_PRIVATE_SUBSCRIPTION_ID",
"ResourceGroup": "AZURE_PRIVATE_RESOURCE_GROUP",
"TenantID": "AZURE_PRIVATE_TENANT_ID",
"ClientID": "AZURE_PRIVATE_CLIENT_ID",
"ClientSecret": "AZURE_PRIVATE_CLIENT_SECRET"
}
}
```
{% endcode %}
You can also use environment variables:
```shell
export AZURE_SUBSCRIPTION_ID=XXXXXXXXX
export AZURE_RESOURCE_GROUP=YYYYYYYYY
export AZURE_TENANT_ID=ZZZZZZZZ
export AZURE_CLIENT_ID=AAAAAAAAA
export AZURE_CLIENT_SECRET=BBBBBBBBB
```
{% code title="creds.json" %}
```json
{
"azure_private_dns_main": {
"TYPE": "AZURE_PRIVATE_DNS",
"SubscriptionID": "$AZURE_PRIVATE_SUBSCRIPTION_ID",
"ResourceGroup": "$AZURE_PRIVATE_RESOURCE_GROUP",
"ClientID": "$AZURE_PRIVATE_CLIENT_ID",
"TenantID": "$AZURE_PRIVATE_TENANT_ID",
"ClientSecret": "$AZURE_PRIVATE_CLIENT_SECRET"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Azure Private DNS.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_AZURE_PRIVATE_MAIN = NewDnsProvider("azure_private_dns_main");
D("example.com", REG_NONE, DnsProvider(DSP_AZURE_PRIVATE_MAIN),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a standard [Client credentials Authentication](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) with permission to list, create and update private zones.
## New domains
If a domain does not exist in your Azure account, DNSControl will *not* automatically add it with the `push` command. You can do that manually via the control panel.
## Caveats
The ResourceGroup is case sensitive.

View File

@ -0,0 +1,136 @@
This provider maintains a directory with a collection of .zone files
as appropriate for ISC BIND, and other systems that use the RFC 1035
zone-file format.
This provider does not generate or update the named.conf file, nor does it deploy the .zone files to the BIND master.
Both of those tasks are different at each site, so they are best done by a locally-written script.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `BIND`.
Optional fields include:
* `directory`: Location of the zone files. Default: `zones` (in the current directory).
* `filenameformat`: The formula used to generate the zone filenames. The default is usually sufficient. Default: `"%U.zone"`
Example:
{% code title="creds.json" %}
```json
{
"bind": {
"TYPE": "BIND",
"directory": "myzones"
}
}
```
{% endcode %}
## Meta configuration
This provider accepts some optional metadata in the NewDnsProvider() call.
* `default_soa`: If no SOA record exists in a zone file, one will be created. The values of the new SOA are specified here.
* `default_ns`: Inject these NS records into the zone.
In this example we set the default SOA settings and NS records.
{% code title="dnsconfig.js" %}
```javascript
var DSP_BIND = NewDnsProvider("bind", {
"default_soa": {
"master": "ns1.example.com.",
"mbox": "spamtrap.example.com.",
"refresh": 3600,
"retry": 600,
"expire": 604800,
"minttl": 1440,
},
"default_ns": [
"ns1.example.com.",
"ns2.example.com.",
"ns3.example.com.",
"ns4.example.com."
]
})
```
{% endcode %}
# FYI: SOA Records
SOA records are a bit weird in DNSControl. Most providers auto-generate SOA records and do not permit any modifications. BIND is unique in that it requires users to manage the SOA records themselves.
Because BIND is unique, BIND's SOA support is kind of a hack. It leaves the SOA record alone, with 2 exceptions:
1. The serial number: If something in the zone changes, the serial number is incremented (see below).
2. Missing SOAs: If there is no SOA record in a zone (or the zone is being created for the first time), the SOA is created. The initial values are taken from the `default_soa` settings.
The `default_soa` values are only used when creating an SOA for the first time. The values are not used to update an SOA. Most people edit the SOA values by manually editing the zonefile or using the `SOA()` function.
# FYI: SOA serial numbers
DNSControl maintains beautiful zone serial numbers.
DNSControl tries to maintain the serial number as yyyymmddvv. The algorithm for increasing the serial number is to select the max of (current serial + 1) and (yyyymmdd00). If you use a number larger than today's date (say, 2099000099) DNSControl will simply increment it forever.
The good news is that DNSControl is smart enough to only increment a zone's serial number if something in the zone changed. It does not increment the serial number just because DNSControl ran.
DNSControl does not handle special serial number math such as "looping through zero" nor does it pay attention to the rules around the maximum delta permitted. Those are simply avoided because yyyymmdd99 fits in the first quadrant of the 32-bit serial number space. If you don't understand this paragraph consider yourself lucky; with DNSControl you don't need to.
# filenameformat
The `filenameformat` parameter specifies the file name to be used when
writing the zone file. The default (`%U.zone`) is acceptable in most cases: the
file name is the name as specified in the `D()` function plus ".zone".
The filenameformat is a string with a few printf-like `%` verbs:
* `%U` the domain name as specified in `D()`
* `%D` the domain name without any split horizon tag (the "example.com" part of "example.com!tag")
* `%T` the split horizon tag, or "" (the "tag" part of "example.com!tag")
* `%?x` this returns `x` if the split horizon tag is non-null, otherwise nothing. `x` can be any printable.
* `%%` `%`
* ordinary characters (not `%`) are copied unchanged to the output stream
* FYI: format strings must not end with an incomplete `%` or `%?`
Typical values:
* `%U.zone` (The default)
* `example.com.zone` or `example.com!tag.zone`
* `%T%*U%D.zone` (optional tag and `_` + domain + `.zone`)
* `tag_example.com.zone` or `example.com.zone`
* `db_%T%?_%D`
* `db_inside_example.com` or `db_example.com`
* `db_%D`
* `db_example.com`
The last example will generate the same name for both
`D("example.com!inside")` and `D("example.com!outside")`. This
assumes two BIND providers are configured in `creds.json`, each with
a different `directory` setting. Otherwise `dnscontrol` will write
both domains to the same file, flapping between the two back and
forth.
(new in v4.2.0) `dnscontrol push` will create subdirectories along the path to
the filename. This includes both the portion of the path created by the
`directory` setting and the `filenameformat` setting. The automatic creation of
subdirectories is disabled if `dnscontrol` is running as root for security
reasons.
# FYI: get-zones
The DNSControl `get-zones all` subcommand scans the directory for
any files named `*.zone` and assumes they are zone files.
```shell
dnscontrol get-zones --format=nameonly - BIND all
```
If `filenameformat` is defined, `dnscontrol` makes an guess at which
filenames are zones but doesn't try to hard to get it right, which is
mathematically impossible in some cases. Feel free to file an issue if
your format string doesn't work. I love a challenge!

View File

@ -0,0 +1,69 @@
# Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `BUNNY_DNS` along with
your [Bunny API Key](https://dash.bunny.net/account/settings).
Example:
{% code title="creds.json" %}
```json
{
"bunny_dns": {
"TYPE": "BUNNY_DNS",
"api_key": "your-bunny-api-key"
}
}
```
{% endcode %}
You can also use environment variables:
```shell
export BUNNY_DNS_API_KEY=XXXXXXXXX
```
{% code title="creds.json" %}
```json
{
"bunny_dns": {
"TYPE": "BUNNY_DNS",
"api_key": "$BUNNY_DNS_API_KEY"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Bunny DNS.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_BUNNY_DNS = NewDnsProvider("bunny_dns");
D("example.com", REG_NONE, DnsProvider(DSP_BUNNY_DNS),
A("test", "1.2.3.4")
);
```
{% endcode %}
# Activation
DNSControl depends on the [Bunny API](https://docs.bunny.net/reference/bunnynet-api-overview) to manage your DNS
records. You will need to generate an [API key](https://dash.bunny.net/account/settings) to use this provider.
## New domains
If a domain does not exist in your Bunny account, DNSControl will automatically add it with the `push` command.
## Caveats
- Bunny DNS does not support dual-hosting or configuring custom TTLs for NS records on the zone apex.
- While custom nameservers are properly recognized by this provider, it is currently not possible to configure them.
- Any custom record types like Script, Redirect, Flatten or Pull Zone are currently not supported by this provider. Such
records will be completely ignored by DNSControl and left as-is.

