diff --git a/providers/dns/combell/combell.go b/providers/dns/combell/combell.go
new file mode 100644
index 0000000000..f83bbb9786
--- /dev/null
+++ b/providers/dns/combell/combell.go
@@ -0,0 +1,161 @@
+// Package combell implements a DNS provider for solving the DNS-01 challenge using Combell DNS.
+package combell
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/go-acme/lego/v4/providers/dns/combell/internal"
+)
+
+const (
+	minTTL = 60
+	maxTTL = 8640
+)
+
+// Environment variables names.
+const (
+	envNamespace = "COMBELL_"
+
+	EnvAPIKey    = envNamespace + "API_KEY"
+	EnvAPISecret = envNamespace + "API_SECRET"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+// Config is used to configure the creation of the DNSProvider.
+type Config struct {
+	APIKey             string
+	APISecret          string
+	TTL                int
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	HTTPClient         *http.Client
+}
+
+// NewDefaultConfig returns a default configuration for the DNSProvider.
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt(EnvTTL, 3600),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPClient: &http.Client{
+			Timeout: env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+		},
+	}
+}
+
+// DNSProvider implements the challenge.Provider interface.
+type DNSProvider struct {
+	config *Config
+	client *internal.Client
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for Combell DNS.
+// Credentials must be passed in the environment variables:
+// COMBELL_API_KEY, COMBELL_API_SECRET.
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAPIKey, EnvAPISecret)
+	if err != nil {
+		return nil, fmt.Errorf("combell: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.APIKey = values[EnvAPIKey]
+	config.APISecret = values[EnvAPISecret]
+
+	return NewDNSProviderConfig(config)
+}
+
+// NewDNSProviderConfig return a DNSProvider instance configured for Combell DNS.
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("combell: the configuration of the DNS provider is nil")
+	}
+
+	if config.APIKey == "" || config.APISecret == "" {
+		return nil, errors.New("combell: some credentials information are missing")
+	}
+
+	if config.TTL < minTTL {
+		return nil, fmt.Errorf("combell: invalid TTL, TTL (%d) must be greater than %d", config.TTL, minTTL)
+	}
+
+	if config.TTL > maxTTL {
+		return nil, fmt.Errorf("combell: invalid TTL, TTL (%d) must be lower than %d", config.TTL, maxTTL)
+	}
+
+	client := internal.NewClient(config.APIKey, config.APISecret, config.HTTPClient)
+
+	return &DNSProvider{config: config, client: client}, nil
+}
+
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+// Present creates a TXT record to fulfill the dns-01 challenge.
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("combell: could not find zone for domain %q (%s): %w", domain, info.EffectiveFQDN, err)
+	}
+
+	record := internal.Record{
+		Type:       "TXT",
+		RecordName: dns01.UnFqdn(strings.TrimSuffix(info.EffectiveFQDN, authZone)),
+		Content:    info.Value,
+		TTL:        d.config.TTL,
+	}
+
+	err = d.client.CreateRecord(context.Background(), authZone, record)
+	if err != nil {
+		return fmt.Errorf("combell: create record: %w", err)
+	}
+
+	return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters.
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	ctx := context.Background()
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("combell: could not find zone for domain %q (%s): %w", domain, info.EffectiveFQDN, err)
+	}
+
+	request := &internal.GetRecordsRequest{
+		Type:       "TXT",
+		RecordName: dns01.UnFqdn(strings.TrimSuffix(info.EffectiveFQDN, authZone)),
+	}
+	records, err := d.client.GetRecords(ctx, authZone, request)
+	if err != nil {
+		return fmt.Errorf("combell: get records: %w", err)
+	}
+
+	for _, record := range records {
+		if record.Content == info.Value {
+			err = d.client.DeleteRecord(ctx, authZone, record.ID)
+			if err != nil {
+				return fmt.Errorf("combell: delete record: %w", err)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/providers/dns/combell/combell.toml b/providers/dns/combell/combell.toml
new file mode 100644
index 0000000000..e780eb2873
--- /dev/null
+++ b/providers/dns/combell/combell.toml
@@ -0,0 +1,24 @@
+Name = "Combell"
+Description = ''''''
+URL = "https://www.combell.com/"
+Code = "combell"
+Since = "v4.20.0"
+
+Example = '''
+COMBELL_API_KEY=xxxxxxxxxxxxxxxxxxxxx \
+COMBELL_API_SECRET=yyyyyyyyyyyyyyyyyyyy \
+lego --email you@example.com --dns combell -d '*.example.com' -d example.com run
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    COMBELL_API_KEY = "The API key"
+    COMBELL_API_SECRET = "The API secret"
+  [Configuration.Additional]
+    COMBELL_POLLING_INTERVAL = "Time between DNS propagation check"
+    COMBELL_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    COMBELL_TTL = "The TTL of the TXT record used for the DNS challenge"
+    COMBELL_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+  API = "https://api.combell.com/v2/documentation"
diff --git a/providers/dns/combell/combell_test.go b/providers/dns/combell/combell_test.go
new file mode 100644
index 0000000000..b5ff3cb903
--- /dev/null
+++ b/providers/dns/combell/combell_test.go
@@ -0,0 +1,115 @@
+package combell
+
+import (
+	"testing"
+
+	"github.com/go-acme/lego/v4/platform/tester"
+	"github.com/stretchr/testify/require"
+)
+
+const envDomain = envNamespace + "DOMAIN"
+
+var envTest = tester.NewEnvTest(EnvAPIKey, EnvAPISecret).WithDomain(envDomain)
+
+func TestNewDNSProvider(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		envVars  map[string]string
+		expected string
+	}{
+		{
+			desc: "success",
+			envVars: map[string]string{
+				EnvAPIKey:    "key",
+				EnvAPISecret: "secret",
+			},
+		},
+		{
+			desc: "missing API key",
+			envVars: map[string]string{
+				EnvAPISecret: "secret",
+			},
+			expected: "combell: some credentials information are missing: COMBELL_API_KEY",
+		},
+		{
+			desc: "missing API secret",
+			envVars: map[string]string{
+				EnvAPIKey: "key",
+			},
+			expected: "combell: some credentials information are missing: COMBELL_API_SECRET",
+		},
+		{
+			desc:     "missing credentials",
+			envVars:  map[string]string{},
+			expected: "combell: some credentials information are missing: COMBELL_API_KEY,COMBELL_API_SECRET",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			defer envTest.RestoreEnv()
+			envTest.ClearEnv()
+
+			envTest.Apply(test.envVars)
+
+			p, err := NewDNSProvider()
+
+			if test.expected == "" {
+				require.NoError(t, err)
+				require.NotNil(t, p)
+				require.NotNil(t, p.config)
+				require.NotNil(t, p.client)
+			} else {
+				require.EqualError(t, err, test.expected)
+			}
+		})
+	}
+}
+
+func TestNewDNSProviderConfig(t *testing.T) {
+	testCases := []struct {
+		desc      string
+		apiKey    string
+		apiSecret string
+		expected  string
+	}{
+		{
+			desc:      "success",
+			apiKey:    "key",
+			apiSecret: "secret",
+		},
+		{
+			desc:      "missing API key",
+			apiSecret: "secret",
+			expected:  "combell: some credentials information are missing",
+		},
+		{
+			desc:     "missing API secret",
+			apiKey:   "key",
+			expected: "combell: some credentials information are missing",
+		},
+		{
+			desc:     "missing credentials",
+			expected: "combell: some credentials information are missing",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			config := NewDefaultConfig()
+			config.APIKey = test.apiKey
+			config.APISecret = test.apiSecret
+
+			p, err := NewDNSProviderConfig(config)
+
+			if test.expected == "" {
+				require.NoError(t, err)
+				require.NotNil(t, p)
+				require.NotNil(t, p.config)
+				require.NotNil(t, p.client)
+			} else {
+				require.EqualError(t, err, test.expected)
+			}
+		})
+	}
+}
diff --git a/providers/dns/combell/internal/client.go b/providers/dns/combell/internal/client.go
new file mode 100644
index 0000000000..e3a7d918f9
--- /dev/null
+++ b/providers/dns/combell/internal/client.go
@@ -0,0 +1,232 @@
+package internal
+
+import (
+	"bytes"
+	"context"
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/providers/dns/internal/errutils"
+	querystring "github.com/google/go-querystring/query"
+	"github.com/hashicorp/go-retryablehttp"
+)
+
+const defaultBaseURL = "https://api.combell.com/v2"
+
+// Client a Combell DNS API client.
+type Client struct {
+	apiKey    string
+	apiSecret string
+
+	nonce *Nonce
+
+	httpClient *http.Client
+	baseURL    *url.URL
+}
+
+// NewClient creates a new Client.
+func NewClient(apiKey, apiSecret string, httpClient *http.Client) *Client {
+	baseURL, _ := url.Parse(defaultBaseURL)
+
+	retryClient := retryablehttp.NewClient()
+	retryClient.RetryMax = 5
+	if httpClient != nil {
+		retryClient.HTTPClient = httpClient
+	}
+	retryClient.Logger = log.Default()
+
+	return &Client{
+		apiKey:     apiKey,
+		apiSecret:  apiSecret,
+		httpClient: retryClient.StandardClient(),
+		baseURL:    baseURL,
+		nonce:      NewNonce(),
+	}
+}
+
+// GetRecords gets the records of a domain.
+// https://api.combell.com/v2/documentation#tag/DNS-records/paths/~1dns~1{domainName}~1records/get
+func (c Client) GetRecords(ctx context.Context, domainName string, request *GetRecordsRequest) ([]Record, error) {
+	endpoint := c.baseURL.JoinPath("dns", domainName, "records")
+
+	if request != nil {
+		values, err := querystring.Values(request)
+		if err != nil {
+			return nil, err
+		}
+
+		endpoint.RawQuery = values.Encode()
+	}
+
+	req, err := c.newJSONRequest(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create request: %w", err)
+	}
+
+	var results []Record
+
+	err = c.do(req, http.StatusOK, &results)
+	if err != nil {
+		return nil, err
+	}
+
+	return results, nil
+}
+
+// CreateRecord creates a record.
+// https://api.combell.com/v2/documentation#tag/DNS-records/paths/~1dns~1{domainName}~1records/post
+func (c Client) CreateRecord(ctx context.Context, domainName string, record Record) error {
+	endpoint := c.baseURL.JoinPath("dns", domainName, "records")
+
+	req, err := c.newJSONRequest(ctx, http.MethodPost, endpoint, record)
+	if err != nil {
+		return fmt.Errorf("create request: %w", err)
+	}
+
+	// TODO(ldez) the "Location" header contains a reference to the created record.
+
+	return c.do(req, http.StatusCreated, nil)
+}
+
+// GetRecord gets a specific record.
+// https://api.combell.com/v2/documentation#tag/DNS-records/paths/~1dns~1{domainName}~1records~1{recordId}/get
+func (c Client) GetRecord(ctx context.Context, domainName, recordID string) (*Record, error) {
+	endpoint := c.baseURL.JoinPath("dns", domainName, "records", recordID)
+
+	req, err := c.newJSONRequest(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create request: %w", err)
+	}
+
+	var result Record
+
+	err = c.do(req, http.StatusOK, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}
+
+// DeleteRecord deletes a record.
