Reference: DNS record types
A DNS record is a subset of data within a zone file containing critical information about a domain. After creating a zone, you can add records to it that allow requesting clients to access application endpoints and services corresponding to the zone FQDN or one of its subdomains. The nature and format of the information, called "answers," contained within a record depends on the record type. For example, most zones contain an "address" (A or AAAA) record with at least one answer. For an A or AAAA record, each answer represents an IP addresses of an application host server. Without this information, the DNS resolution process will fail and requesting clients will not be able to access your application.
Whereas traditional DNS records only contain one answer, records in the IBM® NS1 Connect® may contain multiple answers. This makes it easier to manage records of the same type and apply traffic steering policies using the Filter Chain to identify the best answer to return to each requesting client based on certain conditions.
Some records are created automatically based on configuration changes, such as publishing a new zone or configuring a URL redirect. Other record types must be created manually or by importing a zone file. Also, while the majority of supported record types are BIND-compatible, some are specific to the NS1 Connect platform and, therefore, are not included in external zone transfers or exported zone files.
| User-created records | Auto-generated records | |||
|---|---|---|---|---|
| A | CERT | HTTPS | SPF | DNSKEY |
| AAAA | CNAME | MX | SRV | NS |
| AFSDB | CSYNC | NAPTR | SVCB | NSEC |
| ALIAS* | DHCID | PTR | TLSA | NSEC3 |
| CAA | DNAME | REDIRECT* (coming soon) | TXT | RRSIG |
| CDNSKEY | DS | RP | Linked* | SOA |
| CDS | HINFO | SMIMEA | ||
*Indicates an NS1-specific record type.
Common record types
Certain record types are used frequently as they serve a particularly critical role in the DNS lookup process, including:
- A or AAAA ("address") records contain the IPv4 or IPv6 addresses, respectively, of the application host servers. When you enter a web address in your browser search bar, the DNS resolver searches for the A or AAAA record for the domain you requested and shares the IP address(es) with your client (device) so it can locate the website host server containing the content you're looking for.
- CNAME records are commonly used to direct incoming queries for one domain (www.example.com) to another domain (example.com) for which the relevant records can be found. This prevents you from having to maintain identical sets of DNS records for multiple domains. Note that CNAME records cannot be used at the zone apex. In other words, they can apply only to a subdomain of the zone FQDN.
- ALIAS records are an NS1-specific record type that function similarly to CNAME records, but they can be used at the zone apex.
- NS ("nameserver") records are automatically generated when you publish a zone to a DNS network. When you publish a zone to the Managed DNS network, for example, the NS record is automatically populated with the hostnames of the authoritative DNS nameservers to which the zone is assigned. This is important information you must use to update the nameserver delegation for this domain at your domain registrar.
- SOA (start of authority) records are automatically generated when you create a zone, and they contain administrative information about the primary nameserver for the domain as well as a set of time-to-live (TTL) values that dictate how long DNS resolvers should store zone data in their cache before requesting updated information.
A record
(RFC 1035) The most common DNS record used, an A (or address) record maps a domain to an IPv4 address (e.g., 198.0.2.36) of the computer hosting the domain. All zones should contain at least one A record.
{
"zone": "example.com",
"domain": "sub.example.com",
"type": "A",
"answers": [
{
"answer": [
"198.0.2.36"
]
},
{
"answer": [
"198.0.2.37"
]
}
]
}AAAA record
(RFC 3596) AAAA records function in the same way as A records, except that they map domains to an IPv6 address (e.g., 2001:db8:85a3::8a2e:370:7334) of the computer hosting the domain.
Each answer contains one IPv6 address corresponding to an endpoint to which you want to point DNS traffic when they query the domain. You can have multiple answers (that is, multiple IPv6 addresses) within a single AAAA record to establish basic redundancy and failback.
{
"zone": "example.com",
"domain": "sub.example.com",
"type": "AAAA",
"answers": [
{
"answer": [
"2001:db8:85a3::8a2e:370:7334"
]
}
]
}AFSDB record
(RFC 1183) AFSDB records are used to connect domain names to Andrew File System (AFS) servers. AFS is similar to NFS but better suited to handle the latency of wide-area networks (WAN) and locally caches files. The AFSDB record is key to this operation — providing the location of the file database.
