# DNS settings

# DKIM record

#### WHAT IS THE DKIM RECORD?

DKIM is the abbreviation for DomainKeys Identified Mail. DKIM is not really a spam protection technology; it is a cryptographic signature that the mail server (that is, not our own machine) applies to a message on sending, protecting it against unauthorized modification. Spam protection takes effect if you publish a rule in the domain's TXT record so that the receiving server dismisses all unsigned mail to protect the domain (as all unsigned emails are, as a rule, fake). This is useful if users send email through only 1-2 servers.

Signing with the DKIM key is performed by the sending server.

The DKIM signature is usually invisible to average users.

#### QUERYING DKIM RECORD

For example, you can use the nslookup command in Windows to query the DKIM record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=TXT staff._domainkey.dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
staff._domainkey.dotroll.com    text =

        "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMGy34jPh1A9JPiDN+fHGuLPf0Kb0U752RW8UZti9F4/6BHZVm1aYCNG+QZfy4RAdYTW2uyajuQKigzNemNgAmm6FOEerc+pUFI3CFI3+KzkFcjErSPL6oeZYp1Gs43j3nYb0MJWJttFJZkKKLplPAKq4HccE52Uk3fs+qo4c9UQIDAQAB"
```

Example of a Linux-based host query:

```
host -t TXT staff._domainkey.dotroll.com
staff._domainkey.dotroll.com descriptive text "k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMGy34jPh1A9JPiDN+fHGuLPf0Kb0U752RW8UZti9F4/6BHZVm1aYCNG+QZfy4RAdYTW2uyajuQKigzNemNgAmm6FOEerc+pUFI3CFI3+KzkFcjErSPL6oeZYp1Gs43j3nYb0MJWJttFJZkKKLplPAKq4HccE52Uk3fs+qo4c9UQIDAQAB"
```

#### DKIM RECORD FORMAT
| **Field name** | **Description** |
| --- | --- |
| v= | Set to the record type; the value will typically be `DKIM1`. Required element. |
| k= | Specifies the type of generated key, which can be `dsa` or `rsa`. Required element. |
| g= | You can enter the detail of the key. Not a required element. |
| h= | An authorized hash algorithm, which can be `SHA1` or `SHA256`. Not a required element. |
| n= | A comment can be added. Not a required element. |
| s= | Defines the service type. Not a required element. |
| t= | The given key can be assigned to a single subdomain name. Not a required element. |
| p= | You can enter the public key part of the generated key pair. Required element. |

Some service providers limit the length of the TXT record to 255 characters. If the received DKIM key is longer than 255 characters, the key can be truncated.
For example, the following DKIM key is 411 characters long:

```
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKoXsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoXoP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/hOzk5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUoHLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB;
```

In this case, the key must be divided into two sections, where the first part is 254 characters long and the second part contains the remaining 156 characters:

```
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKoXsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoXoP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/"
"hOzk5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUoHLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB"
```

The record can then be added in the DNS management interface, with the subdomain name given in the domain / subdomain box:

```
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=..."
default._domainkey 14400 IN TXT "hOzk5ve..."
```

#### ADDING DKIM RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **DKIM** from the next drop-down list.
   - Set the desired values.
6. Then click **Save Changes**.

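
The 255-character split described in the DKIM record format section, together with the check a verifier effectively performs after reassembly, as an added example (not DotRoll's code). The function names are chosen here, the key is the one from the page's 411-character example, and the pieces are assumed to be published as strings of a single TXT record, which a receiver concatenates without a separator.

```python
"""Split, reassemble and sanity-check a DKIM key record (added example)."""
import base64

# Public key from the page's 411-character example, in 40-character pieces.
PAGE_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC"
    "AQEAlDv2kr5/XYYmYzy1ynCe25/2AYsLaQtZMvKo"
    "Xsa1W1qgFfKFKmMw6vhcuLkII8FA8gJG18p9wwoX"
    "oP5wNZZOC02u9rrgoZt8FsuQmO6b/QJKNSuHEECr"
    "6hVD+H9C9zS9ThuQk2qa3RtVO6apHCcw/DLpQ1DN"
    "14kNd7URNQlGZLKFgblGI1NwaCOLvUgqpFP/hOzk"
    "5veqG2qh50krPLrg6Lzjvd4pLx/5+n87yvLXian3"
    "ZAjcVZ1IqT9O7UQtPu1mwPbjBH+odpc6xF3ZUFUo"
    "HLDpgxYmwW3z7lD7vTLErgkhxpzEl1+xQwYKG8IM"
    "/ryO85cZ4ADRX7fqj/QUi1mzGwIDAQAB"
)
PAGE_RECORD = "v=DKIM1; k=rsa; p=" + PAGE_KEY + ";"


def split_txt(value, limit=255):
    """Cut a TXT value into strings of at most `limit` characters each."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_rdata(value, limit=255):
    """Render the pieces as quoted strings of ONE TXT record (zone-file form)."""
    return " ".join('"%s"' % part for part in split_txt(value, limit))


def join_txt(strings):
    """What a verifier does: concatenate the strings with nothing in between."""
    return "".join(strings)


def parse_tags(record):
    """Parse 'tag=value; tag=value'. Accepts the '\\;' escaping printed by host."""
    tags = {}
    for item in record.replace("\\;", ";").split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def read_tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_length)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past the end of the key")
    return tag, pos, length


def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus inside a p= value (SubjectPublicKeyInfo)."""
    der = base64.b64decode("".join(p_value.split()), validate=True)
    tag, pos, _ = read_tlv(der, 0)                  # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, length = read_tlv(der, pos)             # AlgorithmIdentifier
    tag, pos, length = read_tlv(der, pos + length)  # BIT STRING holding the key
    if tag != 0x03 or length < 1 or der[pos] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, pos, _ = read_tlv(der, pos + 1)              # RSAPublicKey SEQUENCE
    tag, pos, length = read_tlv(der, pos)           # INTEGER modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[pos:pos + length], "big").bit_length()


def key_bits_or_none(p_value):
    """Modulus size in bits, or None when the key is cut off or malformed."""
    try:
        return rsa_modulus_bits(p_value)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
```

A record that lost its second string still looks like a DKIM record to the eye; `key_bits_or_none` returns `None` for it because the DER length header no longer matches the data.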
# SPF records

#### WHAT IS THE SPF RECORD?

In the original design of the SMTP protocol, any computer could send an email with any sender address. As a result, spammers have a simple job, as they can easily falsify sender addresses (Return-Path headers). SPF remedies this by letting a domain define which servers may send mail from email addresses that belong to that domain. This information must be published in the [TXT](https://admin.dotroll.com/knowledgebase/25/txt-record.html?swcfpc=1) record for that domain.

SPF does not account for one important part of SMTP operation: email forwarding. If a server is configured to forward mail to a specific address, and the server to which the mail is forwarded checks SPF, that server may reject a genuine message because it was not delivered by a server permitted in the SPF record.

Attempts have been made to solve this problem, but all of them can only work if all servers on the Internet implement them.

#### QUERYING SPF RECORD

For example, you can use the nslookup command in Windows to query the TXT record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=TXT dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com     text =

        "v=spf1 mx a:staffmx.dotroll.com a:staffmx1.dotroll.com ip4:80.77.113.20 ip4:80.77.113.30 ip4:185.33.52.53 a:admin.dotroll.com a:online1.int.dotroll.com ~all"
```

Example of a Linux-based host query:

```
host -t TXT dotroll.com
dotroll.com descriptive text "v=spf1 mx a:staffmx.dotroll.com a:staffmx1.dotroll.com ip4:80.77.113.20 ip4:80.77.113.30 ip4:185.33.52.53 a:admin.dotroll.com a:online1.int.dotroll.com ~all"
```

#### SPF RECORD FORMAT

The SPF record always begins with `v=`. This indicates the SPF version used. Currently, version `spf1` must be configured, as this is the most common version of SPF that is understood by mail servers. There may be one or more values after this version. These determine which servers may send mail for the domain name.

Globally usable elements:

| **Usable elements** | **Result** | **Description** |
| --- | --- | --- |
| + | Pass | Specifies the server through which you can send a mail; this is the default operating mode |
| - | Fail | Specifies the server through which no mail can be sent |
| ~ | SoftFail | Specifies the server through which you can not send mail but is temporarily enabled |
| ? | Neutral | It determines that nothing can be said about validity |

These elements can be used for the items listed in the table below.

| **Usable elements** | **Description** |
| --- | --- |
| ip4 | IPv4 addresses, specified in CIDR format, that can deliver or forward the message through the domain name. |
| ip6 | IPv6 addresses, specified in CIDR format, that can deliver or forward the message through the domain name. |
| a | You can specify any host name that can send or forward through the domain name. |
| mx | You can enter the host name of any mail server that can send or forward through the domain name. |
| ptr | You can specify any host name that can send or forward through the domain name. Its use is not recommended. |
| exists | If this value is set, the specified domain name is looked up, and if a match is found for the specified IP addresses, the mail is allowed to be sent or forwarded via the domain name. |
| include | You can specify any additional domain name that can deliver or forward via the domain name. |
| redirect | The current SPF record of the domain name is replaced by the SPF record of the domain name specified here. |
| exp | A brief explanation of what to do after a letter is rejected |
| all | This determines the strictness of the items set in the SPF record. |

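
How the qualifiers and mechanisms in the two tables combine when a receiver checks a sender, as an added example (not DotRoll's code). The record is the one from the page's nslookup output; the DNS answers in `SAMPLE_DNS` and the function names are constructed here so the example runs offline.

```python
"""Parse an SPF record and evaluate a sender IP against it (added example)."""
import ipaddress

# Qualifier -> result, as in the first table of the SPF record format section.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# Record from the page's nslookup output for dotroll.com.
PAGE_SPF = ("v=spf1 mx a:staffmx.dotroll.com a:staffmx1.dotroll.com "
            "ip4:80.77.113.20 ip4:80.77.113.30 ip4:185.33.52.53 "
            "a:admin.dotroll.com a:online1.int.dotroll.com ~all")

# CONSTRUCTED DNS answers (documentation-range addresses), not real records.
SAMPLE_DNS = {
    ("MX", "dotroll.com"): ["staffmx.dotroll.com"],
    ("A", "staffmx.dotroll.com"): ["192.0.2.10"],
    ("A", "admin.dotroll.com"): ["192.0.2.20"],
}


def sample_lookup(rtype, name):
    """Stand-in resolver: returns the constructed answers, or an empty list."""
    return SAMPLE_DNS.get((rtype, name.lower().rstrip(".")), [])


def parse_spf(record):
    """Return (result, name, value) per term; result is None for modifiers."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    parsed = []
    for term in terms:
        if "=" in term.split(":", 1)[0]:        # modifiers: redirect=, exp=
            name, value = term.split("=", 1)
            parsed.append((None, name.lower(), value))
            continue
        has_qualifier = term[0] in QUALIFIERS
        qualifier = term[0] if has_qualifier else "+"   # '+' is the default
        name, _, value = (term[1:] if has_qualifier else term).partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), value or None))
    return parsed


def evaluate(record, sender_ip, domain, lookup=sample_lookup):
    """Return (result, matching term) for sender_ip.

    Mechanisms are tried left to right and the first match decides.
    include, exists and ptr, and a/mx with a CIDR suffix, are reported as
    ("Unsupported", term) instead of being guessed.
    """
    ip = ipaddress.ip_address(sender_ip)
    rtype = "A" if ip.version == 4 else "AAAA"
    for result, name, value in parse_spf(record):
        term = name + (":" + value if value else "")
        if result is None:
            continue                            # modifiers never match a sender
        if name == "all":
            return result, term
        if name in ("ip4", "ip6"):
            nets = [value]
        elif name == "a" and "/" not in term:
            nets = lookup(rtype, value or domain)
        elif name == "mx" and "/" not in term:
            nets = [addr for host in lookup("MX", value or domain)
                    for addr in lookup(rtype, host)]
        else:
            return "Unsupported", term
        if any(ip in ipaddress.ip_network(net, strict=False) for net in nets):
            return result, term
    return "Neutral", "no match"
```

The last assertion-style case worth trying is a forwarder's address such as `198.51.100.7`: nothing matches until `~all`, which is the forwarding problem described earlier in this section.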
#### ADDING SPF RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **SPF** from the next drop-down list.
   - Set the desired values.
6. Then click **Save Changes**.

# How to create a DMARC record?

Once SPF and DKIM are in place, you configure DMARC by adding policies to your domain’s DNS records in the form of TXT records (just like with SPF or DKIM). The TXT record name should be “\_dmarc.your-domain.com.”, where “your-domain.com” is replaced with your actual domain name (or subdomain). Here are common tags used in DMARC TXT records:

| **Tag name** | **Required** | **Purpose** | **Sample** |
| --- | --- | --- | --- |
| v | required | Protocol version | v=DMARC1 |
| p | required | Policy for domain | p=quarantine |
| sp | optional | Requested handling policy for subdomains | sp=reject |
| adkim | optional | Alignment mode for DKIM | adkim=s |
| aspf | optional | Alignment mode for SPF | aspf=r |
| pct | optional | % of messages subjected to filtering | pct=20 |
| ruf | optional | Addresses to which message-specific forensic information is to be reported (comma-separated plain-text list of URIs). | ruf=mailto:authfail@your-domain.com |
| rua | optional | Reporting URI of aggregate reports | rua=mailto:aggrep@your-domain.com |
| fo | optional | Failure reporting format(s) | fo=0 |
| ri | optional | Aggregate reporting interval | ri=3600 |

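
How a receiver uses the `p`, `sp`, `adkim` and `aspf` tags from this table, as an added example (not DotRoll's code): a message passes DMARC when SPF or DKIM passes and the authenticated domain is aligned with the From domain, otherwise the requested policy applies. Assumptions: the function names and `example.com` inputs are constructed, `org_domain` simply takes the last two labels (real receivers use the Public Suffix List), and `pct` sampling is not applied.

```python
"""DMARC alignment and policy selection (added example)."""

# Record recommended further down this page, and a stricter one built from
# the sample values in the tag table (p=quarantine, sp=reject, adkim=s, aspf=r).
PAGE_DMARC = "v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400"
STRICT_DMARC = "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r"


def parse_dmarc(record):
    """Return the tags as a dict, with defaults filled in and values checked."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {name.strip().lower(): value.strip() for name, value in pairs}
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 is required")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.setdefault(tag, "r") not in ("r", "s"):   # relaxed by default
            raise ValueError(tag + " must be r or s")
    tags.setdefault("sp", tags["p"])       # subdomains inherit p unless sp is set
    if not 0 <= int(tags.setdefault("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def normalize(domain):
    """Lower-case a domain and drop the trailing dot."""
    return domain.lower().rstrip(".")


def org_domain(domain):
    """ASSUMPTION: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(normalize(domain).split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts subdomains."""
    if mode == "s":
        return normalize(from_domain) == normalize(auth_domain)
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_action(record, policy_domain, from_domain, spf, dkim):
    """Return ("pass", None) or ("fail", requested action).

    spf  = (SPF passed?,  Return-Path domain that SPF checked)
    dkim = (DKIM passed?, d= domain of the signature)
    policy_domain is the domain whose _dmarc record was found.
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", None
    is_subdomain = normalize(from_domain) != normalize(policy_domain)
    return "fail", tags["sp"] if is_subdomain else tags["p"]
```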
Only the *v (version)* and *p (policy)* tags are required. Three possible policy settings, or message dispositions, are available:

- none – Take no action. Log affected messages on the daily report only.
- quarantine – Mark affected messages as spam.
- reject – Cancel the message at the SMTP layer.

Alignment mode (*aspf / adkim*) refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict, represented by “r” and “s” respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.

Generally, the following settings are appropriate for the DMARC key:

```
_dmarc.your_domain_name.tld. IN TXT "v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400"
```

# NS record

#### WHAT IS THE NS RECORD?

The NS record is the shortened equivalent of NameServer. This record is used to provide a name server for a domain.
Use this record to specify which server is the name server of a domain name or of a subdomain name. It is recommended that you enter two name servers so that the domain name zone can still be accessed if, for any reason, one of the two name servers is unavailable.
#### GLUE RECORD

It is common for one of the name servers of a delegated zone to be in the zone itself. The ns1.dotroll.com record is in the dotroll.com zone, so its address also has to be published one level up, in the .com zone; otherwise resolution would be stuck in a loop. That is why an extra A record has to be placed in the parent zone. Such a foreign A record is called a glue record.

#### QUERYING NS RECORD

For example, you can use the nslookup command in Windows to query the NS record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=NS dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com     nameserver = ns1.dotroll.com
dotroll.com     nameserver = ns2.dotroll.com
```

Example of a Linux-based host query:

```
host -t NS dotroll.com
dotroll.com name server ns2.dotroll.com.
dotroll.com name server ns1.dotroll.com.
```

#### NS RECORD FORMAT
| **Field name** | **Description** |
| --- | --- |
| Name | This field contains the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| Address | Contains the name server name. |

#### ADDING NS RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **NS** from the next drop-down list.
   - Enter the name server name in the last field.
6. Then click **Save Changes**.

# SRV record

#### WHAT IS THE SRV RECORD?

SRV is the abbreviation for SeRVer; the record helps you find where a particular service with a certain protocol is available for a domain. You can give several servers, define preferences, and specify on which port the service is running.

The SRV record is similar to the long-established MX record, and is in fact its generalization: SRV records can be specified not only for mail but for any service, they can be prioritized and weighted by parameters, and they state on which protocol and port the given service is provided.

A domain name may have several SRV records.

#### EXAMPLE OF THE SRV RECORD

Two typical SRV records can be seen below:

```
_sip._tcp.example.com. 3600 IN SRV 10 60 5060 bigbox.example.com.
_sip._udp.example.com. 3600 IN SRV 10 20 5060 smallbox1.example.com.
```

#### SRV RECORD FORMAT

| **Field name** | **Description** |
| --- | --- |
| Name | In general, the symbolic name of the service (`_sip`) is given first, followed by the protocol of the service (`_tcp` or `_udp`). This is followed by the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| Priority | Contains the priority value |
| Weight | Contains the weight value |
| Port | Contains the port on which the given service is available |
| SRV target | Contains the target address |

#### ADDING SRV RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **SRV** from the next drop-down list.
   - Enter the priority.
   - Enter the weight.
   - Enter the port.
   - Enter the name of the service provider in the last field.
6. Then click **Save Changes**.

# TXT record

#### WHAT IS THE TXT RECORD?

Any text information can be stored in the TXT record. TXT is the abbreviation for Text.

With TXT records, you can verify ownership of the domain name for some services. The SPF, DK, DKIM and DMARC keys are published in TXT records.

A domain name may have several TXT records.

#### QUERYING TXT RECORD

For example, you can use the nslookup command in Windows to query the TXT record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=TXT dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com     text =

        "google-site-verification=NMkDYF4JGT5YCQTQKfHvfBTFeg_TOfsYjZIowHSpKFU"
dotroll.com     text =

        "yandex-verification: 66da9e054ee4bea9"
dotroll.com     text =

        "v=spf1 mx a:staffmx.dotroll.com a:staffmx1.dotroll.com ip4:80.77.113.20 ip4:80.77.113.30 ip4:185.33.52.53 a:admin.dotroll.com a:online1.int.dotroll.com ~all"
```

Example of a Linux-based host query:

```
host -t TXT dotroll.com
dotroll.com descriptive text "v=spf1 mx a:staffmx.dotroll.com a:staffmx1.dotroll.com ip4:80.77.113.20 ip4:80.77.113.30 ip4:185.33.52.53 a:admin.dotroll.com a:online1.int.dotroll.com ~all"
dotroll.com descriptive text "google-site-verification=NMkDYF4JGT5YCQTQKfHvfBTFeg_TOfsYjZIowHSpKFU"
dotroll.com descriptive text "yandex-verification: 66da9e054ee4bea9"
```

#### TXT RECORD FORMAT
| **Field name** | **Description** |
| --- | --- |
| Name | This field contains the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| TXT record | Contains the text |

#### ADDING TXT RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **TXT** from the next drop-down list.
   - Enter the text in the last field.
6. Then click **Save Changes**.

# MX record

#### WHAT IS THE MX RECORD?

Using the MX record, you can specify which server handles the mail for a domain name. MX is the abbreviation for Mail eXchange.

The server address specified in the MX record can never be an IP address; it must always be a domain name (for example, `staffmx.dotroll.com`). You must assign a priority to the MX record, which in the case of multiple records determines the order in which the sending server attempts to send the message.

Incorrect setting of the MX record may result in no mail being sent to that domain name.

For a domain name, you can set multiple MX records to ensure redundancy and increase the probability that the mail will be delivered.

#### QUERYING MX RECORD

For example, you can use the nslookup command in Windows to query the MX record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=MX dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com     MX preference = 10, mail exchanger = staffmx.dotroll.com
```

Example of a Linux-based host query:

```
host -t MX dotroll.com
dotroll.com mail is handled by 10 staffmx.dotroll.com.
```

#### MX RECORD FORMAT

| **Field name** | **Description** |
| --- | --- |
| Name | This field contains the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| Priority | If multiple MX records are specified for the domain, the email is sent to the server with the lower priority value |
| Mail server exchange target | Contains the mail server address (`staffmx.dotroll.com`). |

#### ADDING MX RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **MX** from the next drop-down list.
   - Enter the priority.
   - Enter the remote mail server address in the last field.
6. Then click **Save Changes**.

# CNAME record

#### WHAT IS A CNAME RECORD?

CNAME stands for Canonical Name. CNAME records can be used to alias one name to another.

For example, if you have a server where you keep all of your documents online, it might normally be accessed through `docs.example.com`. You may also want to access it through `documents.example.com`. One way to make this possible is to add a CNAME record that points `documents.example.com` to `docs.example.com`. When someone visits `documents.example.com` they will see the exact same content as `docs.example.com`.

#### ADD A CNAME RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **CNAME** from the next drop-down list.
   - Enter the destination host name in the last field.
6. Then click **Save Changes**.

# AAAA record

#### WHAT IS THE AAAA RECORD?

The AAAA record (also known as a four-A record) determines the host’s IPv6 address. It works the same way as the A record; the difference is the IP address type. Using AAAA records, IPv6 addresses can be assigned to domain names to identify computers. When you visit a webpage that can be reached through an IPv6 record, the client uses name resolution to find the IPv6 address for that domain name. Subsequently, the client sends the request to the IPv6 address specified in the AAAA record.

For example, you need to enter `dotroll.com` in the browser to access the DotRoll website. During name resolution, the server for `dotroll.com` returns the record, which in this case will be `2a00:c760:80:d07:2011:ffff:b921:3440`, and the browser will send its requests for the contents of the web page to the `2a00:c760:80:d07:2011:ffff:b921:3440` IPv6 address.

These records are the simplest DNS records and one of the primary records used in DNS servers. In fact, several records can be given for a domain name, thus ensuring redundancy. Of course, several domain names may point to the same IPv6 address.

#### QUERYING AAAA RECORD

For example, you can use the nslookup command in Windows to query the AAAA record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=AAAA dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    dotroll.com
Address:  2a00:c760:80:d07:2011:ffff:b921:3440
```

Example of a Linux-based host query:

```
host -t AAAA dotroll.com
dotroll.com has IPv6 address 2a00:c760:80:d07:2011:ffff:b921:3440
```

#### AAAA RECORD FORMAT
| **Field name** | **Description** |
| --- | --- |
| Name | This field contains the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| IPv6 Address | Contains the colon-separated IPv6 address (`2a00:c760:80:d07:2011:ffff:b921:3440`). |

#### ADDING AAAA RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **AAAA** from the next drop-down list.
   - Enter the IPv6 address in the last field.
6. Then click **Save Changes**.

# A record

#### WHAT IS THE A RECORD?

A records can be used to assign computers to domain names using IP addresses. A is the abbreviation for Address. When you visit a web site or send an email, the client uses name resolution to find the IP address for that domain name. Subsequently, the client sends the request to the IP address specified in the A record.

For example, you need to enter `dotroll.com` in the browser to access the DotRoll website. During name resolution, the server for `dotroll.com` returns the record, which in this case will be `185.33.52.64`, and the browser will send its requests for the contents of the web page to the `185.33.52.64` IP address.

A records are the simplest DNS records and one of the primary records used in DNS servers. In fact, several records can be given for a domain name, thus ensuring redundancy. Of course, several domain names may point to the same IP address.

#### QUERYING A RECORD

For example, you can use the nslookup command in Windows to query the A record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=A dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    dotroll.com
Address:  185.33.52.64
```

Example of a Linux-based host query:

```
host -t A dotroll.com
dotroll.com has address 185.33.52.64
```

#### A RECORD FORMAT
| **Field name** | **Description** |
| --- | --- |
| Name | This field contains the domain or subdomain name. |
| TTL | This field contains the record lifetime in seconds. This is how long the entry is stored in the resolver. |
| IPv4 Address | This field contains an IPv4 address separated by dots (`185.33.52.64`). |

#### ADDING A RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. At the bottom of the page, click **Add**.
   - In the first field, you can enter a subdomain name, or leave it blank.
   - The TTL value can be selected in the second field; typically the default is 1 hour.
   - Select **A** from the next drop-down list.
   - Enter the IP address in the last field.
6. Then click **Save Changes**.

# SOA record

#### WHAT IS THE SOA RECORD?

The SOA (Service of Authority) record defines the domain parameters. Each domain name must have a SOA record from the moment the domain name is registered.

For example, if the dotroll.com domain is delegated to the DotRoll name servers, we need to provide a SOA record for the dotroll.com domain name in the authoritative DNS records. This record is automatically added to the domain names registered at DotRoll.

#### QUERYING SOA RECORD

For example, you can use the nslookup command in Windows to query the SOA record, and the host command under Linux.

Example of a Windows-based nslookup query:

```
nslookup -q=SOA dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com
        primary name server = ns1.dotroll.com
        responsible mail addr = hostmaster.dotroll.com
        serial  = 2018071701
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 600 (10 mins)
```

Example of a Linux-based host query:

```
host -t SOA dotroll.com
dotroll.com has SOA record ns1.dotroll.com. hostmaster.dotroll.com. 2018071701 86400 7200 604800 600
```

#### SOA RECORD FORMAT
| **Example value** | **Description** |
| --- | --- |
| ns1.dotroll.com | Primary name server. |
| hostmaster.dotroll.com | Admin contact e-mail address. Replace the first dot with an @. |
| 2018071701 | Serial number. Increment this if the domain has been modified. |
| 86400 | Refresh time. The secondary NS tries to download the zone every this many seconds. |
| 7200 | Retry time. The secondary NS retries to download the zone after this many seconds in case of failure. |
| 604800 | Expiry. The secondary NS forgets the zone after this time. |
| 600 | Minimum TTL. Negative cache time. The DNS resolver uses this time to cache negative responses. |

#### EDITING SOA RECORD

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Manage DNS**.
5. In the block at the top of the page, you can modify certain items in the SOA record.
   - You can adjust the record TTL value, Refresh time, Retry, Maturity, and Minimum TTL.
6. Once you’ve made the settings, click the **Save Changes** button at the bottom of the page.

# TTL

The TTL (Time To Live) is a general term in IT referring to the expiry of an item.

- [TTL in DNS records](https://dotroll.com/en/knowledge-base/books/dns-settings/page/ttl-dns)

# TTL (DNS)

A DNS record’s TTL (Time To Live) sets the time the record may be cached. During this time, clients don’t ask the authoritative server for information. Frequent values vary from 1 hour to 1 day. Very small TTL values (below 300s) may be ignored by resolvers. It is important to note that TTL values are stored per-record, not per-zone (domain).

#### DNS UPDATES

A DNS entry will be resolved for the client by a DNS resolver. A DNS update can have the following effects:

- If the resolver was not asked for the record before the update, it performs a recursion and returns the new value.
- If the resolver was asked for the record before the update and the record did not exist at that time, the negative cache TTL is in effect. (This is the last parameter of the SOA record.) The client will be returned a *servfail*.
- If the resolver was asked for the record before the update and the record did exist at that time, the record’s TTL value is in effect. The client will be returned the old setting.

# DNS resolver

A DNS resolver is the server doing a recursive lookup on behalf of a client. Most ISPs (Internet Service Providers) have at least one.

# DNSSEC

By default, the DNS entries of domain names are not encrypted during a simple query, so a third party may access or change the response. DNSSEC uses a cryptographic procedure to sign the domain name's zone, giving you a credible response that a third party cannot access or modify.

Using the DNSSEC settings incorrectly for the domain name may result in the domain name being inoperable.

#### WHAT IS THE DNSSEC?

DNSSEC is the abbreviation of Domain Name System Security Extensions. Essentially, it is an extension of DNS that is intended to remedy the security weaknesses in the original design of DNS.

#### OPERATION OF DNSSEC

DNSSEC protects against data forgery by adding digital signatures to DNS records during queries. When querying domain names signed with DNSSEC, the digital signature stored on the name server set for the domain name is verified to ensure that the data stored in the zone has not changed between the query and the response. Using DNSSEC, you can ensure that you actually query the web page that the visitor has typed into the browser’s address bar.

DNSSEC uses public and secret key authentication. Public keys can be published in DNS as RRSIG type records; these records can be retrieved the same way as any other type of record. The secret keys belonging to the domain names are stored by the name server, which, during a query, sends back the data signed with the secret key to the querying party, who can check it using the public key. If a third party interferes with the query and modifies the data sent in the response, the data will not check out against the public key, and the recipient will know that it is fake.

DNSSEC does not encrypt data – in the absence of algorithms – but only ensures that the data you are querying is genuine. As a result, DNSSEC can not be used, for example, to prevent a DDoS attack.

#### MANAGE DNSSEC KEYS

Naturally, as with any cryptographic procedure, the private and public keys used for DNSSEC can also become known and be broken over time. To make it harder to learn the keys in use and then crack them, an additional key has been introduced. For DNSSEC, the KSK and ZSK keys are used.

The KSK keys are relatively rarely changed, but the ZSK keys often, ensuring that a possible break is much more time consuming, and this makes it more difficult.

| Key type | Key description |
| --- | --- |
| KSK | Used to sign the zone signing key |
| ZSK | Used to sign each record in the zone |
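
The KSK and ZSK roles in the table above can be told apart in a zone's published DNSKEY records by the flags field (257 for a KSK, 256 for a ZSK, per RFC 4034). The following is an added example, not part of the original article or DotRoll's tooling; the `example.test` zone, the key material, and the assumed `host -t DNSKEY` output format are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format assumed for `host -t DNSKEY <zone>` output.
# example.test and the base64 strings are placeholders, not real keys.
SAMPLE_DNSKEY='example.test has DNSKEY record 257 3 13 S1NLLXBsYWNlaG9sZGVyLWtleQ==
example.test has DNSKEY record 256 3 13 WlNLLXBsYWNlaG9sZGVyLWtleQ=='

# Print one line per key: "<role> flags=<n> alg=<n>".
# The role is read from the DNSKEY flags field (RFC 4034):
#   value 256 = Zone Key bit, value 1 = Secure Entry Point (SEP) bit.
#   Zone Key + SEP (257) marks a KSK, Zone Key alone (256) marks a ZSK.
classify_dnskeys() {
    printf '%s\n' "$1" | awk '
        $2 == "has" && $3 == "DNSKEY" && $4 == "record" {
            flags = $5; alg = $7
            zone = int(flags / 256) % 2
            sep  = flags % 2
            if (!zone)    role = "NOT-A-ZONE-KEY"
            else if (sep) role = "KSK"
            else          role = "ZSK"
            printf "%s flags=%d alg=%d\n", role, flags, alg
        }'
}

# Summarise the key set: "split" when both roles are published,
# "single-role" when only one is, "unsigned" when no zone key is returned.
key_set_status() {
    roles=$(classify_dnskeys "$1" | awk '{print $1}' | sort -u)
    ksk=0; zsk=0
    for r in $roles; do
        case $r in
            KSK) ksk=1 ;;
            ZSK) zsk=1 ;;
        esac
    done
    if [ "$ksk" -eq 1 ] && [ "$zsk" -eq 1 ]; then echo split
    elif [ "$ksk" -eq 1 ] || [ "$zsk" -eq 1 ]; then echo single-role
    else echo unsigned
    fi
}

classify_dnskeys "$SAMPLE_DNSKEY"
key_set_status "$SAMPLE_DNSKEY"
```
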

#### TROUBLESHOOTING DNSSEC

Use the following pages to check the correct setting for DNSSEC:

- [Verisign DNSSEC Debugger](https://dnssec-analyzer.verisignlabs.com/ "Verisign DNSSEC Debugger")
- [DNSViz](https://dnsviz.net/ "DNSViz")

# Setup the domain redirect

When registering a domain name, if you have not provided custom name servers or the domain name has not been added to the hosting service, our system will generate a default zone.

If you want to change the domain name's record after you register your domain name, you can do so through the online interface.

To modify the record, you must first clear the current records in the zone file so that the domain name has only the new A record that you have set. Otherwise, if you enter the domain name in a browser, you will be randomly served either the parking page in the default zone file or the content uploaded under the IP address you have set.

#### SETUP A RECORD WITHOUT WWW SUBDOMAIN

- Delete both your \*.yourdomain.tld and your www.yourdomain.tld record using the **Delete** button at the end of each row.
- Next, click the **Add** button at the bottom right. The field for entering a new record is displayed at the bottom of the page.
- If you want to redirect only the bare domain name without www, leave the first field empty.
- In the second drop-down list, you can set the TTL for that record. A value of 1 hour is generally a good baseline.
- You can select the type of record from the next drop-down list.
- From the drop-down list, select **Redirect**, and then from the next drop-down list, select the redirect type.
- In the next box, type the address to which you want to direct the domain name.

#### EDIT A WWW SUBDOMAIN AND REDIRECT

Setting the www subdomain name to a plain A record is similar.

- Click the **Add** button at the bottom right. The field for entering a new record is displayed at the bottom of the page.
- Type **www** in the first field.
- In the second drop-down list, you can set the TTL for that record. A value of 1 hour is generally a good baseline.
- You can select the type of record from the next drop-down list.
- From the drop-down list, select **Redirect**, and then from the next drop-down list, select the redirect type.
- In the next box, type the address to which you want to direct the domain name.

As a last step, click the **Save Changes** button.

# Redirect

The domain name is set to an A record. This A record redirects the visitor to the URL set on the web interface. There are currently two types of redirects:

- **HTTP**: In this case, the visitor to the page will be redirected to the specified address and the URL will be overwritten in the browser, so the address of the new web page will appear in the browser bar. (This is what we recommend because search engines like this kind of redirection.)
- **FRAME**: In this case, the page you are redirected to will be loaded into an iFrame, leaving the original page title in the browser’s title bar. (We do not recommend this because iFrame is not popular with search engines and it is not certain that the page you are loading will work properly.)

# Why can I only set an IP address in an A record?
An A record is a generic pointer for your domain, which resolves a domain name to an IP address. If the DNS server supports it, you may add multiple A records to one domain for load balancing purposes. (The TTL must be set low in order for this to work.)
# Can I use my free hosting plan, but use another e-mail provider?
Yes, the domain name MX records can be configured independently of the storage settings.
# CNAME at the root of the domain

The [DNS](https://dotroll.com/en/knowledge-base/books/dns-settings "Category: DNS") administration interface doesn’t allow a CNAME record to be added to the root of the domain because a CNAME (canonical name) redirects not only the A record but the full domain name. If a CNAME record could be created for the domain, it would also move the [NS](https://dotroll.com/en/knowledge-base/books/dns-settings/page/ns-record) and [SOA](https://dotroll.com/en/knowledge-base/books/dns-settings/page/soa-record) records elsewhere, which would be equivalent to making the domain unusable.

# Setup the hosting nameservers

You can modify the name servers of the domain name at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1 "https://admin.dotroll.com").

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Nameservers**.
5. Once the page has been loaded, select **Use webhosting nameservers**.
6. Click the **Change Nameservers** button.

If there is a technical problem with the name server setup, our system will indicate it at the top of the page. The change takes up to 24 to 48 hours to take effect; the domain name will only work properly after that.

# Use own nameservers

To avoid instability caused by missing technical settings, we advise using the name servers provided by DotRoll. After that, the name servers are freely changeable, but for domain names ending in .hu the name server settings must comply with the [technical check](http://www.domain.hu/domain/English/regcheck/ "http://www.domain.hu/domain/English/regcheck/").

# Modify nameservers

You can modify the name servers of the domain name at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1 "https://admin.dotroll.com").

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/?swcfpc=1) with your username and password.
2. In the top menu bar, click the **Domains** / **My Domains** menu.
3. Select the domain name for which you want to make the change and then click on it.
4. In the **Manage** box on the left, select **Nameservers**.
5. Once the page has been loaded, select **Use custom nameservers (enter below)** and enter the new name servers.
6. Click the **Change Nameservers** button.

If there is a technical problem with the name server setup, our system will indicate it at the top of the page. The change takes up to 24 to 48 hours to take effect; the domain name will only work properly after that.

# Modify DNS settings for domain names using the webhosting nameservers

If the affected domain name is set to **cns1.dotroll.com** and **cns2.dotroll.com** or **ns1.webspacecontrol.com** and **ns2.webspacecontrol.com** name servers, you can change the domain name’s DNS settings as described below.

If the affected domain name uses **ns1.dotroll.com** and **ns2.dotroll.com** name servers, you can modify the domain name DNS settings based on the Modify DNS settings for domain names using the default name server article.

#### QUERY NAME SERVERS

You can query the name servers that are currently set for the domain name as follows.

You can use the nslookup command on Windows:

```
nslookup -q=NS webspacecontrol.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
webspacecontrol.com     nameserver = ns1.webspacecontrol.com
webspacecontrol.com     nameserver = ns2.webspacecontrol.com
```

Under Linux use the host command:

```
host -t NS webspacecontrol.com
webspacecontrol.com name server ns2.webspacecontrol.com.
webspacecontrol.com name server ns1.webspacecontrol.com.
```

#### MODIFY ZONE

When you use the webhosting nameservers, you can change the DNS settings for that domain name in two ways:

##### CPANEL INTERFACE

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/clientarea.php?swcfpc=1 "https://admin.dotroll.com") with your username and password.
2. Then, in the top menu bar, click **Services** / **My Services**.
3. Select the hosting service to which your domain name is assigned as **Addon domain** or **Alias** and click on it.
4. On the page that appears, in the **One Click Login** box on the left, select **cPanel**.
5. Your browser will open the **cPanel** interface in a new tab. In the search box at the top of the page, type the word “zone”, and then click the item below.
6. On the page, select or locate the domain name whose DNS zone you want to change, then click **Manage**.
7. On this page you can modify an existing record or add a new one with the **Add Record** button.

##### ONLINE INTERFACE

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/clientarea.php?swcfpc=1 "https://admin.dotroll.com") with your username and password.
2. Then, in the top menu bar, click **Domains** / **My Domains**.
3. Select the domain name that you want to change and click on it.
4. On the left, in the **Manage** box, select the **Manage DNS** element.
5. On the **Manage DNS** page you can:
   1. modify an existing record,
   2. or add a new record. Use the **Add** button at the bottom of this page.
6. When you’ve made the settings, click **Save Changes**.

#### SUPPORTED DNS RECORDS

If you add a new record, the following record types are currently supported:

- A
- AAAA
- CNAME
- MX
- TXT
- SRV
- NS
- CAA
- DMARC
- SPF
- DKIM

# Verify Google Domain ownership on the Search Console interface

Google has made Domain Property available in the Google Search Console, and the previously used Property Sets feature has been discontinued.

Domain Property is similar to the former Property Sets, but with the new interface, multiple URLs can be managed as one, so the interface can be used to view the relevant domain name data on the Google Search Console. This means that the protocols (http, https) and subdomain names such as www or a mobile subdomain will be accessible and viewable through a single interface.

If you have previously registered a domain name in the Google Search Console, it will migrate automatically.

If you want to add a new domain name to the Google Search Console interface, you need to set up DNS-based authentication for the domain name. This essentially means that a TXT record must be set for the domain name concerned on the name server currently used for the domain name.

You can find a detailed description of the TXT record setting in the following Knowledge Base article: [**Adding TXT record**](https://dotroll.com/en/knowledge-base/txt-record/?swcfpc=1)

For more information about Google Domain Property, please see the following links:

- [**Announcing domain-wide data in Search Console**](https://webmasters.googleblog.com/2019/02/announcing-domain-wide-data-in-search.html "Announcing domain-wide data in Search Console")
- [**Add a website property – Search Console Help**](https://support.google.com/webmasters/answer/34592 "Add a website property - Search Console Help")

# Modify DNS settings for domain names using the default name server

If the affected domain name is set to **ns1.dotroll.com** and **ns2.dotroll.com** name servers, you can change the domain name’s DNS settings as described below.

If the affected domain name is set to **cns1.dotroll.com** and **cns2.dotroll.com** or **ns1.webspacecontrol.com** and **ns2.webspacecontrol.com** name servers, you can change the domain name’s DNS settings based on the Modify DNS settings for domain names using the webhosting nameservers article.

#### QUERY NAME SERVERS

You can query the name servers that are currently set for the domain name as follows.

You can use the nslookup command on Windows:

```
nslookup -q=NS dotroll.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
dotroll.com     nameserver = ns1.dotroll.com
dotroll.com     nameserver = ns2.dotroll.com
```

Under Linux use the host command:

```
host -t NS dotroll.com
dotroll.com name server ns2.dotroll.com.
dotroll.com name server ns1.dotroll.com.
```

#### MODIFY ZONE

1. Sign in at [https://admin.dotroll.com](https://admin.dotroll.com/clientarea.php?swcfpc=1 "https://admin.dotroll.com") with your username and password.
2. Then, in the top menu bar, click **Domains** / **My Domains**.
3. Select the domain name that you want to change and click on it.
4. On the left, in the **Manage** box, select the **Manage DNS** element.
5. On the **Manage DNS** page you can:
   1. modify an existing record,
   2. or add a new record. Use the **Add** button at the bottom of this page.
6. When you’ve made the settings, click **Save Changes**.
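
Which of the two articles applies depends on the name servers returned by the NS query, both in this article and in the webhosting nameservers article. The following added example (not DotRoll's own code) classifies `host -t NS` output accordingly; the `ns_set` function name and the `example.test` lines are constructed, while the other sample lines are copied from the outputs shown on this page.

```shell
#!/bin/sh
# Samples: the first two are the `host -t NS` outputs shown on this page,
# the third is a constructed mixed case (example.test is a placeholder).
HOSTING_NS='webspacecontrol.com name server ns2.webspacecontrol.com.
webspacecontrol.com name server ns1.webspacecontrol.com.'
DEFAULT_NS='dotroll.com name server ns2.dotroll.com.
dotroll.com name server ns1.dotroll.com.'
MIXED_NS='example.test name server ns1.dotroll.com.
example.test name server cns2.dotroll.com.'

# Map the delegated name servers to the article that applies:
#   default -> ns1/ns2.dotroll.com (default name server article)
#   hosting -> cns1/cns2.dotroll.com or ns1/ns2.webspacecontrol.com
#   custom  -> none of the servers belong to either set
#   mixed   -> servers from more than one set, so neither article's
#              precondition holds and the delegation should be fixed first
#   none    -> no NS lines in the input (for example an NXDOMAIN reply)
ns_set() {
    printf '%s\n' "$1" | awk '
        $2 == "name" && $3 == "server" {
            ns = tolower($4); sub(/\.$/, "", ns)
            if (ns == "ns1.dotroll.com" || ns == "ns2.dotroll.com")
                seen["default"] = 1
            else if (ns == "cns1.dotroll.com" || ns == "cns2.dotroll.com" ||
                     ns == "ns1.webspacecontrol.com" ||
                     ns == "ns2.webspacecontrol.com")
                seen["hosting"] = 1
            else
                seen["custom"] = 1
        }
        END {
            n = 0
            for (k in seen) { n++; last = k }
            if (n == 0)      print "none"
            else if (n == 1) print last
            else             print "mixed"
        }'
}

for sample in "$HOSTING_NS" "$DEFAULT_NS" "$MIXED_NS"; do
    ns_set "$sample"
done
```
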