DNS record types reference
The Domain Name System stores far more than IP addresses. Each record type answers a specific question: where is this host (A/AAAA), what is its canonical name (CNAME), who handles its mail (MX), what text policies apply (TXT), which services exist (SRV), which CAs may issue certs (CAA), and how to validate signatures (DNSSEC types). Picking the right type, formatting its RDATA correctly, and setting a sensible TTL is the difference between a working domain and a broken one. Search the reference above by type, numeric code, or keyword.
How it works
Every DNS record has an owner name, a type, a class (almost always IN), a TTL, and type-specific RDATA. The TTL is a cache lifetime in seconds: low TTLs (300s) let you change records quickly at the cost of more queries, while high TTLs (a day or more) cache aggressively for stable records. Some types have structural rules — a CNAME cannot share a name with any other record and cannot sit at the zone apex, which is why providers offer ALIAS/ANAME or the newer HTTPS/SVCB records for apex pointing. DNSSEC layers cryptographic types on top: DNSKEY (public keys), RRSIG (signatures), DS (delegation hash in the parent), and NSEC/NSEC3 (authenticated denial of existence) together build a verifiable chain of trust.
Tips and examples
- Lower a record’s TTL a day before a planned migration so resolvers pick up the change quickly, then raise it again once stable.
- Keep SPF, DKIM, and DMARC as
TXTrecords — the dedicated SPF type is obsolete and ignored. - Add a
CAArecord (issue "letsencrypt.org") to restrict which CAs can mint certs for your domain. - Prefer
HTTPS/SVCBrecords to advertise ALPN, ports, and ECH; they let clients connect faster and more securely and solve apex aliasing cleanly.
Choosing the right type for common tasks
Many common DNS tasks have more than one record type that looks relevant. Here is how to pick the correct one:
Pointing a subdomain to an IP address. Use A for IPv4 and AAAA for IPv6. Publish both if your server is dual-stack so clients can choose the protocol they prefer.
Pointing a subdomain to another hostname (aliasing). Use CNAME if the subdomain has no other records and is not the zone apex. For apex aliasing — pointing example.com rather than www.example.com — use your provider’s ALIAS or ANAME record, or the standards-track HTTPS record type.
Routing email. MX records list mail servers with a numeric priority; lower numbers are tried first. Each MX target must resolve to an A/AAAA record — it cannot itself be a CNAME.
Email authentication. Three TXT records work together: v=spf1 ... at the bare domain for SPF, _domainkey.<selector>._domainkey.example.com TXT v=DKIM1; ... for DKIM public keys, and _dmarc.example.com TXT v=DMARC1; ... for DMARC policy.
Service discovery. SRV records advertise where a specific protocol runs, in the format _service._proto.name TTL IN SRV priority weight port target. XMPP, SIP, and CalDAV clients use these to find servers automatically.
Certificate authority restriction. A CAA record at the zone apex limits which certificate authorities may issue TLS certificates for your domain. Adding issue "letsencrypt.org" while omitting other issuers means only Let’s Encrypt may mint a certificate — other CAs are required to check and refuse.
DNSSEC record chain
If your zone is DNSSEC-signed, four additional record types appear alongside your normal records:
| Type | Purpose |
|---|---|
DNSKEY | Zone’s public signing keys |
RRSIG | Signature over each record set |
DS | Hash of child zone’s key, published in parent |
NSEC / NSEC3 | Authenticated proof that a name does not exist |
A validating resolver builds a chain of trust from the root (DS in root → DNSKEY in TLD → DS in TLD → DNSKEY in your zone) before accepting an answer as authentic.