CertaDNS

Managed DNS Zones (BYOD)

Available on: Plus, Pro, Elite

1. What This Feature Does

Managed DNS Zones allows you to import your own domains (Bring Your Own Domain, or BYOD) into CertaDNS's DNS infrastructure. After verifying domain ownership via a DNS TXT record and delegating nameservers to ns1.certadns.com and ns2.certadns.com, your zone becomes fully managed by CertaDNS. Once active, you can create Dynamic DNS domains under the zone and manage additional DNS records including MX, TXT, CNAME, and NS record types.

Each zone supports up to 500 DNS records across all record types. The system tracks zone status (pending verification or verified), records the verification timestamp, and enforces plan-based limits on the total number of zones you can import. A and AAAA records are managed exclusively through the Dynamic DNS feature. All other supported record types are managed through the DNS Record Manager.

2. When You Should Use It

  • You own a domain registered at a third-party registrar and want to use CertaDNS as your authoritative DNS provider while retaining registrar control.
  • You need to create Dynamic DNS subdomains under your own branded domain instead of using a CertaDNS public zone.
  • You require full DNS record management capabilities including MX records for email, TXT records for domain verification, or CNAME records for service delegation.
  • You want to manage multiple subdomains and record types under a single parent domain through a unified interface.
  • You need to configure email authentication (SPF, DKIM, DMARC) or other TXT-based verification systems for your domain.

3. When You Should Not Use It

  • You do not own the domain: Zone import requires full control over DNS records at your current DNS provider to complete verification. You cannot import a domain you do not own.
  • Free plan account: This feature is unavailable on the Free plan. Use CertaDNS public zones for Dynamic DNS instead, or upgrade to Plus or higher.
  • You need instant activation: Zone verification requires creating a TXT record at your current provider, and nameserver delegation requires registrar changes that may take 24-48 hours to propagate globally.
  • You need more than 500 records per zone: Each zone has a hard limit of 500 DNS records. If you require more records, split your services across multiple zones or use a different DNS provider.
  • Domain is already in use as a CertaDNS public zone: You cannot import a zone that is already available as a public zone on the CertaDNS platform.

4. Prerequisites

  • An active CertaDNS account on the Plus, Pro, or Elite plan. Free plan users must upgrade before importing zones.
  • A registered domain name at a registrar where you have the ability to modify nameserver settings.
  • Access to your current DNS provider's control panel to create TXT records during the verification step.
  • The domain must not already be imported by another CertaDNS user or exist as a CertaDNS public zone.

5. How It Works (Brief)

When you submit a zone for import, CertaDNS generates a unique verification token. You create a TXT record at your current DNS provider with the name _certadns-verify.{zone} and the value certadns-verify={token}. After creating the record, you trigger verification through the dashboard. CertaDNS queries the TXT record to confirm ownership. Once verified, the system creates the zone in the database and in PowerDNS as a Master zone with default SOA and NS records.

After verification succeeds, you update your domain's nameservers at your registrar to point to ns1.certadns.com and ns2.certadns.com. Nameserver changes typically propagate within 24-48 hours but can take up to 72 hours depending on registrar processing times and TTL values on existing NS records. You can check delegation status using the Check Delegation tool in the dashboard.

Verification attempts are rate limited to 1 attempt per minute with a maximum of 10 total attempts per zone. If the maximum attempt limit is reached, the zone must be deleted and re-imported to generate a new verification token.

6. How to Use It

Importing a zone

  1. Navigate to Dashboard > DNS Zones.
  2. If this is your first time using Managed DNS Zones, the onboarding screen appears explaining the feature. Click Get Started to dismiss it.
  3. Click Import Zone in the top right. (This button is disabled if you have reached your plan's zone limit.)
  4. In the Import Zone section, click Show Prerequisites to expand the checklist if you need to review requirements.
  5. Enter your domain name in the Zone Name field. Do not include a trailing dot. The system automatically normalizes the input to lowercase and trims whitespace.
  6. Click Import Zone.
  7. The zone appears in the zone list with a yellow "Pending" verification badge.

Verifying ownership

  1. After importing the zone, the verification instructions appear below the zone in the list. Note the TXT record name (_certadns-verify.{zone}) and value (certadns-verify={token}).
  2. Log in to your current DNS provider's control panel.
  3. Create a new TXT record:
    • Name/Host: _certadns-verify (or _certadns-verify.example.com if your provider requires the full FQDN)
    • Type: TXT
    • Value: The full certadns-verify={token} string provided in the dashboard
    • TTL: Default or lowest available (typically 300-3600 seconds)
  4. Save the record and wait for propagation. Most DNS providers propagate changes within 5-15 minutes.
  5. Return to the CertaDNS dashboard and click Verify Ownership for the zone.
  6. If verification succeeds, the badge changes to green "Verified" and the verification instructions disappear. If it fails, an error message explains why.
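
A pre-check to run before step 5, so that a malformed record does not use up one of the 10 verification attempts. This is an added example, not CertaDNS code: it classifies the output of `dig +short TXT _certadns-verify.{zone}` against the dashboard string, assuming the comparison is exact. The function names, the token and the sample outputs are constructed.

```python
import shlex

PREFIX = "certadns-verify="  # value format shown in the dashboard


def record_name(zone):
    """TXT owner name for a zone: trimmed, lowercased, trailing dot removed."""
    zone = zone.strip().lower()
    return "_certadns-verify." + (zone[:-1] if zone.endswith(".") else zone)


def parse_dig_txt(output):
    """Parse `dig +short TXT <name>` output into one string per TXT record.

    dig prints each record on its own line as one or more quoted
    character-strings (each at most 255 bytes); the pieces of one record
    join with no separator.
    """
    values = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        try:
            values.append("".join(shlex.split(line)))
        except ValueError:
            values.append(line)  # unbalanced quotes: keep the raw text
    return values


def precheck(token, dig_output):
    """Return (status, hint); status is 'ok', 'not_found' or 'mismatch'."""
    expected = PREFIX + token
    values = parse_dig_txt(dig_output)
    if not values:
        return "not_found", "no TXT record visible yet; check the record name"
    if expected in values:
        return "ok", "record matches the dashboard string"
    for value in values:
        trimmed = value.strip()
        if trimmed == expected:
            return "mismatch", "leading or trailing whitespace in the value"
        if trimmed.strip("\"'") == expected:
            return "mismatch", "literal quote characters stored in the value"
        if trimmed == token:
            return "mismatch", "missing the certadns-verify= prefix"
        if trimmed.lower() == expected.lower():
            return "mismatch", "letter case of the value was changed"
    return "mismatch", "value differs from the dashboard string; copy it again"


# Constructed samples of `dig +short TXT _certadns-verify.example.com` output.
TOKEN = "3f9c0a7e5b1d"  # constructed token, not a real one
SAMPLES = {
    "exact": '"certadns-verify=3f9c0a7e5b1d"\n',
    "split": '"certadns-verify=3f9c" "0a7e5b1d"\n',
    "quoted": '"\\"certadns-verify=3f9c0a7e5b1d\\""\n',
    "spaced": '"certadns-verify=3f9c0a7e5b1d "\n',
    "bare": '"3f9c0a7e5b1d"\n',
    "empty": "",
}

if __name__ == "__main__":
    for label, out in SAMPLES.items():
        print(label, precheck(TOKEN, out))
```

The `not_found` and `mismatch` statuses correspond to the "TXT record not found" and "TXT record value mismatch" errors described in section 10.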

Delegating nameservers

  1. After successful verification, the zone card displays nameserver delegation instructions.
  2. Log in to your domain registrar's control panel.
  3. Locate the nameserver settings for your domain. This is often under "DNS Management", "Nameservers", or "Domain Settings".
  4. Change the nameservers to:
    • ns1.certadns.com
    • ns2.certadns.com
  5. Remove any existing nameservers. Most registrars require at least two nameservers.
  6. Save the changes at your registrar.
  7. Nameserver updates typically take 24-48 hours to propagate globally. You can check delegation status using the Check Delegation button on the zone card.

Checking delegation status

  1. On a verified zone's card, click Check Delegation.
  2. The system queries the current nameservers for your domain and displays them in a modal.
  3. If the nameservers match ns1.certadns.com and ns2.certadns.com, delegation is complete and a success message appears.
  4. If delegation is incomplete, the modal shows which nameservers are currently active and reminds you to update them at your registrar.

Managing DNS records on a zone

  1. On a verified zone's card, click Manage DNS Records.
  2. The DNS Record Manager opens, showing all existing records except A and AAAA records (which are managed through the Dynamic DNS feature).
  3. To add a record:
    • Enter the Name. Use @ for the zone root, * for a wildcard, or any subdomain (e.g., mail, _dmarc, subdomain.example).
    • Select the Type: MX, TXT, CNAME, or NS.
    • Enter the Content. For MX records, also enter a Priority.
    • Optionally set a TTL in seconds. Default is 3600.
    • Click Add Record.
  4. To delete a record, click the trash icon next to the record in the list and confirm.
  5. Records are created immediately in PowerDNS and propagate according to the TTL of the zone's SOA record.

Deleting a zone

  1. On the zone card, click the trash icon in the top right corner.
  2. If the zone contains any Dynamic DNS domains or DNS records, an error dialog appears listing the count and preventing deletion.
  3. Delete all domains and records associated with the zone first.
  4. Once the zone is empty, click the trash icon again and confirm deletion.
  5. The zone is removed from the database and PowerDNS. This action is permanent.

7. Inputs and Settings

| Field | Description | Constraints |
|---|---|---|
| Zone Name | The domain name to import. Automatically converted to lowercase, trimmed, and trailing dot removed. | Minimum 3 characters. Must contain at least one dot. Only lowercase alphanumeric, dots, and hyphens. Regex: ^[a-z0-9.-]+$. Maximum 253 characters. |
| Record Name | The hostname for the DNS record. @ represents the zone root. * creates a wildcard. Multi-level subdomains are supported. | Maximum 63 characters per label. Full FQDN (name + zone) maximum 253 characters. Cannot create CNAME at a name that has other record types. |
| Record Type | The DNS record type. Supported: MX, TXT, CNAME, NS. A and AAAA are managed via Dynamic DNS. | Type cannot be changed after creation. Delete and recreate to change type. |
| Record Content | The value of the DNS record. Format depends on record type (e.g., mail server for MX, arbitrary text for TXT, target hostname for CNAME). | Maximum length varies by type. CNAME and NS must be valid hostnames. MX and CNAME targets must end with a dot or be relative to the zone. |
| Priority | MX record priority. Lower values have higher priority. | Required for MX records. Integer 0-65535. Default 10. |
| TTL | Time to Live in seconds. Controls how long resolvers cache the record. | Positive integer. Default 3600. Minimum typically 60, maximum 86400 (24 hours) recommended. |

Zone validation rules

Zones submitted for import are validated against the following rules:

  • Converted to lowercase automatically
  • Leading and trailing whitespace removed
  • Trailing dot removed if present
  • Must be at least 3 characters long
  • Must contain at least one dot (e.g., example.com, not localhost)
  • Only lowercase letters, digits, dots, and hyphens allowed
  • Cannot start or end with a dot or hyphen
  • Cannot import a zone that exists as a public CertaDNS zone
  • Cannot import a zone already owned by another user

8. Outputs and Results

Zone card display

Each imported zone is displayed as a card showing:

| Element | Description |
|---|---|
| Zone Name | The domain name in large, prominent text. |
| Verification Badge | Green "Verified" or yellow "Pending". Pending zones show verification instructions. |
| Record Count | Total number of DNS records (including DDNS domains). Format: "N records" or "N / 500 records" when approaching limit. |
| Manage DNS Records Link | Opens the DNS Record Manager. Only visible on verified zones. |
| Verification Instructions | TXT record details and Verify Ownership button. Only visible on pending zones. |
| Delegation Instructions | Nameserver details and Check Delegation button. Only visible on verified zones. |
| Delete Button | Trash icon in top right. Disabled if zone has domains or records. |

Verification attempt tracking

Each verification attempt is tracked and counted. The zone card displays remaining attempts:

  • Initial state: 10 attempts available
  • After each failed verification: counter decrements
  • Rate limit: minimum 60 seconds between attempts
  • At 0 attempts: verification is locked and the zone must be deleted and re-imported

API responses

The zone list endpoint returns:

{
  "zones": [
    {
      "id": 123,
      "zone": "example.com",
      "verified": true,
      "verification_token": null,
      "created_at": "2026-01-15T10:30:00Z",
      "verified_at": "2026-01-15T10:45:00Z",
      "record_count": 12
    }
  ],
  "max_zones": 5,
  "effective_plan": "pro"
}

The delegation check endpoint returns:

{
  "zone": "example.com",
  "current_nameservers": ["ns1.certadns.com.", "ns2.certadns.com."],
  "is_delegated": true,
  "required_nameservers": ["ns1.certadns.com.", "ns2.certadns.com."]
}

9. How to Interpret Results

Normal

  • Zone shows green "Verified" badge. The zone was successfully verified and created in PowerDNS.
  • Delegation check returns is_delegated: true and both required nameservers appear in current_nameservers. The zone is fully active and authoritative.
  • Record count is displayed and below 500. The zone has available capacity for additional records.
  • DNS Record Manager shows all non-DDNS records. A and AAAA records do not appear because they are managed through the Dynamic DNS feature.

Unexpected or worth investigating

  • Verification fails repeatedly: Check that the TXT record was created with the exact name and value shown in the dashboard. Ensure there are no extra spaces, quotes, or formatting characters. Use a DNS lookup tool (e.g., dig TXT _certadns-verify.example.com) to confirm the record is visible externally.
  • Delegation check shows old nameservers: Nameserver changes can take 24-48 hours to propagate. If more than 72 hours have passed, verify the changes were saved correctly at your registrar and check if there is a registrar lock preventing nameserver updates.
  • Delegation check shows only one nameserver: Both ns1.certadns.com and ns2.certadns.com must be configured. Some registrars require exactly two nameservers. Remove any third-party nameservers and ensure only the CertaDNS nameservers remain.
  • Zone appears verified but delegation check fails: Verification and delegation are separate steps. Verification confirms you own the domain. Delegation makes CertaDNS the authoritative DNS provider. Both must be completed for the zone to be fully functional.
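
The delegation states described above, derived from the two nameserver lists in a delegation check response. This is an added example, not CertaDNS code: the state names, function names and sample responses are constructed, and only `zone`, `current_nameservers` and `required_nameservers` are read. It separates a "mixed" set from a "partial" one because, while a third-party nameserver remains listed, resolvers may still send queries to the old provider.

```python
import json


def normalize(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.strip().lower().rstrip(".")


def classify_delegation(response_json):
    """Classify a delegation check response by comparing the two NS sets."""
    data = json.loads(response_json)
    required = {normalize(n) for n in data["required_nameservers"]}
    current = {normalize(n) for n in data.get("current_nameservers") or []}
    missing = sorted(required - current)  # required servers not yet listed
    foreign = sorted(current - required)  # servers outside the required set
    if not current:
        state = "no_nameservers"
    elif not missing and not foreign:
        state = "delegated"
    elif foreign and current & required:
        state = "mixed"          # old and new providers are both listed
    elif foreign:
        state = "not_delegated"  # registrar still points elsewhere
    else:
        state = "partial"        # only one of the two required servers
    return {"zone": data["zone"], "state": state,
            "missing": missing, "foreign": foreign}


def sample(current):
    """Build a constructed response in the shape shown in section 8."""
    return json.dumps({
        "zone": "example.com",
        "current_nameservers": current,
        "required_nameservers": ["ns1.certadns.com.", "ns2.certadns.com."],
    })


# Constructed responses; old-provider.example is a placeholder name.
DELEGATION_SAMPLES = {
    "complete": sample(["NS1.CertaDNS.com.", "ns2.certadns.com."]),
    "partial": sample(["ns1.certadns.com."]),
    "mixed": sample(["ns1.certadns.com.", "ns2.certadns.com.",
                     "ns1.old-provider.example."]),
    "old": sample(["ns1.old-provider.example.", "ns2.old-provider.example."]),
    "none": sample([]),
}

if __name__ == "__main__":
    for label, body in DELEGATION_SAMPLES.items():
        print(label, classify_delegation(body))
```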

Common interpretation mistakes

  • Expecting instant nameserver propagation: Nameserver changes are cached by DNS resolvers according to the TTL of the NS records at your previous DNS provider. Propagation typically takes 24-48 hours but can extend to 72 hours.
  • Confusing verification with delegation: Verification proves you own the domain by checking a TXT record. Delegation transfers DNS authority to CertaDNS by changing nameservers at the registrar. Both steps are required.
  • Not understanding record count limits: The 500 record limit includes all record types and all Dynamic DNS domains created under the zone. Each DDNS domain counts as one record toward the limit.

10. Common Issues and Explanations

"Zone import requires Plus, Pro or Elite subscription" error

Zone import is unavailable on the Free plan. Upgrade to Plus (2 zones), Pro (5 zones), or Elite (15 zones) to use this feature.

"You have reached your maximum of N imported zones" error

You have imported the maximum number of zones for your plan. Delete unused zones or upgrade to a higher tier. Limits: Plus=2, Pro=5, Elite=15.

"This zone is already available as a public zone" error

The domain you are trying to import is already offered as a public zone on the CertaDNS platform (e.g., certadns.com, ddns.example). You cannot import public zones. Use a different domain you own.

"This zone is already registered by another user" error

Another CertaDNS user has already imported and verified this domain. Each zone can only be imported once across the entire platform. If you believe you are the legitimate owner, contact support.

Verification fails with "TXT record not found"

The verification system could not locate the TXT record at _certadns-verify.{zone}. Ensure the record was created with the correct name. Some DNS providers require the full FQDN (e.g., _certadns-verify.example.com) instead of just the subdomain (_certadns-verify). Wait 5-15 minutes after creating the record to allow for propagation.

Verification fails with "TXT record value mismatch"

The TXT record exists but the value does not match the expected token. Copy the full certadns-verify={token} string from the dashboard and paste it exactly into the TXT record value field. Do not add quotes, spaces, or modify the token.

"Please wait N seconds before retrying" error on verification

Verification attempts are rate limited to 1 per minute. Wait the indicated number of seconds before clicking Verify Ownership again. This prevents abuse and ensures DNS propagation has time to complete between attempts.

"Maximum verification attempts exceeded" error

You have used all 10 verification attempts for this zone. The zone must be deleted and re-imported to generate a new verification token. Before re-importing, confirm the TXT record is correctly configured to avoid exceeding the limit again.

Cannot delete zone: "This zone has N active domains"

Zones with Dynamic DNS domains cannot be deleted. Navigate to the Domains page, filter by the zone name, and delete all domains under this zone first. Then return to the DNS Zones page and delete the zone.

Cannot delete zone: "This zone has N DNS records"

Zones with DNS records cannot be deleted. Click Manage DNS Records on the zone card and delete all records. The record count must reach 0 before the zone can be deleted.

Cannot create CNAME: "CNAME conflicts with existing record"

A CNAME record cannot coexist with other record types at the same name. If you have an MX, TXT, or NS record at mail.example.com, you cannot create a CNAME at mail.example.com. Delete the conflicting records or choose a different name for the CNAME.

Record count approaching 500 limit

Each zone supports a maximum of 500 DNS records including DDNS domains. When the count exceeds approximately 480, a warning appears. Delete unused domains or records to free capacity. If you require more than 500 records, consider splitting services across multiple zones or using a different DNS provider for high-volume zones.

11. Limits and Constraints

| Constraint | Free | Plus | Pro | Elite |
|---|---|---|---|---|
| Maximum imported zones | 0 | 2 | 5 | 15 |
| Records per zone | N/A | 500 | 500 | 500 |
| Supported record types | N/A | MX, TXT, CNAME, NS | MX, TXT, CNAME, NS | MX, TXT, CNAME, NS |
| Verification attempts | N/A | 10 | 10 | 10 |
| Verification rate limit | N/A | 1 per minute | 1 per minute | 1 per minute |

Zone-level constraints

  • Zone name minimum length: 3 characters
  • Zone name maximum length: 253 characters
  • Zone name must contain at least one dot
  • Zone name character set: lowercase alphanumeric, dots, hyphens only
  • Cannot import a zone that is already a public CertaDNS zone
  • Cannot import a zone owned by another user

Record-level constraints

  • Record name maximum length: 63 characters per label
  • Full FQDN (name + zone) maximum length: 253 characters
  • CNAME records cannot coexist with other record types at the same name
  • A and AAAA records are managed exclusively through Dynamic DNS and do not appear in the DNS Record Manager
  • Default TTL: 3600 seconds (configurable per record)
  • TTL recommended range: 60 seconds minimum, 86400 seconds (24 hours) maximum
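
The zone-level and record-level constraints above, together with the zone validation rules in section 7, written as a client-side pre-flight check. This is an added example, not CertaDNS's validator: the function names and sample records are constructed, and `strict_labels` is an extra check that is not among the documented rules, included because the listed rules taken literally accept a name with an empty label such as `a..example.com`.

```python
import re

ZONE_CHARS = re.compile(r"[a-z0-9.-]+")      # character class from the page
RECORD_TYPES = {"MX", "TXT", "CNAME", "NS"}  # A/AAAA belong to Dynamic DNS


def normalize_zone(raw):
    """Trim whitespace, lowercase, and drop one trailing dot."""
    zone = raw.strip().lower()
    return zone[:-1] if zone.endswith(".") else zone


def validate_zone(raw, strict_labels=False):
    """Return (normalized zone, violations) for the documented zone rules."""
    zone = normalize_zone(raw)
    errors = []
    if len(zone) < 3:
        errors.append("shorter than 3 characters")
    if len(zone) > 253:
        errors.append("longer than 253 characters")
    if "." not in zone:
        errors.append("must contain at least one dot")
    if not ZONE_CHARS.fullmatch(zone):
        errors.append("characters outside a-z, 0-9, dot, hyphen")
    if zone.startswith((".", "-")) or zone.endswith((".", "-")):
        errors.append("starts or ends with a dot or hyphen")
    if strict_labels:  # extra check, not listed on the page
        for label in zone.split("."):
            if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
                errors.append("bad label %r" % label)
    return zone, errors


def fqdn(zone, name):
    """Expand a record name: @ is the zone root, anything else is relative."""
    return zone if name == "@" else name.lower() + "." + zone


def validate_record(zone, name, rtype, existing, priority=10, ttl=3600):
    """Check one new record; existing is a list of (name, type) in the zone."""
    errors = []
    full = fqdn(zone, name)
    if rtype not in RECORD_TYPES:
        errors.append("unsupported type " + rtype)
    if any(len(label) > 63 for label in full.split(".")):
        errors.append("label longer than 63 characters")
    if len(full) > 253:
        errors.append("FQDN longer than 253 characters")
    types_here = {t for n, t in existing if fqdn(zone, n) == full}
    cname_clash = (rtype == "CNAME" and types_here - {"CNAME"}) or (
        rtype != "CNAME" and "CNAME" in types_here)
    if cname_clash:
        errors.append("CNAME conflicts with existing record")
    if rtype == "MX" and not 0 <= priority <= 65535:
        errors.append("MX priority outside 0-65535")
    if ttl <= 0:
        errors.append("TTL must be a positive integer")
    return errors


# Constructed zone contents; ("home", "A") stands for a Dynamic DNS domain,
# assumed here to be included when listing what already exists at a name.
EXISTING = [("mail", "MX"), ("@", "TXT"), ("www", "CNAME"), ("home", "A")]

if __name__ == "__main__":
    print(validate_zone("  Example.COM. "))
    print(validate_zone("a..example.com", strict_labels=True))
    print(validate_record("example.com", "mail", "CNAME", EXISTING))
```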

PowerDNS zone configuration

Zones are created in PowerDNS with the following default settings:

  • Zone Kind: Master
  • Account: user-{user_id}
  • Default SOA record: ns1.certadns.com. admin.certadns.com. {SERIAL} 10800 3600 604800 86400
  • Default NS records: ns1.certadns.com. and ns2.certadns.com. with TTL 86400
  • SOA serial format: Unix timestamp

12. Related Features

  • Dynamic DNS Domains — Create DDNS subdomains under your imported zones to use your own branded domain for dynamic IP updates.
  • DNS Record Management — Manage MX, TXT, CNAME, and NS records on your imported zones through the unified record manager.
  • Vanity Nameservers — Use custom nameserver hostnames (e.g., ns1.yourdomain.com) instead of ns1.certadns.com. Elite plan only.
  • SSL Certificates — Issue free Let's Encrypt SSL certificates for domains and subdomains under your imported zones.
  • Email Authentication — Configure SPF, DKIM, and DMARC records on your zones to authenticate outbound email and prevent spoofing.
  • DNS Analytics — View query volume, geographic distribution, and traffic patterns for your imported zones.

13. Registrar-Specific Instructions

Below are step-by-step nameserver delegation guides for common registrars. After verification succeeds, follow the instructions for your registrar to complete delegation.

Namecheap

  1. Log in to your Namecheap account at namecheap.com.
  2. Navigate to Domain List in the left sidebar.
  3. Click Manage next to the domain you verified.
  4. Scroll to the Nameservers section.
  5. Select Custom DNS from the dropdown.
  6. Enter ns1.certadns.com in the first nameserver field.
  7. Enter ns2.certadns.com in the second nameserver field.
  8. Remove any additional nameserver fields by clicking the trash icon.
  9. Click the green checkmark to save. Changes propagate in 24-48 hours.

GoDaddy

  1. Log in to your GoDaddy account at godaddy.com.
  2. Click your profile icon and select My Products.
  3. Scroll to Domains and click DNS next to your domain.
  4. Scroll to the Nameservers section and click Change.
  5. Select I'll use my own nameservers.
  6. Remove all existing nameservers by clicking the trash icon next to each.
  7. Click Add Nameserver and enter ns1.certadns.com.
  8. Click Add Nameserver again and enter ns2.certadns.com.
  9. Click Save.
  10. Confirm the change in the dialog. Propagation takes 24-48 hours.

Cloudflare

  1. Log in to your Cloudflare account at cloudflare.com.
  2. Select the domain from your account overview.
  3. Navigate to DNS in the left sidebar.
  4. Scroll to the Cloudflare Nameservers section at the bottom of the page.
  5. Click Change or Custom Nameservers (available on Business and Enterprise plans only).
  6. If you are on a Free or Pro plan, you must remove the domain from Cloudflare and re-add it at your registrar with CertaDNS nameservers. Cloudflare does not support custom nameservers on lower-tier plans.
  7. For Business/Enterprise: Enter ns1.certadns.com and ns2.certadns.com as custom nameservers.
  8. Click Save.
  9. Warning: Changing nameservers disables Cloudflare's proxy and caching features. Your domain will resolve directly through CertaDNS without Cloudflare's CDN.

Cloudflare Proxy Warning: When you delegate nameservers to CertaDNS, Cloudflare's orange-cloud proxy feature is disabled. Traffic will not pass through Cloudflare's CDN or DDoS protection. If you require Cloudflare's proxy, consider using a CNAME setup instead of full nameserver delegation.

Google Domains (now Squarespace Domains)

  1. Log in to your Squarespace account at domains.squarespace.com (formerly Google Domains).
  2. Click on the domain you verified.
  3. Navigate to DNS in the left sidebar.
  4. Scroll to Name servers and click Change.
  5. Select Use custom name servers.
  6. Enter ns1.certadns.com in the first field.
  7. Enter ns2.certadns.com in the second field.
  8. Click Save. Propagation takes 24-48 hours.

Generic registrar (for registrars not listed above)

  1. Log in to your domain registrar's control panel.
  2. Locate the domain management or DNS settings section. Common labels: "Domain Settings", "DNS Management", "Nameservers", "Name Server Settings".
  3. Find the nameserver configuration area. This may be labeled "Nameservers", "Custom Nameservers", or "DNS Settings".
  4. Select the option to use custom or third-party nameservers (as opposed to the registrar's default nameservers).
  5. Remove all existing nameservers.
  6. Add ns1.certadns.com as the first nameserver.
  7. Add ns2.certadns.com as the second nameserver.
  8. Ensure no other nameservers are listed. Most registrars require exactly two nameservers.
  9. Save the changes. The registrar may display a confirmation message or send a confirmation email.
  10. Wait 24-48 hours for global propagation. Use the Check Delegation tool in the CertaDNS dashboard to verify completion.

Propagation Time: Nameserver changes are cached by DNS resolvers worldwide according to the TTL of your old NS records. While most changes propagate within 24 hours, some resolvers may cache old nameservers for up to 48-72 hours. You can verify delegation at any time using the Check Delegation tool on your zone card.
