DNS records are created within zones and contain some set of information related to the domain and, if applicable, its subdomains. You can choose from many different record types depending on the nature of the information the record contains or the specific configuration you are trying to achieve. For example, an NS record specifies one or more hostnames for the domain’s nameservers, an A (“address”) record defines the IPv4 addresses to domain-related endpoints, and a PTR record enables reverse lookup functionality.
On the NS1 platform, each record can be configured with one or more answers. Each answer within a record represents a specific data set with a unique format based on the record type.
NS1 supports a wide range of standard DNS record types, as well as record types that are unique to NS1. Most records can be manually created within a zone, but some are auto-generated in response to configuration changes or enabled features.
Note
Some record types are unique to the NS1 platform and are not included in outgoing zone transfers or BIND-compatible zone files exported from the NS1 platform.
The list below includes all record types supported by the NS1 platform. Some records are created manually, and others are auto-generated by the platform in response to a configuration change.
|
User-created records |
Auto-generated records |
|||
|---|---|---|---|---|
|
NSEC3PARAM |
||||
*Indicates an NS1-specific record type.
The following records are most popular among users on the NS1 platform.
(RFC 1035) The most common DNS record used, an A (or address) record maps a domain to an IPv4 address (e.g., 198.0.2.36) of the computer hosting the domain. All zones should contain at least one A record for users to access a website or application using its hostname.
Each answer within an A record specifies an IPv4 address corresponding to an endpoint to which you want to point DNS traffic. You can have multiple answers (in other words, multiple IPv4 addresses) configured within an A record to establish basic redundancy and failback.
(RFC 3596) AAAA records function in the same way as A records, except that they map domains to an IPv6 address (e.g., 2001:db8:85a3::8a2e:370:7334) of the computer hosting the domain.
Each answer contains one IPv6 address corresponding to an endpoint to which you want to point DNS traffic when they query the domain. You can have multiple answers (that is, multiple IPv6 addresses) within a single AAAA record to establish basic redundancy and failback.
(NS1-specific) ALIAS is a special record type that works like a CNAME record but can be used safely at the zone apex. On the NS1 platform, ALIAS records always resolve to A and AAAA records by running a DNS resolver in each of NS1’s PoPs. Resolution to the target is a completely internal process — DNS recursors making the query cannot differentiate between an ALIAS record and an A (or AAAA) record. An ALIAS record will always return one or more A or AAAA records. Since ALIAS is a pseudo-record, the response will never include the ALIAS record itself.
Note
ALIAS records allow for CNAME-like behavior at the zone apex, which is typically how they are used. Refer to this article to learn more about CNAME versus ALIAS records.
You can add an ALIAS record anywhere within a primary (or non-secondary) zone or secondary zone apex. You can adjust the behavior of the record lookup process on the NS1 platform by enabling or disabling the “Override address records” option when configuring the ALIAS record.
-
By default, the override option is disabled (as in, set to “false”). This means that, upon receiving an incoming query, the NS1 platform will first look for the A/AAAA record within the zone. The NS1 platform will search for the ALIAS record if it does not find an address record. Typically, this behavior is desired if the ALIAS record is added to a primary zone. In some advanced cases, it might make sense to leave this option disabled for ALIAS records on secondary zones — for example, if the ALIAS record should only apply to queries for either the A or AAAA record (but not both).
-
Alternatively, setting this option to “true” directs the NS1 platform to seek out the ALIAS record first, bypassing any existing address record. Typically, this behavior is desired if the ALIAS record is added to a secondary zone.
It’s important to note that NS1’s ALIAS records are not included in outgoing zone transfers as they are incompatible with other DNS providers, even if the other provider has their version of an ALIAS record.
Warning
You cannot create an ALIAS record within a DNSSEC-enabled zone. Note that if you add an ALIAS record to a non-DNSSEC-signed secondary zone, and then later enable DNSSEC on the corresponding primary zone, the resolution will fail.
Warning
ALIAS record resolution is slower than that of a linked record and may be slower than that of a CNAME record, depending on whether or not the domain is hosted on the NS1 platform. Refer to this article to learn more about ALIAS, CNAME, and linked records.
When configuring ALIAS records, you must indicate whether or not to override any existing address records within the zone during the lookup process. You do this by enabling or disabling the “Override address records” option in the portal or API.
-
By default, this option is disabled. In this case, NS1 will first attempt to locate the address records before seeking out the ALIAS record.
-
If enabled, the NS1 platform will bypass address records, seeking out the ALIAS record first.
