Skip to content

DNS API Dev Guide

Olle Gustafsson edited this page Nov 26, 2019 · 28 revisions

Guide for developing a dns api for

This guide is to help any developer interested to build a brand new DNS API for

Some useful tips

  1. It's normal to run into errors, so do use --debug 2 when testing. For e.g., --issue --debug 2 -d --dns dns_myapi
  2. It's normal to burst rate limits for letsencrypt, so do use --staging when testing. For e.g., --issue --staging --debug 2 -d --dns dns_myapi Read issue 1787 for details. Remember to remove --staging after testing.

Let's assume your api name is myapi, and you will use your api like:

export MYAPI_Username=myname
export MYAPI_Password=mypass --issue -d  --dns  dns_myapi

Here we go:

1. The cloudflare dns api is a recommended reference:

2. The script file name must be

The file name must be in this format:, in this example, it should be

3. The file can be placed in folder, or in subfolder.

If you want to contribute your script to project, it must be placed in folder.

If you just want to use your script on your machine, you can put it in or folders. searches the script files in either the home dir( or in the dnsapi subfolder(

4. The file shebang must be sh not bash is a unix shell script, not just a bash script.

If you want to contribute your script, the shebang must be:

#!/usr/bin/env sh

After the installation, could change the shebang to bash to get a better performance if you have bash on your machine.

Of course, if you just use it on your own, it can be any valid shebang on your machine. It could be sh or bash, it's up to you.

5. There must be 2 functions in your script:

# Usage: add   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Used to add txt record
dns_myapi_add() { }

# Usage: fulldomain txtvalue
# Used to remove the txt record after validation
dns_myapi_rm() { }

Actually, the dns_myapi_add() is required, but dns_myapi_rm() is optional. You can just write the add function at the beginning for testing purpose, it's highly recommended to implement the rm function too. Otherwise your txt records will increase 1 every 2 months.

6. Guide for the add function

Steps when you write the dns_myapi_add() function:

1. Get the full domain and the txt record:

dns_myapi_add() {


2. You must save your username and password in the add function:

The credentials such as username, password, api key or api token etc, must be saved, so that can renew the cert automatically in future. It will reuse the credentials automatically.

dns_myapi_add() {

  MYAPI_Username="${MYAPI_Username:-$(_readaccountconf_mutable MYAPI_Username)}"
  MYAPI_Password="${MYAPI_Password:-$(_readaccountconf_mutable MYAPI_Password)}"
  if [ -z "$MYAPI_Username" ] || [ -z "$MYAPI_Password" ]; then
    _err "You don't specify cloudflare api key and email yet."
    _err "Please create you key and try again."
    return 1

  #save the credentials to the account conf file.
  _saveaccountconf_mutable MYAPI_Username "$MYAPI_Username"
  _saveaccountconf_mutable MYAPI_Password "$MYAPI_Password"


3. Detect which part is your root zone.

The full domain could be in one of the following formats:


For most of the dns providers, you must determine which part is the domain root zone( or, and which part is the sub domain(_acme-challenge or _acme-challenge.www)

You can not just split the full domain, and get the first part as sub domain, and the rest as root zone. Please make sure you can handle all the formats above.

A good practice is to list all your root zones through your dns api, then compare and detect which part is the root zone. Then the rest is the sub domain.


dns_myapi_add() {

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1


4. Call your dns api to add txt record.

Most of the dns providers provide a http api or REST api.

So, you can just use http GET/POST/PUT/DELETE method to call their api to add/remove txt record. defined two functions to make http GET/POST/PUT/DELETE connections.


_get() {}
_post() {}

You can use them directly.

Please take care that the _post() function can send POST/PUT/DELETE request, not just POST.


Do not use curl or wget directly in your script.

Note: Wildcard certificates require two TXT values. When implementing the method make sure that you append the value instead of replacing it

dig -t txt should return

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35476
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4000
;        IN TXT

;; ANSWER SECTION: 3600 IN TXT "tye6yGOxJEffnXDzZKNJjOHSsCFtKwU_5L0ykmY8CzE" 3600 IN TXT "XhVGx_0VVeR5yiaGLHHXrRl2sAbZhI7IugMSdbfR4go"

5. Additional HTTP headers.

Your HTTP method call may require additional headers for Authorization, ContentType, Accept, Cookies, etc. for the DNS providers api to add/remove the txt record. You can export _Hn (_H1, _H2, _H3, etc.) environment variables with the HTTP header needed:


  mycredentials="$(printf "%s" "$myusername:$mypassword" | _base64)"

  export _H1="Authorization: Basic $mycredentials"
  export _H2="ContentType: application/json"


Just number the _Hn in the order that you need the headers. Please review these few examples for inspiration.

This is only way to pass the equivalent wget's --user and --password and curl's --user parameters.

6. Process the api response.

The api response could be in text, json or xml format. Here are a lot of functions to process strings:



You can use sed, grep, cut, paste etc, Do not use awk at all.

7. Guide for the rm function.

The steps is same as the add function.

Please take care that the rm function and add function are called in 2 different isolated sub shell. So, you can not pass any env vars from the add function to the rm function.

You must re-do all the preparations of the add function here too.


8. Please also check this bug to support V2 wildcard cert:

9. Update the docs to include your dns api usage.

please append your api at last:

10. Please create a new issue for future bugs

Please report a new issue here: "Report bugs to xxxx dns api"

And please watch to that issue. Any future bug will be reported there.


Style Guidelines uses shellcheck for new commits and also enforces style guidelines.
To avoid the most common travis failures:

  • Use indentation with 2 spaces
  • remove trailing spaces
  • Doublequote variables (use echo _debug "txtvalue=$txtvalue" instead of _debug txtvalue=$txtvalue)
  • Always check the travis results after a commit
  • Consider using shellcheck ( before commiting
You can’t perform that action at this time.