diff --git a/quovadis/quovadis.php b/quovadis/quovadis.php
index edbd28e9941d2774991d6ad4a437f37d71b12a7e..ecfe215c69843fd6919a216fe79faea4cfa52dee 100644
--- a/quovadis/quovadis.php
+++ b/quovadis/quovadis.php
@@ -15,6 +15,14 @@ function check_username($username) {
 	return is_array(posix_getpwnam($username));
 }
 
+/* from https://stackoverflow.com/questions/1755144/how-to-validate-domain-name-in-php/48801316 */
+
+function is_valid_domain_name($domain_name)
+{
+    return (preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $domain_name) //valid chars check
+            && preg_match("/^.{1,253}$/", $domain_name) //overall length check
+            && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name)   ); //length of each label
+}
 
 /**
 	*   Remove the first and last quote from a quoted string of text
@@ -270,18 +278,38 @@ $leaf->post('/update-challenge', function () use($leaf) {
 // 
 // to the contents of Challenge TXT
 // 
+    $config=get_config();
+
     $username = $leaf->request->get('username');
     $api_key = $leaf->request->get('api_key');
     $challenge = $leaf->request->get('challenge');
     $value = $leaf->request->get('value');
 
     // Check username is valid
-    
+    if ( !check_username($username) ) {
+        $leaf->response->json(["message" => $username." not valid"],200);
+	return;
+    }
+
     // Check API key
-    
+    if ( !check_api_key($config, $username, $api_key) ) {
+        $leaf->response->json(["message" => "API key for " .$username." not valid"],200);
+	return;
+    }
+
     // Sanity check challenge text
-    
+    //
+    $handle = $username . "-" . $challenge;
+    if ( !is_valid_domain_name($handle) ) {
+        $leaf->response->json(["message" => "Handle " .$handle." not valid"],200);
+	return;
+    }
+
     // Stick challenge value prefixed by username into DNS
+    $u = update_desec_txt($config, $handle, $value);
+    
+    $leaf->response->json(["message" => $handle." has been updated"],200);
+    
 });
 
 $leaf->run();