Configuration reference

Providers options

Providers available

Lexicon currently supports 88 providers:

aliyun	arvancloud	aurora	azure	cloudflare
cloudns	cloudxns	conoha	constellix	ddns
devnomads	digitalocean	dinahosting	directadmin	dnsimple
dnsmadeeasy	dnspark	dnspod	dnsservices	dreamhost
duckdns	dynu	easydns	easyname	euserv
exoscale	flexibleengine	gandi	gehirn	glesys
godaddy	googleclouddns	gransy	gratisdns	henet
hetzner	hostingde	hover	infoblox	infomaniak
internetbs	inwx	ionos	joker	linode
linode4	localzone	luadns	memset	misaka
mythicbeasts	namecheap	namecom	namesilo	netcup
nfsn	njalla	nsone	oci	onapp
online	ovh	plesk	pointhq	porkbun
powerdns	qcloud	rackspace	rage4	rcodezero
regfish	route53	safedns	sakuracloud	scaleway
softlayer	timeweb	transip	ultradns	valuedomain
vercel	vultr	wedos	yandex	yandexcloud
zeit	zilore	zonomi

List of options

aliyun

• auth_key_id Specify access key id for authentication

• auth_secret Specify access secret for authentication

Note

Aliyun Provider requires an access key id and access secret with full rights on dns. Better to use RAM on Aliyun cloud to create a specified user for the dns operation. The referrence for Aliyun DNS production: https://help.aliyun.com/product/29697.html

arvancloud

• auth_token Specify key for authentication (api key)

aurora

• auth_api_key Specify api key for authentication

• auth_secret_key Specify the secret key for authentication

azure

• auth_client_id Specify the client id (aka application id) of the app registration

• auth_client_secret Specify the client secret of the app registration

• auth_tenant_id Specify the tenant id (aka directory id) of the app registration

• auth_subscription_id Specify the subscription id attached to the resource group

• resource_group Specify the resource group hosting the dns zone to edit

Note

The Azure provider orchestrates the DNS zones hosted in a resource group for a subscription in Microsoft Azure Cloud. To authenticate, an App registration must be created in an Azure Active Directory. This App registration must be granted Admin for API permissions to Domain.ReadWrite.All” to this Active Directory, and must have a usable Client secret.

cloudflare

• auth_username Specify email address for authentication (for global api key only)

• auth_token Specify token for authentication (global api key or api token)

• zone_id Specify the zone id (if set, api token can be scoped to the target zone)

Note

There are two ways to provide an authentication granting edition to the target CloudFlare DNS zone.

1 - A Global API key, with –auth-username and –auth-token flags.

2 - An unscoped API token (permissions Zone:Zone(read) + Zone:DNS(edit) for all zones), with –auth-token flag.

3 - A scoped API token (permissions Zone:Zone(read) + Zone:DNS(edit) for one zone), with –auth-token and –zone-id flags. Finding zone_id value is explained in CloudFlare Doc

cloudns

• auth_id Specify user id for authentication

• auth_subid Specify subuser id for authentication

• auth_subuser Specify subuser name for authentication

• auth_password Specify password for authentication

• weight Specify the srv record weight

• port Specify the srv record port

cloudxns

• auth_username Specify api-key for authentication

• auth_token Specify secret-key for authentication

conoha

• auth_region Specify region. if empty, region ‘tyo1’ will be used.

• auth_token Specify token for authentication. if empty, the username and password will be used to create a token.

• auth_username Specify api username for authentication. only used if –auth-token is empty.

• auth_password Specify api user password for authentication. only used if –auth-token is empty.

• auth_tenant_id Specify tenand id for authentication. only used if –auth-token is empty.

constellix

• auth_username Specify the api key username for authentication

• auth_token Specify secret key for authenticate=

ddns

• auth_token Specify the key used in format <alg>:<key_id>:<secret>

• ddns_server Specify ip of the ddns server

devnomads

• auth_token Specify token for authentication.

digitalocean

• auth_token Specify token for authentication

dinahosting

• auth_username Specify username for authentication

• auth_password Specify password for authentication

directadmin

• auth_password Specify password for authentication (or login key for two-factor authentication)