View File

@ -0,0 +1,291 @@
This is the provider for [Cloudflare](https://www.cloudflare.com/).
## Important notes
* SPF records are silently converted to RecordType `TXT` as Cloudflare API fails otherwise. See [StackExchange/dnscontrol#446](https://github.com/StackExchange/dnscontrol/issues/446).
* This provider currently fails if there are more than 1000 corrections on one domain. This only affects "push". This usually when moving a domain with many records to Cloudflare. Try commenting out most records, then uncomment groups of 999. Typical updates are less than 1000 corrections and will not trigger this bug. See [StackExchange/dnscontrol#1440](https://github.com/StackExchange/dnscontrol/issues/1440).
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `CLOUDFLAREAPI`.
Optional fields include:
* `accountid` and `apitoken`: Authentication information
* `apikey` and `apiuser`: Old-style authentication
Example:
{% code title="creds.json" %}
```json
{
"cloudflare": {
"TYPE": "CLOUDFLAREAPI",
"accountid": "your-cloudflare-account-id",
"apitoken": "your-cloudflare-api-token"
}
}
```
{% endcode %}
# Authentication
The Cloudflare API supports two different authentication methods.
NOTE: You can not mix the two authentication methods. If you try, DNSControl will report an error.
## API Tokens (recommended)
The recommended (newer) method is to
provide a [Cloudflare API token](https://dash.cloudflare.com/profile/api-tokens).
This method is enabled by setting the `apitoken` value in `creds.json`:
{% code title="creds.json" %}
```json
{
"cloudflare": {
"TYPE": "CLOUDFLAREAPI",
"accountid": "your-cloudflare-account-id",
"apitoken": "your-cloudflare-api-token"
}
}
```
{% endcode %}
* `accountid` is found in the Cloudflare portal ("Account ID") on any "Website" page. Click on any site and you'll see the "Account ID" on the lower right side of the page.
* `apitoken` is something you must create. See [Cloudflare's documentation](https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys) for instructions on how to generate and configure permissions on API tokens. (Spoiler alert: [link](https://dash.cloudflare.com/profile/api-tokens). The token must be granted rights (authorization to do certain tasks) at a very granular level.
DNSControl requires the token to have the following permissions:
* Add: Read zones (`Zone → Zone → Read`)
* Add: Edit DNS records (`Zone → DNS → Edit`)
* Add: Enable SSL controls (`Zone → SSL and Certificates → Edit`)
* Editing Page Rules?
* Add: Edit Page Rules (`Zone → Page Rules → Edit`)
* Managing Cloudflare Workers? (if `manage_workers`: set to `true` or `CF_WORKER_ROUTE()` is in use.)
* Add: Edit Worker Scripts (`Account → Workers Scripts → Edit`)
* Add: Edit Worker Scripts (`Zone → Workers Routes → Edit`)
![Example permissions configuration](../assets/providers/cloudflareapi/example-permissions-configuration.png)
## Username+Key (not recommended)
The other (older, not recommended) method is to
provide your Cloudflare API username and access key.
This method is not recommended because these credentials give DNSControl access to everything (think of it as "super user" for your account).
This method is enabled by setting the `apikey` and `apiuser` values in `creds.json`:
{% code title="creds.json" %}
```json
{
"cloudflare": {
"TYPE": "CLOUDFLAREAPI",
"accountid": "your-cloudflare-account-id",
"apikey": "your-cloudflare-api-key",
"apiuser": "your-cloudflare-email-address"
}
}
```
{% endcode %}
* `accountid` (see above)
* `apiuser` is the email address associated with the account.
* `apikey` is found on [My Profile / API Tokens](https://dash.cloudflare.com/profile/api-tokens).
## Meta configuration
This provider accepts some optional metadata:
Record level metadata available:
* `cloudflare_proxy` ("on", "off", or "full")
Domain level metadata available:
* `cloudflare_proxy_default` ("on", "off", or "full")
* `cloudflare_universalssl` (unset to leave this setting unmanaged; otherwise use "on" or "off")
* NOTE: If "universal SSL" isn't working, verify the API key has `Zone → SSL and Certificates → Edit` permissions. See above.
Provider level metadata available:
* `ip_conversions`
* `manage_redirects`: set to `true` to manage page-rule based redirects
* `manage_workers`: set to `true` to manage cloud workers (`CF_WORKER_ROUTE`)
What does on/off/full mean?
* "off" disables the Cloudflare proxy
* "on" enables the Cloudflare proxy (turns on the "orange cloud")
* "full" is the same as "on" but also enables Railgun. DNSControl will prevent you from accidentally enabling "full" on a CNAME that points to an A record that is set to "off", as this is generally not desired.
You can also set the default proxy mode using `DEFAULTS()` function. For example:
{% code title="dnsconfig.js" %}
```javascript
DEFAULTS(
CF_PROXY_DEFAULT_OFF // turn proxy off when not specified otherwise
);
```
{% endcode %}
**Aliases:**
To make configuration files more readable and less prone to errors,
the following aliases are *pre-defined*:
{% code title="dnsconfig.js" %}
```javascript
// Meta settings for individual records.
var CF_PROXY_OFF = {"cloudflare_proxy": "off"}; // Proxy disabled.
var CF_PROXY_ON = {"cloudflare_proxy": "on"}; // Proxy enabled.
var CF_PROXY_FULL = {"cloudflare_proxy": "full"}; // Proxy+Railgun enabled.
// Per-domain meta settings:
// Proxy default off for entire domain (the default):
var CF_PROXY_DEFAULT_OFF = {"cloudflare_proxy_default": "off"};
// Proxy default on for entire domain:
var CF_PROXY_DEFAULT_ON = {"cloudflare_proxy_default": "on"};
// UniversalSSL off for entire domain:
var CF_UNIVERSALSSL_OFF = { cloudflare_universalssl: "off" };
// UniversalSSL on for entire domain:
var CF_UNIVERSALSSL_ON = { cloudflare_universalssl: "on" };
```
{% endcode %}
The following example shows how to set meta variables with and without aliases:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare");
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
A("www1","1.2.3.11", CF_PROXY_ON), // turn proxy ON.
A("www2","1.2.3.12", CF_PROXY_OFF), // default is OFF, this is a no-op.
A("www3","1.2.3.13", {"cloudflare_proxy": "on"}) // Old format.
);
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare");
// Example domain where the CF proxy abides by the default (off).
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
A("proxied", "1.2.3.4", CF_PROXY_ON),
A("notproxied", "1.2.3.5"),
A("another", "1.2.3.6", CF_PROXY_ON),
ALIAS("@", "www.example.com.", CF_PROXY_ON),
CNAME("myalias", "www.example.com.", CF_PROXY_ON)
);
// Example domain where the CF proxy default is set to "on":
D("example2.tld", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
CF_PROXY_DEFAULT_ON, // Enable CF proxy for all items unless otherwise noted.
A("proxied", "1.2.3.4"),
A("notproxied", "1.2.3.5", CF_PROXY_OFF),
A("another", "1.2.3.6"),
ALIAS("@", "www.example2.tld."),
CNAME("myalias", "www.example2.tld.")
);
```
{% endcode %}
## New domains
If a domain does not exist in your Cloudflare account, DNSControl
will automatically add it when `dnscontrol push` is executed.
## Redirects
The Cloudflare provider can manage "Forwarding URL" Page Rules (redirects) for your domains. Simply use the `CF_REDIRECT` and `CF_TEMP_REDIRECT` functions to make redirects:
{% code title="dnsconfig.js" %}
```javascript
// chiphacker.com should redirect to electronics.stackexchange.com
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare", {"manage_redirects": true}); // enable manage_redirects
D("chiphacker.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
// ...
// 302 for meta subdomain
CF_TEMP_REDIRECT("meta.chiphacker.com/*", "https://electronics.meta.stackexchange.com/$1"),
// 301 all subdomains and preserve path
CF_REDIRECT("*chiphacker.com/*", "https://electronics.stackexchange.com/$2"),
// A redirect must have A records with orange cloud on. Otherwise the HTTP/HTTPS request will never arrive at Cloudflare.
A("meta", "1.2.3.4", CF_PROXY_ON),
// ...
);
```
{% endcode %}
Notice a few details:
1. We need an A record with cloudflare proxy on, or the page rule will never run.
2. The IP address in those A records may be mostly irrelevant, as cloudflare should handle all requests (assuming some page rule matches).
3. Ordering matters for priority. CF_REDIRECT records will be added in the order they appear in your js. So put catch-alls at the bottom.
4. if _any_ `CF_REDIRECT` or `CF_TEMP_REDIRECT` functions are used then `dnscontrol` will manage _all_ "Forwarding URL" type Page Rules for the domain. Page Rule types other than "Forwarding URL" will be left alone. In other words, `dnscontrol` will delete any Forwarding URL it doesn't recognize. Be careful!
## Worker routes
The Cloudflare provider can manage Worker Routes for your domains. Simply use the `CF_WORKER_ROUTE` function passing the route pattern and the worker name:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDFLARE = NewDnsProvider("cloudflare", {"manage_workers": true}); // enable managing worker routes
D("foo.com", REG_NONE, DnsProvider(DSP_CLOUDFLARE),
// Assign the patterns `api.foo.com/*` and `foo.com/api/*` to `my-worker` script.
CF_WORKER_ROUTE("api.foo.com/*", "my-worker"),
CF_WORKER_ROUTE("foo.com/api/*", "my-worker"),
);
```
{% endcode %}
The API key you use must be enabled to edit workers. In the portal, edit the API key,
under "Permissions" add "Account", "Workers Scripts", "Edit". Without this permission you may see errors that mention "failed fetching worker route list from cloudflare: bad status code from cloudflare: 403 not 200"
Please notice that if _any_ `CF_WORKER_ROUTE` function is used then `dnscontrol` will manage _all_
Worker Routes for the domain. To be clear: this means it will delete existing routes that
were created outside of DNSControl.
## Integration testing
The integration tests assume that Cloudflare Workers are enabled and the credentials used
have the required permissions listed above. The flag `-cfworkers=false` will disable tests related to Workers.
This flag is intended for use with legacy domains where the integration test credentials do not
have access to read/edit Workers. This flag will eventually go away.
```shell
cd integrationTest # NOTE: Not needed if already in that subdirectory
go test -v -verbose -provider CLOUDFLAREAPI -cfworkers=false
```
When `-cfworkers=false` is set, tests related to Workers are skipped. The Account ID is not required.
## Cloudflare special TTLs
Cloudflare plays tricks with TTLs. Cloudflare uses "1" to mean "auto-ttl";
which as far as we can tell means 300 seconds (5 minutes) with the option that
CloudFlare may dynamically adjust the actual TTL. In the Cloudflare API,
setting the TTL to 300 results in the TTL being set to 1.
If the TTL isn't set to 1, Cloudflare has a minimum of 1 minutes.
A TTL of 0 tells DNSControl to use the default TTL for that provider, which is 1.
In summary:
* TTL of 0, 1 and 300 are all the same ("auto TTL").
* TTL of 2-60 are all the same as 60.
* TTL of 61-299, and 301 to infinity are not magic.
Some of this is documented on the Cloudflare website's [Time to Live (TTL)](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/) page.

View File

@ -0,0 +1,84 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `CLOUDNS`
along with your [Api user ID and password](https://www.cloudns.net/wiki/article/42/).
Example:
{% code title="creds.json" %}
```json
{
"cloudns": {
"TYPE": "CLOUDNS",
"auth-id": "12345",
"sub-auth-id": "12345",
"auth-password": "your-password"
}
}
```
{% endcode %}
Current version of provider doesn't support `sub-auth-user`.
## Records
ClouDNS does support DS Record on subdomains (not the apex domain itself).
ClouDNS requires NS records exist for any DS records. No other records for
the same label may exist (A, MX, TXT, etc.). If DNSControl is adding NS and
DS records in the same update, the NS records will be inserted first.
## Metadata
This provider does not recognize any special metadata fields unique to ClouDNS.
## Web Redirects
ClouDNS supports ClouDNS-specific "WR record (web redirects)" for your domains.
Simply use the `CLOUDNS_WR` functions to make redirects like any other record:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDNS = NewDnsProvider("cloudns");
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDNS),
CLOUDNS_WR("@", "http://example.com/"),
CLOUDNS_WR("www", "http://example.com/")
)
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_CLOUDNS = NewDnsProvider("cloudns");
D("example.com", REG_NONE, DnsProvider(DSP_CLOUDNS),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
[Create Auth ID](https://www.cloudns.net/api-settings/). Only paid account can use API
## Caveats
ClouDNS does not allow all TTLs, only a specific subset of TTLs. By default, the following [TTLs are supported](https://www.cloudns.net/wiki/article/188/):
- 60 (1 minute)
- 300 (5 minutes)
- 900 (15 minutes)
- 1800 (30 minutes)
- 3600 (1 hour)
- 21600 (6 hours)
- 43200 (12 hours)
- 86400 (1 day)
- 172800 (2 days)
- 259200 (3 days)
- 604800 (1 week)
- 1209600 (2 weeks)
- 2419200 (4 weeks)
The provider will automatically round up your TTL to one of these values. For example, 350 seconds would become 900
seconds, but 300 seconds would stay 300 seconds.

View File

@ -0,0 +1,46 @@
DNSControl's CSC Global provider supports being a Registrar. Support for being a DNS Provider is not included, although CSC Global's API does provide for this so it could be implemented in the future.
{% hint style="info" %}
**NOTE**: Experimental support for being a DNS Provider is available.
However it is not recommended as updates take 5-7 minutes, and the
next update is not permitted until the previous update is complete.
Use it at your own risk. Consider it experimental and undocumented.
{% endhint %}
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `CSCGLOBAL`.
In your `creds.json` file, you must provide your API key and user/client token. You can optionally provide an comma separated list of email addresses to have CSC Global send updates to.
Example:
{% code title="creds.json" %}
```json
{
"cscglobal": {
"TYPE": "CSCGLOBAL",
"api-key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"user-token": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
"notification_emails": "test@example.com,hostmaster@example.com"
}
}
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_CSCGLOBAL = NewRegistrar("cscglobal");
var DSP_BIND = NewDnsProvider("bind");
D("example.com", REG_CSCGLOBAL, DnsProvider(DSP_BIND),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
To get access to the [CSC Global API](https://www.cscglobal.com/cscglobal/docs/dbs/domainmanager/api-v2/) contact your account manager.

View File

@ -0,0 +1,46 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DESEC`
along with a deSEC account auth token.
Example:
{% code title="creds.json" %}
```json
{
"desec": {
"TYPE": "DESEC",
"auth-token": "your-deSEC-auth-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to deSEC.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_DESEC = NewDnsProvider("desec");
D("example.com", REG_NONE, DnsProvider(DSP_DESEC),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a deSEC account auth token.
This token can be obtained by [logging in via the deSEC API](https://desec.readthedocs.io/en/latest/auth/account.html#log-in).
{% hint style="warning" %}
deSEC enforces a daily limit of 300 RRset creation/deletion/modification per
domain. Large changes may have to be done over the course of a few days. The
integration test suite can not be run in a single session. See
[https://desec.readthedocs.io/en/latest/rate-limits.html#api-request-throttling](https://desec.readthedocs.io/en/latest/rate-limits.html#api-request-throttling)
{% endhint %}

View File

@ -0,0 +1,43 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DIGITALOCEAN`
along with your [DigitalOcean OAuth Token](https://cloud.digitalocean.com/settings/applications).
Example:
{% code title="creds.json" %}
```json
{
"mydigitalocean": {
"TYPE": "DIGITALOCEAN",
"token": "your-digitalocean-ouath-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to DigitalOcean.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_DIGITALOCEAN = NewDnsProvider("mydigitalocean");
D("example.com", REG_NONE, DnsProvider(DSP_DIGITALOCEAN),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
[Create OAuth Token](https://cloud.digitalocean.com/settings/applications)
## Limitations
- Digitalocean DNS doesn't support `;` value with CAA-records ([DigitalOcean documentation](https://www.digitalocean.com/docs/networking/dns/how-to/create-caa-records/))
- While Digitalocean DNS supports TXT records with multiple strings,
their length is limited by the max API request of 512 octets.

View File

@ -0,0 +1,62 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DNSIMPLE`
along with a DNSimple account access token.
You can also set the `baseurl` to use [DNSimple's free sandbox](https://developer.dnsimple.com/sandbox/) for testing.
Examples:
{% code title="creds.json" %}
```json
{
"dnsimple": {
"TYPE": "DNSIMPLE",
"token": "your-dnsimple-account-access-token"
},
"dnsimple_sandbox": {
"TYPE": "DNSIMPLE",
"baseurl": "https://api.sandbox.dnsimple.com",
"token": "your-sandbox-account-access-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to DNSimple.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_DNSIMPLE = NewRegistrar("dnsimple");
var DSP_DNSIMPLE = NewDnsProvider("dnsimple");
D("example.com", REG_DNSIMPLE, DnsProvider(DSP_DNSIMPLE),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a DNSimple account access token.
## Caveats
### TXT record length
The DNSimple API supports TXT records of up to 1000 "characters" (assumed to
be octets, per DNS norms, not Unicode characters in an encoding).
See https://support.dnsimple.com/articles/txt-record/
## Development
### Debugging
Set `DNSIMPLE_DEBUG_HTTP` environment variable to `1` to dump all API calls made by this provider.

