Google Cloud DNS × WAB Discovery

Enable or disable the WAB DNS Discovery TXT record on any Cloud DNS managed zone.

ℹ OAuth 2.0 Access Token required. Browser SigV4-style signing isn't supported by Cloud DNS — paste a short-lived OAuth access token instead. Generate one with: gcloud auth print-access-token

1. Authentication

OAuth 2.0 Access Token (short-lived, browser keeps in memory only)

Obtain via: gcloud auth print-access-token (with roles/dns.admin on the zone). Token expires in ~60 minutes — re-paste if needed.

2. Project & Zone

GCP Project ID

Managed Zone Name (not the DNS name)

Domain

Endpoint URL (blank = auto)

3. Actions

How it works

Fetch WAB record template (GET /api/discovery/provider/record-template) for TXT value.

Look up existing _wab TXT in the managed zone (GET …/managedZones/{zone}/rrsets).

Cloud DNS uses atomic changes: POST changes with {additions, deletions}. Enable = add (+ delete old if value differs). Disable = delete.

Confirm via /api/discovery/provider/status. Cloud DNS propagation is typically < 60 s.

Code Snippets

Node.js

gcloud CLI

Terraform

// npm install @google-cloud/dns
const { DNS } = require('@google-cloud/dns');
const dns = new DNS({ projectId: 'my-gcp-project' });

const ZONE   = 'example-com';
const DOMAIN = 'example.com';
const TXT_VAL = `"v=wab1; endpoint=https://${DOMAIN}/.well-known/wab.json"`;

const zone = dns.zone(ZONE);
const recordSet = zone.record('txt', { name: `_wab.${DOMAIN}.`, ttl: 3600, data: TXT_VAL });

async function enableWAB() {
  // delete any existing _wab TXT then add new
  const [records] = await zone.getRecords({ type: 'TXT', name: `_wab.${DOMAIN}.` });
  if (records.length) {
    await zone.deleteRecords(records);
  }
  await zone.addRecords([recordSet]);
  console.log('WAB Discovery ENABLED');
}

async function disableWAB() {
  const [records] = await zone.getRecords({ type: 'TXT', name: `_wab.${DOMAIN}.` });
  if (!records.length) return console.log('Already disabled');
  await zone.deleteRecords(records);
  console.log('WAB Discovery DISABLED');
}

enableWAB().catch(console.error);

# Enable: start a transaction, add record, execute
gcloud dns record-sets transaction start --zone=example-com
gcloud dns record-sets transaction add \
  '"v=wab1; endpoint=https://example.com/.well-known/wab.json"' \
  --name=_wab.example.com. --ttl=3600 --type=TXT --zone=example-com
gcloud dns record-sets transaction execute --zone=example-com

# Disable: remove the record
gcloud dns record-sets transaction start --zone=example-com
gcloud dns record-sets transaction remove \
  '"v=wab1; endpoint=https://example.com/.well-known/wab.json"' \
  --name=_wab.example.com. --ttl=3600 --type=TXT --zone=example-com
gcloud dns record-sets transaction execute --zone=example-com

resource "google_dns_record_set" "wab_discovery" {
  managed_zone = "example-com"
  name         = "_wab.example.com."
  type         = "TXT"
  ttl          = 3600
  rrdatas      = ["\"v=wab1; endpoint=https://example.com/.well-known/wab.json\""]
}

# Toggle: count = var.wab_enabled ? 1 : 0

Minimal IAM Role

Use a custom role with these permissions on the managed zone:

dns.changes.create
dns.changes.get
dns.resourceRecordSets.list
dns.resourceRecordSets.create
dns.resourceRecordSets.delete

← Provider Onboarding · Cloudflare · cPanel · Route 53 · Plesk · DNS Discovery