Extended DNS Records – SVR, DNAME and AAAA records
We continue looking at less commonly used DNS records, but we also look at the soon to be common AAAA record which is merely the IPV6 version of an A record. Before that, we will first examine the SRV and the rare DNAME records.
The SRV extended DNS record
SRV records are DNS entries that define a service ie the hostname and port number of a server for a specific service. Certain protocols such as SIP and XMPP often need SRV records to function properly. A SRV record looks like this:
_service._proto.name. TTL class SRV priority weight port target.
This can be broken down as follows:
- service: the symbolic name of the desired service.
- proto: the transport protocol of the desired service; this is usually either TCP or UDP.
- name: the domain name for which this record is valid, ending in a dot.
- TTL: standard DNS time to live field.
- class: standard DNS class field (this is always IN).
- priority: the priority of the target host, lower value means more preferred.
- weight: A relative weight for records with the same priority, higher value means more preferred.
- port: the TCP or UDP port on which the service is to be found.
- target: the canonical hostname of the machine providing the service, ending in a dot.
An example of a zone file entry for a SIP server may look as follows:
_sip._tcp.mydomain.co.za. 86400 IN SRV 0 5 5060 sipserver.voipprovider.co.za.
The TARGET hostname (in this case sipserver.voipprovider.co.za must resolve via an A or AAAA record and may not be a CNAME. This is the same as an MX record. The priority field is used to determine which server is used first if there are multiple entries for the same server.The weight is used in case multiple priorities with the same value are used to effect load-balancing. Query of the SRV can be done by requesting the type SRV – unlike SPF, DKIM or DMARC which are all TXT type records.
The DNAME extended DNS record
Unlike CNAME which is an alias for a single record ie www.domain.com is an alias for domain.com, DNAME redirects all records below it to the new domain. This is useful if you want to redirect an entire domain and all the subdomain requests associated with it to another domain as follows:
; zone fragment for example.com ; uses DNAME RR to re-direct to new domain, example.net $TTL 2d ; zone default = 2 days or 172800 seconds $ORIGIN example.com. ; zone apex RRs .... IN DNAME example.net. .... ; www and ftp RRs (or any other) are not required since they are ; BELOW DNAME (which is at the apex) ; any normal zone RRs from this point are IGNORED ; due to the presence of the DNAME ; they can be left in the zone file ; or they could be deleted
Any records below the DNAME entry are ignored.
The AAAA Record
The technical explanation of the AAAA record is that it a Resource Record (RR) type 28 which returns a 128-bit IPV6 address, most commonly used to map a hostname to an IPV6 address. An example:
The AAAA record is thus exactly the same as an A record, only for IPV6.
DNS is not as complicated as it is sometimes made out to be. Here is a list of the currently valid record types, courtesy of Wikipedia:
|Type id. (decimal)
|Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc.
|IPv6 address record
|Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
|AFS database record
|Location of database servers of an AFS cell. This record is commonly used by AFS clients to contact AFS cells outside their local domain. A subtype of this record is used by the obsolete DCE/DFS file system.
|Address Prefix List
|Specify lists of address ranges, e.g. in CIDR format, for various address families. Experimental.
|Certification Authority Authorization
|DNS Certification Authority Authorization, constraining acceptable CAs for a host/domain
|Child copy of DNSKEY record, for transfer to the parent
|Child copy of DS record, for transfer to the parent
|Stores PKIX, SPKI, PGP, etc.
|Canonical name record
|Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.
|Used in conjunction with the FQDN option to DHCP
|DNSSEC Lookaside Validation record
|For publishing DNSSEC trust anchors outside of the DNS delegation chain. Uses the same format as the DS record. RFC 5074 describes a way of using these records.
|Alias for a name and all its sub names, unlike CNAME, which is an alias for only the exact name. Like a CNAME record, the DNS lookup will continue by retrying the lookup with the new name.
|DNS Key record
|The key record used in DNSSEC. Uses the same format as the KEY record.
|The record used to identify the DNSSEC signing key of a delegated zone
|Host Identity Protocol
|Method of separating the end-point identifier and locator roles of IP addresses.
|Key record that can be used with IPsec
|RFC 2535 and RFC 2930
|Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930). RFC 3445 eliminated their use for application keys and limited their use to DNSSEC. RFC 3755 designates DNSKEY as the replacement within DNSSEC. RFC 4025 designates IPSECKEY as the replacement for use with IPsec.
|Key Exchanger record
|Used with some cryptographic systems (not including DNSSEC) to identify a key management agent for the associated domain-name. Note that this has nothing to do with DNS Security. It is Informational status, rather than being on the IETF standards-track. It has always had limited deployment but is still in use.
|Specifies a geographical location associated with a domain name
|RFC 1035 and RFC 7505
|Mail exchange record
|Maps a domain name to a list of message transfer agents for that domain
|Naming Authority Pointer
|Allows regular-expression-based rewriting of domain names which can then be used as URIs, further domain names to lookups, etc.
|Delegates a DNS zone to use the given authoritative name servers
|Next Secure record
|Part of DNSSEC—used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.
|Next Secure record version 3
|An extension to DNSSEC that allows proof of nonexistence for a name without permitting zonewalking
|Parameter record for use with NSEC3
|OpenPGP public key record
|A DNS-based Authentication of Named Entities (DANE) method for publishing and locating OpenPGP public keys in DNS for a specific email address using an OPENPGPKEY DNS resource record.
|Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.
|Signature for a DNSSEC-secured recordset. Uses the same format as the SIG record.
|Information about the responsible person(s) for the domain. Usually an email address with the @ replaced by a .
|Signature record used in SIG(0) (RFC 2931) and TKEY (RFC 2930). RFC 3755 designated RRSIG as the replacement for SIG for use within DNSSEC.
|RFC 1035 and RFC 2308
|Start of [a zone of] authority record
|Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
|Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
|SSH Public Key Fingerprint
|Resource record for publishing SSH public host key fingerprints in the DNS System, in order to aid in verifying the authenticity of the host. RFC 6594 defines ECC SSH keys and SHA-256 hashes. See the IANA SSHFP RR parameters registry for details.
|DNSSEC Trust Authorities
|Part of a deployment proposal for DNSSEC without a signed DNS root. See the IANA database and Weiler Spec for details. Uses the same format as the DS record.
|Transaction Key record
|A method of providing keying material to be used with TSIG that is encrypted under the public key in an accompanying KEY RR.
|TLSA certificate association
|A record for DANE. RFC 6698 defines “The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a ‘TLSA certificate association'”.
|Can be used to authenticate dynamic updates as coming from an approved client, or to authenticate responses as coming from an approved recursive name server similar to DNSSEC.
|Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc.
|Uniform Resource Identifier
|Can be used for publishing mappings from hostnames to URIs.