List of DNS record types explained

This list of DNS record types is an overview of resource records (RRs) permissible in zone files of the Domain Name System (DNS). It also contains pseudo-RRs.

Resource records

TypeType id (decimal)Defining RFCDescriptionFunction

A

1RFC 1035[1] Address recordReturns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc.

AAAA

28RFC 3596[2] IPv6 address recordReturns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.

AFSDB

18RFC 1183AFS database recordLocation of database servers of an AFS cell. This record is commonly used by AFS clients to contact AFS cells outside their local domain. A subtype of this record is used by the obsolete DCE/DFS file system.

APL

42RFC 3123Address Prefix ListSpecify lists of address ranges, e.g. in CIDR format, for various address families. Experimental.

CAA

257Certification Authority AuthorizationDNS Certification Authority Authorization, constraining acceptable CAs for a host/domain

CDNSKEY

60RFC 7344Child copy of DNSKEY record, for transfer to parent

CDS

59RFC 7344Child DSChild copy of DS record, for transfer to parent

CERT

37RFC 4398Certificate recordStores PKIX, SPKI, PGP, etc.
CNAME5RFC 1035Canonical name recordAlias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.

CSYNC

62RFC 7477Child-to-Parent SynchronizationSpecify a synchronization mechanism between a child and a parent DNS zone. Typical example is declaring the same NS records in the parent and the child zone

DHCID

49RFC 4701DHCP identifierUsed in conjunction with the FQDN option to DHCP

DLV

32769RFC 4431DNSSEC Lookaside Validation recordFor publishing DNSSEC trust anchors outside of the DNS delegation chain. Uses the same format as the DS record. RFC 5074 describes a way of using these records.

DNAME

39RFC 6672Delegation name recordAlias for a name and all its subnames, unlike CNAME, which is an alias for only the exact name. Like a CNAME record, the DNS lookup will continue by retrying the lookup with the new name.

DNSKEY

48RFC 4034DNS Key recordThe key record used in DNSSEC. Uses the same format as the KEY record.

DS

43RFC 4034Delegation signerThe record used to identify the DNSSEC signing key of a delegated zone
EUI48108RFC 7043MAC address (EUI-48)A 48-bit IEEE Extended Unique Identifier.
EUI64109RFC 7043MAC address (EUI-64)A 64-bit IEEE Extended Unique Identifier.

HINFO

13RFC 8482Host InformationProviding Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY

HIP

55RFC 8005Host Identity ProtocolMethod of separating the end-point identifier and locator roles of IP addresses.

HTTPS

65RFC 9460HTTPS BindingRR that improves performance for clients that need to resolve many resources to access a domain.

IPSECKEY

45RFC 4025IPsec KeyKey record that can be used with IPsec

KEY

25RFC 2535[3] and RFC 2930[4] Key recordUsed only for SIG(0) (RFC 2931) and TKEY (RFC 2930).[5] RFC 3445 eliminated their use for application keys and limited their use to DNSSEC.[6] RFC 3755 designates DNSKEY as the replacement within DNSSEC.[7] RFC 4025 designates IPSECKEY as the replacement for use with IPsec.[8]

KX

36RFC 2230Key Exchanger recordUsed with some cryptographic systems (not including DNSSEC) to identify a key management agent for the associated domain-name. Note that this has nothing to do with DNS Security. It is Informational status, rather than being on the IETF standards-track. It has always had limited deployment, but is still in use.
LOC29RFC 1876Location recordSpecifies a geographical location associated with a domain name
MX15RFC 1035 and RFC 7505Mail exchange recordList of mail exchange servers that accept email for a domain
NAPTR35RFC 3403Naming Authority PointerAllows regular-expression-based rewriting of domain names which can then be used as URIs, further domain names to lookups, etc.

NS

2RFC 1035Name server recordDelegates a DNS zone to use the given authoritative name servers

NSEC

47RFC 4034Next Secure recordPart of DNSSEC - used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.

