DNS record

Average processing time 1-2 minutes

Create, update, or delete a DNS record to configure how your site connects to the world.

📘
To delete a record, use terraform destroy.

On creation of a zone, Akamai automatically creates NS and SOA records for you. These are set with defaults. Review and update as necessary.

The sample declarations here are not exhaustive but show the most common record types. For guidance, the arguments table includes links to the RFC standards.

resource "akamai_dns_record" "my_record_type_a" {
    zone       = "example.org"
    name       = "www.example.org"
    recordtype = "A"
    ttl        = 86400
    target     = ["123.4.5.67"]
}

resource "akamai_dns_record" "my_record_type_cname" {
    zone       = "example.com"
    name       = "about.example.com"
    recordtype = "CNAME"
    ttl        = 1800
    target     = ["about-my-example.com"]
}

resource "akamai_dns_record" "my_record_type_ns" {
    zone       = "example.org"
    name       = "www.example.org"
    recordtype = "NS"
    ttl        = 86400
    target     = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]
}

resource "akamai_dns_record" "my_record_type_soa" {
    zone          = "example.org"
    name          = "www.example.org"
    recordtype    = "SOA"
    ttl           = 86400
    name_server   = "ns1.example.com"
    email_address = "hostmaster.example.com"
    serial        = 19
    refresh       = 172800
    retry         = 900
    expiry        = 1209600
    nxdomain_ttl  = 3600
}

Argument reference

All record types need the base arguments. Add to those the arguments necessary for your record type.

Base

Argument	Required	Description
`name`	✔	The DNS record or owner name of the record's node.
`zone`	✔	The domain zone and any nested subdomains.
`recordtype`	✔	The DNS record type.
`ttl`	✔	The 32-bit signed integer for the time the resource record is cached. A value of `0` means that the resource record is not cached and is only used for the transaction in progress. This may be useful for extremely volatile data.