- Service subtype (integer) - A 16-bit integer representing the subtype. This value determines the protocol to use when attempting to connect to a cell’s server. A value of 1 indicates the host has an AFS version 3.0 volume location server for the named AFS cell. A value of 2 indicates the host has an authenticated nameserver holding the cell-root directory node for the named DCE/NCA cell.
- AF cell server (string) - Domain name of a host with a server for the cell.
{
"zone": "example.com",
"domain": "afsdbrecord.example.com",
"type": "AFSDB",
"answers": [
{
"answer": [1,"arecord.example.com"]
}
]
}ALIAS record
(NS1-specific) ALIAS is a special record type that works like a CNAME record but can be used safely at the zone apex. On the NS1 platform, ALIAS records always resolve to A and AAAA records by running a DNS resolver in each of NS1’s PoPs. Resolution to the target is a completely internal process — DNS recursors making the query cannot differentiate between an ALIAS record and an A (or AAAA) record. An ALIAS record will always return one or more A or AAAA records. Since ALIAS is a pseudo-record, the response will never include the ALIAS record itself.
You can add an ALIAS record anywhere within a primary (or non-secondary) zone or secondary zone apex. You can adjust the behavior of the record lookup process on the NS1 platform by enabling or disabling the “Override address records” option when configuring the ALIAS record.
- By default, the override option is disabled (as in, set to “false”). This means that, upon receiving an incoming query, the NS1 platform will first look for the A/AAAA record within the zone. The NS1 platform will search for the ALIAS record if it does not find an address record. Typically, this behavior is desired if the ALIAS record is added to a primary zone. In some advanced cases, it might make sense to leave this option disabled for ALIAS records on secondary zones — for example, if the ALIAS record should only apply to queries for either the A or AAAA record (but not both).
- Alternatively, setting this option to “true” directs the NS1 platform to seek out the ALIAS record first, bypassing any existing address record. Typically, this behavior is desired if the ALIAS record is added to a secondary zone.
It’s important to note that NS1’s ALIAS records are not included in outgoing zone transfers as they are incompatible with other DNS providers, even if the other provider has their version of an ALIAS record.
When configuring ALIAS records, you must indicate whether or not to override any existing address records within the zone during the lookup process. You do this by enabling or disabling the “Override address records” option in the portal or API.
- By default, this option is disabled. In this case, NS1 will first attempt to locate the address records before seeking out the ALIAS record.
- If enabled, the NS1 platform will bypass address records, seeking out the ALIAS record first.
Optionally, you can also override the TTL of the target record with a value defined in the ALIAS record.
Each answer includes the domain or subdomain of an A or AAAA record to which this ALIAS record should resolve. In most cases, an ALIAS record will only contain one answer, but you can technically add multiple answers (in other words, specify multiple targets) if desired. In this case, the response will include all the IP addresses for the specified targets.
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/<zoneName>/<domain>/ALIAS -d '
{
"zone": "<zoneFQDN>",
"domain": "<zoneFQDN>",
"type": "ALIAS",
"override_address_records": false,
"answers": [
{
"answer": [
"<targetDomain>"
]
}
]
}'
{
"zone": "example.com",
"domain": "example.com",
"type": "ALIAS",
"answers": [
{
"answer": [
"new.example.com"
]
}
]
}CAA record
(RFC 8659) Domain owners can use DNS Certification Authority Authorization (CAA) records to indicate one or more certificate authorities (CAs) allowed to issue SSL certificates for a domain. Before issuing a certificate, compliant CAs must check for the CAA record unless an exception specified in the relevant certificate policy (CP) or certification practices statement (CPS) applies. The CAA record prevents an unauthorized CA from issuing an SSL certificate for your domain.
The example below requests no certificates be issued for
caa.example.com by any issuer other than
letsencrypt.com.
{
"zone": "example.com",
"domain": "caa.example.com",
"type": "CAA",
"answers": [
{
"answer": [
0,
"issue",
"letsencrypt.org"
]
}
]
}The example below requests no certificates be issued for
caa.example.com by any issuer.
{
"zone": "example.com",
"domain": "caa.example.com",
"type": "CAA",
"answers": [
{
"answer": [
0,
"issue",
";"
]
}
]
}Refer to RFC 8659 for more details and examples.
