v4.28.2

Greetings DNS fans!

This is a bugfix release. BIND users discovered that "push" was regenerating zonefiles even when there was no change. The reason was that the %D verb was always "" (null string). Shout out to @ondohotola for quickly reporting this bug and confirming the workaround. A full fix is included in v4.28.2.

This release also includes some documentation and tool improvements.

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all of your contributions!

Sincerely,
--Tom Limoncelli

Monthly video call!

Everyone is invited to the Monthly DNSControl Community Video Conference Call on the 3rd Monday of each month. Join whether you are a new user with questions or an experienced developer that wants to discuss DNSControl internals... or anything in between! Meeting details on GitHub Discussions.

Changelog

Documentation:

• 986bc4c: DOCS: replace all NewRegistrar('ThirdParty') (#3889) (@SukkaW)

Dependencies:

• 08a6fa6: CHORE: Update deps, regenerate docs (#3902) (@tlimoncelli)

Other changes and improvements:

• 0ae4acc: BUGFIX: BIND %D not working after v4.28.0 (#3900) (@tlimoncelli)
• 865dad5: TOOLS: bin/generate-all.sh should skip .vscode (#3901) (@tlimoncelli)
• db27a1e: [docs] Refresh digital ocean provider docs (#3860) (@chicks-net)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.28.1

Greetings DNS fans!

This release fixes a bug found shortly after v4.28.0 was released. It only affects users of the "split horizons" feature.

Version v4.28.0 was a big release with many changes. We still recommend exercising great caution before putting it into production. See the v4.28.0 release notes for testing advice. Please file a bug report if you find any issues.

Thanks to gvengel for reporting the bug so quickly.

Changelog

Other changes and improvements:

• a0288bd: bug(split horizon): Domains with split horizons not working (#3895) (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.28.0

Greetings DNS fans!

This release needs extra testing

WARNING: This release may be a little unstable. Test carefully before putting into production especially if you use IDN (Unicode in domain names) or Cloudflare redirects (CF_REDIRECT, CF_TEMP_REDIRECT, CF_SINGLE_REDIRECT), or the BIND "filenameformat" feature.

We're using the Github feature to mark this as a "pre-release". It will be labeled as non-production ready. It will be marked as production ready in a few weeks, or we may just skip to a .1 release if bugs are found.

Volunteer changes:

• We're sad to announce @Deraen and @philhug are stepping down as maintainers of the DIGITALOCEAN and OPENSRS respectively. We‚Äôre grateful for their past contributions and wish them well in their future endeavors.
• Applause all around to @chicks-net for stepping up to be the new maintainer of DIGITALOCEAN! We look forward to great things!
• We need a new maintainer for OPENSRS. If you are interested or have questions, please contact our official Liaison To Maintainers, @fm by opening an issue.

Monthly video call is Mon, Dec 15, 2025

Our next "Monthly DNSControl Community Video Conference Call" is on Monday, Dec 15. Join in whether you are a new user with questions or an experienced developer that wants to discuss DNSControl internals. More details at https://github.com/StackExchange/dnscontrol/discussions/3840. All are invited!

There's so much new in this release!

• New Providers!

  • VERCEL: Vercel (thanks @SukkaW!) daf5a7a: (#3379) (#3542) (#3887)
  • ALIDNS: Alibaba Cloud DNS (thanks @bytemain!) bcef7f5 (#3878)
  • HETZNER_V2: Herzner API v2 (thanks @das7pad) 1e67585 (#3837)
    • If you use HETZNER, please upgrade to HETZNER_V2.

• IDN support for domain names! c11a523 (#3879) (@tlimoncelli)

  • Internationalized domain name (IDN) support has been extended to include domain names! Previously Unicode was supported in labels but not domains. It now works everywhere (we hope). This code is very new. Please test before putting it into production. Please file bug reports with problems or suggestions. I don't use IDN myself so your feedback is extra important!
  • Thanks to everyone that offered suggestions about how to go about adding IDN support. There was a lively discussion in
    #2874 (shout out to @KaiSchwarz-cnic for explaining the conventions that other SDKs use). I haven't implemented all the IDN-related features discussed, but this is a good start.
  • It's impossible for me to test this with all providers, so please tread carefully, test before going into production, and submit bug reports!

