What is a CERT record?
CERT records store certificates and related revocation lists for cryptographic keys associated with a domain name or user. Defined in RFC 4398, CERT records allow certificates (such as X.509 or PGP) to be published in DNS, making them discoverable by applications that need to verify the identity of a host or user.
CERT record format
A typical CERT record looks like the following in standard BIND format:

```
$ORIGIN dynu.biz.
host 3600 IN CERT PKIX 0 0 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ==
```
The anatomy of the CERT record `host 3600 IN CERT PKIX 0 0 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ==` is as follows:
| Host Label | TTL | Record Class | Record Type | Certificate Type | Key Tag | Algorithm | Certificate |
|---|---|---|---|---|---|---|---|
| host.dynu.biz. | 3600 | IN | CERT | PKIX | 0 | 0 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ== |
Host Label
The name of the owner of this certificate record. This is typically the fully qualified domain name (FQDN) of the host, or the name derived from the email address of the user, whose certificate is being published.
TTL
The time-to-live in seconds. It specifies how long a resolver may cache the record before it expires and has to be queried again.
Record Class
Three classes of DNS records exist:
- IN (Internet) – the default, and the class used on the Internet.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
This field defines the type of the record. Common record types are A, AAAA, CNAME, CAA, TXT, etc. In the case of a CERT record, the record type is CERT.
Certificate Type
Identifies the format of the certificate or CRL stored in the record. It can be specified as a mnemonic or as a numeric value.
- 1 / PKIX – X.509 certificate as per the PKIX profile of X.509 (the most common format used on the internet, e.g. TLS/SSL certificates).
- 2 / SPKI – Simple Public Key Infrastructure certificate.
- 3 / PGP – OpenPGP packet containing a key or signed key.
- 4 / IPKIX – URL pointing to a PKIX certificate.
- 5 / ISPKI – URL pointing to an SPKI certificate.
- 6 / IPGP – Fingerprint and optional URL pointing to an OpenPGP packet.
- 7 / ACPKIX – Attribute certificate as per the PKIX profile.
- 8 / IACPKIX – URL pointing to an ACPKIX certificate.
- 253 / URI – URI private certificate type.
- 254 / OID – OID private certificate type.
Key Tag
A numeric value used to help identify the DNSSEC key associated with this certificate, if applicable. Set to 0 if no key tag is relevant (e.g. when the certificate type is not DNSSEC-related or no DNSKEY record is associated).
Algorithm
Identifies the cryptographic algorithm used with the key referenced by the Key Tag field. Uses the same algorithm numbering as DNSSEC (see IANA DNSSEC Algorithm Numbers). Common values include:
- 0 – No algorithm or not applicable.
- 5 – RSA/SHA-1.
- 8 – RSA/SHA-256.
- 13 – ECDSA Curve P-256 with SHA-256.
- 14 – ECDSA Curve P-384 with SHA-384.
Certificate
The certificate, CRL, or other data associated with the certificate type, encoded in Base64. The exact content depends on the Certificate Type field:
- For PKIX, this is a DER-encoded X.509 certificate in Base64.
- For PGP, this is a Base64-encoded OpenPGP packet.
- For IPKIX, ISPKI, or IPGP, this contains a URL rather than the raw certificate data.
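As an added example (not Dynu's own code), the following Python parser reads a CERT record in the BIND presentation format shown above, resolves the certificate type mnemonic or number, validates and decodes the Base64 field, and converts the fields to and from the RFC 4398 RDATA wire layout (2-octet type, 2-octet key tag, 1-octet algorithm, then the certificate bytes). It assumes only the standard library.

```python
import base64
import struct

# Certificate type mnemonics and numbers from RFC 4398 (the table above).
CERT_TYPES = {
    "PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
    "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254,
}
CERT_TYPE_NAMES = {num: name for name, num in CERT_TYPES.items()}


def parse_cert_rr(line: str) -> dict:
    """Parse one IN CERT record in BIND presentation format into its fields.

    BIND lets the Base64 certificate be split into whitespace-separated
    chunks, so everything after the algorithm field is joined first.
    """
    fields = line.split()
    if len(fields) < 8 or fields[2].upper() != "IN" or fields[3].upper() != "CERT":
        raise ValueError(f"not an IN CERT record: {line!r}")
    owner, ttl, _cls, _rtype, ctype, key_tag, alg = fields[:7]
    # The type may be a mnemonic (PKIX) or a number (1); 0 is reserved.
    type_num = CERT_TYPES.get(ctype.upper())
    if type_num is None:
        type_num = int(ctype)
    if not 0 < type_num < 65536:
        raise ValueError(f"certificate type out of range: {type_num}")
    return {
        "owner": owner,
        "ttl": int(ttl),
        "type": type_num,
        "key_tag": int(key_tag),
        "algorithm": int(alg),
        # validate=True rejects characters outside the Base64 alphabet.
        "cert": base64.b64decode("".join(fields[7:]), validate=True),
    }


def cert_rdata(type_num: int, key_tag: int, algorithm: int, cert: bytes) -> bytes:
    """RFC 4398 wire RDATA: 2-octet type, 2-octet key tag, 1-octet algorithm,
    followed by the raw (DER or OpenPGP) certificate/CRL bytes."""
    return struct.pack("!HHB", type_num, key_tag, algorithm) + cert


def decode_cert_rdata(rdata: bytes) -> dict:
    """Inverse of cert_rdata: split wire RDATA back into its fields."""
    type_num, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": type_num, "type_name": CERT_TYPE_NAMES.get(type_num, str(type_num)),
            "key_tag": key_tag, "algorithm": algorithm, "cert": rdata[5:]}
```

Run against the page's sample record, the decoded certificate starts with the DER bytes `30 82 01 22`, the SEQUENCE header of an X.509 structure, which is a quick sanity check that a PKIX record really carries DER rather than PEM text.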
CERT record glossary
X.509
A standard defining the format of public key certificates. X.509 certificates are used in many internet protocols, including TLS/SSL, to verify the identity of a host or user.
PKIX
Public Key Infrastructure using X.509 – the IETF profile of the X.509 standard used for certificates on the internet. PKIX certificates are the most common certificate type stored in CERT records.
PGP
Pretty Good Privacy – an encryption program and associated certificate format. CERT records with type PGP can store an OpenPGP public key, enabling DNS-based key discovery for encrypted email or file signing.
CRL
Certificate Revocation List – a list of certificates that have been revoked before their expiration date. CERT records can also be used to publish CRLs in DNS.
DER
Distinguished Encoding Rules – a binary encoding format for ASN.1 data structures such as X.509 certificates. DER-encoded certificates are the standard format used when storing PKIX data in a CERT record.
BIND
Berkeley Internet Name Daemon – the most commonly used DNS software on the Internet. Dynu uses the BIND record format.