Optionally, you can also override the TTL of the target record with a value defined in the ALIAS record.
Each answer includes the domain or subdomain of an A or AAAA record to which this ALIAS record should resolve. In most cases, an ALIAS record will only contain one answer, but you can technically add multiple answers (in other words, specify multiple targets) if desired. In this case, the response will include all the IP addresses for the specified targets.
curl -X PUT -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/<zoneName>/<domain>/ALIAS -d '
{
"zone": "<zoneFQDN>",
"domain": "<zoneFQDN>",
"type": "ALIAS",
"override_address_records": false,
"answers": [
{
"answer": [
"<targetDomain>"
]
}
]
}'
{
"zone": "example.com",
"domain": "example.com",
"type": "ALIAS",
"answers": [
{
"answer": [
"new.example.com"
]
}
]
}
|
<zoneName> |
string |
(Required) The FQDN of the primary or secondary zone. |
|
<domain> |
string |
(Required) The record domain. When creating ALIAS records, this must be the same as the zone FQDN as these records are supported only at the zone apex. |
|
zone |
string |
(Required) The FQDN of the primary or secondary zone. |
|
domain |
string |
(Required) The record domain. When creating ALIAS records, this must be the same as the zone FQDN as these records are supported only at the zone apex. |
|
type |
string |
(Required) The type of zone you are creating. In this case, ALIAS. |
|
override_address_records |
boolean |
Indicates whether or not to override the address records, as in A and AAAA records, when responding to queries. By default, this is set to “false,” meaning NS1 will first attempt to answer queries with address records within the zone instead of using those generated by the ALIAS record. Set this value to “true” to skip address records and instead use the answers generated by the ALIAS records. (We recommend setting this value to “true” if creating this record within a secondary zone.) |
|
answers |
object |
(Required) An object containing all DNS answer(s) corresponding to this record. |
|
answer |
string |
(Required) For ALIAS records, the answer value is the domain or subdomain of an A or AAAA record to which this ALIAS record should resolve. |
(RFC 1035) A Canonical Name (CNAME) record maps one domain name (an alias) to another domain (the canonical name). There can be only one such canonical name for any one alias. That name should generally be a name that exists elsewhere in the DNS, though there are some rare applications for aliases with the accompanying canonical name undefined in the DNS. If DNSSEC is enabled, an alias name (prefix of a CNAME record domain) may have RRSIG and NSEC/NSEC3 records but may have no other data. Refer to this article for more information.
Note
Generally, CNAMEs should not be used at the zone apex or domain root.
Common use cases for a CNAME record include:
-
Specifying a unique hostname for specific network services, such as email or FTP, and redirecting that hostname to the root domain.
-
For hosted services, mapping a subdomain for individual customers on the service provider's domain (for example, company.hostname.com) and using the CNAME to point to the customer's preferred domain (for example, www.company.com).
-
Registering the same domain in several countries and creating CNAME records for each country's TLD.
-
Pointing multiple domains owned by a company back to the primary website.
The answer within a CNAME record represents the "real" or target domain for which this CNAME record is an alias.
(RFC 1035) Mail exchange (MX) records are used to direct emails sent to your domain. MX records, coupled with a mail server, provide organizations (employees, clients, etc.) with emails to the organization's domain, such as support@ns1.com. You can add multiple MX records with varying priorities if multiple mail servers are configured.
Each answer includes the hostname for a mail server (for example, mailhost1.example.com) and a priority (preference) number, which determines the sequence at which an email server receives emails.
(RFC 1035) Typically configured with your registrar, nameserver (NS) records are used to delegate a domain or subdomain to a set of nameservers. Nameservers, such as NS1’s Managed DNS nameservers, host all DNS data for a domain and tell all the other computers connected to the internet which records your domain holds. Therefore, setting the NS record is a critical step in getting your domains and servers online.
Note
When you create a new zone, an NS record is automatically created within the zone. The NS record contains one or more answers — each corresponding to the assigned nameservers within the relevant DNS network. If you do not select a network during zone creation (i.e., if you leave the zone "unpublished"), then an empty NS record is created within the zone.
Each answer within an NS record specifies a domain name for one or more authoritative nameservers. A single NS record may contain multiple answers (in other words, multiple nameservers) for a domain.
(RFC 4034) An NSEC record (sometimes referred to as the “next secure record”) is used to provide an authenticated denial of existence. It contains a link to the next domain name and the record types that exist for that domain. DNS resolvers use NSEC records to verify the non-existence of a record name and type as part of DNSSEC validation.