• auth_username Specify username for authentication

• endpoint Specify the directadmin endpoint

dnsimple

• auth_token Specify api token for authentication

• auth_username Specify email address for authentication

• auth_password Specify password for authentication

• auth_2fa Specify two-factor auth token (otp) to use with email/password authentication

dnsmadeeasy

• auth_username Specify username for authentication

• auth_token Specify token for authentication

dnspark

• auth_username Specify api key for authentication

• auth_token Specify token for authentication

dnspod

• auth_username Specify api id for authentication

• auth_token Specify token for authentication

dnsservices

• auth_username Specify username for authentication

• auth_password Specify password for authentication

dreamhost

• auth_token Specify api key for authentication

duckdns

• auth_token Specify the account token for authentication

dynu

• auth_token Specify api key for authentication

easydns

• auth_username Specify username for authentication

• auth_token Specify token for authentication

easyname

• auth_username Specify username used to authenticate

• auth_password Specify password used to authenticate

Note

A provider for Easyname DNS.

euserv

• auth_username Specify email address for authentication

• auth_password Specify password for authentication

exoscale

• auth_key Specify api key for authentication

• auth_secret Specify api secret for authentication

flexibleengine

• auth_token Specify token for authentication

• zone_id Specify the zone id

gandi

• auth_token Specify gandi api key or personal access token

• api_protocol (optional) specify gandi api protocol to use: rpc (default) or rest

gehirn

• auth_token Specify access token for authentication

• auth_secret Specify access secret for authentication

glesys

• auth_username Specify username (cl12345)

• auth_token Specify api key

godaddy

• auth_key Specify the key to access the api

• auth_secret Specify the secret to access the api

googleclouddns

• auth_service_account_info

  specify the service account info in the google json format: can be either the path of a file prefixed by ‘file::’ (eg. file::/tmp/service_account_info.json) or the base64 encoded content of this file prefixed by ‘base64::’ (eg. base64::eyjhbgcioyj…)

Note

The Google Cloud DNS provider requires the JSON file which contains the service account info to connect to the API. This service account must own the project role DNS > DNS administrator for the project associated to the DNS zone. You can create a new service account, associate a private key, and download its info through this url: https://console.cloud.google.com/iam-admin/serviceaccounts?authuser=2

gransy

• auth_username Specify username for authentication

• auth_password Specify password for authentication

Note

DNS manipulation provider for Gransy sites subreg.cz, regtons.com and regnames.eu.

gratisdns

• auth_username Specify email address for authentication

• auth_password Specify password for authentication

henet

• auth_username Specify username for authentication

• auth_password Specify password for authentication

Note

A provider for Hurricane Electric DNS.

NOTE: THIS DOES NOT WORK WITH 2-FACTOR AUTHENTICATION.

YOU MUST DISABLE IT IF YOU’D LIKE TO USE THIS PROVIDER.

hetzner

• auth_token Specify hetzner dns api token

hostingde

• auth_token Specify api key for authentication

hover

• auth_username Specify username for authentication

• auth_password Specify password for authentication

• auth_totp_secret Specify base32-encoded shared secret to generate an otp for authentication

infoblox

• auth_user Specify the user to access the infoblox wapi

• auth_psw Specify the password to access the infoblox wapi

• ib_view Specify dns view to manage at the infoblox

• ib_host Specify infoblox host exposing the wapi

infomaniak

• auth_token Specify the token

Note

Infomaniak Provider requires a token with domain scope. It can be generated for your Infomaniak account on the following URL: https://manager.infomaniak.com/v3/infomaniak-api

internetbs

• auth_key Specify api key for authentication

• auth_password Specify password for authentication

inwx

• auth_username Specify username for authentication

• auth_password Specify password for authentication

ionos

• api_key Ionos api key: public prefix + period + key proper

joker

• auth_token Specify the api key to connect to the joker.com api

Note

The Joker.com provider requires a valid token for authentication. You can create one in the section ‘Manage Joker.com API access keys’ of ‘My Profile’ in your Joker.com account.

linode

• auth_token Specify api key for authentication

linode4

• auth_token Specify api key for authentication

localzone

• filename Specify location of zone master file

luadns

• auth_username Specify email address for authentication

• auth_token Specify token for authentication

memset

• auth_token Specify api key for authentication

misaka

• auth_token Specify token for authentication

mythicbeasts

• auth_username Specify api credentials username

• auth_password Specify api credentials password

• auth_token Specify api token for authentication

Note

There are two ways to provide an authentication granting access to the Mythic Beasts API 1 - With your API credentials (user/password), using –auth-username and –auth-password flags. 2 - With an API token, using –auth-token flags. These credentials and tokens must be generated using the Mythic Beasts API v2.

