Security Relevant DNS Records

Published: 2023-09-06
Last Updated: 2023-09-06 20:24:03 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

DNS has a big security impact. DNS is partly responsible for your traffic reaching the correct host on the internet. But there is more to DNS than name resolution. I am going to mention a few security-relevant record types here, in no particular order:

I did add some records mentioned by@hquest on Twitter.

DNSSEC (DNSKEY, RRSIG, DS, NSEC3, and others...)

That is probably the most obvious security-related feature. DNSSEC is used to digitally sign DNS records. It protects the integrity of DNS responses. Note that DNSSEC does nothing to protect the confidentiality of the data. DNS requests are not affected by DNSSEC either. There are a few different records related to DNSSEC:

  • DNSKEY: DNS records used to retrieve the public key used to verify the DNS signatures.
  • RRSIG: Signature for a particular DNS records
  • DS: Hash of a key used to verify the key integrity.


While there was at one point a proposal for a dedicated SPF record type, these email security features all use TXT records. SPF designates authorized mail servers allowed to send email for a particular domain. DKIM offers public keys that can be used to verify DKIM signatures, and DMARC  records will indicate what to do with email that does not pass DKIM and/or SPF verification.


These TXT records are part of MTA-STS (Strict Transport Security). They are used to indicate that a mail server will support STARTTLS. Together with TLSRPT for reporting, the goal is to prevent downgrade attacks.


The "Certificate Authorization Authority" record will list certificate authorities that may issue certificates for a particular domain. Certificate authorities check this record before issuing a certificate. TLS clients, like browsers, will not verify this record. The CAA record may also include an email address to notify if a certificate request was rejected due to the CAA record.


This record type can assist in setting up an HTTPS connection. It may indicate supported HTTP versions. For security, it will indicate support for encrypted client hellos (ECH). But this feature has not been used much so far.


Used to advertise the fingerprint of TLS certificates. This record requires DNSSEC.

Any other record types I missed?

Johannes B. Ullrich, Ph.D. , Dean of Research,

Keywords: dns dnssec security
1 comment(s)



Diary Archives