• DNSControl now plays well with K8s's "external-dns" service! f1b30a1 (#3869) (@tridion)

  • Do you use K8s and find that DNSControl wants to remove DNS records created by the external-dns service? Sure, you can add IGNORE() statements ahead of time, but unless you are a time-traveler it's difficult to know what parameters to use. Plus, manual work? Yuck!
  • The new IGNORE_EXTERNAL_DNS() domain modifier automatically works around (ignores) DNS records created by the external-dns service.
  • Check out #3869 and the documentation for details.
  • Thanks to @tridion for taking the intiative to work out all the details of how the TXT registry works and extending DNSControl to utilize the protocol.

• AKAMAIEDGEDNS now supports ALIAS and AKAMAITLC records! 97209bc (#3836) (@gvengel)

• CLOUDFLAREAPI now supports LOC records ec9a9e2 (#3857) (@kevinji)

• GANDI_V5 and BIND now support the RP record. This is the first record type to use the new "RecordConfig v2" system (see below).

• INWX now runs concurrently! 6e42ccf (#3856) (@patschi)

• INWX fixed to support their unexpected data-type breaking-change! 9aad292 (#3855) (@patschi)

• The output of --report now includes details about what changed! 9d4cb30 (#3835) (@kevinneufeld)

And not to forget...

• It is no longer an error if creds.json is zero length. (#3844) (@tlimoncelli)
• @das7pad found that many providers may have a bug when used concurrently and has reached out to them with code fixes. This release includes improvements for CLOUDNS, DESEC, and ROUTE53. Thanks for taking the initiative to do this, @das7pad!
• @gvengel discovered the shoutrrr module we were using was no longer supported and took the initiative to find its replacement! Thanks, @gvengel!
• And much, much, more!

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all of your contributions!

Cloudflare's Page Rules are gone.

POTENTIAL BREAKING CHANGE:

Cloudflare is removing support for Page Rules and converting them to "Single Redirects". Earlier this year DNSControl added a mechanism where Page Rules were optionally transpiled into Single Redirect regular expressions.

This translation is no longer optional. All code for Page Rules has been removed. CF_TEMP_REDIRECT and CF_REDIRECT simply generate CF_SINGLE_REDIRECT records.

The first time you run "push" with the new release, DNSControl will change the "name" field (removing the "001,", "002,", .... prefix). Also, the order of the rules may change. The order can be managed in Cloudflare's dashboard, DNSControl will not affect the order. (Though, in the future we'd like for DNSControl to enforce ordering too.)

Please "preview" and verify the changes before running "push".

BIND "filenameformat" changes

POTENTIAL BREAKING CHANGE:

Implementing the IDN changes meant some potential breaking changes to the "filenameformat" string used in the BIND provider. I think (I hope!) that the only configurations that will break are ones with uppercase Unicode runes. That said, please review the "filenameformat" section of the BIND documentation for details.

RecordConfig v2 (big news!)

DNSControl stores each DNS Record in a structure called a "RecordConfig". The format of this record was showing its age. It consumes more memory as more record types are supported, it isn't flexible, it isn't very OO, and adding new record types is very difficult. In fact, the instructions for adding new types is many pages long. Worst of all, code for each record type is splattered all over the code base instead of being centralized to one place.

About a year ago I started working on prototypes that would fix these problems. There were many challenges. How could we make adding new record types super easy? How could we migrate a lot of the work done in JavaScript to the main Go code (which would make it easier to write unit tests and use more advanced debugging tools)? How could we do all that and not break old code?

The first 2 attempts were failures but I learned a lot. In particular I learned that it wasn't feasible to convert all the existing record types immediately and instead I could make the old and new system coexist. Converting older types could come later.

I'm excited to announce "RecordConfig v2"!

