Google Domains DNS API Support? (not Google Cloud DNS)

Hi all,

This has been answered to some varying degrees in some specific questions around the forum where people confuse Google Domains DNS with the Google Cloud DNS, but I figured I’d ask more generally and to the point.

Does anyone know of any kind of API or program for domains registered with "domains.google.com" to do the DNS queries that would be required soon for the wildcard certificates under ACMEv2?

I’m aware that you can manually enter the DNS challenges as TXT records, but I believe that you need to update those whenever your certificate expires, meaning that I would have to go in rather often and change the challenge strings. I’d also like to avoid setting up my own DNS server to handle these requests.

Thanks!


As far as I know, Google Domains doesn't have an API that lets you change TXT records. The home page says:

Set up Dynamic DNS to keep your domain pointing to the same computer even when the IP address changes

So it has a simple dynamic DNS API that lets you edit A and probably AAAA records.

But I've seen no evidence that there's a more general API.

But I don't use Google Domains myself. :face_with_raised_eyebrow:

(Google Cloud DNS, of course, has a great API.)

It's actually well featured, as far as the available record types go.

Supported records are:

  • A
  • AAAA
  • CAA
  • CNAME
  • DS
  • MX
  • NS
  • PTR
  • SPF
  • SRV
  • SSHFP
  • TLSA
  • TXT

Here’s the relevant control panel… There are others but I see less and less relevant information.

I don’t think most of those are useful options besides the manual records unless I set up a DNS server of my own.

This also exists, but is probably not of more help:

https://support.google.com/domains/answer/7179397?hl=en

It does not appear to allow changing anything other than a single A record for Dynamic DNS, unfortunately.

https://support.google.com/domains/answer/6147083?hl=en

Hmm, Google has a 24/7 support line for my account. I’ll ask them if there’s an API.

So I got a reply back:

Thank you for contacting Google Domains.

I'm afraid that Google Domains does not yet support an API that allows you to automate or modify existing DNS records in the domain's settings. However, if you're referring to adding TXT records for ACME v2, you may follow the steps below:

Login to Google Domains page.
Click DNS tab.
Scroll down to Custom resource records.
Add these records for TXT records.
Name: @
Type: Select TXT
TTL: 1h
Data: Txt records from ACME v2.

Click Add.

Please note that for DNS changes to take effect, it may take a propagation period of several minutes or up to 24-48 hours across the entire internet.

For further questions, feel free to reply to this email or visit the Google Domains contact us page.

I suppose that completely nerfs the possibility of having wildcard certs without manually entering the TXT records. I'm switching away from Google Domains, and I would recommend anyone else who wants automated DNS challenges or wildcard certificates to do the same.

That said, one can set up their own DNS server and then use that to do the challenges, but it's something that I believe the DNS provider should handle with an API, honestly. Much less work for the end user.


This is most disappointing. I switched to Google Domains due to perceived confidence and trust in the Google brand and platform. I will move my domains elsewhere, where I can depend on a full feature set of API backed asset configuration tools.

You could use Google Domains plus Google Cloud DNS. It would be a different pricing model, but it has a good API.

(And you can use Google Domains with a third-party DNS service, or use Google Cloud DNS with a third-party registrar.)


...which is what acme-dns is designed for.

It's actually not good for the end user, because these APIs rarely have safe permissions and ACLs. Most DNS APIs will allow the token to update A/MX records; many will even allow the token to transfer the domain away. This makes automatic renewal incredibly unsafe, as a compromised server would expose the plaintext token.

The best option in almost every case is to:

  1. install acme-dns on a server you control (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.)
  2. CNAME your _acme-challenge TXT records onto the acme-dns instance
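To make the two steps above concrete, here is an added example (not code from the original thread, and not part of the acme-dns project itself) that shows the three pieces involved: how an ACME client derives the dns-01 TXT value from the challenge token and its account key thumbprint (RFC 8555 section 8.4), what one-time CNAME the domain owner publishes in the registrar's DNS panel, and what the per-subdomain acme-dns `POST /update` call looks like (the `X-Api-User`/`X-Api-Key` headers and the `subdomain`/`txt` JSON body are the acme-dns API as documented in its README; the hostnames, credentials and token below are constructed placeholders). Nothing here talks to the network.

```python
"""Added example: dns-01 TXT derivation, CNAME delegation, and the acme-dns
update request. Hostnames, credentials and the token are constructed
placeholders, not real values."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as required by RFC 8555."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, account_key_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token + "." + thumbprint)).

    The thumbprint is the base64url JWK thumbprint (RFC 7638) of the ACME
    account key; the ACME client already has it. The result is always 43
    characters, which is exactly what acme-dns enforces on /update.
    """
    key_authorization = f"{token}.{account_key_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return b64url(digest)


def challenge_name(identifier: str) -> str:
    """Name the CA queries. A wildcard "*.example.com" is validated at the
    same name as the apex, _acme-challenge.example.com, so a cert covering
    both needs two TXT values published under one name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def delegation_cname(identifier: str, acme_dns_fulldomain: str) -> str:
    """The single record the domain owner adds once in the registrar's DNS
    panel (Google Domains, Cloudflare, ...). After this, no registrar
    credential is ever needed for renewals."""
    return f"{challenge_name(identifier)} 300 IN CNAME {acme_dns_fulldomain}."


def acme_dns_update_request(base_url: str, creds: dict, txt: str) -> dict:
    """Build the acme-dns /update call. `creds` is the JSON acme-dns returned
    from POST /register (username, password, subdomain, fulldomain). The
    credentials can only change this one TXT record on the acme-dns host,
    which is the least-privilege point made in the thread."""
    if len(txt) != 43:
        raise ValueError("dns-01 TXT value must be exactly 43 characters")
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/update",
        "headers": {
            "X-Api-User": creds["username"],
            "X-Api-Key": creds["password"],
            "Content-Type": "application/json",
        },
        "body": json.dumps({"subdomain": creds["subdomain"], "txt": txt}),
    }


if __name__ == "__main__":
    # Constructed sample data: what a `POST /register` to a hypothetical
    # acme-dns instance at auth.example.net would have returned.
    creds = {
        "username": "c3e2c5a4-0000-4000-8000-000000000000",
        "password": "constructed-placeholder-password",
        "subdomain": "6ac5e8c2-0000-4000-8000-000000000000",
        "fulldomain": "6ac5e8c2-0000-4000-8000-000000000000.auth.example.net",
    }
    print("Publish once at the registrar:")
    print("  " + delegation_cname("*.example.com", creds["fulldomain"]))

    # Constructed token/thumbprint standing in for what the CA and the ACME
    # client would actually supply at each renewal.
    txt = dns01_txt_value("constructed-challenge-token", "constructed-thumbprint")
    req = acme_dns_update_request("https://auth.example.net", creds, txt)
    print("Each renewal, the hook sends:")
    print(f"  {req['method']} {req['url']}")
    print(f"  {req['body']}")
```

The CA follows the CNAME from `_acme-challenge.example.com` to the acme-dns name and reads the TXT there, so the registrar's zone never changes after the one-time CNAME; the credential that renewals keep on disk is the per-subdomain acme-dns pair, not a registrar or zone-wide API token.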

That's actually how I ended up doing it - I set up a delegated nameserver running bind9 and just did a CNAME.

Still, for the basic user, any kind of API would be nice. It's not the simplest thing for some users to set up their own DNS server. I would even go so far as to say that a limited API that just integrates with Let's Encrypt and doesn't let you do anything else would be good enough for the purpose, rather than changing every kind of record that exists (so limit API access to just the _acme-challenge TXT record).

It's also worth mentioning that some ISPs prohibit running your own DNS server. Not as many as there used to be, but still. Some ISPs are afraid of careless users enabling amplification attacks.

...which, again, is exactly what acme-dns is designed for. And it's pretty simple to set up.

After finding this out myself while looking at setting up wildcard certs, I moved my actual DNS records over to Cloudflare. Still using Google Domains as the actual registrar, though.
