DNSCove

DNSCove guide

Quickstart: your first zone over the API

This walks the whole lifecycle of a DNSCove zone from the command line — create it, add records, prove you own the domain, and go live at the edge — using nothing but curl. Every call here is in the API reference; this guide is the narrative that strings them together.

DNSCove serves from two authoritative nameservers, ns1.dnscove.com and ns2.dnscove.org. A zone is only served once it is ACTIVE; a freshly created zone starts PENDING_VERIFICATION and is not answered by the edge until you prove control of the domain (below).

1. Get an API token

Sign in to the console with magic-link (no password), open API tokens, and create a tenant-admin token — it can create zones, manage records, and publish. Copy it once; the secret is shown only at creation.

export DNSCOVE=https://api.dnscove.com
export TOKEN=dnsc_1a2b3c4d5e6f7a8b_…   # the token you just minted
auth="Authorization: Bearer $TOKEN"

Least privilege. tenant-admin is root-equivalent. Once a zone exists you can mint a zone-admin token scoped to just that zone for record work, and an acme-dns01 token that can do nothing but solve certificate challenges. See machine tokens in the API reference.

2. Create a zone

curl -fsS -X POST "$DNSCOVE/api/zones" -H "$auth" \
  -d '{"origin":"example.com"}'
{
  "id": "Z1a2b3c4d5e6f70",
  "origin": "example.com.",
  "status": "PENDING_VERIFICATION",
  "ns": ["ns1.dnscove.com.", "ns2.dnscove.org."]
}

Keep the id — every record and token call is scoped to it.

export ZONE=Z1a2b3c4d5e6f70

3. Add records

Record sets are UPSERT by (name, type): the same call creates or replaces the set. Names are fully qualified with a trailing dot.

# A record for www
curl -fsS -X POST "$DNSCOVE/api/zones/$ZONE/rrsets" -H "$auth" -d '{
  "action": "UPSERT", "name": "www.example.com.", "type": "A",
  "ttl": 300, "records": ["192.0.2.10", "192.0.2.11"]
}'

# An apex ALIAS — point the root at a CDN or load balancer with no CNAME-at-apex
# problem. DNSCove resolves the target and keeps the apex A/AAAA fresh.
curl -fsS -X POST "$DNSCOVE/api/zones/$ZONE/rrsets" -H "$auth" -d '{
  "action": "UPSERT", "name": "example.com.", "type": "ALIAS",
  "ttl": 300, "records": ["d111111abcdef8.cloudfront.net."]
}'

Supported types: A, AAAA, CNAME, TXT, MX, SRV, CAA, NS, PTR, and DNSCove's apex-safe ALIAS. The apex SOA and apex NS are managed for you and can't be edited. A record change is accepted immediately but reaches the edge on the next publish (step 5).

4. Prove ownership and go live

DNSCove runs a shared nameserver set, so it will not answer for a domain until its owner proves control. There are two ways to do that — pick one.

Option A — verify with a TXT record (no-downtime, recommended for migrations)

Publish a single TXT record on the domain's current DNS, then verify. The zone activates and starts serving on ns1/ns2 before you touch your nameservers — so you can cut over with zero gap. Get the exact record the API tells you to publish, then call verify:

# The create/import response and a failed verify both return the exact record:
#   _dnscove-challenge.example.com.  TXT  "dnscove-site-verification=Z1a2b3c4d5e6f70"
curl -fsS -X POST "$DNSCOVE/api/zones/$ZONE/verify" -H "$auth"
{ "status": "ACTIVE", "verified": true, "served": true }

Once verified, point your registrar's nameservers at ns1.dnscove.com and ns2.dnscove.org whenever you're ready — DNSCove is already serving identical answers. This is the path the Route 53 migration guide uses end to end.

Option B — delegate first

If the domain is new (or you don't mind a brief cutover), point your registrar's nameservers at ns1.dnscove.com / ns2.dnscove.org first, then ask DNSCove to check the parent delegation. A successful check activates the zone automatically:

curl -fsS "$DNSCOVE/api/zones/$ZONE/delegation" -H "$auth"

5. Publish record changes

Zone activation publishes once. After that, record edits are staged in the control plane and reach the edge on the next publish:

curl -fsS -X POST "$DNSCOVE/api/publish" -H "$auth"

6. Confirm before you cut anything over

If you're moving off another provider, parity compares what DNSCove now serves against what's live in public DNS and tells you when it's safe to delete the old zone:

curl -fsS "$DNSCOVE/api/zones/$ZONE/parity" -H "$auth"
{ "parity": { "matches": true, "checked": 24, "mismatched": 0 }, "safe_to_delete": true }

Where to next