• It's easier to add new DNS types.
  • DNSControl's main code does almost all the work; the code for a specific type is minimized.
  • It consolidates almost all code for a record type to a single file (and paves a path to fix the remaining exceptions)
  • You only need to know Go, instead of also needing to know JavaScript.
  • New record types and "builders" can leverage Go's testing framework, which will make brittle features like LOC and SPF_BUILDER more stable in the future.
• It works side-by-side the old RecordConfig.
  • Older types require no code changes, new types use the new system.
  • There's an obvious path to migrate existing types to use the new system eventually.
• All normalization and validation happens earlier.
  • No longer does code have to worry whether a RecordConfig has been normalized or validated because all that happens right away. Code that accesses a RecordConfig is shorter as a result.
  • IDN handling is done properly, not as an after-thought
• It creates a path towards automatic code generation.
  • Imagine DNSControl supporting any newly standardized record types automatically!

In this release RP and CF_SINGLE_REDIRECT are the only record types that use v2. One is entirely new to DNSControl, the other is an old type that's been migrated. That proves the concept works. Converting existing types will happen over the next year.

The original RecordConfig was designed in 2014. We're 11+ years smarter both about how to best use Go and what is important (and not important) to DNSControl users.

All of this is below the surface. It doesn't affect the user's experience or the format of dnsconfig.js. However in the future users will appreciate new record types and "builders" being added more rapidly and with better stability.

This change was low risk in that not many users use RP or CF_SINGLE_REDIRECT. However the change did affect many areas of the code base so please test carefully before putting v4.28.0 into production.

Feedback is appreciated!

P.S. If you are interested in converting existing types to the new system, please ping me!

Changelog

Major features:

• c11a523: FEATURE: Fixing IDN support for domains (#3879) (@tlimoncelli)
• 4d29c2c: NEW FEATURE: Empty ...

v4.27.1

Greetings DNS fans!

• POWERDNS can now manage "varients". The tag you assign to the domain ("example.com!tagname") is used as the PowerDNS varient. A flag enables this.
• INWX's enforcement of the RFC 7505 prohibition of mixed regular/null MX records is now checked at "push" instead of "preview". In other words, we let the API decide if the records are valid instead of trying to emulate (i.e. guess) INWX's algorithm.
• NETCUP now supports TLSA, POWERDNS supports the "LUA" pseudo record type.
• ROUTE53 now supports RoleArn and ExternalId.
• DKIM_BUILDER() has been refactored to improve input validation and error handling.
• ...and many documentation updates.

FYI: There was no v4.27.0 release.

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all of your contributions!

Changelog

Provider-specific changes:

• c1b90d0: INWX: Let the API (not DNSControl) enforce the RFC 7505 prohibition of mixed regular/null MX records (#3805) (@eliheady)
• 6ef0648: NETCUP: add TLSA support (#3802) (@jpschley)
• 25dd06a: POWERDNS: Map dnscontrol Tags to powerdns Variants (#3803) (@pefeigl)
• 2a4e250: POWERDNS: New record type: LUA (#3815) (@eratzlaff)
• 8f13dd1: POWERDNS: Split horizon feature now enabled by flag (#3829) (@eratzlaff)
• a1e74eb: POWERDNS: Zone creation now abides by variant tags (#3830) (@eratzlaff)
• 24f602a: feat(Route53): Add support for RoleArn and ExternalId #3816 (#3817) (@kevinneufeld)

Documentation:

• f365902: DOCS: Add internals for ordering (#3811) (@blackshadev)

CI/CD:

• 70c1feb: Build(deps): Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#3806) (@dependabot[bot])
• 2df7a9d: Build(deps): Bump alpine from 3.22.1 to 3.22.2 (#3818) (@dependabot[bot])
• b7c4cac: fix(DKIM_BUILDER): allow empty pubkey (#3800) (@matteotrubini)
• d8aa890: refactor(DKIM_BUILDER): improve input validation and error handling (#3812) (@matteotrubini)

Dependencies:

• 60e5fa6: CHORE: Update dependencies (#3825) (@tlimoncelli)
• 71c2cc2: CHORE: Update dependencies (#3831) (@tlimoncelli)

Other changes and improvements:

• bfc2b26: CHORE: generate-all.sh (#3827) (@tlimoncelli)
• 237de6f: docs(backups) Emphasize the warning about BIND backups (#3799) (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.26.0

Greetings DNS fans!