Note
NSEC records are automatically generated by the NS1 platform for DNSSEC-enabled zones. They cannot be created or modified manually.
(RFC 5155) The NSEC3 record provides authenticated denial of the existence of DNS records. It lists record types present at the original domain name of the NSEC3 record and includes the next hashed owner name in the hash order of the zone. NSEC3 records are similar to NSEC records, but NSEC3 uses cryptographically hashed record names to avoid the enumeration of the record names in a zone.
Note
NSEC3 records are only present for secondary zones and cannot be modified.
(RFC 1035) Often described as the opposite of an A record, pointer (PTR) records are used for reverse zone lookups. Whereas A records point the domain to an IP address, a PTR record points an IP to a domain. This is often used as spam verification with certain email programs to confirm a mail server is authorized to use the domain from which the email was sent. PTR records usually have to be defined by the owner of the IP address for your server — usually your server hosts. Many hosting companies will set this up for you when you set up a server.
After creating a reverse zone (for example, 2.0.192.in-addr.arpa), you can add a PTR record to the zone. For the record’s subdomain prefix, you can enter the final octet or character of the IP address for the server or leave this field blank to indicate an apex-level record.
Each answer within a PTR record specifies a fully qualified domain name (FQDN) to which queries to an IP address should point.
(RFC 1035, 2038) The Start of Authority (SOA) resource record contains administrative information about the zone that controls the zone transfer. The format of the zone transfer includes:
-
MNAME: The domain name of the name server that was the original or primary source of data for this zone
-
RNAME: A domain name corresponding to the email address of the person responsible for this zone
-
SERIAL: The unsigned 32-bit version number of the original copy of this zone. Zone transfers preserve this value
-
REFRESH: The amount of time before the zone should be refreshed.
-
RETRY: The amount of time that should elapse before a failed refresh is retried
-
EXPIRE: The maximum amount of time that can elapse before the zone is no longer authoritative
-
MINIMUM: The amount of time used to cache negative responses (NXD)
SOA records are generated automatically by the platform, but they do not appear in the list of records alongside others within the zone. You can modify SOA settings by editing the zone settings in the portal or via API.
(RFC 2782) Service locator (SRV) records are a way to use DNS to locate services for a specific domain. SRV records allow for built-in load balancing of multiple servers using the priority and weight values in the records.
Note
SRV record names follow a unique format. Refer to RFC 2782 for details.
Note
Alternatively, to configure load balancing between endpoints, you can use the NS1 Filter Chain — applying a Filter Chain configuration using the Priority and Weight filters for general balancing or using the Shed Load and Up filters to configure automatic load shedding.
Each answer within an SRV record corresponds to a hostname, containing the following fields:
-
Priority of target host integer A value indicating the priority of the target server. A server with a lower priority value will receive more traffic than other servers.
-
Relative weight for hosts with same priority integer A value indicating the weight of the target server. The server with the highest weight value will receive more traffic than other servers with the same priority.
-
TCP or UDP service port integer A 16-bit unsigned integer indicating the TCP or UDP port on the target server.
-
Host providing service integer Hostname of the target host (server).
(RFC 1035) Text (TXT) records allow you to contain any text-based information on a domain or subdomain. Applications can use this to collect information about a service — typically, SPF records, DomainKeys, and DKIM (two other email verification processes). TXT records may contain any information up to 255 characters per string. A single zone may contain multiple TXT records, and one TXT record may contain multiple answers.
Each answer within a TXT record is a string containing any human- or machine-readable data based on the specific use case for which you are creating a TXT record, depending on your use case.
(NS1-specific record type) URL forwarding (or URL redirecting) is a technique used to make a single web page available via multiple URLs. NS1 users can easily set up URL forwarding (HTTP redirects or masking) between zones. There are three types of URL redirects: Permanent (301), Temporary (302), or Masking.
-
Permanent (301): This type of redirect indicates to search engines that they should remove the old page from their database and replace it with the new target page. (Recommended for SEO)
-
Temporary (302): Less common, this type of redirect indicates to search engines that they should keep the old domain or page indexed as the redirect is only temporary. While both pages might appear in the search results, a temporary redirect suggests to the search engine that it should prefer the new target page.
-
Masking: This type of redirect preserves the redirected domain in the browser's address bar. This lets the user see the address they entered, even though the content displayed is coming from a different web page.
Optionally, URLFWD records may be configured with a custom path or query forwarding. Refer to this article for more information on creating and customizing URLFWD records.
While less common, the following record types are also supported by the NS1 platform.
