diff --git a/.gitattributes b/.gitattributes index 217326ab..7653b18b 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,6 +1,11 @@ +# Files not to include in .zip/.tar.gz archives +# +.git* export-ignore + # Handle line endings automatically for files detected as text # and leave all files detected as binary untouched. * text=auto # Make all text files lf formatted * text eol=lf + diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..8317ebfb --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +*~ +*# +*.swp +*.tmp +*.bak +*.tdy +*.tar.gz +*.orig +JSON.sh diff --git a/Makefile b/Makefile index 4f161264..d88e22c3 100644 --- a/Makefile +++ b/Makefile @@ -19,10 +19,9 @@ ifneq ($(strip $(DESTDIR)),) mkdir -p $(DESTDIR) endif - install -Dm755 getssl $(DESTDIR)/usr/bin/getssl - - install -dm755 $(DESTDIR)/usr/share/getssl - cp -r *_scripts $(DESTDIR)/usr/share/getssl + install -Dvm755 getssl $(DESTDIR)/usr/bin/getssl + install -dvm755 $(DESTDIR)/usr/share/getssl + for dir in *_scripts; do install -dv $(DESTDIR)/usr/share/getssl/$$dir; install -pv $$dir/* $(DESTDIR)/usr/share/getssl/$$dir/; done .PHONY: install diff --git a/README.md b/README.md index 7ff8b2e3..454a3880 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ certificates to a remote server ( providing you have a ssh with key, sftp or ftp access to the remote server). ```getssl -h -getssl ver. 2.35 +getssl ver. 2.36 Obtain SSL certificates from the letsencrypt.org ACME server Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-k|--keep #] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain 
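Review bot: A failed `install` inside the new `for dir in *_scripts` loop in the Makefile does not fail the recipe, because the loop's exit status is that of the last command it ran, so an incomplete copy of the script directories can go unnoticed. Adding `|| exit 1` to each command fixes this, e.g. `install -pv $$dir/* $(DESTDIR)/usr/share/getssl/$$dir/ || exit 1`. With no `-m`, `install` applies its default mode (0755 for GNU install) to every file, so text files such as `dns_scripts/00GoDaddy-README.txt` are installed executable. If that is not intended, the README files need a separate `install -m644` step.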
@@ -107,6 +107,7 @@ Options: -u, --upgrade Upgrade getssl if a more recent version is available - can be used with or without domain(s) -k, --keep "#" Maximum number of old getssl versions to keep when upgrading -U, --nocheck Do not check if a more recent version is available + -v --version Display current version of getssl -w working_dir "Working directory" --preferred-chain "chain" Use an alternate chain for the certificate ``` @@ -376,7 +377,7 @@ Usage: `getssl -r path/to/cert path/to/key [CA_server]` You need to specify both the certificate you want to revoke, and the account or private domain key which was used to sign / obtain the original certificate. The `CA_server` is an optional parameter and -defaults to Let's Encrypt ("") as +defaults to Let's Encrypt ("") as that is currently the only Certificate Authority using the ACME protocol. diff --git a/dns_scripts/00GoDaddy-README.txt b/dns_scripts/00GoDaddy-README.txt new file mode 100644 index 00000000..9973556e --- /dev/null +++ b/dns_scripts/00GoDaddy-README.txt 
@@ -0,0 +1,63 @@ +Using GoDaddy DNS for LetsEncrypt domain validation. + +Quick guide to setting up getssl for domain validation of +GoDaddy DNS domains. + +There are two prerequisites to using getssl with GoDaddy DNS: + +1) Obtain an API access key from developer.godaddy.com + At first sign-up, you will be required to take a "test" key. + This is NOT what you need. Accept it, then get a "Production" + key. At this writing, there is no charge - but you must have + a GoDaddy customer account. + + You must get the API key for the account which owns the domain + that you want to get certificates for. If the domains that you + manage are owned by more than one account, get a key for each. + + The access key consists of a "Key" and a "Secret". You need + both. + +2) Obtain JSON.sh - https://github.com/dominictarr/JSON.sh + +With those in hand, the installation procedure is: + +1) Put JSON.sh in the getssl DNS scripts directory + Default: /usr/share/getssl/dns_scripts + +2) Open your config file (the global file in ~/.getssl/getssl.cfg + or the per-account file in ~/.getssl/example.net/getssl.cfg + +3) Set the following options: + VALIDATE_VIA_DNS="true" + DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_godaddy" + DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_godaddy" + # The API key for your account/this domain + export GODADDY_KEY="..." GODADDY_SECRET="..." + # The base domain name(s) in which the challege records are stored + # E.g. if www.example.net is in the example.net zone: + export GODADDY_BASE="example.com example.net" + + 4) Set any other options that you wish (per the standard + directions.) Use the test CA to make sure that + everything is setup correctly. + +That's it. getssl example.net will now validate with DNS. + +To trace record additions and removals, run getssl as +GODADDY_TRACE=Y getssl example.net + +There are additional options, which are documented in the +*godaddy" files and dns_godaddy -h. 
+ +Copyright (C) 2017, 2018 Timothe Litt litt at acm _dot org + +This sofware may be freely used providing this notice is included with +all copies. The name of the author may not be used to endorse +any other product or derivative work. No warranty is provided +and the user assumes all responsibility for use of this software. + +Report any issues to https://github.com/tlhackque/getssl/issues. + +Enjoy. + diff --git a/dns_scripts/dns_add_godaddy b/dns_scripts/dns_add_godaddy index 835bb22e..f9be7453 100755 --- a/dns_scripts/dns_add_godaddy +++ b/dns_scripts/dns_add_godaddy @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (2017) Timothe Litt litt at acm _dot org +# Copyright (C) 2017, 2018 Timothe Litt litt at acm _dot org # Add token to GoDaddy dns using dns_godaddy @@ -36,5 +36,6 @@ fi export GODADDY_KEY export GODADDY_SECRET +export GODADDY_BASE -$GODADDY_SCRIPT -q add "${fulldomain}" "_acme-challenge" "${token}" +$GODADDY_SCRIPT -q add "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}" diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate index 98f5e7fb..2680d81f 100755 --- a/dns_scripts/dns_add_nsupdate +++ b/dns_scripts/dns_add_nsupdate @@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then options="-k ${DNS_NSUPDATE_KEYFILE}" fi +cmd= if [ -n "${DNS_SERVER}" ]; then - cmd+="server ${DNS_SERVER}\n" + cmd+="server ${DNS_SERVER}\n" fi cmd+="update add ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n" diff --git a/dns_scripts/dns_del_godaddy b/dns_scripts/dns_del_godaddy index 1f17c352..4a3228f7 100755 --- a/dns_scripts/dns_del_godaddy +++ b/dns_scripts/dns_del_godaddy @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (2017) Timothe Litt litt at acm _dot org +# Copyright (C) 2017,2018 Timothe Litt litt at acm _dot org # Remove token from GoDaddy dns using dns_godaddy 
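Review bot: `$GODADDY_SCRIPT` is expanded unquoted on the rewritten invocation line of dns_add_godaddy, so a script path containing whitespace or glob characters is split before the command runs. `"$GODADDY_SCRIPT" -q add "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}"` keeps it as one word. The `del` call at the end of dns_del_godaddy has the same unquoted expansion.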
@@ -24,7 +24,7 @@ token="$2" [ -z "$GODADDY_SCRIPT" ] && GODADDY_SCRIPT="/usr/share/getssl/dns_scripts/dns_godaddy" [[ "$GODADDY_SCRIPT" =~ ^~ ]] && \ - eval 'GODADDY_SCRIPT=`readlink -nf ' "$GODADDY_SCRIPT" '`' + eval 'GODADDY_SCRIPT=`readlink -nf ' $GODADDY_SCRIPT '`' if ! [ -x "$GODADDY_SCRIPT" ]; then echo "$GODADDY_SCRIPT: not found. Please install, softlink or set GODADDY_SCRIPT to its full path" @@ -34,5 +34,6 @@ fi export GODADDY_KEY export GODADDY_SECRET +export GODADDY_BASE $GODADDY_SCRIPT -q del "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}" diff --git a/dns_scripts/dns_del_nsupdate b/dns_scripts/dns_del_nsupdate index c0432b62..fc5a254f 100755 --- a/dns_scripts/dns_del_nsupdate +++ b/dns_scripts/dns_del_nsupdate @@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then options="-k ${DNS_NSUPDATE_KEYFILE}" fi +cmd= if [ -n "${DNS_SERVER}" ]; then - cmd+="server ${DNS_SERVER}\n" + cmd+="server ${DNS_SERVER}\n" fi cmd+="update delete ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n" diff --git a/dns_scripts/dns_godaddy b/dns_scripts/dns_godaddy old mode 100644 new mode 100755 index 7c36d19c..0d41e6a1 --- a/dns_scripts/dns_godaddy +++ b/dns_scripts/dns_godaddy @@ -1,8 +1,8 @@ #!/bin/bash -# Copyright (2017) Timothe Litt litt at acm _dot org +# Copyright (C) 2017,2018 Timothe Litt litt at acm _dot org -VERSION="1.0.1" +VERSION="1.0.3" PROG="`basename $0`" # This script is used to update TXT records in GoDaddy DNS server @@ -31,6 +31,7 @@ DEBUG="$GODADDY_DEBUG" while getopts 'dhj:k:s:t:qv' opt; do case $opt in + b) GODADDY_BASE="$OPTARG" ;; d) DEBUG="Y" ;; j) JSON="$OPTARG" ;; k) GODADDY_KEY="$OPTARG" ;; 
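Review bot: The `eval` in dns_del_godaddy re-parses the value of `GODADDY_SCRIPT` as shell text, and with the quotes removed in this hunk the value is also word-split and glob-expanded before `eval` sees it. The value comes from the environment or the config file, so a path with spaces or shell metacharacters is now executed as code rather than resolved as a path. The line only needs tilde expansion, which parameter expansion does without `eval`: `GODADDY_SCRIPT="$(readlink -nf "${GODADDY_SCRIPT/#\~/$HOME}")"` (this covers `~/…`; a `~user/…` form would need separate handling). The `reqname` fallback added to the add loop of dns_godaddy follows the same pattern, interpolating `$domain` into an `eval` string, and can be written as `reqname="${name%".$domain."}"`.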
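Review bot: The new `b)` arm in the option loop of dns_godaddy is unreachable, because the `getopts` string on the unchanged context line above it is still `'dhj:k:s:t:qv'`. `-b` is therefore rejected as an unknown option and only the `GODADDY_BASE` environment variable takes effect. The optstring needs the letter with an argument marker: `while getopts 'b:dhj:k:s:t:qv' opt; do`. The help text added in a later hunk already documents `-b`, so the two should land together. The `case` block continues outside this hunk.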
@@ -72,6 +73,9 @@ Arguments: For minimal trace output (to override -q), define GODADDY_TRACE="y". Options + -b Domain name(s) in which challenge records are stored + E.g. often, www.example.net is stored in example.net. + Default from GODADDY_BASE -d Provide debugging output - all requests and responses -h This help. -j: Location of JSON.sh Default `dirname $0`/JSON.sh, or @@ -84,6 +88,7 @@ Options All output, except for this help text, is to stderr. Environment variables + GODADDY_BASE Domain name(s) in which challenge records are stored GODADDY_JSON location of the JSOH.sh script GODADDY_KEY default API key GODADDY_SCRIPT location of this script, default location of JSON.sh @@ -92,7 +97,7 @@ Environment variables GODADDY_TFILE appends protocol trace to file. Overrides -t BUGS - Due to a limitation of the gOdADDY API, deleting the last TXT record + Due to a limitation of the GoDaddy API, deleting the last TXT record would be too risky for my taste. So in that case, I replace it with _dummy.record_.domain. TXT "Ihis record is not used". This record is not automatically deleted by this script, though it's perfectly OK to @@ -155,6 +160,7 @@ if [ -z "$name" ]; then echo "'name' parameter is required, see -h" >&2 exit 3 fi +! [[ "$name" =~ [.]$ ]] && name="${name}.${domain}." data="$4" if [ -z "$data" ]; then echo "'data' parameter is required, see -h" >&2 
@@ -206,7 +212,23 @@ if [ "$op" = "add" ]; then while [[ "$domain" =~ [^.]+\.[^.]+ ]]; do - url="$API/$domain/records/TXT/$name" + reqname="$name" + # The API doesn't trim the base domain from the name (it used to) + # If specified, remove any listed base. + if [ -n "$GODADDY_BASE" ]; then + for GDB in $GODADDY_BASE; do + gdb="`echo "$GDB" | sed -e's/\\.$//;s/\\./\\\\./g;'`" + gdb="^(.+)\\.$gdb\\.?$" + if [[ "$name" =~ $gdb ]]; then + reqname="${BASH_REMATCH[1]}" + break; + fi + done + else + eval 'reqname="$''{name%'"'.$domain.'}"'"' + fi + + url="$API/$domain/records/TXT/$reqname" request='[{"data":"'$data'","ttl":'$ttl'}]' [ -n "$DEBUG" ] && cat >&2 </dev/null | grep "IN\WNS\W") + debug Using "$HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -T $gad_d $gad_s" to find primary nameserver + test_output "Using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS SOA" + res=$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS -T SOA "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W") else - debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver - test_output "Using $HAS_DIG_OR_DRILL SOA" - res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W") + debug Using "$HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver + test_output "Using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS SOA" + res=$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS SOA +trace +nocomments "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W") fi fi # Query for NS records if [[ -z "$res" ]]; then - test_output "Using $HAS_DIG_OR_DRILL NS" - debug Using "$HAS_DIG_OR_DRILL NS $gad_d $gad_s" to find primary nameserver - res=$($HAS_DIG_OR_DRILL NS "$gad_d" $gad_s | grep -E "IN\W(NS|SOA)\W") + test_output "Using $HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS NS" + debug Using "$HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS NS $gad_d $gad_s" to find primary nameserver + res=$($HAS_DIG_OR_DRILL $DNS_CHECK_OPTIONS NS "$gad_d" $gad_s | grep -E "IN\W(NS|SOA)\W") fi if [[ -n 
"$res" ]]; then @@ -1464,10 +1466,10 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n gad_d="$orig_gad_d" debug Using "host -t NS" to find primary name server for "$gad_d" if [[ -z "$gad_s" ]]; then - res=$(host -t NS "$gad_d"| grep "name server") + res=$(host $DNS_CHECK_OPTIONS -t NS "$gad_d"| grep "name server") else # shellcheck disable=SC2086 - res=$(host -t NS "$gad_d" $gad_s| grep "name server") + res=$(host $DNS_CHECK_OPTIONS -t NS "$gad_d" $gad_s| grep "name server") fi if [[ -n "$res" ]]; then all_auth_dns_servers=$(echo "$res" | awk '{print $4}' | sed 's/\.$//g'|tr '\n' ' ') @@ -1487,9 +1489,9 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n if [[ "$HAS_NSLOOKUP" == "true" ]]; then gad_d="$orig_gad_d" - debug Using "nslookup -debug -type=soa -type=ns $gad_d $gad_s" to find primary name server + debug Using "nslookup $DNS_CHECK_OPTIONS -debug -type=soa -type=ns $gad_d $gad_s" to find primary name server # shellcheck disable=SC2086 - res=$(nslookup -debug -type=soa -type=ns "$gad_d" ${gad_s}) + res=$(nslookup $DNS_CHECK_OPTIONS -debug -type=soa -type=ns "$gad_d" ${gad_s}) if [[ "$(echo "$res" | grep -c "Non-authoritative")" -gt 0 ]]; then # this is a Non-authoritative server, need to check for an authoritative one. @@ -1505,7 +1507,7 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n fi # shellcheck disable=SC2086 - res=$(nslookup -debug -type=soa -type=ns "$gad_d" ${gad_s}) + res=$(nslookup $DNS_CHECK_OPTIONS -debug -type=soa -type=ns "$gad_d" ${gad_s}) fi if [[ "$(echo "$res" | grep -c "canonical name")" -gt 0 ]]; then 
@@ -1521,7 +1523,7 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n # shellcheck disable=SC2086 # not quoting gad_s fixes the nslookup: couldn't get address for '': not found warning (#332) - all_auth_dns_servers=$(nslookup -debug -type=soa -type=ns "$gad_d" $gad_s \ + all_auth_dns_servers=$(nslookup $DNS_CHECK_OPTIONS -debug -type=soa -type=ns "$gad_d" $gad_s \ | awk '$1 ~ "nameserver" {print $3}' \ | sed 's/\.$//g'| tr '\n' ' ') @@ -1549,6 +1551,7 @@ get_certificate() { # get certificate for csr, if all domains validated. gc_fullchain=$4 # The filename for the fullchain der=$(openssl req -in "$gc_csr" -outform DER | urlbase64) + if [[ $API -eq 1 ]]; then send_signed_request "$URL_new_cert" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64" # convert certificate information into correct format and save to file. @@ -1757,6 +1760,7 @@ help_message() { # print out the help message -u, --upgrade Upgrade getssl if a more recent version is available - can be used with or without domain(s) -k, --keep "#" Maximum number of old getssl versions to keep when upgrading -U, --nocheck Do not check if a more recent version is available + -v --version Display current version of $PROGNAME -w working_dir "Working directory" --preferred-chain "chain" Use an alternate chain for the certificate 
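Review bot: `$DNS_CHECK_OPTIONS` is inserted unquoted into the `nslookup` call here, and into the `host` and other `nslookup` calls in the earlier get_auth_dns hunks, which relies on word splitting and also exposes the value to pathname expansion. That is presumably intended so that several options can be passed, but nothing says so, and the existing `# shellcheck disable=SC2086` comments only mention `gad_s`. I would add `# DNS_CHECK_OPTIONS is deliberately unquoted so it splits into separate options` beside them, plus a directive on the `host $DNS_CHECK_OPTIONS -t NS "$gad_d"` branch, which has none. The `debug Using "host -t NS"` message was not updated, so the logged command no longer matches what runs. get_auth_dns starts and ends outside these hunks.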
@@ -2515,6 +2519,19 @@ write_getssl_template() { # write out the main template file #VALIDATE_VIA_DNS="true" #DNS_ADD_COMMAND= #DNS_DEL_COMMAND= + + # Unusual configurations (especially split views) may require these. + # If you have a mixture, these can go in the per-domain getssl.cfg. + # + # If you must use an external DNS Server (e.g. due to split views) + # Specify it here. Otherwise, the default is to find the zone master. + # The default will usually work. + # PUBLIC_DNS_SERVER="8.8.8.8" + + # If getssl is unable to determine the authoritative nameserver for a domain + # it will as you to enter AUTH_DNS_SERVER. This is a server that + # can answer queries for the zone - a master or a slave, not a recursive server. + # AUTH_DNS_SERVER="10.0.0.14" _EOF_getssl_ } @@ -2537,6 +2554,8 @@ while [[ -n ${1+defined} ]]; do case $1 in -h | --help) help_message; graceful_exit ;; + -v | --version) + echo "$PROGNAME V$VERSION"; graceful_exit ;; -d | --debug) _USE_DEBUG=1 ;; -c | --create) @@ -2681,6 +2700,12 @@ if [[ -s "$WORKING_DIR/getssl.cfg" ]]; then . "$WORKING_DIR/getssl.cfg" fi +if [[ -n "$DNS_CHECK_FUNC" ]]; then + requires "${DNS_CHECK_FUNC}" +else + requires nslookup drill dig host DNS_CHECK_FUNC +fi + # Define defaults for variables not set in the main config. ACCOUNT_KEY="${ACCOUNT_KEY:=$WORKING_DIR/account.key}" DOMAIN_STORAGE="${DOMAIN_STORAGE:=$WORKING_DIR}" @@ -2771,6 +2796,7 @@ if [[ ${_CREATE_CONFIG} -eq 1 ]]; then info "Adding SANS=$EX_SANS from certificate installed on ${DOMAIN##\*.} to new configuration file" fi write_domain_template "$DOMAIN_DIR/getssl.cfg" + info "created domain config file in $DOMAIN_DIR/getssl.cfg" fi TEMP_DIR="$DOMAIN_DIR/tmp" # end of "-c|--create" option, so exit 
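Review bot: The template text added to write_getssl_template reads `it will as you to enter AUTH_DNS_SERVER`, which should be `it will ask you to enter AUTH_DNS_SERVER`. The typo is written into every generated getssl.cfg. The block documents `PUBLIC_DNS_SERVER` and `AUTH_DNS_SERVER` only. If `DNS_CHECK_OPTIONS`, which the get_auth_dns hunks now pass to the lookup tools, is meant to be set by users, a commented example for it belongs here too.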
@@ -2910,11 +2936,15 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then copy_file_to_location "full pem" \ "$TEMP_DIR/${DOMAIN}_chain.pem" \ "$DOMAIN_CHAIN_LOCATION" + umask 077 cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" > "$TEMP_DIR/${DOMAIN}_K_C.pem" + umask "$ORIG_UMASK" copy_file_to_location "private key and domain cert pem" \ "$TEMP_DIR/${DOMAIN}_K_C.pem" \ "$DOMAIN_KEY_CERT_LOCATION" + umask 077 cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" "$CA_CERT" > "$TEMP_DIR/${DOMAIN}.pem" + umask "$ORIG_UMASK" copy_file_to_location "full pem" \ "$TEMP_DIR/${DOMAIN}.pem" \ "$DOMAIN_PEM_LOCATION" diff --git a/test/u1-test-get_auth_dns-dig.bats b/test/u1-test-get_auth_dns-dig.bats index 6e64e68d..471732fb 100644 --- a/test/u1-test-get_auth_dns-dig.bats +++ b/test/u1-test-get_auth_dns-dig.bats @@ -61,7 +61,7 @@ teardown() { # Assert that we've found the primary_ns server assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use dig NS - assert_line --partial 'Using dig NS' + assert_line --regexp 'Using dig.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true @@ -89,8 +89,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use dig NS - assert_line --partial 'Using dig SOA' - refute_line --partial 'Using dig NS' + assert_line --regexp 'Using dig.* SOA' + refute_line --regexp 'Using dig.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true @@ -125,8 +125,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com' # Assert that we found a CNAME and use dig NS - assert_line --partial 'Using dig CNAME' - assert_line --partial 'Using dig NS' + assert_line --regexp 'Using dig.* CNAME' + assert_line --regexp 'Using dig.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true 
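Review bot: `umask 077` only affects files that the redirection creates. If `$TEMP_DIR/${DOMAIN}_K_C.pem` or `$TEMP_DIR/${DOMAIN}.pem` already exists from an earlier run with a wider mode, `>` truncates it and keeps that mode, so the private key stays as readable as before. Removing the target first or setting the mode explicitly closes that gap, e.g. `rm -f "$TEMP_DIR/${DOMAIN}_K_C.pem"` before the `cat`, or `chmod 600` on the file after it. Wrapping the write in a subshell, `( umask 077; cat "$DOMAIN_DIR/${DOMAIN}.key" "$CERT_FILE" > "$TEMP_DIR/${DOMAIN}_K_C.pem" )`, also removes the dependency on `ORIG_UMASK`, whose assignment is not visible in this hunk. Whether `copy_file_to_location` keeps the restrictive mode at the destination cannot be seen here and is worth checking.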
@@ -168,8 +168,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we found a CNAME but didn't use dig NS - assert_line --partial 'Using dig CNAME' - refute_line --partial 'Using dig NS' + assert_line --regexp 'Using dig.* CNAME' + refute_line --regexp 'Using dig.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true diff --git a/test/u2-test-get_auth_dns-drill.bats b/test/u2-test-get_auth_dns-drill.bats index 33b22778..434a9b5e 100644 --- a/test/u2-test-get_auth_dns-drill.bats +++ b/test/u2-test-get_auth_dns-drill.bats @@ -67,7 +67,7 @@ teardown() { # Assert that we've found the primary_ns server assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use drill NS - assert_line --partial 'Using drill NS' + assert_line --regexp 'Using drill.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true @@ -100,8 +100,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we had to use drill NS - assert_line --partial 'Using drill SOA' - refute_line --partial 'Using drill NS' + assert_line --regexp 'Using drill.* SOA' + refute_line --regexp 'Using drill.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true @@ -141,8 +141,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns.*\.awsdns.*\.com' # Assert that we found a CNAME and use drill NS - assert_line --partial 'Using drill CNAME' - assert_line --partial 'Using drill NS' + assert_line --regexp 'Using drill.* CNAME' + assert_line --regexp 'Using drill.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true 
@@ -192,8 +192,8 @@ teardown() { assert_output --regexp 'set primary_ns = ns[1-4]+\.duckdns\.org' # Assert that we found a CNAME but didn't use drill NS - assert_line --partial 'Using drill CNAME' - refute_line --partial 'Using drill NS' + assert_line --regexp 'Using drill.* CNAME' + refute_line --regexp 'Using drill.* NS' # Check all Authoritive DNS servers are returned if requested CHECK_ALL_AUTH_DNS=true diff --git a/test/u5-test-get_auth_dns-no-root-servers.bats b/test/u5-test-get_auth_dns-no-root-servers.bats index b88fd413..d218eb90 100644 --- a/test/u5-test-get_auth_dns-no-root-servers.bats +++ b/test/u5-test-get_auth_dns-no-root-servers.bats @@ -60,7 +60,7 @@ teardown() { # Assert that we've found the primary_ns server assert_output --regexp 'set primary_ns = ' # Assert that we had to use dig NS - assert_line --partial 'Using dig NS' + assert_line --regexp 'Using dig.* NS' # Check we didn't include any root servers refute_line --partial 'root-servers.net' @@ -89,7 +89,7 @@ teardown() { # Assert that we've found the primary_ns server assert_output --regexp 'set primary_ns = ' # Assert that we had to use dig SOA - assert_line --partial 'Using dig SOA' + assert_line --regexp 'Using dig.* SOA' # Check we didn't include any root servers refute_line --partial 'root-servers.net'