CDNSKEY
(RFC 7344) The “child DNSKEY” (CDNSKEY) record type is used to enable DNSSEC on a child zone (i.e., subdelegation). Each record contains one or more DNSSEC keys required to sign zone data contained in this child zone.
- Flags (integer) - DNSSEC key type. Supported values: 256 (ZSK) and 257 (KSK)
- Protocol (integer) - Set to 3 to indicate this is a DNSSEC key, ensuring signature verification.
- Algorithm (integer) - Public key cryptographic algorithm. Refer to RFC 4304 for a list of DNSSEC algorithms. NS1 supports a value of 13 for DNSSEC keys.
- Public key (string) - Public DNSSEC key secret.
CDS record
(RFC 7344) The “child DS” (CDS) record type is used to enable DNSSEC on a child zone (i.e., subdelegation). Once created, the parent zone is notified of its existence, and, in response, the parent zone retrieves the CDS record and inserts the corresponding DS record data.
CERT record
(RFC 4398, 69446944) CERT records provide a space in the DNS for certificates and related certificate revocation lists (CRLs). These certificates verify the authenticity of the sending and receiving parties. The CRLs identify the certificates that are no longer valid.
For each answer, enter the type, keytag, algorithm, and certificate used to verify the authenticity of the sending and receiving parties.
The following example shows the request body required for creating or managing CERT records.
{
"zone": "example.com",
"domain": "certrecord.example.com",
"type": "CERT",
"answers": [
{
"answer": [
"OID" "12345" "PRIVATEOID" "AZwz/Q=="
]
}
]
}CNAME record
(RFC 1035) A Canonical Name (CNAME) record maps one domain name (an alias) to another domain (the canonical name). There can be only one such canonical name for any one alias. That name should generally be a name that exists elsewhere in the DNS, though there are some rare applications for aliases with the accompanying canonical name undefined in the DNS. If DNSSEC is enabled, an alias name (prefix of a CNAME record domain) may have RRSIG and NSEC/NSEC3 records but may have no other data. Refer to Comparing CNAME, ALIAS, and linked records for more information.
Common use cases for a CNAME record include:
- Specifying a unique hostname for specific network services, such as email or FTP, and redirecting that hostname to the root domain.
- For hosted services, mapping a subdomain for individual customers on the service provider's domain (for example, company.hostname.com) and using the CNAME to point to the customer's preferred domain (for example, www.company.com).
- Registering the same domain in several countries and creating CNAME records for each country's TLD.
- Pointing multiple domains owned by a company back to the primary website.
The answer within a CNAME record represents the "real" or target domain for which this CNAME record is an alias.
{
"zone": "example.com",
"domain": "company.example.com",
"type": "CNAME",
"answers": [
{
"answer": [
"company.com"
]
}
]
}CSYNC record
(RFC 7477) CSYNC records indicate which delegation records published by a child DNS operator should be processed by a parental agent and used to update the parent’s zone data. These types of records are published at the apex of the child zone, making it easier for operators to update their delegation records within the parent’s set quickly.
Typically, there are some record types expected to remain in sync across parent and child zones. Most commonly, these include the NS records and any necessary A or AAAA records (“glue records”). It can be a challenge for operators of child DNS zones to update delegation records quickly, particularly when managing a large, complex set of DNS zones. The CSYNC record presents an automated mechanism for signaling updates at the child zone that must be reflected in the parent zone data.
- SOA serial number (integer) - A 32-bit integer representing the serial number of the SOA
record from the child zone (that is, the SOA of the zone on which you are adding this CSYNC record).
This value can be set to an arbitrary number if you do not plan to set the
soaminimumflag. - Flags (integer) - A 16-bit integer of boolean flags defines operations that affect the
processing of the CSYNC record. A value of 1 indicates the “immediate” flag, meaning the CSYNC
record should be processed immediately. A value of 2 indicates the
soaminimumflag which requires an SOA serial number greater than the one specified to process the CSYNC record. - Types (string) - A simple bit-list (separated) indicating the DNS record types in the child zone should be processed by the parental agent to modify the DNS delegation records within the parent's zone for the child DNS operator. Supported record types to specify here include NS, A, and AAAA.
The following example shows the request body required for creating or managing CERT records.
