Request for DDNS-specific API authentication


#1

I’m very new to Cloudflare, so I could be missing something, but it appears to me that the only way to implement dynamic DNS through the Cloudflare API involves authenticating with account credentials that have full account access. This is a large security concern for DDNS implementation (consider a DDNS update script/client running on shared hosting, or running on a relative’s computer that you routinely access for remote desktop troubleshooting purposes). Compare this to Hurricane Electric’s free DNS hosting service which allows setting arbitrary or random keys (passwords) individually for each DDNS-enabled A/AAAA record which are used for authentication in HTTPS requests to update said records; they can’t be used for anything else. Also compare this to Google Domains’ synthetic DDNS records, where unique username and password pairs are generated per record, which are also used via HTTP requests to update said records, and also can’t be used for anything else. In both cases, the record-specific credentials are the only ones used to authenticate to the respective remote services, so if a DDNS script implementing these credentials were to be leaked, the impact would be minimal.

With the significant security advantage that record-specific credentials brings, I think implementing such a scheme is the right thing to do (at least for DDNS use).


Expanded availability of Multi-User access
#2

@Gerbil Cloudflare are looking into multi-user access, I’m sure they will implement separate api keys so you can update your dns. At the moment there’s no timescale or release date! Maybe it’s worth posting on the thread we have on here so the cloudflare team can see your feedback, As they want to see all different reasons/scenarios of what you would use it for.