
Every major DNS provider. One-click TXT record.

A DNS TXT challenge is the boring, well-understood proof-of-control mechanism used by certificate authorities (ACME dns-01) and by domain-verification services everywhere. Quidnug uses the same pattern, with first-party integrations for the three big cloud DNS providers and a manual fallback that works with any registrar.

Shipping day one

Cloudflare: API token, zone-scoped (live)
AWS Route 53: IAM assume-role (live)
Google Cloud DNS: OAuth, workload identity (live)

Coming soon

Namecheap: API key (planned)
GoDaddy: API key + secret (planned)
Porkbun: API key (planned)
DigitalOcean DNS: personal access token (planned)
Azure DNS: service principal (planned)
Hurricane Electric: manual TXT (planned)
Manual TXT paste: any registrar (always available)

How integrations work

We never see your zone, only the one TXT record we asked for.

01 · authorize

Scoped token or OAuth

Cloudflare issues an API token restricted to the one zone with DNS edit permission; the zone is the narrowest resource scope Cloudflare tokens support, so the token can touch records in that zone and nothing outside it. Route 53 uses an IAM role you create in your own account, with ChangeResourceRecordSets narrowed by IAM condition keys to the specific hosted zone, record name and record type. Google uses workload identity federation to a service account that holds a DNS role on the one managed zone. In all three cases the credential lets us add the challenge TXT record and reaches nothing outside that zone; with Route 53 the challenge record is also the only record the credential can write.
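The Route 53 narrowing described above, written out as the permissions policy you would attach to the role Quidnug assumes. This is an added example, not a policy document published by Quidnug; the hosted zone ID Z0123456789EXAMPLE and the domain example.com are placeholders. Without the Condition block, the same Allow on route53:ChangeResourceRecordSets would let the role rewrite any record in the zone; the three route53:ChangeResourceRecordSets* condition keys limit every change in a request to the one owner name, the TXT type, and CREATE or DELETE (DELETE is there so the optional clean-up in step 04 can work).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheQuidnugChallengeTxtRecord",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/Z0123456789EXAMPLE",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_quidnug-challenge.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsActions": ["CREATE", "DELETE"]
        }
      }
    }
  ]
}
```

Route 53 normalizes record names to lowercase before evaluating the name condition, so the value must be lowercase. Pair this with a trust policy that names the assuming principal and requires an ExternalId, which is the standard defence against a confused-deputy use of a cross-account role; if the integration needs to wait for the change to reach INSYNC it additionally needs route53:GetChange on arn:aws:route53:::change/*, a read that does not widen the write scope.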

02 · write

One-shot record creation

On claim, we call the provider API once to create _quidnug-challenge.yourdomain.com TXT "<token>" with a 5-minute TTL (300 seconds), so that cached copies age out of resolvers quickly once the record changes or is removed. That is the only write we make on your zone during verification; the optional delete in step 04 is the one other write, and only if you ask for it.

03 · verify

Quorum across public resolvers

We never trust a single resolver, and we never confirm the write through the provider API we just used: we read the record back from the public DNS, the way anyone else would see it. We query Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9, and OpenDNS 208.67.222.222, and require 3-of-4 agreement on the exact token string. A resolver that times out, answers NXDOMAIN (for example because it negatively cached the name before the write), or returns a different value counts against the quorum rather than being ignored.

04 · optional delete

Leave or remove, your choice

Keeping the TXT record in place lets the continuous re-verification in step 05 keep succeeding without any further write. You can also ask us to delete it after initial verification; from then on rechecks fail, which is harmless until the next renewal window opens, at which point you need to restore the record to keep the attestation.

05 · renew

Tier-dependent re-check cadence

Free tier: daily. Pro: hourly. Business: every 15 minutes. Governance: custom. If the record stops resolving, we publish a revocation edge and notify you; you have a grace period to restore before the signed attestation is fully withdrawn.

06 · revoke

Explicit disconnect

Revoke our access at any time from your provider's console. We'll notice on the next renewal attempt, degrade your badge to unverified, and preserve a read-only archive of past attestations.

Security properties

What we designed against.

Split-horizon DNS spoofing

An attacker who controls a single resolver (or a captive network between us and a resolver) cannot trick validation into success: three of the four independent public resolvers must agree on the token. Note what the quorum does and does not cover: all four resolvers ultimately ask the same authoritative servers for your zone, so agreement protects against a poisoned or hijacked resolver path, not against an attacker who can already write to your zone at the provider.

Stale-record replay

Tokens are bound to the specific claim and expire after 15 minutes of inactivity. Replaying an old token against a new claim fails the scope check.
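The verification procedure from steps 02 to 05 and the two properties above (3-of-4 resolver agreement, claim-bound tokens that expire), as an added example that is not Quidnug's code. Resolver I/O is replaced by an injected lookup callable so it runs offline; the 15-minute window is measured from a last-activity timestamp the caller maintains, which is an assumption about how "inactivity" is defined. The resolver IPs, the 3-of-4 quorum, the record prefix and the 15-minute lifetime are taken from the page.

```python
# Added example (not Quidnug's code): claim-bound token issuance and 3-of-4
# quorum verification of a TXT challenge across independent resolvers.
# Resolver I/O is an injected callable so this runs offline; a real deployment
# would send a TXT query to each resolver IP and return the TXT strings in the
# answer, or None on NXDOMAIN, SERVFAIL or timeout.
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9", "208.67.222.222"]  # from the page
QUORUM = 3                    # 3-of-4 agreement, from the page
TOKEN_TTL_SECONDS = 15 * 60   # 15-minute token lifetime, from the page
RECORD_PREFIX = "_quidnug-challenge"

# (resolver_ip, owner_name) -> TXT strings seen at that resolver, or None
Lookup = Callable[[str, str], Optional[list[str]]]


@dataclass
class Claim:
    claim_id: str
    domain: str
    token: str
    last_active_at: float  # assumption: the 15-minute window runs from here

    @property
    def record_name(self) -> str:
        return f"{RECORD_PREFIX}.{self.domain}"


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    agreeing: list[str] = field(default_factory=list)
    disagreeing: list[str] = field(default_factory=list)


def new_claim(claim_id: str, domain: str, now: Optional[float] = None) -> Claim:
    """Issue a fresh, unguessable token bound to this claim and domain."""
    ts = time.time() if now is None else now
    return Claim(claim_id, domain, secrets.token_urlsafe(32), ts)


def verify_claim(claim: Claim, lookup: Lookup, now: Optional[float] = None,
                 resolvers: list[str] = RESOLVERS, quorum: int = QUORUM) -> VerifyResult:
    """Accept only if at least `quorum` resolvers return this claim's token as a
    whole TXT string. A resolver returning a different token (poisoned or stale),
    a superstring, NXDOMAIN or a timeout counts against the quorum. Comparing the
    observed strings with *this* claim's token is the scope check: a token left
    over from an older claim never matches a new one."""
    ts = time.time() if now is None else now
    if ts - claim.last_active_at > TOKEN_TTL_SECONDS:
        return VerifyResult(False, "token expired")
    result = VerifyResult(False, "")
    for ip in resolvers:
        answer = lookup(ip, claim.record_name)
        # whole-string equality against one TXT RR; no substring or prefix match
        if answer is not None and claim.token in answer:
            result.agreeing.append(ip)
        else:
            result.disagreeing.append(ip)
    if len(result.agreeing) >= quorum:
        result.ok = True
        result.reason = f"{len(result.agreeing)}/{len(resolvers)} resolvers agree"
    else:
        result.reason = f"quorum not met: {len(result.agreeing)}/{len(resolvers)}"
    return result


def make_lookup(zone: dict[str, list[str]],
                overrides: Optional[dict[str, dict[str, Optional[list[str]]]]] = None) -> Lookup:
    """Constructed stand-in for DNS: `zone` is what every resolver sees from the
    authoritative servers; `overrides[resolver_ip][name]` makes one resolver
    answer differently (a spoofed answer, or None for NXDOMAIN/timeout)."""
    overrides = overrides or {}

    def lookup(ip: str, name: str) -> Optional[list[str]]:
        if name in overrides.get(ip, {}):
            return overrides[ip][name]
        return zone.get(name)
    return lookup


if __name__ == "__main__":
    claim = new_claim("claim-1", "example.com", now=1000.0)
    name = claim.record_name
    honest = make_lookup({name: [claim.token]})
    one_poisoned = make_lookup({name: [claim.token]},
                               {"9.9.9.9": {name: ["attacker-token"]}})
    two_bad = make_lookup({name: [claim.token]},
                          {"9.9.9.9": {name: None}, "8.8.8.8": {name: ["attacker-token"]}})
    print(verify_claim(claim, honest, now=1100.0))             # ok, 4/4
    print(verify_claim(claim, one_poisoned, now=1100.0))       # ok, 3/4
    print(verify_claim(claim, two_bad, now=1100.0))            # fails, 2/4
    print(verify_claim(claim, honest, now=1000.0 + 16 * 60))   # fails, expired
```

The result lists which resolvers disagreed, which is what you want in the audit log when a verification fails: one dissenting resolver is usually a cache or propagation artefact, two or more on the same name is worth a closer look.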

Provider API compromise

Integration credentials are scoped to the one zone and, where the provider supports it, to the one record. The Route 53 role is conditioned on the record name and type, so a compromised credential there can add or remove the challenge TXT record but cannot alter your MX, A, or NS records. Cloudflare API tokens and Cloud DNS IAM bindings stop at the zone boundary, so a compromised credential there is confined to that zone; in every case the credential is yours to revoke from the provider console (step 06), and rotating it costs you one re-verification.

Quidnug-side compromise

The signed attestation edge is verifiable without us. Your customers hold the cryptographic artifact; we only hold the infrastructure that produced it.

Request a provider

We will prioritize based on customer demand.

Tell us which DNS provider you use when you sign up; we bump requests with paying customers to the front of the queue. All new provider integrations ship with the same security properties as the day-one integrations.