
Edge Security Acceleration: Parameters

Last Updated: Mar 20, 2025

This topic introduces the types of DNS records and the parameters for adding DNS records.

Record types

ESA supports the following record types: A/AAAA, CNAME, MX, TXT, SRV, NS, and CAA.

| Record type | Description |
| --- | --- |
| A/AAAA | A/AAAA records map domain names to IPv4 or IPv6 addresses. |
| CNAME | A CNAME record maps a domain name to another domain name. |
| MX | MX records point domain names to mail server addresses. |
| TXT | TXT records in text format contain readable information. |
| SRV | Service records (SRV records) identify specific services provided by servers and are commonly used for directory management in Microsoft systems. |
| NS | NS records delegate subdomains to other DNS providers for resolution. |
| CAA | CAA records are used to specify which CAs are allowed to issue certificates for a domain name. |
| CERT | CERT records store certificates and related security information in a publicly accessible location. These records can be used by clients and other services for authentication. |
| SMIMEA | SMIMEA records associate S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates with domain names. S/MIME is a widely used standard for email encryption and digital signing. It uses PKI to encrypt and sign email messages. |
| SSHFP | SSHFP records store SSH public key fingerprints. SSH clients can use SSHFP records to verify the identity of a remote server, enhancing connection security. |
| TLSA | A TLSA (TLS Authentication) record allows you to associate a TLS certificate with a domain name's specific service and port. |
| URI | URI records map domain names to URIs. Defined in RFC 7553, this record type enables DNS to participate in URI resolution and can link to the locations of various services, information, and resources. |

Parameters for adding records

When you add a DNS record, you must specify different parameters based on the record type.

A/AAAA record

You can add an A/AAAA record to point a domain name to an IPv4 or IPv6 address.

Parameter

Description

Record type

Select A/AAAA from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Proxy Status

If you proxy the record, client requests intended for the proxied domain go to ESA points of presence (POPs) for acceleration and protection. If you disable proxy for the record, ESA only resolves the record.

Record Value

The record value can be one or more IPv4 or IPv6 addresses. Separate multiple IP addresses with commas (,). Example: 123.123.XXX.XXX,2001:0db8:86a3:08d3:1319:8a2e:0370:7344

Origin Host

By default, the domain name in a client request is used as the Host request header when ESA retrieves resources from the origin server. If you want ESA to rewrite the Host header, refer to Origin host.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Note

You cannot adjust the TTL for proxied DNS records.

Remarks

Optional. Custom remarks.

CNAME record

You can create a CNAME record to point a domain name to another domain name that resolves to an IP address.

Parameter

Description

Record type

Select CNAME from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Proxy Status

If you proxy the record, client requests intended for the proxied domain go to ESA points of presence (POPs) for acceleration and protection. If you disable proxy for the record, ESA only resolves the record.

Record Value

Valid values are Domain Name, OSS, S3-compatible, Load Balancer, and Origin Pool.

  • Domain Name: You can configure a domain name as the origin address.

    Important

    The domain name that you specify must be different from your website domain name. Otherwise, a DNS resolution loop occurs and requests cannot be routed to the origin server.

  • OSS: Make sure your resources have been stored in Alibaba Cloud Object Storage Service (OSS). You can select or enter the public domain name of an OSS bucket as the origin. Internal domain names such as ***.oss-cn-hangzhou.aliyuncs.com are not allowed.

    Important

    If OSS is selected as the origin, you can set Access Type to Public Access, Private Access (Same-account), or Private Access (Cross-account). If you select Private Access (Same-account) or Private Access (Cross-account) for Access Type, you must configure authentication settings. For more information, see Configure an OSS origin server.

    Note
    • For information about OSS endpoints and domain names, see Endpoints and domain names.

    • Preferential pricing for traffic from OSS to ESA:

      • You benefit from the preferential pricing for the traffic that is consumed to transfer data from OSS to ESA only when you select OSS as your origin. For more information, visit the OSS pricing page.

      • If you select Domain Name as your origin, Alibaba Cloud OSS identifies the traffic that is consumed to transfer data from OSS to ESA as outbound traffic over the Internet. As a result, the unit price is higher.

  • S3-compatible: You can configure the public address of an AWS S3 bucket as the origin address. You can select Public Access or Private Access from the Access Type section. If you set Private Access, you must configure authentication. For more information, see Configure the origin type to OSS.

  • Load Balancer: You can select an existing load balancer from the drop-down list as the origin server. If no load balancers are available, create one by following instructions in Manage load balancers.

  • Origin Pool: You can select an existing origin pool from the drop-down list as the origin. If no pools are available, create one by following instructions in Create an origin pool.

Origin Host

  • When Record Value is Domain Name, Load Balancer, or Origin Pool, the value defaults to Match Requested Domain Name, which indicates that the client's requested domain name is used as the Host header in origin requests.

  • When Record Value is OSS or S3-compatible, the value defaults to Match Origin's Domain Name, which indicates that the origin's domain name is used as the Host header in origin requests.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Note

You cannot adjust the TTL for proxied DNS records.

Remarks

Optional. Custom remarks.

MX record

You can add a mail exchanger (MX) record to point a domain name to a mail server address.

Parameter

Description

Record type

Select MX from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Priority

Enter the priority according to the requirements of the email registrar. A lower value indicates a higher priority.

Mail Server

Enter the domain name of your mail server. Example: mx.example.com.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

TXT record

You can add a TXT record to associate human-readable text, such as public information or verification information, with a domain name.

Parameter

Description

Record type

Select TXT from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Record Value

Enter the text that you want to associate with the domain name.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

NS record

If you want to delegate your domain to other DNS providers for resolution, you can add a nameserver (NS) record.

Parameter

Description

Record type

Select NS from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Record Value

Enter the domain name of the authoritative server that you want to point to, such as ns1.example.com.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

SRV record

If you want to point a domain name to a server that provides specific services, such as directory management of Microsoft systems, you can add an SRV record.

Parameter

Description

Record type

Select SRV from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Priority

The priority of the record. A lower value indicates a higher priority.

Weight

The weight of the server, which controls the volume of traffic received by the server. A larger value indicates a higher weight and more traffic received by the server.

Port

The network port for listening.

Target

The domain name of the server. Example: srvhostname.example.com.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

CAA record

Certification Authority Authorization (CAA) records are used to specify which certificate authorities (CAs) are allowed to issue SSL certificates for a domain. By configuring a CAA record, you can prevent unauthorized CAs from issuing certificates for your domain.

Parameter

Description

Record type

Select CAA from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Flag

An 8-bit unsigned integer that controls how CAs process the CAA record. The most commonly used value is 0.

Tag

The behavior associated with the record. Common tags:

  • issue: authorizes a specified CA to issue certificates for your domain.

  • issuewild: authorizes a specified CA to issue wildcard certificates for your domain.

  • iodef: specifies an email address or URI where a CA can report policy violations. This tag is typically used to collect information about unauthorized certificate issuance.

CA Domain Name

The value of Tag. In most cases, the value is the domain name of the CA or the report URI.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.
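
How a CA evaluates the Flag, Tag, and CA Domain Name values described above, shown as an added example that is not part of the ESA documentation or product code. It follows the RFC 8659 processing rules, which is an assumption beyond this page; the record set and CA names are constructed placeholders.

```python
from typing import NamedTuple

class CAA(NamedTuple):
    flag: int   # "Flag" parameter, 0-255
    tag: str    # "Tag" parameter
    value: str  # "CA Domain Name" parameter

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical bit of the flag byte (RFC 8659)

def issuer_of(value: str) -> str:
    """Issuer domain from a value such as 'ca.example; account=1'.

    A value of ';' alone yields an empty issuer, which authorizes no CA.
    """
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """Return True if ca_domain may issue under this CAA record set."""
    for r in records:
        if not 0 <= r.flag <= 255:
            raise ValueError(f"flag out of range: {r.flag}")
    tags = [r.tag.lower() for r in records]
    # A critical record with a tag the CA does not understand blocks issuance.
    if any(r.flag & CRITICAL and t not in KNOWN_TAGS for r, t in zip(records, tags)):
        return False
    issue = [r for r, t in zip(records, tags) if t == "issue"]
    issuewild = [r for r, t in zip(records, tags) if t == "issuewild"]
    # issuewild replaces issue for wildcard requests and is ignored otherwise.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # empty or iodef-only sets do not restrict issuance
    return any(issuer_of(r.value) == ca_domain.lower() for r in relevant)

# Constructed sample record set (placeholder CA names).
SAMPLE = [
    CAA(0, "issue", "ca.example"),
    CAA(0, "issuewild", ";"),
    CAA(0, "iodef", "mailto:security@example.com"),
]

if __name__ == "__main__":
    checks = [("ca.example", False), ("other-ca.example", False), ("ca.example", True)]
    for ca, wild in checks:
        kind = "wildcard" if wild else "non-wildcard"
        print(f"{ca:18} {kind:13} allowed={may_issue(SAMPLE, ca, wild)}")
```
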

CERT record

If you want to point a domain name to the location where a public-key certificate is stored, you can add a CERT record. CERT records can be used by clients and other services for authentication.

Parameter

Description

Record type

Select CERT from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Certificate Type

Different values correspond to different certificate types. Examples:

  • 0: a reserved field.

  • 1: PKIX (X.509).

  • 2: Simple public key infrastructure (SPKI).

  • 3: PGP (OpenPGP).

  • 4: IPKIX (IPsec End Entity).

  • 5: ISPKI (IPsec-trusted third party).

  • 6: IPGP (IPsec OpenPGP Key).

  • 7: ACPKIX (PKIX Attribute Certificate).

  • 8: IACPKIX (PKIX IPSEC Attribute Certificate).

  • 252: URI.

  • 253: Object Identifier (OID).

We list only some common certificate types. For complete definitions and the latest updates, refer to the relevant RFC documentation or other authoritative sources.

Key Tag

The tag related to the certificate.

Algorithm

The algorithm that is used to encrypt the public key, which is represented by digits. Examples:

  • 0: a reserved field.

  • 1: RSA.

  • 2: MD2/RSA.

  • 3: MD4/RSA.

  • 4: MD5/RSA.

  • 5: SHA-1/RSA.

  • 6: Digital Signature Algorithm (DSA).

  • 7: Elliptic Curve Digital Signature Algorithm (ECDSA).

  • 8: SHA-256/RSA.

  • 9: SHA-384/RSA.

  • 10: SHA-512/RSA.

  • 11: SHA-224/RSA.

  • 12: a not commonly used algorithm.

The preceding mappings are only for common reference and may vary with different standards and implementations. In practice, make sure that you refer to authoritative documentation of the specific protocol.

Certificate (Base64-encoded)

The Base64-encoded certificate file.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

SMIMEA record

SMIMEA records associate Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates with domain names. S/MIME is a widely used standard for email encryption and digital signing. It uses public key infrastructure (PKI) to encrypt and sign email messages.

Parameter

Description

Record type

Select SMIMEA from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Usage

The purpose of the certificate. Different values correspond to different purposes. Examples:

  • 0: a reserved field.

  • 1: used for S/MIME end-to-end encryption. The certificate is used to encrypt a message sent to the recipient to ensure that only the recipient can decrypt and read the message.

  • 2: used by an S/MIME intermediary. The certificate is typically used by enterprise mail servers, which can be used to check, filter, or archive messages before forwarding them to the final recipient.

  • 3: used for S/MIME signature validation. The certificate is used to verify the digital signature of the sender on the message to ensure the authenticity and integrity of the message.

Selector

Specifies which part of the certificate is included in the record. Different values correspond to different meanings. Examples:

  • 0: the entire certificate (X.509). Indicates that a complete X.509 certificate is included.

  • 1: only the public key (SubjectPublicKeyInfo). Indicates that only the public key information in the certificate is included.

Match Type

The match type associated with the certificate. Examples:

  • 0: The entire certificate is stored in the record.

  • 1: The SHA-256 hash of the certificate is stored in the record.

  • 2: The SHA-512 hash of the certificate is stored in the record.

Certificate (Hexadecimal)

The certificate data, encoded as a hexadecimal string.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.

SSHFP record

SSHFP records store SSH public key fingerprints. SSH clients can use SSHFP records to verify the identity of a remote server, enhancing connection security.

Parameter

Description

Record type

Select SSHFP from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Algorithm

The algorithm of the SSH key. Examples:

  • 0: a reserved field.

  • 1: RSA.

  • 2: DSA.

  • 3: ECDSA.

  • 4: Ed25519 (EdDSA).

Type

The fingerprint type. The fingerprint of an SSH public key allows the client to verify the server identity by cross-referencing the public key fingerprint of the server with the one stored in DNS. SSHFP records contain the algorithm type (Algorithm) and fingerprint type (Fingerprint Type). Examples:

  • Algorithm type

    • 0: a reserved field. The value is not valid for use and is reserved for future use.

    • 1: RSA. Represents a public key that uses the RSA algorithm.

    • 2: DSA. Indicates the public key that uses the DSA algorithm.

    • 3: ECDSA. Represents a public key that uses the ECDSA algorithm.

    • 4: Ed25519. Indicates the public key that uses the Ed25519 algorithm.

  • Fingerprint Type

    • 0: a reserved field. The value is not valid for use and is reserved for future use.

    • 1: The fingerprint generated by using SHA-1.

    • 2: The fingerprint generated by using SHA-256.

Fingerprint (Hexadecimal)

The fingerprint, encoded as a hexadecimal string.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.
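
An added example, not ESA or OpenSSH code, that derives the Algorithm, Type, and Fingerprint (Hexadecimal) values from a public key line in OpenSSH format. The key line is constructed in the code from placeholder bytes, and `sshfp_fields` is a hypothetical helper name.

```python
import base64
import hashlib
import struct

# Numbers taken from the Algorithm and Type lists above.
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_fields(pubkey_line: str, fp_type: int = 2):
    """Return (algorithm, fingerprint_type, hex_fingerprint) for one key line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)

    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was edited or truncated, so refuse to publish it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")

    if key_type.startswith("ecdsa-sha2-"):
        algorithm = 3
    elif key_type in KEY_ALGORITHMS:
        algorithm = KEY_ALGORITHMS[key_type]
    else:
        raise ValueError(f"unsupported key type: {key_type}")
    if fp_type not in FP_HASHES:
        raise ValueError(f"unsupported fingerprint type: {fp_type}")

    # The fingerprint is the digest of the decoded blob, written as hex.
    return algorithm, fp_type, FP_HASHES[fp_type](blob).hexdigest()

def _sample_line() -> str:
    """Constructed Ed25519 key line (32 placeholder key bytes), for illustration."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example.com"

SAMPLE_LINE = _sample_line()

if __name__ == "__main__":
    for fp_type in (1, 2):
        alg, typ, fp = sshfp_fields(SAMPLE_LINE, fp_type)
        print(f"host.example.com. IN SSHFP {alg} {typ} {fp}")
```
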

TLSA record

A TLS Authentication (TLSA) record allows you to associate a TLS certificate with the specific service and port of a domain name.

Parameter

Description

Record type

Select TLSA from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Usage

The usage of the TLSA record. Examples:

  • 0: PKIX-TA, indicating that the TLS certificate is validated by using a CA certificate chain, and the CA certificate serves as the trust anchor.

  • 1: PKIX-EE, indicating that the TLS certificate is validated by using a CA certificate chain and the end-entity certificate of the server is validated.

  • 2: DANE-TA, indicating that the TLS certificate is validated by using DNSSEC and the public key in the TLSA record is the trust anchor.

  • 3: DANE-EE, indicating that the TLS certificate is validated by using DNSSEC and the end-entity certificate of the server is validated.

Selector

Specifies which part of the certificate is included in the record. Different values correspond to different meanings. Examples:

  • 0: the entire certificate (X.509). Indicates that a complete X.509 certificate is included.

  • 1: only the public key (SubjectPublicKeyInfo). Indicates that only the public key information in the certificate is included.

Match Item

The match type associated with the certificate. Examples:

  • 0: The entire certificate is stored in the record.

  • 1: The SHA-256 hash of the certificate is stored in the record.

  • 2: The SHA-512 hash of the certificate is stored in the record.

Certificate (Hexadecimal)

The certificate data, encoded as a hexadecimal string.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.
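
An added example, not ESA code, that computes the value for the Certificate (Hexadecimal) field from a DER certificate for each Selector and Match Item combination, following RFC 6698. The sample input is a constructed DER skeleton with the X.509 field layout rather than a real certificate, and the function names are hypothetical.

```python
import hashlib

HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # Match Item 1 and 2

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, start, value_start, end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    val = pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[val:val + n], "big")
        val += n
    else:
        length = first
    if val + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, val, val + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, _, val, _ = _read_tlv(cert_der, 0)               # Certificate
    tbs_tag, _, pos, tbs_end = _read_tlv(cert_der, val)   # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = []
    while pos < tbs_end:
        t, start, _, end = _read_tlv(cert_der, pos)
        fields.append((t, start, end))
        pos = end
    if fields and fields[0][0] == 0xA0:  # optional [0] version
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI.
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[fields[5][1]:fields[5][2]]

def tlsa_data(cert_der: bytes, selector: int, matching_type: int) -> str:
    """Hex string for the Certificate (Hexadecimal) field."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = extract_spki(cert_der)
    else:
        raise ValueError(f"unsupported selector: {selector}")
    if matching_type == 0:
        return selected.hex()
    if matching_type not in HASHES:
        raise ValueError(f"unsupported matching type: {matching_type}")
    # The digest covers the selected content: full certificate or public key.
    return HASHES[matching_type](selected).hexdigest()

# Constructed sample: a DER skeleton, not a valid certificate.
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form lengths only

_ALG = _der(0x30, _der(0x06, b"\x2b\x65\x70"))
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + bytes(32)))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG
            + _der(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00"))
```

Selector 1 keeps the record valid across certificate renewals that reuse the same key pair, while selector 0 must be republished for every new certificate.
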

URI record

A URI record maps a domain name to a URI. Defined in RFC 7553, this record type enables DNS to participate in URI resolution and can link to the locations of various services, information, and resources.

Parameter

Description

Record type

Select URI from the drop-down list.

Hostname

The prefix of the subdomain. For example, if you want to add a record for the subdomain www.example.com, enter www for Hostname. If you want to add a record for the root domain example.com, enter @ for Hostname. If you want to match all subdomains under example.com, enter *.

Priority

A smaller value indicates a higher priority.

Weight

The relative weight for records with the same priority. A higher value indicates a higher preference.

Target

The target URI. Example: https://example.com/service.

TTL

A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.

Remarks

Optional. Custom remarks.