Resource Record

from Wikipedia, the free encyclopedia

A resource record ( RR ) is the basic unit of information in the Domain Name System (DNS). It occurs in ASCII representation in zone files or in compressed form in DNS transport packets or DNS caches . Some RR types - so-called pseudo resource records - are only used in DNS transport packets.

RR format in zone files

The format shown here refers to the ASCII representation used in zone files. In caches or on the transport route, a form with the same content but compressed is used. There RR types are expressed by numbers between 1 and 255. The same applies to Class and TTL .

ASCII format: <name> [<ttl>] [<class>] <type> [<rdlength>] <rdata>

  • <name> The domain name of the object to which the resource record belongs
  • <ttl> time to live (in seconds). Validity of the resource record (optional)
  • <class> Protocol group to which the resource record belongs (optional)
  • <type> describes the type of the resource record
  • <rdlength> Length of the data that describe the resource record in more detail (optional)
  • <rdata> (resource data) Data that describe the resource record in more detail (for example an IP address for an A-RR, or a host name for an NS-RR)

For some types there are further fields that are placed immediately before <rdata> (see example below: MX). The optional components can be omitted in certain cases. The name server then automatically uses the last value of this component.

The allowed classes

In practice, IN is used almost without exception. The other classes are only of historical importance. By BIND servers CH is used occasionally to the version number to publish a name server.

The most important RR types

Type Value (decimal) Defining RFC description function
A. 1 RFC 1035 Address record Returns the 32 bit IPv4 address of a host. Most commonly used for assigning a host name to an IP address of the host, but is also used for DNSBLs , storing subnet masks and the like.
AAAA 28 RFC 3596 IPv6 address record Returns the 128 bit IPv6 address of a host. Most commonly used to map a host name to a host's IP address.
AFSDB 18th RFC 1183 AFS database record Resource record for the location of the Andrew File System's Cell Database Server . This RR is usually used by AFS clients to notify AFS cells outside of their local domain. A subtype of this RR is used by the now outdated DCE / DFS file system.
APL 42 RFC 3123 Address Prefix List Listing of address ranges, e.g. B. in CIDR format, for different address families. Introduced on a trial basis.
A6 Resource record of procedure A6 for partial address resolution under IPv6. Obsolete now.
CAA 257 RFC 6844 Certification Authority Authorization Certification Authority (CA) Blocking that restricts authorized CAs for a host or domain
CDNSKEY 60 RFC 7344 Child DNSKEY Child copy of a DNSKEY record in order to transfer it to its parent record
CDS 59 RFC 7344 Child DS Child copy of a DS record in order to transfer it to its parent record
CERT 37 RFC 4398 Certificate record Resource record for storing certificates such as PKIX , SPKI and PGP
CNAME 5 RFC 1035 Canonical name record Canonical name for a host (the domain with this RR is an alias)
DHCID 49 RFC 4701 DHCP identifier Used in conjunction with the FQDN option for DHCP .
DLV 32769 RFC 4431 DNSSEC Lookaside Validation record Used to publish DNSSEC Trust Anchors outside the DNS delegation chain . Uses the same format as the DS Record. RFC 5074 describes the type of use of these records.
DNAME 39 RFC 2672 Delegation name Alias ​​for a name and all of its subnames. Similar to CNAME, but instead of an alias only for a matching name, DNAME is responsible for entire domains. Similar to CNAME, the search in the DNS is continued by constantly trying to find the new name.
DNSKEY 48 RFC 4034 DNS key record Contains a public key assigned to the name and replaced the KEY type at DNSSEC in 2004 .
DS 43 RFC 4034 Delegation Signer Used to identify and chain DNSSEC-signed zones
GPOS Geographical position Geographical position, out of date.
HIP 55 RFC 5205 Host Identity Protocol Method of separating endpoint tagging and location functions from IP addresses .
HINFO 13 RFC 1035 Host information Information from the host such as processor type and operating system
IPSECKEY 45 RFC 4025 IPsec key Key entry that can be used with IPsec
ISDN ISDN ISDN number, is rarely used.
KEY 25th RFC 2535 and RFC 2930 Key record Contains a public key assigned to the name and has not been used by DNSSEC since 2004 .

