Research Findings

API Insights

• Namecheap DNS API uses POST with form parameters; responses are XML.


• Authentication: `ApiUser`, `ApiKey`, `UserName`, `ClientIp`. IP must be whitelisted.


• Commands: `dnsns.*` for DNS records; `domains.getList` for listing owned domains.


• Records include `ID`, `Type`, `Name`, `Value`, `TTL`, and `MXPref` for MX.


• Apex records use `HostName="@"`.


• TTL options: typical values are 60, 1800, 3600, etc.


• There is no direct “update record” command; to modify a single record you must either use `setHostRecords` (replace entire zone) or delete + add.


• Error responses include numeric codes and human‑readable text; common errors: duplicate record, invalid IP, rate limit.

Protocols & Data Mapping

• XML parsing in Go is straightforward with `encoding/xml`.


• MCP tools will map naturally: add_record → `dnsns.addHost`, list_records → `dnsns.getList`, etc.


• MX records require special handling: split `value` into priority and host.


• Domain parsing: need SLD and TLD for API calls. For accurate parsing across all TLDs, using `golang.org/x/net/publicsuffix` is advisable.

Operational Concerns

• Rate limiting: likely generous, but implement 1–2 QPS and retries to be safe.


• Logging: avoid logging credentials; log errors with context.


• Sandbox environment available at `https://api.sandbox.namecheap.com/xml.response` – use for development.


• Credentials via environment variables; can also use a `.env` file with a small loader.

Security

• IP whitelist is an effective control: only requests from authorized server IPs accepted.


• MCP over stdio limits exposure; but still keep API key secret.


• Consider mandating `MCP_SECRET` token for extra protection if the binary might be spawned by untrusted processes (unlikely).

Implementation Strategy

• Build incrementally: start with `domains.list` to prove auth, then `dns.list_records`, then add/create/delete.


• Use a simple `Client` struct that handles POST, XML, and error checks.


• MCP server: either use existing Go SDK or minimal custom JSON‑RPC; the latter is lightweight.


• Unit tests with mocked HTTP responses; integration tests against sandbox.

Open Items

• Domain splitting edge cases (multi‑part TLDs) – resolve with publicsuffix library.


• Confirm exact error code for duplicate record; handle gracefully.


• Decide on default TTL (3600 standard).


• Whether to support wildcard `*` names – yes, just pass through.