Edge Security Acceleration: DNS parameter overview

Last Updated: Mar 10, 2026

This document explains core DNS parameters, such as common record types, host records, and proxy status, to help you add DNS records.

Record type descriptions

ESA supports record types such as A/AAAA, CNAME, MX, TXT, SRV, NS, and CAA. Select the record type that fits your needs. The following table describes each type.

Record type

Description

A/AAAA

IPv4/IPv6 record. Maps a domain name to an IPv4 or IPv6 address.

CNAME

Alias record. Points a domain name to another domain name.

MX

Mail exchange record. Points a domain name to a mail server address.

TXT

Text record. An arbitrary, human-readable text DNS record.

SRV

A server resource record identifies a server that provides a specific service. This type of record is commonly used in Microsoft system directory management.

NS

Name server record. Delegates a subdomain to another DNS provider for resolution.

CAA

Certification Authority Authorization (CAA) resource record. Restricts which certification authorities (CAs) can issue certificates for a domain.

CERT

The CERT record publishes certificates and related security information associated with a DNS name in a publicly accessible location. This allows clients or other services to query and validate the information.

SMIMEA

The SMIMEA record is a DNS record used to publish associations for Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. S/MIME is a standard for encrypting and digitally signing emails. It relies on a public key infrastructure (PKI) to provide email confidentiality and identity verification.

SSHFP

The SSHFP record stores the public key fingerprint of a Secure Shell (SSH) server in the Domain Name System (DNS). This record lets clients automatically authenticate the identity of a remote SSH server to reduce the risk of man-in-the-middle attacks.

TLSA

The TLSA record associates a transport layer security (TLS) certificate with a server that provides services on a specific port and transport protocol.

URI

Provides a method for mapping a domain name to a Uniform Resource Identifier (URI). This record type is defined in RFC 7553. It allows the DNS to participate in the URI resolution process and can link to the location of any service, information, or resource.

Parameters for adding records

When you add a DNS record, the required parameters vary by record type. Fill in the parameters based on the record type you select.

A/AAAA records

Add an A or AAAA record to point a domain name to an IPv4 or IPv6 address.

Parameter

Description

Record Type

Select A/AAAA.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Proxy Status

If you enable Proxy Status, requests to this record are accelerated and protected by ESA. If you disable Proxy Status, ESA only provides DNS resolution for this record without acceleration and protection.

Record Value

The record value is an IP address. For example: 123.123.XXX.XXX, 2001:0db8:86a3:08d3:1319:8a2e:XXXX:XXXX. Separate multiple IP addresses with a comma (,). You can enter IPv4 or IPv6 addresses.

Origin Host

When ESA sends a resource request to the origin server, it uses the domain name from the user's request as the HOST header by default. For example, if a client request carries the Host test.example.com, ESA also sends test.example.com as the Host in its request to your origin server. If you need ESA to change the origin fetch Host, see Customize origin HOST.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Note

You cannot adjust the TTL for DNS records with Proxied enabled.

Description

Optional. A custom comment.

CNAME records

Add a CNAME record to point a domain name to another domain name, which then resolves to an IP address.

Parameter

Description

Record Type

Select CNAME.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Proxy Status

If you enable Proxy Status, requests to this record are accelerated and protected by ESA. If you disable Proxy Status, ESA only provides DNS resolution for this record without acceleration and protection.

Record Value

For the record value, you can select Domain Name, OSS, S3-compatible, Load Balancer, or Origin Pool.

  • Domain Name: Configure a domain name as the origin address.

    Note

    The origin domain name cannot be the same as the accelerated domain name. Otherwise, a resolution loop occurs, and origin fetch fails.

  • OSS: If your resources are stored in Alibaba Cloud OSS, select or enter the public endpoint of an Alibaba Cloud OSS bucket as the origin. The internal endpoint of an OSS bucket is not supported. For example: ***.oss-cn-hangzhou.aliyuncs.com.

    Note
    • To get the public endpoint of an OSS bucket, see Endpoints.

    • When you use OSS as the origin server, the Access Type supports three types: Public Access, Private Access (Same-account), and Private Access (Cross-account). If you set Access Type to Private Access (Same-account) or Private Access (Cross-account), you must also configure authentication information. For more information, see Use ESA to accelerate access to OSS resources.

    • You can also implement Private Access (Cross-account) with a temporary Security Token Service (STS) token instead of a permanent security token. For more information, see How to implement cross-account origin fetch to a private OSS bucket.

    • Discount for traffic from Alibaba Cloud ESA to Alibaba Cloud OSS:

      • You must set the origin type to OSS in the console. This way, Alibaba Cloud OSS identifies the origin traffic from Alibaba Cloud ESA as "origin traffic" and applies a more favorable price. For more information, see the OSS pricing page.

      • If you mistakenly set the origin type to Domain name in the console, Alibaba Cloud OSS identifies the origin traffic from Alibaba Cloud ESA as "outbound traffic over Internet". In this case, you will not receive the discounted price.

  • S3-compatible: Configure the public endpoint of an AWS S3 bucket as the origin address. Access Type supports Public Access and Private Access. If you set Access Type to Private Access, you must also configure authentication information. For more information, see Use ESA to accelerate access to OSS resources.

  • Load Balancer: Select an existing load balancer from the drop-down list as the origin. If you have not created a load balancer, see the Load balancer management section to create one.

  • Origin Pool: Select an existing origin pool from the drop-down list as the origin. If you have not created an origin pool, see the Create an origin pool section to create one.

Origin Host

  • If Record value/Origin is set to Domain name, Server Load Balancer, or Origin pool: The default configuration for Origin HOST is Follow request HOST. This means the HOST header from the client request is used as the origin HOST.

  • If Record value/Origin is set to OSS or S3 compatible: The default configuration for Origin HOST is Follow origin domain name. This means the domain name of the origin server is used as the origin host.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Note

You cannot adjust the TTL for DNS records with Proxied enabled.

Description

Optional. A custom comment.

MX records

To point a domain name to a mail server, add a mail exchange (MX) record.

Parameter

Description

Record Type

Select MX.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Priority

Enter the priority as required by your mail registrar. A lower value indicates a higher priority.

Mail Server

Enter your mail server's domain name. For example: mx.example.com.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

TXT records

To associate a domain name with arbitrary, human-readable text—such as for verification or public information—add a text (TXT) record.

Parameter

Description

Record Type

Select TXT.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Record Value

Enter the text data you need to point to.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

NS records

To delegate a domain name to another DNS provider for resolution, add a name server (NS) record.

Parameter

Description

Record Type

Select NS.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Record Value

Enter the domain name of the authoritative server you need to point to, such as ns1.example.com.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

SRV records

To point a domain name to a server that provides a specific service, such as directory management in Microsoft systems, add a service (SRV) record.

Parameter

Description

Record Type

Select SRV.

Hostname

Consists of a service name and a protocol type. Both the service name and protocol type must start with an underscore (_). Supports lowercase letters, numbers, and hyphens (-). The length cannot exceed 253 characters. The record must be in the format _Service name._Protocol Type.Domain suffix, such as _sip._udp.example.cn.

Priority

The priority of the record. A lower value indicates a higher priority.

Weight

The proportion of traffic the server receives. A higher value indicates a higher weight.

Port

Enter the network port number on which the service listens.

Target

Enter the domain name of the server, such as srvhosname.example.com.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

CAA records

A Certification Authority Authorization (CAA) record lets a domain owner specify which certification authorities (CAs) are authorized to issue SSL/TLS certificates for their domain. By configuring CAA records, you can enhance security and prevent unauthorized CAs from issuing certificates for your domain.

Parameter

Description

Record Type

Select CAA.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Flag

An 8-bit unsigned integer flag field. It is typically used to control the inheritance and further processing of CAA records. A common value is 0.

Tag

A tag field that indicates different CA policies. Common tags include the following:

  • issue: Authorizes a specified CA to issue certificates.

  • issuewild: Authorizes a specified CA to issue wildcard certificates.

  • iodef: Specifies an email address or URI for violation reports. It is typically used to collect information about issuance violations.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.
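How a CA interprets the Flag and Tag fields above when deciding whether it may issue, as an added example that is not part of the original page or ESA's own code. It follows the RFC 8659 rules and assumes the relevant CAA record set has already been looked up; the CAA class, function names, and sample records are constructed for illustration.

```python
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags listed in the table above
CRITICAL = 0x80  # issuer-critical bit of the 8-bit Flag field (RFC 8659)


@dataclass(frozen=True)
class CAA:
    flag: int
    tag: str
    value: str  # hypothetical field name for the record's value


def validate(rec: CAA) -> list:
    """Return the problems found in one record's Flag and Tag fields."""
    problems = []
    if not 0 <= rec.flag <= 255:
        problems.append("flag must fit in 8 bits (0-255)")
    if not (rec.tag.isascii() and rec.tag.isalnum()):
        problems.append("tag must consist of ASCII letters and digits")
    if rec.flag & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
        problems.append("critical flag on an unknown tag blocks all issuance")
    return problems


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, with parameters stripped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(rrset, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue, given the relevant CAA record set."""
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(r.flag & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild replaces issue for wildcard requests and is ignored otherwise.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef records: issuance is not restricted
    # A value of ";" has an empty issuer domain, so it authorizes no CA.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)


# Constructed sample record set: one CA for ordinary names, no wildcards at all.
SAMPLE_RRSET = [
    CAA(0, "issue", "ca.example.net"),
    CAA(0, "issuewild", ";"),
    CAA(0, "iodef", "mailto:security@example.com"),
]
```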

CERT records

To point a domain name to a public key certificate that clients or other services can query and validate, add a CERT record.

Parameter

Description

Record Type

Select CERT.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Certificate Type

Indicates the type of certificate. The meaning varies with the number. The following are common certificate types and their corresponding numbers and descriptions:

  • 0: Reserved field (not yet used)

  • 1: PKIX (X.509 certificate)

  • 2: SPKI (Simple Public Key Infrastructure) public key

  • 3: PGP (OpenPGP certificate)

  • 4: IPKIX (IPsec End Entity)

  • 5: ISPKI (IPsec trusted third party)

  • 6: IPGP (IPsec OpenPGP Key)

  • 7: ACPKIX (Attribute Certificate PKIX)

  • 8: IACPKIX (Attribute Certificate PKIX IPSEC)

  • 252: URI (Uniform Resource Identifier)

  • 253: OID (Object Identifier)

These are only some common types. For a complete list of definitions or the latest updates, see the relevant RFC documents or other authoritative materials.

Key Tag

A tag associated with the certificate.

Algorithm

Indicates the algorithm used for public key encryption. These algorithms are usually represented by numbers. The following are common numbers and their corresponding encryption algorithms:

  • 0: Unassigned or reserved

  • 1: RSA public key encryption and signature algorithm (RSA)

  • 2: MD2 digest algorithm with RSA encryption

  • 3: MD4 digest algorithm with RSA encryption

  • 4: MD5 digest algorithm with RSA encryption

  • 5: SHA-1 digest algorithm with RSA encryption

  • 6: DSA digital signature algorithm

  • 7: ECDSA elliptic curve digital signature algorithm

  • 8: SHA256 digest algorithm with RSA encryption

  • 9: SHA384 digest algorithm with RSA encryption

  • 10: SHA512 digest algorithm with RSA encryption

  • 11: SHA224 digest algorithm with RSA encryption

  • 12: Infrequently used or reserved

This mapping is a common reference. The actual usage may vary depending on standards and implementations. In practice, always refer to the specific protocol documentation for accuracy.

Certificate (Base64-encoded)

The Base64-encoded certificate.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

SMIMEA records

The SMIMEA record publishes associations for Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. S/MIME is a standard for encrypting and digitally signing emails and relies on a public key infrastructure (PKI) to provide email confidentiality and identity verification.

Parameter

Description

Record Type

Select SMIMEA.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Usage

Specifies the purpose of the certificate. The meaning varies with the number. The following are common usage type values and their descriptions:

  • 0: Reserved. This value is currently reserved and cannot be used.

  • 1: S/MIME End-to-End Encryption. Indicates that the certificate is used for S/MIME end-to-end encryption. This certificate is used to encrypt emails sent to the recipient, ensuring that only the recipient can decrypt and read the content.

  • 2: S/MIME Intermediary. Indicates a certificate for an S/MIME intermediary. This is typically used for enterprise mail servers that inspect, filter, or archive emails before forwarding them to the final recipient.

  • 3: S/MIME Validation. Indicates that the certificate is used for S/MIME signature validation. This certificate is used to verify the sender's digital signature on an email to ensure its authenticity and integrity.

Selector

Specifies which part of the certificate data is included in the record. The meaning varies with the number. The following are common selector values and their descriptions:

  • 0: Full certificate. Indicates that the entire X.509 certificate is included.

  • 1: SubjectPublicKeyInfo. Indicates that only the public key information from the certificate is included.

Match Type

Specifies the matching type for the certificate association. The supported matching types are usually represented by the following numbers:

  • 0: Full certificate. This means the entire certificate is stored in the record.

  • 1: SHA-256 Hash. This means the SHA-256 hash of the certificate is stored in the record.

  • 2: SHA-512 Hash. This means the SHA-512 hash of the certificate is stored in the record.

Certificate (Hexadecimal)

The Base64-encoded certificate association data.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.

SSHFP records

The SSHFP record stores the public key fingerprint of a Secure Shell (SSH) server in the Domain Name System (DNS). This record enables clients to automatically authenticate the identity of a remote SSH server and reduce the risk of man-in-the-middle attacks.

Parameter

Description

Record Type

Select SSHFP.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Algorithm

The algorithm type of the SSH key. The following are descriptions of common algorithms:

  • 0: Unspecified

  • 1: RSA (public key for the RSA encryption algorithm)

  • 2: DSA (public key for the Digital Signature Algorithm)

  • 3: ECDSA (public key for the Elliptic Curve Digital Signature Algorithm)

  • 4: ED25519 (public key for the EdDSA algorithm)

Type

Stores the fingerprint of an SSH public key in the DNS to allow clients to authenticate the server's identity during public key authentication. An SSHFP record contains an Algorithm and a Fingerprint Type. The following are descriptions of common types:

  • Algorithm

    • 0: Reserved. Reserved for future use.

    • 1: RSA. Indicates a public key for the RSA algorithm.

    • 2: DSA. Indicates a public key for the DSA algorithm.

    • 3: ECDSA. Indicates a public key for the ECDSA algorithm.

    • 4: Ed25519. Indicates a public key for the Ed25519 algorithm.

  • Fingerprint Type

    • 0: Reserved. Reserved for future use.

    • 1: SHA-1. Indicates a fingerprint generated using the SHA-1 algorithm.

    • 2: SHA-256. Indicates a fingerprint generated using the SHA-256 algorithm.

Fingerprint (Hexadecimal)

The Base64-encoded fingerprint.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.
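Deriving the Algorithm, Type, and Fingerprint (Hexadecimal) values from an OpenSSH public key line, as an added example that is not part of the original page. The fingerprint is the hash of the decoded key blob, written in hexadecimal as in RFC 4255; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Algorithm numbers from the table above, keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types from the table above, mapped to hashlib names.
FINGERPRINT_TYPES = {1: "sha1", 2: "sha256"}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def sshfp_fields(pubkey_line: str, fp_type: int = 2):
    """Return (algorithm, fingerprint type, hex fingerprint) for one key line."""
    if fp_type not in FINGERPRINT_TYPES:
        raise ValueError(f"unsupported fingerprint type {fp_type}")
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64_blob = parts[0], parts[1]
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    blob = base64.b64decode(b64_blob, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob begins with its own key type. A mismatch means the line was
    # edited or truncated, so refuse to publish a fingerprint for it.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the key blob")
    digest = hashlib.new(FINGERPRINT_TYPES[fp_type], blob).hexdigest()
    return SSHFP_ALGORITHMS[key_type], fp_type, digest


def sshfp_record(owner: str, pubkey_line: str, fp_type: int = 2) -> str:
    """Format the fields as a zone-file style SSHFP record."""
    algorithm, kind, fingerprint = sshfp_fields(pubkey_line, fp_type)
    return f"{owner} IN SSHFP {algorithm} {kind} {fingerprint}"


# Constructed sample: an Ed25519-shaped key blob with placeholder key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " constructed@example")
```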

TLSA records

The TLSA record associates a transport layer security (TLS) certificate with a server that provides services on a specific port and transport protocol.

Parameter

Description

Record Type

Select TLSA.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Usage

Specifies how the TLSA record is used. The following are descriptions of common usage types:

  • 0: PKIX-TA (CA constraint). Specifies that the TLS certificate is validated based on a Certificate Authority (CA) certificate chain, and the CA certificate is a trust anchor.

  • 1: PKIX-EE (PKIX end-entity certificate). Specifies that the TLS certificate is validated against the CA certificate chain by verifying the server's end-entity certificate.

  • 2: DANE-TA (Trust anchor assertion). Specifies that the TLS certificate is trusted based on DNSSEC, and the public key in the TLSA record is a trust anchor.

  • 3: DANE-EE (Domain-issued certificate). Specifies that the TLS certificate is trusted based on DNSSEC, and the server's end-entity certificate is validated.

Selector

Specifies which part of the certificate data is included in the record. The meaning varies with the number. The following are common selector values and their descriptions:

  • 0: Full certificate. Indicates that the entire X.509 certificate is included.

  • 1: SubjectPublicKeyInfo. Indicates that only the public key information from the certificate is included.

Match Type

Specifies the matching type for the certificate association. The supported matching types are usually represented by the following numbers:

  • 0: Full certificate. This means the entire certificate is stored in the record.

  • 1: SHA-256 Hash. This means the SHA-256 hash of the certificate is stored in the record.

  • 2: SHA-512 Hash. This means the SHA-512 hash of the certificate is stored in the record.

Certificate (Hexadecimal)

The Base64-encoded data that is associated with the certificate.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.
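How Selector and Match Type combine to produce the certificate association data for both TLSA and SMIMEA records, as an added example that is not part of the original page. The hash covers whatever the selector picks (the whole DER certificate or only its SubjectPublicKeyInfo) and is written in hexadecimal; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib

MATCH_TYPES = {1: "sha256", 2: "sha512"}  # match type 0 publishes the data unhashed


def read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value start, value end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first


def spki_der(cert: bytes) -> bytes:
    """Return the complete SubjectPublicKeyInfo element of a DER certificate."""
    _, body, _ = read_tlv(cert, 0)       # Certificate ::= SEQUENCE
    _, pos, end = read_tlv(cert, body)   # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(cert, pos)
        fields.append((tag, pos, value_end))
        pos = value_end
    # Field order: [0] version (optional), serial, signature, issuer,
    # validity, subject, subjectPublicKeyInfo.
    index = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= index or fields[index][0] != 0x30:
        raise ValueError("input does not look like a DER X.509 certificate")
    _, start, stop = fields[index]
    return cert[start:stop]


def association_data(cert: bytes, selector: int, match_type: int) -> str:
    """Hex certificate association data for the given Selector and Match Type."""
    if selector == 0:
        data = cert
    elif selector == 1:
        data = spki_der(cert)
    else:
        raise ValueError(f"unsupported selector {selector}")
    if match_type == 0:
        return data.hex()
    if match_type not in MATCH_TYPES:
        raise ValueError(f"unsupported match type {match_type}")
    return hashlib.new(MATCH_TYPES[match_type], data).hexdigest()


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content


# Constructed sample: shaped like an X.509 certificate with an Ed25519 key,
# but filled with placeholder bytes. It is not a valid, signed certificate.
ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))
SAMPLE_SPKI = der(0x30, ALG + der(0x03, b"\x00" + bytes(range(32))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG
          + der(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + ALG + der(0x03, b"\x00" + bytes(64)))
```

With selector 1 the published value depends only on the key, so it stays valid when the certificate is reissued for the same key pair; with selector 0 every reissued certificate needs a new record.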

URI records

The URI record maps a domain name to a Uniform Resource Identifier (URI), as defined in RFC 7553. It allows DNS to participate in URI resolution and can link to the location of any service, information, or resource.

Parameter

Description

Record Type

Select URI.

Hostname

Generally refers to the prefix of a subdomain. For example, to add a record for the subdomain www.example.com, enter www in the Hostname field. To add a record for the root domain example.com, enter @ (at sign) in the Hostname field. To match all other subdomains such as *.example.com, enter * in the Hostname field.

Priority

The priority. A lower value indicates a higher priority.

Weight

The weight. Used for load balancing among records with the same priority.

Target

The target URI (resource path). For example, https://example.com/service.

TTL

The cache duration. A smaller value means that changes to the record take effect faster across different locations. The default value is Auto.

Description

Optional. A custom comment.