NSEC3

50RFC 5155Next Secure record version 3An extension to DNSSEC that allows proof of nonexistence for a name without permitting zonewalking

NSEC3PARAM

51RFC 5155NSEC3 parametersParameter record for use with NSEC3
OPENPGPKEY61RFC 7929OpenPGP public key recordA DNS-based Authentication of Named Entities (DANE) method for publishing and locating OpenPGP public keys in DNS for a specific email address using an OPENPGPKEY DNS resource record.

PTR

12RFC 1035Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.

RP

17RFC 1183Responsible PersonInformation about the responsible person(s) for the domain. Usually an email address with the @ replaced by a .

RRSIG

46RFC 4034DNSSEC signatureSignature for a DNSSEC-secured record set. Uses the same format as the SIG record.

SIG

24RFC 2535SignatureSignature record used in SIG(0) (RFC 2931) and TKEY (RFC 2930). RFC 3755 designated RRSIG as the replacement for SIG for use within DNSSEC.
SMIMEA53RFC 8162[9] S/MIME cert association[10] Associates an S/MIME certificate with a domain name for sender authentication.
SOA6RFC 1035 and RFC 2308[11] Start of [a zone of] authority recordSpecifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
SRV33RFC 2782Service locatorGeneralized service location record, used for newer protocols instead of creating protocol-specific records such as MX.

SSHFP

44RFC 4255SSH Public Key FingerprintResource record for publishing SSH public host key fingerprints in the DNS, in order to aid in verifying the authenticity of the host. RFC 6594 defines ECC SSH keys and SHA-256 hashes. See the IANA SSHFP RR parameters registry for details.

SVCB

64RFC 9460Service BindingRR that improves performance for clients that need to resolve many resources to access a domain.

TA

32768DNSSEC Trust AuthoritiesPart of a deployment proposal for DNSSEC without a signed DNS root. See the IANA database and Weiler Spec for details. Uses the same format as the DS record.

TKEY

249RFC 2930Transaction Key recordA method of providing keying material to be used with TSIG that is encrypted under the public key in an accompanying KEY RR.[12]

TLSA

52RFC 6698TLSA certificate associationA record for DANE. RFC 6698 defines "The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a 'TLSA certificate association'".

TSIG

250RFC 2845Transaction SignatureCan be used to authenticate dynamic updates as coming from an approved client, or to authenticate responses as coming from an approved recursive name server[13] similar to DNSSEC.

TXT

16RFC 1035Text recordOriginally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc.

URI

256RFC 7553Uniform Resource IdentifierCan be used for publishing mappings from hostnames to URIs.
WALLET262DocumentationCrypto-currency addressCan be used to expose crypto-currency wallet address associated with a domain name.

ZONEMD

63RFC 8976Message Digests for DNS ZonesProvides a cryptographic message digest over DNS zone data at rest.

Other types and pseudo-RRs

Other types of records simply provide some types of information (for example, an HINFO record gives a description of the type of computer/OS a host uses), or others return data used in experimental features. The "type" field is also used in the protocol for various operations.

TypeType id.Defining RFCDescriptionFunction
255RFC 1035All cached recordsReturns all records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on. The records returned may not be complete. For example, if there is both an A and an MX for a name, but the name server has only the A record cached, only the A record will be returned. Usually referred to as ANY (e.g., in dig, Windows nslookup, and Wireshark). In 2019, RFC8482 [14] standards-track publication led many DNS providers, including Cloudflare,[15] to provide only minimal responses to "ANY" queries, instead of enumerating records.
AXFR252RFC 1035Authoritative Zone TransferTransfer entire zone file from the primary name server to secondary name servers.

IXFR

251RFC 1996Incremental Zone TransferRequests a zone transfer of the given zone but only differences from a previous serial number. This request may be ignored and a full (AXFR) sent in response if the authoritative server is unable to fulfill the request due to configuration or lack of required deltas.

OPT

41RFC 6891OptionThis is a pseudo-record type needed to support EDNS.

