ApertoDNS Protocol: A Modern Dynamic DNS Update Protocol

ApertoDNS Protocol: A Modern Dynamic DNS Update Protocol ApertoDNS

Italy support@apertodns.com

Operations and Management DNS Operations dynamic dns ddns dns update REST API ACME DNS-01 This document specifies the ApertoDNS Protocol, a modern RESTful protocol for dynamic DNS (DDNS) updates. It provides a secure, provider-agnostic alternative to legacy protocols, with native support for IPv4, IPv6, bulk updates, automatic IP detection, TXT record management for ACME DNS-01 challenges, and standardized authentication mechanisms. The protocol uses well-known URIs (RFC 8615), JSON payloads (RFC 8259), and bearer token authentication (RFC 6750) to enable interoperable dynamic DNS services across different providers.

Introduction Dynamic DNS (DDNS) services allow users with dynamically assigned IP addresses to maintain a consistent hostname that automatically updates when their IP address changes. This capability is essential for home users, small businesses, and IoT devices that need to be reachable despite lacking static IP addresses. While RFC 2136 defines DNS UPDATE for programmatic DNS modifications, most consumer-facing DDNS services use simpler HTTP-based protocols. The de facto standard for consumer DDNS emerged organically without formal specification. This lack of standardization has led to:

Inconsistent implementations across providers
Security vulnerabilities from ad-hoc designs
Limited feature sets (e.g., no native IPv6 support)
Vendor lock-in due to proprietary extensions
No formal capability negotiation

This document specifies the ApertoDNS Protocol as a modern, secure, and fully interoperable alternative designed for the current Internet landscape.

Protocol Versioning The protocol version specified in discovery responses (e.g., "1.3.0") refers to the semantic version of the protocol specification itself. This document represents the first IETF standardization of a protocol that has been in production use since 2024. The version number in the discovery endpoint reflects the feature set available, while the Internet-Draft version (e.g., "-01") tracks the IETF document revision process separately.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Goals The ApertoDNS Protocol is designed with the following goals:

Provider-agnostic: Any DDNS provider can implement this protocol using their own domain and branding
Secure by default: HTTPS required, bearer token authentication
Modern: JSON responses, proper HTTP semantics, native IPv6
Discoverable: Self-describing via discovery endpoint
Extensible: Capability negotiation allows future enhancements
Backward compatible: Optional legacy endpoint for existing clients

Terminology This document uses the following terms:

DDNS:: Dynamic DNS. A service that automatically updates DNS records when a client's IP address changes.
Provider:: An organization or service implementing this protocol to offer DDNS services to users.
Hostname:: A fully qualified domain name (FQDN) managed by the provider and associated with a user account.
Token:: An authentication credential issued by the provider, used to authorize API requests.
Auto-detection:: Server-side determination of the client's IP address from the incoming HTTP request, used when the client specifies "auto" as the IP value.
Client:: Software or device that makes requests to a DDNS provider to update DNS records.
A-label:: The ASCII-Compatible Encoding (ACE) form of an Internationalized Domain Name label, as defined in .
TXT Record:: A DNS resource record type used to store arbitrary text data, commonly used for domain verification and ACME DNS-01 challenges.
ACME DNS-01:: A challenge type defined in where domain ownership is proven by provisioning a DNS TXT record.

Protocol Overview The ApertoDNS Protocol is a RESTful API using JSON over HTTPS. All protocol endpoints are located under the well-known URI path /.well-known/apertodns/v1/.

Base URL Conforming implementations MUST serve all endpoints under: The use of well-known URIs ensures consistent endpoint discovery across providers.

Content Type All request and response bodies MUST use the application/json media type unless otherwise specified.

Response Format All responses MUST include a boolean success field at the top level: Or for errors:

Conformance Requirements This section defines the requirements for conforming implementations.

Conformance Levels This protocol defines two conformance levels:

Core Conformance:: A conforming implementation MUST implement the following endpoints: /info, /health, and /update. A conforming implementation MUST support bearer token authentication. A conforming implementation MUST serve all endpoints over HTTPS.
Full Conformance:: In addition to core conformance requirements, a fully conforming implementation MUST implement: /bulk-update, /status/{hostname}, and /domains endpoints.

