Configuration reference

Providers options

List of options

aliyun
  • auth_key_id Specify access key id for authentication
  • auth_secret Specify access secret for authentication

Note

Aliyun Provider requires an access key id and access secret with full rights on dns. Better to use RAM on Aliyun cloud to create a specified user for the dns operation. The referrence for Aliyun DNS production: https://help.aliyun.com/product/29697.html

aurora
  • auth_api_key Specify api key for authentication
  • auth_secret_key Specify the secret key for authentication
azure
  • auth_client_id Specify the client id (aka application id) of the app registration
  • auth_client_secret Specify the client secret of the app registration
  • auth_tenant_id Specify the tenant id (aka directory id) of the app registration
  • auth_subscription_id Specify the subscription id attached to the resource group
  • resource_group Specify the resource group hosting the dns zone to edit

Note

The Azure provider orchestrates the DNS zones hosted in a resource group for a subscription in Microsoft Azure Cloud. To authenticate, an App registration must be created in an Azure Active Directory. This App registration must be granted Admin for API permissions to Domain.ReadWrite.All” to this Active Directory, and must have a usable Client secret.

cloudflare
  • auth_username Specify email address for authentication (for global api key only)
  • auth_token Specify token for authentication (global api key or api token)
  • zone_id Specify the zone id (if set, api token can be scoped to the target zone)

Note

There are two ways to provide an authentication granting edition to the target CloudFlare DNS zone. 1 - A Global API key, with –auth-username and –auth-token flags. 2 - An unscoped API token (permissions Zone:Zone(read) + Zone:DNS(edit) for all zones), with –auth-token flag. 3 - A scoped API token (permissions Zone:Zone(read) + Zone:DNS(edit) for one zone), with –auth-token and –zone-id flags.

cloudns
  • auth_id Specify user id for authentication
  • auth_subid Specify subuser id for authentication
  • auth_subuser Specify subuser name for authentication
  • auth_password Specify password for authentication
  • weight Specify the srv record weight
  • port Specify the srv record port
cloudxns
  • auth_username Specify api-key for authentication
  • auth_token Specify secret-key for authentication
conoha
  • auth_region Specify region. if empty, region ‘tyo1’ will be used.
  • auth_token Specify token for authentication. if empty, the username and password will be used to create a token.
  • auth_username Specify api username for authentication. only used if –auth-token is empty.
  • auth_password Specify api user password for authentication. only used if –auth-token is empty.
  • auth_tenant_id Specify tenand id for authentication. only used if –auth-token is empty.
constellix
  • auth_username Specify the api key username for authentication
  • auth_token Specify secret key for authenticate=
ddns
  • auth_token Specify the key used in format <alg>:<key_id>:<secret>
  • ddns_server Specify ip of the ddns server
digitalocean
  • auth_token Specify token for authentication
dinahosting
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication
directadmin
  • auth_password Specify password for authentication (or login key for two-factor authentication)
  • auth_username Specify username for authentication
  • endpoint Specify the directadmin endpoint
dnsimple
  • auth_token Specify api token for authentication
  • auth_username Specify email address for authentication
  • auth_password Specify password for authentication
  • auth_2fa Specify two-factor auth token (otp) to use with email/password authentication
dnsmadeeasy
  • auth_username Specify username for authentication
  • auth_token Specify token for authentication
dnspark
  • auth_username Specify api key for authentication
  • auth_token Specify token for authentication
dnspod
  • auth_username Specify api id for authentication
  • auth_token Specify token for authentication
dreamhost
  • auth_token Specify api key for authentication
dynu
  • auth_token Specify api key for authentication
easydns
  • auth_username Specify username for authentication
  • auth_token Specify token for authentication
easyname
  • auth_username Specify username used to authenticate
  • auth_password Specify password used to authenticate

Note

A provider for Easyname DNS.

euserv
  • auth_username Specify email address for authentication
  • auth_password Specify password for authentication
exoscale
  • auth_key Specify api key for authentication
  • auth_secret Specify api secret for authentication
gandi
  • auth_token Specify gandi api key
  • api_protocol (optional) specify gandi api protocol to use: rpc (default) or rest
gehirn
  • auth_token Specify access token for authentication
  • auth_secret Specify access secret for authentication
glesys
  • auth_username Specify username (cl12345)
  • auth_token Specify api key
godaddy
  • auth_key Specify the key to access the api
  • auth_secret Specify the secret to access the api
googleclouddns
  • auth_service_account_info
    specify the service account info in the google json format: can be either the path of a file prefixed by ‘file::’ (eg. file::/tmp/service_account_info.json) or the base64 encoded content of this file prefixed by ‘base64::’ (eg. base64::eyjhbgcioyj…)

Note

The Google Cloud DNS provider requires the JSON file which contains the service account info to connect to the API. This service account must own the project role DNS > DNS administrator for the project associated to the DNS zone. You can create a new service account, associate a private key, and download its info through this url: https://console.cloud.google.com/iam-admin/serviceaccounts?authuser=2

gransy
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication

Note

DNS manipulation provider for Gransy sites subreg.cz, regtons.com and regnames.eu.

