Overview of the main DNS records.

SOA

The SOA record (Start Of Authority) identifies the server in charge of the zone (primary server), the technical contact address (hostmaster) and the parameters governing the zone: serial number (serial), refresh interval (refresh), delay before a new attempt (retry), expiration delay (expire) and negative caching time (minimum).

example.com.    IN      SOA     ns1.example.com. hostmaster.example.com. (
                                2011040100      ; Serial
                                 2H             ; Refresh
                                 1H             ; Retry
                                 7D             ; Expire
                                 1D )           ; Minimum

If a dot (.) is present in the part of the mail address before the @, the dot must be protected by prefixing it with a backslash (\), otherwise it would be read as a label separator.

E-mail                  Field in SOA
hostmaster@example.com  hostmaster.example.com
john.doe@example.com    john\.doe.example.com
Coding of the e-mail address in SOA
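As an added example (not part of the original page), an encoder and decoder for the RNAME convention shown in the table above; the decoder handles the escaped-dot case so that john\.doe.example.com. round-trips to john.doe@example.com:

```python
def email_to_rname(address):
    """Encode a mailbox as the SOA RNAME field: '@' becomes '.', and every dot
    in the local part is escaped with a backslash so it is not read as a label
    separator. The result is an absolute name (trailing dot)."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mailbox: {address!r}")
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."

def rname_to_email(rname):
    """Decode an RNAME back to a mailbox: the first unescaped dot separates the
    local part from the domain; escaped dots are restored literally."""
    local, i, n = [], 0, len(rname)
    while i < n:
        ch = rname[i]
        if ch == "\\" and i + 1 < n:      # escaped character: keep it as-is
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":                    # first unescaped dot ends the local part
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"no domain part in {rname!r}")
```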

NS

The NS records name the servers to contact to obtain information on the zone; they generally include the primary server (master), the others being the secondary servers (slaves). A minimum of 2 servers is required (by the registrars) to manage the zone and to keep it available if one of the servers fails.

                IN      NS      ns1.example.com.
                IN      NS      ns6.sample.net.

To obtain good resilience against a server or network failure, the following precautions can be taken when choosing the servers:

If an NS record used to delegate the domain points to a name inside the domain itself, the delegation must also carry the corresponding A and AAAA records. These are called “glue” records.

example.com.      IN  NS    ns1.example.com.     ; Server names used
                  IN  NS    ns6.sample.net.      ;   for the zone delegation
ns1.example.com.  IN  A     192.168.1.5          ; Additional glue necessary for a correct
                  IN  AAAA  2001:db8:0:1::5      ;   behaviour of the name resolution mechanism

The name given in an NS record must resolve directly to an IP address (A or AAAA); pointing it at a CNAME is forbidden (see RFC 1912).

MX

The MX records list, in priority order, the SMTP servers to contact to deliver mail to this domain. The lower the number, the higher the priority.

                IN      MX      10 mrelay1.example.com.

The name given in an MX record must resolve directly to an IP address (A or AAAA); pointing it at a CNAME is forbidden (see RFC 1912).
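As an added example (not code from the original page), a small zone linter that applies the two rules above, the glue requirement from the NS section and the no-CNAME rule for NS and MX targets, to a constructed zone fragment in the same layout as the listings; it assumes one-line records with class IN and no TTL column:

```python
from collections import defaultdict

# Constructed zone fragment for the check (not a real zone); a blank owner
# means "same owner as the previous record", as in the listings above.
ZONE_TEXT = """\
example.com.      IN  NS    ns1.example.com.
                  IN  NS    ns2.example.com.     ; in-zone, but no glue below
                  IN  NS    ns6.sample.net.
                  IN  MX    10 mail.example.com. ; points at a CNAME
ns1.example.com.  IN  A     192.168.1.5
                  IN  AAAA  2001:db8:0:1::5
mail.example.com. IN  CNAME host.example.com.
host.example.com. IN  A     192.168.1.5
"""

def parse_zone(text):
    """Parse simple one-line records into (owner, type, rdata) tuples.
    Assumes class IN, no TTL column and no multi-line records."""
    records, owner = [], None
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()        # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if line[0] not in " \t":                  # owner name present
            owner, tokens = tokens[0], tokens[1:]
        if tokens[0] == "IN":
            tokens = tokens[1:]
        records.append((owner, tokens[0], " ".join(tokens[1:])))
    return records

def lint_delegation(records, zone):
    """Report NS/MX targets that are CNAMEs (forbidden by RFC 1912) and
    in-zone NS targets that lack glue A/AAAA records."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner].add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX"):
            continue
        target = rdata.split()[-1]               # MX rdata is "<pref> <host>"
        if "CNAME" in types[target]:
            problems.append(f"{rtype} {owner} -> {target}: target is a CNAME")
        in_zone = target == zone or target.endswith("." + zone)
        if rtype == "NS" and in_zone and not types[target] & {"A", "AAAA"}:
            problems.append(f"NS {owner} -> {target}: in-zone server without glue")
    return problems

if __name__ == "__main__":
    for problem in lint_delegation(parse_zone(ZONE_TEXT), "example.com."):
        print(problem)
```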

A

The A record maps a name to an IPv4 address.

host            IN      A       192.168.1.5

AAAA

The AAAA record maps a name to an IPv6 address. It is the IPv6 counterpart of the A record.

host            IN      AAAA    2001:db8:0:1::5

PTR

The PTR record is the counterpart of the A and AAAA records: it allows the name corresponding to an IP address to be found.

5		IN	PTR	host.example.com.

Creating a PTR record is important for the correct configuration of services such as mail, SSH access, … Indeed, it is often used to verify the identity of a host: the name returned by the PTR lookup must itself resolve back to the original address.

Reverse lookup validation
# Successful validation
192.168.1.5       --- PTR ---> host.example.com.
host.example.com. ---  A  ---> 192.168.1.5

# Problematic reverse lookup
10.10.1.5         --- PTR ---> host.example.com.
host.example.com. ---  A  ---> 192.168.1.5
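The validation sketched above (forward-confirmed reverse DNS), as an added example that is not part of the original page; the resolver answers are constructed to reproduce the successful and the problematic case, and the reverse-name helper also covers IPv6 (ip6.arpa), which the listing does not show:

```python
import ipaddress

# Constructed resolver answers (no real lookups); the two PTR entries mirror
# the "successful" and "problematic" listings above.
PTR_ANSWERS = {
    "5.1.168.192.in-addr.arpa.": ["host.example.com."],
    "5.1.10.10.in-addr.arpa.": ["host.example.com."],
}
FORWARD_ANSWERS = {
    "host.example.com.": ["192.168.1.5", "2001:db8:0:1::5"],
}

def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address
    (in-addr.arpa / ip6.arpa, returned as an absolute name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def forward_confirmed(ip, ptr=PTR_ANSWERS, forward=FORWARD_ANSWERS):
    """Forward-confirmed reverse DNS: return only the PTR names whose own
    A/AAAA records include the original address. An empty list means the
    reverse mapping must not be trusted as a host identity."""
    address = ipaddress.ip_address(ip)
    names = ptr.get(reverse_name(ip), [])
    return [
        name for name in names
        if any(ipaddress.ip_address(a) == address for a in forward.get(name, []))
    ]
```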

CNAME

The CNAME record creates an alias (a redirection from one name to another). It is particularly useful when a host must be reachable under several names.

www		IN	CNAME	host

If a CNAME is used as an alias for a service, it is necessary to ensure that the whole set of addresses (A and AAAA) declared for the target name actually gives access to the service.

Taking the example above, a web service defined in the DNS as www and running on the server named host: the typical error is to declare both the IPv4 (A) and IPv6 (AAAA) addresses of the server named host while the service itself only listens on IPv4. The service is then advertised as reachable over IPv6 even though it is not.

SPF

The SPF record (Sender Policy Framework) indicates which servers are officially authorised to send mail for the domain or host.

  		IN	SPF	"v=spf1 a:mrelay1.example.com ~all"
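As an added example (not code from the original page), a minimal evaluator for the record above run against several connecting addresses; the resolver answers, including the relay's addresses, are constructed, and the record text is evaluated the same way whether it is published under the SPF type shown here or under TXT as RFC 7208 now prescribes:

```python
import ipaddress

# Constructed resolver answers (no real lookups). The SPF record is the one
# from the listing above; the relay's addresses are made up for the example.
DNS_ANSWERS = {
    ("example.com.", "SPF"): ["v=spf1 a:mrelay1.example.com ~all"],
    ("example.com.", "A"): ["192.168.1.5"],
    ("mrelay1.example.com.", "A"): ["192.168.1.10"],
    ("mrelay1.example.com.", "AAAA"): ["2001:db8:0:1::10"],
}

def host_addresses(name):
    return DNS_ANSWERS.get((name, "A"), []) + DNS_ANSWERS.get((name, "AAAA"), [])

def check_spf(domain, sender_ip):
    """Evaluate the domain's v=spf1 record against the connecting IP.
    Supports the a, a:<host>, ip4:, ip6: and all mechanisms with the
    qualifiers + - ~ ?; anything else yields 'permerror' (a full checker
    would also handle mx, include, redirect and CIDR suffixes)."""
    ip = ipaddress.ip_address(sender_ip)
    records = DNS_ANSWERS.get((domain, "SPF"), [])
    if len(records) != 1 or not records[0].startswith("v=spf1"):
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mechanism, _, argument = term.lstrip("+-~?").lower().partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "a":
            host = argument.rstrip(".") + "." if argument else domain
            matched = any(ipaddress.ip_address(a) == ip for a in host_addresses(host))
        elif mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        else:
            return "permerror"
        if matched:
            return results[qualifier]
    return "neutral"     # no mechanism matched and no "all" term
```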

SSHFP

The SSHFP record holds an SSH host key fingerprint. The DNS then makes the fingerprint available to clients so that they can validate the authenticity of the host they are connecting to.

		IN	SSHFP	1 1 760b00b0656e5e7b15a6d9f3091dc6ad428015f1
		IN	SSHFP	2 1 d4beef568791c5074a66455d8d38ab7500dcb391

The following command, run on the chosen server, generates the records to put in the DNS; the keys taken into account are the server's own (by default: /etc/ssh/ssh_host_*_key.pub).

Generating SSHFP records
ssh-keygen -r ${HOSTNAME}
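As an added example (neither the page's own nor ssh-keygen's code), a routine that derives SSHFP records from an OpenSSH public-key line, extending the listing above with the SHA-256 fingerprint type (2) alongside SHA-1 (1); the Ed25519 key it runs on is constructed for the example and is not a real host key:

```python
import base64
import hashlib
import struct

# RFC 4255 / 6594 / 7479 code points for the two numeric fields of SSHFP.
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
FINGERPRINT_TYPES = {"SHA-1": (1, hashlib.sha1), "SHA-256": (2, hashlib.sha256)}

def sshfp_records(owner, pubkey_line):
    """Build the SSHFP records for one OpenSSH public-key line
    ('<type> <base64 blob> [comment]'). The fingerprint is the hash of the
    decoded key blob, which is what ssh-keygen -r publishes."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    # The blob starts with its own type string; it must agree with the prefix.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key blob does not match its declared type")
    algorithm = KEY_ALGORITHMS[key_type]
    return [
        f"{owner} IN SSHFP {algorithm} {fptype} {digest(blob).hexdigest()}"
        for fptype, digest in FINGERPRINT_TYPES.values()
    ]

def sample_ed25519_line():
    """A constructed Ed25519 public key (not a real host key): the blob is the
    SSH wire encoding, string 'ssh-ed25519' followed by a 32-byte string."""
    key_bytes = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example.com"

if __name__ == "__main__":
    for record in sshfp_records("host.example.com.", sample_ed25519_line()):
        print(record)
```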

LOC

The LOC record allows to specify the geographical position: latitude, longitude, height, and sphere of uncertainty.

		IN	LOC	45 45 8.15 N 4 52 20.17 E 180m 5m 5m 5m