View File

@ -0,0 +1,61 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DNSMADEEASY`
along with your `api_key` and `secret_key`. More info about authentication can be found in [DNS Made Easy API docs](https://api-docs.dnsmadeeasy.com/).
Example:
{% code title="creds.json" %}
```json
{
"dnsmadeeasy": {
"TYPE": "DNSMADEEASY",
"api_key": "1c1a3c91-4770-4ce7-96f4-54c0eb0e457a",
"secret_key": "e2268cde-2ccd-4668-a518-8aa8757a65a0"
}
}
```
{% endcode %}
## Records
ALIAS/ANAME records are supported.
This provider does not support HTTPRED records.
SPF records are ignored by this provider. Use TXT records instead.
## Metadata
This provider does not recognize any special metadata fields unique to DNS Made Easy.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_DNSMADEEASY = NewDnsProvider("dnsmadeeasy");
D("example.com", REG_NONE, DnsProvider(DSP_DNSMADEEASY),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
You can generate your `api_key` and `secret_key` in [Control Panel](https://cp.dnsmadeeasy.com/) in Account Information in Config menu.
API is only available for Business plan and higher plans.
## Caveats
### Global Traffic Director
Global Traffic Director feature is not supported.
## Development
### Debugging
Set `DNSMADEEASY_DEBUG_HTTP` environment variable to dump all API calls made by this provider.
### Testing
Set `sandbox` key to any non-empty value in credentials JSON alongside `api_key` and `secret_key` to make all API calls against DNS Made Easy sandbox environment.

View File

@ -0,0 +1,59 @@
This is a read-only/monitoring "registrar". It does a DNS NS lookup to confirm the nameserver servers are correct. This "registrar" is unable to update/correct the NS servers but will alert you if they are incorrect. A common use of this provider is when the domain is with a registrar that does not have an API.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DNSOVERHTTPS`.
{% code title="creds.json" %}
```json
{
"dohdefault": {
"TYPE": "DNSOVERHTTPS"
}
}
```
{% endcode %}
The DNS-over-HTTPS provider defaults to using Google Public DNS however you may configure an alternative RFC 8484 DoH provider using the `host` parameter.
Example:
{% code title="creds.json" %}
```json
{
"dohcloudflare": {
"TYPE": "DNSOVERHTTPS",
"host": "cloudflare-dns.com"
}
}
```
{% endcode %}
Some common DoH providers are:
* `cloudflare-dns.com` ([Cloudflare](https://developers.cloudflare.com/1.1.1.1/dns-over-https))
* `9.9.9.9` ([Quad9](https://www.quad9.net/about/))
* `dns.google` ([Google Public DNS](https://developers.google.com/speed/public-dns/docs/doh))
## Metadata
This provider does not recognize any special metadata fields unique to DOH.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_MONITOR = NewRegistrar("dohcloudflare");
D("example.com", REG_MONITOR,
NAMESERVER("ns1.example.com."),
NAMESERVER("ns2.example.com."),
);
```
{% endcode %}
{% hint style="info" %}
**NOTE**: This checks the NS records via a DNS query. It does not check the
registrar's delegation (i.e. the `Name Server:` field in whois). In theory
these are the same thing but there may be situations where they are not.
{% endhint %}

View File

@ -0,0 +1,42 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DOMAINNAMESHOP`
along with your [Domainnameshop Token and Secret](https://www.domeneshop.no/admin?view=api).
Example:
{% code title="creds.json" %}
```json
{
"mydomainnameshop": {
"TYPE": "DOMAINNAMESHOP",
"token": "your-domainnameshop-token",
"secret": "your-domainnameshop-secret"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Domainnameshop.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_DOMAINNAMESHOP = NewDnsProvider("mydomainnameshop");
D("example.com", REG_NONE, DnsProvider(DSP_DOMAINNAMESHOP),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
[Create API Token and secret](https://www.domeneshop.no/admin?view=api)
## Limitations
- Domainnameshop DNS only supports TTLs which are a multiple of 60.

View File

@ -0,0 +1,41 @@
DNSControl's Dynadot provider supports being a Registrar. Support for being a DNS Provider is not included, but could be added in the future.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `DYNADOT`
along with `key` from the [Dynadot API](https://www.dynadot.com/account/domain/setting/api.html).
Example:
{% code title="creds.json" %}
```json
{
"dynadot": {
"TYPE": "DYNADOT",
"key": "API Key",
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Dynadot.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_DYNADOT = NewRegistrar("dynadot");
DOMAIN_ELSEWHERE("example.com", REG_DYNADOT, [
"ns1.example.net.",
"ns2.example.net.",
"ns3.example.net.",
]);
```
{% endcode %}
## Activation
You must [enable the Dynadot API](https://www.dynadot.com/account/domain/setting/api.html) for your account and whitelist the IP address of the machine that will run DNSControl.

View File

@ -0,0 +1,44 @@
DNSControl's easyname provider supports being a Registrar. Support for being a DNS Provider is not included, but could be added in the future.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `EASYNAME`
along with [API-Access](https://my.easyname.com/en/account/api) information
Example:
{% code title="creds.json" %}
```json
{
"easyname": {
"TYPE": "EASYNAME",
"apikey": "API Key",
"authsalt": "API Authentication Salt",
"email": "example@example.com",
"signsalt": "API Signing Salt",
"userid": 12345
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to easyname.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_EASYNAME = NewRegistrar("easyname");
D("example.com", REG_EASYNAME,
NAMESERVER("ns1.example.com."),
NAMESERVER("ns2.example.com."),
);
```
{% endcode %}
## Activation
You must enable API-Access for your account.

View File

@ -0,0 +1,19 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `EXOSCALE`
along with your Exoscale credentials.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_EXOSCALE = NewDnsProvider("exoscale");
D("example.com", REG_NONE, DnsProvider(DSP_EXOSCALE),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,99 @@
`GANDI_V5` uses the v5 API and can act as a registrar provider
or a DNS provider. It is only able to work with domains
migrated to the new LiveDNS API, which should be all domains.
API keys are assigned to particular users. Go to User Settings,
"Manage the user account and security settings", the "Security"
tab, then regenerate the "Production API key".
* API Documentation: https://api.gandi.net/docs
* API Endpoint: https://api.gandi.net/
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `GANDI_V5`
along your Gandi.net API key. The [sharing_id](https://api.gandi.net/docs/reference/) is optional.
The `sharing_id` selects between different organizations which your account is
a member of; to manage domains in multiple organizations, you can use multiple
`creds.json` entries.
How to find the `sharing_id`: The sharing ID is the second hex string found in
the URL on the portal. Log into the Gandi website, click on "organizations" in
the leftnav, and click on the organization name. The URL will be something
like:
```text
https://admin.gandi.net/organizations/[not this hex string]/PLTS/[sharing id]/profile
```
Example:
{% code title="creds.json" %}
```json
{
"gandi": {
"TYPE": "GANDI_V5",
"apikey": "your-gandi-key",
"sharing_id": "your-sharing_id"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Gandi.
## Limitations
This provider does not support using `ALIAS` in combination with DNSSEC,
whether `AUTODNSSEC` or otherwise.
This provider only supports `ALIAS` on the `"@"` zone apex, not on any other
names.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_GANDI = NewRegistrar("gandi");
var DSP_GANDI = NewDnsProvider("gandi");
D("example.com", REG_GANDI, DnsProvider(DSP_GANDI),
A("test", "1.2.3.4")
);
```
{% endcode %}
If you are converting from the old "GANDI" provider,
simply change "GANDI" to "GANDI_V5" in `dnsconfig.js`.
Be sure to test with `dnscontrol preview` before running `dnscontrol push`.
## New domains
If a domain does not exist in your Gandi account, DNSControl will *not* automatically add it with the `create-domains` command. You'll need to do that via the web UI manually.
## Common errors
#### Error getting corrections
```text
Error getting corrections: 401: The server could not verify that you authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad api key), or your access token has expired
```
This is the error you'll see if your `apikey` in `creds.json` is wrong or invalid.
#### Domain does not exist in profile
```text
WARNING: Domain 'example.com' does not exist in the 'secname' profile and will be added automatically.
```
This error is caused by the internal `ListZones()` functions returning no domain names. This is usually because your `creds.json` information is pointing at an empty organization or no organization. The solution is to set
`sharing_id` in `creds.json`.
#### get-zones "nameonly" returns nothing
If a `dnscontrol get-zones --format=nameonly CredId - all` returns nothing,
this is usually because your `creds.json` information is pointing at an empty
organization or no organization. The solution is to set `sharing_id` in
`creds.json`.

