digitalocean-dns-zones

Operates DigitalOcean DNS zones and records via doctl, the DigitalOcean API v2, and the digitalocean Terraform provider — domain/record CRUD, the apex CNAME / no-flattening trap when migrating from Cloudflare, account-wide token handling, FQDN trailing-dot semantics, DNS-01 ACME wildcard certs, and nameserver delegation. Use when working with DigitalOcean DNS, doctl compute domain, DIGITALOCEAN_ACCESS_TOKEN, api.digitalocean.com domains, digitalocean_record/digitalocean_domain Terraform, apex CNAME questions, wildcard cert DNS-01, or moving a zone between Cloudflare and DigitalOcean.
Goodsmileduck/claude-registry · ★ 1 · DevOps & Infrastructure · score 74
Install: claude install-skill Goodsmileduck/claude-registry
# DigitalOcean DNS Zones

Operational skill for managing DigitalOcean DNS through doctl, the REST API, and the Terraform provider. Covers the traps that appear most often when migrating zones in or out of Cloudflare — especially apex CNAME handling, trailing-dot semantics, and the account-wide token model that differs from Cloudflare's scoped tokens.

## When to invoke

**Symptoms:**

- Apex hostname (`example.com`) refuses to take a CNAME — the provider errors or the record silently misbehaves.
- A Terraform CNAME resolves to a doubled FQDN like `api.example.com.example.com`.
- Need a wildcard cert (`*.example.com`) with a DNS-01 ACME challenge on a DO-hosted zone.
- Migrating a zone to or from Cloudflare and unsure which records need manual attention.
- Deciding whether to use doctl, the raw API, or the Terraform provider for a given task.
- Token handling for DO DNS in CI — needs guidance on secret management.

## Cross-cutting rules

These rules apply to every section below. Read them before acting.

1. **`DIGITALOCEAN_ACCESS_TOKEN` is account-wide.** Unlike Cloudflare, DigitalOcean has no zone-scoped token model. A token that can edit DNS can touch every domain in the account. Treat it as a high-value secret: store it in a secrets manager or CI secret, never echo it into shared shell history or CI logs. This is an explicit difference from the `cloudflare-dns-zones` skill's "scope tokens to the minimum" rule — on DigitalOcean you cannot scope below the account level.
2.
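
Rule 1 says to keep the token out of shell history and CI logs. The following is an added example, not part of the skill or the registry's code, that scans log lines for DigitalOcean token strings and masks them. The `dop_v1_` / `doo_v1_` / `dor_v1_` prefix format is DigitalOcean's token scheme rather than something stated on this page; the function names and the sample log are constructed for illustration.

```python
import re

MASK = "[REDACTED-DO-TOKEN]"

# Current DigitalOcean tokens: type prefix (personal access, OAuth, OAuth
# refresh) followed by 64 hex characters. Format is an assumption not on the page.
PREFIXED = re.compile(r"\bdo[opr]_v1_[a-f0-9]{64}\b")

# Older tokens are bare 64-hex strings. Flag a bare value only when it is
# assigned to the variable the page names, so SHA-256 digests are not matched.
# Values starting with "$" or "*" (variable references, CI masking) are skipped.
ASSIGNED = re.compile(
    r"(DIGITALOCEAN_ACCESS_TOKEN\s*[=:]\s*[\"']?)([A-Za-z0-9_]{16,})"
)


def scan(lines):
    """Return (findings, redacted_lines); findings are (line_no, kind) tuples."""
    findings, clean = [], []
    for no, line in enumerate(lines, 1):
        line, n = PREFIXED.subn(MASK, line)
        findings += [(no, "prefixed-token")] * n
        line, n = ASSIGNED.subn(lambda m: m.group(1) + MASK, line)
        findings += [(no, "assigned-value")] * n
        clean.append(line)
    return findings, clean


# Constructed sample CI log; FAKE is not a real token.
FAKE = "dop_v1_" + "ab12" * 16
SAMPLE_LOG = [
    "+ doctl compute domain list",
    f"+ export DIGITALOCEAN_ACCESS_TOKEN={FAKE}",
    "DIGITALOCEAN_ACCESS_TOKEN=${DO_TOKEN}",
    f'curl -H "Authorization: Bearer {FAKE}" https://api.digitalocean.com/v2/domains',
    "DIGITALOCEAN_ACCESS_TOKEN: " + "0f" * 32,
    "sha256:" + "0f" * 32 + "  doctl.tar.gz",
]

if __name__ == "__main__":
    hits, redacted = scan(SAMPLE_LOG)
    for no, kind in hits:
        print(f"line {no}: {kind}")
    print("\n".join(redacted))
```

Because the token is account-wide, any hit means rotating the token, not just scrubbing the log.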