Use when user configures DNS records, asks about A/AAAA/CNAME/MX/TXT/SRV/NS records, DNS resolution, TTL strategy, DNSSEC, DNS debugging (dig/nslookup), or cloud DNS (Route53, Cloud DNS, Cloudflare). Do NOT use for HTTP routing without DNS context, /etc/hosts file editing, or mDNS/service discovery in containers.
$ORIGIN example.com.
$TTL 3600
; SOA — zone metadata
@ IN SOA ns1.example.com. admin.example.com. (
2025010101 ; serial (YYYYMMDDNN)
3600 ; refresh
900 ; retry
1209600 ; expire
300 ; negative cache TTL
)
; Nameservers
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; Address records
@ IN A 203.0.113.10
@ IN AAAA 2001:db8::10
www IN A 203.0.113.10
www IN AAAA 2001:db8::10
; CNAME — alias (never at apex)
blog IN CNAME www.example.com.
; MX — mail routing (priority then target)
@ IN MX 10 mail1.example.com.
@ IN MX 20 mail2.example.com.
; TXT — SPF, DKIM, verification
@ IN TXT "v=spf1 include:_spf.google.com -all"
; SRV — service discovery (_service._proto.name TTL class SRV priority weight port target)
_sip._tcp IN SRV 10 60 5060 sipserver.example.com.
; CAA — restrict certificate issuance
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild ";"
; PTR — reverse DNS (in reverse zone)
; 10.113.0.203.in-addr.arpa. IN PTR example.com.
| Type | Purpose | Points To | At Apex? |
|---|---|---|---|
| A | IPv4 address | IP address | Yes |
| AAAA | IPv6 address | IP address | Yes |
| CNAME | Alias | Another hostname | No |
| MX | Mail routing | Hostname (not IP) | Yes |
| TXT | Arbitrary text | String (≤255 chars per segment) | Yes |
| SRV | Service location | Priority/weight/port/target | Yes |
| NS | Delegation | Nameserver hostname | Yes |
| SOA | Zone authority | Primary NS, admin email, timers | Yes |
| CAA | CA authorization | CA domain | Yes |
| PTR | Reverse lookup | Hostname | N/A |
| ALIAS/ANAME | Apex CNAME equivalent | Hostname (provider-specific) | Yes |
; Apex with A records
@ IN A 203.0.113.10
@ IN AAAA 2001:db8::10
; WWW as CNAME to apex (or separate A records)
www IN CNAME example.com.
For CDN/load balancer targets at apex, use provider-specific ALIAS records:
; Route53 Alias (configured via console/API, not zone file)
; Cloudflare: CNAME flattening handles this automatically
; Delegate dev.example.com to separate nameservers
dev IN NS ns1.dev-infra.example.com.
dev IN NS ns2.dev-infra.example.com.
@ IN MX 10 aspmx.l.google.com.
@ IN MX 20 alt1.aspmx.l.google.com.
@ IN MX 30 alt2.aspmx.l.google.com.
Set priority values in increments of 10 for flexibility. Lower number = higher priority.
Publish a single SPF TXT record at the domain apex. Limit it to 10 DNS lookups.
@ IN TXT "v=spf1 include:_spf.google.com include:mailgun.org -all"
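An offline check for the SPF rules in this section (a single record at the apex, at most 10 DNS lookups, and the `all` qualifier), added here as an example and not part of the original page. The function names and the `ZONE` sample data are constructed for illustration; the set of terms that count toward the lookup limit is taken from RFC 7208.

```python
# Added example: offline SPF linter. TXT data comes from a dict; no DNS queries are made.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # per RFC 7208 sec. 4.6.4

def spf_records(txt_strings):
    """Return only the TXT strings that are SPF records."""
    return [t for t in txt_strings if t.lower().split(" ")[0] == "v=spf1"]

def parse_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default qualifier
    name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
    return qualifier, name.split("/")[0].lower(), arg

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    recs = spf_records(zone.get(domain, []))
    if domain in path or not recs:  # include loop, or nothing to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg.lower(), zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return a list of findings for the SPF policy published at domain."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        return [f"expected exactly one SPF record, found {len(recs)}"]
    lookups = count_lookups(domain, zone)
    findings = [f"{lookups} DNS lookups, limit is 10"] if lookups > 10 else []
    terms = [parse_term(t) for t in recs[0].split()[1:]]
    quals = [q for q, name, _ in terms if name == "all"]
    if not quals and not any(name == "redirect" for _, name, _ in terms):
        findings.append("no 'all' mechanism and no redirect")
    elif quals and quals[0] != "-":
        findings.append(f"'{quals[0]}all' is weaker than '-all'")
    return findings

# Constructed sample data; the contents of the include targets are made up.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:mailgun.org -all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "mailgun.org": ["v=spf1 ip4:198.51.100.0/24 mx ~all"],
    "heavy.example": ["v=spf1 a mx " + " ".join(f"include:s{i}.example" for i in range(9)) + " ~all"],
}
```

Against live data, fill the dict from the TXT answers for the apex and each include target; `lint_spf("example.com", ZONE)` returns an empty list when the policy passes all three checks.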
-all (hard fail) for production domains.
~all (soft fail) only during initial rollout.
+all.
"v=spf1 -all"
Publish the public key as a TXT record under selector._domainkey.domain:
google._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."
_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
Rollout path: p=none → monitor reports → p=quarantine → p=reject.
Publish the DNS TXT record:
_mta-sts IN TXT "v=STSv1; id=2025010101"
Host policy file at https://mta-sts.example.com/.well-known/mta-sts.txt: