记录类型
| 代码 | 号码 | 定义的 RFC | 描述 | 功能 |
|---|---|---|---|---|
| A | 1 | RFC 1035 | IP 地址记录 | 传回一个 32 比特的 IPv4 地址,最常用于映射主机名称到 IP地址,但也用于DNSBL(RFC 1101)等。 |
| AAAA | 28 | RFC 3596 | IPv6 IP 地址记录 | 传回一个 128 比特的 IPv6 地址,最常用于映射主机名称到 IP 地址。 |
| AFSDB | 18 | RFC 1183 | AFS文件系统 | (Andrew File System)数据库核心的位置,于域名以外的 AFS 客户端常用来联系 AFS 核心。这个记录的子类型是被过时的的 DCE/DFS(DCE Distributed File System)所使用。 |
| APL | 42 | RFC 3123 | 地址前缀列表 | 指定地址列表的范围,例如:CIDR 格式为各个类型的地址(试验性)。 |
| CAA | 257 | RFC 6844 | 权威认证授权 | DNS认证机构授权,限制主机/域的可接受的CA |
| CDNSKEY | 60 | RFC 7344 | 子关键记录 | 关键记录记录的子版本,用于转移到父级 |
| CDS | 59 | RFC 7344 | 子委托签发者 | 委托签发者记录的子版本,用于转移到父级 |
| CERT | 37 | RFC 4398 | 证书记录 | 存储 PKIX、SPKI、PGP等。 |
| CNAME | 5 | RFC 1035 | 规范名称记录 | 一个主机名字的别名:域名系统将会继续尝试查找新的名字。 |
| DHCID | 49 | RFC 4701 | DHCP(动态主机设置协议)识别码 | 用于将 FQDN 选项结合至 DHCP。 |
| DLV | 32769 | RFC 4431 | DNSSEC(域名系统安全扩展)来源验证记录 | 为不在DNS委托者内发布DNSSEC的信任锚点,与 DS 记录使用相同的格式,RFC 5074 介绍了如何使用这些记录。 |
| DNAME | 39 | RFC 2672 | 代表名称 | DNAME 会为名称和其子名称产生别名,与 CNAME 不同,在其标签别名不会重复。但与 CNAME 记录相同的是,DNS将会继续尝试查找新的名字。 |
| DNSKEY | 48 | RFC 4034 | DNS 关键记录 | 于DNSSEC内使用的关键记录,与 KEY 使用相同格式。 |
| DS | 43 | RFC 4034 | 委托签发者 | 此记录用于鉴定DNSSEC已授权区域的签名密钥。 |
| HIP | 55 | RFC 5205 | 主机鉴定协议 | 将端点标识符及IP 地址定位的分开的方法。 |
| IPSECKEY | 45 | RFC 4025 | IPSEC 密钥 | 与 IPSEC 同时使用的密钥记录。 |
| KEY | 25 | RFC 2535[1]RFC 2930[2] | 关键记录 | 只用于 SIG(0)(RFC 2931)及 TKEY(RFC 2930)。[3]RFC 3455 否定其作为应用程序键及限制DNSSEC的使用。[4]RFC 3755 指定了 DNSKEY 作为DNSSEC的代替。[5] |
| LOC记录(LOC record) | 29 | RFC 1876 | 位置记录 | 将一个域名指定地理位置。 |
| MX记录(MX record) | 15 | RFC 1035 | 电邮交互记录 | 引导域名到该域名的邮件传输代理(MTA, Message Transfer Agents)列表。 |
| NAPTR记录(NAPTR record) | 35 | RFC 3403 | 命名管理指针 | 允许基于正则表达式的域名重写使其能够作为 URI、进一步域名查找等。 |
| NS | 2 | RFC 1035 | 名称服务器记录 | 委托DNS区域(DNS zone)使用已提供的权威域名服务器。 |
| NSEC | 47 | RFC 4034 | 下一代安全记录 | DNSSEC 的一部分 — 用来验证一个未存在的服务器,使用与 NXT(已过时)记录的格式。 |
| NSEC3 | 50 | RFC 5155 | NSEC 记录第三版 | 用作允许未经允许的区域行走以证明名称不存在性的 DNSSEC 扩展。 |
| NSEC3PARAM | 51 | RFC 5155 | NSEC3 参数 | 与 NSEC3 同时使用的参数记录。 |
| OPENPGPKEY | 61 | RFC 7929 | OpenPGP公钥记录 | 基于DNS的域名实体认证方法,用于使用OPENPGPKEY DNS资源记录在特定电子邮件地址的DNS中发布和定位OpenPGP公钥。 |
| PTR | 12 | RFC 1035 | 指针记录 | 引导至一个规范名称(Canonical Name)。与 CNAME 记录不同,DNS“不会”进行进程,只会传回名称。最常用来运行反向 DNS 查找,其他用途包括引作 DNS-SD。 |
| RRSIG | 46 | RFC 4034 | DNSSEC 证书 | DNSSEC 安全记录集证书,与 SIG 记录使用相同的格式。 |
| RP | 17 | RFC 1183 | 负责人 | 有关域名负责人的信息,电邮地址的 @ 通常写为 a。 |
| SIG | 24 | RFC 2535 | 证书 | SIG(0)(RFC 2931)及 TKEY(RFC 2930)使用的证书。[5]RFC 3755 designated RRSIG as the replacement for SIG for use within DNSSEC.[5] |
| SOA | 6 | RFC 1035 | 权威记录的起始 | 指定有关DNS区域的权威性信息,包含主要名称服务器、域名管理员的电邮地址、域名的流水式编号、和几个有关刷新区域的定时器。 |
| SPF | 99 | RFC 4408 | SPF 记录 | 作为 SPF 协议的一部分,优先作为先前在 TXT 存储 SPF 数据的临时做法,使用与先前在 TXT 存储的格式。 |
| SRV记录(SRV record) | 33 | RFC 2782 | 服务定位器 | 广义为服务定位记录,被新式协议使用而避免产生特定协议的记录,例如:MX 记录。 |
| SSHFP | 44 | RFC 4255 | SSH 公共密钥指纹 | DNS 系统用来发布 SSH 公共密钥指纹的资源记录,以用作辅助验证服务器的真实性。 |
| TA | 32768 | 无 | DNSSEC 信任当局 | DNSSEC 一部分无签订 DNS 根目录的部署提案,,使用与 DS 记录相同的格式[6][7]。 |
