What is the difference between A and AAAA records?

An A record maps a hostname to a 32-bit IPv4 address, while an AAAA record maps it to a 128-bit IPv6 address. A dual-stack host publishes both so clients can connect over whichever protocol they support.

Why can't I put a CNAME at the zone apex?

A CNAME cannot coexist with other records, but the apex must hold SOA and NS records, so a CNAME there is illegal. Use an ALIAS or ANAME pseudo-record from your provider, or the newer HTTPS record, to point the apex at a target.

How are SPF, DKIM and DMARC stored in DNS?

All three are published as TXT records. The dedicated SPF record type (99) is obsolete, so SPF policies, DKIM public keys and DMARC policies are all placed in TXT records at the appropriate names.

What does a CAA record do?

A CAA record lists which certificate authorities are allowed to issue TLS certificates for your domain. CAs must check it before issuance, which reduces the risk of unauthorized or mis-issued certificates.

What are the main DNSSEC record types?

DNSKEY publishes the zone's public keys, RRSIG holds the signatures over record sets, DS in the parent zone links to the child's key for the chain of trust, and NSEC/NSEC3 provide authenticated denial of existence.

DNS Record Types Reference

DNS record types reference

The Domain Name System stores far more than IP addresses. Each record type answers a specific question: where is this host (A/AAAA), what is its canonical name (CNAME), who handles its mail (MX), what text policies apply (TXT), which services exist (SRV), which CAs may issue certs (CAA), and how to validate signatures (DNSSEC types). Picking the right type, formatting its RDATA correctly, and setting a sensible TTL is the difference between a working domain and a broken one. Search the reference above by type, numeric code, or keyword.

How it works

Every DNS record has an owner name, a type, a class (almost always IN), a TTL, and type-specific RDATA. The TTL is a cache lifetime in seconds: low TTLs (300s) let you change records quickly at the cost of more queries, while high TTLs (a day or more) cache aggressively for stable records. Some types have structural rules — a CNAME cannot share a name with any other record and cannot sit at the zone apex, which is why providers offer ALIAS/ANAME or the newer HTTPS/SVCB records for apex pointing. DNSSEC layers cryptographic types on top: DNSKEY (public keys), RRSIG (signatures), DS (delegation hash in the parent), and NSEC/NSEC3 (authenticated denial of existence) together build a verifiable chain of trust.

Tips and examples

Lower a record’s TTL a day before a planned migration so resolvers pick up the change quickly, then raise it again once stable.
Keep SPF, DKIM, and DMARC as TXT records — the dedicated SPF type is obsolete and ignored.
Add a CAA record (issue "letsencrypt.org") to restrict which CAs can mint certs for your domain.
Prefer HTTPS/SVCB records to advertise ALPN, ports, and ECH; they let clients connect faster and more securely and solve apex aliasing cleanly.

DNS Record Types Reference

Email me this result

DNS record types reference

How it works

Tips and examples