How can I verify domain ownership before modifying DNS records with the API (or is this unnecessary?)

November 24, 2013 2.4k views
Sorry if this question is naive. I am building a virtual hosting control panel and using the Digital Ocean DNS API to allow customers to associate their domains with their host machine's IPs. Basically there will be a form where people can enter a domain name next to their host IP and press a button "create DNS record". What I can't figure out is how to verify that the new customer actually owns the domain if I already have an A record for that domain that was created by a previous customer. Or will the A record automatically go away if the domain expires or is transferred? I guess what I am trying to figure out is, it seems that sometimes a new customer may come along and need me to change the A record to point to his server, so I will need to delete/modify existing records. But how do I know he isn't just some guy trying to steal the domain? Again, sorry if there is something basic I am missing here. Thanks for your help. I am going to include the whole support exchange just for clarity and so I don't cover the same ground again and so my statements will make sense. >Hello! I'm sorry, but i can think of no easy way to programmatically verify that a person owns the domain. However, if it helps - our system will not let you use a domain that is already in use. Regards, Will Hello Will, I appreciate your help. So when you say it will not let you use a domain that is already in use, do you mean that I can't delete a DNS record with the API and then create a new one? The scenario is this: Customer A registers "". He goes into my control panel and enters "" into my form next to his IP and clicks "Create DNS record". My script uses the DNS API to create the A record that associates with his VM's IP address. Customer A then enters into his registrar's panel. A year later Customer B goes into his control panel, enters next to his VMs IP on the data entry form and clicks "Create DNS record". Am I correct in assuming that if Customer B now owns the domain, then the A record I previously created for Customer A will still exist (unless it was explicitly deleted)? And since Customer B now owns the domain, I need to use the API to delete the existing A record and create a new one pointing to Customer B's IP address? But if Customer B doesn't own the domain, and is just trying to take advantage of my control panel, then I must not delete the existing A record and replace it. So it seems, if I understand correctly (which quite possibly I do not), that I must have a way to verify that Customer B now owns the domain rather than Customer A. If this is so, how can I verify that? Thanks very much for your help. Reply: As i mentioned, there is no way that i can think of to programmatically verify domain ownership. The *only* mechanism that exists on our end is that if a domain is in use by a digital ocean account, it cannot be used by another digitalocean account. However, even that does not verify "ownership". Perhaps the community could offer you some suggestions via our forums: Regards, Will So am I to infer that I do indeed need to be concerned with verification of domain ownership before changing DNS records, and I should come up with a way to do it that is not automated? The reason I keep going back and forth is because I am not sure if there is really anything to be concerned about, but if there is, I don't know how to resolve it. Thanks for anyone that can help clarify this for me.
4 Answers
How can you create a DNS record for your customers if they have not pointed their domain to your or DigitalOcean's nameservers? If the customer is able to change their domain's nameservers, is that not verification enough that s/he owns (or, at a minimum, controls) that particular domain?
I am worried about the situation where the domain is _already_ pointed to Digital Ocean's nameservers and a customer who doesn't actually own the domain is using my control panel to attempt to create a DNS record pointing to his VPS's IP address. I don't think I can simply reject all of those types of attempts because it may be the case that the previous customer simply didn't delete his DNS record even though he no longer owns the domain. On the other hand I can't just accept any request to create a DNS record because then a customer could steal a domain from someone else.
The best way would be to email the WHOIS email address (e.g.'s registrant's email address is with a confirmation link and then create the DNS record. This way you can make sure it really is the domain's real owner.
Wow that sounds like an actual solution Kamal. Thanks!
Have another answer? Share your knowledge.