| TKEY记录(TKEY record) | 249 | RFC 2930 | 秘密密钥记录 | 为TSIG提供密钥材料的其中一类方法,that is 在公共密钥下加密的 accompanying KEY RR。[8] |
| TSIG | 250 | RFC 2845 | 交易证书 | 用以认证动态更新(Dynamic DNS)是来自合法的客户端,或与 DNSSEC 一样是验证回应是否来自合法的递归名称服务器。[9] |
| TXT | 16 | RFC 1035 | 文本记录 | 最初是为任意可读的文本 DNS 记录。自1990年起,些记录更经常地带有机读数据,以 RFC 1464 指定:机会性加密(opportunistic encryption)、Sender Policy Framework(虽然这个临时使用的 TXT 记录在 SPF 记录推出后不被推荐)、DomainKeys、DNS-SD等。 |
| URI | 256 | RFC 7553 | 统一资源标识符 | 可用于发布从主机名到URI的映射。 |
其他类型及伪资源记录
其他类型的资源记录简单地提供一些类型的消息(如:HINFO 记录提供电脑或操作系统的类型),或传回实验中之功能的数据。“type”字段也使用于其他协议作各种操作。
| 代码 | 号码 | 定义的 RFC | 描述 | 功能 |
|---|---|---|---|---|
| * | 255 | RFC 1035 | 所有缓存的记录 | 传回所有服务器已知类型的记录。如果服务器未有任何关于名称的记录,该请求将被转发。而传回的记录未必完全完成,例如:当一个名称有 A 及 MX 类型的记录时,但服务器已缓存了 A 记录,就只有 A 记录会被传回。 |
| AXFR | 252 | RFC 1035 | 全域转移 | 由主域名服务器转移整个区域文件至二级域名服务器。 |
| IXFR | 251 | RFC 1995 | 增量区域转移 | 请求只有与先前流水式编号不同的特定区域的区域转移。此请求有机会被拒绝,如果权威服务器由于配置或缺乏必要的数据而无法履行请求,一个完整的(AXFR)会被发送以作回应。 |
| OPT | 41 | RFC 2671 | 选项 | 这是一个“伪 DNS记录类型”以支持 EDNS。 |
过时的记录类型
发展呈现废弃一些最初定义的记录类型。从 IANA 的记录可见,一些记录类型由于一些原因而被限制其使用、一些被标示为明显过时的、有些是为了隐藏的服务、有些是为了旧版本的服务、有的有特别记录指出它们是“不正确的”。
- 由 RFC 973 定义为过时:MD(3)、MF (4)、MAILA (254)
- 为了发布邮件列表订户的 DNS 记录:MB(7)、MG(8)、MR(9)、MINFO(14)、MAILB (253)。 在 RFC 883 标明的意图是为了让 MB 代替 SMTP VRFY 指令、MG 代替 SMTP EXPN 指令、及让 MR 代替“551 User Not Local”SMTP 错误。其后,RFC 2505 提议将 VRFY 及 EXPN 指令两者停用,使利用 MB 及 MG 永远不可能获得通过。
- 在 RFC 1123 不提议使用“not to be relied upon”(RFC 1127 有更多的信息):WKS(11)[10]
- 错误: NB(32)、NBSTAT(33)(自 RFC 1002);号码现已分配给 NIMLOC 及 SRV。
- 由 RFC 1035 定义为过时:NULL(10)(RFC 883 定义“完成查询”(操作码二及可能是三)有在使用此记录,后来 RFC 1035 重新分配操作码二为“状态”及保留操作码三)。
- 定义为早期的 IPv6 但其后由 RFC 3363 降级为试验性:A6(38)
- 由 DNSSEC 更新(RFC 3755) 定义为过时:NXT(30)。同一时间,为 KEY 及 SIG 域名的适用性限制为不包括 DNSSEC。
- 第一版 DNSSEC(RFC 2230、RFC 2065)的一部分,现已过时:KX(36)
- 目前没有任何显著的应用程序使用:HINFO(13)、RP(17)、X25(19)、ISDN(20)、RT(21)、NSAP(22)、NSAP-PTR(23)、PX(26)、EID(31)、NIMLOC(32)、ATMA(34)、APL(42)
- 由 Kitchen Sink 互联网草案,但从未达至 RFC 水平:SINK(40)
- 一个 LOC 记录更有限的早期版本:GPOS(27)
- IANA 保留,及后未有 RFC 记录它们 [1] 而支持已由 BIND 于九零年初移除:UINFO(100), UID(101)、GID(102)、UNSPEC(103)
RP(17) 可能被使用于有关指定的主机的不同联系点、子网域其他 SOA 记录不包含的域名级别的人类可读信息。
From wiki :
Resource records
| Type | Type id. (decimal) | Defining RFC | Description | Function |
|---|---|---|---|---|
| A | 1 | RFC 1035[1] | Address record | Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc. |
| AAAA | 28 | RFC 3596[2] | IPv6 address record | Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. |
| AFSDB | 18 | RFC 1183 | AFS database record | Location of database servers of an AFS cell. This record is commonly used by AFS clients to contact AFS cells outside their local domain. A subtype of this record is used by the obsolete DCE/DFS file system. |
| APL | 42 | RFC 3123 | Address Prefix List | Specify lists of address ranges, e.g. in CIDR format, for various address families. Experimental. |