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all of your contributions!

For many years users have complained that the validation messages don't report which line contains the error... and rightfully so! It's pretty difficult to debug a problem when you don't know where to look. Sadly the JavaScript interpreter we use doesn't make it easy. I finally found a way. It isn't clean nor pretty but it works! Sadly we can't extract the filename, but at least we're moving in the right direction.

Here's an example where the error is 5 chars into line 1882:

2025/10/10 13:34:44 ERROR: [line::1882:5]: MX example.com: target (mx.sendgrid.net) must end with a (.) [https://docs.dnscontrol.org/language-reference/why-the-dot]

Changelog

Major features:

• 3eddfcd: feat(validation): Validation errors now include the line number (#3788)
• a71b89e: NEW FEATURE: Add SMIMEA support for BIND and deSEC (#3786) (@ClusterJan)

Provider-specific changes:

• 9b32a2f: NAMECHEAP: Enable get-zones (#3775) (@willpower232)

Documentation:

• 2122390: DOCS: Fill some question marks for cloudns (#3767) (@louis-lau)

CI/CD:

• 2be2b0f: Build(deps): Bump actions/cache from 4.2.4 to 4.3.0 (#3776) (@dependabot[bot])
• 68edb2e: Build(deps): Bump tar-fs from 3.0.9 to 3.1.1 (#3783) (@dependabot[bot])

Dependencies:

• 30d91d5: CHORE: Update deps (#3782) (@tlimoncelli)
• db21e30: Update deps (#3790) (@tlimoncelli)

Other changes and improvements:

• 5f4e1ef: NS1: Fix NAPTR special case (#3785) (@tlimoncelli)
• 589cb77: CAA: Support issuemail / issuevmc tag in CAA builder (#3774) (@psuet)
  (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.25.0

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all of your contributions!

Two highlights in this release:

The ability to limit concurrency has been a frequent request. The --cmax flag now lets you control that. This is particularly useful for AXFRDDNS users who are frequently talking to DNS servers that protect themselves by limiting how many TCP connections they will accept at any given moment.

Users of the SPF optimizer will appreciate no longer having to update the spfcache.json file. Simply delete it and the SPF cache is disabled. It probably never was useful anyway.

Changelog

Major features:

• 850a2bd: FEATURE: "--cmax n" limits preview/push concurrency to n connections (#3764) (@tlimoncelli)
• f2ff95a: FEATURE: Optionally disable spfcache.json (#3765) (@tlimoncelli)
• f874b5f: FEATURE: Support RFC 9495 issuemail tag in CAA records (#3762) (@networkException)

Provider-specific changes:

• cca9a1e: DESEC: improve formatting of DS records on domain creation (#3766) (@eliheady)
• 9e77938: GANDI_V5: Increase API timeouts (#3770) (@tlimoncelli)

Documentation:

• 8b73de0: DOCS: Fix many minor typos (#3752) (@eliheady)

CI/CD:

• e14c804: Build(deps): Bump actions/setup-go from 5 to 6 (#3763) (@dependabot[bot])

Dependencies:

• 1abb11d: CHORE: Update dependencies (#3771) (@tlimoncelli)

Other changes and improvements:

• 3f8e09d: CHORE: Upgrade aws-sdk-go-v2 (#3759) (@tlimoncelli)
• b529bc6: CHORE: Upgrade github.com/failsafe-go/failsafe-go v0.6.9 to v0.7.0 (#3760) (@tlimoncelli)
• 6e0c7b1: Make native telegram alert text similar to shoutrrr (#3750) (@aminvakil)
• 3088ec6: Revert "Upgrade aws-sdk-go-v2" (@tlimoncelli)
• b933492: Upgrade aws-sdk-go-v2 (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.24.0

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all our contributors!

