GoDaddy really lived up to its bad reputation and recently changed their API rules. The rules are simple: either you own 10 (or 50) domains, you pay $20/month, or you don’t get the API. I personally didn’t get any communication, and this broke my DDNS setup. I am clearly not the only one judging from what I found online. A company this big gating an API behind such a steep price… So I will repeat what many people said before me (being right): don’t. use. GoDaddy.

  • loudwhisper@infosec.pub
    cake
    OP
    link
    fedilink
    English
    arrow-up
    35
    ·
    4 months ago

    NameCheap

    WOW! I did not know that. I just checked and after a little search:

    We have certain requirements for activation to prevent system abuse. In order to have API enabled, your account should meet one of the following requirements:
    
    - have at least 20 domains under your account;
    - have at least $50 on your account balance;
    - have at least $50 spent within the last 2 years
    

    $50 in last 2 years is not much, but for those who renew for many years, it is still stupid.

    Ironically, Namecheap is what the people in https://github.com/navilg/godaddy-ddns/issues/32 migrated to!

    I really wish that domain registration was done in a different way, but even in current scenario, gutting features for such a basic service to extract a few bucks and risking losing customers…?

    • catloaf@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      ·
      4 months ago

      That can’t be right. I only had two domains (one now) and I’ve been using the API just fine. And basically any purchase will clear those dollar amounts.

      • loudwhisper@infosec.pub
        cake
        OP
        link
        fedilink
        English
        arrow-up
        8
        ·
        4 months ago

        I found it on their FAQ.

        Yes, it is generally less restrictive, but… I have 4 domains, and now I have renewed all of them for the maximum amount. They will all expire after 2033. So unless I decide to add more domains (which is unlikely), I won’t spend a cent in the next ~9 years. I wonder if they really enforce it as it is written or they consider still the renewal an expense “split” over the duration.

        Still, I really don’t understand. You can - and should - have proper rate limits on the API. You have API keys that uniquely identify the source, what is “the abuse” they are trying to prevent this way…?

        • loudwhisper@infosec.pub
          cake
          OP
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          That’s a very interesting gotcha. They don’t seem to support address ranges either. Unless once you add the whitelist the requests still work from any address (their documentation is ambiguous). This is even more confusing.

        • catloaf@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          Not sure. Personally I only use it for Let’s Encrypt DNS challenges.