# Provider Limitations

> Known constraints and behaviors by DNS provider that may affect automated configuration

Some DNS providers enforce restrictions through their APIs, security policies, or implementations that limit what Entri can configure automatically. Understanding these limitations helps you anticipate issues and plan accordingly.

<Note>
  These restrictions originate from DNS providers themselves, not from Entri. They are enforced through provider systems and APIs.
</Note>

## Common Limitation Types

Before diving into specific providers, here are the categories of limitations you may encounter:

| Type                    | Description                                                | Impact                          |
| ----------------------- | ---------------------------------------------------------- | ------------------------------- |
| **MFA/Security**        | Passkeys, security keys, or device-based MFA not supported | User falls back to manual setup |
| **Record Restrictions** | TXT >255 chars, wildcards, or CNAME at root not supported  | Specific record types fail      |
| **API Gaps**            | No automated replacement of existing records               | Manual deletion required first  |
| **Login Methods**       | Social login (Google, Apple) not supported                 | Credential login required       |

## Provider-Specific Limitations

### Amazon Route 53

* No separate hosted zones for subdomains
* Passkey/security key login not supported
* MFA setup is mandatory

### ArubaIT

* DNS changes take up to 30 minutes to propagate
* Records cannot be updated during the propagation window

### Cloudflare

* **Proxy mode**: When enabled via Entri, applies to ALL records created through that flow (not individually configurable)

### CrazyDomains

* Email verification may be required after extended inactivity
* Premium DNS required for TXT records

### DreamHost

* Advanced domain protection plans require email verification on every login
* Some services auto-create DNS records that cannot be removed, even if they conflict

### Dynadot

* Accounts may lock during repeated login attempts
* Repeated invalid credentials can trigger temporary lockouts

### Gandi

* Account verification may be required
* Some domains use legacy nameservers that don't support advanced DNS automation

### GoDaddy

* **TTL values**: GoDaddy uses a fixed TTL of X. If you need a custom TTL, please contact Entri support.
* **Conflict limit**: Only allows 3 flows with conflicting records. After that, triggers manual setup
* **Parked A records**: Tied to GoDaddy's free products. Entri removes them automatically if they conflict with your records

### GreenGeeks

* Domains pointing to expired or missing hosting cannot be managed
* DNS operations fail if hosting is inactive

### Hosting.com

* Some domains require admin-level login access

### InMotion

* Invalid password errors are only surfaced after MFA submission

### O2switch

* Requires a cPanel password to be set for new hosting domains

### One.com

* **MFA**: Uses a companion mobile app for two-factor authentication. This MFA method is not currently supported by Entri
* Users with app-based MFA will be redirected to manual setup

### Papaki

* Nameservers must be manually configured before DNS automation is possible

### Registro.br

* **Domain in transition**: When enabling advanced DNS for the first time, Registro.br may take up to 5 minutes to transition the domain. During this window, DNS operations will fail with a `RegistroDomainInTransition` error. Retry after 5 minutes.

### Shopify

* Passkey, social, and biometric logins not supported
* TXT records longer than 255 characters not supported
* Record values must be entered as FQDNs
* Multiple A records at the @ host are not supported

### Simply

* Explicit permission from the account owner is required

### Spaceship

* **Domain location**: Domain must be in "Web Hosting" section, not "SellerHub". Domains listed under SellerHub cannot be configured automatically
* USB security key login not supported

### Squarespace

* **No automated replacement**: If a record already exists, Entri redirects to manual setup
* **Workaround**: User must manually delete conflicting record first, then re-run Entri

### NetworkSolutions.com, Bluehost.com, Hostgator.com

* Password reset required after long inactivity
* Migrated accounts may not be able to authenticate

### Record-Specific Limitations

#### TXT Records >255 Characters

Not supported by:

* Shopify
* WordPress.com
* Hover

**Workaround**: Split the record if your application supports it, or use manual setup.
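The splitting workaround above, as an added example (not Entri's code or API): a TXT record may carry several character-strings of up to 255 bytes each (RFC 1035), and consumers such as SPF and DKIM verifiers concatenate them with no separator. The function names and the sample value are constructed for illustration, and whether a given provider accepts multi-string values is an assumption you need to confirm.

```javascript
// Added example: split a long TXT value into DNS character-strings.
// RFC 1035 limits each character-string inside a TXT record to 255 bytes.
const MAX_TXT_STRING_BYTES = 255;

// Split `value` into chunks of at most `maxBytes` UTF-8 bytes each,
// never cutting a multi-byte character in half.
function splitTxtValue(value, maxBytes = MAX_TXT_STRING_BYTES) {
  const encoder = new TextEncoder();
  const chunks = [];
  let current = "";
  let currentBytes = 0;
  for (const ch of value) { // iterates by code point, not UTF-16 unit
    const size = encoder.encode(ch).length;
    if (currentBytes > 0 && currentBytes + size > maxBytes) {
      chunks.push(current);
      current = "";
      currentBytes = 0;
    }
    current += ch;
    currentBytes += size;
  }
  if (current.length > 0 || chunks.length === 0) chunks.push(current);
  return chunks;
}

// Render chunks in zone-file presentation form: "part1" "part2".
// Handles printable ASCII values (SPF, DKIM); backslashes and double
// quotes inside a string are escaped.
function toZoneFileTxt(chunks) {
  return chunks
    .map((c) => `"${c.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`)
    .join(" ");
}

// What a verifier sees: the strings joined with no separator.
function joinTxtChunks(chunks) {
  return chunks.join("");
}

// Constructed sample: a DKIM-style value with a 400-character dummy key.
const sampleValue = "v=DKIM1; k=rsa; p=" + "A".repeat(400);
const sampleChunks = splitTxtValue(sampleValue);
console.log(sampleChunks.map((c) => c.length));
console.log(joinTxtChunks(sampleChunks) === sampleValue);
```

Check the round trip (`joinTxtChunks(splitTxtValue(v)) === v`) before publishing, because a chunk boundary that adds or drops a character invalidates the SPF or DKIM value.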

#### Wildcard Records

Not supported by:

* Strato
* Wix
* OVH
* LocaWeb
* OpenSRS

#### CNAME at Root (@)

Most providers don't support CNAME records at the root domain due to DNS specification constraints. Some providers work around this using CNAME flattening, ALIAS, or ANAME records, but support varies and may have restrictions. See [DNS Concepts](/dns-concepts#cname-at-root-the-technical-limitation) for a detailed explanation.

Use `checkDomain` to detect support programmatically:

```javascript
const result = await entri.checkDomain("example.com", config);

if (result.cnameFlattening) {
  // Provider supports CNAME at root
}
```

**Workarounds for providers without support:**

1. Use A records pointing to your server's IP
2. Use [Entri Secure](/ssl-provisioning) with `secureRootDomain: true`
3. Redirect root to www subdomain (`wwwRedirect: true`)

## Security-Related Limitations

### Login Method Compatibility

Some providers don't support all authentication methods. When a user attempts to log in with an unsupported method (such as passkeys, social login, or hardware security keys), Entri automatically redirects them to manual setup with clear instructions.

<Note>
  If your users report being unexpectedly redirected to manual setup, verify they're using standard credential-based login with app-based or SMS MFA.
</Note>

### Supported MFA Methods

Multi-factor authentication support varies by provider:

**Amazon Route 53**

* ✅ Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)
* ✅ Email verification codes
* ❌ Other MFA methods trigger manual setup

**All Other Providers**

* ✅ SMS text messages
* ✅ Authenticator apps
* ✅ Email verification codes

<Note>
  If a user has hardware security keys (YubiKey), passkeys, or device-based MFA enabled, they will be redirected to manual setup. Consider documenting this in your user-facing help content.
</Note>

### Domain Protection Features

The following can block automated DNS changes:

* **NameSilo**: Domain Defender
* **Reg123**: Domain Protection setting

Users with these features enabled will be redirected to manual setup.

## Troubleshooting

If a user encounters issues during automated setup:

1. Run `entri.checkDomain(domain, config)` to verify provider detection and capabilities
2. Check [provider health status](/api-reference#provider-health)
3. Verify the user isn't using an unsupported login method
4. Check if domain protection features are enabled
5. For TXT records, verify length is under 255 characters
6. If all else fails, use `forceManualSetup: true` and provide clear instructions

## Need Help?

If you encounter issues not listed here, contact Entri support with:

* Domain name
* Provider name
* Error message or screenshot
* DNS records you're trying to configure