| CAA | 257 | RFC 6844 | Certification Authority Authorization | DNS Certification Authority Authorization, constraining acceptable CAs for a host/domain |
| CDNSKEY | 60 | RFC 7344 | Child DNSKEY | Child copy of DNSKEY record, for transfer to parent |
| CDS | 59 | RFC 7344 | Child DS | Child copy of DS record, for transfer to parent |
| CERT | 37 | RFC 4398 | Certificate record | Stores PKIX, SPKI, PGP, etc. |
| CNAME | 5 | RFC 1035[1] | Canonical name record | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. |
| DHCID | 49 | RFC 4701 | DHCP identifier | Used in conjunction with the FQDN option to DHCP |
| DLV | 32769 | RFC 4431 | DNSSEC Lookaside Validation record | For publishing DNSSEC trust anchors outside of the DNS delegation chain. Uses the same format as the DS record. RFC 5074 describes a way of using these records. |
| DNAME | 39 | RFC 6672 | Alias for a name and all its subnames, unlike CNAME, which is an alias for only the exact name. Like a CNAME record, the DNS lookup will continue by retrying the lookup with the new name. | |
| DNSKEY | 48 | RFC 4034 | DNS Key record | The key record used in DNSSEC. Uses the same format as the KEY record. |
| DS | 43 | RFC 4034 | Delegation signer | The record used to identify the DNSSEC signing key of a delegated zone |
| HIP | 55 | RFC 8005 | Host Identity Protocol | Method of separating the end-point identifier and locator roles of IP addresses. |
| IPSECKEY | 45 | RFC 4025 | IPsec Key | Key record that can be used with IPsec |
| KEY | 25 | RFC 2535[3] and RFC 2930[4] | Key record | Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930).[5] RFC 3445 eliminated their use for application keys and limited their use to DNSSEC.[6] RFC 3755 designates DNSKEY as the replacement within DNSSEC.[7] RFC 4025 designates IPSECKEY as the replacement for use with IPsec.[8] |
| KX | 36 | RFC 2230 | Key Exchanger record | Used with some cryptographic systems (not including DNSSEC) to identify a key management agent for the associated domain-name. Note that this has nothing to do with DNS Security. It is Informational status, rather than being on the IETF standards-track. It has always had limited deployment, but is still in use. |
| LOC | 29 | RFC 1876 | Location record | Specifies a geographical location associated with a domain name |
| MX | 15 | RFC 1035[1] and RFC 7505 | Mail exchange record | Maps a domain name to a list of message transfer agents for that domain |
| NAPTR | 35 | RFC 3403 | Naming Authority Pointer | Allows regular-expression-based rewriting of domain names which can then be used as URIs, further domain names to lookups, etc. |
| NS | 2 | RFC 1035[1] | Name server record | Delegates a DNS zone to use the given authoritative name servers |
| NSEC | 47 | RFC 4034 | Next Secure record | Part of DNSSEC—used to prove a name does not exist. Uses the same format as the (obsolete) NXT record. |
| NSEC3 | 50 | RFC 5155 | Next Secure record version 3 | An extension to DNSSEC that allows proof of nonexistence for a name without permitting zonewalking |