Record types

Argument	Required	Description
A: RFC 1035
`target`	✔	One or more IPv4 addresses.
AAAA: RFC 3596
`target`	✔	One or more IPv6 addresses.
AFSDB: RFC 1183
`target`	✔	The domain name of the AFS cell server associated with the record.
`subtype`	✔	An integer that indicates the type of service provided by the host. Minimum: `0` Maximum: `65535`
AKAMAICDN
`target`	✔	A DNS name representing the selected edge hostname and domain.
CAA: RFC 6844
`target`	✔	One or more certificate authority authorizations. Each authorization contains three attributes: flags, property tag, and property value.
CERT: RFC 4398
`type_value`	✔	A numeric certificate type value. When entering the certificate type, you can enter `type_value`, `type_mnemonic`, or both arguments. If you use both, `type_mnemonic` takes precedence.
`type_mnemonic`	✔	A mnemonic certificate type value. When entering the certificate type, you can enter `type_value`, `type_mnemonic`, or both arguments. If you use both, `type_mnemonic` takes precedence.
`keytag`	✔	The computed key value embedded in the certificate.
`algorithm`	✔	The cryptographic algorithm used to create the signature.
`certificate`	✔	The Base64 encoded certificate file.
CNAME: RFC 1035
`target`	✔	A domain or owner name that specifies the canonical or primary name for the owner.
DNSKEY: RFC 4034
`flags`	✔	Bit 7 Zone Key flag. Value of `0`: Record holds some other type of DNS public key and must not be used to verify RRSIGs that cover RRsets. Value of 1: Record holds a DNS zone key. The DNSKEY RR's owner must be the name of the zone. Bit 15 Security Entry Point flag. Value of `1`: Record holds a key intended for use as a secure entry point. Use this flag as a hint when zone signing or debugging software. Validators must not alter their behavior during the signature validation process in anyway when using this bit. A SEP bit setting also needs the Zone Key flag set to generate signatures legally and must not be used to verify RRSIGs that cover RRsets.
`protocol`	✔	Set to `3`. If not, the DNSKEY resource record is treated as invalid during signature verification.
`algorithm`	✔	The public key's cryptographic algorithm. This algorithm determines the format of the public key field.
`key`	✔	A Base64 encoded value representing the public key. The format used depends on the `algorithm`.
DS: RFC 4034
`keytag`	✔	The key tag of the DNSKEY record that the DS record refers to in network byte order.
`algorithm`	✔	The algorithm number of the DNSKEY resource record referred to in the DS record.
`digest_type`	✔	Identifies the algorithm used to construct the digest.
`digest`	✔	A Base16 encoded DS record includes a digest of the DNSKEY record it refers to. The digest is configured the canonical form of the DNSKEY record's fully qualified owner name with the DNSKEY RDATA, and then applying the digest algorithm.
HINFO: RFC 8482
`hardware`	✔	The type of hardware the host uses. A machine name or CPU type may be up to `40` characters long and include uppercase letters, digits, hyphens, and slashes, but the entry needs to start and to end with an uppercase letter.
`software`	✔	The type of software the host uses. A system name may be up to `40` characters long and include uppercase letters, digits, hyphens, and slashes, but the entry needs to start with an uppercase letter and end with an uppercase letter or a digit.
HTTPS: RFC 9460
`svc_priority`	✔	Service priority associated with endpoint. Minimum: `0`, enables alias mode Maximum: `65535`
`svc_params`	✔	Space separated list of endpoint parameters. Not allowed if service priority is `0`.
`target_name`	✔	Domain name of the service endpoint.
LOC: RFC 1876
`target`	✔	A geographical location associated with a domain name.
MX: RFC 1035 and RFC 7505
`target`	✔	One or more domain names that specify a host willing to act as a mail exchange for the owner name.
`priority`		The preference value given to this MX record in relation to all other MX records. When a mailer needs to send mail to a certain DNS domain, it first contacts a DNS server for that domain and retrieves all the MX records. It then contacts the mailer with the lowest preference value. This value is ignored if an embedded priority exists in the target.
`priority_increment`		An auto-priority increment when multiple targets are provided with no embedded priority.
NAPTR: RFC 3403
`order`	✔	A 16-bit unsigned integer specifying the order in which the NAPTR records need to be processed to ensure the correct ordering of rules. Low numbers are processed before high numbers. Once a NAPTR is found whose rule matches the target, the client shouldn't consider any NAPTRs with a higher value for order except for the `flagsnapter` field.
`preference`	✔	A 16-bit unsigned integer that specifies the order in which NAPTR records with equal order values are processed. Low numbers are processed before high numbers.
`flagsnaptr`	✔	A character string containing flags that control how fields in the record are rewritten and interpreted. Flags are single alphanumeric characters.
`service`	✔	Specifies the services available down this rewrite path.
`regexp`	✔	A regular expression string containing a substitution expression. This substitution expression is applied to the original client string in order to construct the next domain name to lookup.
`replacement`	✔	Depending on the value of the `flags` attribute, the next `NAME` to query for NAPTR, SRV, or address records. Enter a fully qualified domain name as the value.
NS: RFC 1035
