A resource record ( RR ) is the basic unit of information in the Domain Name System (DNS). It occurs in ASCII representation in zone files or in compressed form in DNS transport packets or DNS caches . Some RR types - so-called pseudo resource records - are only used in DNS transport packets.
RR format in zone files
The format shown here refers to the ASCII representation used in zone files. In caches or on the transport route, a form with the same content but compressed is used. There RR types are expressed by numbers between 1 and 255. The same applies to Class and TTL .
<name> [<ttl>] [<class>] <type> [<rdlength>] <rdata>
- <name> The domain name of the object to which the resource record belongs
- <ttl> time to live (in seconds). Validity of the resource record (optional)
- <class> Protocol group to which the resource record belongs (optional)
- <type> describes the type of the resource record
- <rdlength> Length of the data that describe the resource record in more detail (optional)
- <rdata> (resource data) Data that describe the resource record in more detail (for example an IP address for an A-RR, or a host name for an NS-RR)
For some types there are further fields that are placed immediately before <rdata> (see example below: MX). The optional components can be omitted in certain cases. The name server then automatically uses the last value of this component.
The allowed classes
In practice, IN is used almost without exception. The other classes are only of historical importance. By BIND servers CH is used occasionally to the version number to publish a name server.
The most important RR types
|Type||Value (decimal)||Defining RFC||description||function|
|A.||1||RFC 1035||Address record||Returns the 32 bit IPv4 address of a host. Most commonly used for assigning a host name to an IP address of the host, but is also used for DNSBLs , storing subnet masks and the like.|
|AAAA||28||RFC 3596||IPv6 address record||Returns the 128 bit IPv6 address of a host. Most commonly used to map a host name to a host's IP address.|
|AFSDB||18th||RFC 1183||AFS database record||Resource record for the location of the Andrew File System's Cell Database Server . This RR is usually used by AFS clients to notify AFS cells outside of their local domain. A subtype of this RR is used by the now outdated DCE / DFS file system.|
|APL||42||RFC 3123||Address Prefix List||Listing of address ranges, e.g. B. in CIDR format, for different address families. Introduced on a trial basis.|
|A6||Resource record of procedure A6 for partial address resolution under IPv6. Obsolete now.|
|CAA||257||RFC 6844||Certification Authority Authorization||Certification Authority (CA) Blocking that restricts authorized CAs for a host or domain|
|CDNSKEY||60||RFC 7344||Child DNSKEY||Child copy of a DNSKEY record in order to transfer it to its parent record|
|CDS||59||RFC 7344||Child DS||Child copy of a DS record in order to transfer it to its parent record|
|CERT||37||RFC 4398||Certificate record||Resource record for storing certificates such as PKIX , SPKI and PGP|
|CNAME||5||RFC 1035||Canonical name record||Canonical name for a host (the domain with this RR is an alias)|
|DHCID||49||RFC 4701||DHCP identifier||Used in conjunction with the FQDN option for DHCP .|
|DLV||32769||RFC 4431||DNSSEC Lookaside Validation record||Used to publish DNSSEC Trust Anchors outside the DNS delegation chain . Uses the same format as the DS Record. RFC 5074 describes the type of use of these records.|
|DNAME||39||RFC 2672||Delegation name||Alias for a name and all of its subnames. Similar to CNAME, but instead of an alias only for a matching name, DNAME is responsible for entire domains. Similar to CNAME, the search in the DNS is continued by constantly trying to find the new name.|
|DNSKEY||48||RFC 4034||DNS key record||Contains a public key assigned to the name and replaced the KEY type at DNSSEC in 2004 .|
|DS||43||RFC 4034||Delegation Signer||Used to identify and chain DNSSEC-signed zones|
|GPOS||Geographical position||Geographical position, out of date.|
|HIP||55||RFC 5205||Host Identity Protocol||Method of separating endpoint tagging and location functions from IP addresses .|
|HINFO||13||RFC 1035||Host information||Information from the host such as processor type and operating system|
|IPSECKEY||45||RFC 4025||IPsec key||Key entry that can be used with IPsec|
|ISDN||ISDN||ISDN number, is rarely used.|
|KEY||25th||RFC 2535 and RFC 2930||Key record||Contains a public key assigned to the name and has not been used by DNSSEC since 2004 .