(RFC 1183) AFSDB records are used to connect domain names to Andrew File System (AFS) servers. AFS is similar to NFS but better suited to handle the latency of wide-area networks (WAN) and locally caches files. The AFSDB record is key to this operation — providing the location of the file database.
Warning
This record is experimental and has been deprecated by most providers.Not all nameservers recognize or implement it, and it is usually replaced by the SRV record.
Each answer within an AFSDB record includes the following fields:
-
Service subtype (integer) - (Required) A 16-bit integer representing the subtype. This value determines the protocol to use when attempting to connect to a cell’s server. A value of 1 indicates the host has an AFS version 3.0 volume location server for the named AFS cell. A value of 2 indicates the host has an authenticated nameserver holding the cell-root directory node for the named DCE/NCA cell.
-
AF cell server (string) - (Required) Domain name of a host with a server for the cell.
{
"zone": "example.com",
"domain": "afsdbrecord.example.com",
"type": "AFSDB",
"answers": [
{
"answer": [1,"arecord.example.com"]
}
]
}
Each “answer” within an AFSDB record is an array. The first value in the array is an integer corresponding to the service subtype (either 1 or 2) and the second value is a string the domain name of the AFC cell server.
(RFC 8659) Domain owners can use DNS Certification Authority Authorization (CAA) records to indicate one or more certificate authorities (CAs) allowed to issue SSL certificates for a domain. Before issuing a certificate, compliant CAs must check for the CAA record unless an exception specified in the relevant certificate policy (CP) or certification practices statement (CPS) applies. The CAA record prevents an unauthorized CA from issuing an SSL certificate for your domain.
Multiple CAs may be permitted to issue SSL certificates for a single domain. In the NS1 platform, each CA is represented by an answer within the CAA record for that domain. Each answer contains the following configuration fields:
-
Flag integer An unsigned integer representing the critical flag with a specific meaning per RFC 6844. If the value is set to 1, the property is critical. A CA must not issue certificates for any FQDN if the relevant record answer for that FQDN contains a CAA critical property for an unknown or unsupported property tag.
-
Tag string Identifies the property being set by this record. Common values include issue, issuewild, and iodef. Refer to RFC 6844 for details.
-
Value string For the issue and issuewild tags, this is the domain of the CA that is authorized to issue certificates containing that FQDN. For iodef tags, this specifies a means of reporting certificate issue requests or cases of certificate issue for domains.
The example below requests no certificates be issued for caa.example.com by any issuer other than letsencrypt.com.
{
"zone": "example.com",
"domain": "caa.example.com",
"type": "CAA",
"answers": [
{
"answer": [
0,
"issue",
"letsencrypt.org"
]
}
]
}
The example below requests no certificates be issued for caa.example.com by any issuer.
{
"zone": "example.com",
"domain": "caa.example.com",
"type": "CAA",
"answers": [
{
"answer": [
0,
"issue",
";"
]
}
]
}
Refer to RFC 8659 for more details and examples.
(RFC 7344) The “child DNSKEY” (CDNSKEY) record type is used to enable DNSSEC on a child zone (i.e., subdelegation). Each record contains one or more DNSSEC keys required to sign zone data contained in this child zone.
Each answer corresponds to one DNSSEC key for the child zone and includes the following configuration fields:
-
Flags integer - (Required) An integer representing the DNSSEC key type. Supported values include 256 (for ZSK) and 257 (for KSK).
-
Protocol integer - (Required) Set this value to 3 to indicate this is a DNSSEC key, ensuring signature verification.
-
Algorithm integer - (Required) An integer representing the public key’s cryptographic algorithm. A list of DNSSEC algorithms can be found in RFC 4034. NS1 recognizes a value of 13 for DNSSEC keys.
-
Public key string - (Required) The public DNSSEC key secret.
(RFC 7344) The “child DS” (CDS) record type is used to enable DNSSEC on a child zone (i.e., subdelegation). Once created, the parent zone is notified of its existence, and, in response, the parent zone retrieves the CDS record and inserts the corresponding DS record data.
(RFC 4398, 69446944) CERT records provide a space in the DNS for certificates and related certificate revocation lists (CRLs). These certificates verify the authenticity of the sending and receiving parties. The CRLs identify the certificates that are no longer valid.
For each answer, enter the type, keytag, algorithm, and certificate used to verify the authenticity of the sending and receiving parties.
(RFC 7477) CSYNC records indicate which delegation records published by a child DNS operator should be processed by a parental agent and used to update the parent’s zone data. These types of records are published at the apex of the child zone, making it easier for operators to update their delegation records within the parent’s set quickly.
