diff --git a/acme.sh b/acme.sh index 9ff54d32..e252fd51 100755 --- a/acme.sh +++ b/acme.sh @@ -1750,6 +1750,57 @@ _clearupwebbroot() { } +_clearupdnsrr() { + [ "$1" -eq "1" ] || return 0 + [ -n "$2" ] || return 0 + txtdomain="_acme-challenge.$2" + + d_api="" + if [ -f "$LE_WORKING_DIR/$d/$_currentRoot" ] ; then + d_api="$LE_WORKING_DIR/$d/$_currentRoot" + elif [ -f "$LE_WORKING_DIR/$d/$_currentRoot.sh" ] ; then + d_api="$LE_WORKING_DIR/$d/$_currentRoot.sh" + elif [ -f "$LE_WORKING_DIR/$_currentRoot" ] ; then + d_api="$LE_WORKING_DIR/$_currentRoot" + elif [ -f "$LE_WORKING_DIR/$_currentRoot.sh" ] ; then + d_api="$LE_WORKING_DIR/$_currentRoot.sh" + elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot" + elif [ -f "$LE_WORKING_DIR/dnsapi/$_currentRoot.sh" ] ; then + d_api="$LE_WORKING_DIR/dnsapi/$_currentRoot.sh" + fi + _debug d_api "$d_api" + + if [ "$d_api" ] ; then + _info "Found domain api file: $d_api" + else + _err "Remove the following TXT record:" + _err "Domain: '$(__green $txtdomain)'" + _err "Please be aware that you prepend _acme-challenge. before your domain" + _err "so the resulting subdomain will be: $txtdomain" + return 0 + fi + + if ! . $d_api ; then + _err "Load file $d_api error. Please check your api file and try again." + return 1 + fi + + delcommand="${_currentRoot}_del" + + if ! _exists $delcommand ; then + _err "It seems that your api file is not correct, it must have a function named: $delcommand" + return 1 + fi + + if ! $delcommand $txtdomain ; then + _err "Error del txt for domain:$txtdomain" + return 1 + fi + + return 0 +} + _on_before_issue() { _debug _on_before_issue if _hasfield "$Le_Webroot" "$NO_VALUE" ; then 
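Review bot: In `_clearupdnsrr` the provider script is sourced with `. $d_api` and the delete hook is run as `$delcommand $txtdomain`, both unquoted, so a working directory or domain value containing whitespace or glob characters is word-split before a file is sourced into the running shell. I would quote both: `if ! . "$d_api" ; then` and `if ! "$delcommand" "$txtdomain" ; then`. The lookup paths also read the global `$d` while the record name comes from `$2`; using `$2` for both keeps the function from acting on a stale loop variable. The guard `[ "$1" -eq "1" ]` prints a test error when `$1` is empty or non-numeric, so `[ "$1" = "1" ] || return 0` is quieter.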
@@ -2385,6 +2436,7 @@ issue() { if ! _send_signed_request $uri "{\"resource\": \"challenge\", \"keyAuthorization\": \"$keyauthorization\"}" ; then _err "$d:Can not get challenge: $response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1 @@ -2393,6 +2445,7 @@ issue() { if [ ! -z "$code" ] && [ ! "$code" = '202' ] ; then _err "$d:Challenge error: $response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1 @@ -2408,6 +2461,7 @@ issue() { if [ "$waittimes" -ge "$MAX_RETRY_TIMES" ] ; then _err "$d:Timeout" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1 @@ -2420,6 +2474,7 @@ issue() { if [ "$?" != "0" ] ; then _err "$d:Verify error:$response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1 @@ -2435,6 +2490,7 @@ issue() { _stopserver $serverproc serverproc="" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d break; fi @@ -2455,6 +2511,7 @@ issue() { fi fi _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1; @@ -2465,6 +2522,7 @@ issue() { else _err "$d:Verify error:$response" _clearupwebbroot "$_currentRoot" "$removelevel" "$token" + _clearupdnsrr $dnsadded $d _clearup _on_issue_err return 1 @@ -2843,7 +2901,7 @@ _installcert() { if [ -f "$Le_RealCertPath" ] && [ ! "$IS_RENEW" ] ; then cp "$Le_RealCertPath" "$Le_RealCertPath".bak fi - cat "$CERT_PATH" > "$Le_RealCertPath" + install -D -m0640 "$CERT_PATH" "$Le_RealCertPath" fi if [ "$Le_RealCACertPath" ] ; then 
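Review bot: The new call `_clearupdnsrr $dnsadded $d` in this hunk passes both arguments unquoted, so if `$dnsadded` is empty the domain shifts into `$1` and the function's numeric guard is evaluated against a hostname. Quoting keeps the positions stable: `_clearupdnsrr "$dnsadded" "$d"`. The same line is added in the hunks at 2393, 2408, 2420, 2435, 2455 and 2465. Whether `$dnsadded` can be empty depends on code in `issue()` outside these hunks. The return status is discarded at every site, which looks like intended best-effort cleanup but deserves a short comment saying so.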
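Review bot: Replacing `cat "$CERT_PATH" > "$Le_RealCertPath"` with `install -D -m0640` changes more than directory creation: `install` writes a new file owned by the invoking user with mode 0640, where the redirect kept the existing target's owner and mode. The same change is made in the hunks at 2856, 2867 and 2876, and for the key at 2867 a file an operator had restricted to 0600 becomes group-readable on the next install. I would use `install -D -m0600 "$CERT_KEY_PATH" "$Le_RealKeyPath"` for the key and decide deliberately whether certificates need a wider mode for services that read them as another user. `-D` creating parent directories is the GNU coreutils meaning, so `install` on other platforms may behave differently. `_installcert` starts and ends outside these hunks.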
@@ -2856,7 +2914,7 @@ _installcert() { if [ -f "$Le_RealCACertPath" ] && [ ! "$IS_RENEW" ] ; then cp "$Le_RealCACertPath" "$Le_RealCACertPath".bak fi - cat "$CA_CERT_PATH" > "$Le_RealCACertPath" + install -D -m0640 "$CA_CERT_PATH" "$Le_RealCACertPath" fi fi @@ -2867,7 +2925,7 @@ _installcert() { if [ -f "$Le_RealKeyPath" ] && [ ! "$IS_RENEW" ] ; then cp "$Le_RealKeyPath" "$Le_RealKeyPath".bak fi - cat "$CERT_KEY_PATH" > "$Le_RealKeyPath" + install -D -m0640 "$CERT_KEY_PATH" "$Le_RealKeyPath" fi if [ "$Le_RealFullChainPath" ] ; then @@ -2876,7 +2934,7 @@ _installcert() { if [ -f "$Le_RealFullChainPath" ] && [ ! "$IS_RENEW" ] ; then cp "$Le_RealFullChainPath" "$Le_RealFullChainPath".bak fi - cat "$CERT_FULLCHAIN_PATH" > "$Le_RealFullChainPath" + install -D -m0640 "$CERT_FULLCHAIN_PATH" "$Le_RealFullChainPath" fi if [ "$Le_ReloadCmd" ] ; then @@ -3177,6 +3235,11 @@ _initconf() { # #GD_Secret=\"sADDsdasdfsdfdssdgdsf\" +####################### +#nsupdate: +#NSUPDATE_KEY=\"/path/to/update.key\" +#NSUPDATE_SERVER=\"192.168.0.1\" + ####################### #PowerDNS: #PDNS_Url=\"http://ns.example.com:8081\" @@ -3243,9 +3306,7 @@ _installalias() { _envfile="$LE_WORKING_DIR/$PROJECT_ENTRY.env" if [ "$_upgrading" ] && [ "$_upgrading" = "1" ] ; then - echo "$(cat $_envfile)" | sed "s|^LE_WORKING_DIR.*$||" > "$_envfile" - echo "$(cat $_envfile)" | sed "s|^alias le.*$||" > "$_envfile" - echo "$(cat $_envfile)" | sed "s|^alias le.sh.*$||" > "$_envfile" + sed -i '/^LE_WORKING_DIR/d;/^alias le/d' "$_envfile" fi _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\"" @@ -3281,7 +3342,7 @@ _installalias() { } # nocron -install() { +_install() { if [ -z "$LE_WORKING_DIR" ] ; then LE_WORKING_DIR="$DEFAULT_INSTALL_HOME" @@ -3381,7 +3442,7 @@ install() { } # nocron -uninstall() { +_uninstall() { _nocron="$1" if [ -z "$_nocron" ] ; then uninstallcronjob 
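Review bot: `sed -i '/^LE_WORKING_DIR/d;/^alias le/d' "$_envfile"` in the `_installalias` hunk relies on GNU sed's optional-suffix form of `-i`; BSD and macOS sed take the next argument as the backup suffix, so the script itself would be consumed there. The old pipeline was clumsy but ran under any sed. If the script is meant to stay portable, writing the filtered output to a temporary file and moving it over the original avoids the dependency. The exit status of `sed` is also not checked before `_setopt` is called on the same file. `_installalias` begins and ends outside this hunk.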
@@ -3390,20 +3451,17 @@ uninstall() { _profile="$(_detect_profile)" if [ "$_profile" ] ; then - text="$(cat $_profile)" - echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.env\"$||" > "$_profile" + sed -i "|/$LE_WORKING_DIR/$PROJECT_NAME\.env/d" "$_profile" fi _csh_profile="$HOME/.cshrc" if [ -f "$_csh_profile" ] ; then - text="$(cat $_csh_profile)" - echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_csh_profile" + sed -i "|/$LE_WORKING_DIR/$PROJECT_NAME\.csh/d" "$_csh_profile" fi _tcsh_profile="$HOME/.tcshrc" if [ -f "$_tcsh_profile" ] ; then - text="$(cat $_tcsh_profile)" - echo "$text" | sed "s|^.*\"$LE_WORKING_DIR/$PROJECT_NAME.csh\"$||" > "$_tcsh_profile" + sed -i "|/$LE_WORKING_DIR/$PROJECT_NAME\.csh/d" "$_tcsh_profile" fi rm -f $LE_WORKING_DIR/$PROJECT_ENTRY @@ -3556,7 +3614,7 @@ _installOnline() { ) } -upgrade() { +_upgrade() { if ( _initpath export LE_WORKING_DIR @@ -3986,9 +4044,9 @@ _process() { fi case "${_CMD}" in - install) install "$_nocron" ;; - uninstall) uninstall "$_nocron" ;; - upgrade) upgrade ;; + install) _install "$_nocron" ;; + uninstall) _uninstall "$_nocron" ;; + upgrade) _upgrade ;; issue) issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_certpath" "$_keypath" "$_capath" "$_reloadcmd" "$_fullchainpath" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" ;; diff --git a/dnsapi/dns_cf.sh b/dnsapi/dns_cf.sh index 19d95c1a..67c7c7e5 100755 --- a/dnsapi/dns_cf.sh +++ b/dnsapi/dns_cf.sh @@ -11,6 +11,11 @@ CF_Api="https://api.cloudflare.com/client/v4" ######## Public functions ##################### +dns_cf_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_cf_add(){ fulldomain=$1 diff --git a/dnsapi/dns_cx.sh b/dnsapi/dns_cx.sh index 1a2e04e7..6069207c 100755 --- a/dnsapi/dns_cx.sh +++ b/dnsapi/dns_cx.sh 
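Review bot: The new expression `"|/$LE_WORKING_DIR/$PROJECT_NAME\.env/d"` is not a valid sed address: a custom delimiter has to be introduced as `\|…|`, and here the script opens with a bare `|` and closes with `/d`, so sed is expected to reject it and leave the profile untouched. The same form is used for `$_csh_profile` and `$_tcsh_profile` in this hunk, so after `rm -f $LE_WORKING_DIR/$PROJECT_ENTRY` runs, the shell start-up files would still carry the lines that source the env files. Something like `sed -i "\|$LE_WORKING_DIR/$PROJECT_NAME\.env|d" "$_profile"` matches the intent. `$LE_WORKING_DIR` is still interpolated as a regular expression there, so a `.` in the path matches any character. `_uninstall` starts and ends outside this hunk.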
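Review bot: `dns_cf_del` is a stub that always returns 1, and `_clearupdnsrr` in acme.sh reports `Error del txt for domain` whenever the hook fails, so each run with this provider will log an error and leave the `_acme-challenge` TXT record in the zone. The stub's message could name the record so the operator can remove it by hand, e.g. `_err "dns_cf_del not implemented, remove TXT record manually: $1"`. A usage line such as `#Usage: dns_cf_del _acme-challenge.www.domain.com` above it would match the one added in dns_myapi.sh. The identical stubs in dns_cx.sh, dns_dp.sh, dns_gd.sh, dns_lexicon.sh and dns_ovh.sh have the same gap.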
@@ -13,6 +13,11 @@ CX_Api="https://www.cloudxns.net/api2" #REST_API ######## Public functions ##################### +dns_cx_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_cx_add() { fulldomain=$1 diff --git a/dnsapi/dns_dp.sh b/dnsapi/dns_dp.sh index 49e8c77f..397ae9a9 100755 --- a/dnsapi/dns_dp.sh +++ b/dnsapi/dns_dp.sh @@ -13,6 +13,11 @@ DP_Api="https://dnsapi.cn" #REST_API ######## Public functions ##################### +dns_dp_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_dp_add() { fulldomain=$1 diff --git a/dnsapi/dns_gd.sh b/dnsapi/dns_gd.sh index c25de32d..58787643 100755 --- a/dnsapi/dns_gd.sh +++ b/dnsapi/dns_gd.sh @@ -11,6 +11,11 @@ GD_Api="https://api.godaddy.com/v1" ######## Public functions ##################### +dns_gd_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_gd_add(){ fulldomain=$1 diff --git a/dnsapi/dns_lexicon.sh b/dnsapi/dns_lexicon.sh index 5e78a2d9..88311ca0 100755 --- a/dnsapi/dns_lexicon.sh +++ b/dnsapi/dns_lexicon.sh @@ -9,6 +9,11 @@ wiki="https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api" ######## Public functions ##################### +dns_lexicon_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_lexicon_add() { fulldomain=$1 diff --git a/dnsapi/dns_myapi.sh b/dnsapi/dns_myapi.sh index a29b9ff1..86f0de8c 100755 --- a/dnsapi/dns_myapi.sh +++ b/dnsapi/dns_myapi.sh @@ -18,6 +18,11 @@ dns_myapi_add() { return 1; } +#Usage: dns_myapi_del _acme-challenge.www.domain.com +dns_myapi_del(){ + _err "Not implemented!" + return 1 +} @@ -49,4 +54,4 @@ _debug2() { _debug "$@" fi return -} \ No newline at end of file +} 
diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh new file mode 100755 index 00000000..76637de5 --- /dev/null +++ b/dnsapi/dns_nsupdate.sh @@ -0,0 +1,91 @@ +#!/usr/bin/env bash + + +######## Public functions ##################### + +#Usage: dns_nsupdate_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +dns_nsupdate_add() { + fulldomain=$1 + txtvalue=$2 + _checkKeyFile || return 1 + NSUPDATE_SERVER=${NSUPDATE_SERVER:-localhost} + tmp=$(mktemp --tmpdir acme_nsupdate.XXXXXX) + cat > ${tmp} < ${tmp} <&2 + return 1 +} + +_debug() { + if [ -z "$DEBUG" ] ; then + return + fi + _err "$@" + return 0 +} + +_debug2() { + if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ] ; then + _debug "$@" + fi + return +} diff --git a/dnsapi/dns_ovh.sh b/dnsapi/dns_ovh.sh index 443aec6f..66435b56 100755 --- a/dnsapi/dns_ovh.sh +++ b/dnsapi/dns_ovh.sh @@ -86,6 +86,11 @@ _ovh_get_api() { ######## Public functions ##################### +dns_ovh_del(){ + _err "Not implemented!" + return 1 +} + #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ovh_add(){ fulldomain=$1 diff --git a/foo b/foo new file mode 100644 index 00000000..9daeafb9 --- /dev/null +++ b/foo @@ -0,0 +1 @@ +test
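Review bot: In `dns_nsupdate_add` the result of `tmp=$(mktemp --tmpdir acme_nsupdate.XXXXXX)` is used without a check and then expanded unquoted in `cat > ${tmp}`, so a failed `mktemp` leads to a redirect to an empty name. I would write `tmp=$(mktemp --tmpdir acme_nsupdate.XXXXXX) || return 1` and quote `"${tmp}"`; `--tmpdir` is a GNU option, which matters if this script must run wherever acme.sh itself does. `NSUPDATE_SERVER` defaults to `localhost` when unset, which is worth stating in the usage comment. The remainder of the function body is not legible in this view, so confirm that the temporary file is removed on every return path.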
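Review bot: `foo` is a new file whose only content is `test`, and nothing else in this change refers to it, so it looks like a leftover from local testing. It should be dropped from the commit before merge so the tree contains only files with a purpose.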