+// https://api.combell.com/v2/documentation#tag/DNS-records/paths/~1dns~1{domainName}~1records~1{recordId}/delete
+func (c Client) DeleteRecord(ctx context.Context, domainName, recordID string) error {
+	endpoint := c.baseURL.JoinPath("dns", domainName, "records", recordID)
+
+	req, err := c.newJSONRequest(ctx, http.MethodDelete, endpoint, nil)
+	if err != nil {
+		return err
+	}
+
+	return c.do(req, http.StatusNoContent, nil)
+}
+
+func (c Client) do(req *http.Request, expectedStatus int, result any) error {
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return errutils.NewHTTPDoError(req, err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode != expectedStatus {
+		return parseError(req, resp)
+	}
+
+	if result == nil {
+		return nil
+	}
+
+	raw, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return errutils.NewReadResponseError(req, resp.StatusCode, err)
+	}
+
+	err = json.Unmarshal(raw, result)
+	if err != nil {
+		return errutils.NewUnmarshalError(req, resp.StatusCode, raw, err)
+	}
+
+	return nil
+}
+
+func (c Client) newJSONRequest(ctx context.Context, method string, endpoint *url.URL, payload any) (*http.Request, error) {
+	buf := new(bytes.Buffer)
+	var body []byte
+
+	if payload != nil {
+		var err error
+		body, err = json.Marshal(payload)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create request JSON body: %w", err)
+		}
+
+		buf = bytes.NewBuffer(body)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, method, endpoint.String(), buf)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create request: %w", err)
+	}
+
+	req.Header.Set("Accept", "application/json")
+
+	if payload != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	sign, err := c.sign(req, body)
+	if err != nil {
+		return nil, fmt.Errorf("request signature: %w", err)
+	}
+
+	req.Header.Set("Authorization", sign)
+
+	return req, nil
+}
+
+func (c Client) sign(req *http.Request, body []byte) (string, error) {
+	unix := time.Now().Unix()
+	nonce := c.nonce.Generate(10)
+
+	var encodedBody string
+	if len(body) > 0 {
+		sum := md5.Sum(body)
+		encodedBody = base64.StdEncoding.EncodeToString(sum[:])
+	}
+
+	h := hmac.New(sha256.New, []byte(c.apiSecret))
+	_, err := h.Write([]byte(
+		c.apiKey + strings.ToLower(req.Method) + url.QueryEscape(strings.ToLower(req.URL.RequestURI())) + strconv.FormatInt(unix, 10) + nonce + encodedBody),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	hSign := base64.StdEncoding.EncodeToString(h.Sum(nil))
+
+	return fmt.Sprintf("hmac %s:%s:%s:%d", c.apiKey, hSign, nonce, unix), nil
+}
+
+func parseError(req *http.Request, resp *http.Response) error {
+	raw, _ := io.ReadAll(resp.Body)
+
+	var response APIError
+	err := json.Unmarshal(raw, &response)
+	if err != nil {
+		return errutils.NewUnexpectedStatusCodeError(req, resp.StatusCode, raw)
+	}
+
+	return fmt.Errorf("[status code %d] %w", resp.StatusCode, response)
+}
diff --git a/providers/dns/combell/internal/client_test.go b/providers/dns/combell/internal/client_test.go
new file mode 100644
index 0000000000..cd5614591c
--- /dev/null
+++ b/providers/dns/combell/internal/client_test.go
@@ -0,0 +1,153 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestClient_GetRecords(t *testing.T) {
+	client, mux := setup(t)
+
+	mux.HandleFunc("/dns/example.com/records", testHandler("./GetRecords.json", http.MethodGet, http.StatusOK))
+
+	records, err := client.GetRecords(context.Background(), "example.com", nil)
+	require.NoError(t, err)
+
+	expected := []Record{
+		{
+			ID:         "string",
+			Type:       "string",
+			RecordName: "string",
+			Content:    "string",
+			TTL:        3600,
+			Priority:   10,
+			Service:    "string",
+			Weight:     0,
+			Target:     "string",
+			Protocol:   "TCP",
+			Port:       0,
+		},
+	}
+	assert.Equal(t, expected, records)
+}
+
+func TestClient_GetRecord(t *testing.T) {
+	client, mux := setup(t)
+
+	mux.HandleFunc("/dns/example.com/records/123", testHandler("./GetRecord.json", http.MethodGet, http.StatusOK))
+