namecheap

• auth_token Specify api token for authentication

• auth_username Specify username for authentication

• auth_client_ip Client ip address to send to namecheap api calls

• auth_sandbox Whether to use the sandbox server

namecom

• auth_username Specify a username

• auth_token Specify an api token

namesilo

• auth_token Specify key for authentication

netcup

• auth_customer_id Specify customer number for authentication

• auth_api_key Specify api key for authentication

• auth_api_password Specify api password for authentication

nfsn

• auth_username Specify username used to authenticate

• auth_token Specify token used to authenticate

njalla

• auth_token Specify api token for authentication

nsone

• auth_token Specify token for authentication

oci

• auth_config_file The full path including filename to an oci configuration file.

• auth_profile The name of the profile to use (case-sensitive).

• auth_user The ocid of the user calling the api.

• auth_tenancy The ocid of your tenancy.

• auth_fingerprint The fingerprint for the public key that was added to the calling user.

• auth_key_content The full content of the calling user’s private signing key in pem format.

• auth_key_file The full path including filename to the calling user’s private signing key in pem format.

• auth_pass_phrase If the private key is encrypted, the pass phrase must be provided.

• auth_region An oci region identifier. select the closest region for best performance.

• auth_type Valid options are ‘api_key’ (default) or ‘instance_principal’.

Note

Oracle Cloud Infrastructure (OCI) DNS provider

onapp

• auth_username Specify email address of the onapp account

• auth_token Specify api key for the onapp account

• auth_server Specify url to the onapp control panel server

Note

The OnApp provider requires your OnApp account’s email address and API token, which can be found on your /profile page on the Control Panel interface. The server is your dashboard URL, with format like https://dashboard.youronapphost.org

online

• auth_token Specify private api token

ovh

• auth_entrypoint Specify the ovh entrypoint

• auth_application_key Specify the application key

• auth_application_secret Specify the application secret

• auth_consumer_key Specify the consumer key

Note

OVH Provider requires a token with full rights on /domain/. It can be generated for your OVH account on the following URL: https://api.ovh.com/createToken/index.cgi?GET=/domain/*&PUT=/domain/*&POST=/domain/*&DELETE=/domain/

plesk

• auth_username Specify username for authentication

• auth_password Specify password for authentication

• plesk_server Specify url to the plesk web ui, including the port

pointhq

• auth_username Specify email address for authentication

• auth_token Specify token for authentication

porkbun

• auth_key Specify api key for authentication

• auth_secret Specify secret api key for authentication

Note

To authenticate with Porkbun, you need both an API key and a secret API key. These can be created at porkbun.com/account/api .

powerdns

• auth_token Specify token for authentication

• pdns_server Uri for powerdns server

• pdns_server_id Server id to interact with

• pdns_disable_notify Disable slave notifications from master

qcloud

• secret_id Specify secret_id for authentication

• secret_key Specify secret_key for authentication

rackspace

• auth_account Specify account number for authentication

• auth_username Specify username for authentication. only used if –auth-token is empty.

• auth_api_key Specify api key for authentication. only used if –auth-token is empty.

• auth_token Specify token for authentication. if empty, the username and api key will be used to create a token.

• sleep_time Number of seconds to wait between update requests.

rage4

• auth_username Specify email address for authentication

• auth_token Specify token for authentication

rcodezero

• auth_token Specify token for authentication

regfish

• auth_api_key Specify api key for authentication

route53

• auth_access_key Specify access_key for authentication

• auth_access_secret Specify access_secret for authentication

• private_zone Indicates what kind of hosted zone to use. if true, use only private zones. if false, use only public zones

• zone_id The aws hostedzone id to use; e.g. ‘a1b2zabcdefghi’

• auth_username Alternative way to specify the access_key for authentication

• auth_token Alternative way to specify the access_secret for authentication

safedns

• auth_token Specify the api key to authenticate with

Note

SafeDNS provider requires an API key in all interactions. You can generate one for your account on the following URL: https://my.ukfast.co.uk/applications/index.php

sakuracloud

• auth_token Specify access token for authentication

• auth_secret Specify access secret for authentication

scaleway

• auth_secret_key Specify scaleway api key

softlayer

• auth_username Specify username for authentication

• auth_api_key Specify api private key for authentication

timeweb

• auth_token Specify api token for authentication

transip

• auth_username Specify username for authentication

• auth_api_key Specify the private key to use for api authentication, in pem format: can be either the path of the key file (eg. /tmp/key.pem) or the base64 encoded content of this file prefixed by ‘base64::’ (eg. base64::eyjhbgcioyj…)

