Record Type Reference
Complete reference of DNS record types — from A and AAAA to TLSA and HTTPS, with formats, examples, and usage notes
DNS record types A-Z
Every DNS record (Resource Record) has a name, type, class (almost always IN for Internet), TTL, and RDATA. This reference covers all commonly used record types with their wire format, example values, and practical usage notes.
Query type distribution
Based on analysis of 3.56 trillion DNS queries (Vercara UltraDNS, February 2024):
| Record type | Share of queries |
|---|---|
| A | 55.25% |
| AAAA | 19.07% |
| HTTPS | 6.88% |
| NS | 5.68% |
| PTR | 3.54% |
| Other | ~9.58% |
Address records
A (RFC 1035)
Maps a domain name to an IPv4 address (32-bit). The most fundamental record type.
example.com. 3600 IN A 93.184.216.34
Multiple A records for the same name provide round-robin load balancing. The resolver rotates the order of addresses in responses.
AAAA (RFC 3596)
Maps a domain name to an IPv6 address (128-bit). Essential for IPv6 connectivity; usage is growing steadily and now stands at 19% of queries.
example.com. 3600 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
Alias records
CNAME (RFC 1035)
Creates an alias from one domain name to another (the “canonical” name).
www.example.com. 3600 IN CNAME example.com.
Restrictions: A CNAME cannot coexist with other record types at the same name. This means you cannot use a CNAME at the zone apex (e.g., example.com) because the apex already has SOA and NS records.
Performance: Each CNAME hop adds one additional DNS round-trip to resolution. CNAME chains (A points to B points to C) multiply lookup latency.
DNAME (RFC 6672)
Delegates an entire subtree of the domain name tree to another domain. Where CNAME aliases a single name, DNAME aliases everything below it.
old.example.com. 3600 IN DNAME new.example.com.
A query for foo.old.example.com is rewritten to foo.new.example.com. Less commonly used than CNAME.
ALIAS / ANAME (vendor-specific)
Behaves like CNAME but works at the zone apex. Allows CDN or load balancer usage at the root domain (example.com). Not standardized in any RFC — implemented as vendor extensions by Cloudflare (CNAME flattening), Route 53 (Alias), DNSimple (ALIAS), and others.
Mail records
MX (RFC 1035)
Specifies mail servers responsible for accepting email for the domain, with a priority value.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN MX 20 backup.example.com.
Lower priority numbers indicate preferred servers. Multiple MX records provide failover: mail is delivered to the responding server with the lowest priority number. See Email Authentication for how MX interacts with SPF, DKIM, and DMARC.
Name server and authority records
NS (RFC 1035)
Declares the authoritative name servers for a zone.
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
Typically 2-4 NS records per zone for redundancy. NS records at delegation points create the hierarchical zone structure of DNS. Represents 5.68% of DNS queries.
SOA (RFC 1035)
Start of Authority — contains administrative information about the zone. Required as the first record in every zone file. One per zone.
example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
    2025021301 ; Serial (YYYYMMDDNN format)
    3600       ; Refresh (1 hour)
    900        ; Retry (15 minutes)
    1209600    ; Expire (2 weeks)
    86400      ; Minimum / Negative Cache TTL
)
| Field | Purpose | Typical value |
|---|---|---|
| MNAME | Primary name server | ns1.example.com. |
| RNAME | Admin email (. replaces @) | admin.example.com. |
| Serial | Version number, incremented on changes | 2025021301 |
| Refresh | Secondary check interval | 3600 (1 hour) |
| Retry | Retry interval after failed check | 900 (15 minutes) |
| Expire | Max time secondary serves stale data | 1209600 (2 weeks) |
| Minimum | Negative cache TTL | 86400 (24 hours) |
Reverse lookup records
PTR (RFC 1035)
Maps an IP address back to a domain name (reverse DNS). Uses the special in-addr.arpa (IPv4) and ip6.arpa (IPv6) zones. IP octets are reversed.
34.216.184.93.in-addr.arpa. 3600 IN PTR www.example.com.
Used for reverse DNS lookups, email server verification, logging, and anti-spam checks. Represents 3.54% of queries.
Text records
TXT (RFC 1035)
Stores arbitrary text data associated with a domain. Originally intended for human-readable notes, now heavily used for machine-readable verification and policy records.
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com ~all"
Common TXT record uses:
- SPF: Email sender verification (v=spf1 ...)
- DKIM: Email signing public keys (v=DKIM1; ...)
- DMARC: Email authentication policy (v=DMARC1; ...)
- Domain verification: Google, Microsoft, and other services use TXT records to verify domain ownership
- BIMI: Brand indicators for email (v=BIMI1; ...)
TXT RDATA is one or more character strings. Each string is limited to 255 bytes, but multiple strings are concatenated. Long records (like DKIM keys) span multiple strings.
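The 255-byte string limit and the concatenation rule, as an added example (not part of the original reference): it encodes a long value into TXT RDATA, decodes it strictly, and rejoins the strings the way a consumer reads them. The DKIM-style value is constructed filler, and all function names are illustrative.

```python
MAX_STRING = 255     # one character-string: 1 length byte + up to 255 data bytes
MAX_RDATA = 65535    # RDLENGTH is a 16-bit field

def txt_rdata(value: bytes) -> bytes:
    """Encode a logical TXT value as consecutive length-prefixed strings."""
    chunks = [value[i:i + MAX_STRING]
              for i in range(0, len(value), MAX_STRING)] or [b""]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    if len(rdata) > MAX_RDATA:
        raise ValueError("TXT RDATA exceeds 65535 bytes")
    return rdata

def txt_strings(rdata: bytes) -> list:
    """Strictly decode RDATA; reject a length byte that runs past the end."""
    strings, pos = [], 0
    while pos < len(rdata):
        end = pos + 1 + rdata[pos]
        if end > len(rdata):
            raise ValueError("character-string overruns RDATA at offset %d" % pos)
        strings.append(rdata[pos + 1:end])
        pos = end
    return strings

def txt_value(rdata: bytes) -> bytes:
    """The value a consumer evaluates: all strings joined with no separator."""
    return b"".join(txt_strings(rdata))

def zone_file_form(rdata: bytes) -> str:
    """Presentation format: each string quoted, separated by spaces."""
    quoted = []
    for s in txt_strings(rdata):
        text = s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        quoted.append('"%s"' % text)
    return " ".join(quoted)

# Constructed DKIM-style value (the p= data is filler, not a real key).
DKIM_VALUE = b"v=DKIM1; k=rsa; p=" + b"A" * 392

if __name__ == "__main__":
    rdata = txt_rdata(DKIM_VALUE)
    print([len(s) for s in txt_strings(rdata)])
    print(zone_file_form(rdata)[:60] + " ...")
```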
Service discovery records
SRV (RFC 2782)
Specifies the host and port for specific services.
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 sipserver.example.com.
Format: _service._protocol.name TTL class SRV priority weight port target
| Field | Purpose |
|---|---|
| Priority | Lower value = more preferred (like MX) |
| Weight | Load balancing among same-priority records |
| Port | TCP or UDP port number |
| Target | FQDN of the host providing the service |
Used by SIP (VoIP), XMPP (chat), LDAP, Kerberos, Active Directory, Minecraft, and Kubernetes.
DNSSEC records
DNSKEY (RFC 4034)
Contains the public key used to verify DNSSEC signatures. Published in the zone. Flags: 256 for Zone Signing Key (ZSK), 257 for Key Signing Key (KSK).
DS (RFC 4034)
Delegation Signer — a hash of a child zone’s DNSKEY, published in the parent zone. Establishes the chain of trust between parent and child. Contains key tag, algorithm, digest type, and digest.
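How a DS record pins a child DNSKEY, as an added example (not code from the original reference): it builds DNSKEY RDATA, computes the key tag with the RFC 4034 Appendix B checksum and a SHA-256 digest (digest type 2), then checks a DS against a key. The 32-byte public key is constructed filler, algorithm 15 (Ed25519) is an assumed choice, and the function names are illustrative.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bits), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """Return (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(ds, owner, rdata):
    """True when the parent's DS pins exactly this child DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:
        return False  # this example only implements SHA-256 digests
    return (tag, algorithm, 2, digest.lower()) == make_ds(owner, rdata)

# Constructed keys: same filler key bytes, differing only in the flags field.
PUBLIC_KEY = bytes(range(32))
KSK = dnskey_rdata(257, 15, PUBLIC_KEY)   # flags 257 = Key Signing Key
ZSK = dnskey_rdata(256, 15, PUBLIC_KEY)   # flags 256 = Zone Signing Key
PARENT_DS = make_ds("example.com.", KSK)  # what the parent zone would publish

if __name__ == "__main__":
    print("DS:", PARENT_DS)
    print("KSK matches:", ds_matches(PARENT_DS, "example.com.", KSK))
    print("ZSK matches:", ds_matches(PARENT_DS, "example.com.", ZSK))
```

Because the digest covers the owner name and the full RDATA, changing only the flags field (KSK to ZSK) is enough to break the match.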
RRSIG (RFC 4034)
Contains a digital signature over a set of DNS records (RRset). Every signed RRset has an accompanying RRSIG. Resolvers verify the signature using the corresponding DNSKEY.
NSEC (RFC 4034)
Proves the non-existence of a DNS name or record type by listing the next existing name in canonical order. Enables authenticated denial of existence.
NSEC3 (RFC 5155)
Like NSEC but uses hashed names to prevent zone enumeration (zone walking). Uses SHA-1 hashing with a salt and iteration count.
NSEC3PARAM (RFC 5155)
Stores the parameters for NSEC3 hashing. Published in the zone to inform authoritative servers how to generate NSEC3 records.
Modern records
HTTPS (RFC 9460)
Provides connection parameters for HTTPS services, including ALPN protocols, ECH config, and IP hints. Now represents 6.88% of all DNS queries.
example.com. 300 IN HTTPS 1 . alpn="h2,h3" ipv4hint="93.184.216.34"
Enables browsers to connect faster by learning about HTTP/2, HTTP/3, Encrypted Client Hello, and alternative IP addresses in a single DNS query.
SVCB (RFC 9460)
Generic Service Binding record — HTTPS is a specific variant. General-purpose service parameter discovery for any protocol.
CAA (RFC 8659)
Certificate Authority Authorization — specifies which CAs are authorized to issue SSL/TLS certificates for the domain.
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
Tags: issue (standard certificates), issuewild (wildcard certificates), iodef (violation reporting).
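How a CA-side check evaluates these tags, as an added example (a simplified reading of RFC 8659, not code from the original reference). The zone data is constructed and differs from the records above in one place: issuewild is ";" so that wildcard issuance is refused. ca.example.net is a hypothetical second CA.

```python
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: owner name -> CAA RRset.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
}

def relevant_rrset(name, zone):
    """Walk from the name toward the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, name, zone=ZONE):
    """True if the CA identified by ca_domain may issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # Critical bit (128) set on a tag the CA does not understand: refuse.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests obey issuewild when present, otherwise fall back to issue.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # no property restricts issuance for this request
    # Value is "<issuer domain>[; parameters]"; a bare ";" authorizes nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed - {""}

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com."),
                     ("ca.example.net", "www.example.com."),
                     ("letsencrypt.org", "*.example.com.")]:
        print(ca, name, may_issue(ca, name))
```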
Other notable records
TLSA (RFC 6698)
Stores TLS certificate associations for DANE. Binds TLS certificates to domain names via DNS rather than relying solely on CA trust. Requires DNSSEC.
_443._tcp.example.com. 3600 IN TLSA 3 1 1 abc123...
SSHFP (RFC 4255)
Stores SSH host key fingerprints. Allows SSH clients to verify host keys via DNS, preventing man-in-the-middle attacks on first connection. Requires DNSSEC for security.
NAPTR (RFC 3403)
Naming Authority Pointer — used by DDDS (Dynamic Delegation Discovery System) for rewriting or mapping values. Used in ENUM (telephone number to URI mapping) and SIP routing.
LOC (RFC 1876)
Stores geographic location (latitude, longitude, altitude). Rarely used.
HINFO (RFC 1035)
Stores host information (CPU type and OS). Largely obsolete due to security concerns about exposing host details.
Pseudo-records (wire-only)
These records exist only in the DNS wire protocol, never in zone files:
OPT (RFC 6891)
The EDNS pseudo-record. Carries extension metadata including UDP payload size, DNSSEC OK flag, cookies, client subnet, and padding. TYPE = 41. Must have owner name . (root).
TSIG (RFC 8945)
Transaction Signature — carries an HMAC authentication code for DNS messages. Used to authenticate zone transfers and dynamic updates. TYPE = 250.