DynDNS and Let's Encrypt using custom domain

Hello community.

At the moment my domain is hosted at a small provider that allows me to change DNS settings. It is also possible to use one subdomain as a DynDNS and it gets updated by the router (Fritz Box). My issue is that I would like to get a wildcard certificate from LetsEncrypt, but in order to renew the cert I would have to edit TXT records manually every 3 months.

It seems that the DynDNS service from deSEC allows me to update the DynDNS host using my Fritz Box and that there are already tools to get LetsEncrypt certificates. Does this also work with the managed DNS service and my own domain?

Thanks for the help!

Dear ProXy,

yes, this is possible. Just create an account for managed DNS with your domain. On the confirmation page, there will be instructions on how to tell your registrar that you are using deSEC now.

Apply for lower minimum TTL Use custom domain

You can use your router to dynamically update the IPv4 and/or IPv6 address of any deSEC domain in your account by using the domain name as username and your access token as password. However, for managed DNS domains, the default TTL of your domain will be 3600s, which will make it unstable for use as dynamic DNS. (The default TTL for *.dedyn.io domains is 60s.) Our dynDNS interface will therefore inform you that the domain is “not eligible for dynamic updates” when you attempt an IP update. To solve this problem, you can apply for a lower TTL for your managed domain with the deSEC support at support@desec.io. Asking for a lower TTL is no longer necessary. The dynDNS update interface will now always use a TTL of 60s, even with custom domains.

Advanced case: dynDNS with subdomains of a custom domain

A more complicated scenario is when as an example, example.com is your domain, and you want to use home.example.com for your dynamic DNS. In this case, please follow these steps: (Let’s assume $TOKEN is your account access token. I’m using httpie in this example.)

  1. Create example.com in your deSEC account, provide the DS records and NS records to your domain registrar:
    http POST https://desec.io/api/v1/domains/ Authorization:"Token $TOKEN" name="example.com"
  2. Create home.example.com in your deSEC account and note the DS records:
    http POST https://desec.io/api/v1/domains/ Authorization:"Token $TOKEN" name="home.example.com"
  3. To start using home.example.com, create the following delegation records in your example.com domain:
    • DS records from step 2:
      http POST https://desec.io/api/v1/domains/example.com/rrsets/ Authorization:"Token $TOKEN" subname="home" ttl=3600 records:='[<insert DS records as output from step 2>]' type="DS"
    • NS records: ns1.desec.io. and ns2.desec.org. (note the trailing dot).
      http POST https://desec.io/api/v1/domains/example.com/rrsets/ Authorization:"Token $TOKEN" subname="home" ttl=3600 records:='["ns1.desec.io.","ns2.desec.org."]' type="NS"
  4. Configure your router to send dynamic DNS updates to https://update.dedyn.io with username home.example.com and your access token as password.
  5. Ask deSEC support to decrease TTL for home.example.com. (obsolete)
  6. Verify that DNSSEC is setup correctly with DNSSEC Analyzer


2021-04-07: Edit to reflect that it is no longer necessary to apply for reduced minimum TTL.

What about setting up a CNAME from the managed DNS domain to a *.dedyn.io domain? Then the lower TTL will still apply for IP address updates, right?

That’s correct! Note, however, that it is not possible to set a CNAME record on the zone apex (= the domain itself). CNAME records require a non-empty subname as the DNS specification allows setting them on subdomains only.

Stay secure,

Dear Nils,
I have followed Steps 1-6 of your guide. How do i know that the update skript i working? I have configured it on my Ubiquiti UniFi USG. I hade to use something under “Service” so I choose “dyndns” of the alternatives given.

Hi b-earl,

Welcome to deSEC! :slight_smile:

You can look up your IP records using the nslookup command (on your computer in a terminal window), or using other web sites such as DNS Lookup - Check All DNS records for any domain - whatsmydns.net.

Stay secure,