NEW PROVIDER: UniFi Network DNS provider (#4013)

## Summary

Add support for managing static DNS records on UniFi Network controllers
via the v2 API (Network 8.2+).

## Features

- **Supported record types:** A, AAAA, CNAME, MX, TXT, SRV, NS
- **Local access:** Direct connection to UniFi controller with optional
TLS verification skip for self-signed certs
- **Cloud access:** Remote management via UniFi Cloud Connector
(`api.ui.com`) - requires UniFi OS 5.0.3+
- **Domain filtering:** Automatically filters records by domain suffix
since UniFi stores all records flat

## Configuration

### Local Access
```json
{
  "unifi": {
    "TYPE": "UNIFI",
    "host": "https://192.168.1.1",
    "api_key": "your-api-key",
    "site": "default",
    "skip_tls_verify": "true"
  }
}
```

### Cloud Access
```json
{
  "unifi_cloud": {
    "TYPE": "UNIFI",
    "console_id": "your-console-id",
    "api_key": "cloud-api-key",
    "site": "default"
  }
}
```

## Usage Example

```javascript
var DNS_UNIFI = NewDnsProvider("unifi");

D("home.internal", REG_NONE, DnsProvider(DNS_UNIFI),
    A("server", "10.0.0.10"),
    CNAME("www", "server.home.internal."),
    MX("@", 10, "mail.home.internal."),
END);
```

## Testing

Tested using the OLD API (`/v2/api/site/{site}/static-dns`) via:
- **Local access:** UDM Pro (Network 10.0.162)
- **Cloud access:** Remote console via `api.ui.com` (Network 10.1.78)

All CRUD operations verified working on both access methods.

## References

-
[external-dns-unifi-webhook](https://github.com/kashalls/external-dns-unifi-webhook)
- API reference
- [UniFi Network API docs](https://developer.ui.com/network/)

---------

Co-authored-by: Tom Limoncelli <6293917+tlimoncelli@users.noreply.github.com>

Author: zupolgec

.github/workflows/pr_integration_tests.yml

@@ -52,7 +52,7 @@ jobs:
         Write-Host "Integration test providers: $Providers"
         echo "integration_test_providers=$(ConvertTo-Json -InputObject $Providers -Compress)" >> $env:GITHUB_OUTPUT
       env:
-        PROVIDERS: "['ALIDNS', 'AXFRDDNS', 'AXFRDDNS_DNSSEC', 'AZURE_DNS','BIND','BUNNY_DNS','CLOUDFLAREAPI','CLOUDNS','CNR','DIGITALOCEAN','FORTIGATE','GANDI_V5','GCLOUD','GIDINET','HEDNS','HETZNER_V2','HUAWEICLOUD','INWX','JOKER','MIKROTIK','MYTHICBEASTS', 'NAMEDOTCOM','NS1','POWERDNS','ROUTE53','SAKURACLOUD','TRANSIP']"
+        PROVIDERS: "['ALIDNS', 'AXFRDDNS', 'AXFRDDNS_DNSSEC', 'AZURE_DNS','BIND','BUNNY_DNS','CLOUDFLAREAPI','CLOUDNS','CNR','DIGITALOCEAN','FORTIGATE','GANDI_V5','GCLOUD','GIDINET','HEDNS','HETZNER_V2','HUAWEICLOUD','INWX','JOKER','MIKROTIK','MYTHICBEASTS', 'NAMEDOTCOM','NS1','POWERDNS','ROUTE53','SAKURACLOUD','TRANSIP','UNIFI']"
         ENV_CONTEXT: ${{ toJson(env) }}
         VARS_CONTEXT: ${{ toJson(vars) }}
         SECRETS_CONTEXT: ${{ toJson(secrets) }}
@@ -100,6 +100,7 @@ jobs:
       ROUTE53_DOMAIN: ${{ vars.ROUTE53_DOMAIN }}
       SAKURACLOUD_DOMAIN: ${{ vars.SAKURACLOUD_DOMAIN }}
       TRANSIP_DOMAIN: ${{ vars.TRANSIP_DOMAIN }}
+      UNIFI_DOMAIN: ${{ vars.UNIFI_DOMAIN }}
 
       # PROVIDER SECRET LIST
       # The above providers have additional env variables they
@@ -197,6 +198,11 @@ jobs:
       #
       TRANSIP_ACCOUNT_NAME: ${{ secrets.TRANSIP_ACCOUNT_NAME }}
       TRANSIP_PRIVATE_KEY: ${{ secrets.TRANSIP_PRIVATE_KEY }}
+      #
+      UNIFI_API_KEY: ${{ secrets.UNIFI_API_KEY }}
+      UNIFI_HOST: ${{ secrets.UNIFI_HOST }}
+      UNIFI_SITE: ${{ secrets.UNIFI_SITE }}
+      UNIFI_SKIP_TLS_VERIFY: ${{ secrets.UNIFI_SKIP_TLS_VERIFY }}
 
