DNS providers
Per-provider authentication and required permissions for the 14 DNS providers CertAutoPilot speaks for DNS-01 challenge automation.
Zones
A zone binds a DNS apex to a credential. This is what CertAutoPilot consults when it has to publish a DNS-01 challenge for a name.
DNS-01 troubleshooting
A symptom-driven walk through the things that go wrong with DNS-01 โ propagation, restricted zones, stale records, NS-glue mismatches, and edge cases on registrar-provided DNS.
Propagation & resolver settings
How the DNS-01 propagation pre-check works, which resolvers it queries, and the org-wide knobs โ custom resolvers, allow-partial, skip-precheck, timeout and poll interval.
Cloudflare DNS
Cloudflare is the simplest DNS provider to wire up: a single scoped API token with permission to edit DNS records on your zone is all the backend needs. Propagation is fast (seconds), rate limits are generous for DNS-01 volumes.
AWS Route 53
Route 53 uses an IAM access key + secret scoped to a single hosted zone. The IAM policy below is the minimum needed for DNS-01 validation โ nothing more.
Google Cloud DNS
CertAutoPilot authenticates to Cloud DNS with a service-account key (JSON). The account needs the DNS Administrator role or a narrower custom role restricted to dns.changes.create and dns.resourceRecordSets.* on the managed zone.
Azure DNS
Authenticate to Azure DNS with a service-principal (app registration) scoped to the DNS zone. The backend supports public zones, private zones, and the Azure China / Government sovereign clouds.
DigitalOcean DNS
DigitalOcean uses a single Personal Access Token with Domains:Read and Domains:Write scopes. Propagation is fast (under 60 s); rate limits are per-token and very generous.
GoDaddy DNS
GoDaddy uses a Production API key + secret pair. The API is eligibility-gated โ accounts below certain tiers are refused, so verify access in a browser before wiring it up here.
AWS Lightsail DNS
Lightsail has its own DNS API distinct from Route 53 โ use this provider only if your zone lives in the Lightsail console, not if you registered your domain at Lightsail and delegated to Route 53.
UltraDNS
UltraDNS (Neustar / Vercara) uses HTTP Basic auth with a dedicated user account. Treat this as a machine account โ do not reuse operator credentials.
Akamai EdgeDNS
Akamai's EdgeDNS (formerly Fast DNS) uses the EdgeGrid authentication scheme โ four credentials from a single .edgerc file. Configure the credential with EdgeGrid-authenticated API access to the DNS Zone Administration API.
Hetzner DNS
Hetzner DNS Console (dns.hetzner.com) uses a single API token. Fast propagation and unlimited DNS-01 volumes make this a great option for labs and small-scale prod.
OVH DNS
OVH uses a three-part credential: Application Key, Application Secret, and a Consumer Key that binds the application to a specific user + scope. You also pick the regional API endpoint โ the same OVH account has separate endpoints per continent and product line.
Namecheap DNS
Namecheap's API is different from a typical REST: it uses an API user + API key pair, plus a required client IP allowlist on Namecheap's side. You have to whitelist the egress IP of your CertAutoPilot backend before any call will succeed.
RFC 2136 (Dynamic DNS)
Automate the DNS-01 challenge against a self-hosted DNS server (BIND, PowerDNS, Knot, or a Windows DNS zone) using RFC 2136 dynamic updates โ with nonsecure, TSIG shared-key, or GSS-TSIG authentication.
Windows DNS (WinRM)
Automate the DNS-01 challenge on a Windows DNS Server by writing the TXT record over WinRM/PowerShell โ works with AD-integrated 'Secure only' zones, with no TSIG or Kerberos setup on the host.