gratisdns
  • auth_username Specify email address for authentication
  • auth_password Specify password for authentication
henet
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication

Note

A provider for Hurricane Electric DNS.
NOTE: THIS DOES NOT WORK WITH 2-FACTOR AUTHENTICATION.
YOU MUST DISABLE IT IF YOU’D LIKE TO USE THIS PROVIDER.
hetzner
  • auth_token Specify hetzner dns api token
hostingde
  • auth_token Specify api key for authentication
hover
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication
infoblox
  • auth_user Specify the user to access the infoblox wapi
  • auth_psw Specify the password to access the infoblox wapi
  • ib_view Specify dns view to manage at the infoblox
  • ib_host Specify infoblox host exposing the wapi
infomaniak
  • auth_token Specify the token

Note

Infomaniak Provider requires a token with domain scope. It can be generated for your Infomaniak account on the following URL: https://manager.infomaniak.com/v3/infomaniak-api

internetbs
  • auth_key Specify api key for authentication
  • auth_password Specify password for authentication
inwx
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication
joker
  • auth_token Specify the api key to connect to the joker.com api

Note

The Joker.com provider requires a valid token for authentication. You can create one in the section ‘Manage Joker.com API access keys’ of ‘My Profile’ in your Joker.com account.

linode
  • auth_token Specify api key for authentication
linode4
  • auth_token Specify api key for authentication
localzone
  • filename Specify location of zone master file
luadns
  • auth_username Specify email address for authentication
  • auth_token Specify token for authentication
memset
  • auth_token Specify api key for authentication
misaka
  • auth_token Specify token for authentication
mythicbeasts
  • auth_username Specify api credentials username
  • auth_password Specify api credentials password
  • auth_token Specify api token for authentication

Note

There are two ways to provide an authentication granting access to the Mythic Beasts API 1 - With your API credentials (user/password), using –auth-username and –auth-password flags. 2 - With an API token, using –auth-token flags. These credentials and tokens must be generated using the Mythic Beasts API v2.

namecheap
  • auth_token Specify api token for authentication
  • auth_username Specify username for authentication
  • auth_client_ip Client ip address to send to namecheap api calls
  • auth_sandbox Whether to use the sandbox server
namecom
  • auth_username Specify a username
  • auth_token Specify an api token
namesilo
  • auth_token Specify key for authentication
netcup
  • auth_customer_id Specify customer number for authentication
  • auth_api_key Specify api key for authentication
  • auth_api_password Specify api password for authentication
nfsn
  • auth_username Specify username used to authenticate
  • auth_token Specify token used to authenticate
njalla
  • auth_token Specify api token for authentication
nsone
  • auth_token Specify token for authentication
oci
  • auth_config_file The full path including filename to an oci configuration file.
  • auth_profile The name of the profile to use (case-sensitive).
  • auth_user The ocid of the user calling the api.
  • auth_tenancy The ocid of your tenancy.
  • auth_fingerprint The fingerprint for the public key that was added to the calling user.
  • auth_key_content The full content of the calling user’s private signing key in pem format.
  • auth_key_file The full path including filename to the calling user’s private signing key in pem format.
  • auth_pass_phrase If the private key is encrypted, the pass phrase must be provided.
  • auth_region An oci region identifier. select the closest region for best performance.
  • auth_type Valid options are ‘api_key’ (default) or ‘instance_principal’.

Note

Oracle Cloud Infrastructure (OCI) DNS provider

onapp
  • auth_username Specify email address of the onapp account
  • auth_token Specify api key for the onapp account
  • auth_server Specify url to the onapp control panel server

Note

The OnApp provider requires your OnApp account’s email address and API token, which can be found on your /profile page on the Control Panel interface. The server is your dashboard URL, with format like https://dashboard.youronapphost.org

online
  • auth_token Specify private api token
ovh
  • auth_entrypoint Specify the ovh entrypoint
  • auth_application_key Specify the application key
  • auth_application_secret Specify the application secret
  • auth_consumer_key Specify the consumer key

Note

OVH Provider requires a token with full rights on /domain/. It can be generated for your OVH account on the following URL: https://api.ovh.com/createToken/index.cgi?GET=/domain/*&PUT=/domain/*&POST=/domain/*&DELETE=/domain/

plesk
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication
  • plesk_server Specify url to the plesk web ui, including the port
pointhq
  • auth_username Specify email address for authentication
  • auth_token Specify token for authentication
porkbun
  • auth_key Specify api key for authentication
  • auth_secret Specify secret api key for authentication

Note

To authenticate with Porkbun, you need both an API key and a secret API key. These can be created at porkbun.com/account/api .