Used only for SIG (0) ( RFC 2931 ) and TKEY ( RFC 2930 ). RFC 3445 excluded their use for application keys and restricted their use to DNSSEC. RFC 3755 marks DNSKEY as the replacement within DNSSEC. RFC 4025 names IPSECKEY as a replacement when using IPsec.

KX 36 RFC 2230 Key eXchanger record Used in some cryptographic systems (not including DNSSEC) to designate a key management agent for the associated domain name. This has nothing to do with DNS security. This entry is merely an information status indication rather than being tracked by IETF standards. It has always had limited development but is still in use.
LOC 29 RFC 1876 Location record Lists a geographic location (location) that can be associated with a domain name.
MB Mailbox domain name Specifies a domain name in connection with a mailbox. Experimental
MD Mail destination No longer in use. Nowadays, MX is used.
MF Mail forwarder No longer in use. Nowadays, MX is used.
MG Mail Group member Experimental
MINFO Mailbox or mail list information
MR Mail Rename domain name Experimental
MX 15th RFC 1035 and RFC 7505 Mail eXchange record Assigns the mail server responsible for this domain to a list of mail transfer agents .
NAPTR 35 RFC 3403 Naming Authority Pointer An extension of the A Resource Record that allows the regular spelling of domain names. This can then be used in URIs , other domain names for looking up, etc.
NS 2 RFC 1035 Name server record Host name of an authoritative name server. Transmits a DNS zone to use the specified name servers .
NSAP 2 Network Service Access Point
NSEC 47 RFC 4034 Next-Secure record Concatenates DNS entries in DNSSEC signed zones and is used to prove that a name does not exist. Uses the same format as the NXT type, which was replaced in 2004 .
NSEC3 50 RFC 5155 NSEC record version 3 or NSEC hashed Alternative to NSEC RR without zone enumeration problem (since 2008). Provides evidence that a name is missing without allowing a zone to be crossed.
NSEC3PARAM 51 RFC 5155 NSEC3 parameters Parameter entry for NSEC3.
ZERO Zero resource record Experimental
NXT Next Resource Record Outdated. Has been replaced by the practically identical NSEC Resource Record.
OPT RFC 2671 Resource Record option Pseudo RR, marks a packet as an Extended DNS packet ( EDNS ), provides 16 additional flags and expands response codes by eight bytes (a total of three response codes can be accommodated in one packet).
PTR 12 RFC 1035 Pointer record Domain Name Pointer to a canonical name for reverse mapping to assign names to IP addresses. In contrast to CNAME , DNS processing is terminated and only the name is returned. The most common general use of PTR is to implement reverse mappings, but it is also used for DNS-SD .
RP 17th RFC 1183 Responsible person Information about the person (s) responsible for the domain. Usually an email address with the '@' followed by a '.' was replaced.
RRSIG 46 RFC 4034 DNSSEC Signature Includes a digital signature for the entry. Has been used by DNSSEC (= DNS Security ) since 2004 and replaces the SIG of the same format.
SIG 24 RFC 2535 Signature Contains a digital signature that is used in SIG (0) ( RFC 2931 ) and TKEY ( RFC 2930 ). SIG is out of date and was used by DNSSEC (= DNS Security ) until 2004 . RFC 3755 names RRSIG as a replacement for SIG for use in DNSSEC.
SOA 6th RFC 1035 and RFC 2308 Start of [a zone of] authority Lists mandatory information about a DNS zone , including the primary name server , the domain administrator's email address, the domain serial number, and information about multiple timers related to the zone's update.
SPF Sender Policy Framework (formerly Sender Permitted From ) The SPF entry is intended to prevent the falsification of the sender address of an email . It originated as a method to ward off spam . The record type is obsolete and has been replaced by TXT.
SRV 33 RFC 2782 Service locator Generalizing entry on services offered. Is used by newer protocols instead of creating protocol-specific entries, as is the case with MX.
SSHFP 44 RFC 4255 SSH public key fingerprint Publication of the fingerprints of SSH keys in the DNS to support the verification of the authenticity of a host. RFC 6594 defines the ECC SSH key and the SHA-256 hashes. Details can be found at the IANA SSHFP RR parameters registry .
TA 32768 - DNSSEC Trust Authorities Part of a development proposal for DNSSEC without a signed DNS root. For details see the IANA database and the Weiler specifications . TA uses the same format as the DS Resource Record .
TKEY 249 RFC 2930 Secret Key A method to provide articles for keys that can be used with TSIG and that is encrypted there within the public key with the accompanying KEY resource record .
TLSA 52 RFC 6698 TLSA certificate association Entry required for the DNS-based Authentication of Named Entities (DANE) protocol , which is used to secure data traffic. RFC 6698 defines the use of the TLSA Resource Record (RR) as the connection of a TLS server certificate or a public key with the domain name where the entry is found. The connection therefore creates a 'TLSA certificate connection'.
TSIG 250 RFC 2845 Transaction Signature Similar to DNSSEC, it can be used to authenticate dynamic updates as if they were coming from a shared client or to authenticate responses as if they were coming from a shared recursive name server.
TXT 16 RFC 1035 Text record Originally conceived for freely definable and human readable text in DNS entries. However, since the early 1990s this entry often includes a. also machine-readable data as specified in RFC 1464 , Sender Policy Framework (SPF) , DomainKeys , DMARC (Domain-based Message Authentication, Reporting and Conformance), DNS-SD and Google Site Verification.
URI 256 RFC 7553 Uniform Resource Identifier Used to publish mappings of hostnames to URIs.
WKS RFC 0974 Well known service Used in mail forwarding and stores information about network services (such as SMTP ) that a given domain name supports.
X25 RFC 1356 X.25 address Specifies the encapsulation of IP and other network layer protocols over X.25 networks. Seldom used.