Capability Advertisement Implementations MUST accurately advertise their capabilities in the /info endpoint response. Implementations MUST NOT advertise capabilities they do not support.

Interoperability Implementations SHOULD accept requests from any conforming client. Implementations MUST NOT require proprietary extensions for basic DDNS functionality.

Authentication

Supported Methods Protected endpoints require authentication via one of the following methods:

Bearer Token (RECOMMENDED) : Authorization: Bearer {token}
API Key Header: X-API-Key: {token}
HTTP Basic (legacy only): Authorization: Basic {credentials}

Implementations MUST support bearer token authentication. Implementations MAY support additional methods.

Token Format Tokens SHOULD follow the format: Where:

{provider}: Provider identifier (e.g., "apertodns", "example")
{environment}: Token environment ("live", "test", "sandbox")
{random}: Cryptographically secure random string (minimum 32 characters recommended)

Example: apertodns_live_Kj8mP2xL9nQ4wR7vY1zA3bC6dE0fG5hI This format enables:

Easy identification of token source during debugging
Environment separation (production vs. testing)
Consistent token handling across providers

Token Transmission Tokens MUST be transmitted only in HTTP headers. Tokens MUST NOT appear in URLs, query parameters, or request bodies where they might be logged.

Endpoints

Discovery Endpoint (/info) The discovery endpoint returns provider information, capabilities, and configuration. This endpoint MUST NOT require authentication.

Response Fields

Field	Type	Required	Description
protocol	string	YES	MUST be "apertodns"
protocol_version	string	YES	Semantic version (e.g., "1.3.0")
provider	object	YES	Provider information
capabilities	object	YES	Supported features
authentication	object	YES	Supported auth methods
endpoints	object	YES	Available endpoint paths
rate_limits	object	NO	Rate limiting configuration
server_time	string	NO	Current server time (ISO 8601)

Capability Fields The capabilities object MUST include the following fields:

Field	Type	Description
ipv4	boolean	IPv4 address updates supported
ipv6	boolean	IPv6 address updates supported
auto_ip_detection	boolean	Automatic IP detection supported
bulk_update	boolean	Bulk update endpoint available
max_bulk_size	integer	Maximum hostnames per bulk request

The capabilities object MAY include the following OPTIONAL fields:

Field	Type	Description
webhooks	boolean	Provider-specific webhook support available
txt_records	boolean	TXT record management supported
txt_max_records	integer	Maximum TXT records per hostname (default: 5)

When webhooks is true, the provider offers webhook notifications for DNS update events such as IP address changes. The webhook API is implementation-specific and not standardized by this protocol version. Providers offering webhooks SHOULD document their webhook API separately. When txt_records is true, the provider supports TXT record management via the /txt endpoint. This capability enables ACME DNS-01 challenges for automated certificate issuance. The capabilities object MAY include additional fields for future extensions. Unknown capability fields SHOULD be ignored by clients.

Example Response

Health Endpoint (/health) Returns service health status. This endpoint MUST NOT require authentication and SHOULD be used for monitoring.

Example Response The status field MUST be one of: "healthy", "degraded", or "unhealthy".

Update Endpoint (/update) Updates DNS records for a single hostname. This endpoint MUST require authentication.

Request Fields

Field	Type	Required	Description
hostname	string	YES	Fully qualified domain name
ipv4	string	NO	IPv4 address or "auto"
ipv6	string	NO	IPv6 address or "auto"
ttl	integer	NO	Time to live in seconds (60-86400)

At least one of ipv4 or ipv6 SHOULD be provided. If neither is provided, implementations SHOULD use auto-detection for IPv4. The special value "auto" instructs the server to detect the client's IP address from the incoming request.

Auto-Detection Limitations Auto-detection is constrained by HTTP connection semantics: the server can only detect the address family used by the client's TCP connection. This is a fundamental characteristic of HTTP-based protocols, not a limitation specific to this specification. The following constraints apply:

If the client connects via IPv4: only IPv4 can be auto-detected
If the client connects via IPv6: only IPv6 can be auto-detected
Cross-family detection is not possible (e.g., detecting IPv4 address when connected via IPv6)

When a client requests auto-detection for an address family that does not match the connection's address family, the server MUST return an error with the appropriate error code (ipv4_auto_failed or ipv6_auto_failed). Clients requiring dual-stack updates (both IPv4 and IPv6) SHOULD use one of the following approaches:

Provide explicit IP addresses for both fields
Make separate update requests over each address family
Use auto-detection for the matching address family and provide an explicit address for the other

Example Request

Example Response The changed field indicates whether the IP address was actually modified (false if the new IP matches the existing record).

