"Long-lived token" means API tokens for the management API (creating/
deleting zones, listing them, automating via Terraform-style flows),
not the TSIG keys for actual DNS updates. Every zone on every tier gets
its TSIG key — that's what powers the updates themselves. Free tier
manages zones via the dashboard; paid tiers add API tokens for
programmatic management.
You generate a short-lived token, update, then rotate it. For most home setups, a cron job every 5 minutes with a 10-minute token window is fine. The RFC 2136 path is the real reason to use this instead of the HTTP update protocols most DDNS services use.
That really needs clarification; LLMs do get that wrong.