Examples        3600  IN  A
                                IN  TXT     "für DNS-Test"
 abc                      1800  IN  MX  10
 dns1                               NS           PTR

Individual evidence

  1. a b c d e f g h Paul Mockapetris : RFC 1035: Domain Names - Implementation and Specification . Network Working Group of the IETF ( Internet Engineering Task Force ). November 1987. Retrieved February 20, 2015.
  2. RFC 3596: DNS Extensions to Support IP Version 6 . The Internet Society . October 2003. Retrieved February 20, 2015.
  3. RFC 2535 , §3
  4. RFC 3445 , §1. "The KEY RR was defined in [ RFC 2930 ] ..."
  5. RFC 2931 , §2.4. "SIG (0) on the other hand, uses public key authentication, where the public keys are stored in DNS as KEY RRs and a private key is stored at the signer."
  6. RFC 3445 , §1. "DNSSEC will be the only allowable sub-type for the KEY RR ..."
  7. a b c RFC 3755 , §3. “DNSKEY will be the replacement for KEY, with the mnemonic indicating that these keys are not for application use, per [RFC3445]. RRSIG (Resource Record SIGnature) will replace SIG, and NSEC (Next SECure) will replace NXT. These new types completely replace the old types, except that SIG (0) [RFC2931] and TKEY [RFC2930] will continue to use SIG and KEY. "
  8. RFC 4025 , abstract. "This record replaces the functionality of the sub-type # 4 of the KEY Resource Record, which has been obsoleted by RFC 3445. "
  9. RFC 2671 , §4. "An OPT is called a pseudo-RR because it pertains to a particular transport level message and not to any actual DNS data."
  10. The minimum field of SOA record is redefined to be the TTL of NXDOMAIN reply in RFC 2308 .
  11. RFC 2930 , §6. "... the keying material is sent within the key data field of a TKEY RR encrypted under the public key in an accompanying KEY RR [ RFC 2535 ]."
  12. P. Hoffman, VPN Consortium: RFC 6698: The DNS-Based Authentication of Named Entities (DANE), Transport Layer Security (TLS) Protocol: TLSA . Network Working Group of the IETF ( Internet Engineering Task Force ). August 2012. Retrieved February 20, 2015. “The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a 'TLSA certificate association'”
  13. ^ A b Craig Partridge, CSNET CIC BBN Laboratories Inc: RFC 0974: MAIL ROUTING AND THE DOMAIN SYSTEM . January 1986. Retrieved February 20, 2015. “[…] the Well Known Service (WKS) RR, which stores information about network services (such as SMTP) supports a given domain name.”