{
"zone": "example.com",
"domain": "example.com",
"type": "CSYNC",
"answers": [
{
"answer": [
"1652223375", 3, "A NS AAAA"
]
}
]
}DHCID record
(RFC 7344) The “child DS” (CDS) record type is used to enable DNSSEC on a child zone (i.e., subdelegation). Once created, the parent zone is notified of its existence, and, in response, the parent zone retrieves the CDS record and inserts the corresponding DS record data.
DNAME record
(RFC 6672) Whereas a CNAME record defines an alias for a single domain or node, a Delegation Name (DNAME) record is used to create an alias (i.e., domain) for an entire subsection of the DNS namespace (i.e., a domain and all of its subdomains).
Add the "real" or target domain as an answer within this record. The DNAME record serves as an alias for the specified domain and all of its subdomains.
DNSKEY record
(RFC 4034) The DNSSEC key (DNSKEY) record stores public DNSSEC key data for a particular zone for use in the DNSSEC authentication process. In this process, a zone signs its authoritative record data using a private key and stores the corresponding public key in the DNSKEY record.
Each answer within a DNSKEY record contains data corresponding to a single DNSSEC key — including the flags, protocol, algorithm, and public key. DNSKEY answer data is auto-generated when you enable DNSSEC on an individual NS1 zone. Additional answers within the DNSKEY appear if you configure external DNSSEC key sets via API.
DNSKEY records are auto-generated when you enable DNSSEC online signing for a zone.
DS record
(RFC 4034) The DS record points to the relevant DNSKEY record to use in the DNSSEC authentication process for this zone.
Each answer within a DS record contains the following form fields:
-
Key tag
-
Algorithm
-
Digest type
-
Digest
HINFO record
(RFC 1035) Host information (HINFO) records are used to associate general information about a host’s CPU and OS with the host’s domain name. For example, if www.example.com was running Ubuntu 16.04 with a 3.2 GHz Intel CPU, this information can be made publicly available by creating a HINFO record with “PC-Intel-3200mhz” and “Ubuntu 16.04” in the CPU and OS fields, respectively. This information is used by services like FTP to determine the correct procedures for connecting to hosts based on their configuration.
Each answer includes the relevant host hardware data (e.g., CPU) and operating system.
HTTPS record
The HTTPS record is an SVCB-compatible record type designed specifically for the HTTP protocol. It can be used to enable CNAME-like functionality at the zone apex or for multi-CDN hosting. It signals to the requesting client that it can connect over a secure connection, skipping the initial unsecured request, and it advertises the HTTP versions supported by the website. In addition to the goals of an SVCB record, HTTPS records can be used to:
- Connect directly to HTTP/3 (QUIC transport) alternative endpoints.
- Obtain the Encrypted ClientHello (ECH) keys associated with an alternative endpoint.
- Support non-default TCP and UDP ports.
- Enable SRV-like benefits (such as apex delegation) for HTTP.
- Provide an HSTS-like indication (HSTS) signaling that the “https” scheme should be used instead of “http” for all HTTP requests to this host and port.
The format of an HTTPS record is nearly identical to an SVCB record except that, unlike SVCB, HTTPS records do not use the same structured name format as SRV records. This allows HTTPS records to be used at the zone apex. Like SVCB, HTTPS records can be configured to operate in two modes:
- In AliasMode, the record delegates operational control for a resource (as in, it aliases to another record name), allowing you to add or remove HTTPS records without requiring a change at the zone apex.
- In ServiceMode, the record binds configuration data for a service endpoint, advertising additional key-value parameters unique to each endpoint. The TargetName and SvcParams associate an alternative endpoint for the service with its connection parameters.
Placing both forms in a single record type allows clients to fetch the relevant information with a single query.
- SvcPriority (integer) - Priority of this record where lower values are prioritized. A value of 0 indicates "alias mode." All other values indicate "service mode."
- TargetName (string) - If in AliasMode, this is the alias target's fully-qualified domain name (FQDN). If in ServiceMode, this is the domain name of an alternate endpoint. If TargetName has the value ".", special rules apply. Refer to the RFC for details.
