These restrictions originate from DNS providers themselves, not from Entri. They are enforced through provider systems and APIs.
Common Limitation Types
Before diving into specific providers, here are the categories of limitations you may encounter:

| Type | Description | Impact |
|---|---|---|
| MFA/Security | Passkeys, security keys, or device-based MFA not supported | User falls back to manual setup |
| Record Restrictions | TXT >255 chars, wildcards, or CNAME at root not supported | Specific record types fail |
| API Gaps | No automated replacement of existing records | Manual deletion required first |
| Login Methods | Social login (Google, Apple) not supported | Credential login required |
Provider-Specific Limitations
Amazon Route 53
- No separate hosted zones for subdomains
- Passkey/security key login not supported
- MFA setup is mandatory
ArubaIT
- DNS changes take up to 30 minutes to propagate
- Records cannot be updated during propagation window
Cloudflare
- Proxy mode: When enabled via Entri, applies to ALL records created through that flow (not individually configurable)
CrazyDomains
- Email verification may be required after extended inactivity
- Premium DNS required for TXT records
DreamHost
- Advanced domain protection plans require email verification on every login
- Some services auto-create DNS records that cannot be removed, even if they conflict
Dynadot
- Accounts may lock during repeated login attempts
- Repeated invalid credentials can trigger temporary lockouts
Gandi
- Account verification may be required
- Some domains use legacy nameservers that don’t support advanced DNS automation
GoDaddy
- TTL values: GoDaddy uses a fixed TTL of X. If you need a custom TTL, please contact Entri support.
- Conflict limit: Only allows 3 flows with conflicting records. After that, triggers manual setup
- Parked A records: Tied to GoDaddy’s free products. Entri removes them automatically if they conflict with your records
GreenGeeks
- Domains pointing to expired or missing hosting cannot be managed
- DNS operations fail if hosting is inactive
Hosting.com
- Some domains require admin-level login access
InMotion
- Invalid password errors are only surfaced after MFA submission
O2switch
- Requires a cPanel password to be set for new hosting domains
One.com
- MFA: Uses a companion mobile app for two-factor authentication. This MFA method is not currently supported by Entri
- Users with app-based MFA will be redirected to manual setup
Papaki
- Nameservers must be manually configured before DNS automation is possible
Registro.br
- Domain in transition: When enabling advanced DNS for the first time, Registro.br may take up to 5 minutes to transition the domain. During this window, DNS operations will fail with a RegistroDomainInTransition error. Retry after 5 minutes.
Shopify
- Passkey, social, and biometric logins not supported
- TXT records longer than 255 characters not supported
- Record values must be entered as FQDNs
- Multiple A records at the @ host are not supported
Simply
- Explicit permission from the account owner is required
Spaceship
- Domain location: Domain must be in “Web Hosting” section, not “SellerHub”. Domains listed under SellerHub cannot be configured automatically
- USB security key login not supported
Squarespace
- No automated replacement: If a record already exists, Entri redirects to manual setup
- Workaround: User must manually delete conflicting record first, then re-run Entri
NetworkSolutions.com, Bluehost.com, Hostgator.com
- Password reset required after long inactivity
- Migrated accounts may not be able to authenticate
Record-Specific Limitations
TXT Records >255 Characters
Not supported by:
- Shopify
- WordPress.com
- Hover
Wildcard Records
Not supported by:
- Strato
- Wix
- OVH
- LocaWeb
- OpenSRS
CNAME at Root (@)
Most providers don’t support CNAME records at the root domain due to DNS specification constraints. Some providers work around this using CNAME flattening, ALIAS, or ANAME records, but support varies and may have restrictions. See DNS Concepts for a detailed explanation. Use checkDomain to detect support programmatically.
- Use A records pointing to your server’s IP
- Use Entri Secure with secureRootDomain: true
- Redirect root to www subdomain (wwwRedirect: true)
Security-Related Limitations
Login Method Compatibility
Some providers don’t support all authentication methods. When a user attempts to log in with an unsupported method (such as passkeys, social login, or hardware security keys), Entri automatically redirects them to manual setup with clear instructions.
If your users report being unexpectedly redirected to manual setup, verify they’re using standard credential-based login with app-based or SMS MFA.
Supported MFA Methods
Multi-factor authentication support varies by provider:
Amazon Route 53
- ✅ Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)
- ✅ Email verification codes
- ❌ Other MFA methods trigger manual setup
- ✅ SMS text messages
- ✅ Authenticator apps
- ✅ Email verification codes
If a user has hardware security keys (YubiKey), passkeys, or device-based MFA enabled, they will be redirected to manual setup. Consider documenting this in your user-facing help content.
Domain Protection Features
The following can block automated DNS changes:
- NameSilo: Domain Defender
- Reg123: Domain Protection setting
Troubleshooting
If a user encounters issues during automated setup:
- Run entri.checkDomain(domain, config) to verify provider detection and capabilities
- Check provider health status
- Verify the user isn’t using an unsupported login method
- Check if domain protection features are enabled
- For TXT records, verify length is under 255 characters
- If all else fails, use forceManualSetup: true and provide clear instructions
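The record-level checks above can be run before a flow is started. The following is an added example, not Entri's code and not part of the Entri SDK: it lints a planned record set against the record-specific limitations listed on this page. The function name preflight, the record shape ({ type, host, value }) and the issue codes are assumptions made for illustration.

```javascript
// Added example: provider lists are copied from this page; the record shape
// ({ type, host, value }) and the issue codes are assumptions for illustration.
const NO_LONG_TXT = ['shopify', 'wordpress.com', 'hover'];
const NO_WILDCARD = ['strato', 'wix', 'ovh', 'locaweb', 'opensrs'];

function preflight(provider, records) {
  const p = provider.trim().toLowerCase();
  const issues = [];
  let rootARecords = 0;
  for (const r of records) {
    const type = r.type.toUpperCase();
    const atRoot = r.host === '@' || r.host === '';
    const flag = (code) => issues.push({ code, type, host: r.host });

    // TXT values over 255 characters fail on the providers listed above.
    if (type === 'TXT' && r.value.length > 255 && NO_LONG_TXT.includes(p)) {
      flag('TXT_TOO_LONG');
    }
    // Wildcard hosts ("*" or "*.sub") are rejected by some providers.
    if (r.host.startsWith('*') && NO_WILDCARD.includes(p)) {
      flag('WILDCARD_UNSUPPORTED');
    }
    // Root CNAME support varies, so flag it for every provider as a warning.
    if (type === 'CNAME' && atRoot) {
      flag('CNAME_AT_ROOT');
    }
    // Shopify accepts only one A record at the @ host.
    if (p === 'shopify' && type === 'A' && atRoot && ++rootARecords === 2) {
      flag('MULTIPLE_ROOT_A');
    }
  }
  return issues;
}

// Constructed sample records (documentation IP range, example.com names).
const sampleRecords = [
  { type: 'TXT', host: '@', value: 'v=DKIM1; k=rsa; p=' + 'A'.repeat(300) },
  { type: 'A', host: '@', value: '192.0.2.10' },
  { type: 'A', host: '@', value: '192.0.2.11' },
  { type: 'CNAME', host: '*', value: 'app.example.com' },
];

console.log(preflight('Shopify', sampleRecords).map((i) => i.code));
```

An empty result means none of the record-specific limitations on this page apply; login, MFA and domain-protection limitations still have to be checked separately.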
Need Help?
If you encounter issues not listed here, contact Entri support with:
- Domain name
- Provider name
- Error message or screenshot
- DNS records you’re trying to configure

