DynIP – Dynamic DNS with RFC 2136, IPv6, DNSSEC, and BYOD

DynIP is a modern Dynamic DNS service featuring 60-second propagation, RFC 2136 TSIG support, native IPv6, and default DNSSEC, tailored for homelabs and infrastructure teams.
60-second updates. Generous free tier. RFC 2136 TSIG. Bring your own domain. DNSSEC. For homelabs, edge routers, and infrastructure teams.
Most DDNS providers cache for 30 minutes. DynIP propagates in under a minute end-to-end. Your router sends an update, your hostname resolves correctly worldwide within ~60 seconds.
60s TTL · NOTIFY-driven · Multi-region nameservers
RFC 2136 TSIG means your FortiGate, MikroTik, OPNsense, OpenWRT, or any router that speaks DNS UPDATE works out of the box. No proprietary clients. No vendor lock-in.
RFC 2136 TSIG · REST API · UDP/53 native
Modern ISPs increasingly give you native IPv6 alongside CGNATed IPv4. DynIP supports both: update A and AAAA records side-by-side, run IPv6-only zones, or both. Built for the network you have today and the network you'll have tomorrow.
AAAA records · Dual-stack · IPv6-only support · DNSSEC by default
Set New Password
Password Recovery
Two-Factor Authentication
Access Control
{{ snippetData.domain }}
{{ snippetData.key }}
{{ generatedSnippet }}
â {{ subscription.locked_zones_count }} zone(s) locked
Your plan was downgraded. The oldest {{ subscription.max_domains }} zone(s) stay active; the rest are locked and can't receive IP updates. Subscribe again or delete excess zones to unlock.
Issuing a Let's Encrypt certificate for
{{ dnssecPrompt.zone }}
requires DNSSEC to be active on this zone.
We'll automatically:
{{ dnssecPrompt.parentZone }}
)This is a one-time setup. Your zone stays signed afterward, which is recommended anyway.
Estimated time: 30 seconds.
Enabling DNSSEC{{ dnssecPrompt.parentZone ? ' and publishing DS in ' + dnssecPrompt.parentZone : '' }}...
1. Create a Zone: Type your device name, select your preferred base domain, and click Create Zone.
2. Get the Config: Click the Snippets button next to your new domain.
3. Deploy: Select your device type and copy the generated configuration block directly into your router's CLI.
Note: IPv4 and IPv6 (Dual-Stack) are detected and updated automatically based on the incoming connection.
| Domain & Tools | Current IP | TSIG Secret | DNSSEC | SSL Cert | |---|---|---|---|---| | {{ zone.name }} â Locked | {{ zone.ip }} Sync: {{ formatSyncTime(zone.last_sync) }} | | Unavailable | | | No domains registered. Create one above to get started. |
Bring your own domain to DynIP. Once added, you can provision dynamic subdomains under your own namespace.
{{ dom.verifyStatus === 'success' ? 'Delegation Active:' : 'Required Registrar Action:' }}
{{ dom.verifyStatus === 'success' ? 'Your namespace is successfully secured and routing traffic to DynIP.' : 'To activate this namespace, create BOTH NS (Name Server) records at your domain registrar. Single-NS delegation will be rejected:' }}
Instantly update your selected zones to match this device's current external IP address.
Programmatically register new zones with your current session token. Send a POST
request to the /register
endpoint.
curl -X POST "{{ backendUrl }}/register?subdomain=my-new-router&base_domain={{ baseDomains[0] }}" \
-H "Authorization: Bearer {{ token }}"
Session tokens expire on logout â use an API token below for long-running automation.
API tokens are a Pro feature
Long-lived tokens for automation: monitoring scripts, CI pipelines, MSP integrations. Tokens don't expire when you log out.
Upgrade to Pro →Long-lived tokens for automation. Each token can be scoped read-only or full access, and revoked at any time.
| Name | Token | Scope | Last used | Expires | Action | |---|---|---|---|---|---| | {{ t.name }} | {{ t.token_prefix }} | {{ t.scope === 'read' ? 'Read-only' : 'Full' }} | {{ t.last_used_at ? formatPlanDate(t.last_used_at) : 'Never' }} | {{ t.expires_at ? formatPlanDate(t.expires_at) : 'Never' }} |
Tokens are shown once at creation â store them in a password manager or secrets vault.
{{ apiTokenModal.error }}
This token won't be shown again. Store it somewhere secure (1Password, Bitwarden, your CI's secrets manager).
{{ apiTokenModal.created.token }}
This overrides email 2FA.
Upgrade your account security by requiring a time-based code from Google Authenticator or another TOTP app when you sign in.
Open Google Authenticator, Authy, or your preferred 2FA app and scan this code.
Permanently delete your account, all DNS zones you have created, and any TLS certificates issued to them. This cannot be undone or reversed by support.
This action cannot be undone. Deletion will:
If you have an active paid subscription, please cancel it first via your account billing area.
Source: Hacker News

