View File

@ -0,0 +1,133 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `GCLOUD`.
For authentication you can either include a Service Account Key in the file or use Application Default Credentials (ADC)
### Using a Service Account Key
Copy the full JSON object into your `creds.json`. Newlines in the private key need to be replaced with `\n`.
Example:
{% code title="creds.json" %}
```json
{
"gcloud": {
"TYPE": "GCLOUD",
"type": "service_account",
"project_id": "mydnsproject",
"private_key_id": "0000000000000000000000000000000000000000",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADL00000000000000000OX\nih0DbxhiQ==\n-----END PRIVATE KEY-----\n",
"client_email": "dnscontrolacct@mydnsproject.iam.gserviceaccount.com",
"client_id": "000000000000000000000",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dnscontrolsdfsdfsdf%40craigdnstest.iam.gserviceaccount.com",
"name_server_set": "optional_name_server_set_name (contact your TAM)"
}
}
```
{% endcode %}
**Note**:
* Don't confuse the `TYPE` and `type` fields. `TYPE` is set to `GCLOUD` and specifies which provider type to use. `type` specifies the type of account in use.
* The JSON object that Google sends includes many, many fields. The `project_id`, `private_key`, and `client_email`, are the only fields that are required. The example above includes all fields.
* `name_server_set` is optional and requires special permission from your TAM at Google in order to setup (See [Name server sets](#name-server-sets) below)
See [the Activation section](#activation) for some tips on obtaining these credentials.
### Using Application Default Credentials
If you prefer to authenticate using ADC you only need to specify `project_id` in your `creds.json` file.
Example:
```json
{
"gcloud": {
"TYPE": "GCLOUD",
"project_id": "mydnsproject"
}
}
```
**Note:** To use ADC, make sure to not add any `private_key` value to your configuration as that will prevent DNSControl from attempting to use ADC.
## Metadata
This provider does not recognize any special metadata fields unique to google cloud dns.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECOM = NewRegistrar("name.com");
var DSP_GCLOUD = NewDnsProvider("gcloud");
D("example.com", REG_NAMECOM, DnsProvider(DSP_GCLOUD),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
1. Go to your app-engine console and select the appropriate project.
2. Go to "API Manager > Credentials", and create a new "Service Account Key"
![Create new Service Accoun](../assets/gcloud/create-credentials-service-account-key.png)
3. Choose an existing user, or create a new one. The user requires the "DNS Administrator" role.
4. Download the JSON key and copy it into your `creds.json` under the name of your gcloud provider.
## New domains
If a domain does not exist in your Google Cloud DNS account, DNSControl
will *not* automatically add it with the `push` command. You'll need to do that via the
control panel manually or via the `create-domains` command.
## Name server sets
This optional feature lets you pin domains to a set of GCLOUD name servers. The `nameServerSet` field is exposed in their API but there is
currently no facility for creating a name server set. You need special permission from your technical account manager at Google and they
will enable it on your account, responding with a list of names to use in the `name_server_set` field above.
> `name_server_set` only applies on `create-domains` at the moment. Additional work needs to be done to support it during `push`
## Private Domains
This optional feature allows for the instantiation of Google Cloud DNS zones with the `Visibility` field set to `private` and with specific Google Cloud VPC Networks granted visibility to the zone.
Example:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECOM = NewRegistrar("name.com");
var DSP_GCLOUD = NewDnsProvider("gcloud", {
"visibility": "private",
"networks": [
"https://www.googleapis.com/compute/v1/projects/mydnsproject/global/networks/myvpcnetwork",
"my2ndvpcnetwork"
]
});
D("example.tld", REG_NAMECOM, DnsProvider(DSP_GCLOUD),
A("test", "1.2.3.4")
);
```
{% endcode %}
> `visiblity` and `networks` only applies on `create-domains` at the moment. Neither setting is enforced by the provider after a zone is created. Additional work is required to support modifications to `networks` visibility during `push`, however the API will not permit `visibility` to be modified on an existing zone.
> `networks` may be specified using the network name if the VPC network exists in `project_id`
> multiple network urls may be specified in `networks`
> split horizon zones using the `GCLOUD` provider are currently only supported when the providers' credentials target separate `project_id` values
# Debugging credentials
You can test your `creds.json` entry with the command: `dnscontrol check-creds foo GCLOUD` where `foo` is the name of key used in `creds.json`. Error messages you might see:
* `googleapi: Error 403: Permission denied on resource project REDACTED., forbidden`
* Hint: `project_id` may be invalid.
* `private key should be a PEM or plain PKCS1 or PKCS8; parse error:`
* Hint: `private_key` may be invalid.
* `Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}`
* Hint: `client_email` may be invalid.

View File

@ -0,0 +1,40 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `GCORE`
along with a Gcore account API token.
Example:
{% code title="creds.json" %}
```json
{
"gcore": {
"TYPE": "GCORE",
"api-key": "your-gcore-api-key"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Gcore.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_GCORE = NewDnsProvider("gcore");
D("example.com", REG_NONE, DnsProvider(DSP_GCORE),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a Gcore account API token.
You can obtain your API token on this page: <https://accounts.gcore.com/profile/api-tokens>

View File

@ -0,0 +1,117 @@
## Important Note
Hurricane Electric does not currently expose an official JSON or XML API, and as such, this provider interacts directly
with the web interface. Because there is no officially supported API, this provider may cease to function if Hurricane
Electric changes their interface, and you should be willing to accept this possibility before relying on this provider.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `HEDNS`
along with
your `dns.he.net` account username and password. These are the same username
and password used to log in to the [web interface](https://dns.he.net).
{% code title="creds.json" %}
```json
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword"
}
}
```
{% endcode %}
### Two factor authentication
If two-factor authentication has been enabled on your account you will also need to provide a valid TOTP code.
This can also be done via an environment variable:
{% code title="creds.json" %}
```json
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword",
"totp": "$HEDNS_TOTP"
}
}
```
{% endcode %}
and then you can run
```shell
HEDNS_TOTP=12345 dnscontrol preview
```
It is also possible to directly provide the shared TOTP secret using the key "totp-key" in `creds.json`. This secret is
only available when first enabling two-factor authentication.
**Security Warning**:
* Anyone with access to this `creds.json` file will have *full* access to your Hurricane Electric account and will be
able to modify and delete your DNS entries
* Storing the shared secret together with the password weakens two factor authentication because both factors are stored
in a single place.
{% code title="creds.json" %}
```json
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword",
"totp-key": "yourTOTPSharedSecret"
}
}
```
{% endcode %}
### Persistent Sessions
Normally this provider will refresh authentication with each run of dnscontrol. This can lead to issues when using
two-factor authentication if two runs occur within the time period of a single TOTP token (30 seconds), as reusing the
same token is explicitly disallowed by RFC 6238 (TOTP).
To work around this limitation, if multiple requests need to be made, the option `"session-file-path"` can be set in
`creds.json`, which is the directory where a `.hedns-session` file will be created. This can be used to allow reuse of an
existing session between runs, without the need to re-authenticate.
This option is disabled by default when this key is not present,
**Security Warning**:
* Anyone with access to this `.hedns-session` file will be able to use the existing session (until it expires) and have
*full* access to your Hurrican Electric account and will be able to modify and delete your DNS entries.
* It should be stored in a location only trusted users can access.
{% code title="creds.json" %}
```json
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword",
"totp-key": "yourTOTPSharedSecret",
"session-file-path": "."
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Hurricane Electric DNS.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_HEDNS = NewDnsProvider("hedns");
D("example.com", REG_NONE, DnsProvider(DSP_HEDNS),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,100 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `HETZNER`
along with a [Hetzner API Key](https://dns.hetzner.com/settings/api-token).
Example:
{% code title="creds.json" %}
```json
{
"hetzner": {
"TYPE": "HETZNER",
"api_key": "your-api-key"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Hetzner
DNS Console.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_HETZNER = NewDnsProvider("hetzner");
D("example.com", REG_NONE, DnsProvider(DSP_HETZNER),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
Create a new API Key in the
[Hetzner DNS Console](https://dns.hetzner.com/settings/api-token).
## Caveats
### CAA
As of June 2022, the Hetzner DNS Console API does not accept spaces in CAA
records.
```text
0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234"
```
Removing the spaces might still work for any consumer of the record.
```text
0 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234"
```
### SOA
Hetzner DNS Console does not allow changing the SOA record via their API.
There is an alternative method using an import of a full BIND file, but this
approach does not play nice with incremental changes or ignored records.
At this time you cannot update SOA records via DNSControl.
### Rate Limiting
Hetzner is rate limiting requests quite heavily.
The rate limit and remaining quota is advertised in the API response headers.
DNSControl will burst through half of the quota, and then it spreads the
requests evenly throughout the remaining window. This allows you to move fast
and be able to revert accidental changes to the DNS config in a timely manner.
Every response from the Hetzner DNS Console API includes your limits:
```shell
curl --silent --include \
--header 'Auth-API-Token: ...' \
https://dns.hetzner.com/api/v1/zones
Access-Control-Allow-Origin *
Content-Type application/json; charset=utf-8
Date Sat, 01 Apr 2023 00:00:00 GMT
Ratelimit-Limit 42
Ratelimit-Remaining 33
Ratelimit-Reset 7
Vary Origin
X-Ratelimit-Limit-Minute 42
X-Ratelimit-Remaining-Minute 33
```
With the above values, DNSControl will not delay the next 12 requests (until it
hits `Ratelimit-Remaining: 21 # 42/2`) and then slow down requests with a
delay of `7s/22 ≈ 300ms` between requests (about 3 requests per second).
Performing these 12 requests might take longer than 7s, at which point the
quota resets and DNSControl will burst through the quota again.
DNSControl will retry rate-limited requests (status 429) and respect the
advertised `Retry-After` delay.

