Sectigo.com
Shop Enterprise Partners Resources

Installing DNS connectors

Installation requirements

To install a DNS connector, the following requirements must be satisfied:

  • An SCM account and MRAO administrator permissions

  • Microsoft Windows Server 2016, 2019, or 2022 (64-bit) and local admin permissions to install the DNS connector

  • Hardware:

    • CPU — 1.4GHz 64-bit or 32-bit (minimum)

    • RAM — 2 GB (minimum)

  • Internet access:

    • Outbound network access to https://cbcc.enterprise.sectigo.com on TCP port 443

    • Outbound network access to https://dist.sectigo.com on TCP port 443

    • Outbound network access to the appropriate SCM instance on TCP port 443:

      • https://cert-manager.com

      • https://hard.cert-manager.com

      • https://eu.cert-manager.com

DNS provider requirements

In addition to the general prerequisites, there are requirements that must be met depending on which DNS provider you are using.

  • Cloudflare

  • Amazon Route 53

  • Azure DNS

  • GoDaddy DNS

  • Akamai Edge DNS

  • DNSimple

  • OVHcloud

The following requirements must be met before using a DNS connector with Cloudflare:

  • You have an active Cloudflare account.

  • You have outbound network access to the Cloudflare API endpoint.

  • You have created a Cloudflare API token provided with at least the following permissions:

    • Zone.Zone:Read

    • Zone.DNS:Edit

      For information about Cloudflare API tokens, see Create an API token.
Requires connector version 4.0 or later. For instructions on updating to the latest version, see Update a DNS connector.

The following requirements must be met before using a DNS connector with Amazon Route 53:

  • You have an active AWS account.

  • You have outbound network access to the Amazon Route 53 API endpoint.

  • You have an IAM user provided with at least the following permissions:

    • route53:ChangeResourceRecordSets

    • route53:ListHostedZones

    • route53:GetChange

  • You have generated the Access Key ID and Secret Access Key for the IAM user.

For more information on Amazon Route 53, see Amazon Route 53 Developer Guide.
Requires connector version 4.0 or later. For instructions on updating to the latest version, see Update a DNS connector.

The following requirements must be met before using a DNS connector with Azure DNS:

  • You have an active Azure account.

  • You have configured DNS zones.

  • You have outbound network access to the Azure REST API endpoint.

  • You have registered an application in Azure with at least the following permission.

    • DNS Zone Contributor

For more information on Azure DNS, see What is Azure DNS?.
Requires connector version 4.0 or later. For instructions on updating to the latest version, see Update a DNS connector.

The following requirements must be met before using a DNS connector with GoDaddy DNS:

  • You have an active GoDaddy account with access to the DNS API.

  • You have outbound network access to the GoDaddy DNS API endpoint.

  • You have created an API Key and Secret.

For more information on GoDaddy DNS, see Getting Started with GoDaddy API.
Requires connector version 4.0 or later. For instructions on updating to the latest version, see Update a DNS connector.

The following requirements must be met before using a DNS connector with Akamai DNS:

  • You have an active Akamai account.

  • You have outbound network access to the Akamai API endpoint.

  • You have created an API client with at least the following permission.

    • DNS—Zone Record Management with READ-WRITE

For more information on Akamai DNS, see Welcome to Edge DNS.
Requires connector version 4.0 or later. For instructions on updating to the latest version, see Update a DNS connector.

The following requirements must be met before using a DNS connector with DNSimple:

  • You have an active DNSimple account.

  • You have outbound network access to the DNSimple API endpoint.

  • You have generated an API access token with at least the following permission:

    • Zones:Full Access

For more information about DNSsimple, see DNSimple Developer Documentation.

The following requirements must be met before using a DNS connector with OVHcloud:

  • You have an active OVHcloud account.

  • You have outbound network access to the OVHcloud API endpoint.

  • You have registered an application in OVHcloud and created a Consumer Key with permission to access all appropriate endpoints.

For information about OVHcloud APIs, see First Steps with the OVHcloud APIs.

Add a DNS connector to SCM

  1. Navigate to Integrations  DNS Connectors and click the Add icon.

    DNS Connector Add icon

  2. In the Add DNS Connector dialog, provide a name to help identify the connector.

  3. (Optional) Provide comments with additional details about the connector.

  4. Specify the Delegation Mode based on the information in the following table.

    Field Description

    General

    When selected, the DNS connector is available for all organizations and departments.

    Customized

    When selected, the DNS connector is available for only the selected organizations and departments.

  5. Click Next.

  6. Copy the installation token for use during installation.

    DNS connector Installation Token
    If your installation fails, subsequent attempts require the use of a new registration token.

  7. Click the Windows installation package link.

  8. Click Save.

The connector should now be listed on the DNS Connectors page with a status of Pending.

Install a DNS connector

  • Windows

  • Windows ( CLI )

  1. (Optional) If required, move the SectigoDCS.msi file to the DNS connector machine.