- SvcParams (string or array) - (Optional) If in ServiceMode, this is a
whitespace-separated list of parameter key-value pairs (
SvcParamKey=SvcParamValue) or a standaloneSvcParamKeydescribing the alternate endpoint defined byTargetName. Common SvcParamKeys include:- application layer protocol negotiation (ALPN) - "h2” means HTTP/2 over TLS, "h3” means HTTP/3 or
QUIC (e.g.,
"alpn"="h2"). - port - TCP or UDP port to reach the alternative endpoint (e.g.,
"port"=80). - IPv4 and IPv6 hints: IP addresses clients can use to reach the service (e.g.,
"ipv4hint"="192.0.2.1""ipv6hint"="2001:db8:122:344::33").
For a complete list of SvcParams, refer to https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml.
- application layer protocol negotiation (ALPN) - "h2” means HTTP/2 over TLS, "h3” means HTTP/3 or
QUIC (e.g.,
The following example shows an HTTPS record configuration operating in AliasMode. In this case, web traffic for “example.com” is redirected to “example.net”.
{
"zone": "example.com",
"domain": "example.com",
"type": "HTTPS",
"answers": [
{
"answer": [
0, "example.net."
]
}
]
}
The following example shows an HTTPS record configuration operating in ServiceMode. It advertises support for the HTTP/3 and HTTP/2 protocols for the example.com origin. When a client connects, it will try HTTP/3 if supported; otherwise, it will try HTTP/2.
{
"zone": "example.com",
"domain": "example.com",
"type": "HTTPS",
"answers": [
{
"answer": [
1 . alpn="h3,h2"
]
}
]
}NATPR record
(RFC 3403) Naming Authority Pointer (NAPTR) records are most commonly used with internet telephony (or VoIP) services. They can be used to map telephone numbers and email addresses for VoIP users to SIP servers via SRV records to initiate calls.
Each answer within an NAPTR record contains the following:
- Order for answer processing
- A 16-bit unsigned integer specifying the order in which the NAPTR records MUST be processed to ensure the correct ordering of rules. Low numbers are processed before high numbers, and once a NAPTR is found whose rule "matches" the target, the client MUST NOT consider any NAPTRs with a higher value for order (except as noted below for the Flags field).
- Preference (if others have equal order values)
- A 16-bit unsigned integer that specifies the order in which NAPTR records with equal "order" values SHOULD be processed, low numbers being processed before high numbers. This is similar to the preference field in an MX record, and is used so domain administrators can direct clients towards more capable hosts or lighter-weight protocols. A client may look at records with higher preference values if it has a good reason to do so, such as not understanding the preferred protocol or service. The important difference between Order and Preference is that once a match is found, the client MUST NOT consider records with a different order. However, they MAY process records with the same Order but different Preferences. In other words, the preference is used to give weight to rules that are considered the same from an authority standpoint but not from a simple load-balancing standpoint.
- Flags
- At this time only four flags, "S", "A", "U", and "P", are defined in the RFC. The "S", "A" and "U" flags denote a terminal lookup, meaning that this NAPTR record is the last one and that the flag determines what the next stage should be. The "S" flag means that the next lookup should be for SRV records. "A" means that the next lookup should be for either an A or AAAA record. The "U" flag means that the next step is not a DNS lookup but that the output of the Regexp field is an URI that adheres to the 'absoluteURI' production found in the ABNF of RFC 2396. Since there may be applications that use NAPTR to also look up aspects of URIs, be aware that this may cause loop conditions. The "P" flag says that the remainder of the application side algorithm shall be carried out in a Protocol-specific fashion. The new set of rules is identified by the protocol specified in the Services field.
- Service(s) available down rewrite path
- Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol MUST be specified if the flags field states that the NAPTR is terminal.
NS record
(RFC 1035) Typically configured with your registrar, nameserver (NS) records are used to delegate a domain or subdomain to a set of nameservers. Nameservers, such as NS1’s Managed DNS nameservers, host all DNS data for a domain and tell all the other computers connected to the internet which records your domain holds. Therefore, setting the NS record is a critical step in getting your domains and servers online.
Each answer within an NS record specifies a domain name for one or more authoritative nameservers. A single NS record may contain multiple answers (in other words, multiple nameservers) for a domain.
{
"zone": "example.com",
"domain": "sub.example.com",
"type": "NS",
"answers": [
{
"answer": [
"ns1.sub.example.com"
]
},
{
"answer": [
"ns2.sub.example.com"
]
}
]
}NSEC record
(RFC 4034) An NSEC record (sometimes referred to as the “next secure record”) is used to provide an authenticated denial of existence. It contains a link to the next domain name and the record types that exist for that domain. DNS resolvers use NSEC records to verify the non-existence of a record name and type as part of DNSSEC validation.