View File

@ -0,0 +1,120 @@
HEXONET is a leading developer and operator of domain names and DNS platforms.
Individual, service provider and registrars around the globe choose HEXONET for
domains and DNS because of our advanced technology, operational performance and
up-time, and most importantly for DNS expertise. DNSControl with HEXONET's DNS
marries DNS automation with an industry-leading DNS platform that supports DNSSEC,
PremiumDNS via Anycast Network, and nearly all of DNSControl's listed provider features.
This is based on API documents found at [https://wiki.hexonet.net/wiki/DNS_API](https://wiki.hexonet.net/wiki/DNS_API)
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `HEXONET`
along with your HEXONET login data.
Example:
{% code title="creds.json" %}
```json
{
"hexonet": {
"TYPE": "HEXONET",
"apilogin": "your-hexonet-account-id",
"apipassword": "your-hexonet-account-password",
"apientity": "LIVE", // for the LIVE system; use "OTE" for the OT&E system
"ipaddress": "172.31.3.16", // provide here your outgoing ip address
"debugmode": "0", // set it to "1" to get debug output of the communication with our Backend System API
}
}
```
{% endcode %}
Here a working example for our OT&E System:
{% code title="creds.json" %}
```json
{
"hexonet": {
"TYPE": "HEXONET",
"apilogin": "test.user",
"apipassword": "test.passw0rd",
"apientity": "OTE",
"debugmode": "0"
}
}
```
{% endcode %}
{% hint style="info" %}
**NOTE**: The above credentials are known to the public.
{% endhint %}
With the above hexonet entry in `creds.json`, you can run the
integration tests as follows:
```shell
dnscontrol get-zones --format=nameonly hexonet HEXONET all
```
```shell
# Review the output. Pick one domain and set HEXONET_DOMAIN.
export HEXONET_DOMAIN=yodream.com # Pick a domain name.
export HEXONET_ENTITY=OTE
export HEXONET_UID=test.user
export HEXONET_PW=test.passw0rd
cd integrationTest # NOTE: Not needed if already in that subdirectory
go test -v -verbose -provider HEXONET
```
## Usage
Here's an example DNS Configuration `dnsconfig.js` using our provider module.
Even though it shows how you use us as Domain Registrar AND DNS Provider, we don't force you to do that.
You are free to decide if you want to use both of our provider technology or just one of them.
{% code title="dnsconfig.js" %}
```javascript
var REG_HEXONET = NewRegistrar("hexonet");
var DSP_HEXONET = NewDnsProvider("hexonet");
// Set Default TTL for all RR to reflect our Backend API Default
// If you use additional DNS Providers, configure a default TTL
// per domain using the domain modifier DefaultTTL instead.
// also check this issue for [NAMESERVER TTL](https://github.com/StackExchange/dnscontrol/issues/176).
DEFAULTS(
{"ns_ttl":"3600"},
DefaultTTL(3600)
);
D("example.com", REG_HEXONET, DnsProvider(DSP_HEXONET),
NAMESERVER("ns1.ispapi.net"),
NAMESERVER("ns2.ispapi.net"),
NAMESERVER("ns3.ispapi.net"),
NAMESERVER("ns4.ispapi.net"),
A("elk1", "10.190.234.178"),
A("test", "56.123.54.12")
);
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to HEXONET.
## get-zones
`dnscontrol get-zones` is implemented for this provider. The list
includes both basic and premier zones.
## New domains
If a dnszone does not exist in your HEXONET account, DNSControl will *not* automatically add it with the `dnscontrol push` or `dnscontrol preview` command. You'll need to do that via the control panel manually or using the command `dnscontrol create-domains`.
This is because it could lead to unwanted costs on customer-side that we want to avoid.
## Debug Mode
As shown in the configuration examples above, this can be activated on demand and it can be used to check the API commands send to our system.
In general this is thought for our purpose to have an easy way to dive into issues. But if you're interested what's going on, feel free to activate it.
## IP Filter
In case you have ip filter settings made for your HEXONET account, please provide your outgoing ip address as shown in the configuration examples above.

View File

@ -0,0 +1,76 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `HOSTINGDE`
along with your [`authToken` and optionally an `ownerAccountId`](https://www.hosting.de/api/#requests-and-authentication).
Example:
{% code title="creds.json" %}
```json
{
"hosting.de": {
"TYPE": "HOSTINGDE",
"authToken": "YOUR_API_KEY"
}
}
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_HOSTINGDE = NewRegistrar("hosting.de");
var DSP_HOSTINGDE = NewDnsProvider("hosting.de");
D("example.com", REG_HOSTINGDE, DnsProvider(DSP_HOSTINGDE),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Using this provider with http.net and others
http.net and other DNS service providers use an API that is compatible with hosting.de's API.
Using them requires setting the `baseURL` and (optionally) overriding the default nameservers.
### Example http.net configuration
An example `creds.json` configuration:
{% code title="creds.json" %}
```json
{
"http.net": {
"TYPE": "HOSTINGDE",
"authToken": "YOUR_API_KEY",
"baseURL": "https://partner.http.net"
}
}
```
{% endcode %}
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_HTTPNET = NewRegistrar("http.net");
var DSP_HTTPNET = NewDnsProvider("http.net", {
"default_ns": [
"ns1.routing.net.",
"ns2.routing.net.",
"ns3.routing.net.",
],
});
```
{% endcode %}
#### Why this works
hosting.de has the concept of _nameserver sets_ but this provider does not implement it.
The `HOSTINGDE` provider **ignores the default nameserver set** defined in your account to avoid unintentional changes and consolidate the full configuration in DNSControl.
Instead, it uses hosting.de's nameservers (`ns1.hosting.de.`, `ns2.hosting.de.`, and `ns3.hosting.de.`) by default, regardless of your account settings.
Using the `default_ns` metadata, the default nameserver set can be overwritten.

View File

@ -0,0 +1,41 @@
DNSControl's Internet.bs provider supports being a Registrar. Support for being a DNS Provider is not included, but could be added in the future.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `INTERNETBS`
along with an API key and account password.
Example:
{% code title="creds.json" %}
```json
{
"internetbs": {
"TYPE": "INTERNETBS",
"api-key": "your-api-key",
"password": "account-password"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Internet.bs.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_INTERNETBS = NewRegistrar("internetbs");
D("example.com", REG_INTERNETBS,
NAMESERVER("ns1.example.com."),
NAMESERVER("ns2.example.com."),
);
```
{% endcode %}
## Activation
Pay attention, you need to define white list of IP for API. But you always can change it on `My Profile > Reseller Settings`

View File

@ -0,0 +1,111 @@
INWX.de is a Berlin-based domain registrar.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `INWX`
along with your INWX username and password.
**Example:**
{% code title="creds.json" %}
```json
{
"inwx": {
"TYPE": "INWX",
"password": "yourPassword",
"username": "yourUsername"
}
}
```
{% endcode %}
### Two-factor authentication
INWX supports two-factor authentication via TOTP and does not allow TOTP codes to be reused. This means that you will only be able to log into your INWX account once every 30 seconds.
You will hit this limitation in the following two scenarios:
* You run DNSControl twice very quickly (to e.g. first use preview and then push). Waiting for 30 seconds to pass between these two invocations will work fine though.
* You use INWX as both the registrar and the DNS provider. In this case, DNSControl will try to login twice too quickly and the second login will fail because a TOTP code will be reused. The only way to support this configuration is to use a INWX account without two-factor authentication.
If you cannot work around these two limitation it is possible to create and manage sub-account - with specific permission sets - dedicated for API access with two-factor
authentication disabled. This is possible at [inwx.de/en/account](https://www.inwx.de/en/account).
If two-factor authentication has been enabled you will also need to provide a valid TOTP number.
This can also be done via an environment variable:
{% code title="creds.json" %}
```json
{
"inwx": {
"TYPE": "INWX",
"username": "yourUsername",
"password": "yourPassword",
"totp": "$INWX_TOTP"
}
}
```
{% endcode %}
and then you can run
```shell
INWX_TOTP=12345 dnscontrol preview
```
It is also possible to directly provide the shared TOTP secret using the key "totp-key" in `creds.json`.
This secret is only shown once when two-factor authentication is enabled and you'll have to make sure to write it down then.
**Important Notes**:
* Anyone with access to this `creds.json` file will have *full* access to your INWX account and will be able to transfer and/or delete your domains
* Storing the shared secret together with the password weakens two-factor authentication because both factors are stored in a single place.
{% code title="creds.json" %}
```json
{
"inwx": {
"TYPE": "INWX",
"username": "yourUsername",
"password": "yourPassword",
"totp-key": "yourTOTPSharedSecret"
}
}
```
{% endcode %}
### Sandbox
You can optionally also specify sandbox with a value of 1 to redirect all requests to the sandbox API instead:
{% code title="creds.json" %}
```json
{
"inwx": {
"TYPE": "INWX",
"username": "yourUsername",
"password": "yourPassword",
"sandbox": "1"
}
}
```
{% endcode %}
If sandbox is omitted or set to any other value the production API will be used.
## Metadata
This provider does not recognize any special metadata fields unique to INWX.
## Usage
An example `dnsconfig.js` configuration file
for `example.com` registered with INWX
and delegated to Cloudflare:
{% code title="dnsconfig.js" %}
```javascript
var REG_INWX = NewRegistrar("inwx");
var DSP_CF = NewDnsProvider("cloudflare");
D("example.com", REG_INWX, DnsProvider(DSP_CF),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,58 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `LINODE`
along with your [Linode Personal Access Token](https://cloud.linode.com/profile/tokens).
Example:
{% code title="creds.json" %}
```json
{
"linode": {
"TYPE": "LINODE",
"token": "your-linode-personal-access-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Linode.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_LINODE = NewDnsProvider("linode");
D("example.com", REG_NONE, DnsProvider(DSP_LINODE),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
[Create Personal Access Token](https://cloud.linode.com/profile/tokens)
## Caveats
Linode does not allow all TTLs, but only a specific subset of TTLs. The following TTLs are supported
([source](https://www.linode.com/docs/api/domains/#domains-list__responses)):
- 0 (Default, currently equivalent to 1209600, or 14 days)
- 300
- 3600
- 7200
- 14400
- 28800
- 57600
- 86400
- 172800
- 345600
- 604800
- 1209600
- 2419200
The provider will automatically round up your TTL to one of these values. For example, 600 seconds would become 3600
seconds, but 300 seconds would stay 300 seconds.

View File

@ -0,0 +1,230 @@
Loopia is a 💩 provider of DNS. Using DNSControl hides some of the 💩.
If you are stuck with Loopia, hopefully this will reduce the pain.
They provide DNS services, both as a registrar, and a provider.
They provide support in English and other regional variants (Norwegian, Serbian, Swedish).
This plugin is based on API documents found at
[https://www.loopia.com/api/](https://www.loopia.com/api/)
and by observing API responses. Hat tip to GitHub @hazzeh whose code for the
LEGO Loopia implementation was helpful.
Sadly the Loopia API has some problems:
* API calls are limited to 60 calls per minute. If you go above this,
you will have to wait before you can make changes.
* When rate-limited, you will not receive a single HTTP
error: The errors propagate from the back-end, with no headers, or
Retry-After or anything useful.
* There are no guarantees of idempotency from their API.
## Unimplemented API methods
* `removeDomain` is not implemented for safety reasons. Should you wish to remove
a domain, do so from the Loopia control panel.
* `addDomain`
* `transferDomain` (to Loopia)
This effectively means that this plugin does not access registrar functions.
## Errors
You may occasionally see this error
```text
HTTP Post Error: Post "https://api.loopia.se/RPCSERV": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```
The API endpoint didn't answer. Try again. 🤷
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `LOOPIA`
along with your Loopia API login credentials.
Example:
{% code title="creds.json" %}
```json
{
"loopia": {
"TYPE": "LOOPIA",
"username": "your-loopia-api-account-id@loopiaapi",
"password": "your-loopia-api-account-password",
"debug": "true" // Set to true for extra debug output. Remove or set to false to prevent extra debug output.
}
}
```
{% endcode %}
### Variables
* `username` - string - your @loopiaapi created username
* `password` - string - your loopia API password
* `debug` - string - Set to true for extra debug output. Remove or set to false to prevent extra debug output.
* `rate_limit_per` - string - See [Rate Limiting](#rate-limiting) below.
* `region` - string - See [Regions](#regions) below.
* `modify_name_servers` - string - See [Modify Name Servers](#modify-name-servers) below.
* `fetch_apex_ns_entries` - string - See [Fetch NS Entries](#fetch-apex-ns-entries) below.
There is no test endpoint. Fly free, grasshopper.
Turning on debug will show the XML requests and responses, and include the
username and password from your `creds.json` file. If you want to share these,
like for a GitHub issue, be sure to redact those from the XML.
### Fetch Apex NS Entries
`creds.json` setting: `fetch_apex_ns_entries`
... or use locally hard-coded variables:
```go
defaultNS1 = "ns1.loopia.se."
defaultNS2 = "ns2.loopia.se."
```
API calls to loopia can be expensive time-wise. Set this to "false" (off) to
skip the API call to fetch the apex (`@`) entries, and use Loopia's default NS
servers.
This setting defaults to "true" (on).
### Modify Name Servers
`creds.json` setting: `modify_name_servers`
Setting this to "true" (on) allows you to modify NS entries.
Loopia is weird. NS entries are inaccessible in the control panel. But you can see them.
Perhaps dnscontrol added an NS that you cannot delete now? Toggle this setting to
"true" in order to treat all NS entries as any other - making them accessible
to modification. Beware the consequences of changing from default NS entries. Likely
nothing will happen since the glue records provided won't match those in the domain,
and you will need to manually inform Loopia of this so they can update the glue records.
In short: enable this setting to be able to delete NS entries. No `NS()` in your
`dnsconfig.js`? Existing ones will be deleted. Have some `NS()` or `NAMESERVER()`
entries? They'll be added.
This setting defaults to "false" (off).
### Regions
`creds.json` setting: `region`
Loopia operate in a few regions. Norway (`no`), Serbia (`rs`), Sweden (`se`).
For the parameter `region`, specify one of `no`, `rs`, `se`, or omit, or leave empty for the default `se` Sweden.
As of writing, `no` was broken 💩 and produced:
```text
HTTP Post Error: Post "https://api.loopia.no/RPCSERV": x509: “*.loopia.rs” certificate name does not match input
```
### Rate Limiting
`creds.json` setting: `rate_limit_per`
Loopia rate limits requests to 60 per minute.
From their [web-site](https://www.loopia.com/api/rate_limiting/):
```text
You can make up to 60 calls per minute to LoopiaAPI. Of those, a maximum of 15 can be domain searches.
```
Depending on how many requests you make, you may encounter a limit. Modification
of each DNS record requires at least one API call. 🤦
Example: If the rate is 60/min and you make two requests every second, the 31st
request will be rejected. You will then have to wait for 29 seconds, until the
first requests age reaches one minute. At that time, it will be dropped from
the calculation, and you can make another request. One second later, and
generally every time an old requests age falls out of the sliding window
counting interval, you can make another request.
Your per minute quota is 60 requests and in your settings you
specified `Minute`. DNSControl will perform at most one request per second.
DNSControl will emit a warning in case it breaches the quota.
The setting `rate_limit_per` controls this behavior and accepts
a case-insensitive value of
- `Hour`
- `Minute`
- `Second`
The default for `rate_limit_per` is `Second`.
In your `creds.json` for all `LOOPIA` provider entries:
{% code title="creds.json" %}
```json
{
"loopia": {
"TYPE": "LOOPIA",
"username": "your-loopia-api-account-id@loopiaapi",
"password": "your-loopia-api-account-password",
"debug": "true", // Set to true for extra debug output. Remove or set to false to prevent extra debug output.
"rate_limit_per": "Minute"
}
}
```
{% endcode %}
## Usage
Here's an example DNS Configuration `dnsconfig.js` using the provider module.
Even though it shows how you use Loopia as Domain Registrar AND DNS Provider,
you're not forced to do that (thank god).
{% code title="dnsconfig.js" %}
```javascript
var REG_LOOPIA = NewRegistrar("loopia");
var DSP_LOOPIA = NewDnsProvider("loopia");
// Set Default TTL for all RR to reflect our Backend API Default
// If you use additional DNS Providers, configure a default TTL
// per domain using the domain modifier DefaultTTL instead.
DEFAULTS(
NAMESERVER_TTL(3600),
DefaultTTL(3600)
);
D("example.com", REG_LOOPIA, DnsProvider(DSP_LOOPIA),
//NAMESERVER("ns1.loopia.se."), //default
//NAMESERVER("ns2.loopia.se."), //default
A("elk1", "192.0.2.1"),
A("test", "192.0.2.2")
);
```
{% endcode %}
## Special notes about newer standards
Loopia does not yet support [RFC7505](https://www.rfc-editor.org/rfc/rfc7505), so null `MX` records are
currently prohibited.
Until such a time when they do begin to support this, Loopias
`auditrecords.go` code prohibits this.
## Metadata
This provider does not recognize any special metadata fields unique to LOOPIA.
## get-zones
`dnscontrol get-zones` is implemented for this provider.
## New domains
If a dnszone does not exist in your LOOPIA account, DNSControl will *not* automatically add it with the `dnscontrol push` or `dnscontrol preview` command. You'll need to do that via the control panel manually or using the command `dnscontrol create-domains`.
This is because it could lead to unwanted costs on customer-side that you may want to avoid.
## Debug Mode
As shown in the configuration examples above, this can be activated on demand and it can be used to check the API commands sent to Loopia.