+	record, err := client.GetRecord(context.Background(), "example.com", "123")
+	require.NoError(t, err)
+
+	expected := &Record{
+		ID:         "string",
+		Type:       "string",
+		RecordName: "string",
+		Content:    "string",
+		TTL:        3600,
+		Priority:   10,
+		Service:    "string",
+		Weight:     0,
+		Target:     "string",
+		Protocol:   "TCP",
+		Port:       0,
+	}
+	assert.Equal(t, expected, record)
+}
+
+func TestClient_DeleteRecord(t *testing.T) {
+	client, mux := setup(t)
+
+	mux.HandleFunc("/dns/example.com/records/123", func(rw http.ResponseWriter, req *http.Request) {
+		rw.WriteHeader(http.StatusNoContent)
+	})
+
+	err := client.DeleteRecord(context.Background(), "example.com", "123")
+	require.NoError(t, err)
+}
+
+func TestClient_DeleteRecord_error(t *testing.T) {
+	client, mux := setup(t)
+
+	mux.HandleFunc("/dns/example.com/records/123", testHandler("./error.json", http.MethodDelete, http.StatusUnauthorized))
+
+	err := client.DeleteRecord(context.Background(), "example.com", "123")
+	require.Error(t, err)
+}
+
+func TestClient_sign(t *testing.T) {
+	client := NewClient("my_key", "my_secret", nil)
+
+	endpoint, err := url.Parse("https://localhost/v2/domains")
+	require.NoError(t, err)
+
+	query := endpoint.Query()
+	query.Set("skip", "0")
+	query.Set("take", "10")
+	endpoint.RawQuery = query.Encode()
+
+	req, err := http.NewRequest(http.MethodGet, endpoint.String(), nil)
+	require.NoError(t, err)
+
+	sign, err := client.sign(req, nil)
+	require.NoError(t, err)
+
+	assert.Regexp(t, `hmac my_key:[^:]+:[a-zA-Z]{10}:\d{10}`, sign)
+}
+
+func testHandler(filename string, method string, statusCode int) http.HandlerFunc {
+	return func(rw http.ResponseWriter, req *http.Request) {
+		if req.Method != method {
+			http.Error(rw, fmt.Sprintf("unsupported method: %s", req.Method), http.StatusMethodNotAllowed)
+			return
+		}
+
+		auth := req.Header.Get("Authorization")
+		if !strings.HasPrefix(auth, "hmac key:") {
+			http.Error(rw, "invalid Authorization header", http.StatusUnauthorized)
+			return
+		}
+
+		file, err := os.Open(filepath.Join("fixtures", filename))
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		defer func() { _ = file.Close() }()
+
+		rw.WriteHeader(statusCode)
+
+		_, err = io.Copy(rw, file)
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+	}
+}
+
+func setup(t *testing.T) (*Client, *http.ServeMux) {
+	t.Helper()
+
+	mux := http.NewServeMux()
+
+	server := httptest.NewServer(mux)
+	t.Cleanup(server.Close)
+
+	client := NewClient("key", "secret", nil)
+	client.httpClient = server.Client()
+	client.baseURL, _ = url.Parse(server.URL)
+
+	return client, mux
+}
diff --git a/providers/dns/combell/internal/fixtures/GetRecord.json b/providers/dns/combell/internal/fixtures/GetRecord.json
new file mode 100644
index 0000000000..901929c51c
--- /dev/null
+++ b/providers/dns/combell/internal/fixtures/GetRecord.json
@@ -0,0 +1,13 @@
+{
+  "id": "string",
+  "type": "string",
+  "record_name": "string",
+  "ttl": 3600,
+  "content": "string",
+  "priority": 10,
+  "service": "string",
+  "weight": 0,
+  "target": "string",
+  "protocol": "TCP",
+  "port": 0
+}
diff --git a/providers/dns/combell/internal/fixtures/GetRecords.json b/providers/dns/combell/internal/fixtures/GetRecords.json
new file mode 100644
index 0000000000..1d8c30529b
--- /dev/null
+++ b/providers/dns/combell/internal/fixtures/GetRecords.json
@@ -0,0 +1,15 @@
+[
+  {
+    "id": "string",
+    "type": "string",
+    "record_name": "string",
+    "ttl": 3600,
+    "content": "string",
+    "priority": 10,
+    "service": "string",
+    "weight": 0,
+    "target": "string",
+    "protocol": "TCP",
+    "port": 0
+  }
+]
diff --git a/providers/dns/combell/internal/fixtures/error.json b/providers/dns/combell/internal/fixtures/error.json
new file mode 100644
index 0000000000..41dad2f467
--- /dev/null
+++ b/providers/dns/combell/internal/fixtures/error.json
@@ -0,0 +1,4 @@
+{
+  "error_code": "auth_authorization_header_invalid_format",
+  "error_text": "The authorization header is in an invalid format."