Changelog

Provider-specific changes:

• c858e8f: AXFRDDNS: Chunk large changes in multiple packets (#3732) (@Mynacol)
• 3799f8b: AXFRDDNS: Enable DNS compression for DDNS (#3730) (@Mynacol)
• 89ac03f: PORKBUN: Configurable retry parameters (#3746) (@jamesog)
• 2b2f9d9: REALTIMEREGISTER: Allow 0 prio for MX records (#3724) (@PJEilers)
• 43e7dd5: REALTIMEREGISTER: SRV prio 0 (#3725) (@PJEilers)

Documentation:

• a41e8d2: DOCS: AXFR+DDNS uses TCP by default (#3713) (@Mynacol)
• b2c88ac: DOCS: AdGuardHome feedback (#3701) (@cafferata)
• 9edeb73: DOCS: Added requested provider Yandex Cloud DNS (#3738) (@klemensn)
• 60bbab6: DOCS: Clarification on quotes in TXT record. (#3721) (@cafferata)

CI/CD:

• ccc164a: Build(deps): Bump actions/cache from 4.2.3 to 4.2.4 (#3722) (@dependabot[bot])
• b9b4d77: Build(deps): Bump actions/checkout from 4 to 5 (#3723) (@dependabot[bot])
• e423cc8: Build(deps): Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#3743) (@dependabot[bot])

Dependencies:

• 45c98b9: CHORE: Update dependencies (#3747) (@tlimoncelli)
• 921f13e: CHORE: Update deps (#3714) (@tlimoncelli)
• 02ac788: CHORE: Update deps (#3745) (@tlimoncelli)
• 4ee1ed6: CHORE: upgrade deps, fix OPENPGPKEY test (#3726) (@tlimoncelli)

Other changes and improvements:

• e79c43f: DOCS/rtypes: consistently use pushd (#3719) (@tacerus)
• 8c8948e: NEW RECORD TYPE: OPENPGPKEY (basic) (#3718) (@tacerus)
• 3645e33: security fix: Prevent exposure of creds in debug output (#3733) (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.23.0

Greetings, DNS fans!

Breaking changes:

• The --populate-on-preview flag now defaults to false, which is safer and matches user expectation that preview never mutates (#3693) (@tlimoncelli)

Highlights

• NEW PROVIDER: Joker (Thanks @atrull!)
• NEW FEATURE: DKIM_BUILDER() (Thanks @costasd!)
• Zone creation and gathering is now more reliable and handles errors better (Thanks @gvengel!)
• Users now receive a warning if they use IGNORE() or NO_PURGE on providers that can not implement them reliably
• DIGITALOCEAN upgraded to use the "diff2" engine, which is more modern and makes IGNORE() and NO_PURGE reliable. (Thanks @Deraen!)
• FORTIGATE now handles NS and MX records (Thanks @KlettIT!)
• Tons of doc improvements (Thanks @cafferata!)

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all our contributors!

Sincerely,
Tom

Changelog

Major features:

• c842eb2: NEW FEATURE: DKIM_BUILDER() adds a DKIM record builder (#3627) (@costasd)

Provider-specific changes:

• 58afc59: ADGUARDHOME: updated documentation with links to AGH pages (#3672) (@ishanjain28)
• 304ce4c: AXFRDDNS: Fix spurious AUTODNSSEC warnings (#3703) (@bgilmore)
• 8b8d677: CNR: nameserver corrections should be case insensitive (#3681) (@KaiSchwarz-cnic)
• 66e7fd4: DIGITALOCEAN: Enable DocDualHost feature (#3698) (@Deraen)
• 91c1436: DIGITALOCEAN: Use diff2 to implement digitalocean provider (#3695) (@Deraen)
• 3f4f9b8: DNSIMPLE: DOCS: handle multiple provider instances (#3678) (@philpennock)
• 570477f: DNSIMPLE: pedantic correctness fix for concurrency (#3677) (@philpennock)
• af5907a: DNSIMPLE: preview data is now gathered concurrently (CanConcur) (#3675) (@philpennock)
• a815bdc: FORTIGATE: Add NS and MX record support (#3671) (@KlettIT)
• 1e8d720: GCORE: update create zone call signature from latest SDK (#3712) (@xddxdd)
• ca64774: Joker: Implement DNS Provider (#3661) (@atrull)
• e84925b: Loopia: feature updates (#3686) (@systemcrash)