View File

@ -0,0 +1,44 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `LUADNS`
along with your [email and API key](https://www.luadns.com/api.html#authentication).
Example:
{% code title="creds.json" %}
```json
{
"luadns": {
"TYPE": "LUADNS",
"email": "your-email",
"apikey": "your-api-key"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to LuaDNS.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_LUADNS = NewDnsProvider("luadns");
D("example.com", REG_NONE, DnsProvider(DSP_LUADNS),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
[Create API key](https://api.luadns.com/api_keys).
## Caveats
- LuaDNS cannot change the default nameserver TTL in `nameserver_ttl`, it is forced to fixed at 86400("1d").
This is not the case if you are using vanity nameservers.
- This provider does not currently support the "FORWARD" and "REDIRECT" record types.
- The API is available on the LuaDNS free plan, but due to the limit of 30 records, some tests will fail when doing integration tests.

View File

@ -0,0 +1,60 @@
This provider updates a Microsoft DNS server.
It interacts with the server via PowerShell commands. As a result, DNSControl
must be run on Windows and will automatically disable itself when run on
non-Windows systems.
DNSControl will use `New-PSSession` to execute the commands remotely if
`computername` is set in `creds.json` (see below).
# Caveats
* Two systems updating a zone is never a good idea. If Windows Dynamic
DNS and DNSControl are both updating a zone, there will be
unhappiness. DNSControl will blindly remove the dynamic records
unless precautions such as `IGNORE*` and `NO_PURGE` are in use.
# Running on Non-Windows systems
Currently this driver disables itself when run on Non-Windows systems.
It should be possible for non-Windows hosts with PowerShell Core installed to
execute commands remotely via SSH. The module used to talk to PowerShell
supports this. It should be easy to implement. Volunteers requested.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `MSDNS`
along with other settings:
* `dnsserver`: (optional) the name of the Microsoft DNS Server to communicate with.
* `psusername`: (optional) the username to connect to the PowerShell PSSession host.
* `pspassword`: (optional) the password to connect to the PowerShell PSSession host.
Example:
{% code title="creds.json" %}
```json
{
"msdns": {
"TYPE": "MSDNS",
"dnsserver": "ny-dc01",
"psusername": "mywindowsusername",
"pspassword": "mysupersecurepassword"
}
}
```
{% endcode %}
An example DNS configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_MSDNS = NewDnsProvider("msdns");
D("example.com", REG_NONE, DnsProvider(DSP_MSDNS),
A("test", "1.2.3.4")
)
```
{% endcode %}

View File

@ -0,0 +1,39 @@
This is the provider for [Mythic Beasts](https://www.mythic-beasts.com/) using its [Primary DNS API v2](https://www.mythic-beasts.com/support/api/dnsv2).
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `MYTHICBEASTS` along with a Mythic Beasts API key ID and secret.
Example:
{% code title="creds.json" %}
```json
{
"mythicbeasts": {
"TYPE": "MYTHICBEASTS",
"keyID": "xxxxxxx",
"secret": "xxxxxx"
}
}
```
{% endcode %}
## Usage
For each domain:
* Domains must be added in the [web UI](https://www.mythic-beasts.com/customer/domains), and have DNS enabled.
* In Mythic Beasts' DNS management web UI, new domains will have set a default DNS template of "Mythic Beasts nameservers only". You must set this to "None".
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_MYTHIC = NewDnsProvider("mythicbeasts");
D("example.com", REG_NONE, DnsProvider(DSP_MYTHIC),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,79 @@
This is the provider for [Namecheap](https://www.namecheap.com/).
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `NAMECHEAP`
along with your Namecheap API username and key:
Example:
{% code title="creds.json" %}
```json
{
"namecheap": {
"TYPE": "NAMECHEAP",
"apikey": "yourApiKeyFromNameCheap",
"apiuser": "yourUsername"
}
}
```
{% endcode %}
You can optionally specify BaseURL to use a different endpoint - typically the
sandbox:
{% code title="creds.json" %}
```json
{
"namecheapSandbox": {
"TYPE": "NAMECHEAP",
"apikey": "yourApiKeyFromNameCheap",
"apiuser": "yourUsername",
"BaseURL": "https://api.sandbox.namecheap.com/xml.response"
}
}
```
{% endcode %}
if BaseURL is omitted, the production namecheap URL is assumed.
## Metadata
This provider does not recognize any special metadata fields unique to
Namecheap.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECHEAP = NewRegistrar("namecheap");
var DSP_BIND = NewDnsProvider("bind");
D("example.com", REG_NAMECHEAP, DnsProvider(DSP_BIND),
A("test", "1.2.3.4")
);
```
{% endcode %}
Namecheap provides custom redirect records URL, URL301, and FRAME. These
records can be used like any other record:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECHEAP = NewRegistrar("namecheap");
var DSP_NAMECHEAP = NewDnsProvider("namecheap");
D("example.com", REG_NAMECHEAP, DnsProvider(DSP_NAMECHEAP),
URL("@", "http://example.com/"),
URL("www", "http://example.com/"),
URL301("backup", "http://backup.example.com/")
)
```
{% endcode %}
## Activation
In order to activate API functionality on your Namecheap account, you must
enable it for your account and wait for their review process. More information
on enabling API access is [located
here](https://www.namecheap.com/support/api/intro.aspx).

View File

@ -0,0 +1,109 @@
{% hint style="info" %}
**NOTE**: This provider is currently has no maintainer. We are looking for
a volunteer. If this provider breaks it may be disabled or removed if
it can not be easily fixed.
{% endhint %}
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `NAMEDOTCOM`
along with your name.com API username and access token:
Example:
{% code title="creds.json" %}
```json
{
"name.com": {
"TYPE": "NAMEDOTCOM",
"apikey": "yourApiKeyFromName.com",
"apiuser": "yourUsername"
}
}
```
{% endcode %}
There is another key name `apiurl` but it is optional and defaults to the correct value. If you want to use the test environment ("OT&E"), then add this:
"apiurl": "https://api.dev.name.com",
export NAMEDOTCOM_URL='api.name.com'
## Metadata
This provider does not recognize any special metadata fields unique to name.com.
## Usage
An example `dnsconfig.js` configuration with NAMEDOTCOM
as the registrar and DNS service provider:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECOM = NewRegistrar("name.com");
var DSP_NAMECOM = NewDnsProvider("name.com");
D("example.com", REG_NAMECOM, DnsProvider(DSP_NAMECOM),
A("test", "1.2.3.4")
);
```
{% endcode %}
An example `dnsconfig.js` configuration with NAMEDOTCOM
as the registrar and DNS only, DNS hosted elsewhere:
{% code title="dnsconfig.js" %}
```javascript
var REG_NAMECOM = NewRegistrar("name.com");
var DSP_R53 = NewDnsProvider("r53");
D("example.com", REG_NAMECOM, DnsProvider(DSP_R53),
A("test","1.2.3.4")
);
```
{% endcode %}
{% hint style="info" %}
**NOTE**: name.com does not allow control over the NS records of your zones via the api. It is not recommended to use name.com's dns provider unless it is your only dns host.
{% endhint %}
## Activation
In order to activate API functionality on your Name.com account, you must apply to the API program. The application form is [located here](https://www.name.com/reseller/apply). It usually takes a few days to get a response. After you are accepted, you should receive your API token via email.
## Tips and error messages
### invalid character '<'
```text
integration_test.go:140: api returned unexpected response: invalid character '<' looking for beginning of value
```
This error means an invalid URL is being used to reach the API
endpoint. It usually means a setting is `api.name.com/api` when
`api.name.com` is correct (i.e. remove the `/api`).
In integration tests:
* Wrong: `export NAMEDOTCOM_URL='api.name.com/api'`
* Right: `export NAMEDOTCOM_URL='api.name.com'`
In production, the `apiurl` setting in `creds.json` is wrong. You can
simply leave this option out and use the default, which is correct.
TODO(tlim): Improve the error message. (Volunteer needed!)
### dial tcp: lookup https: no such host
```text
integration_test.go:81: Failed getting nameservers Get https://https//api.name.com/api/v4/domains/stackosphere.com?: dial tcp: lookup https: no such host
```
When running integration tests, this error
means you included the `https://` in the `NAMEDOTCOM_URL` variable.
You meant to do something like `export NAMEDOTCOM_URL='api.name.com' instead.
In production, the `apiurl` setting in `creds.json` needs to be
adjusted. You can simply leave this option out and use the default,
which is correct. If you are using the EO&T system, leave the
protocol (`http://`) off the URL.

View File

@ -0,0 +1,38 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `NETCUP`
along with your [api key, password and your customer number](https://www.netcup-wiki.de/wiki/CCP_API#Authentifizierung).
Example:
{% code title="creds.json" %}
```json
{
"netcup": {
"TYPE": "NETCUP",
"api-key": "abc12345",
"api-password": "abc12345",
"customer-number": "123456"
}
}
```
{% endcode %}
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_NETCUP = NewDnsProvider("netcup");
D("example.com", REG_NONE, DnsProvider(DSP_NETCUP),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Caveats
Netcup does not allow any TTLs to be set for individual records. Thus in
the diff/preview it will always show a TTL of 0. `NS` records are also
not currently supported.

View File

@ -0,0 +1,44 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `NETLIFY`
along with a Netlify account personal access token. You can also optionally add an
account slug. This is _typically_ your username on Netlify.
Examples:
{% code title="creds.json" %}
```json
{
"netlify": {
"TYPE": "NETLIFY",
"token": "your-netlify-account-access-token",
"slug": "account-slug" // this is optional
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Netlify.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NETLIFY = NewRegistrar("netlify");
var DSP_NETLIFY = NewDnsProvider("netlify");
D("example.com", REG_NETLIFY, DnsProvider(DSP_NETLIFY),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
DNSControl depends on a Netlify account personal access token.
## Caveats
Empty MX records are not supported.