Obsolete record types

Progress has rendered some of the originally defined record-types obsolete.Of the records listed at IANA, some have limited use, for various reasons. Some are marked obsolete in the list, some are for very obscure services, some are for older versions of services, and some have special notes saying they are "not right".

TypeType id.
(decimal)
Defining RFCObsoleted byDescription
MD3RFC 883RFC 973Mail destination (MD) and mail forwarder (MF) records; MAILA is not an actual record type, but a query type which returns MF and/or MD records. RFC 973 replaced these records with the MX record.
MF 4
MAILA254
MB7RFC 883Not formally obsoleted. Unlikely to be ever adopted (RFC 2505).MB, MG, MR, and MINFO are records to publish subscriber mailing lists. MAILB is a query code which returns one of those records. The intent was for MB and MG to replace the SMTP VRFY and EXPN commands. MR was to replace the "551 User Not Local" SMTP error. Later, RFC 2505 recommended that both VRFY and EXPN be disabled, making MB and MG unnecessary. They were classified as experimental by RFC 1035.
MG8
MR9
MINFO14
MAILB253
WKS11RFC 883, RFC 1035Declared as "not to be relied upon" by RFC 1123 (more in RFC 1127).Record to describe well-known services supported by a host. Not used in practice. The current recommendation and practice is to determine whether a service is supported on an IP address by trying to connect to it. SMTP is even prohibited from using WKS records in MX processing.[16]
NB32RFC 1002Mistakes (from RFC 1002); the numbers are now assigned to NIMLOC and SRV.
NBSTAT33
NULL10RFC 883RFC 1035Obsoleted by RFC 1035. RFC 883 defined "completion queries" (opcode 2 and maybe 3) which used this record. RFC 1035 later reassigned opcode 2 to be "status" and reserved opcode 3.
A638RFC 2874RFC 6563Defined as part of early IPv6 but downgraded to experimental by RFC 3363; later downgraded to historic by RFC 6563.
NXT30RFC 2065RFC 3755Part of the first version of DNSSEC (RFC 2065). NXT was obsoleted by DNSSEC updates (RFC 3755). At the same time, the domain of applicability for KEY and SIG was also limited to not include DNSSEC use.
KEY25
SIG24
HINFO13RFC 883Unobsoleted by RFC 8482. Currently used by Cloudflare in response to queries of the type ANY.[17] Record intended to provide information about host CPU type and operating system. It was intended to allow protocols to optimize processing when communicating with similar peers.
RP17RFC 1183RP may be used for certain human-readable information regarding a different contact point for a specific host, subnet, or other domain level label separate than that used in the SOA record.
X2519Not in current use by any notable application
ISDN20Not in current use by any notable application
RT21Not in current use by any notable application
NSAP22RFC 1706Not in current use by any notable application
NSAP-PTR23Not in current use by any notable application
PX26RFC 2163Not in current use by any notable application
EID31Defined by the Nimrod DNS Internet Draft, but never made it to RFC status. Not in current use by any notable application
NIMLOC32
ATMA34Defined by The ATM Forum Committee.[18]
APL42RFC 3123Specify lists of address ranges, e.g. in CIDR format, for various address families. Experimental.
SINK40Defined by the Kitchen Sink Internet Draft, but never made it to RFC status
GPOS27RFC 1712A more limited early version of the LOC record
UINFO100IANA reserved, no RFC documented them https://web.archive.org/web/20080611185015/http://www.ops.ietf.org/lists/namedroppers/namedroppers.2004/msg00949.html and support was removed from BIND in the early 90s.
UID101
GID102
UNSPEC103
SPF99RFC 4408RFC 7208Specified as part of the Sender Policy Framework protocol as an alternative to storing SPF data in TXT records, using the same format. It was discontinued in RFC 7208 due to widespread lack of support.[19] [20]
NINFO56Used to provide status information about a zone. Requested for the IETF draft "The Zone Status (ZS) DNS Resource Record" in 2008. Expired without adoption.[21]
RKEY57Used for encryption of NAPTR records. Requested for the IETF draft "The RKEY DNS Resource Record" in 2008. Expired without adoption.[22]
TALINK58Defined by the DNSSEC Trust Anchor History Service Internet Draft, but never made it to RFC status
NID104RFC 6742Not in use by any notable application and marked as "experimental"
L32105
L64106
LP107
DOA259Defined by the DOA over DNS Internet Draft, but never made it to RFC status