Documentation:

• 6cf9243: DOCS: Add link on homepage to test-a-branch (#3689) (@tlimoncelli)
• 088ea41: DOCS: Getting started get-zones (feedback) (#3700) (@cafferata)
• b0a57e5: DOCS: Improve docs and error messages related to apex domains (#3690) (@tlimoncelli)
• a9243aa: DOCS: Improve grammar/typos in AXFR+DDNS provider documentation (#3697) (@backeby)
• 7174d89: DOCS: Remove get-certs and MSDNS from release notes (#3669) (@gucci-on-fleek)
• 1f86d69: DOCS: Warn that "" should be "@" in error messages & docs. Update docs to suggest safer onboarding process. (#3691) (@tlimoncelli)
• ecbc499: DOCS: expand upon concurrency (#3676) (@philpennock)

CI/CD:

• edf3111: Build(deps): Bump alpine from 3.22.0 to 3.22.1 (#3705) (@dependabot[bot])
• f350185: CICD: Update PR instructions (#3688) (@tlimoncelli)

Dependencies:

• 953e386: CHORE: Update dependencies (@tlimoncelli)
• 33e87d9: CHORE: Update dependencies (#3711) (@tlimoncelli)

Other changes and improvements:

• 51b5056: Add docs (@tlimoncelli)
• 30fedaa: BUG: Improve error handling during zone population and gathering (#3694) (@gvengel)
• b947bdd: CHORE: generate-all.sh (#3699) (@tlimoncelli)
• 65a2a4f: Require Go 1.24 or higher (#3696) (@tlimoncelli)
• b578604: Revert "Add docs" (@tlimoncelli)
• 6105082: TESTING: Exempt 4 providers from NS_only_APEX test (#3687) (@tlimoncelli)
• 74f2005: The --populate-on-preview flag now defaults to false, which is safer (POSSIBLE BREAKING CHANGE) (#3693) (@tlimoncelli)
• 633196e: Warn if IGNORE() is unreliable for this provider (#3683) (@tlimoncelli)
• 78c2313: fmt (#3684) (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.22.0

Greetings, DNS fans!

This is a BIG release! You should do extra testing before you put this into production. MSDNS and get-certs are removed. 2 new providers added. Many, many, other improvements!

Breaking changes:

• get-certs subcommand is removed. It has been unsupported since December 2022 and warnings that it would be removed in July 2025 started about a year ago.
• MSDNS (ActiveDirectory DNS) provider has been removed, as it can no longer be supported.

Other exciting news:

• New providers: ADGUARDHOME, FORTIGATE
• These providers now support concurency: LUADNS, MYTHICBEASTS, PORKBUN
• The --notify flag now makes errors visible to ease debugging
• The documentation list of providers is reorganized into smaller charts
• Many documentation fixes including many broken links now work
• The User-Agent now properly includes a version number
• Many, many, dependencies have been upgraded, including the newest PowerDNS and LUADNS SDKs.

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all our contributors!

Sincerely,
Tom

Changelog

Major features:

• d042b3e: FEATURE: --notify now makes errors visible to make debugging easier (#3614) (@hmoffatt)
• 3ea7ea8: FEATURE: Support ignoring the ech= parameter in HTTPS/SVCB RR types (#3485) (@gucci-on-fleek)
• e1830ab: NEW PROVIDER: ADGUARDHOME (#3638) (@ishanjain28)

Provider-specific changes:

• 855624a: DIGITALOCEAN: DOCS: update instructions for creating API token (#3617) (@hmoffatt)
• 5a2a53c: FORTIGATE: Fix init provider (#3654) (@KlettIT)
• e9b49e2: LUADNS: Support HTTPS record type, enable concurrency, adopt newest SDK (#3640) (@riku22)
• 4efa09b: MYTHICBEASTS: Mark as concurrent verified. (#3631) (@tomfitzhenry)
• e5eab4f: MYTHICBEASTS: Performance improvement: Use the OAuth2 client credentials protocol (#3629) (@tomfitzhenry)
• 75821a8: NS1: code reorganization (#3622) (@costasd)
• 4ce1935: PORKBUN: Improve retry handling, mark as concurrent (#3652) (@jamesog)
• 4672409: PORKBUN: fix SVCB params (#3650) (@imlonghao)

Documentation:

• 0d081ba: DOCS: RWTH provider is only available via the intranet (#3497) (#3623) (@MisterErwin)
• a8c41d9: DOCS: Added requested provider Sav.com (#3635) (@cafferata)
• 1a7cb20: DOCS: Added requested providers Scaleway (#3609) (@cafferata)
• 0a4162f: DOCS: How to add a requested provider (#3636) (@cafferata)
• 1f8b7d0: DOCS: Linkspector URI fixes (#3625) (@cafferata)
• e5f4d97: DOCS: [GitBook] Refactor structure to match URL paths and fix missing page links (#3613) (@cafferata)
• b2e3775: DOCS: add links to help jump to provider table anchors (#3619) (@chicks-net)

CI/CD:

• adfe033: Build(deps): Bump brace-expansion from 2.0.1 to 2.0.2 (#3632) (@dependabot[bot])
• 9fc9814: Build(deps): Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#3644) (@dependabot[bot])

Dependencies:

• 0d60e0c: CHORE: Update dependencies (#3643) (@tlimoncelli)
• 6fdbac7: CHORE: Update dependencies (#3659) (@tlimoncelli)
• f825243: CHORE: Update dependencies (#3666) (@tlimoncelli)
• b66251b: CHORE: update dependencies and fmt (#3655) (@tlimoncelli)

Other changes and improvements:

• 919ce24: BUG: Fix --notify on preview and on error (#3616) (@hmoffatt)
• 74e1bb5: BUG: Output better "version" string when running main.go directly (#3658) (@jamesog)
• cd8892f: BUG: User-Agent should include DNSControl version (#3653) (@jamesog)
• d37736e: CHORE: Linting (#3645) (@tlimoncelli)
• a0d04a1: CHORE: Remove "get-certs" command (#3657) (@tlimoncelli)
• 1ccd5eb: CHORE: Remove the MSDNS provider (#3656) (@tlimoncelli)
• a8a3ea7: CHORE: remove unused module pkg/acme (get-certs) (#3667) (@tlimoncelli)
• 3bdbb48: NEW PROVIDE: FORTIGATE (#3642) (@KlettIT)
• 874ba79: REFACTOR: Rename commands/zonecache.go (#3646) (@tlimoncelli)
• 8a6baa7: Reapply "CHORE: Remove the MSDNS provider (#3656)" (@tlimoncelli)
• 81a916c: Remove docs (@tlimoncelli)
• e0e610c: Remove docs (@tlimoncelli)
• e9f1360: Revert "CHORE: Remove the MSDNS provider (#3656)" (@tlimoncelli)
• 50e4bfb: Revert "Remove docs" (@tlimoncelli)
• c5e9cd1: Revert "Remove docs" (@tlimoncelli)
• 188343d: Revert "remove commands/getCerts.go" (@tlimoncelli)
• e3b6141: chore: update go-powerdns to v0.6.7 and adjust SOAEditAPI type (#3664) (@jpbede)
• 1fa31c7: remove commands/getCerts.go (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• MSDNS maintainer needed! Without a new volunteer, this DNS provider will lose support after April 2025. See #2878
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.
• get-certs/ACME support is frozen and will be removed without notice between now and July 2025. It has been unsupported since December 2022. If you don't use this feature, do not start. If you do use this feature, migrate ASAP. See discussion in issues/1400

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.

v4.21.0

Greetings, DNS fans!

What's new? GCORE and NS1 now handle zone creation and listing better. I'm also excited to announce the new "providers page" (which is auto-generated). It is much more readable. Many people were involved in this change, with @chicks-net taking the lead and writing the code. View the results here: https://docs.dnscontrol.org/provider/index

There were many documentation updates and bugfixes.