NSEC3 record
(RFC 5155) The NSEC3 record provides authenticated denial of the existence of DNS records. It lists record types present at the original domain name of the NSEC3 record and includes the next hashed owner name in the hash order of the zone. NSEC3 records are similar to NSEC records, but NSEC3 uses cryptographically hashed record names to avoid the enumeration of the record names in a zone.
MX record
(RFC 1035) Mail exchange (MX) records are used to direct emails sent to your domain. MX records, coupled with a mail server, provide organizations (employees, clients, etc.) with emails to the organization's domain. You can add multiple MX records with varying priorities if multiple mail servers are configured.
Each answer includes the hostname for a mail server (for example, mailhost1.example.com) and a priority (preference) number, which determines the sequence at which an email server receives emails.
{
"zone": "example.com",
"domain": "example.com",
"type": "MX",
"answers": [
{
"answer": [
1,
"mailhost1.example.com"
]
}
]
}PTR record
(RFC 1035) Often described as the opposite of an A record, pointer (PTR) records are used for reverse zone lookups. Whereas A records point the domain to an IP address, a PTR record points an IP to a domain. This is often used as spam verification with certain email programs to confirm a mail server is authorized to use the domain from which the email was sent. PTR records usually have to be defined by the owner of the IP address for your server — usually your server hosts. Many hosting companies will set this up for you when you set up a server.
After creating a reverse zone (for example, 2.0.192.in-addr.arpa), you can add a PTR record to the zone. For the record’s subdomain prefix, you can enter the final octet or character of the IP address for the server or leave this field blank to indicate an apex-level record.
Each answer within a PTR record specifies a fully qualified domain name (FQDN) to which queries to an IP address should point.
{
"zone": "2.0.192.in-addr.arpa",
"domain": "2.0.192.in-addr.arpa",
"type": "PTR",
"answers": [
{
"answer": [
"www.example.com"
]
}
]
}SOA record
(RFC 1035, 2038) The Start of Authority (SOA) resource record contains administrative information about the zone that controls the zone transfer. The format of the zone transfer includes:
- MNAME - The domain name of the name server that was the original or primary source of data for this zone.
- RNAME - A domain name corresponding to the email address of the person responsible for this zone.
- SERIAL - The unsigned 32-bit version number of the original copy of this zone. Zone transfers preserve this value.
- REFRESH - The amount of time before the zone should be refreshed.
- RETRY - The amount of time that should elapse before a failed refresh is retried.
- EXPIRE - The maximum amount of time that can elapse before the zone is no longer authoritative.
- MINIMUM - The amount of time used to cache negative responses (NXD).
SOA records are generated automatically by the platform, but they do not appear in the list of records alongside others within the zone. You can modify SOA settings by editing the zone settings in the portal or via API.
SRV record
(RFC 2782) Service locator (SRV) records are a way to use DNS to locate services for a specific domain. SRV records allow for built-in load balancing of multiple servers using the priority and weight values in the records.
Each answer within an SRV record corresponds to a hostname, containing the following fields:
| Name | Type | Description |
|---|---|---|
| Priority of target host | Integer | A value indicating the priority of the target server. A server with a lower priority value will receive more traffic than other servers. |
| Relative weight for hosts with same priority | Integer | A value indicating the weight of the target server. The server with the highest weight value will receive more traffic than other servers with the same priority. |
| TCP or UDP service port | Integer | A 16-bit unsigned integer indicating the TCP or UDP port on the target server. |
| Host providing service | Integer | Hostname of the target host (server). |
{
"zone": "example.com",
"domain": "_discard._tcp.example.com",
"type": "SRV",
"answers": [
{
"answer": [
1, 100, 9, "server.example.com"
]
}
]
}REDIRECT record
Specific to the NS1 Connect platform and auto-generated after creating a URL redirect configuration, the REDIRECT record type replaces the URLFWD record to enable URL redirects over HTTP or HTTPS. Refer to URL redirects for details.
RP record
(RFC 1183) Typically, the "responsible person" record contains information about the person responsible for the domain. It is usually an email address where the "@" sign is replaced by a period (.).
