What's in it:
- RFC 2136 / TSIG updates as a first-class path. FortiGate genericDDNS and MikroTik's /tool dns-update work natively — no custom client needed. HTTP API is also available for everything else.
- IPv6 end-to-end. Authoritative nameservers reachable over IPv6 (with AAAA glue published at the parent .dev zone), customer zones publish A and AAAA, and the platform works for IPv6-only clients.
- DNSSEC available on selected zones. With a single toggle.
- Bring your own domain via subdomain delegation. Point subdomain.yourcompany.com at our nameservers, manage normally.
- Hidden primary architecture: two geographically distributed secondaries (Sweden + Switzerland) verify TSIG locally and forward updates to a primary that doesn't take public traffic.
- Private-APN-friendly: we accept RFC 1918 and CGNAT addresses in records, which means cellular fleets on private APNs can use public DNS for stable hostnames pointing at internal IPs. Described in the fleet ops guide.
- A small Docker container (ghcr.io/33k-org/dynip-updater) for any docker-compose / Kubernetes / Coolify / Dokploy setup.
Background: 25 years of managed networking. DDNS was the part that broke or required tricks. Wanted one that didn't.
Stack: PowerDNS 4.8 authoritative, FastAPI backend, Postgres, Postfix for transactional mail, Cloudflare for the external surface and as a tunnel for the API. Live on dynip.dev. Paddle for billing. Free tier exists.
Happy to dig into architecture, the TSIG sync mechanism, per-zone DNSSEC handling, the hidden primary approach, or anything else.
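The RFC 2136 UPDATE plus the TSIG check the post says the secondaries perform locally, as an added stand-alone illustration (not dynip's or PowerDNS's code): it builds an unsigned UPDATE that adds one A record, signs it with hmac-sha256 per RFC 8945, and verifies it the way a receiving server would, including the time fudge window. Zone, host, key name, shared key and message ID are constructed values.

```python
import hashlib, hmac, struct

ALGO = "hmac-sha256."  # TSIG algorithm name as registered in RFC 8945

def encode_name(name):
    """Uncompressed wire-format DNS name (length-prefixed labels, root terminator)."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_update(zone, host, ipv4, msg_id=0x1234, ttl=60):
    """Unsigned RFC 2136 UPDATE: zone section plus one 'add A record' in the update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE, ZOCOUNT=1, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # type SOA, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    update = encode_name(host + "." + zone) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # type A, class IN
    return header + zone_sec + update

def tsig_mac(msg, key, keyname, when, fudge):
    """HMAC over the message (without its TSIG RR) followed by the TSIG variables (RFC 8945 4.3.3)."""
    variables = (encode_name(keyname) + struct.pack("!HI", 255, 0) + encode_name(ALGO)  # class ANY, TTL 0
                 + when.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))          # fudge, error, other len
    return hmac.new(key, msg + variables, hashlib.sha256).digest()

def sign(msg, key, keyname, when, fudge=300):
    """Append the TSIG RR to the additional section and bump ARCOUNT; returns (message, tsig_offset).
    The offset is returned only for brevity here; a real server parses the additional section."""
    mac = tsig_mac(msg, key, keyname, when, fudge)
    rdata = (encode_name(ALGO) + when.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))        # original ID, error 0, other len 0
    tsig = encode_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # type TSIG, class ANY
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig, len(msg)

def verify(signed, tsig_offset, key, keyname, now):
    """The secondary's check: strip the TSIG RR, recompute the MAC, compare in constant time."""
    body = signed[:tsig_offset]
    arcount = struct.unpack("!H", body[10:12])[0] - 1          # MAC was computed before ARCOUNT was bumped
    body = body[:10] + struct.pack("!H", arcount) + body[12:]
    rr = signed[tsig_offset:]
    owner, algo = encode_name(keyname), encode_name(ALGO)
    p = len(owner) + 10                                         # skip type, class, TTL, RDLENGTH
    if rr[:len(owner)] != owner or rr[p:p + len(algo)] != algo:
        return False                                            # unknown key or algorithm: BADKEY
    p += len(algo)
    when = int.from_bytes(rr[p:p + 6], "big")
    fudge, maclen = struct.unpack("!HH", rr[p + 6:p + 10])
    if abs(now - when) > fudge:
        return False                                            # outside the fudge window: BADTIME
    mac = rr[p + 10:p + 10 + maclen]
    return hmac.compare_digest(mac, tsig_mac(body, key, keyname, when, fudge))
```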
I am not an expert in the domain of DDNS. Wanted to bring your attention to desec.io, in case you didn't know about them. They offer a similar feature set to the one you mentioned (IPv6, DNSSEC, BYOD, ...). It is an open source project and they offer a very reliable free hosted service. As you said, they originated from the 2010-era (2014). I've used them for several years now and they bring everything to the table that I need.
For inspiration: They even have a feature that I use which I haven't spotted in your documentation (but maybe I just didn't look closely enough): Support for IPv6 prefix delegation. Routers that get assigned an IPv6 prefix from the ISP can update the IPv6 prefix of arbitrary domains. In Europe this prefix is not static and is rotated each time a new connection to the ISP is established. This feature allows the router to automatically update the IPv6 _prefix_ of selected domains. The host part of the IP is left untouched, but the network part is updated.
e.g.: /update?myipv6:nas.home.mydomain.tld=2003:e6:bee:affe::/56
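How the prefix update described above can be computed, as an added example that is not desec.io's or dynip's code: the query format is the one from the comment, the existing AAAA records are a constructed in-memory table, and the zone check (refusing names outside the caller's own zone) is an assumption about what such a server should do.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

def replace_prefix(current, prefix):
    """Return `current` with its network part replaced by `prefix`; the host bits are kept."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # strict=False tolerates host bits in the prefix
    host_mask = (1 << (128 - net.prefixlen)) - 1
    old = int(ipaddress.IPv6Address(current))
    new = int(net.network_address) | (old & host_mask)
    return str(ipaddress.IPv6Address(new))

def parse_update(url):
    """Parse '/update?myipv6:<name>=<prefix>' into (name, prefix) pairs; other keys are ignored."""
    pairs = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        op, _, name = key.partition(":")
        if op == "myipv6" and name:
            pairs.append((name.rstrip("."), value))
    return pairs

def apply_update(url, records, zone):
    """Apply prefix updates to a copy of `records`, refusing names outside `zone` (assumed policy)."""
    updated = dict(records)
    for name, prefix in parse_update(url):
        if not (name == zone or name.endswith("." + zone)):
            raise ValueError(f"{name} is not under {zone}")
        if name not in updated:
            raise KeyError(f"no AAAA record for {name}")
        updated[name] = replace_prefix(updated[name], prefix)
    return updated
```

With a /56 prefix the low byte of the fourth hextet belongs to the host part and is preserved, which is why the constructed prefix 2003:e6:bee:affe::/56 yields addresses under 2003:e6:bee:af00::/56.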
And really, dynip came to be from Fortinet/FortiGate, which have excellent support via their genericDDNS setup, and things kept growing from there to what you see today.
And the IPv6 subnet feature sounds really interesting. I will need to check that out; sounds like that could be a feature request.
I really had a bad time trying to get a Let's Encrypt certificate through the regular auth because it requires TCP ports 80 and 443, which my ISP blocks.
(You can get a Let's Encrypt cert through a TXT entry too, but most free DDNS providers don't seem to offer that.)
Which was a bit confusing when I clicked the confirm-your-email link. No confirmation or status or anything.
Nameserver [ns1.dynip.dev] doesn't exist at the registry (Code 480)
Also, is there anycasting?
Right now there is no anycast available; possibly in the future.
I still can not figure out any economical way to roll out anycast.
How did you set up PowerDNS? Single/multiple instances? One DB shared by many or multiple authoritative with one hidden primary?
If you register a zone and open the snippets quickly, there is a green notification saying TSIG replication is underway for x seconds; until that finishes, RFC 2136 updates are not possible, but the ones that use the API are available right off the bat.
Doesn't that cause security issues by making it possible to put other people's private servers (that you want to do XSS-type attacks against) into your domains or something? I have a vague memory of it being a security no-no somehow.
The defense against this has to happen either on the resource you want to protect or in the browser.
< is there anything else you would like me to answer or is that good enough - GenericAI answer>
But jokes aside, words are difficult and also not my first language
Just more hidden cost of AI. It's sufficiently hard to avoid these kinds of structural smells that I've gone back to just writing my own copy everywhere.
I just used the em dash twice, and have been doing so for 35 years. This is now supposedly a dead give-away for slop.
Call it slop when it's slop. When it's not total garbage, give it a rest.
Nice work, good luck.
The website is also vibecoded, at least partially - it has the exact same design choices, like that purplish blue colour scheme that Claude likes to spit out by default.
However had I not read your comment pitching it here, I'd have closed the tab on the landing page immediately. Sorry to be so direct, but it just looks like any vibe sloped page out there. I'm not saying it is, I haven't tried yet and your description here sounds good, but you might consider setting your page apart by putting some personality in it.
On another note, please don't create project specific HackerNews accounts.
> Don't have your username be that of your company or project. It creates a feeling of using HN for promotion and of not really participating as a person. You don't have to use your real name, just something to indicate that you're here as a human, not a brand. If you'd like to change your username, email hn@ycombinator.com.
However, if you want to self-host, not caring for reliability or ease of use: bind9 supports RFC 2136 DNS UPDATE and DNSSEC, too (haven't figured that out yet, though). For my setup I also wrote a small Go executable that translates HTTP requests, because my home router does not talk DNS UPDATE.
And yes, BIND allows for a lot of different things, RFC 2136 being one of them, and I have been looking at multiple options before settling down on the current structure. I built a few test cases from my FortiGate (dynip was initially FortiGate-only, with simple copy-paste over DNS internally).
And there are a few code examples that can be used internally on various hosts, Windows or Linux; there is even an Arduino example if you have any IoT devices lying around in your home lab. And writing a Go executable is a good idea; look out under /docs for updates :)
Again, this guy <- happy
Have you considered something like https://github.com/hickory-dns/hickory-dns? Not that everything has to be built in Rust.
Mostly around classic BBS usage, namely bbs.io ... I do hope that .io is officially extended beyond what would normally be end of life.
So no. The auth token is just for the API and can be used as a bearer for the API; the TSIG keys are always valid unless the domain is deleted.
The free tier allows for 5 zones, and all get individual TSIG keys that are always active. No need to pay unless you start handling 100s of new zones, updates, deletes, etc. So there is a split between the two types of tokens. Hope it is clear.
Then Tailscale came out and I stopped caring about DDNS or CGNAT ever since.
Agree that the OpenWrt DDNS scripts are a bit of a pain with keys and secrets, but the snippets function actually takes the guesswork / how-does-it-work out of the equation, so I am pretty happy with that.
Your guide sounds obviously written by an LLM. I think that's okay, and you might have directed the LLM's work, but don't say you wrote it; this misrepresents the guide as more carefully crafted and authoritative than it really is.
Do you see an advantage or alternative benefits to also having a public dynamic DNS, because for me I am struggling to see any?
It would be nice to get something like that also with easy TLS setup.
Procrasticus...
Luckily I don't have to deal with CGNAT.
Looking into switching today :D
Check the snippets after you create a zone, hopefully less hacky scripts :D
Fortinet, for example, has a similar thing: within their web interface you can register a something.fortiddns.com or float-zone.com or others. But if you upgrade the FortiGate to a newer model, you need to get in touch with their support because the domain is locked to the old hardware.
Synology has their own. I mean, there have never been more options; what I am doing is trying to bundle, connect and provide a platform for your own domains that can support Let's Encrypt out of the box, where you can use multiple update paths, with IPv6 if needed.
Long reply, but I am genuinely happy for the "why" questions as it allows me to speak about the platform :)
Just as a warning, however: the vibe-coded website doesn't inspire confidence that this isn't low-quality auto-generated AI slop and/or AI-managed infra.
Looking into it, of course, this seems not to be the case, but I just wanted to say: don't use the generic-looking theming that is the default of all LLM-generated websites :)
With that said, I hope as well that it is an amazing idea; I am really happy with how it works and performs.
On the other hand, you being on this comment thread and answering questions competently is a huge boost to the project's credibility in my eyes! But once the link disappears from the front page, only one of these things will remain. :-)
It's not like pre-LLM you wouldn't go to Themeforest and see hundreds of designs that were all the same. Now they just call it AI slop; before it was just slop.
One example I used it for just a few days ago was to set up dual IPsec tunnels for redundancy on a FortiGate in a remote warehouse. With the snippets I can just add a BYOD domain, paste the config into the CLI and ship the devices. When they connect, it dials up, updates the IP in the dashboard (with a notification that it has changed) and the VPN tunnels come up automatically. It is available as road warrior as well, or dial-up IPsec tunnels, but I want dual initiator functionality.
Maybe this reply isn't really what the site is for but rather a subset of what can be done.
Have a look at https://dynip.dev/guides/; I tried to add substantial information on what can be done.
Fun times :)
Thanks for being awesome!
Last time I used DDNS I think was around 2012 in an NVR where I needed to access some cameras publicly.
The idea is not really to never expose anything, almost the opposite or at least understand where on the internet different things live and be able to address them globally