Auto-Detection Failure Response When auto-detection fails due to address family mismatch:

Bulk Update Endpoint (/bulk-update) Updates multiple hostnames in a single request. Providers advertising bulk_update: true in capabilities MUST implement this endpoint.

Example Request

Example Response

Status Endpoint (/status/{hostname}) Returns current DNS record status for a hostname.

Example Response

Domains Endpoint (/domains) Returns list of domains and hostnames available to the authenticated user.

Example Response

TXT Record Endpoint (/txt) The TXT record endpoint enables management of DNS TXT records, primarily for ACME DNS-01 challenges used in automated certificate issuance. Providers advertising txt_records: true in capabilities MUST implement this endpoint.

Design Rationale TXT record management is designed to support wildcard certificate issuance, which requires multiple simultaneous TXT records during the ACME validation process. The protocol supports:

Accumulation: Multiple TXT values can coexist for the same hostname prefix (e.g., _acme-challenge.example.com)
Selective deletion: Individual TXT values can be removed without affecting others
Automatic cleanup: Providers MAY implement TTL-based expiration for TXT records

Set TXT Record (POST) Creates or adds a TXT record value for the specified hostname. Multiple calls with different values MUST accumulate (not replace) TXT records for the same hostname, up to the provider's limit.

Request Fields

Field	Type	Required	Description
hostname	string	YES	FQDN for the TXT record
value	string	YES	TXT record value (max 255 chars)
ttl	integer	NO	Time to live in seconds (default: 60)

Example Request

Example Response The record_count field indicates the total number of TXT values currently stored for this hostname after the operation.

Delete TXT Record (DELETE) Removes a specific TXT record value. If value is omitted, ALL TXT records for the hostname are removed.

Request Fields

Field	Type	Required	Description
hostname	string	YES	FQDN of the TXT record
value	string	NO	Specific value to delete (omit to delete all)

Example Request (selective deletion)

Example Response

Get TXT Records (GET) Returns all TXT record values for a hostname.

Example Response

Error Handling

HTTP Status Codes Implementations MUST use appropriate HTTP status codes as defined in :

Status	Usage
200	Successful request
400	Invalid request (bad hostname, invalid IP)
401	Missing or invalid authentication
403	Not authorized for requested resource
404	Resource not found
429	Rate limit exceeded
500	Server error

Error Response Format

Standard Error Codes

Code	HTTP Status	Description
unauthorized	401	Missing authentication
invalid_token	401	Invalid or expired token
forbidden	403	Not authorized for resource
not_found	404	Hostname not found
rate_limited	429	Too many requests
invalid_hostname	400	Invalid hostname format
invalid_ip	400	Invalid IP address format
hostname_not_owned	403	User does not own hostname
ipv4_auto_failed	400	Cannot auto-detect IPv4 from IPv6 connection
ipv6_auto_failed	400	Cannot auto-detect IPv6 from IPv4 connection
validation_error	400	Request validation failed
invalid_ttl	400	TTL value out of acceptable range
txt_not_supported	400	Provider does not support TXT records
txt_limit_exceeded	400	Maximum TXT records per hostname exceeded
txt_invalid_name	400	TXT hostname must use allowed prefix
txt_value_too_long	400	TXT value exceeds 255 characters

Rate Limiting Headers When rate limiting is applied, responses SHOULD include:

Retry-After: Seconds until rate limit resets
X-RateLimit-Limit: Maximum requests per window
X-RateLimit-Remaining: Remaining requests in window
X-RateLimit-Reset: Unix timestamp when window resets

Legacy Compatibility For backward compatibility with existing DDNS clients, providers MAY implement:

Legacy Response Codes Responses MUST be plain text (not JSON):

Response	Meaning
good {ip}	Update successful
nochg {ip}	No change needed
badauth	Authentication failed
notfqdn	Invalid hostname
nohost	Hostname not found
abuse	Account blocked

This endpoint is provided for compatibility only. New implementations SHOULD use the modern JSON endpoints.