Each answer includes the email address of the person responsible for this domain name and the domain within which the corresponding TXT record exists. Note that you must replace the @ symbol in the email address with a period (.).
RRSIG record
(RFC 4034) DNSSEC uses public key cryptography to sign and authenticate DNS records. Digital signatures are stored in RRSIG records and are used in the DNSSEC authentication process. A validator can use the RRSIG record data to authenticate records from the zone. RRSIG records contain the signature for a DNS record with a particular name, class, and type. It specifies a validity interval for the signature and uses the algorithm, the signer’s name, and the key tag to identify the DNSKEY record containing the public key that a validator can use to verify the signature.
SMIMEA record
(RFC 8162) The SMIMEA record is used to associate an end entity certificate or public key with an associated email address, thus forming a “SMIMEA certificate association.” It allows an application or service to obtain a S/MIME certificate or public key and use it for verifying a digital signature or encrypting a message to the public key. The DNS answer must pass DNSSEC validation.
- Certificate usage (integer) - A value defined in a new IANA registry from 0-3 indicating
the association used to match the certificate in the TLS handshake.
- CA constraint - A value of 0 indicates a certificate authority certificate or its public key. This method limits which CA can be used to issue certificates for a given service on a host. The presented certificate MUST pass PKIX certification path validation, and a CA certificate that matches the TLSA record MUST be included as part of a valid certification path.
- Service certification constraint - A value of 1 indicates an end entity certificate or its public key. This method limits which end entity certificate can be used by a given service on a host.
- Trust anchor assertion - A value of 2 indicates a certificate or its public key to be used as a trust anchor when validating the end entity certificate. This method is used if the domain issues certificates under its own certificate authority.
- Domain-issued certificate - A value of 3 indicates a certificate or its public key that must be matched by the end entity certificate, allowing a domain name administrator to issue certificates for a domain without involving a third-party VCA.
- Selector (integer) - A value from 0-1 specifying which part of the TLS certificate presented by the server will be matched against the association data.
- Matching type field (integer) - A value from 0-1 specifying how the certificate association is presented.
- Certificate association data (string) - The "certificate association data" to be matched.
{
"zone": "example.com",
"domain": "example.com",
"type": "SMIMEA",
"answers": [
{
"answer": [
0, 0, 1, "d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971"
]
}
]
}SPF record
(RFC 4408, 7208) Sender Policy Framework (SPF) records are used during email verification to
prevent your domain name from being used by spammers or malicious users. Simply creating an SPF
record on your main domain with the content: v=spf1 ip4:198.0.2.201 a -all
(replacing the IP address with your mail server’s IP address) will tell email receivers that your
mail server is the only server allowed to send emails from your domain. All emails received from
other servers will be rejected or marked as spam. You can specify multiple IPv4 addresses as
individual answers in the SPF record if you have multiple mail servers.
Each answer corresponds to a single mail server's sender policy framework configuration. In each answer field, enter the following: v=spf1 ip4:198.0.2.201 a ~all replacing 198.0.2.201 with the IPv4 address for your server.
{
"zone": "example.com",
"domain": "example.com",
"type": "SPF",
"answers": [
{
"answer": [
"v=spf1 ip4:198.0.2.201 a ~all"
]
}
]
}SVCB record
Designed to address issues around service discovery, a new family of "service-binding" (SVCB) record types provides clients with complete instructions to access a service. Providing this information avoids transient connection to a suboptimal endpoint, negotiates a preferred protocol, and offers relevant public keys — helping to improve performance and privacy.
SVCB and HTTPS (an SVCB-compatible record type) records allow clients to resolve a single additional DNS record in a way that:
- Specifies targets (or alternative endpoints) that are authoritative for the service, along with associated parameters.
- Does not assume all alternative endpoints have the same parameters or capabilities or that the same entity operates them.
- Enables CNAME-like functionality at a zone apex for participating protocols and generally allows delegation of operational authority for an origin within the DNS to an alternate name. See "SVCB vs. HTTPS" below for more information about configuring CNAME-like functionality using both record types.
Note that, in addition to the goals listed above, you can use HTTPS records can be used for configurations specific to the HTTP protocol. Refer to "HTTPS record" for details.