| NSEC3PARAM | 51 | RFC 5155 | NSEC3 parameters | Parameter record for use with NSEC3 |
| OPENPGPKEY | 61 | RFC 7929 | OpenPGP public key record | A DNS-based Authentication of Named Entities (DANE) method for publishing and locating OpenPGP public keys in DNS for a specific email address using an OPENPGPKEY DNS resource record. |
| PTR | 12 | RFC 1035[1] | Pointer record | Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. |
| RRSIG | 46 | RFC 4034 | DNSSEC signature | Signature for a DNSSEC-secured record set. Uses the same format as the SIG record. |
| RP | 17 | RFC 1183 | Responsible Person | Information about the responsible person(s) for the domain. Usually an email address with the @ replaced by a . |
| SIG | 24 | RFC 2535 | Signature | Signature record used in SIG(0) (RFC 2931) and TKEY (RFC 2930).[7] RFC 3755 designated RRSIG as the replacement for SIG for use within DNSSEC.[7] |
| SOA | 6 | RFC 1035[1] and RFC 2308[9] | Start of [a zone of] authority record | Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. |
| SRV | 33 | RFC 2782 | Service locator | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. |
| SSHFP | 44 | RFC 4255 | SSH Public Key Fingerprint | Resource record for publishing SSH public host key fingerprints in the DNS System, in order to aid in verifying the authenticity of the host. RFC 6594 defines ECC SSH keys and SHA-256 hashes. See the IANA SSHFP RR parameters registry for details. |
| TA | 32768 | N/A | DNSSEC Trust Authorities | Part of a deployment proposal for DNSSEC without a signed DNS root. See the IANA database and Weiler Spec for details. Uses the same format as the DS record. |
| TKEY | 249 | RFC 2930 | Transaction Key record | A method of providing keying material to be used with TSIG that is encrypted under the public key in an accompanying KEY RR.[10] |
| TLSA | 52 | RFC 6698 | TLSA certificate association | A record for DANE. RFC 6698 defines "The TLSA DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a 'TLSA certificate association'". |
| TSIG | 250 | RFC 2845 | Transaction Signature | Can be used to authenticate dynamic updates as coming from an approved client, or to authenticate responses as coming from an approved recursive name server[11] similar to DNSSEC. |
| TXT | 16 | RFC 1035[1] | Text record | Originally for arbitrary human-readable text in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, DMARC, DNS-SD, etc. |
| URI | 256 | RFC 7553 | Uniform Resource Identifier | Can be used for publishing mappings from hostnames to URIs. |
Other types and pseudo resource records
Other types of records simply provide some types of information (for example, an HINFO record gives a description of the type of computer/OS a host uses), or others return data used in experimental features. The "type" field is also used in the protocol for various operations.