powerdns
  • auth_token Specify token for authentication
  • pdns_server Uri for powerdns server
  • pdns_server_id Server id to interact with
  • pdns_disable_notify Disable slave notifications from master
rackspace
  • auth_account Specify account number for authentication
  • auth_username Specify username for authentication. only used if –auth-token is empty.
  • auth_api_key Specify api key for authentication. only used if –auth-token is empty.
  • auth_token Specify token for authentication. if empty, the username and api key will be used to create a token.
  • sleep_time Number of seconds to wait between update requests.
rage4
  • auth_username Specify email address for authentication
  • auth_token Specify token for authentication
rcodezero
  • auth_token Specify token for authentication
route53
  • auth_access_key Specify access_key for authentication
  • auth_access_secret Specify access_secret for authentication
  • private_zone Indicates what kind of hosted zone to use. if true, use only private zones. if false, use only public zones
  • zone_id The aws hostedzone id to use; e.g. ‘a1b2zabcdefghi’
  • auth_username Alternative way to specify the access_key for authentication
  • auth_token Alternative way to specify the access_secret for authentication
safedns
  • auth_token Specify the api key to authenticate with

Note

SafeDNS provider requires an API key in all interactions. You can generate one for your account on the following URL: https://my.ukfast.co.uk/applications/index.php

sakuracloud
  • auth_token Specify access token for authentication
  • auth_secret Specify access secret for authentication
softlayer
  • auth_username Specify username for authentication
  • auth_api_key Specify api private key for authentication
transip
  • auth_username Specify username for authentication
  • auth_api_key Specify the private key to use for api authentication, in pem format: can be either the path of the key file (eg. /tmp/key.pem) or the base64 encoded content of this file prefixed by ‘base64::’ (eg. base64::eyjhbgcioyj…)
  • auth_key_is_global Set this flag is the private key used is a global key with no ip whitelist restriction
ultradns
  • auth_token Specify token for authentication; if not set –auth-token, –auth-password are used
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication
valuedomain
  • auth_token Specify youyr api token

Note

Value Domain requires a token to access its API. You can generate one for your account on the following URL: https://www.value-domain.com/vdapi/

vercel
  • auth_token Specify your api token

Note

Vercel provider requires a token to access its API. You can generate one for your account on the following URL: https://vercel.com/account/tokens

vultr
  • auth_token Specify token for authentication
webgo
  • auth_username Specify username for authentication
  • auth_password Specify password for authentication

Note

A provider for Webgo.

yandex
yandexcloud
zeit
  • auth_token Specify your api token

Note

Vercel provider requires a token to access its API. You can generate one for your account on the following URL: https://vercel.com/account/tokens

zilore
  • auth_key Specify the zilore api key to use

Note

Zilore API requires an API key that can be found in your Zilore profile, at the API tab. The API access is available only for paid plans.

zonomi
  • auth_token Specify token for authentication
  • auth_entrypoint Use zonomi or rimuhosting api

Passing provider options to Lexicon

There are three ways to pass a provider option to Lexicon (we suppose here that the provider option is named auth_token):

  • by CLI flag: set the flag --auth-token to Lexicon while invoking it, for instance:

    $ lexicon cloudflare create domain.net TXT --name foo --content bar --auth-token YOUR_TOKEN
    
  • by environment variable: set the environment variable LEXICON_CLOUDFLARE_AUTH_TOKEN, for instance:

    $ LEXICON_CLOUDFLARE_AUTH_TOKEN=YOUR_TOKEN cloudflare create domain.net TXT --name foo --content bar
    
  • by configuration file: construct a configuration file containing the provider options, for instance:

    $ cat /path/to/config/lexicon.yml
    cloudflare:
      auth_token: YOUR_TOKEN
    $ lexicon cloudflare create domain.net TXT --name foo --content bar --config-dir /path/to/config
    

    Note

    Lexicon will look for two types of configuration files in the provided path to --config-dir (current workdir by default): a general configuration file named lexicon.yml and a provider-specific configuration file named lexicon_[PROVIDER_NAME].yml.

    For a general configuration file, provider options need be set under a key named after the provider:

    # /path/to/config/lexicon.yml
    cloudflare:
      auth_token: YOUR_TOKEN
    

    For a provider-specific configuration file, provider options need to be set at the root:

    # /path/to/config/lexicon_cloudflare.yml
    auth_token: YOUR_TOKEN
    

Passing general options to Lexicon

General options are options not specific to a provider, like delegated. They can be passed like the provider options (by CLI, by environment variable or by configuration file). Please note that for configuration file, options will be set at the root, and cannot be set in provider-specific configuration files.

# /path/to/config/lexicon.yml
delegated: domain.net
cloudflare:
  ...

The auto provider

The auto provider is a special provider. It resolves dynamically the actual provider to use based on the domain provided to Lexicon. To do so, it resolves the nameservers that serve the DNS zone for this domain, and find the relevant DNS provider based on an internal map that associates each DNS provider to its known nameservers.

Basically if domain.net is served by CloudFlare, and a TXT entry needs to be inserted in this domain, you can use the following command:

lexicon auto create domain.net TXT --name foo --content bar

The options specific to the actual provider that will be used still need to be set, by CLI flags, environment variables or configuration files. However for CLI, each option name will be prefixed with [ACTUAL_PROVIDER]- when passed to auto. For instance, the auth_token option for cloudflare will be passed using --cloudflare-auth-token.