`target`	✔	One or more domain names that specify authoritative hosts for the specified class and domain.
NSEC3: RFC 5155
`algorithm`	✔	The cryptographic hash algorithm used to construct the hash value.
`flags`	✔	Eight one-bit flags you can use to indicate different processing. All undefined flags must be zero.
`iterations`	✔	The number of additional times the hash function has been performed.
`salt`	✔	The Base16 encoded salt value, which is appended to the original owner name before hashing. Used to defend against pre-calculated dictionary attacks.
`next_hashed_owner_name`	✔	The next hashed owner name in hash order. This value is Base32 encoded in binary format. Given the ordered set of all hashed owner names, the hash of an owner name that immediately follows the owner name of the given NSEC3 RR.
`type_bitmaps`	✔	The resource record set types that exist at the original owner name of the NSEC3 RR.
NSEC3PARAM: RFC 5155
`algorithm`	✔	The cryptographic hash algorithm used to construct the hash-value.
`flags`	✔	Eight one-bit flags that can be used to indicate different processing. All undefined flags must be zero.
`iterations`	✔	The number of additional times the hash function has been performed.
`salt`	✔	The Base16 encoded salt value that's appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.
PTR: RFC 1035
`target`	✔	The DNS name to which the record refers.
RP: RFC 1183
`mailbox`	✔	A domain name that specifies the mailbox for the responsible person.
`txt`	✔	A domain name for which TXT resource records exist.
RRSIG: RFC 4034
`type_covered`	✔	The resource record set type covered by this signature.
`algorithm`	✔	Identifies the cryptographic algorithm used to create the signature.
`original_ttl`	✔	The TTL of the covered record set as it appears in the authoritative zone.
`expiration`	✔	The date the signature's validity ends. The signature can't be used for authentication past this point in time.
`inception`	✔	The date the signature is valid. The signature can't be used for authentication prior to this point in time.
`keytag`	✔	The key tag value of the DNSKEY RR that validates this signature, in network byte order.
`signer`	✔	The owner of the DNSKEY resource record that validates this signature.
`signature`	✔	The Base64 encoded cryptographic signature that covers the RRSIG RDATA and covered record set. Format depends on the TSIG algorithm in use.
`labels`	✔	The number of labels in the original RRSIG RR owner name. Validated to determine if the answer was synthesized from a wildcard, and if so, it can be used to determine what owner name was used in generating the signature.
SOA: RFC 1035 and RFC 2308
`name_server`	✔	The original or primary data server's domain name.
`email_address`	✔	The responsible party's mailbox domain name.
`serial`	✔	The unsigned version number of the zone's original copy. Minimum: `0` Maximum: `214748364`
`refresh`	✔	The time interval before the zone should be refreshed. Minimum: `0` Maximum: `214748364`
`retry`	✔	The time interval that should elapse before a failed refresh is retried. Minimum: `0` Maximum: `214748364`
`expiry`	✔	The time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative. Minimum: `0` Maximum: `214748364`
`nxdomain_ttl`	✔	The unsigned minimum TTL that should be exported with any resource record from this zone. Minimum: `0` Maximum: `214748364`
SPF: RFC 7208
`target`	✔	Indicates which hosts are authorized to use a domain name for the `HELO` and `MAIL FROM` identities.
SRV: RFC 2782
`target`	✔	The domain name of the target host.
`priority`	✔	A 16-bit integer that specifies the preference given to this resource record among others at the same owner. Lower values are preferred.
`weight`	✔	The 16-bit unsigned integer in Network Byte Order that specifies a relative weight for entries with the same priority. The greater the weight, the greater the probability of selection. Minimum: `0` Maximum: `65535` To make the RR human-readable, set the value to `0` when there's no server selection to process.
`port`	✔	The 16-bit unsigned integer in Network Byte Order that specifies the service's target port. Minimum: `0` Maximum: `65535`
SSHFP: RFC 4255
`algorithm`	✔	Describes the algorithm of the public key. Assigned values: `0` is reserved `1` for `RSA` `2` for `DSS` `3` for `ECDSA`
`fingerprint_type`	✔	Describes the message-digest algorithm used to calculate the fingerprint of the public key. Assigned values: `0` is reserved `1` for `SHA-1` `2` for `SHA-256`
`fingerprint`	✔	The Base16 encoded fingerprint as calculated over the public key blob. The message-digest algorithm is presumed to produce an opaque octet string output, which is placed as-is in the `RDATA` fingerprint field.
SVCB: RFC 9460
`target_name`	✔	The domain name of the service endpoint.
`svc_priority`	✔	The service priority associated with endpoint. Minimum: `0`, enables alias mode Maximum: `65535`
`svc_params`	✔	A space-separated list of endpoint parameters. Not allowed if service priority is set to `0`.
TLSA: RFC 6698
`usage`	✔	Specifies the association used to match the certificate presented in the TLS handshake.
`selector`	✔	Specifies the part of the TLS certificate presented by the server that is matched against the association data.
`match_type`	✔	Specifies how the certificate association is presented.
`certificate`	✔	Specifies the certificate association data to be matched.
TXT: RFC 1035
`target`	✔	One or more character strings. TXT resource records hold descriptive text. The semantics of the text depends on the domain where it is found.