Reminder: get-certs (cert renewals) and the MSDNS provider are scheduled to be removed in July 2025. See below.

Thanks to all contributors involved in this release! This is a community project and we couldn't do it without all our contributors!

Sincerely,
Tom

Changelog

Provider-specific changes:

• cdbd540: GANDI_V5: BUGFIX: Uppercase labels fail to update (#3582) (@tlimoncelli)
• 113c1ac: GCORE: Implement ListZones to allow auto create zones (#3588) (@xddxdd)
• 08a6af8: NS1: Add missing ListZones() (#3600) (@costasd)

Documentation:

• 87cd4f4: DOCS: generate smaller tables for feature matrix (2nd try) (#3589) (@chicks-net)
• 8c69cee: DOCS: Update providers and registrars list to latest (#3580) (@matteotrubini)
• 52e7caa: DOCS: Update reference to providers index in PR submission checklist (#3575) (@jbelien)
• e140acb: CNR: Update docs with proper Nameserver example (#3592) (@mejofi)
• 6e96b76: DOCS: Add Porkbun as supported registrar and update usage examples (#3578) (@matteotrubini)
• 1d148f4: DOCS: document redirect types (#3585) (@willpower232)

CI/CD:

• c32432e: BUILD: GoReleaser changelog dependencies regex (#3593) (@cafferata)
• 75a66e4: Build(deps): Bump alpine from 3.21.3 to 3.22.0 (#3599) (@dependabot[bot])
• bf5a425: Build(deps): Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.9.0 to 1.10.0 (#3595) (@dependabot[bot])
• d7d5a6b: Build(deps): Bump github.com/digitalocean/godo from 1.146.1 to 1.150.0 (#3596) (@dependabot[bot])
• b7df6d5: Build(deps): Bump github.com/huaweicloud/huaweicloud-sdk-go-v3 from 0.1.148 to 0.1.152 (#3598) (@dependabot[bot])
• cffa7e4: Build(deps): Bump github.com/mittwald/go-powerdns from 0.6.6 to 0.6.7 (#3594) (@dependabot[bot])
• 9af2e8a: Build(deps): Bump github.com/oracle/oci-go-sdk/v65 from 65.91.0 to 65.92.0 (#3597) (@dependabot[bot])
• 437e46f: Build(deps): Bump tar-fs from 3.0.8 to 3.0.9 (#3601) (@dependabot[bot])

Dependencies:

• 217f410: CHORE: Update dependencies (#3602) (@tlimoncelli)
• df7bf9f: CHORE: Update dependencies (#3604) (@tlimoncelli)

Deprecation warnings

Warning

• REV() will switch from RFC2317 to RFC4183 in v5.0. This is a breaking change. Warnings are output if your configuration is affected. No date has been announced for v5.0. See https://docs.dnscontrol.org/language-reference/top-level-functions/revcompat
• MSDNS maintainer needed! Without a new volunteer, this DNS provider will lose support after April 2025. See #2878
• NAMEDOTCOM and SOFTLAYER need maintainers! These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.
• get-certs/ACME support is frozen and will be removed without notice between now and July 2025. It has been unsupported since December 2022. If you don't use this feature, do not start. If you do use this feature, migrate ASAP. See discussion in issues/1400

Install

macOS and Linux

Install with Homebrew (recommended)

brew install dnscontrol

Using with Docker

You can use the Docker image from Docker hub or GitHub Container Registry.

docker run --rm -it -v "$(pwd):/dns" ghcr.io/stackexchange/dnscontrol preview

Anywhere else

Alternatively, you can install the latest binary (or the apt/rpm/deb/archlinux package) from this page.

Or, if you have Go installed, you can install the latest version of DNSControl with the following command:

go install github.com/StackExchange/dnscontrol/v4@main

Update

Update to the latest version depends on how you choose to install dnscontrol on your machine.

Update with Homebrew

brew upgrade dnscontrol

Alternatively, you can grab the latest binary (or the apt/rpm/deb package) from this page.