Additional TLSA Value with API

Hi, can additional TLSA values be added to an existing subname with an API call?

The following only overwrites:

/usr/bin/curl -sSLX PUT https://desec.io/api/v1/domains/*domain*/rrsets/ \
--header "Authorization: Token token" \
--header "Content-Type: application/json" --data @- <<EOF
[
{"subname": "first subname", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $tlsa_hash"]},
{"subname": "second subname", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $tlsa_hash"]}
]
EOF

where $tlsa_hash is a defined shell variable.

Yes.

Note that the records field of the RRset is an array. Just add more array elements.

If you want to modify an existing RRset, see Modifying an RRset.

HTH
fiwswe


There’s no API to add a record to an RRset. You can patch the RRset with the new record, but you will have to repeat the existing ones in the records array.

What’s shown on your screenshot is just a visual trick; the web interface actually does the same thing.

Stay secure,
Peter


Placing both the existing and new values in the records array, the error is:

[{"non_field_errors":["Same subname and type as in position(s) 1, but must be unique."]},

This error is repeated for all elements in the records array. The request is formatted as (trying both PUT and PATCH):

/usr/bin/curl -sSLX PUT https://desec.io/api/v1/domains/*domain*/rrsets/ \
--header "Authorization: Token token" \
--header "Content-Type: application/json" --data @- <<EOF
[
{"subname": "subname1", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $existing_tlsa_hash1"]},
{"subname": "subname1", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $new_tlsa_hash1"]},
{"subname": "subname2", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $existing_tlsa_hash2"]},
{"subname": "subname2", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $new_tlsa_hash2"]}
]
EOF

Thanks again.

This is an attempt to set subname1 and subname2 twice and to two different values. You’ll need to merge both values into the records parameter, like so:

/usr/bin/curl -sSLX PUT https://desec.io/api/v1/domains/*domain*/rrsets/ \
--header "Authorization: Token *token*" \
--header "Content-Type: application/json" --data @- <<EOF
[
{"subname": "*subname1*", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $existing_tlsa_hash1", "3 1 1 $new_tlsa_hash1"]},
{"subname": "*subname2*", "type": "TLSA", "ttl": 3600, "records": ["3 1 1 $existing_tlsa_hash2", "3 1 1 $new_tlsa_hash2"]}
]
EOF

This is the answer. Appreciate the discussion.
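
An added example, not part of any post in this thread and not deSEC's own code: a helper that builds the merged request body by collapsing entries with the same subname and type into one RRset whose records array holds the existing and new TLSA values. The function name, the TTL-conflict behaviour, and the placeholder digests are assumptions made for illustration.

```python
import json


def merge_rrsets(entries):
    """Collapse entries sharing (subname, type) into one RRset each.

    A bulk request may name each (subname, type) pair only once, so the
    records of repeated entries are unioned into a single records array.
    """
    merged = {}
    seen = {}
    for entry in entries:
        key = (entry["subname"], entry["type"])
        if key not in merged:
            merged[key] = {"subname": key[0], "type": key[1],
                           "ttl": entry["ttl"], "records": []}
            seen[key] = set()
        rrset = merged[key]
        # An RRset has one TTL; refuse to guess which one was intended.
        if rrset["ttl"] != entry["ttl"]:
            raise ValueError(f"conflicting TTLs for {key}")
        for record in entry["records"]:
            # Compare whitespace- and case-insensitively so the same digest
            # written two ways is not submitted twice.
            canon = " ".join(record.split()).lower()
            if canon not in seen[key]:
                seen[key].add(canon)
                rrset["records"].append(record)
    return list(merged.values())


# Constructed sample: the request shape from the thread that was rejected,
# with placeholder digests standing in for real certificate hashes.
OLD1, NEW1, OLD2, NEW2 = ("11" * 32, "22" * 32, "33" * 32, "44" * 32)
ATTEMPT = [
    {"subname": "subname1", "type": "TLSA", "ttl": 3600, "records": [f"3 1 1 {OLD1}"]},
    {"subname": "subname1", "type": "TLSA", "ttl": 3600, "records": [f"3 1 1 {NEW1}"]},
    {"subname": "subname2", "type": "TLSA", "ttl": 3600, "records": [f"3 1 1 {OLD2}"]},
    {"subname": "subname2", "type": "TLSA", "ttl": 3600, "records": [f"3 1 1 {NEW2}"]},
]

if __name__ == "__main__":
    # The output is the JSON body for the bulk PUT/PATCH shown in the thread.
    print(json.dumps(merge_rrsets(ATTEMPT), indent=2))
```

Keeping the old and new TLSA values published together is what lets a certificate rollover proceed without a window in which neither digest matches.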