Overview of DNS zones and records

This page explains the key concepts of domains, DNS zones, DNS records and record sets, and how they are supported in Azure DNS.

Domain names

The Domain Name System is a hierarchy of domains. The hierarchy starts from the 'root' domain, whose name is simply '.'. Below this come top-level domains, such as 'com', 'net', 'org', 'uk' or 'jp'. Below these are second-level domains, such as 'org.uk' or 'co.jp'. The domains in the DNS hierarchy are globally distributed, hosted by DNS name servers around the world.

A domain name registrar is an organization that allows you to purchase a domain name, such as 'contoso.com'. Purchasing a domain name gives you the right to control the DNS hierarchy under that name, for example allowing you to direct the name www.contoso.com to your company web site. The registrar may host the domain in its own name servers on your behalf, or allow you to specify alternative name servers.

Azure DNS provides a globally distributed, high-availability name server infrastructure, which you can use to host your domain. By hosting your domains in Azure DNS, you can manage your DNS records with the same credentials, APIs, tools, billing, and support as your other Azure services.

Azure DNS does not currently support purchasing of domain names. If you want to purchase a domain name, you need to use a third-party domain name registrar. The registrar typically charges a small annual fee. The domains can then be hosted in Azure DNS for management of DNS records. See Delegate a domain to Azure DNS for details.

DNS zones

A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone.

For example, the domain 'contoso.com' may contain several DNS records, such as 'mail.contoso.com' (for a mail server) and 'www.contoso.com' (for a web site).

When creating a DNS zone in Azure DNS:

  • The name of the zone must be unique within the resource group, and the zone must not exist already. Otherwise, the operation fails.
  • The same zone name can be reused in a different resource group or a different Azure subscription.
  • Where multiple zones share the same name, each instance is assigned different name server addresses. Only one set of addresses can be configured with the domain name registrar.

Note

You do not have to own a domain name to create a DNS zone with that domain name in Azure DNS. However, you do need to own the domain to configure the Azure DNS name servers as the correct name servers for the domain name with the domain name registrar.

For more information, see Delegate a domain to Azure DNS.

DNS records

Record names

In Azure DNS, records are specified by using relative names. A fully qualified domain name (FQDN) includes the zone name, whereas a relative name does not. For example, the relative record name 'www' in the zone 'contoso.com' gives the fully qualified record name 'www.contoso.com'.

An apex record is a DNS record at the root (or apex) of a DNS zone. For example, in the DNS zone 'contoso.com', an apex record also has the fully qualified name 'contoso.com' (this is sometimes called a naked domain). By convention, the relative name '@' is used to represent apex records.

Record types

Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common type is an 'A' record, which maps a name to an IPv4 address. Another common type is an 'MX' record, which maps a name to a mail server.

Azure DNS supports all common DNS record types: A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT. Note that SPF records are represented using TXT records.

Record sets

Sometimes you need to create more than one DNS record with a given name and type. For example, suppose the 'www.contoso.com' web site is hosted on two different IP addresses. The web site requires two different A records, one for each IP address. Here is an example of a record set:

www.contoso.com.        3600    IN    A    134.170.185.46
www.contoso.com.        3600    IN    A    134.170.188.221

Azure DNS manages all DNS records using record sets. A record set (also known as a resource record set) is the collection of DNS records in a zone that have the same name and are of the same type. Most record sets contain a single record. However, examples like the one above, in which a record set contains more than one record, are not uncommon.

For example, suppose you have already created an A record 'www' in the zone 'contoso.com', pointing to the IP address '134.170.185.46' (the first record above). To create the second record you would add that record to the existing record set, rather than create an additional record set.

The SOA and CNAME record types are exceptions. The DNS standards don't permit multiple records with the same name for these types, therefore these record sets can only contain a single record.

Time-to-live

The time to live, or TTL, specifies how long each record is cached by clients before being requeried. In the above example, the TTL is 3600 seconds or 1 hour.

In Azure DNS, the TTL is specified for the record set, not for each record, so the same value is used for all records within that record set. You can specify any TTL value between 1 and 2,147,483,647 seconds.

Wildcard records

Azure DNS supports wildcard records. Wildcard records are returned in response to any query with a matching name (unless there is a closer match from a non-wildcard record set). Azure DNS supports wildcard record sets for all record types except NS and SOA.

To create a wildcard record set, use the record set name '*'. Alternatively, you can also use a name with '*' as its left-most label, for example, '*.foo'.
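The following is an added example, not code from the page or from Azure DNS: a small in-memory zone model that groups zone-file lines into record sets keyed by (relative name, type), stores the TTL once per record set, enforces the single-record rule for SOA and CNAME, and answers queries with the wildcard rule described above (a wildcard only applies when no closer non-wildcard name exists). The zone-file lines and addresses are constructed sample data; the function names are this example's own.

```python
from collections import defaultdict

ZONE_NAME = "contoso.com"

# Constructed zone-file style lines for 'contoso.com' (sample data, not real records).
SAMPLE_LINES = """
www.contoso.com.        3600    IN    A    134.170.185.46
www.contoso.com.        3600    IN    A    134.170.188.221
mail.contoso.com.       3600    IN    A    192.0.2.25
*.contoso.com.          300     IN    A    192.0.2.99
app.foo.contoso.com.    300     IN    A    192.0.2.50
*.foo.contoso.com.      300     IN    TXT  "catch-all-under-foo"
"""


def to_relative(fqdn, zone=ZONE_NAME):
    """Turn an FQDN (trailing dot optional) into the Azure-style relative name; the apex is '@'."""
    name = fqdn.rstrip(".").lower()
    zone = zone.lower()
    if name == zone:
        return "@"
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return name[:-len(suffix)]


def build_record_sets(lines, zone=ZONE_NAME):
    """Group zone-file lines into record sets keyed by (relative name, type).

    The TTL is stored once per record set, as Azure DNS does; SOA and CNAME sets
    are limited to a single record, as the DNS standards require.
    """
    sets = defaultdict(lambda: {"ttl": None, "records": []})
    for raw in lines.strip().splitlines():
        owner, ttl, _cls, rtype, rdata = raw.split(None, 4)
        key = (to_relative(owner, zone), rtype.upper())
        rs = sets[key]
        if key[1] in ("SOA", "CNAME") and rs["records"]:
            raise ValueError(f"{key[1]} record set {key[0]!r} may only contain one record")
        if rs["ttl"] is None:
            rs["ttl"] = int(ttl)
        rs["records"].append(rdata.strip())
    return dict(sets)


def name_exists(sets, rel):
    """True if rel is an existing non-wildcard name, including empty non-terminals
    (e.g. 'foo' exists once 'app.foo' has a record set). The apex always exists."""
    if rel == "@":
        return True
    for name, _rtype in sets:
        if name.startswith("*"):
            continue
        if name == rel or name.endswith("." + rel):
            return True
    return False


def lookup(sets, qname, qtype, zone=ZONE_NAME):
    """Answer a query: exact record set first; otherwise the nearest wildcard set,
    but only when no closer non-wildcard name exists."""
    rel = to_relative(qname, zone)
    exact = sets.get((rel, qtype))
    if exact is not None:
        return exact["records"]
    if name_exists(sets, rel):
        return []  # the name exists (with other types only): no wildcard synthesis
    labels = rel.split(".")
    for i in range(1, len(labels) + 1):
        parent = ".".join(labels[i:])
        wildcard = "*" if parent == "" else "*." + parent
        hit = sets.get((wildcard, qtype))
        if hit is not None:
            return hit["records"]
        if name_exists(sets, parent or "@"):
            break  # closest encloser found, but it has no matching wildcard
    return []


if __name__ == "__main__":
    zone = build_record_sets(SAMPLE_LINES)
    for q, t in [("www.contoso.com", "A"), ("anything.contoso.com", "A"),
                 ("x.foo.contoso.com", "TXT"), ("x.foo.contoso.com", "A")]:
        print(q, t, lookup(zone, q, t))
```

Note the two "closer match" cases the model handles: a query for 'www' with a type that has no record set returns nothing rather than falling through to '*', and 'x.foo' with type A returns nothing because '*.foo' exists but only holds TXT records.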

CAA records

CAA records allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain. This allows CAs to avoid mis-issuing certificates in some circumstances. CAA records have three properties:

  • Flags: an integer between 0 and 255, used to represent the critical flag, which has special meaning per the RFC
  • Tag: an ASCII string that can be one of the following:
    • issue: use this to specify the CAs that are permitted to issue certificates (all types)
    • issuewild: use this to specify the CAs that are permitted to issue certificates (wildcard certificates only)
    • iodef: specify an email address or hostname to which CAs can send notifications of unauthorized certificate issue requests
  • Value: the value for the specific Tag chosen
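As an added example (not from the page or from any CA's code), here is the check a CA performs against a domain's CAA record set before issuing: it parses the flags/tag/value triples, selects issuewild for wildcard requests when such records exist and falls back to issue otherwise, treats a bare ';' value as "nobody may issue", and refuses when an unrecognized tag carries the critical flag. The critical flag is taken as bit value 128 of the flags octet per RFC 8659; the record values and the domain 'example.test' are constructed sample data, and the helper names are this example's own. Climbing to the parent domain when a name has no CAA records at all is outside this example.

```python
from dataclasses import dataclass

CRITICAL_FLAG = 128  # issuer-critical bit of the flags octet (RFC 8659)
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata):
    """Parse presentation-format rdata such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    flags = int(flags)
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must be between 0 and 255")
    return CAARecord(flags, tag.lower(), value.strip().strip('"'))


def ca_may_issue(rdatas, ca_domain, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain.

    issuewild governs wildcard certificates when present; otherwise issue applies
    to wildcards too. A value of ';' names no issuer, so it forbids all CAs.
    """
    recs = [parse_caa(r) for r in rdatas]
    for r in recs:
        if r.tag not in KNOWN_TAGS and r.flags & CRITICAL_FLAG:
            return False, f"unknown tag {r.tag!r} marked critical: must refuse"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return True, f"no {tag} records: CAA does not restrict this request"
    for r in relevant:
        # value is '<ca-domain>' optionally followed by ';' and parameters
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"matched {tag} record for {issuer}"
    return False, f"{ca_domain} is not listed in any {tag} record"


def report_addresses(rdatas):
    """The iodef contact(s) a CA should notify about a refused request."""
    return [r.value for r in map(parse_caa, rdatas) if r.tag == "iodef"]


# Constructed CAA record set for 'example.test' (sample data, not real).
SAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.test"',
]

if __name__ == "__main__":
    print(ca_may_issue(SAMPLE_CAA, "letsencrypt.org"))
    print(ca_may_issue(SAMPLE_CAA, "letsencrypt.org", wildcard=True))
    print(report_addresses(SAMPLE_CAA))
```

The sample set is the common defensive shape: one named CA may issue ordinary certificates, nobody may issue wildcards, and refused requests are reported to the security mailbox.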

CNAME records

CNAME record sets cannot coexist with other record sets with the same name. For example, you cannot create a CNAME record set with the relative name 'www' and an A record with the relative name 'www' at the same time.

Because the zone apex (name = '@') always contains the NS and SOA record sets that were created when the zone was created, you can't create a CNAME record set at the zone apex.

These constraints arise from the DNS standards and are not limitations of Azure DNS.

NS records

The NS record set at the zone apex (name '@') is created automatically with each DNS zone, and is deleted automatically when the zone is deleted (it cannot be deleted separately).

This record set contains the names of the Azure DNS name servers assigned to the zone. You can add additional name servers to this NS record set, to support co-hosting domains with more than one DNS provider. You can also modify the TTL and metadata for this record set. However, you cannot remove or modify the pre-populated Azure DNS name servers.

This applies only to the NS record set at the zone apex. Other NS record sets in your zone (as used to delegate child zones) can be created, modified, and deleted without constraint.

SOA records

An SOA record set is created automatically at the apex of each zone (name = '@'), and is deleted automatically when the zone is deleted. SOA records cannot be created or deleted separately.

You can modify all properties of the SOA record except for the 'host' property, which is pre-configured to refer to the primary name server name provided by Azure DNS.

The zone serial number in the SOA record is not updated automatically when changes are made to the records in the zone. It can be updated manually by editing the SOA record, if necessary.

SPF records

Sender Policy Framework (SPF) records are used to specify which email servers can send email on behalf of a domain name. Correct configuration of SPF records is important to prevent recipients from marking your email as junk.

The DNS RFCs originally introduced a new SPF record type to support this scenario. To support older name servers, they also allowed the use of the TXT record type to specify SPF records. This ambiguity led to confusion, which was resolved by RFC 7208. It states that SPF records must be created by using the TXT record type. It also states that the SPF record type is deprecated.

SPF records are supported by Azure DNS and must be created by using the TXT record type. The obsolete SPF record type isn't supported. When you import a DNS zone file, any SPF records that use the SPF record type are converted to the TXT record type.

SRV records

SRV records are used by various services to specify server locations. When specifying an SRV record in Azure DNS:

  • The service and protocol must be specified as part of the record set name, prefixed with underscores. For example, '_sip._tcp.name'. For a record at the zone apex, there is no need to specify '@' in the record name; simply use the service and protocol, for example '_sip._tcp'.
  • The priority, weight, port, and target are specified as parameters of each record in the record set.

TXT records

TXT records are used to map domain names to arbitrary text strings. They are used in multiple applications, in particular related to email configuration, such as the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The DNS standards permit a single TXT record to contain multiple strings, each of which may be up to 254 characters in length. Where multiple strings are used, they are concatenated by clients and treated as a single string.

When calling the Azure DNS REST API, you need to specify each TXT string separately. When using the Azure portal, PowerShell or CLI interfaces, you should specify a single string per record, which is automatically divided into 254-character segments if necessary.

The multiple strings in a DNS record should not be confused with the multiple TXT records in a TXT record set. A TXT record set can contain multiple records, each of which can contain multiple strings. Azure DNS supports a total string length of up to 1024 characters in each TXT record set (across all records combined).
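The distinction between strings within a record and records within a record set is easy to get wrong when building REST requests, so here is an added example (not code from the page or from the Azure SDKs) that splits a logical TXT value into segments of the length stated above, rebuilds it the way a client does, and assembles a two-record TXT record set while enforcing the 1024-character per-set total. The 254 and 1024 figures come from this page; the request body shape (a 'TXTRecords' list whose entries carry a 'value' list of strings) is modelled on the REST API and is an assumption here; the SPF and DKIM-style values are constructed sample data.

```python
SEGMENT_LEN = 254       # per-string length stated above for Azure DNS
RECORD_SET_MAX = 1024   # total characters per TXT record set, as stated above


def split_txt(value, segment_len=SEGMENT_LEN):
    """Divide one logical TXT value into character strings of at most segment_len;
    this is the split the REST API expects the caller to do."""
    if value == "":
        return [""]
    return [value[i:i + segment_len] for i in range(0, len(value), segment_len)]


def join_txt(strings):
    """What a client does on read: concatenate the strings of one record."""
    return "".join(strings)


def build_txt_record_set(values, limit=RECORD_SET_MAX):
    """Build a REST-style TXT record set body from logical values (one per record).

    The 'TXTRecords' / 'value' shape is an assumption modelled on the REST API.
    Rejects sets whose combined length exceeds the stated limit.
    """
    total = sum(len(v) for v in values)
    if total > limit:
        raise ValueError(f"record set total of {total} characters exceeds {limit}")
    return {"TXTRecords": [{"value": split_txt(v)} for v in values]}


# Constructed sample values: an SPF policy and a DKIM-style key too long for one string.
SPF_VALUE = "v=spf1 include:spf.example.test -all"
DKIM_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 600


def demo():
    """Return the segment lengths of the DKIM record and whether it round-trips."""
    body = build_txt_record_set([SPF_VALUE, DKIM_VALUE])
    dkim_strings = body["TXTRecords"][1]["value"]
    return [len(s) for s in dkim_strings], join_txt(dkim_strings) == DKIM_VALUE


if __name__ == "__main__":
    print(demo())
```

The 618-character DKIM-style value becomes three strings inside one record, while the SPF policy stays a single string in its own record; both records belong to the same TXT record set at one name.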

Tags and metadata

Tags

Tags are a list of name-value pairs and are used by Azure Resource Manager to label resources. Azure Resource Manager uses tags to enable filtered views of your Azure bill, and also enables you to set a policy on which tags are required. For more information about tags, see Using tags to organize your Azure resources.

Azure DNS supports using Azure Resource Manager tags on DNS zone resources. It does not support tags on DNS record sets, although as an alternative 'metadata' is supported on DNS record sets, as explained below.

Metadata

As an alternative to record set tags, Azure DNS supports annotating record sets using 'metadata'. Similar to tags, metadata enables you to associate name-value pairs with each record set. This can be useful, for example to record the purpose of each record set. Unlike tags, metadata cannot be used to provide a filtered view of your Azure bill and cannot be specified in an Azure Resource Manager policy.

Etags

Suppose two people or two processes try to modify a DNS record at the same time. Which one wins? And does the winner know that they've overwritten changes created by someone else?

Azure DNS uses Etags to handle concurrent changes to the same resource safely. Etags are separate from Azure Resource Manager 'Tags'. Each DNS resource (zone or record set) has an Etag associated with it. Whenever a resource is retrieved, its Etag is also retrieved. When updating a resource, you can choose to pass back the Etag so Azure DNS can verify that the Etag on the server matches. Since each update to a resource results in the Etag being regenerated, an Etag mismatch indicates a concurrent change has occurred. Etags can also be used when creating a new resource to ensure that the resource does not already exist.

By default, Azure DNS PowerShell uses Etags to block concurrent changes to zones and record sets. The optional -Overwrite switch can be used to suppress Etag checks, in which case any concurrent changes that have occurred are overwritten.

At the level of the Azure DNS REST API, Etags are specified using HTTP headers. Their behavior is given in the following table:

Header              Behavior
None                PUT always succeeds (no Etag checks)
If-match <etag>     PUT only succeeds if the resource exists and the Etag matches
If-match *          PUT only succeeds if the resource exists
If-none-match *     PUT only succeeds if the resource does not exist
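To make the lost-update problem and the four header rows concrete, here is an added example (not code from the page or from Azure DNS) that simulates the service side in memory: every successful write regenerates the Etag, and PUT honours If-match / If-none-match exactly as the table states. The demo function plays out two clients editing the same 'www' record set, once with Etag checks (the PowerShell default) and once without (the effect of -Overwrite). Class and function names are this example's own; the record set key and addresses are constructed sample data.

```python
import copy
import uuid


class NotFound(Exception):
    pass


class AlreadyExists(Exception):
    pass


class EtagMismatch(Exception):
    pass


class RecordSetStore:
    """In-memory stand-in for the service: every resource carries an Etag that is
    regenerated on each successful write."""

    def __init__(self):
        self._items = {}  # key -> (etag, body)

    def get(self, key):
        if key not in self._items:
            raise NotFound(key)
        etag, body = self._items[key]
        return etag, copy.deepcopy(body)

    def put(self, key, body, if_match=None, if_none_match=None):
        """Apply the four rows of the header table and return the new Etag."""
        exists = key in self._items
        if if_none_match == "*" and exists:
            raise AlreadyExists(key)            # If-none-match *: create only
        if if_match is not None:
            if not exists:
                raise NotFound(key)             # If-match * or <etag>: must exist
            current = self._items[key][0]
            if if_match != "*" and if_match != current:
                raise EtagMismatch(f"server has {current}, client sent {if_match}")
        new_etag = uuid.uuid4().hex
        self._items[key] = (new_etag, copy.deepcopy(body))
        return new_etag


def lost_update_demo(overwrite=False):
    """Two clients read the same record set and both write it back.

    overwrite=False sends the Etag each client read, so the second, stale write is
    rejected. overwrite=True sends no Etag (the effect of -Overwrite) and the second
    write silently discards the address the first client added.
    Returns (outcome, final list of A record addresses).
    """
    key = "contoso.com/www/A"
    store = RecordSetStore()
    store.put(key, {"ttl": 3600, "a": ["134.170.185.46"]}, if_none_match="*")
    etag1, body1 = store.get(key)
    etag2, body2 = store.get(key)              # same Etag: nothing has changed yet
    body1["a"].append("134.170.188.221")
    store.put(key, body1, if_match=etag1)      # succeeds and regenerates the Etag
    body2["ttl"] = 60                          # client 2 edits a now-stale copy
    try:
        store.put(key, body2, if_match=None if overwrite else etag2)
        outcome = "overwritten"
    except EtagMismatch:
        outcome = "rejected"
    return outcome, store.get(key)[1]["a"]


if __name__ == "__main__":
    print(lost_update_demo())
    print(lost_update_demo(overwrite=True))
```

The rejected client should re-read the record set, reapply its change on top of the current body, and retry with the fresh Etag; that read-modify-write loop is what the Etag check is meant to force.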

Limits

The following default limits apply when using Azure DNS:

Public DNS zones

Resource                                      Default limit
Public DNS zones per subscription             250 (1)
Record sets per public DNS zone               10,000 (1)
Records per record set in a public DNS zone   20

(1) If you need to increase these limits, contact Azure Support.

Next steps