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.provider }}

.goreleaser.yml

@@ -38,7 +38,7 @@ changelog:
       regexp: "(?i)^.*(major|new provider|feature)[(\\w)]*:+.*$"
       order: 1
     - title: 'Provider-specific changes:'
-      regexp: "(?i)((adguardhome|akamaiedgedns|alidns|autodns|axfrddns|azure_dns|azure_private_dns|bind|bunny_dns|cloudflare|cloudflareapi|cloudns|cnr|cscglobal|desec|digitalocean|dnscale|dnsimple|dnsmadeeasy|dnsoverhttps|domainnameshop|dynadot|easyname|exoscale|fortigate|gandi_v5|gcloud|gcore|gidinet|hedns|hetzner|hetzner_v2|hostingde|huaweicloud|infomaniak|internetbs|inwx|joker|linode|loopia|luadns|mikrotik|mythicbeasts|namecheap|namedotcom|netcup|netlify|ns1|opensrs|oracle|ovh|packetframe|porkbun|powerdns|realtimeregister|route53|rwth|sakuracloud|softlayer|transip|vercel|vultr).*:)+.*"
+      regexp: "(?i)((adguardhome|akamaiedgedns|alidns|autodns|axfrddns|azure_dns|azure_private_dns|bind|bunny_dns|cloudflare|cloudflareapi|cloudns|cnr|cscglobal|desec|digitalocean|dnscale|dnsimple|dnsmadeeasy|dnsoverhttps|domainnameshop|dynadot|easyname|exoscale|fortigate|gandi_v5|gcloud|gcore|gidinet|hedns|hetzner|hetzner_v2|hostingde|huaweicloud|infomaniak|internetbs|inwx|joker|linode|loopia|luadns|mikrotik|mythicbeasts|namecheap|namedotcom|netcup|netlify|ns1|opensrs|oracle|ovh|packetframe|porkbun|powerdns|realtimeregister|route53|rwth|sakuracloud|softlayer|transip|unifi|vercel|vultr).*:)+.*"
       order: 2
     - title: 'Documentation:'
       regexp: "(?i)^.*(docs)[(\\w)]*:+.*$"

OWNERS

@@ -57,5 +57,6 @@ providers/rwth @mistererwin
 providers/sakuracloud @ttkzw
 # providers/softlayer NEEDS VOLUNTEER
 providers/transip @blackshadev
+providers/unifi @zupolgec
 providers/vercel @SukkaW
 providers/vultr @pgaskin

README.md

@@ -69,6 +69,7 @@ Currently supported DNS providers:
 - Sakura Cloud
 - SoftLayer
 - TransIP
+- UniFi Network
 - Vercel
 - Vultr
 

documentation/SUMMARY.md

@@ -180,6 +180,7 @@
 * [Sakura Cloud](provider/sakuracloud.md)
 * [SoftLayer DNS](provider/softlayer.md)
 * [TransIP](provider/transip.md)
+* [UniFi Network](provider/unifi.md)
 * [Vercel](provider/vercel.md)
 * [Vultr](provider/vultr.md)
 

documentation/provider/index.md

@@ -84,6 +84,7 @@ Jump to a table:
 | [`SAKURACLOUD`](sakuracloud.md) | ❌ | ✅ | ❌ |
 | [`SOFTLAYER`](softlayer.md) | ❌ | ✅ | ❌ |
 | [`TRANSIP`](transip.md) | ❌ | ✅ | ❌ |
+| [`UNIFI`](unifi.md) | ❌ | ✅ | ❌ |
 | [`VERCEL`](vercel.md) | ❌ | ✅ | ❌ |
 | [`VULTR`](vultr.md) | ❌ | ✅ | ❌ |
 
@@ -150,6 +151,7 @@ Jump to a table:
 | [`SAKURACLOUD`](sakuracloud.md) | ❔ | ❌ | ✅ | ✅ |
 | [`SOFTLAYER`](softlayer.md) | ❔ | ❔ | ❌ | ❔ |
 | [`TRANSIP`](transip.md) | ✅ | ❌ | ❌ | ✅ |
+| [`UNIFI`](unifi.md) | ❌ | ❔ | ❌ | ❌ |
 | [`VERCEL`](vercel.md) | ❔ | ❌ | ❌ | ❌ |
 | [`VULTR`](vultr.md) | ❔ | ❔ | ✅ | ✅ |
 