  2. Right-click SectigoDCS.msi and click Install.

  3. In the setup wizard, click Next.

  4. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  5. (Optional) Specify an installation location.

    If no destination folder is selected, the DNS connector and library will be installed in C:\Program Files\Sectigo Limited\SectigoDCS.

  6. Click Next, and paste the connector installation token.

    If needed, you can retrieve the installation token from the Edit DNS Connector dialog for your connector.

  7. Click Next.

  8. In the Proxy Settings window, select Direct Internet connection (no proxy), or select Manual proxy configuration and enter your configuration details based on the information provided in the following table.

    Field Description

    Address

    The IP address or the DNS name of the proxy server.

    Port

    The listening port of the proxy server.

    Username

    The username used to connect to the proxy server.

    Password

    The password used to connect to the proxy server.
    Click Test Connection to confirm your connection.

  9. Click Install.

  10. Click Yes to allow the installation to complete on the server.

  11. Click Finish.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoDCS.

The connector should now be listed on the DNS Connectors page with a status of Connected.

  1. Open the Windows command prompt.

  2. In the command line, navigate to the download location of the installation package.

  3. Modify the installation command as needed.

    msiexec.exe /i /q SectigoDCS.msi TOKEN= PROXY_TYPE= PROXY_ADDR= PROXY_PORT= PROXY_USER= PROXY_PASSWORD=
    Unused options must be removed from the command.

    The command options are outlined in the following table.

    Option Description

    /i

    Initiates installation of the agent through the bootstrap application.

    /q

    Runs the installation in silent mode so no interaction is required.

    TOKEN

    The mandatory installation token.

    PROXY_TYPE

    Indicates whether you are using a proxy server.

    • 1 (Yes)

    • 0 (No)

    PROXY_ADDR

    The hostname or IP address of your proxy server.

    This option is required if you are using a proxy server.

    PROXY_PORT

    The port number used by your proxy server.

    This option is required if you are using a proxy server.

    PROXY_USER

    The username for accessing the proxy server.

    This option is required if your proxy server is configured to use credentials.

    PROXY_PASSWORD

    The password for accessing the proxy server if configured to use credentials.

    This option is required if your proxy server is configured to use credentials.

  4. Run the modified installation command.

The application’s configuration and log files are stored in C:\ProgramData\Sectigo Limited\SectigoDCS.

The connector should now be listed on the DNS Connectors page with a status of Connected.

Configure a DNS connector

Once installed, DNS connectors must be configured to connect to your DNS provider. Multiple DNS providers can be connected to a single connector.

  • Cloudflare

  • Amazon Route 53

  • Azure DNS

  • GoDaddy DNS

  • Akamai Edge DNS

  • DNSimple

  • OVHcloud

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the Cloudflare provider.

    sectigo-dcs.exe provider add -type cloudflare -name "<yourProviderName>" -token "<yourCloudflareToken>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For Cloudflare, the value must be cloudflare.

    name

    The name used to represent the DNS provider in SCM.

    token

    The authentication token specific to your Cloudflare account. This token is required to authorize the DNS connector to interact with Cloudflare’s API on behalf of your account.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the Amazon Route 53 provider.

    sectigo-dcs.exe provider add -type route53 -name "<yourProviderName>" -access-key-id "<yourAccessKeyID>" -region "<yourAWSRegion>" -secret-key "<yourSecretKey>" -session-token "<yourSessionToken>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For Amazon Route 53, the value must be route53.

    name

    The name used to represent the DNS provider in SCM.

    access-key-id

    The AWS access key ID generated for your AWS account. This key is used to authenticate API requests.

    region

    The AWS region where your Route 53 resources are located.

    Some examples of AWS region IDs include us-east-1, eu-west-1, and so on.

    secret-key

    The AWS secret access key generated for your AWS account. This key, along with the access key ID, is used to sign API requests.

    session-token

    (Optional) The session token for temporary security credentials. This is included if you are using temporary credentials from AWS STS (Security Token Service).

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the Azure DNS provider.

    sectigo-dcs.exe provider add -type azure -name "<yourProviderName>" -resource-group "<yourResourceGroupName>" -subscription "<yourSubscriptionID>" -tenant-id "<yourTenantID>" -client-id "<yourClientID>" -client-secret "<yourClientSecret>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For Azure DNS, the value must be azure.

    name

    The name used to represent the DNS provider in SCM.

    resource-group

    The name of the Azure resource group that contains your DNS zone.

    subscription

    The Azure subscription ID associated with your account. This identifies your subscription within Azure.

    tenant-id

    The Microsoft Entra ID (formerly Azure Active Directory) tenant ID.

    client-id

    The client ID of the Microsoft Entra application. This is used for authentication.

    client-secret

    The client secret associated with the Microsoft Entra application. This is used for authentication.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the GoDaddy DNS provider.