| Type | Type id. | Defining RFC | Description | Function |
|---|---|---|---|---|
| * | 255 | RFC 1035[1] | All cached records | Returns all records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on. The records returned may not be complete. For example, if there is both an A and an MX for a name, but the name server has only the A record cached, only the A record will be returned. Sometimes referred to as "ANY", for example in Windows nslookup and Wireshark. |
| AXFR | 252 | RFC 1035[1] | Authoritative Zone Transfer | Transfer entire zone file from the master name server to secondary name servers. |
| IXFR | 251 | RFC 1996 | Incremental Zone Transfer | Requests a zone transfer of the given zone but only differences from a previous serial number. This request may be ignored and a full (AXFR) sent in response if the authoritative server is unable to fulfill the request due to configuration or lack of required deltas. |
| OPT | 41 | RFC 6891 | Option | This is a "pseudo DNS record type" needed to support EDNS |
Obsolete record types
Progress has rendered some of the originally defined record-types obsolete. Of the records listed at IANA, some have limited use, for various reasons. Some are marked obsolete in the list, some are for very obscure services, some are for older versions of services, and some have special notes saying they are "not right".
| Type | Type id. | Defining RFC | Obsoleted by | Description |
|---|---|---|---|---|
| MD
MF MAILA |
3
4 254 |
RFC 973 | Obsoleted by: 1034, 1035 | Obsoleted by RFC 973: MD(3), MF (4), MAILA (254) |
| MB
MG MR MINFO MAILB |
7
8 9 14 253 |
RFC 883, RFC 2505 | Obsoleted by: 1034, 1035
Obsoleted by: 2050 |
Records to publish mailing list subscriber lists in the DNS: MB(7), MG(8), MR(9), MINFO(14), MAILB (253). The intent, as specified by RFC 883, was for MB to replace the SMTP VRFY command, MG to replace the SMTP EXPN command, and MR to replace the "551 User Not Local" SMTP error. Later, RFC 2505 recommended that both the VRFY and EXPN commands be disabled, making the use of MB and MG unlikely to ever be adopted. |
| WKS | 11 | RFC 1123 | Declared "not to be relied upon" by RFC 1123 (with further information in RFC 1127): WKS(11)[12] | |
| NB
NBSTAT |
32
33 |
RFC 1002 | Mistakes: NB(32), NBSTAT(33) (from RFC 1002); the numbers are now assigned to NIMLOC and SRV. | |
| NULL | 0 | RFC 883 | RFC 1035 | Obsoleted by RFC 1035: NULL(10) (RFC 883 defined "completion queries" (opcode 2 and maybe 3) which used this record, RFC 1035 later reassigned opcode 2 to be "status" and reserved opcode 3.) |
| A6 | 38 | RFC 3363 | RFC 6563 | Defined as part of early IPv6 but downgraded to experimental by RFC 3363: A6(38), Later downgraded to historic in RFC 6563. |
| NXT
KEY SIG |
30
-- -- |
RFC 3755 | RFC 4034 | Obsoleted by DNSSEC updates (RFC 3755): NXT(30). At the same time, the domain of applicability for KEY and SIG was also limited to not include DNSSEC use. |
| RFC 2065 | Part of the first version of DNSSEC (RFC 2065). | |||
| HINFO | 13 | Not in current use by any notable application | ||
| RP | 17 | RP may be used for certain human-readable information regarding a different contact point for a specific host, subnet, or other domain level label separate than that used in the SOA record. | ||
| X25 | 19 | Not in current use by any notable application | ||
| ISDN
RT NSAP |
20
21 22 |
Not in current use by any notable application | ||
| NSAP-PTR
PX EID |
23
26 31 |
Not in current use by any notable application | ||
| NIMLOC
ATMA APL |
32
34 42 |
Not in current use by any notable application | ||
| SINK | 40 | Defined by the Kitchen Sink internet draft, but never made it to RFC status: SINK(40) | ||
| GPOS | 27 | A more limited early version of the LOC record: GPOS(27) | ||
| UINFO
UID GID UNSPEC |
100
101 102 103 |
IANA reserved, no RFC documented them [1] and support was removed from BIND in the early 90s: UINFO(100), UID(101), GID(102), UNSPEC(103) | ||
| SPF | 99 | RFC 4408 | SPF(99) (from RFC 4408) was specified as part of the Sender Policy Framework protocol as an alternative to storing SPF data in TXT records, using the same format. It was later found that the majority of SPF deployments lack proper support for this record type, and support for it was discontinued in RFC 7208.[13][14] |