Commit 8ce5590

Merge pull request #289834 from greg-lindsay/dns-dnssec
DNSSEC record types
2 parents 9a10d2b + ec477d3 commit 8ce5590

3 files changed

+23
-9
lines changed

articles/dns/dns-faq.yml

Lines changed: 1 addition & 1 deletion
@@ -79,7 +79,7 @@ sections:
7979
- question: |
8080
Does Azure DNS support Domain Name System Security Extensions (DNSSEC)?
8181
answer: |
82-
Yes. See [DNSSEC overview](dnssec.md).
82+
Yes. Azure Public DNS supports DNSSEC. For more information, see [DNSSEC overview](dnssec.md).
8383
8484
- question: |
8585
Does Azure DNS support zone transfers (AXFR/IXFR)?
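
Review bot: The new answer on line 82 narrows the "Yes" to Azure Public DNS while the question asks about Azure DNS in general, so the reader has to infer what applies to other zone types. If the narrowing is intentional, state the scope outright in the answer instead of leaving it implied. The sentence "Azure Public DNS supports DNSSEC." also largely repeats the question; it could be merged into the link sentence.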

articles/dns/dns-zones-records.md

Lines changed: 11 additions & 1 deletion
@@ -6,7 +6,7 @@ ms.assetid: be4580d7-aa1b-4b6b-89a3-0991c0cda897
66
ms.service: azure-dns
77
ms.topic: concept-article
88
ms.custom: H1Hack27Feb2017
9-
ms.date: 10/30/2024
9+
ms.date: 11/04/2024
1010
ms.author: greglin
1111
---
1212

@@ -102,6 +102,16 @@ When calling the Azure DNS REST API, you need to specify each TXT string separat
102102

103103
The multiple strings in a DNS record shouldn't be confused with the multiple TXT records in a TXT record set. A TXT record set can contain multiple records, *each of which* can contain multiple strings. Azure DNS supports a total string length of up to 4096 characters in each TXT record set (across all records combined).
104104

105+
### DS records
106+
107+
The delegation signer (DS) record is a [DNSSEC](dnssec.md) resource record type that is used to secure a delegation. To create a DS record in a zone, the zone must first be signed with DNSSEC.
108+
109+
### TLSA records
110+
111+
A TLSA (Transport Layer Security Authentication) record is used to associate a TLS server certificate or public key with the domain name where the record is found. A TLSA record links the public key (a TLS server certificate) to the domain name, providing an additional layer of security for TLS connections.
112+
113+
To use TLSA records effectively, [DNSSEC](dnssec.md) must be enabled on your domain. This ensures that the TLSA records can be trusted and properly validated
114+
105115
## Tags and metadata
106116

107117
### Tags
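
Review bot: In the TLSA paragraph on line 111, the second sentence repeats the first, and its parenthetical "the public key (a TLS server certificate)" treats a key and a certificate as the same thing, although the first sentence says "certificate or public key". Suggest dropping the second sentence, or replacing it with a concrete statement of what the "additional layer of security" is. Line 113 is missing its final period after "properly validated". On line 107, "the zone must first be signed" should say plainly that this is the zone holding the DS record, that is, the parent side of the delegation being secured.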

includes/dns-about-records-include.md

Lines changed: 11 additions & 7 deletions
@@ -2,32 +2,36 @@
22
author: vhorne
33
ms.service: azure-dns
44
ms.topic: include
5-
ms.date: 11/25/2018
5+
ms.date: 11/04/2024
66
ms.author: victorh
77
---
88
### Record names
99

10-
In Azure DNS, records are specified by using relative names. A *fully qualified* domain name (FQDN) includes the zone name, whereas a *relative* name does not. For example, the relative record name `www` in the zone `contoso.com` gives the fully qualified record name `www.contoso.com`.
10+
In Azure DNS, records are specified by using relative names. A *fully qualified* domain name (FQDN) includes the zone name, whereas a *relative* name doesn't. For example, the relative record name `www` in the zone `contoso.com` gives the fully qualified record name `www.contoso.com`.
1111

12-
An *apex* record is a DNS record at the root (or *apex*) of a DNS zone. For example, in the DNS zone `contoso.com`, an apex record also has the fully qualified name `contoso.com` (this is sometimes called a *naked* domain). By convention, the relative name '\@' is used to represent apex records.
12+
An *apex* record is a DNS record at the root (or *apex*) of a DNS zone. For example, in the DNS zone `contoso.com`, an apex record also has the fully qualified name `contoso.com` (this is sometimes called a *naked* domain). By convention, the relative name '\@' is used to represent apex records.
1313

1414
### Record types
1515

1616
Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common type is an 'A' record, which maps a name to an IPv4 address. Another common type is an 'MX' record, which maps a name to a mail server.
1717

1818
Azure DNS supports all common DNS record types: A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT. Note that [SPF records are represented using TXT records](../articles/dns/dns-zones-records.md#spf-records).
1919

20+
Additional record types are supported if the zone is signed with DNS Security Extensions ([DNSSEC](/azure/dns/dnssec)), such as Delegation Signer (DS) and Transport Layer Security Authentication (TLSA) resource records.
21+
22+
DNSSEC resource record types such as DNSKEY, RRSIG, and NSEC3 records are added automatically when a zone is signed with DNSSEC. These types of DNSSEC resource records can't be created or modified after zone signing.
23+
2024
### Record sets
2125

22-
Sometimes you need to create more than one DNS record with a given name and type. For example, suppose the 'www.contoso.com' web site is hosted on two different IP addresses. The website requires two different A records, one for each IP address. Here is an example of a record set:
26+
Sometimes you need to create more than one DNS record with a given name and type. For example, suppose the 'www.contoso.com' web site is hosted on two different IP addresses. The website requires two different A records, one for each IP address. Here's an example of a record set:
2327

2428
```dns
2529
www.contoso.com. 3600 IN A 134.170.185.46
2630
www.contoso.com. 3600 IN A 134.170.188.221
2731
```
2832

29-
Azure DNS manages all DNS records using *record sets*. A record set (also known as a *resource* record set) is the collection of DNS records in a zone that have the same name and are of the same type. Most record sets contain a single record. However, examples like the one above, in which a record set contains more than one record, are not uncommon.
33+
Azure DNS manages all DNS records using *record sets*. A record set (also known as a *resource* record set) is the collection of DNS records in a zone that have the same name and are of the same type. Most record sets contain a single record. However, examples like the one above, in which a record set contains more than one record, aren't uncommon.
3034

31-
For example, suppose you have already created an A record 'www' in the zone 'contoso.com', pointing to the IP address '134.170.185.46' (the first record above). To create the second record you would add that record to the existing record set, rather than create an additional record set.
35+
For example, suppose you have already created an A record 'www' in the zone 'contoso.com', pointing to the IP address '134.170.185.46' (the first record above). To create the second record you would add that record to the existing record set, rather than create an additional record set.
3236

33-
The SOA and CNAME record types are exceptions. The DNS standards don't permit multiple records with the same name for these types, therefore these record sets can only contain a single record.
37+
The SOA and CNAME record types are exceptions. The DNS standards don't permit multiple records with the same name for these types, therefore these record sets can only contain a single record.
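
Review bot: On line 22, "can't be created or modified after zone signing" reads as if DNSKEY, RRSIG, and NSEC3 records could be created by hand before signing, which conflicts with the preceding sentence saying they are added automatically. Suggest wording along the lines of "These record types can't be created or modified by users." Separately, line 20 links DNSSEC as `/azure/dns/dnssec` while line 18 of the same file uses a relative `../articles/dns/...` path; pick one link style for this include.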
