Today in the computer world almost 100% works with API. DNS servers are no exception, for example with PowerDNS without surprise there is an API but let’s explore what works very well since years: DNSUpdate with its little RFC2136.


In 2022 many ISPs do not provide fixed IPv4 or IPv6. So it changes regularly depending on a power cut or more from your operator. There are many online services to do this job via an API, maybe even your registrar. But when you host your own DNS, it is easier to use nsupdate which is often already installed on your machine when you need to dig into the question. Otherwise it is present for example via the bind9-dnsutils package under debian.

So we will make a small script that will get its ipv4 and v6 public and update them, here on the server :

ORIG_IPv4=$(dig +short a $HOST
ORIG_IPv6=$(dig +short aaaa $HOST
IPv4=$(curl -4
IPv6=$(curl -6
SERVER=$(dig +short aaaa

if [ "$ORIG_IPv4" != "$IPv4" ] || [ "$ORIG_IPv6" != "$IPv6" ];

nsupdate -y '<algo ici hmac-sha512>:<tsig name>:<ma clef TSIG base64>' <<!
server $SERVER 53
zone $DOMAIN
update delete $HOST. A
update delete $HOST. AAAA
update add $HOST. 3600 A $IPv4
update add $HOST. 3600 AAAA $IPv6


Let’s Encrypt

A second use case I use is to obtain a let’s encrypt certificate via a DNS challenge. My own ACME is again something simple but robust: dehydrated

With dehydrated it’s possible to add a hook in config HOOK=/etc/dehydrated/hook/

This script need to call two function deploy_challenge() :

deploy_challenge() {
  nsupdate -y '<algo ici hmac-sha512>:<tsig name>:<ma clef TSIG base64>' <<!
  server fd00::42:3 53
  zone ${DOMAIN}
  update add _acme-challenge.${DOMAIN} 60 TXT ${TOKEN_VALUE}
  sleep 3

and clean_challenge() :

clean_challenge() {
  nsupdate -y '<algo ici hmac-sha512>:<tsig name>:<ma clef TSIG base64>' <<!
  server fd00::42:3 53
  zone ${DOMAIN}
  update delete _acme-challenge.${DOMAIN} TXT ${TOKEN_VALUE}

The DNS server ( is fd00::42:3 in private ipv6 address (vpn wireguard tunnel)


Let’s go to the server side setup now. Without surprise I will show you how it is done with PowerDNS.


All exchanges are done securely with TSIG RFC2845

You have to generate it on your master by specifying the algorithm hmac-sha512 and a name:

pdnsutil generate-tsig-key hmac-sha512

We can finely authorize domain by domain, the right that we will put on this key, for example the right to make changes in the zone (dnsupdate) or to transfer this zone (axfr).

pdnsutil show-zone

On the metadata side we can see:

Zone has following allowed TSIG key(s):
Metadata items:


Let’s add the authorization to do dnsupdate by whitelisting an IP. In /etc/powerdns/pdns.d/dnsupdate.conf :


A small restart of powerdns and tada!