DNS Record Types Reference

Every DNS record type with RDATA format, TTL notes and use cases.

Searchable DNS record type reference covering A, AAAA, CNAME, MX, TXT, SRV, CAA, DNSKEY, HTTPS and more, with RDATA format, TTL guidance and the RFC that defines each type. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between A and AAAA records?

An A record maps a hostname to a 32-bit IPv4 address, while an AAAA record maps it to a 128-bit IPv6 address. A dual-stack host publishes both so clients can connect over whichever protocol they support.

DNS record types reference

The Domain Name System stores far more than IP addresses. Each record type answers a specific question: where is this host (A/AAAA), what is its canonical name (CNAME), who handles its mail (MX), what text policies apply (TXT), which services exist (SRV), which CAs may issue certs (CAA), and how to validate signatures (DNSSEC types). Picking the right type, formatting its RDATA correctly, and setting a sensible TTL is the difference between a working domain and a broken one. Search the reference above by type, numeric code, or keyword.

How it works

Every DNS record has an owner name, a type, a class (almost always IN), a TTL, and type-specific RDATA. The TTL is a cache lifetime in seconds: low TTLs (300s) let you change records quickly at the cost of more queries, while high TTLs (a day or more) cache aggressively for stable records. Some types have structural rules — a CNAME cannot share a name with any other record and cannot sit at the zone apex, which is why providers offer ALIAS/ANAME or the newer HTTPS/SVCB records for apex pointing. DNSSEC layers cryptographic types on top: DNSKEY (public keys), RRSIG (signatures), DS (delegation hash in the parent), and NSEC/NSEC3 (authenticated denial of existence) together build a verifiable chain of trust.

Tips and examples

  • Lower a record’s TTL a day before a planned migration so resolvers pick up the change quickly, then raise it again once stable.
  • Keep SPF, DKIM, and DMARC as TXT records — the dedicated SPF type is obsolete and ignored.
  • Add a CAA record (issue "letsencrypt.org") to restrict which CAs can mint certs for your domain.
  • Prefer HTTPS/SVCB records to advertise ALPN, ports, and ECH; they let clients connect faster and more securely and solve apex aliasing cleanly.

Choosing the right type for common tasks

Many common DNS tasks have more than one record type that looks relevant. Here is how to pick the correct one:

Pointing a subdomain to an IP address. Use A for IPv4 and AAAA for IPv6. Publish both if your server is dual-stack so clients can choose the protocol they prefer.

Pointing a subdomain to another hostname (aliasing). Use CNAME if the subdomain has no other records and is not the zone apex. For apex aliasing — pointing example.com rather than www.example.com — use your provider’s ALIAS or ANAME record, or the standards-track HTTPS record type.

Routing email. MX records list mail servers with a numeric priority; lower numbers are tried first. Each MX target must resolve to an A/AAAA record — it cannot itself be a CNAME.

Email authentication. Three TXT records work together: v=spf1 ... at the bare domain for SPF, _domainkey.<selector>._domainkey.example.com TXT v=DKIM1; ... for DKIM public keys, and _dmarc.example.com TXT v=DMARC1; ... for DMARC policy.

Service discovery. SRV records advertise where a specific protocol runs, in the format _service._proto.name TTL IN SRV priority weight port target. XMPP, SIP, and CalDAV clients use these to find servers automatically.

Certificate authority restriction. A CAA record at the zone apex limits which certificate authorities may issue TLS certificates for your domain. Adding issue "letsencrypt.org" while omitting other issuers means only Let’s Encrypt may mint a certificate — other CAs are required to check and refuse.

DNSSEC record chain

If your zone is DNSSEC-signed, four additional record types appear alongside your normal records:

TypePurpose
DNSKEYZone’s public signing keys
RRSIGSignature over each record set
DSHash of child zone’s key, published in parent
NSEC / NSEC3Authenticated proof that a name does not exist

A validating resolver builds a chain of trust from the root (DS in root → DNSKEY in TLD → DS in TLD → DNSKEY in your zone) before accepting an answer as authentic.