Typically, there are some record types expected to remain in sync across parent and child zones. Most commonly, these include the NS records and any necessary A or AAAA records (“glue records”). It can be a challenge for operators of child DNS zones to update delegation records quickly, particularly when managing a large, complex set of DNS zones. The CSYNC record presents an automated mechanism for signaling updates at the child zone that must be reflected in the parent zone data.
Each answer within a CSYNC record contains the following fields:
-
SOA serial number integer A 32-bit integer representing the serial number of the SOA record from the child zone (that is, the SOA of the zone on which you are adding this CSYNC record). This value can be set to an arbitrary number if you do not plan to set the “soaminimum” flag.
-
Flags integer A 16-bit integer of boolean flags defines operations that affect the processing of the CSYNC record. A value of 1 indicates the “immediate” flag, meaning the CSYNC record should be processed immediately. A value of 2 indicates the “soaminimum” flag which requires an SOA serial number greater than the one specified to process the CSYNC record.
-
Types string A simple bit-list (separated) indicating the DNS record types in the child zone should be processed by the parental agent to modify the DNS delegation records within the parent's zone for the child DNS operator. Supported record types to specify here include NS, A, and AAAA.
(RFC 4701) DHCID records are referenced by DHCP clients or servers to associate a DHCP client’s identity with a DNS name so that multiple DHCP clients and servers may deterministically perform dynamic DNS updates to the same zone.
(RFC 6672) Whereas a CNAME record defines an alias for a single domain or node, a Delegation Name (DNAME) record is used to create an alias (i.e., domain) for an entire subsection of the DNS namespace (i.e., a domain and all of its subdomains).
(RFC 4034) The DNSSEC key (DNSKEY) record stores public DNSSEC key data for a particular zone for use in the DNSSEC authentication process. In this process, a zone signs its authoritative record data using a private key and stores the corresponding public key in the DNSKEY record.
DNSKEY records are auto-generated when you enable DNSSEC online signing for a given NS1 zone and populated with data generated by NS1.
Note
If you are migrating DNSSEC-enabled zones between DNS providers or would like to configure multi-signer DNSSEC functionality, you can configure multiple external DNSSEC key sets, which will appear as additional answers within the DNSKEY record.
Each answer within a DNSKEY record contains data corresponding to a single DNSSEC key — including the flags, protocol, algorithm, and public key. DNSKEY answer data is auto-generated when you enable DNSSEC on an individual NS1 zone. Additional answers within the DNSKEY appear if you configure external DNSSEC key sets via API.
There are different API methods used to enable internal DNSSEC online signing for an individual zone versus managing multiple external DNSSEC keys. Refer to the NS1 API documentation for details.
(RFC 4034) The DS record points to the relevant DNSKEY record to use in the DNSSEC authentication process for this zone.
(RFC 1035) Host information (HINFO) records are used to associate general information about a host’s CPU and OS with the host’s domain name. For example, if www.example.com was running Ubuntu 16.04 with a 3.2 GHz Intel CPU, this information can be made publicly available by creating a HINFO record with “PC-Intel-3200mhz” and “Ubuntu 16.04” in the CPU and OS fields, respectively. This information is used by services like FTP to determine the correct procedures for connecting to hosts based on their configuration.
Note
SVCB and HTTPS record types will soon advance from an IETF draft document to an IETF standards-track RFC. Even though these record types are still going through the standards process, there is already widespread support among both open source and proprietary DNS libraries and web browsers.
The HTTPS record is an SVCB-compatible record type designed specifically for the HTTP protocol. This record type can be used to enable CNAME-like functionality at the zone apex or for multi-CDN hosting. It signals to the client that it can connect over a secure connection, skipping the initial unsecured request, and it advertises the different HTTP versions supported by the website.
In addition to those listed under the SVCB record description, goals specific to the HTTPS record type include:
-
Connecting directly to HTTP/3 (QUIC transport) alternative endpoints
-
Obtaining the Encrypted ClientHello (ECH) keys associated with an alternative endpoint
-
Supporting non-default TCP and UDP ports
-
Enabling SRV-like benefits (such as apex delegation) for HTTP
-
Providing an HSTS-like indication (HSTS) signaling that the “https” scheme should be used instead of “http” for all HTTP requests to this host and port.
The format of an HTTPS record is identical to that of an SVCB record — the difference being that SVCB records use the same structured name format as SRV records, whereas HTTPS records do not. Without these domain name restrictions, HTTPS records can be used at the zone apex.
