How can I verify domain ownership before modifying DNS records with the API (or is this unnecessary?)

  • Posted on November 24, 2013
  • Asked by ithkuil

Sorry if this question is naive. I am building a virtual hosting control panel and using the Digital Ocean DNS API to allow customers to associate their domains with their host machine’s IPs. Basically there will be a form where people can enter a domain name next to their host IP and press a button “create DNS record”.

What I can’t figure out is how to verify that the new customer actually owns the domain if I already have an A record for that domain that was created by a previous customer. Or will the A record automatically go away if the domain expires or is transferred?

I guess what I am trying to figure out is, it seems that sometimes a new customer may come along and need me to change the A record to point to his server, so I will need to delete/modify existing records. But how do I know he isn’t just some guy trying to steal the domain?

Again, sorry if there is something basic I am missing here. Thanks for your help.

I am going to include the whole support exchange just for clarity and so I don’t cover the same ground again and so my statements will make sense.


I’m sorry, but I can think of no easy way to programmatically verify that a person owns the domain.

However, if it helps - our system will not let you use a domain that is already in use.

Regards, Will

Hello Will, I appreciate your help. So when you say it will not let you use a domain that is already in use, do you mean that I can’t delete a DNS record with the API and then create a new one?

The scenario is this: Customer A registers “”. He goes into my control panel and enters “” into my form next to his IP and clicks “Create DNS record”. My script uses the DNS API to create the A record that associates with his VM’s IP address. Customer A then enters into his registrar’s panel.

A year later Customer B goes into his control panel, enters next to his VM’s IP on the data entry form and clicks “Create DNS record”. Am I correct in assuming that if Customer B now owns the domain, then the A record I previously created for Customer A will still exist (unless it was explicitly deleted)? And since Customer B now owns the domain, I need to use the API to delete the existing A record and create a new one pointing to Customer B’s IP address?

But if Customer B doesn’t own the domain, and is just trying to take advantage of my control panel, then I must not delete the existing A record and replace it. So it seems, if I understand correctly (which quite possibly I do not), that I must have a way to verify that Customer B now owns the domain rather than Customer A. If this is so, how can I verify that?

Thanks very much for your help.


As I mentioned, there is no way that I can think of to programmatically verify domain ownership.

The only mechanism that exists on our end is that if a domain is in use by a DigitalOcean account, it cannot be used by another DigitalOcean account. However, even that does not verify “ownership”.

Perhaps the community could offer you some suggestions via our forums:

Regards, Will

So am I to infer that I do indeed need to be concerned with verification of domain ownership before changing DNS records, and I should come up with a way to do it that is not automated? The reason I keep going back and forth is because I am not sure if there is really anything to be concerned about, but if there is, I don’t know how to resolve it.

Thanks for anyone that can help clarify this for me.


Wow that sounds like an actual solution Kamal. Thanks!

The best way would be to email the WHOIS email address (e.g.’s registrant’s email address is) with a confirmation link and *then* create the DNS record. This way you can make sure it really is the domain’s real owner.
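The confirmation-link check suggested in the answer above, as an added example that is not part of the original thread: the control panel mails a signed, expiring token to the registrant address and replaces an existing A record only after that token comes back for the same account and domain. The function names, `SECRET_KEY`, `TOKEN_TTL` and the `example.com` values are assumptions; looking up the registrant address and sending the mail are left out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key (constructed here; load it from protected config in practice).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # link lifetime in seconds (assumed value)


def normalize(domain):
    """Canonical form so 'Example.COM.' and 'example.com' bind to the same token."""
    return domain.strip().rstrip(".").lower()


def _sign(account_id, domain, expires):
    # JSON list encoding keeps the three fields unambiguous inside the MAC input.
    payload = json.dumps([account_id, normalize(domain), expires]).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(account_id, domain, now=None):
    """Token to embed in the confirmation link mailed to the registrant address."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL)
    return f"{expires}.{_sign(account_id, domain, expires)}"


def verify_token(token, account_id, domain, now=None):
    """True only for an unexpired token issued for this exact account and domain."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    if current > expires:
        return False  # link expired; the customer must request a new one
    expected = _sign(account_id, domain, expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Call `verify_token` in the handler for the confirmation link and only then delete or replace the existing record through the DNS API; a token issued to Customer B for one domain is rejected for any other account or domain.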