DNS records overview

This page provides an overview of records and lists DNS record types that Cloud DNS supports, including the Cloud DNS custom record type ALIAS.

A record is a mapping between a DNS resource and a domain name. Each individual DNS record has a type (name and number), an expiration time (time to live), and type-specific data.

To create and manage resource record sets, see Add, update, and delete records.

Supported DNS record types

Cloud DNS supports the following types of records.

Wildcard DNS records

Wildcard DNS records are supported for all record types, except for NS records.

Record type and the value to enter for it:
A

The host's numeric IP address, in IPv4 dotted decimal format. The A record type maps an IPv4 address to a domain name and determines where the requests for the domain name are directed, for example, 192.0.2.91.

AAAA

The host's numeric IP address, in IPv6 hexadecimal format. The AAAA (quad A) record type maps an IPv6 address to a domain name and determines where the requests for the domain name are directed—for example, 2001:db8::8bd:1002.

ALIAS (Preview)

Alias record (Preview), which maps an alias domain name to a canonical name at the zone apex. An alias record is also called an ANAME record or CNAME flattening.

You can configure alias records by using the gcloud CLI or the Cloud DNS API. You cannot configure alias records by using the Cloud de Confiance console.

CAA

The certificate authorities that are authorized to issue certificates for this domain—for example, ca.example.net.

Create a CAA record type to ensure that unauthorized CAs don't issue certificates to your domain.

CNAME

The DNS alias for an A record—for example, ftp.example.com is a DNS alias to www.example.com. In this example, ftp.example.com is a service present in the same server as www.example.com. Links pointing to ftp.example.com receive the A record of www.example.com.

You can also use the CNAME record type to point to an entirely different domain name—for example, altostrat.com is a DNS alias to www.example.com.

Sometimes, a name server responds with the CNAME record and the A record referred to by the CNAME value; this behavior is called CNAME chasing.

If you encounter issues while creating a CNAME record, see CNAME record defined in a private zone not working.

DNSKEY

The DNSSEC public key that the resolvers use to verify the authenticity of records using ZSK and KSK keys.

For example, 7200 IN DNSKEY 256 3 8 AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI.

In this example, 7200 is the TTL, 256 is the decimal representation of DNSKEY flags, 3 is the protocol indicator for DNSSEC, and 8 is the RSA/SHA-256 cryptographic algorithm used for the key.

You can only add this record type in a public and DNSSEC-enabled zone that is in the Transfer state. For more information, see Manage DNSSEC configuration.

DS

The DNSSEC key fingerprint for a secure delegated zone.

For example, 7200 IN DS 31523 5 1 c8761ba5defc26ac7b78e076d7c47fa9f86b9fba. In this example, 7200 is the TTL, 31523 is the keytag, 5 is the algorithm, and 1 is the digest type.

You can only add this record type in a public zone. This record type does not activate DNSSEC for a delegated zone unless you enable (and activate) DNSSEC for this zone. DNSSEC is not enabled by default for zones.

HTTPS

HTTPS Service Binding record, which allows an origin to indicate multiple alternative endpoints, each with associated parameters. This record also redirects HTTP to HTTPS.

For example, 1 . alpn=h2,h3 where 1 is the service priority (SvcPriority), which is 0 for aliases and 1-65535 for service descriptions; . is the TargetName ("." if it is the same as the owner name); and alpn=h2,h3 is the service parameter list (SvcParams), which consists of key-value pairs describing the target endpoint, separated by spaces.

The HTTPS record type is based on the more general SVCB record type and uses the same value format.

IPSECKEY

IPsec tunnel gateway data and public keys for IPsec-capable clients to enable opportunistic encryption.

For example, 10 1 2 192.0.2.1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt== where 10 is the precedence with lower values having higher priority, 1 is the gateway type, 2 is the algorithm type, and 192.0.2.1 is the gateway.

For more information, see RFC 4025.

MX

A preference number and DNS name of a mail exchange server that receives emails on behalf of your domain.

For example: 1 mail.example.com. where 1 is the preference number.

SMTP servers prefer servers with lower preference numbers; 0 is the lowest preference number you can enter.

The MX record you enter must end with a dot (.).

You can create multiple records with different priorities to configure backup mail servers or use the same priority to distribute the load across multiple mail servers.

For example, to direct your email to your Google Workspace account, enter the following: 1 SMTP.GOOGLE.COM.

NS

The DNS name of the authoritative name server that provides DNS services for your domain or subdomain. Your NS records must match the name servers for your zone—for example, ns-1.example.com.

SOA

Start of authority record, which specifies authoritative information about a DNS zone. An SOA record is created for you when you create your managed zone. You can modify the record as needed (for example, you can change the serial number to an arbitrary number to support date-based versioning).

For example, ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com 1 21600 3600 259200 300 where ns-cloud-c1.googledomains.com. is the MNAME, cloud-dns-hostmaster.google.com is the RNAME, 1 is the SERIAL, 21600 is the REFRESH, 3600 is RETRY, 259200 is EXPIRE, and 300 is the MINIMUM.

For more information, see RFC 1035.

SPF

The SPF record type is deprecated. Use TXT records starting with v=spf1 instead. SPF type records are not used by modern email software.

SRV

Data that specifies the location (the hostname and port number) of servers for a particular service.

For example, 0 1 587 mail.example.com where 0 is the priority of the target host, 1 is the weight, and 587 is the port number.

For more information, see RFC 2782.

SSHFP

SSH fingerprint for SSH clients to validate the public keys of SSH servers.

For example, 2 1 123456789abcdef67890123456789abcdef67890 where 2 is the SSH server algorithm number, 1 is the fingerprint type number, and 123456789abcdef67890123456789abcdef67890 is the fingerprint.
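
The DS and SSHFP examples on this page both end in a hex digest whose length is fixed by the digest or fingerprint type field. The following Python lint is an added example, not Cloud DNS code: the function names are hypothetical, and the type tables are taken from the IANA registries rather than from this page. It rejects digests whose length does not match the declared type and warns when a record relies on SHA-1.

```python
import string

# Type number -> (hash name, hex length), per the IANA registries.
# GOST (DS digest type 3) is left out and reported as unsupported.
DS_DIGESTS = {1: ("SHA-1", 40), 2: ("SHA-256", 64), 4: ("SHA-384", 96)}
SSHFP_TYPES = {1: ("SHA-1", 40), 2: ("SHA-256", 64)}
SHA1_SIGNING_ALGS = {5, 7}  # DNSSEC RSASHA1 and RSASHA1-NSEC3-SHA1

def _lint_digest(digest, type_num, table):
    """Check that a hex digest matches the length its type number implies."""
    if type_num not in table:
        return [f"error: unsupported digest type {type_num}"]
    name, hex_len = table[type_num]
    findings = []
    if not digest or any(c not in string.hexdigits for c in digest):
        findings.append("error: digest is not hexadecimal")
    elif len(digest) != hex_len:
        findings.append(f"error: {name} needs {hex_len} hex chars, got {len(digest)}")
    if name == "SHA-1":
        findings.append("warning: SHA-1 digest, prefer SHA-256")
    return findings

def _split(rdata, n_ints):
    """Split record data into n_ints leading integers plus the joined hex tail."""
    fields = rdata.split()
    head, tail = fields[:n_ints], fields[n_ints:]
    if len(head) < n_ints or not tail or not all(f.isascii() and f.isdigit() for f in head):
        return None
    # Zone files may break a long digest with whitespace, so rejoin the tail.
    return [int(f) for f in head], "".join(tail)

def lint_ds(rdata):
    """Lint DS data: '<key tag> <algorithm> <digest type> <digest>'."""
    parsed = _split(rdata, 3)
    if parsed is None:
        return ["error: malformed DS record data"]
    (key_tag, algorithm, digest_type), digest = parsed
    findings = ["error: key tag does not fit in 16 bits"] if key_tag > 65535 else []
    if algorithm in SHA1_SIGNING_ALGS:
        findings.append(f"warning: algorithm {algorithm} signs with SHA-1")
    return findings + _lint_digest(digest, digest_type, DS_DIGESTS)

def lint_sshfp(rdata):
    """Lint SSHFP data: '<algorithm> <fingerprint type> <fingerprint>'."""
    parsed = _split(rdata, 2)
    if parsed is None:
        return ["error: malformed SSHFP record data"]
    (_algorithm, fp_type), fingerprint = parsed
    return _lint_digest(fingerprint, fp_type, SSHFP_TYPES)
```

Run against this page's own examples, the DS value draws two SHA-1 warnings and the SSHFP value one; neither is malformed.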

SVCB

Service Binding record, which allows a logical service to indicate multiple alternative endpoints, each with associated parameters.

For example, 0 alias-target.example.com where 0 is the service priority (SvcPriority), which is 0 for aliases and 1-65535 for service descriptions.

For HTTPS origins, see the HTTPS record type.

TLSA

The DNS-based Authentication of Named Entities (DANE) TLSA Certificate Association information.

A TLSA record contains information used to validate X.509 certificates (such as certificates used by HTTPS) without depending on one of a preconfigured set of certificate authorities (CAs) signing them.

For example, 1 1 2 92003ba34942dc74152e2f2c408d29ec. In this example, the first 1 is the protocol indicator for DNSSEC, the second 1 is the public key, and 2 is the RSA/SHA-256 cryptographic algorithm used for the key.

Only use this record type if you have enabled DNSSEC for the zone.

TXT

Text record, which can contain arbitrary text and can also be used to define machine-readable data, such as security or abuse prevention information.

A TXT record may contain one or more text strings; the maximum length of each string is 255 characters. If your record data is more than 255 bytes, divide your record into 255-byte strings and enclose each string in quotation marks—for example, "String one 255 bytes" "String two 255 bytes".

Mail agents and other software agents concatenate multiple strings.

Enclose each string in quotation marks—for example, "Hello world" "Bye world".

Each TXT record has a 1000-character limit. If you need to increase this limit, contact Cloud de Confiance by S3NS support.
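
The splitting rule above and the fact that consumers concatenate the strings can be checked together. The following Python sketch is an added example, not part of Cloud DNS or the gcloud CLI: split_txt and join_txt are hypothetical names, and the 1000-character limit is assumed to count the unquoted value.

```python
import re

MAX_STRING_BYTES = 255   # per-string limit from this page
MAX_RECORD_CHARS = 1000  # per-record limit from this page (assumed: unquoted value)

# One quoted string; a backslash escapes the character that follows it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def split_txt(value):
    """Return TXT record data: the value cut into quoted strings of <= 255 bytes."""
    raw = value.encode("ascii")  # raises on non-ASCII, which would need \DDD escapes
    if len(raw) > MAX_RECORD_CHARS:
        raise ValueError(f"{len(raw)} characters exceeds the {MAX_RECORD_CHARS} limit")
    chunks = [raw[i:i + MAX_STRING_BYTES]
              for i in range(0, len(raw), MAX_STRING_BYTES)] or [b""]
    # Escape after cutting: the 255-byte limit applies to the data, not the backslashes.
    escaped = (c.decode("ascii").replace("\\", "\\\\").replace('"', '\\"') for c in chunks)
    return " ".join(f'"{c}"' for c in escaped)


def join_txt(rdata):
    """Rebuild the value the way a consumer does: concatenate with no separator."""
    strings = _QUOTED.findall(rdata)
    return "".join(re.sub(r"\\(.)", r"\1", s) for s in strings)
```

Because the strings are joined with no separator, a hand-split policy such as "v=spf1 include:_spf.example.com" "-all" reads back as include:_spf.example.com-all; keep the space inside one of the quoted strings.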