Each HTTPS record specifies alternative endpoints that are authoritative for a service, as well as the unique parameters associated with each endpoint. Like SVCB, HTTPS records can be configured to operate in two modes: AliasMode or ServiceMode. The record operates in two modes:
-
In AliasMode, the record delegates operational control for a resource (as in, it aliases to another record name, similar to CNAME functionality). This mode allows you to add or remove HTTPS records without requiring a corresponding change at the zone apex.
-
In ServiceMode, the record binds together configuration data for a service endpoint, advertising additional key-value parameters unique to each endpoint. The TargetName and SvcParams associate an alternative endpoint for the service with its connection parameters.
Placing both forms in a single record type allows clients to fetch the relevant information with a single query.
|
SvcPriority integer |
(Required) Indicates the priority of this record relative to others with lower values preferred. A value of 0 indicates AliasMode. All other values indicate the record is operating in ServiceMode. |
|
TargetName string |
(Required) If in AliasMode, this is the alias target's fully-qualified domain name (FQDN). If in ServiceMode, this is the domain name of an alternate endpoint. If TargetName has the value ".", special rules apply. Please refer to the RFC for details. |
|
SvcParams string or array |
(Optional) If in ServiceMode, this is a whitespace-separated list of parameter key-value pairs (
For a complete list of SvcParams, refer to https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml. |
The following example shows an HTTPS record configuration operating in AliasMode. In this case, web traffic for “example.com” is redirected to “example.net”.
{
"zone": "example.com",
"domain": "example.com",
"type": "HTTPS",
"answers": [
{
"answer": [
0, "example.net."
]
}
]
}
The following example shows an HTTPS record configuration operating in ServiceMode. It advertises support for the HTTP/3 and HTTP/2 protocols for the example.com origin. When a client connects, it will try HTTP/3 if supported; otherwise, it will try HTTP/2.
{
"zone": "example.com",
"domain": "example.com",
"type": "HTTPS",
"answers": [
{
"answer": [
1 . alpn="h3,h2"
]
}
]
}
(RFC 3403) Naming Authority Pointer (NAPTR) records are most commonly used with internet telephony (or VoIP) services. They can be used to map telephone numbers and email addresses for VoIP users to SIP servers via SRV records to initiate calls.
For each answer, enter the following information:
-
Order for answer processing - A 16-bit unsigned integer specifying the order in which the NAPTR records MUST be processed to ensure the correct ordering of rules. Low numbers are processed before high numbers, and once a NAPTR is found whose rule "matches" the target, the client MUST NOT consider any NAPTRs with a higher value for order (except as noted below for the Flags field).
-
Preference (if others have equal order values) - A 16-bit unsigned integer that specifies the order in which NAPTR records with equal "order" values SHOULD be processed, low numbers being processed before high numbers. This is similar to the preference field in an MX record, and is used so domain administrators can direct clients towards more capable hosts or lighter-weight protocols. A client may look at records with higher preference values if it has a good reason to do so, such as not understanding the preferred protocol or service. The important difference between Order and Preference is that once a match is found, the client MUST NOT consider records with a different order. However, they MAY process records with the same Order but different Preferences. In other words, the preference is used to give weight to rules that are considered the same from an authority standpoint but not from a simple load-balancing standpoint.
-
Flags - At this time only four flags, "S", "A", "U", and "P", are defined in the RFC. The "S", "A" and "U" flags denote a terminal lookup, meaning that this NAPTR record is the last one and that the flag determines what the next stage should be. The "S" flag means that the next lookup should be for SRV records. "A" means that the next lookup should be for either an A or AAAA record. The "U" flag means that the next step is not a DNS lookup but that the output of the Regexp field is an URI that adheres to the 'absoluteURI' production found in the ABNF of RFC 2396. Since there may be applications that use NAPTR to also look up aspects of URIs, be aware that this may cause loop conditions. The "P" flag says that the remainder of the application side algorithm shall be carried out in a Protocol-specific fashion. The new set of rules is identified by the protocol specified in the Services field.
-
Service(s) available down rewrite path - Specifies the service(s) available down this rewrite path. It may also specify the particular protocol that is used to talk with a service. A protocol MUST be specified if the flags field states that the NAPTR is terminal. If a protocol is specified, but the flags field does not state that the NAPTR is terminal, the next
(RFC 1183) Typically, the "responsible person" record contains information about the person responsible for the domain. It is usually an email address where the "@" sign is replaced by a period (.).