View File

@ -0,0 +1,34 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `NS1`
along with your NS1 api key.
Example:
{% code title="creds.json" %}
```json
{
"ns1": {
"TYPE": "NS1",
"api_token": "your-ns1-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to NS1.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_NS1 = NewDnsProvider("ns1");
D("example.com", REG_NONE, DnsProvider(DSP_NS1),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,19 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `OpenSRS`
along with your OpenSRS credentials.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_OPENSRS = NewDnsProvider("opensrs");
D("example.com", REG_NONE, DnsProvider(DSP_OPENSRS),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,44 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `ORACLE`
along with other authentication parameters.
Create an API key through the Oracle Cloud portal, and provide the user OCID, tenancy OCID, key fingerprint, region, and the contents of the private key.
The OCID of the compartment DNS resources should be put in can also optionally be provided.
Example:
{% code title="creds.json" %}
```json
{
"oracle": {
"TYPE": "ORACLE",
"compartment": "$ORACLE_COMPARTMENT",
"fingerprint": "$ORACLE_FINGERPRINT",
"private_key": "$ORACLE_PRIVATE_KEY",
"region": "$ORACLE_REGION",
"tenancy_ocid": "$ORACLE_TENANCY_OCID",
"user_ocid": "$ORACLE_USER_OCID"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Oracle Cloud.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_ORACLE = NewDnsProvider("oracle");
D("example.com", REG_NONE, DnsProvider(DSP_ORACLE),
NAMESERVER_TTL(86400),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,155 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `OVH`
along with a OVH app-key, app-secret-key, consumer-key and optionally endpoint.
Example:
{% code title="creds.json" %}
```json
{
"ovh": {
"TYPE": "OVH",
"app-key": "your app key",
"app-secret-key": "your app secret key",
"consumer-key": "your consumer key",
"endpoint": "eu"
}
}
```
{% endcode %}
See [the Activation section](#activation) for details on obtaining these credentials.
`endpoint` can take the following values:
* `eu` (the default), for connecting to the OVH European endpoint
* `ca` for connecting to OVH Canada API endpoint
* `us` for connecting to the OVH USA API endpoint
* an url for connecting to a different endpoint than the ones above
## Metadata
This provider does not recognize any special metadata fields unique to OVH.
## Usage
An example configuration: (DNS hosted with OVH):
{% code title="dnsconfig.js" %}
```javascript
var REG_OVH = NewRegistrar("ovh");
var DSP_OVH = NewDnsProvider("ovh");
D("example.com", REG_OVH, DnsProvider(DSP_OVH),
A("test", "1.2.3.4")
);
```
{% endcode %}
An example configuration: (Registrar only. DNS hosted elsewhere)
{% code title="dnsconfig.js" %}
```javascript
var REG_OVH = NewRegistrar("ovh");
var DSP_R53 = NewDnsProvider("r53");
D("example.com", REG_OVH, DnsProvider(DSP_R53),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
To obtain the OVH keys, one need to register an app at OVH by following the
[OVH API Getting Started](https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/)
It consist in declaring the app at https://eu.api.ovh.com/createApp/
which gives the `app-key` and `app-secret-key`. If your domains and zones are located in another region, see below for the correct url to use.
Once done, to obtain the `consumer-key` it is necessary to authorize the just created app
to access the data in a specific account:
```shell
curl -XPOST -H"X-Ovh-Application: <you-app-key>" -H "Content-type: application/json" https://eu.api.ovh.com/1.0/auth/credential -d'{
"accessRules": [
{
"method": "DELETE",
"path": "/domain/zone/*"
},
{
"method": "GET",
"path": "/domain/zone/*"
},
{
"method": "POST",
"path": "/domain/zone/*"
},
{
"method": "PUT",
"path": "/domain/zone/*"
},
{
"method": "GET",
"path": "/domain/*"
},
{
"method": "PUT",
"path": "/domain/*"
},
{
"method": "POST",
"path": "/domain/*/nameServers/update"
}
]
}'
```
It should return something akin to:
{% code title="creds.json" %}
```json
{
"validationUrl": "https://eu.api.ovh.com/auth/?credentialToken=<long-token>",
"consumerKey": "<your-consumer-key>",
"state": "pendingValidation"
}
```
{% endcode %}
Open the "validationUrl" in a browser and log in with your OVH account. This will link the app with your account,
authorizing it to access your zones and domains.
Do not forget to fill the `consumer-key` of your `creds.json`.
For accessing the other international endpoints such as US and CA, change the `https://eu.api.ovh.com` used above to one of the following:
* Canada endpoint: `https://ca.api.ovh.com`
* US endpoint: `https://api.us.ovhcloud.com`
Do not forget to fill the `endpoint` of your `creds.json` if you use an endpoint different than the EU one.
## New domains
If a domain does not exist in your OVH account, DNSControl
will *not* automatically add it. You'll need to do that via the
control panel manually.
## Dual providers scenario
OVH now allows to host DNS zone for a domain that is not registered in their registrar (see: https://www.ovh.com/manager/web/#/zone). The following dual providers scenario are supported:
| registrar | zone | working? |
|:---------:|:-----------:|:--------:|
| OVH | other | √ |
| OVH | OVH + other | √ |
| other | OVH | √ |
## Caveats
* OVH doesn't allow resetting the zone to the OVH DNS through the API. If for any reasons OVH NS entries were
removed the only way to add them back is by using the OVH Control Panel (in the DNS Servers tab, click on the "Reset the
DNS servers" button.
* There may be a slight delay (1-10 minutes) before your modifications appear in the OVH Control Panel. However it seems that it's only cosmetic - the changes are indeed available at the DNS servers. You can confirm that the changes are taken into account by OVH by choosing "Change in text format", and see in the BIND compatible format that your changes are indeed there. And you can confirm by directly asking the DNS servers (e.g. with `dig`).
* OVH enforces the [Restrictions on valid hostnames](https://en.wikipedia.org/wiki/Hostname#Syntax). A hostname with an underscore ("_") will cause the following error `FAILURE! OVHcloud API error (status code 400): Client::BadRequest: "Invalid domain name, underscore not allowed"`

View File

@ -0,0 +1,34 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `PACKETFRAME`
along with your Packetframe Token which can be extracted from the `token` cookie on packetframe.com
Example:
{% code title="creds.json" %}
```json
{
"packetframe": {
"TYPE": "PACKETFRAME",
"token": "your-packetframe-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Packetframe.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_PACKETFRAME = NewDnsProvider("packetframe");
D("example.com", REG_NONE, DnsProvider(DSP_PACKETFRAME),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,37 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `PORKBUN`
along with your `api_key` and `secret_key`. More info about authentication can be found in [Getting started with the Porkbun API](https://kb.porkbun.com/article/190-getting-started-with-the-porkbun-api).
Example:
{% code title="creds.json" %}
```json
{
"porkbun": {
"TYPE": "PORKBUN",
"api_key": "your-porkbun-api-key",
"secret_key": "your-porkbun-secret-key",
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Porkbun.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_PORKBUN = NewDnsProvider("porkbun");
D("example.com", REG_NONE, DnsProvider(DSP_PORKBUN),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,64 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `POWERDNS`
along with your [API URL, API Key and Server ID](https://doc.powerdns.com/authoritative/http-api/index.html).
In most cases the Server id is `localhost`.
Example:
{% code title="creds.json" %}
```json
{
"powerdns": {
"TYPE": "POWERDNS",
"apiKey": "your-key",
"apiUrl": "http://localhost",
"serverName": "localhost"
}
}
```
{% endcode %}
## Metadata
Following metadata are available:
{% code title="dnsconfig.js" %}
```javascript
{
'default_ns': [
'a.example.com.',
'b.example.com.'
],
'dnssec_on_create': false,
'zone_kind': 'Native',
}
```
{% endcode %}
- `default_ns` sets the nameserver which are used
- `dnssec_on_create` specifies if DNSSEC should be enabled when creating zones
- `zone_kind` is the type that will be used when creating the zone.
<br>Can be one of `Native`, `Master` or `Slave`, when not specified it defaults to `Native`.
<br>Please see [PowerDNS documentation](https://doc.powerdns.com/authoritative/modes-of-operation.html) for explanation of the kinds.
<br>**Note that these tokens are case-sensitive!**
- `soa_edit_api` is the default SOA serial method that is used for zone created with the API
<br> Can be one of `DEFAULT`, `INCREASE`, `EPOCH`, `SOA-EDIT` or `SOA-EDIT-INCREASE`, default format is YYYYMMDD01.
<br>Please see [PowerDNS SOA-EDIT-DNSUPDATE documentation](https://doc.powerdns.com/authoritative/dnsupdate.html#soa-edit-dnsupdate-settings) for explanation of the kinds.
<br>**Note that these tokens are case-sensitive!**
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_POWERDNS = NewDnsProvider("powerdns");
D("example.com", REG_NONE, DnsProvider(DSP_POWERDNS),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
See the [PowerDNS documentation](https://doc.powerdns.com/authoritative/http-api/index.html) how the API can be enabled.

View File

@ -0,0 +1,48 @@
[realtimeregister.com](https://realtimeregister.com) is a domain registrar based in the Netherlands.
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `REALTIMEREGISTER`
along with your API-key. Further configuration includes a flag indicating BASIC or PREMIUM DNS-service and a flag
indicating the use of the sandbox environment
**Example:**
{% code title="creds.json" %}
```json
{
"realtimeregister": {
"TYPE": "REALTIMEREGISTER",
"apikey": "abcdefghijklmnopqrstuvwxyz1234567890",
"sandbox" : "0",
"premium" : "0"
}
}
```
{% endcode %}
If sandbox is omitted or set to any other value than "1" the production API will be used.
If premium is set to "1", you will only be able to update zones using Premium DNS. If it is omitted or set to any other value, you
will only be able to update zones using Basic DNS.
**Important Notes**:
* It is recommended to create a 'DNSControl' user in your account settings with limited permissions
(i.e. VIEW_DNS_ZONE, CREATE_DNS_ZONE, UPDATE_DNS_ZONE, VIEW_DOMAIN, UPDATE_DOMAIN), otherwise anyone with
access to this `creds.json` file might have *full* access to your RTR account and will be able to transfer or delete your domains.
## Metadata
This provider does not recognize any special metadata fields unique to Realtime Register.
## Usage
An example `dnsconfig.js` configuration file
{% code title="dnsconfig.js" %}
```javascript
var REG_RTR = NewRegistrar("realtimeregister");
var DSP_RTR = NewDnsProvider("realtimeregister");
D("example.com", REG_RTR, DnsProvider(DSP_RTR),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,254 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `ROUTE53`
along with API credentials.
Example:
{% code title="creds.json" %}
```json
{
"r53_main": {
"TYPE": "ROUTE53",
"DelegationSet": "optional-delegation-set-id",
"KeyId": "your-aws-key",
"SecretKey": "your-aws-secret-key",
"Token": "optional-sts-token"
}
}
```
{% endcode %}
Alternatively you can also use environment variables. This is discouraged unless your environment provides them already.
```shell
export AWS_ACCESS_KEY_ID=XXXXXXXXX
export AWS_SECRET_ACCESS_KEY=YYYYYYYYY
export AWS_SESSION_TOKEN=ZZZZZZZZ
```
{% code title="creds.json" %}
```json
{
"r53_main": {
"TYPE": "ROUTE53",
"KeyId": "$AWS_ACCESS_KEY_ID",
"SecretKey": "$AWS_SECRET_ACCESS_KEY"
}
}
```
{% endcode %}
Alternatively, this provider supports [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html). In that case export the following variable:
```shell
export AWS_PROFILE=ZZZZZZZZ
```
and provide a minimal entry in `creds.json`:
Example:
{% code title="creds.json" %}
```json
{
"r53_main": {
"TYPE": "ROUTE53"
}
}
```
{% endcode %}
You can find some other ways to authenticate to Route53 in the [go sdk configuration](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html).
## Metadata
This provider does not recognize any special metadata fields unique to route 53.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_R53 = NewDnsProvider("r53_main");
D("example.com", REG_NONE, DnsProvider(DSP_R53),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Split horizon
This provider supports split horizons using the [`R53_ZONE()`](../language-reference/record-modifiers/R53_ZONE.md) domain function.
In this example the domain `testzone.net` appears in the same account twice,
each with different zone IDs specified using [`R53_ZONE()`](../language-reference/record-modifiers/R53_ZONE.md).
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_R53 = NewDnsProvider("r53_main");
D("testzone.net!private", REG_NONE,
DnsProvider(DSP_R53),
R53_ZONE("Z111111111JCCCP1V7UW"),
TXT("me", "private testzone.net"),
);
D("testzone.net!public", REG_NONE,
DnsProvider(DSP_R53),
R53_ZONE("Z222222222INNG98SHJQ2"),
TXT("me", "public testzone.net"),
);
```
{% endcode %}
## Activation
DNSControl depends on a standard [AWS access key](https://aws.amazon.com/developers/access-keys/) with permission to list, create and update hosted zones. If you do not have the permissions required you will receive the following error message `Check your credentials, your not authorized to perform actions on Route 53 AWS Service`.
You can apply the `AmazonRoute53FullAccess` policy however this includes access to many other areas of AWS. The minimum permissions required are as follows:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"route53:CreateHostedZone",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:UpdateHostedZoneComment"
],
"Resource": "*"
}
]
}
```
If Route53 is also your registrar, you will need `route53domains:UpdateDomainNameservers` and `route53domains:GetDomainDetail` as well and possibly others.
## New domains
If a domain does not exist in your Route53 account, DNSControl will *not* automatically add it with the `push` command. You can do that either manually via the control panel, or via the command `dnscontrol create-domains` command.
## Delegation Sets
Creation of new delegation sets are not supported by this code. However, if you have a delegation set already created, ala:
```shell
aws route53 create-reusable-delegation-set --caller-reference "foo"
{
"Location": "https://route53.amazonaws.com/2013-04-01/delegationset/12312312123",
"DelegationSet": {
"Id": "/delegationset/12312312123",
"CallerReference": "foo",
"NameServers": [
"ns-1056.awsdns-04.org",
"ns-215.awsdns-26.com",
"ns-1686.awsdns-18.co.uk",
"ns-970.awsdns-57.net"
]
}
}
```
You can then reference the DelegationSet.Id in your `r53_main` block (with your other credentials) to have all created domains placed in that
delegation set. Note that you you only want the portion of the `Id` after the `/delegationset/` (the `12312312123` in the example above).
> Delegation sets only apply during `create-domains` at the moment. Further work needs to be done to have them apply during `push`.
## Caveats
### Route53 errors if it is not the DnsProvider
This code may not function properly if a domain has R53 as a Registrar
but not as a DnsProvider. The situation is described in
[PR#155](https://github.com/StackExchange/dnscontrol/pull/155).
In this situation you will see a message like: (This output assumes the `--full` flag)
```text
----- Registrar: r53_main
Error getting corrections: AccessDeniedException: User: arn:aws:iam::868399730840:user/dnscontrol is not authorized to perform: route53domains:GetDomainDetail
status code: 400, request id: 48b534a1-7902-11e7-afa6-a3fffd2ce139
Done. 1 corrections.
```
If this happens to you, we'd appreciate it if you could help us fix the code. In the meanwhile, you can give the account additional IAM permissions so that it can do DNS-related actions, or simply use `NewRegistrar(..., "NONE")` for now.
### Bug when converting new zones
You will see some weirdness if:
1. A CNAME was created using the web UI
2. The CNAME's target does NOT end with a dot.
What you will see: When DNSControl tries to update such records, R53
only updates the first one. For example if DNSControl is updating 3
such records, you will need to run `dnscontrol push` three times for
all three records to update. Each time DNSControl is sending three
modify requests but only the first is executed. After all such
records are modified by DNSControl, everything works as expected.
We believe this is a bug with R53.
This is only a problem for users converting old zones to DNSControl.
{% hint style="info" %}
**NOTE**: When converting zones that include such records, the `get-zones`
command will generate `CNAME()` records without the trailing dot. You
should manually add the dot. Run `dnscontrol preview` as normal to
check your work. However when you run `dnscontrol push` you'll find
you have to run it multiple times, each time one of those corrections
executes and the others do not. Once all such records are replaced
this problem disappears.
{% endhint %}
More info is available in [#891](https://github.com/StackExchange/dnscontrol/issues/891).
## Error messages
### Creds key mismatch
```shell
dnscontrol preview
Creating r53 dns provider: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```
This means that the `creds.json` entry isn't found. Either there is no entry, or the entry name doesn't match the first parameter in the `NewDnsProvider()` call. In the above example, note
that the string `r53_main` is specified in `NewDnsProvider("r53_main")` and that is the exact key used in the creds file above.
### Invalid KeyId
```shell
dnscontrol preview
Creating r53_main dns provider: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 8c006a24-e7df-11e7-9162-01963394e1df
```
This means the KeyId is unknown to AWS.
### Invalid SecretKey
```shell
dnscontrol preview
Creating r53_main dns provider: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
status code: 403, request id: 9171d89a-e7df-11e7-8586-cbea3ea4e710
```
This means the SecretKey is incorrect. It may be a quoting issue.
### Incomplete Signature
```shell
dnscontrol preview
IncompleteSignature: 'ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential= ABCDEFGHIJKLMNOPQRST/20200118/us-east-1/route53/aws4_request, SignedHeaders=host;x-amz-date, Signature=571c0b13205669a338f0fb9f351dc03c7016c8737c738081bc885c68378ad877'.
status code: 403, request id: 12a34b5c-d678-9e01-f2gh-3456i7jk89lm
```
This means a space is present in one or more of the credential values.

View File

@ -0,0 +1,39 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `RWTH`
along with your [API Token](https://noc-portal.rz.rwth-aachen.de/dns-admin/en/api_tokens).
Example:
{% code title="creds.json" %}
```json
{
"rwth": {
"TYPE": "RWTH",
"api_token": "bQGz0DOi0AkTzG...="
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to it.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_RWTH = NewDnsProvider("rwth");
D("example.rwth-aachen.de", REG_NONE, DnsProvider(DSP_RWTH),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Caveats
The default TTL is not automatically fetched, as the API does not provide such an endpoint.
The RWTH deploys zones every 15 minutes, so it might take some time for changes to take effect.