+}
diff --git a/providers/dns/combell/internal/nonce.go b/providers/dns/combell/internal/nonce.go
new file mode 100644
index 0000000000..7870db382b
--- /dev/null
+++ b/providers/dns/combell/internal/nonce.go
@@ -0,0 +1,43 @@
+package internal
+
+import (
+	"math/rand"
+	"strings"
+	"time"
+)
+
+const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+const (
+	letterIndexBits = 6                      // 6 bits to represent a letter index
+	letterIndexMask = 1<<letterIndexBits - 1 // All 1-bits, as many as letterIndexBits
+	letterIndexMax  = 63 / letterIndexBits   // # of letter indices fitting in 63 bits
+)
+
+type Nonce struct {
+	src rand.Source
+}
+
+func NewNonce() *Nonce {
+	return &Nonce{
+		src: rand.NewSource(time.Now().UnixNano()),
+	}
+}
+
+func (c Nonce) Generate(length int) string {
+	sb := strings.Builder{}
+	sb.Grow(length)
+	for i, cache, remain := length-1, c.src.Int63(), letterIndexMax; i >= 0; {
+		if remain == 0 {
+			cache, remain = c.src.Int63(), letterIndexMax
+		}
+		if idx := int(cache & letterIndexMask); idx < len(letterBytes) {
+			sb.WriteByte(letterBytes[idx])
+			i--
+		}
+		cache >>= letterIndexBits
+		remain--
+	}
+
+	return sb.String()
+}
diff --git a/providers/dns/combell/internal/nonce_test.go b/providers/dns/combell/internal/nonce_test.go
new file mode 100644
index 0000000000..e5a42827f9
--- /dev/null
+++ b/providers/dns/combell/internal/nonce_test.go
@@ -0,0 +1,40 @@
+package internal
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNonce_Generate(t *testing.T) {
+	nonce := NewNonce()
+
+	testCases := []struct {
+		desc   string
+		length int
+	}{
+		{
+			desc:   "one letter",
+			length: 1,
+		},
+		{
+			desc:   "10 letters",
+			length: 10,
+		},
+		{
+			desc:   "100 letters",
+			length: 100,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			result := nonce.Generate(test.length)
+			assert.Len(t, result, test.length)
+			assert.Regexp(t, `[a-zA-Z]+`, result)
+		})
+	}
+}
diff --git a/providers/dns/combell/internal/types.go b/providers/dns/combell/internal/types.go
new file mode 100644
index 0000000000..bd57deed68
--- /dev/null
+++ b/providers/dns/combell/internal/types.go
@@ -0,0 +1,34 @@
+package internal
+
+import "fmt"
+
+type Record struct {
+	ID         string `json:"id"`
+	Type       string `json:"type,omitempty"`
+	RecordName string `json:"record_name,omitempty"`
+	Content    string `json:"content,omitempty"`
+	TTL        int    `json:"ttl,omitempty"`
+	Priority   int    `json:"priority,omitempty"`
+	Service    string `json:"service,omitempty"`
+	Weight     int    `json:"weight,omitempty"`
+	Target     string `json:"target,omitempty"`
+	Protocol   string `json:"protocol,omitempty"`
+	Port       int    `json:"port,omitempty"`
+}
+
+type GetRecordsRequest struct {
+	Skip       int    `url:"skip,omitempty"`
+	Take       int    `url:"take,omitempty"`
+	Type       string `url:"type,omitempty"`
+	RecordName string `url:"record_name,omitempty"`
+	Service    string `url:"service,omitempty"`
+}
+
+type APIError struct {
+	ErrorCode string `json:"error_code"`
+	ErrorText string `json:"error_text"`
+}
+
+func (a APIError) Error() string {
+	return fmt.Sprintf("%s: %s", a.ErrorCode, a.ErrorText)
+}