@@ -211,6 +213,7 @@ Jump to a table:
 | [`SAKURACLOUD`](sakuracloud.md) | ✅ | ❌ | ❌ | ✅ | ❌ |
 | [`SOFTLAYER`](softlayer.md) | ❔ | ❔ | ❌ | ❔ | ❔ |
 | [`TRANSIP`](transip.md) | ✅ | ❌ | ❌ | ❌ | ❌ |
+| [`UNIFI`](unifi.md) | ❌ | ❔ | ❌ | ❌ | ❔ |
 | [`VERCEL`](vercel.md) | ✅ | ❌ | ❌ | ❌ | ❌ |
 | [`VULTR`](vultr.md) | ❌ | ❔ | ❌ | ❌ | ❔ |
 
@@ -271,6 +274,7 @@ Jump to a table:
 | [`SAKURACLOUD`](sakuracloud.md) | ❌ | ❌ | ✅ | ✅ |
 | [`SOFTLAYER`](softlayer.md) | ❔ | ❔ | ✅ | ❔ |
 | [`TRANSIP`](transip.md) | ❌ | ✅ | ✅ | ❌ |
+| [`UNIFI`](unifi.md) | ❔ | ❔ | ✅ | ❔ |
 | [`VERCEL`](vercel.md) | ❌ | ❌ | ✅ | ❌ |
 | [`VULTR`](vultr.md) | ❔ | ❔ | ✅ | ❔ |
 
@@ -328,6 +332,7 @@ Jump to a table:
 | [`RWTH`](rwth.md) | ✅ | ❔ | ❔ | ✅ | ❌ |
 | [`SAKURACLOUD`](sakuracloud.md) | ✅ | ✅ | ❔ | ❌ | ❌ |
 | [`TRANSIP`](transip.md) | ✅ | ❌ | ❔ | ✅ | ✅ |
+| [`UNIFI`](unifi.md) | ❌ | ❔ | ❔ | ❌ | ❌ |
 | [`VERCEL`](vercel.md) | ✅ | ✅ | ❔ | ❌ | ❌ |
 | [`VULTR`](vultr.md) | ✅ | ❔ | ❔ | ✅ | ❌ |
 