Further reading

Notes and References

  1. Web site: RFC 1035: Domain Names - Implementation and Specification . Network Working Group of the IETF (Internet Engineering Task Force) . Paul Mockapetris . Paul Mockapetris . 12 . November 1987 .
  2. Web site: RFC 3596: DNS Extensions to Support IP Version 6 . . October 2003 . https://web.archive.org/web/20210414192537/https://tools.ietf.org/html/rfc3596 . 14 April 2021 . dead.
  3. RFC 2535, §3
  4. RFC 3445, §1. "The KEY RR was defined in RFC 2930..."
  5. RFC 2931, §2.4. "SIG(0) on the other hand, uses public key authentication, where the public keys are stored in DNS as KEY RRs and a private key is stored at the signer."
  6. RFC 3445, §1. "DNSSEC will be the only allowable sub-type for the KEY RR..."
  7. RFC 3755, §3. "DNSKEY will be the replacement for KEY, with the mnemonic indicating that these keys are not for application use, per RFC3445. RRSIG (Resource Record SIGnature) will replace SIG, and NSEC (Next SECure) will replace NXT. These new types completely replace the old types, except that SIG(0) RFC2931 and TKEY RFC2930 will continue to use SIG and KEY."
  8. RFC 4025, Abstract. "This record replaces the functionality of the sub-type #4 of the KEY Resource Record, which has been obsoleted by RFC 3445."
  9. Web site: RFC 8162 - Using Secure DNS to Associate Certificates with Domain Names for S/MIME . . May 2017 . 10.17487/RFC8162 . 17 October 2018. Hoffman . P. . Schlyter . J. .
  10. Web site: Domain Name System (DNS) Parameters . . September 2018 . 17 October 2018.
  11. The minimum field of SOA record is redefined to be the TTL of NXDOMAIN reply in RFC 2308.
  12. RFC 2930, §6. "... the keying material is sent within the key data field of a TKEY RR encrypted under the public key in an accompanying KEY RR RFC 2535."
  13. RFC 2845, abstract
  14. News: RFC 8482: Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY . . J. Abley, Afilias, O. Gudmundsson, M. Majkowski, Cloudflare Inc., E. Hunt, ISC . Ietf Datatracker . January 2019 .
  15. Web site: What happened next: the deprecation of ANY . . 19 September 2021 . 16 March 2019.
  16. RFC 1123 sections 2.2, 5.2.12, 6.1.3.6
  17. Web site: What happened next: the deprecation of ANY . . 9 March 2019 . 13 April 2016.
  18. Web site: ATM Name System, V2.0. July 2000. ATM Forum Technical Committee. https://web.archive.org/web/20190314135249/http://www.broadband-forum.org/ftp/pub/approved-specs/af-dans-0152.000.pdf. dead. 2019-03-14. 14 March 2019.
  19. Resolution of the Sender Policy Framework (SPF) and Sender ID Experiments. 6686. A. Background on the RRTYPE Issue. M.. Kucherawy. July 2012. IETF. August 31, 2013.
  20. Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. 7208. 3.1. The SPF DNS Record Type. S.. Kitterman. April 2014. IETF. 26 April 2014.
  21. News: Reid . Jim . draft-reid-dnsext-zs-01 - The Zone Status (ZS) DNS Resource Record . Ietf Datatracker . . 9 March 2019 . 4 July 2008.
  22. News: Reid . Jim . Schlyter . Jakob . Timms . Ben . draft-reid-dnsext-rkey-00 - The RKEY DNS Resource Record . Ietf Datatracker . . 9 March 2019 . 4 July 2008.