Used only for SIG (0) ( RFC 2931 ) and TKEY ( RFC 2930 ). RFC 3445 excluded their use for application keys and restricted their use to DNSSEC. RFC 3755 marks DNSKEY as the replacement within DNSSEC. RFC 4025 names IPSECKEY as a replacement when using IPsec.
|KX||36||RFC 2230||Key eXchanger record||Used in some cryptographic systems (not including DNSSEC) to designate a key management agent for the associated domain name. This has nothing to do with DNS security. This entry is merely an information status indication rather than being tracked by IETF standards. It has always had limited development but is still in use.|
|LOC||29||RFC 1876||Location record||Lists a geographic location (location) that can be associated with a domain name.|
|MB||Mailbox domain name||Specifies a domain name in connection with a mailbox. Experimental|
|MD||Mail destination||No longer in use. Nowadays, MX is used.|
|MF||Mail forwarder||No longer in use. Nowadays, MX is used.|
|MG||Mail Group member||Experimental|
|MINFO||Mailbox or mail list information|
|MR||Mail Rename domain name||Experimental|
|MX||15th||RFC 1035 and RFC 7505||Mail eXchange record||Assigns the mail server responsible for this domain to a list of mail transfer agents .|
|NAPTR||35||RFC 3403||Naming Authority Pointer||An extension of the A Resource Record that allows the regular spelling of domain names. This can then be used in URIs , other domain names for looking up, etc.|
|NS||2||RFC 1035||Name server record||Host name of an authoritative name server. Transmits a DNS zone to use the specified name servers .|
|NSAP||2||Network Service Access Point|
|NSEC||47||RFC 4034||Next-Secure record||Concatenates DNS entries in DNSSEC signed zones and is used to prove that a name does not exist. Uses the same format as the NXT type, which was replaced in 2004 .|
|NSEC3||50||RFC 5155||NSEC record version 3 or NSEC hashed||Alternative to NSEC RR without zone enumeration problem (since 2008). Provides evidence that a name is missing without allowing a zone to be crossed.|
|NSEC3PARAM||51||RFC 5155||NSEC3 parameters||Parameter entry for NSEC3.|
|ZERO||Zero resource record||Experimental|
|NXT||Next Resource Record||Outdated. Has been replaced by the practically identical NSEC Resource Record.|
|OPT||RFC 2671||Resource Record option||Pseudo RR, marks a packet as an Extended DNS packet ( EDNS ), provides 16 additional flags and expands response codes by eight bytes (a total of three response codes can be accommodated in one packet).|
|PTR||12||RFC 1035||Pointer record||Domain Name Pointer to a canonical name for reverse mapping to assign names to IP addresses. In contrast to CNAME , DNS processing is terminated and only the name is returned. The most common general use of PTR is to implement reverse mappings, but it is also used for DNS-SD .|
|RP||17th||RFC 1183||Responsible person||Information about the person (s) responsible for the domain. Usually an email address with the '@' followed by a '.' was replaced.|
|RRSIG||46||RFC 4034||DNSSEC Signature||Includes a digital signature for the entry. Has been used by DNSSEC (= DNS Security ) since 2004 and replaces the SIG of the same format.|
|SIG||24||RFC 2535||Signature||Contains a digital signature that is used in SIG (0) ( RFC 2931 ) and TKEY ( RFC 2930 ). SIG is out of date and was used by DNSSEC (= DNS Security ) until 2004 . RFC 3755 names RRSIG as a replacement for SIG for use in DNSSEC.|
|SOA||6th||RFC 1035 and RFC 2308||Start of [a zone of] authority||Lists mandatory information about a DNS zone , including the primary name server , the domain administrator's email address, the domain serial number, and information about multiple timers related to the zone's update.|
|SPF||Sender Policy Framework (formerly Sender Permitted From )||The SPF entry is intended to prevent the falsification of the sender address of an email . It originated as a method to ward off spam . The record type is obsolete and has been replaced by TXT.|
|SRV||33||RFC 2782||Service locator||Generalizing entry on services offered. Is used by newer protocols instead of creating protocol-specific entries, as is the case with MX.|
|SSHFP||44||RFC 4255||SSH public key fingerprint||Publication of the fingerprints of SSH keys in the DNS to support the verification of the authenticity of a host. RFC 6594 defines the ECC SSH key and the SHA-256 hashes. Details can be found at the IANA SSHFP RR parameters registry .|