View File

@ -0,0 +1,59 @@
{% hint style="info" %}
**NOTE**: This provider is currently has no maintainer. We are looking for
a volunteer. If this provider breaks it may be disabled or removed if
it can not be easily fixed.
{% endhint %}
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `SOFTLAYER`
along with authentication fields.
Authenticating with SoftLayer requires at least a `username` and `api_key` for authentication. It can also optionally take a `timeout` and `endpoint_url` parameter however these are optional and will use standard defaults if not provided.
Example:
{% code title="creds.json" %}
```json
{
"softlayer": {
"TYPE": "SOFTLAYER",
"api_key": "mysecretapikey",
"username": "myusername"
}
}
```
{% endcode %}
To maintain compatibility with existing softlayer CLI services these can also be provided by the `SL_USERNAME` and `SL_API_KEY` environment variables or specified in the `~/.softlayer`, but this is discouraged. More information about these methods can be found at [the softlayer-go library documentation](https://github.com/softlayer/softlayer-go#sessions).
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_SOFTLAYER = NewDnsProvider("softlayer");
D("example.com", REG_NONE, DnsProvider(DSP_SOFTLAYER),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to SoftLayer dns.
For compatibility with the pre-generated NAMESERVER fields it's recommended to set the NS TTL to 86400 such as:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_SOFTLAYER = NewDnsProvider("softlayer");
D("example.com", REG_NONE, DnsProvider(SOFTLAYER),
NAMESERVER_TTL(86400),
A("test", "1.2.3.4")
);
```
{% endcode %}

View File

@ -0,0 +1,97 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `TRANSIP`
along with your TransIP credentials.
### Key Pairs
You can login with your `AccountName` and a `PrivateKey` which can be generated in the [TransIP control panel](https://www.transip.nl/cp/account/api/). The `PrivateKey` is a stringified version of the Private Key given by the API, see the example below, each newline is replaced by "\n".
Example:
{% code title="creds.json" %}
```json
{
"transip": {
"TYPE": "TRANSIP",
"AccountName": "your-account-name",
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp\nwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5\n1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQABAoGAFijko56+qGyN8M0RVyaRAXz++xTqHBLh\n3tx4VgMtrQ+WEgCjhoTwo23KMBAuJGSYnRmoBZM3lMfTKevIkAidPExvYCdm5dYq3XToLkkLv5L2\npIIVOFMDG+KESnAFV7l2c+cnzRMW0+b6f8mR1CJzZuxVLL6Q02fvLi55/mbSYxECQQDeAw6fiIQX\nGukBI4eMZZt4nscy2o12KyYner3VpoeE+Np2q+Z3pvAMd/aNzQ/W9WaI+NRfcxUJrmfPwIGm63il\nAkEAxCL5HQb2bQr4ByorcMWm/hEP2MZzROV73yF41hPsRC9m66KrheO9HPTJuo3/9s5p+sqGxOlF\nL0NDt4SkosjgGwJAFklyR1uZ/wPJjj611cdBcztlPdqoxssQGnh85BzCj/u3WqBpE2vjvyyvyI5k\nX6zk7S0ljKtt2jny2+00VsBerQJBAJGC1Mg5Oydo5NwD6BiROrPxGo2bpTbu/fhrT8ebHkTz2epl\nU9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ\n37sJ5QsW+sJyoNde3xH8vdXhzU7eT82D6X/scw9RZz+/6rCJ4p0=\n-----END RSA PRIVATE KEY-----"
}
}
```
{% endcode %}
### Access tokens
Or you can choose to have an `AccessToken` as credential. These can be generated in the [TransIP control panel](https://www.transip.nl/cp/account/api/) and have a limited lifetime
{% code title="creds.json" %}
```json
{
"transip": {
"TYPE": "TRANSIP",
"AccessToken": "your-transip-personal-access-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to TransIP.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var REG_NONE = NewRegistrar("none");
var DSP_TRANSIP = NewDnsProvider("transip");
D("example.com", REG_NONE, DnsProvider(DSP_TRANSIP),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
TransIP depends on a TransIP personal access token.
## Limitations
> "When multiple or none of the current DNS entries matches, the response will be an error with http status code 406." — _[TransIP - REST API - Update single DNS entry](https://api.transip.nl/rest/docs.html#domains-dns-patch)_
This makes it not possible, for example, to update a [`CAA()`](../language-reference/domain-modifiers/CAA.md) record in one update. Instead, the old DNS entry is deleted and the replacement is added. You'll see `[1/2]` and `[2/2]` in the DNSControl output whenever this happens.
### Example with a `CAA_BUILDER()`
{% code title="dnsconfig.js" %}
```diff
CAA_BUILDER({
label: '@',
iodef: 'mailto:info@cafferata.dev',
+ iodef_critical: true,
issue: [
'letsencrypt.org',
],
issuewild: 'none',
}),
```
{% endcode %}
```shell
dnscontrol push --domains cafferata.dev
```
```shell
******************** Domain: cafferata.dev
2 corrections (transip)
#1: [1/2] delete: ± MODIFY cafferata.dev CAA (0 iodef "mailto:info@cafferata.dev" ttl=86400) -> (128 iodef "mailto:info@cafferata.dev" ttl=86400)
SUCCESS!
#2: [2/2] create: ± MODIFY cafferata.dev CAA (0 iodef "mailto:info@cafferata.dev" ttl=86400) -> (128 iodef "mailto:info@cafferata.dev" ttl=86400)
SUCCESS!
Done. 2 corrections.
```

View File

@ -0,0 +1,39 @@
## Configuration
To use this provider, add an entry to `creds.json` with `TYPE` set to `VULTR`
along with a Vultr personal access token.
Example:
{% code title="creds.json" %}
```json
{
"vultr": {
"TYPE": "VULTR",
"token": "your-vultr-personal-access-token"
}
}
```
{% endcode %}
## Metadata
This provider does not recognize any special metadata fields unique to Vultr.
## Usage
An example configuration:
{% code title="dnsconfig.js" %}
```javascript
var DSP_VULTR = NewDnsProvider("vultr");
D("example.com", REG_DNSIMPLE, DnsProvider(DSP_VULTR),
A("test", "1.2.3.4")
);
```
{% endcode %}
## Activation
Vultr depends on a Vultr personal access token.