Hurricane Electric DNS
Important Note
Hurricane Electric does not currently expose an official JSON or XML API, and as such, this provider interacts directly with the web interface. Because there is no officially supported API, this provider may cease to function if Hurricane Electric changes their interface, and you should be willing to accept this possibility before relying on this provider.
Configuration
To use this provider, add an entry to creds.json with TYPE set to HEDNS along with your dns.he.net account username and password. These are the same username and password used to log in to the web interface.
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword"
}
}Two factor authentication
If two-factor authentication has been enabled on your account you will also need to provide a valid TOTP code. This can also be done via an environment variable:
{
"hedns": {
"TYPE": "HEDNS",
"username": "yourUsername",
"password": "yourPassword",
"totp": "$HEDNS_TOTP"
}
}and then you can run
It is also possible to directly provide the shared TOTP secret using the key "totp-key" in creds.json. This secret is only available when first enabling two-factor authentication.
Security Warning:
Anyone with access to this
creds.jsonfile will have full access to your Hurricane Electric account and will be able to modify and delete your DNS entriesStoring the shared secret together with the password weakens two factor authentication because both factors are stored in a single place.
Persistent Sessions
Normally this provider will refresh authentication with each run of dnscontrol. This can lead to issues when using two-factor authentication if two runs occur within the time period of a single TOTP token (30 seconds), as reusing the same token is explicitly disallowed by RFC 6238 (TOTP).
To work around this limitation, if multiple requests need to be made, the option "session-file-path" can be set in creds.json, which is the directory where a .hedns-session file will be created. This can be used to allow reuse of an existing session between runs, without the need to re-authenticate.
This option is disabled by default when this key is not present,
Security Warning:
Anyone with access to this
.hedns-sessionfile will be able to use the existing session (until it expires) and have full access to your Hurricane Electric account and will be able to modify and delete your DNS entries.It should be stored in a location only trusted users can access.
Metadata
This provider supports the following record-level metadata:
HEDNS_DYNAMIC_ON
Enable Dynamic DNS on the record. The record will be assigned a DDNS key that can be used to update its value via the HE DDNS API (https://dyn.dns.he.net/nic/update).
HEDNS_DYNAMIC_OFF
Explicitly disable Dynamic DNS on the record. Warning: this will clear any associated DDNS key.
HEDNS_DDNS_KEY("key")
Enable Dynamic DNS and set a specific DDNS key (token) on the record. Implies HEDNS_DYNAMIC_ON.
Dynamic DNS behavior
When a record has Dynamic DNS enabled and is subsequently modified by dnscontrol (e.g. TTL change), the dynamic flag is preserved automatically. You do not need to re-specify
HEDNS_DYNAMIC_ONon every run unless you want to be explicit.If you do not specify any
HEDNS_DYNAMIC_*modifier on a record that is already dynamic on the provider, the dynamic state is inherited — the record stays dynamic.DDNS keys are write-only: dnscontrol will set the key you specify but cannot read back the current key from HE DNS. This means:
A key-only change (same record data, new key) requires changing another field (e.g. TTL) to trigger an update.
The
get-zonesexport will includeHEDNS_DYNAMIC_ONfor dynamic records but will not include the DDNS key.
Usage
An example configuration:
Last updated