DNS record

akamai_dns_record

 Average processing time 1-2 minutes

Create, update, or delete a DNS record to configure how your site connects to the world.

To delete a record, use terraform destroy.

On creation of a zone, Akamai automatically creates NS and SOA records for you. These are set with defaults. Review and update as necessary.

The sample declarations here are not exhaustive but show the most common record types. For guidance, the arguments table includes links to the RFC standards.

resource "akamai_dns_record" "my_record_type_a" {
    zone       = "example.org"
    name       = "www.example.org"
    recordtype = "A"
    ttl        = 86400
    target     = ["123.4.5.67"]
}
resource "akamai_dns_record" "my_record_type_cname" {
    zone       = "example.com"
    name       = "about.example.com"
    recordtype = "CNAME"
    ttl        = 1800
    target     = ["about-my-example.com"]
}
resource "akamai_dns_record" "my_record_type_ns" {
    zone       = "example.org"
    name       = "www.example.org"
    recordtype = "NS"
    ttl        = 86400
    target     = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]
}
resource "akamai_dns_record" "my_record_type_soa" {
    zone          = "example.org"
    name          = "www.example.org"
    recordtype    = "SOA"
    ttl           = 86400
    name_server   = "ns1.example.com"
    email_address = "hostmaster.example.com"
    serial        = 19
    refresh       = 172800
    retry         = 900
    expiry        = 1209600
    nxdomain_ttl  = 3600
}

Argument reference

All record types need the base arguments. Add to those the arguments necessary for your record type.

Base

Argument Required Description
name The DNS record or owner name of the record's node.
zone The domain zone and any nested subdomains.
recordtype The DNS record type.
ttl The 32-bit signed integer for the time the resource record is cached.

A value of 0 means that the resource record is not cached and is only used for the transaction in progress. This may be useful for extremely volatile data.

Record types

Argument Required Description
A: RFC 1035
target One or more IPv4 addresses.
AAAA: RFC 3596
target One or more IPv6 addresses.
AFSDB: RFC 1183
target The domain name of the AFS cell server associated with the record.
subtype An integer that indicates the type of service provided by the host.
  • Minimum: 0
  • Maximum: 65535
AKAMAICDN
target A DNS name representing the selected edge hostname and domain.
CAA: RFC 6844
target One or more certificate authority authorizations. Each authorization contains three attributes: flags, property tag, and property value.

CERT: RFC 4398
type_value A numeric certificate type value.

When entering the certificate type, you can enter type_value, type_mnemonic, or both arguments. If you use both, type_mnemonic takes precedence.
type_mnemonic A mnemonic certificate type value.

When entering the certificate type, you can enter type_value, type_mnemonic, or both arguments. If you use both, type_mnemonic takes precedence.
keytag The computed key value embedded in the certificate.
algorithm The cryptographic algorithm used to create the signature.
certificate The Base64 encoded certificate file.
CNAME: RFC 1035
target A domain or owner name that specifies the canonical or primary name for the owner.
DNSKEY: RFC 4034
flags Bit 7 Zone Key flag.
  • Value of 0: Record holds some other type of DNS public key and must not be used to verify RRSIGs that cover RRsets.
  • Value of 1: Record holds a DNS zone key. The DNSKEY RR's owner must be the name of the zone.

Bit 15 Security Entry Point flag.
  • Value of 1: Record holds a key intended for use as a secure entry point. The flag is only a hint for zone-signing or debugging software. Validators must not alter their behavior during the signature validation process in any way based on this bit. A key with the SEP bit set also needs the Zone Key flag set to generate signatures legally; without the Zone Key flag, it must not be used to verify RRSIGs that cover RRsets.
protocol Set to 3. If not, the DNSKEY resource record is treated as invalid during signature verification.
algorithm The public key's cryptographic algorithm. This algorithm determines the format of the public key field.
key A Base64 encoded value representing the public key. The format used depends on the algorithm.
DS: RFC 4034
keytag The key tag of the DNSKEY record that the DS record refers to in network byte order.
algorithm The algorithm number of the DNSKEY resource record referred to in the DS record.
digest_type Identifies the algorithm used to construct the digest.
digest The Base16 encoded digest of the DNSKEY record that the DS record refers to. The digest is calculated by concatenating the canonical form of the DNSKEY record's fully qualified owner name with the DNSKEY RDATA, and then applying the digest algorithm.
HINFO: RFC 8482
hardware The type of hardware the host uses. A machine name or CPU type may be up to 40 characters long and include uppercase letters, digits, hyphens, and slashes, but the entry needs to start and to end with an uppercase letter.
software The type of software the host uses. A system name may be up to 40 characters long and include uppercase letters, digits, hyphens, and slashes, but the entry needs to start with an uppercase letter and end with an uppercase letter or a digit.
HTTPS: RFC 9460
svc_priority The service priority associated with the endpoint.
  • Minimum: 0, enables alias mode
  • Maximum: 65535
svc_params Space separated list of endpoint parameters. Not allowed if service priority is 0.
target_name Domain name of the service endpoint.
LOC: RFC 1876
target A geographical location associated with a domain name.
MX: RFC 1035 and RFC 7505
target One or more domain names that specify a host willing to act as a mail exchange for the owner name.
priority The preference value given to this MX record in relation to all other MX records. When a mailer needs to send mail to a certain DNS domain, it first contacts a DNS server for that domain and retrieves all the MX records. It then contacts the mailer with the lowest preference value. This value is ignored if an embedded priority exists in the target.
priority_increment An auto-priority increment when multiple targets are provided with no embedded priority.
NAPTR: RFC 3403
order A 16-bit unsigned integer specifying the order in which the NAPTR records need to be processed to ensure the correct ordering of rules. Low numbers are processed before high numbers. Once a NAPTR is found whose rule matches the target, the client shouldn't consider any NAPTRs with a higher value for order except for the flagsnaptr field.
preference A 16-bit unsigned integer that specifies the order in which NAPTR records with equal order values are processed. Low numbers are processed before high numbers.
flagsnaptr A character string containing flags that control how fields in the record are rewritten and interpreted. Flags are single alphanumeric characters.
service Specifies the services available down this rewrite path.
regexp A regular expression string containing a substitution expression. This substitution expression is applied to the original client string in order to construct the next domain name to look up.
replacement Depending on the value of the flags attribute, the next NAME to query for NAPTR, SRV, or address records. Enter a fully qualified domain name as the value.
NS: RFC 1035
target One or more domain names that specify authoritative hosts for the specified class and domain.
NSEC3: RFC 5155
algorithm The cryptographic hash algorithm used to construct the hash value.
flags Eight one-bit flags you can use to indicate different processing. All undefined flags must be zero.
iterations The number of additional times the hash function has been performed.
salt The Base16 encoded salt value, which is appended to the original owner name before hashing. Used to defend against pre-calculated dictionary attacks.
next_hashed_owner_name The next hashed owner name in hash order. This value is Base32 encoded in binary format. Given the ordered set of all hashed owner names, this is the hash of the owner name that immediately follows the owner name of the given NSEC3 RR.
type_bitmaps The resource record set types that exist at the original owner name of the NSEC3 RR.
NSEC3PARAM: RFC 5155
algorithm The cryptographic hash algorithm used to construct the hash-value.
flags Eight one-bit flags that can be used to indicate different processing. All undefined flags must be zero.
iterations The number of additional times the hash function has been performed.
salt The Base16 encoded salt value that's appended to the original owner name before hashing in order to defend against pre-calculated dictionary attacks.
PTR: RFC 1035
target The DNS name to which the record refers.
RP: RFC 1183
mailbox A domain name that specifies the mailbox for the responsible person.
txt A domain name for which TXT resource records exist.
RRSIG: RFC 4034
type_covered The resource record set type covered by this signature.
algorithm Identifies the cryptographic algorithm used to create the signature.
original_ttl The TTL of the covered record set as it appears in the authoritative zone.
expiration The date the signature's validity ends. The signature can't be used for authentication past this point in time.
inception The date the signature becomes valid. The signature can't be used for authentication prior to this point in time.
keytag The key tag value of the DNSKEY RR that validates this signature, in network byte order.
signer The owner of the DNSKEY resource record that validates this signature.
signature The Base64 encoded cryptographic signature that covers the RRSIG RDATA and covered record set. Format depends on the TSIG algorithm in use.
labels The number of labels in the original RRSIG RR owner name. Validated to determine if the answer was synthesized from a wildcard, and if so, it can be used to determine what owner name was used in generating the signature.
SOA: RFC 1035 and RFC 2308
name_server The original or primary data server's domain name.
email_address The responsible party's mailbox domain name.
serial The unsigned version number of the zone's original copy.
  • Minimum: 0
  • Maximum: 214748364
refresh The time interval before the zone should be refreshed.
  • Minimum: 0
  • Maximum: 214748364
retry The time interval that should elapse before a failed refresh is retried.
  • Minimum: 0
  • Maximum: 214748364
expiry The time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative.
  • Minimum: 0
  • Maximum: 214748364
nxdomain_ttl The unsigned minimum TTL that should be exported with any resource record from this zone.
  • Minimum: 0
  • Maximum: 214748364
SPF: RFC 7208
target Indicates which hosts are authorized to use a domain name for the HELO and MAIL FROM identities.
SRV: RFC 2782
target The domain name of the target host.
priority A 16-bit integer that specifies the preference given to this resource record among others at the same owner. Lower values are preferred.
weight The 16-bit unsigned integer in Network Byte Order that specifies a relative weight for entries with the same priority. The greater the weight, the greater the probability of selection.
  • Minimum: 0
  • Maximum: 65535
To make the RR human-readable, set the value to 0 when there's no server selection to process.
port The 16-bit unsigned integer in Network Byte Order that specifies the service's target port.
  • Minimum: 0
  • Maximum: 65535
SSHFP: RFC 4255
algorithm Describes the algorithm of the public key. Assigned values:
  • 0 is reserved
  • 1 for RSA
  • 2 for DSS
  • 3 for ECDSA
fingerprint_type Describes the message-digest algorithm used to calculate the fingerprint of the public key. Assigned values:
  • 0 is reserved
  • 1 for SHA-1
  • 2 for SHA-256
fingerprint The Base16 encoded fingerprint as calculated over the public key blob. The message-digest algorithm is presumed to produce an opaque octet string output, which is placed as-is in the RDATA fingerprint field.
SVCB: RFC 9460
target_name The domain name of the service endpoint.
svc_priority The service priority associated with the endpoint.
  • Minimum: 0, enables alias mode
  • Maximum: 65535
svc_params A space-separated list of endpoint parameters. Not allowed if service priority is set to 0.
TLSA: RFC 6698
usage Specifies the association used to match the certificate presented in the TLS handshake.
selector Specifies the part of the TLS certificate presented by the server that is matched against the association data.
match_type Specifies how the certificate association is presented.
certificate Specifies the certificate association data to be matched.
TXT: RFC 1035
target One or more character strings. TXT resource records hold descriptive text. The semantics of the text depends on the domain where it is found.
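
Added example (not part of the Akamai documentation or provider code): a way to derive the DS arguments keytag, algorithm, digest_type, and digest from a DNSKEY's flags, protocol, algorithm, and key, following the digest construction described in the DS row and rejecting keys that fail the DNSKEY row's protocol and Zone Key requirements. The function names and the sample key are constructed for illustration; the sketch assumes algorithm 13 (ECDSA P-256) and digest type 2 (SHA-256).

```python
import base64
import hashlib

ZONE_KEY = 0x0100  # "bit 7" when the 16-bit flags field is numbered from the MSB
SEP = 0x0001       # "bit 15", the Secure Entry Point hint (not checked here)


def canonical_name(owner: str) -> bytes:
    """Wire-format owner name, lowercased, as the DS digest input requires."""
    out = b""
    for part in owner.rstrip(".").lower().split("."):
        if not part:
            continue  # the root zone "." has no labels
        raw = part.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Build DNSKEY RDATA, refusing keys a DS record must not point at."""
    if protocol != 3:
        raise ValueError("protocol must be 3")
    if not flags & ZONE_KEY:
        raise ValueError("Zone Key flag not set; not a DNSSEC zone key")
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_arguments(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> dict:
    """Values for the DS record's keytag, algorithm, digest_type and digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(canonical_name(owner) + rdata).hexdigest().upper()
    return {"keytag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


# Constructed 64-byte sample key (not a real public key), sized for algorithm 13.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(ds_arguments("Example.ORG.", 257, 3, 13, SAMPLE_KEY_B64))
```

Comparing the computed keytag and digest with what the parent zone publishes catches a DS record that points at the wrong key before resolvers start failing validation.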