ops@toolbox:~$ dnsrecordtypes --run

DNS Record Types

Searchable reference of DNS record types with practical notes.

TypeNamePurpose & notes
AAddressHostname → IPv4. The workhorse. Multiple A records = simple round-robin.
AAAAIPv6 AddressHostname → IPv6. Serve both A and AAAA for dual-stack ("happy eyeballs" prefers v6).
CNAMECanonical nameAlias to another hostname. Cannot coexist with other records at the same name, which is why apex domains can't use CNAME (see ALIAS below).
MXMail exchangerWhere email for the domain is delivered; lower preference number wins. Points at a hostname, never an IP.
TXTTextFree-form strings. Hosts SPF ("v=spf1 …"), DKIM keys, DMARC policies (at _dmarc.domain), and domain-ownership verification tokens.
NSName serverDelegates the zone to authoritative servers. Must match at parent and child, or resolution gets flaky.
SOAStart of authorityZone metadata: primary NS, admin contact, serial number, refresh/retry/expire timers. The serial must increase on every change for secondaries to update.
PTRPointerIP → hostname (reverse DNS), stored under in-addr.arpa / ip6.arpa. Mail servers without matching forward/reverse DNS get their mail rejected.
SRVService_service._proto.domain → priority, weight, port, target. Used by LDAP, Kerberos, SIP, XMPP; how AD clients find domain controllers.
CAACA authorizationWhich certificate authorities may issue for the domain (e.g. 0 issue "letsencrypt.org"). CAs are required to check it.
SVCB / HTTPSService bindingModern records advertising HTTP/3 support, alt endpoints and ECH parameters; the HTTPS type also fixes the apex-CNAME problem for web.
NAPTRNaming authority pointerRegex-based rewriting for SIP/ENUM telephony routing. Rare outside VoIP.
DSDelegation signerDNSSEC: hash of the child zone's key, placed in the parent zone to build the chain of trust.
DNSKEYDNSSEC keyThe zone's public signing keys (KSK/ZSK). Paired with RRSIG signatures on every record set.
TLSADANEPins a TLS certificate or CA to a service via DNSSEC (_443._tcp.host). Mostly used for SMTP transport security.
ALIAS/ANAMEApex aliasProvider-specific pseudo-record: CNAME-like behaviour at the zone apex, resolved server-side. Not a standard type, portability varies.
SSHFPSSH fingerprintPublishes host key fingerprints so SSH can verify hosts via DNSSEC instead of trust-on-first-use.

Using this table

Filter by type or keyword, spf, reverse, mail. The list covers what appears in real zones and real interview questions, rather than the full IANA registry of historical types.

The rules that cause tickets

Three restrictions explain most DNS misconfiguration. A CNAME excludes all other data at the same name, so the zone apex, which must hold SOA and NS records, cannot be a CNAME; that's why example.com pointing at a load balancer hostname needs a provider ALIAS or the newer HTTPS record. MX and NS must target hostnames with A/AAAA records, never IPs and never CNAMEs (it often works, but it violates the RFC and some resolvers care). And TTLs are promises: a 24-hour TTL means yesterday's value can be served for a day after you change it, lower the TTL before a migration, not during the outage.

Email lives in TXT

Deliverability is now effectively mandatory DNS work: an SPF record listing permitted senders, a DKIM public key under selector._domainkey, and a DMARC policy at _dmarc telling receivers what to do on failure. Missing any of the three lands mail in spam at the large providers. Verify with dig TXT example.com, dig TXT _dmarc.example.com, and remember SPF has a hard limit of 10 DNS lookups, exceeding it via nested includes silently breaks enforcement.

Related tools

HTTP Headers Reference
Searchable reference of the HTTP request and response headers that matter in operations.
Linux Signals Reference
kill -9 and friends: every signal a sysadmin meets, with default actions and notes.
tar Command Examples
The tar invocations you actually need: create, extract, list, compress, exclude.
rsync Command Examples
The rsync invocations that matter: mirror, dry-run, delete, resume, bandwidth limits.