(RFC 4034) DNSSEC uses public key cryptography to sign and authenticate DNS records. Digital signatures are stored in RRSIG records and are used in the DNSSEC authentication process. A validator can use the RRSIG record data to authenticate records from the zone. RRSIG records contain the signature for a DNS record with a particular name, class, and type. It specifies a validity interval for the signature and uses the algorithm, the signer’s name, and the key tag to identify the DNSKEY record containing the public key that a validator can use to verify the signature.
Note
RRSIG records are automatically generated by the NS1 platform for DNSSEC-enabled zones. They cannot be created or modified manually.
(RFC 8162) The SMIMEA record is used to associate an end entity certificate or public key with an associated email address, thus forming a “SMIMEA certificate association.” It allows an application or service to obtain a S/MIME certificate or public key and use it for verifying a digital signature or encrypting a message to the public key. The DNS answer must pass DNSSEC validation.
The answer format of the SMIMEA record is the same as a TLSA record as defined in RFC 6698, section 2.1. Each answer includes the following fields:
-
Certificate usage - A value from 0-3 specifying the provided association that will be used to match the certificate presented in the TLS handshake. This value is defined in a new IANA registry.
-
CA constraint - A value of 0 is used to specify a CA certificate or the public key of such a certificate that MUST be found in any of the PKIX certification paths for the end entity certificate given by the server in TLS. This method limits which CA can be used to issue certificates for a given service on a host. The presented certificate MUST pass PKIX certification path validation, and a CA certificate that matches the TLSA record MUST be included as part of a valid certification path.
-
Service certification constraint - A value of 1 is used to specify an end entity certificate, or the public key of such a certificate, that MUST be matched with the end entity certificate given by the server in TLS. This method limits which end entity certificate can be used by a given service on a host.
-
Trust anchor assertion - A value of 2 is used to specify a certificate, or the public key of such certificate, that MUST be used as the trust anchor when validating the end entity certificate given by the server in TLS. This method is used, for example, if the domain issues its own certificates under its own CA that is not expected to be in the end users' collection of trust anchors.
-
Domain-issued certificate - A value of 3 is used to specify a certificate, or the public key of such a certificate, that MUST match the end entity certificate given by the server in TLS. This method allows a domain name administrator to issue certificates for a domain without involving a third-party CA.
-
-
Selector - A value from 0-1 specifying which part of the TLS certificate presented by the server will be matched against the association data.
-
Matching Type Field - A value from 0-1 specifying how the certificate association is presented.
-
Certificate association data - Specifies the "certificate association data" to be matched.
(RFC 4408, 7208) Sender Policy Framework (SPF) records are used during email verification to prevent your domain name from being used by spammers or malicious users. Simply creating an SPF record on your main domain with the content: v=spf1 ip4:198.0.2.201 a -all (replacing the IP address with your mail server’s IP address) will tell email receivers that your mail server is the only server allowed to send emails from your domain. All emails received from other servers will be rejected or marked as spam. You can specify multiple IPv4 addresses as individual answers in the SPF record if you have multiple mail servers.
Note
While NS1 supports SPF records, we recommend using a TXT record instead for new configurations. This is the more generally accepted practice today. Often, mail servers will define both an SPF and TXT record to ensure compatibility.
Each answer corresponds to a single mail server's sender policy framework configuration. In each answer field, enter the following: v=spf1 ip4:198.0.2.201 a ~all replacing 198.0.2.201 with the IPv4 address for your server.
Note
SVCB and HTTPS record types will soon advance from an IETF draft document to an IETF standards-track RFC. Even though these record types are still going through the standards process, there is already widespread support among both open source and proprietary DNS libraries and web browsers.
Designed to address issues around service discovery, a new family of "service-binding" (SVCB) record types provides clients with complete instructions to access a service. Providing this information avoids transient connection to a suboptimal endpoint, negotiates a preferred protocol, and offers relevant public keys — helping to improve performance and privacy.
SVCB and HTTPS (an SVCB-compatible record type) records allow clients to resolve a single additional DNS record in a way that:
-
Specifies targets (or alternative endpoints) that are authoritative for the service, along with associated parameters,
-
Does not assume all alternative endpoints have the same parameters or capabilities or that the same entity operates them,
-
Enables CNAME-like functionality at a zone apex for participating protocols and generally allows delegation of operational authority for an origin within the DNS to an alternate name. See "SVCB vs. HTTPS" below for more information about configuring CNAME-like functionality using both record types.