documentation/provider/unifi.md

@@ -0,0 +1,188 @@
+This is the provider for [UniFi Network](https://ui.com/), Ubiquiti's network management platform.
+
+UniFi Network includes a local DNS server that can be managed via its API. This provider allows DNSControl to manage DNS records on your UniFi Network controller.
+
+## Configuration
+
+To use this provider, add an entry to `creds.json` with `TYPE` set to `UNIFI` along with your connection details.
+
+### Configuration parameters
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| `TYPE` | Yes | Must be set to `UNIFI` |
+| `api_key` | Yes | UniFi API key |
+| `host` | Yes* | Controller address for local access (e.g., `https://192.168.1.1`) |
+| `console_id` | Yes* | Console ID for cloud access via ui.com |
+| `site` | No | Site name (defaults to `default`) |
+| `api_version` | No | API version: `auto`, `new`, or `legacy` (defaults to `auto`) |
+| `skip_tls_verify` | No | Set to `true` to skip TLS certificate verification |
+| `debug` | No | Set to `true` to enable debug output |
+
+*Either `host` or `console_id` is required, but not both.
+
+### Local access example
+
+Use `host` to connect directly to your UniFi controller:
+
+{% code title="creds.json" %}
+```json
+{
+  "unifi": {
+    "TYPE": "UNIFI",
+    "host": "https://192.168.1.1",
+    "api_key": "your-api-key",
+    "site": "default"
+  }
+}
+```
+{% endcode %}
+
+### Cloud access example
+
+Use `console_id` to connect via UniFi Cloud (ui.com):
+
+{% code title="creds.json" %}
+```json
+{
+  "unifi": {
+    "TYPE": "UNIFI",
+    "console_id": "28704E24-XXXX-XXXX-XXXX-XXXXXXXXXXXX:1234567890",
+    "api_key": "your-api-key",
+    "site": "default"
+  }
+}
+```
+{% endcode %}
+
+The `console_id` can be found in the URL when accessing your console via https://unifi.ui.com.
+
+## API versions
+
+UniFi Network has two different DNS APIs. The provider supports both and can auto-detect which one to use.
+
+### Legacy API
+
+- **Availability**: UniFi Network 8.x and later
+- **Endpoint**: `/proxy/network/v2/api/site/{site}/static-dns`
+- **Features**: Basic CRUD operations, update requires delete + create
+- **Record types**: A, AAAA, CNAME, MX, TXT, SRV, NS
+
+### New API
+
+- **Availability**: UniFi Network 10.1+ (currently in Early Access)
+- **Endpoint**: `/proxy/network/integration/v1/sites/{siteId}/dns/policies`
+- **Features**: Full CRUD with native update support
+- **Record types**: A, AAAA, CNAME, MX, TXT, SRV
+
+### Choosing an API version
+
+The `api_version` parameter controls which API to use:
+
+| Value | Behavior |
+|-------|----------|
+| `auto` (default) | Auto-detect: tries new API first, falls back to legacy |
+| `new` | Force new API (requires UniFi Network 10.1+) |
+| `legacy` | Force legacy API (works with UniFi Network 8.x+) |
+
+**Recommendation**: Use `auto` (the default) for maximum compatibility. The provider will automatically use the best available API for your controller version.
+
+{% code title="creds.json" %}
+```json
+{
+  "unifi": {
+    "TYPE": "UNIFI",
+    "host": "https://192.168.1.1",
+    "api_key": "your-api-key",
+    "api_version": "auto"
+  }
+}
+```
+{% endcode %}
+
+## Metadata
+
+This provider does not recognize any special metadata fields unique to UniFi.
+
+## Usage
+
+An example configuration:
+
+{% code title="dnsconfig.js" %}
+```javascript
+var REG_NONE = NewRegistrar("none");
+var DSP_UNIFI = NewDnsProvider("unifi");
+
+D("example.lan", REG_NONE, DnsProvider(DSP_UNIFI),
+    A("server", "192.168.1.10"),
+    AAAA("server", "fd00::10"),
+    CNAME("www", "server.example.lan."),
+    MX("@", 10, "mail.example.lan."),
+    TXT("@", "v=spf1 mx -all"),
+    SRV("_http._tcp", 0, 0, 80, "server.example.lan."),
+);
+```
+{% endcode %}
+
+## Activation
+
+To create an API key for DNSControl:
+
+1. Log in to your UniFi controller
+2. Navigate to **Settings** > **Admins & Users**
+3. Click on your user profile or create a dedicated API user
+4. Generate an API key with appropriate permissions
+5. Copy the API key to your `creds.json`
+
+For cloud access, you can also generate API keys at https://unifi.ui.com under your account settings.
+
+## Supported record types
+
+| Type | Legacy API | New API |
+|------|------------|---------|
+| A | Yes | Yes |
+| AAAA | Yes | Yes |
+| CNAME | Yes | Yes |
+| MX | Yes | Yes |
+| TXT | Yes | Yes |
+| SRV | Yes | Yes |
+| NS | Yes | No |
+
+## Limitations
+
+### No zone concept
+
+UniFi Network stores DNS records flat, without the concept of zones. DNSControl filters records by domain suffix to simulate zone management. This means:
+
+- `dnscontrol get-zones` is not supported
+- Creating new domains is not supported (records are added directly)
+
+### Wildcard CNAMEs
+
+UniFi does not support wildcard CNAME records. Attempting to create a `*.example.com` CNAME will result in an error.
+
+### TTL handling
+
+- If TTL is not specified, the provider uses a default of 300 seconds
+- TTL support varies by record type in the legacy API (MX and TXT records may ignore TTL)
+
+### Self-signed certificates
+
+If your UniFi controller uses a self-signed certificate, set `skip_tls_verify` to `true`:
+
+{% code title="creds.json" %}
+```json
+{
+  "unifi": {
+    "TYPE": "UNIFI",
+    "host": "https://192.168.1.1",
+    "api_key": "your-api-key",
+    "skip_tls_verify": "true"
+  }
+}
+```
+{% endcode %}
+
+### Concurrent operations
+
+The provider does not support concurrent API operations. Changes are applied sequentially to ensure reliability.

integrationTest/profiles.json

@@ -360,6 +360,15 @@
     "TYPE": "TRANSIP",
     "domain": "$TRANSIP_DOMAIN"
   },
+  "UNIFI": {
+    "TYPE": "UNIFI",
+    "api_key": "$UNIFI_API_KEY",
+    "domain": "$UNIFI_DOMAIN",
+    "host": "$UNIFI_HOST",
+    "knownFailures": "26,43",
+    "site": "$UNIFI_SITE",
+    "skip_tls_verify": "$UNIFI_SKIP_TLS_VERIFY"
+  },
   "VERCEL": {
     "TYPE": "VERCEL",
     "api_token": "$VERCEL_API_TOKEN",

pkg/providers/_all/all.go

@@ -62,6 +62,7 @@ import (
 	_ "github.com/StackExchange/dnscontrol/v4/providers/sakuracloud"
 	_ "github.com/StackExchange/dnscontrol/v4/providers/softlayer"
 	_ "github.com/StackExchange/dnscontrol/v4/providers/transip"
+	_ "github.com/StackExchange/dnscontrol/v4/providers/unifi"
 	_ "github.com/StackExchange/dnscontrol/v4/providers/vercel"
 	_ "github.com/StackExchange/dnscontrol/v4/providers/vultr"
 )