• auth_key_is_global Set this flag is the private key used is a global key with no ip whitelist restriction

ultradns

• auth_token Specify token for authentication; if not set –auth-token, –auth-password are used

• auth_username Specify username for authentication

• auth_password Specify password for authentication

valuedomain

• auth_token Specify youyr api token

Note

Value Domain requires a token to access its API. You can generate one for your account on the following URL: https://www.value-domain.com/vdapi/

vercel

• auth_token Specify your api token

Note

Vercel provider requires a token to access its API. You can generate one for your account on the following URL: https://vercel.com/account/tokens

vultr

• auth_token Specify token for authentication

wedos

• auth_username Specify email address for authentication

• auth_pass Specify password for wapi

yandex

• auth_token Specify pdd token (https://yandex.com/dev/domain/doc/concepts/access.html)

yandexcloud

• auth_token Specify the iam token (https://cloud.yandex.com/en/docs/dns/api-ref/authentication)

• dns_zone_id Specify the dns zone id (can be obtained from web interface)

• cloud_id Specify the cloud id (visible in the cloud selector in the web interface), might be needed if dns zone id is not set

• folder_id Specify the folder id (https://cloud.yandex.com/en/docs/resource-manager/operations/folder/get-id) might be needed if dns zone id is not set

zeit

• auth_token Specify your api token

Note

Vercel provider requires a token to access its API. You can generate one for your account on the following URL: https://vercel.com/account/tokens

zilore

• auth_key Specify the zilore api key to use

Note

Zilore API requires an API key that can be found in your Zilore profile, at the API tab. The API access is available only for paid plans.

zonomi

• auth_token Specify token for authentication

• auth_entrypoint Use zonomi or rimuhosting api

Passing provider options to Lexicon

There are three ways to pass a provider option to Lexicon (we suppose here that the provider option is named auth_token):

• by CLI flag: set the flag --auth-token to Lexicon while invoking it, for instance:

  $ lexicon cloudflare create domain.net TXT --name foo --content bar --auth-token YOUR_TOKEN
  

• by environment variable: set the environment variable LEXICON_CLOUDFLARE_AUTH_TOKEN, for instance:

  $ LEXICON_CLOUDFLARE_AUTH_TOKEN=YOUR_TOKEN lexicon cloudflare create domain.net TXT --name foo --content bar
  

• by configuration file: construct a configuration file containing the provider options, for instance:

  $ cat /path/to/config/lexicon.yml
  cloudflare:
    auth_token: YOUR_TOKEN
  $ lexicon --config-dir /path/to/config cloudflare create domain.net TXT --name foo --content bar
  

  Note

  Lexicon will look for two types of configuration files in the provided path to --config-dir (current workdir by default): a general configuration file named lexicon.yml and a provider-specific configuration file named lexicon_[PROVIDER_NAME].yml.

  For a general configuration file, provider options need be set under a key named after the provider:

  # /path/to/config/lexicon.yml
  cloudflare:
    auth_token: YOUR_TOKEN
  

  For a provider-specific configuration file, provider options need to be set at the root:

  # /path/to/config/lexicon_cloudflare.yml
  auth_token: YOUR_TOKEN
  

Passing general options to Lexicon

General options are options not specific to a provider, like delegated. They can be passed like the provider options (by CLI, by environment variable or by configuration file). Please note that for configuration file, options will be set at the root, and cannot be set in provider-specific configuration files.

# /path/to/config/lexicon.yml
delegated: domain.net
cloudflare:
  ...

The auto provider

The auto provider is a special provider. It resolves dynamically the actual provider to use based on the domain provided to Lexicon. To do so, it resolves the nameservers that serve the DNS zone for this domain, and find the relevant DNS provider based on an internal map that associates each DNS provider to its known nameservers.

Basically if domain.net is served by CloudFlare, and a TXT entry needs to be inserted in this domain, you can use the following command:

lexicon auto create domain.net TXT --name foo --content bar

The options specific to the actual provider that will be used still need to be set, by CLI flags, environment variables or configuration files. However for CLI, each option name will be prefixed with [ACTUAL_PROVIDER]- when passed to auto. For instance, the auth_token option for cloudflare will be passed using --cloudflare-auth-token.