Note that, in addition to the goals listed above, you can use HTTPS records can be used for configurations specific to the HTTP protocol. Refer to "HTTPS record" for details.
The format of SVCB and HTTPS records is identical. The difference is that the name of the SVCB record uses the same structured format as SRV records, whereas the HTTPS record does not. When configuring SVCB records, you create a record for each service with a special name syntax, whereas HTTPS records do not have the same domain name restrictions. HTTPS records can exist at the zone apex.
Note
As an SVCB-compatible record type, the HTTPS record is specific to the HTTP protocol. It can signal to the client that it can connect over a secure connection (bypassing the initial unsecured request), as well as advertise the different HTTP versions supported by the website. For domains with HTTPS origins, refer to the HTTPS record type.
Each SVCB record specifies alternative endpoints that are authoritative for a service and the unique parameters associated with each endpoint. The record operates in two modes:
-
In AliasMode, the record delegates operational control for a resource (as in, it aliases to another record name, similar to CNAME functionality). This mode allows you to add or remove SVCB records without requiring a corresponding change at the zone apex.
-
In ServiceMode, the record binds together configuration data for a service endpoint, advertising additional key-value parameters unique to each endpoint. The TargetName and SvcParams associate an alternative endpoint for the service with its connection parameters.
Placing both forms in a single record type allows clients to fetch the relevant information with a single query.
The SVCB record's domain name typically includes the network service (or port) and the protocol (_port._protocol.subdomain). For example, _postgresql._tcp.example.net.
|
SvcPriority integer |
(Required) Indicates the priority of this record relative to others with lower values preferred. A value of 0 indicates AliasMode. All other values indicate the record is operating in ServiceMode. |
|
TargetName string |
(Required) If in AliasMode, this is the alias target's fully-qualified domain name (FQDN). If in ServiceMode, this is the domain name of an alternate endpoint. If TargetName has the value ".", special rules apply. Please refer to the RFC for details. |
|
SvcParams string or array |
(Optional) If in ServiceMode, this is a whitespace-separated list of parameter key-value pairs (
For a complete list of SvcParams, refer to https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml. |
The following example shows an SVCB record configuration operating in AliasMode. If a client queries "_8080._foo.example.com", NS1 responds with foosvc.example.net, indicating the client should refer to that domain for service.
{
"zone": "example.com",
"domain": "_8080._foo.example.com",
"type": "SVCB",
"answers": [
{
"answer": [
0, "foosvc.example.net."
]
}
]
}
The following example shows an SVCB record configuration operating in ServiceMode. If a client queries "_8080._bar.example.com", NS1 returns the relevant service bindings. The client will use this data to connect.
{
"zone": "example.com",
"domain": "_8080._bar.example.com",
"type": "SVCB",
"answers": [
{
"answer": [
0, ".", "port"=8888
]
}
]
}
(RFC 6698) This record type is used to associate a transport layer security (TLS) server certificate or public key with the domain name (i.e., zone) within which this record is located, thus forming a “TLSA certificate association.”
Each answer within the TLSA record includes the following fields:
-
Certificate usage - A value from 0-3 specifying the provided association that will be used to match the certificate presented in the TLS handshake. This value is defined in a new IANA registry.
-
CA constraint - A value of 0 is used to specify a CA certificate or the public key of such a certificate that MUST be found in any of the PKIX certification paths for the end entity certificate given by the server in TLS. This method limits which CA can be used to issue certificates for a given service on a host. The presented certificate MUST pass PKIX certification path validation, and a CA certificate that matches the TLSA record MUST be included as part of a valid certification path.
-
Service certification constraint - A value of 1 is used to specify an end entity certificate, or the public key of such a certificate, that MUST be matched with the end entity certificate given by the server in TLS. This method limits which end entity certificate can be used by a given service on a host.
-
Trust anchor assertion - A value of 2 is used to specify a certificate, or the public key of such certificate, that MUST be used as the trust anchor when validating the end entity certificate given by the server in TLS. This method is used, for example, if the domain issues its own certificates under its own CA that is not expected to be in the end users' collection of trust anchors.
-
Domain-issued certificate - A value of 3 is used to specify a certificate, or the public key of such a certificate, that MUST match the end entity certificate given by the server in TLS. This method allows a domain name administrator to issue certificates for a domain without involving a third-party CA.
-
-
Selector - A value from 0-1 specifying which part of the TLS certificate presented by the server will be matched against the association data.
-
Matching Type Field - A value from 0-1 specifying how the certificate association is presented.
-
Certificate association data - Specifies the "certificate association data" to be matched.