SpipCP
DNS

Managed DNS providers

Use a managed DNS provider — Cloudflare, Bunny, Hetzner, deSEC, or Gcore — to hold your records without running servers. Pick one, add a credential, select it via the cascade, attach a domain.

A managed provider holds your DNS records for you. You already delegated your domain to its nameservers (that's Layer 1, done when you set the domain up there), so SpipCP only touches Layer 2: it writes the A/AAAA/CNAME/MX/TXT records (and the wildcard) through the provider's API. This is the least-effort path — no nameserver boxes to run.

Provider accounts live under Networking → Providers

The managed-provider account list is Networking → Providers. The self-hosted zone + record editor now lives only under Nameservers (one home each). The old Settings → DNS providers link still redirects here, so nothing is broken.

The Networking Providers tab
📷Networking → Providers — managed provider accounts (the cascade), each showing the cached zone count that drives the authority tier, plus the provider switchboard.img/dns-providers.avif
Networking → Providers — managed provider accounts (the cascade), each showing the cached zone count that drives the authority tier, plus the provider switchboard.

The Zones column (the zone-list cache)

Each managed account row shows a Zones count: how many zones that account is authoritative for. SpipCP caches this list per account so the zone-authority resolver can tell, without a live API call on every page, whether a hostname you attach is Connected (its zone is in one of your accounts) or External (it isn't). The cache refreshes when you create or update an account, when you Test it, when you click Refresh zones on the account's ⋮ menu, and on a daily sweep. If a refresh fails, the previously cached list is kept and a marks the row — staleness is advisory: the actual record write at attach time is always the source of truth. PowerDNS (self-hosted) accounts show self-hosted here — their zones are already known from your nameserver boxes.

Moving off US-hosted DNS

If you're here for GDPR or data ownership — getting your records off US-hosted infrastructure — you have managed EU options that cost nothing:

ProviderHostedCostWhy pick it
CloudflareUSFreeThe default many people already have. The only one with the orange-cloud proxy.
BunnyEU (Slovenia)FreeSimple, fast EU DNS.
HetznerGermanyFreeGerman DNS; natural fit if your servers are already at Hetzner.
deSECEU (non-profit)FreeGerman non-profit; DNSSEC on by default on every zone.
GcoreEU (Luxembourg)Free tierAnycast network with a usable free tier.

Picking any of Bunny, Hetzner, deSEC, or Gcore moves your records to EU-hosted DNS while staying fully managed. If you want to own the nameservers too (Layer 1), that's self-hosted DNS — more control, more responsibility.

Pick one, add a credential

Four steps. The first three are a one-time setup; the last you do per domain.

Choose a provider from the table above, based on where you want your records hosted.

Add the credential under Networking → Providers → Add account — name it, pick the provider, paste the provider's API token (and a Zone where the provider needs one). The connect dialog shows that provider's demarcation inline (wildcard automatic? proxy available?), so you see what you're getting before you save. SpipCP tests the token on connect. It is encrypted, write-only, and never reaches a node. Where to get each provider's token is in the DNS providers setup guide.

Select it at the right level (the cascade — below).

Attach a domain to a site with that provider — SpipCP creates the record for you. Full flow: Domains & SSL.

Select it via the cascade

You rarely pick an account per domain by hand. A DNS account cascades node → instance → domain, exactly like git accounts:

LevelWhere you set itWho inherits it
NodeA node's DNS tabevery instance + domain under that node
InstanceAn instance's DNS tabevery domain on that instance
DomainThe attach wizard / the domain rowjust that domain (the override)

A level left blank inherits from the one above. The most-specific set value wins: a domain override beats the instance default, which beats the node default. Change a node's default and every domain that never overrode follows automatically — no re-attach. Delete an account something pointed at and that reference falls back to "inherit the level above," never a broken pointer.

Mixed providers for compliance

Because the account resolves per domain, one node — even one instance — can serve domains on different providers at once. This is the headline compliance lever: keep the convenient default for most domains, and pin the regulated ones to an EU provider, without moving anything.

Example — Cloudflare by default, deSEC for the GDPR-sensitive site

Say a node hosts several sites. You set the node default to a Cloudflare account (fast, familiar) — so every domain inherits Cloudflare. Then, for the one client whose data must stay in the EU, you open that domain and set its override to a deSEC (EU, non-profit) account. Result:

  • shop.example.com, blog.example.comCloudflare (inherited from the node)
  • patients.clinic.eudeSEC (the per-domain override)

All on the same node, same instance. Switch the regulated domain's provider later and only that domain re-attaches — the rest never move. It works the other way too (EU default, one domain on Cloudflare), or per-instance (a whole tenant on one provider) — whatever your compliance boundary is.

There is no "one node = one DNS" restriction. The only single-purpose kind is a self-hosted nameserver box, which runs DNS and nothing else by design.

Attach a domain

Once an account resolves for the site, the provider shows up in the attach wizard. SpipCP picks the effective account (override → instance → node), writes the record for you, then runs the usual DNS verify → certificate → smoke test before going green. If no account resolves, that provider is disabled in the wizard with a link to Settings, so you never start a path that fails at attach.

The orange-cloud proxy is Cloudflare-only

The proxy toggle (Cloudflare's orange cloud) shows only for Cloudflare domains — it's a Cloudflare product (its edge that fronts your IP), not a DNS feature, so Bunny / Hetzner / deSEC / Gcore don't have it. With Cloudflare, SpipCP reads the record back from the API, so the proxy can stay on without failing the attach check.

Wildcards need a Caddy DNS module on the node

A *.example.com certificate needs the node's Caddy to write a TXT record through your provider's API (the ACME DNS-01 challenge), which requires the matching caddy-dns/<provider> module compiled into the Caddy on that node. If it's missing, the wizard tells you exactly which module to add rather than failing silently. A single hostname (no wildcard) needs no module. Self-hosted nameservers can now do wildcards too, via the caddy-dns/powerdns module — see SSL/TLS certificates.

Next steps

On this page