    sectigo-dcs.exe provider add -type godaddy -name "<yourProviderName>" -api-key "<yourAPIKey>" -api-secret "<yourAPISecret>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For GoDaddy DNS, the value must be godaddy.

    name

    The name used to represent the DNS provider in SCM.

    api-key

    The API key generated from your GoDaddy account. This key is used to authenticate API requests.

    api-secret

    The API secret associated with your GoDaddy API key. This secret, along with the API key, is used to sign API requests.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the Akamai DNS provider.

    sectigo-dcs.exe provider add -type akamai -name "<yourProviderName>" -access-token "<yourAccessToken>" -client-secret "<yourClientSecret>" -client-token "<yourClientToken>" -host "<yourHost>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For Akamai Edge DNS, the value must be akamai.

    name

    The name used to represent the DNS provider in SCM.

    access-token

    The access token generated from your Akamai account. This token is used to authenticate API requests.

    client-secret

    The client secret associated with your Akamai API client. This secret, along with the client token, is used to sign API requests.

    client-token

    The client token generated from your Akamai account. This token, along with the client secret, is used to authenticate API requests.

    host

    The host URL for the Akamai API endpoint. This specifies the server to which API requests are sent.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the DNSimple DNS provider.

    sectigo-dcs.exe provider add -type dnsimple -name "<yourProviderName>" -access-token "<yourAccessToken>" -account-id "<yourAccountID>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For DNSimple DNS, the value must be dnsimple.

    name

    The name used to represent the DNS provider in SCM.

    access-token

    The access token generated from your DNSimple account. This token is used to authenticate API requests.

    account-id

    The account ID associated with your DNSimple account. This ID is used to specify which account the API requests should be applied to.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

  1. In a command prompt window, navigate to the DNS connector install location.

  2. Add the OVHcloud provider.

    sectigo-dcs.exe provider add -type ovh -name "<yourProviderName>" -endpoint <yourOVHendpoint> -app-key "<yourAPIkey>" -app-secret "<yourAppSecret>" -consumer-key "<yourConsumerKey>"

    The command options are outlined in the following table.

    Option Description

    type

    The type of DNS provider that is being added.

    For OVHcloud, the value must be ovh.

    name

    The name used to represent the DNS provider in SCM.

    endpoint

    The OVH region ID indicating where your services are hosted.

    Some examples of OVHcloud region IDs include ovh-eu, ovh-ca, and ovh-us.

    app-key

    The Application Key (AK) provided by OVHcloud when you register your application. This key is used to identify your application in API requests.

    app-secret

    The Application Secret (AS) provided by OVHcloud alongside the Application Key. This secret, along with the application key, is used to sign API requests.

    consumer-key

    The Consumer Key (CK) obtained after authenticating your application with OVHcloud’s API using your Application Key and Application Secret. This key grants your application permission to make API requests on behalf of a user’s account.

  3. Verify the provider is added.

    sectigo-dcs.exe debug provider ping -name "<yourProviderName>"

You can view additional CLI commands with the help command.

sectigo-dcs provider help

Restore a DNS connector

DNS connectors that are offline for over 30 days may lose the ability to connect to SCM. In most cases, this connectivity can be restored by doing the following:

  1. Log in to SCM.

  2. Navigate to Integrations  DNS Connectors.

  3. Select the connector to be restored, and click Restore.

  4. Click OK.

  5. Save the displayed token, and close the Restore Connector dialog.

  6. In a command prompt window, navigate to the DNS connector install location.

  7. Restore the connector.

    register -token <registration_token> -force

Update a DNS connector

  1. Log in to SCM.

  2. From the left-hand menu, select About.

  3. Click the Download DNS Connector icon.

  4. (Optional) If required, move the SectigoDCS.msi file to the DNS connector machine.

  5. Right-click SectigoDCS.msi and click Install.

    The package automatically recognizes that there’s an existing version of the DNS connector and initiates an update instead of a new install.

  6. Read the EULA, select I accept the terms in the License Agreement, and click Next.

  7. (Optional) Specify an installation location.

  8. Click Next, Install, and Close.

Uninstall a DNS connector

  1. In Windows, navigate to Settings  Apps & features.

  2. Search for Sectigo.

  3. Select the Sectigo DNS Connector and click Uninstall.

  4. (Optional) Delete the files and logs associated with the DNS connector.

    1. Navigate to C:\ProgramData\Sectigo Limited.

    2. Delete the SectigoDCS folder.

      This cannot be undone. Only delete this folder if you want to completely remove all files and logs related to the DNS Connector.

  5. In SCM, navigate to Integrations  DNS Connectors.

  6. Select the connector you want to delete.

  7. Click the Delete icon.

  8. Click Delete.

DNS connector service commands

Command Description

Start

Start a DNS connector:

sc start SectigoDCS

Stop

Stop a DNS connector:

sc stop SectigoDCS

Query

Query the status of a DNS connector:

sc query SectigoDCS