Comparison with RFC 2136 RFC 2136 defines DNS UPDATE, a protocol for dynamic updates to DNS zones. The ApertoDNS Protocol differs in several key aspects:

Aspect	RFC 2136	ApertoDNS Protocol
Transport	DNS (UDP/TCP)	HTTPS
Format	DNS wire format	JSON
Auth	TSIG/SIG(0)	Bearer tokens
Discovery	None	/info endpoint
IPv6	Supported	Native support
Bulk ops	Per-message	Dedicated endpoint

The ApertoDNS Protocol is designed for consumer DDNS services where simplicity and HTTP integration are priorities, while RFC 2136 is suited for direct DNS zone manipulation.

Security Considerations

Transport Security All endpoints MUST be served over HTTPS using TLS 1.2 or higher. Implementations MUST NOT support plaintext HTTP for any protocol endpoint. Implementations SHOULD support TLS 1.3 and SHOULD disable older cipher suites known to be weak.

Token Security

Tokens MUST be generated using cryptographically secure random number generators (CSPRNG)
Tokens SHOULD have configurable expiration
Providers SHOULD support token revocation
Tokens MUST NOT be logged in server access logs
Tokens MUST NOT appear in URLs or error messages

Hostname Validation Before processing any update request, implementations MUST verify that the authenticated user owns or has permission to modify the requested hostname. Failure to validate ownership could allow unauthorized DNS modifications.

Rate Limiting Providers SHOULD implement rate limiting to prevent:

Brute-force token guessing
Denial of service attacks
Excessive DNS propagation load

Rate limits SHOULD be advertised in the discovery endpoint and communicated via response headers.

DNS Rebinding Prevention Implementations MUST validate that IP addresses in update requests are not private, loopback, or link-local addresses unless explicitly configured to allow such addresses.

Input Validation All user input MUST be validated:

Hostnames MUST conform to DNS naming rules
IP addresses MUST be valid IPv4 or IPv6 format
TTL values MUST be within acceptable ranges
TXT values MUST NOT exceed 255 characters

TXT Record Abuse Prevention TXT records can potentially be abused for:

DNS tunneling: Encoding data in TXT records for covert communication
Data exfiltration: Using DNS queries to leak sensitive data
Resource exhaustion: Creating excessive TXT records

Implementations MUST implement safeguards:

Limit TXT value length to 255 characters (DNS standard)
Limit number of TXT records per hostname (default: 5)
Restrict TXT hostnames to approved prefixes (e.g., _acme-challenge.)
Implement rate limiting on TXT operations
Consider automatic expiration of TXT records (recommended: 24 hours)

Internationalized Domain Names When handling Internationalized Domain Names (IDNs), the following requirements apply as specified in :

Clients SHOULD convert IDN hostnames to their A-label (ASCII Compatible Encoding) form before sending requests
Servers MUST accept hostnames in A-label form
Servers MAY accept hostnames in U-label (Unicode) form and convert them to A-labels internally
Servers MUST store and return hostnames in a consistent form

For example, a client wishing to update the hostname "例え.example.com" SHOULD send the request with the A-label form "xn--r8jz45g.example.com". Implementations that accept U-label input MUST perform IDNA2008 validation as specified in before processing the request.

Privacy Considerations This section addresses privacy considerations as recommended by .

Data Minimization Providers SHOULD minimize the collection and retention of personal data. Specifically:

IP address history SHOULD have configurable retention periods
Update timestamps MAY be retained for operational purposes
Providers SHOULD document their data retention policies

User Control Users SHOULD have mechanisms to:

View their stored data
Delete their accounts and associated data
Export their data in a portable format

Traffic Analysis DDNS updates inherently reveal:

That a user's IP address has changed
The timing of IP address changes
The association between a hostname and IP address

Providers should be aware that this information could be used to track user behavior or network changes.

Encryption All communications MUST be encrypted via HTTPS, preventing passive observation of update requests and tokens.

IANA Considerations

Well-Known URI Registration This document requests registration of the following well-known URI suffix:

URI Suffix:: apertodns
Change Controller:: IETF
Specification Document:: This document
Related Information:: None

The well-known URI /.well-known/apertodns/ is used as the base path for all protocol endpoints.