|TA||32768||-||DNSSEC Trust Authorities||Part of a development proposal for DNSSEC without a signed DNS root. For details see the IANA database and the Weiler specifications . TA uses the same format as the DS Resource Record .|
|TKEY||249||RFC 2930||Secret Key||A method to provide articles for keys that can be used with TSIG and that is encrypted there within the public key with the accompanying KEY resource record .|
|TLSA||52||RFC 6698||TLSA certificate association||Entry required for the DNS-based Authentication of Named Entities (DANE) protocol , which is used to secure data traffic. RFC 6698 defines the use of the TLSA Resource Record (RR) as the connection of a TLS server certificate or a public key with the domain name where the entry is found. The connection therefore creates a 'TLSA certificate connection'.|
|TSIG||250||RFC 2845||Transaction Signature||Similar to DNSSEC, it can be used to authenticate dynamic updates as if they were coming from a shared client or to authenticate responses as if they were coming from a shared recursive name server.|
|TXT||16||RFC 1035||Text record||Originally conceived for freely definable and human readable text in DNS entries. However, since the early 1990s this entry often includes a. also machine-readable data as specified in RFC 1464 , Sender Policy Framework (SPF) , DomainKeys , DMARC (Domain-based Message Authentication, Reporting and Conformance), DNS-SD and Google Site Verification.|
|URI||256||RFC 7553||Uniform Resource Identifier||Used to publish mappings of hostnames to URIs.|
|WKS||RFC 0974||Well known service||Used in mail forwarding and stores information about network services (such as SMTP ) that a given domain name supports.|
|X25||RFC 1356||X.25 address||Specifies the encapsulation of IP and other network layer protocols over X.25 networks. Seldom used.|
test.example.com. 3600 IN A 172.30.0.7 IN TXT "für DNS-Test" abc 1800 IN MX 10 test.example.com. dns1 NS nameserver.example.org. 126.96.36.199.in-addr.arpa. PTR test.example.com.
- Paul Mockapetris : RFC 1035: Domain Names - Implementation and Specification . Network Working Group of the IETF ( Internet Engineering Task Force ). November 1987. Retrieved February 20, 2015.
- RFC 3596: DNS Extensions to Support IP Version 6 . The Internet Society . October 2003. Retrieved February 20, 2015.
- RFC 2535 , §3
- RFC 3445 , §1. "The KEY RR was defined in [ RFC 2930 ] ..."
- RFC 2931 , §2.4. "SIG (0) on the other hand, uses public key authentication, where the public keys are stored in DNS as KEY RRs and a private key is stored at the signer."
- RFC 3445 , §1. "DNSSEC will be the only allowable sub-type for the KEY RR ..."
- RFC 3755 , §3. “DNSKEY will be the replacement for KEY, with the mnemonic indicating that these keys are not for application use, per [RFC3445]. RRSIG (Resource Record SIGnature) will replace SIG, and NSEC (Next SECure) will replace NXT. These new types completely replace the old types, except that SIG (0) [RFC2931] and TKEY [RFC2930] will continue to use SIG and KEY. "
- RFC 4025 , abstract. "This record replaces the functionality of the sub-type # 4 of the KEY Resource Record, which has been obsoleted by RFC 3445. "
- RFC 2671 , §4. "An OPT is called a pseudo-RR because it pertains to a particular transport level message and not to any actual DNS data."
- The minimum field of SOA record is redefined to be the TTL of NXDOMAIN reply in RFC 2308 .
- RFC 2930 , §6. "... the keying material is sent within the key data field of a TKEY RR encrypted under the public key in an accompanying KEY RR [ RFC 2535 ]."
- P. Hoffman, VPN Consortium: RFC 6698: The DNS-Based Authentication of Named Entities (DANE), Transport Layer Security (TLS) Protocol: TLSA . Network Working Group of the IETF ( Internet Engineering Task Force ). August 2012. Retrieved February 20, 2015. “The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a 'TLSA certificate association'”
- Craig Partridge, CSNET CIC BBN Laboratories Inc: RFC 0974: MAIL ROUTING AND THE DOMAIN SYSTEM . January 1986. Retrieved February 20, 2015. “[…] the Well Known Service (WKS) RR, which stores information about network services (such as SMTP) supports a given domain name.”