The format of SVCB and HTTPS records is identical. The difference is that the name of the SVCB record uses the same structured format as SRV records, whereas the HTTPS record does not. When configuring SVCB records, you create a record for each service with a special name syntax, whereas HTTPS records do not have the same domain name restrictions. HTTPS records can exist at the zone apex.
Each SVCB record specifies alternative endpoints that are authoritative for a service and the unique parameters associated with each endpoint. The record operates in two modes:
- In AliasMode, the record delegates operational control for a resource (as in, it aliases to another record name, similar to CNAME functionality). This mode allows you to add or remove SVCB records without requiring a corresponding change at the zone apex.
- In ServiceMode, the record binds together configuration data for a service endpoint, advertising additional key-value parameters unique to each endpoint. The TargetName and SvcParams associate an alternative endpoint for the service with its connection parameters.
Placing both forms in a single record type allows clients to fetch the relevant information with a single query.
The SVCB record's domain name typically includes the network service (or
port) and the protocol (_port._protocol.subdomain). For example,
_postgresql._tcp.example.net.
- SvcPriority (integer) - Priority of this record where lower values are prioritized. A value of 0 indicates "alias mode." All other values indicate "service mode."
- TargetName (string) - If in AliasMode, this is the alias target's fully-qualified domain name (FQDN). If in ServiceMode, this is the domain name of an alternate endpoint. If TargetName has the value ".", special rules apply. Refer to the RFC for details.
- SvcParams (string or array) - (Optional) For a complete list of SvcParams, refer to https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml.
The following example shows an SVCB record configuration operating
in AliasMode. If a client queries "_8080._foo.example.com", the platform responds with
foosvc.example.net, indicating the client should refer to that domain for
service.
{
"zone": "example.com",
"domain": "_8080._foo.example.com",
"type": "SVCB",
"answers": [
{
"answer": [
0, "foosvc.example.net."
]
}
]
}The following example shows an SVCB record configuration operating in ServiceMode. If a client queries "_8080._bar.example.com", NS1 returns the relevant service bindings. The client will use this data to connect.
{
"zone": "example.com",
"domain": "_8080._bar.example.com",
"type": "SVCB",
"answers": [
{
"answer": [
0, ".", "port"=8888
]
}
]
}TLSA record
(RFC 6698) This record type is used to associate a transport layer security (TLS) server certificate or public key with the domain name (zone) within which this record is located, thus forming a “TLSA certificate association.”
- Certificate usage (integer) - A value defined in a new IANA registry from 0-3 indicating
the association used to match the certificate in the TLS handshake.
- CA constraint - A value of 0 indicates a certificate authority certificate or its public key. This method limits which CA can be used to issue certificates for a given service on a host. The presented certificate MUST pass PKIX certification path validation, and a CA certificate that matches the TLSA record MUST be included as part of a valid certification path.
- Service certification constraint - A value of 1 indicates an end entity certificate or its public key. This method limits which end entity certificate can be used by a given service on a host.
- Trust anchor assertion - A value of 2 indicates a certificate or its public key to be used as a trust anchor when validating the end entity certificate. This method is used if the domain issues certificates under its own certificate authority.
- Domain-issued certificate - A value of 3 indicates a certificate or its public key that must be matched by the end entity certificate, allowing a domain name administrator to issue certificates for a domain without involving a third-party VCA.
- Selector (integer) - A value from 0-1 specifying which part of the TLS certificate presented by the server will be matched against the association data.
- Matching type field (integer) - A value from 0-1 specifying how the certificate association is presented.
- Certificate association data (string) - The "certificate association data" to be matched.
{
"zone": "example.com",
"domain": "example.com",
"type": "TLSA",
"answers": [
{
"answer": [
0, 0, 1, "d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971"
]
}
]
}TXT record
(RFC 1035) Text (TXT) records allow you to contain any text-based information on a domain or subdomain. Applications can use this to collect information about a service — typically, SPF records, DomainKeys, and DKIM (two other email verification processes). TXT records may contain any information up to 255 characters per string. A single zone may contain multiple TXT records, and one TXT record may contain multiple answers.
Each answer within a TXT record is a string containing any human- or machine-readable data based on the specific use case for which you are creating a TXT record, depending on your use case.
{
"zone": "example.com",
"domain": "example.com",
"type": "TXT",
"answers": [
{
"answer": [
"string"
]
}
]
}