References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. The OAuth 2.0 Authorization Framework: Bearer Token Usage This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK] Well-Known Uniform Resource Identifiers (URIs) This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry. The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. Internationalized Domain Names in Applications (IDNA): Protocol This document is the revised protocol definition for Internationalized Domain Names (IDNs). The rationale for changes, the relationship to the older specification, and important terminology are provided in other documents. This document specifies the protocol mechanism, called Internationalized Domain Names in Applications (IDNA), for registering and looking up IDNs in a way that does not require changes to the DNS itself. IDNA is only meant for processing domain names, not free text. [STANDARDS-TRACK] Automatic Certificate Management Environment (ACME) Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation. Informative References Dynamic Updates in the Domain Name System (DNS UPDATE) Using this specification of the UPDATE opcode, it is possible to add or delete RRs or RRsets from a specified zone. Prerequisites are specified separately from update operations, and can specify a dependency upon either the previous existence or nonexistence of an RRset, or the existence of a single RR. [STANDARDS-TRACK] Privacy Considerations for Internet Protocols This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content.

Acknowledgments Thanks to the dynamic DNS community for decades of service enabling home users and small businesses to maintain stable hostnames with dynamic IP addresses. Thanks to the IETF DNSOP working group participants for their review and feedback on this specification.

Implementation Status Note to RFC Editor: Please remove this appendix before publication. This section records the status of known implementations of the protocol defined by this specification.

ApertoDNS

Organization:: ApertoDNS
Implementation:: Reference implementation
Description:: Full protocol support including all endpoints, bulk updates, webhooks, and legacy compatibility
Level of Maturity:: Production
Coverage:: Complete
Licensing:: Proprietary service, open protocol
Contact:: support@apertodns.com
URL:: https://apertodns.com

OpenAPI Specification A complete OpenAPI 3.0.3 specification for this protocol is available at: https://github.com/apertodns/apertodns-protocol/blob/main/openapi.yaml This specification can be used to:

Generate client libraries in various programming languages
Create interactive API documentation
Validate implementations for conformance

Example Update Flow The following illustrates a typical update flow:

Client discovers provider capabilities: ~~~ GET /.well-known/apertodns/v1/info ~~~
Client authenticates and requests update: ~~~ POST /.well-known/apertodns/v1/update Authorization: Bearer example_live_abc123 Content-Type: application/json {"hostname": "home.example.com", "ipv4": "auto"} ~~~
Provider validates token and hostname ownership
Provider updates DNS record
Provider returns result: ~~~json { "success": true, "data": { "hostname": "home.example.com", "ipv4": "203.0.113.50", "changed": true } } ~~~
DNS propagates the new record

Changes from Legacy DDNS Protocols For implementers familiar with legacy HTTP-based DDNS protocols (commonly referred to as "dyndns2" in client implementations such as ddclient), key differences include:

JSON responses instead of plain text
Bearer token authentication instead of HTTP Basic
Explicit capability negotiation via /info endpoint
Dedicated endpoints for different operations
Standardized error codes and response formats
Native IPv6 support with separate fields
Bulk update support for multiple hostnames
Well-known URI path for consistent discovery

Changes from -00 This section summarizes changes from draft-ferro-dnsop-apertodns-protocol-00:

Version 1.2.3 Changes

Added ipv4_auto_failed and ipv6_auto_failed error codes to Section 8.3 (Standard Error Codes)
Added "Auto-Detection Limitations" subsection to Section 7.3 (Update Endpoint) documenting HTTP connection semantics constraints
Added validation_error and invalid_ttl error codes
Added example response for auto-detection failure
Updated protocol version in examples from "1.2.0" to "1.3.0"
Added acknowledgment of IETF DNSOP working group

Version 1.3.0 Changes (TXT Records)

Added TXT record management endpoint (/txt) for ACME DNS-01 challenges
Added txt_records and txt_max_records capability fields
Added TXT-related error codes: txt_not_supported, txt_limit_exceeded, txt_invalid_name, txt_value_too_long
Added "TXT Record Abuse Prevention" section to Security Considerations
Added RFC 8555 (ACME) to normative references
Added TXT Record and ACME DNS-01 terminology definitions
Updated protocol version to 1.3.0