Add, modify, and delete records

You can manage DNS records for the Cloud DNS API by using either of two alternative API endpoints: Changes and ResourceRecordSets.

While the Changes API requires you to delete existing resource record sets to add new ones, you can use the ResourceRecordSets API to replace resource record sets.

This page describes how to make additions, deletions, and updates to a resource record set by using the Changes and ResourceRecordSets API and how to send the desired changes to the API by using the import, export, and transaction commands.

Before you begin

You must have already created a managed zone and completed the prerequisites for creating a zone.

You can add or remove DNS records in a record set by creating and executing a transaction that specifies the operations that you want to perform. A transaction is a group of one or more record changes that must be propagated together. The entire transaction either succeeds or fails, so your data is never left in an intermediate state.

For more information about DNS record types, see this list of supported DNS record types.

Add a record

When adding a record, you can add two values or strings to the record set for the same DNS name. When adding record sets, you must add a space between the first value and the second value.

Console

To create a record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS zones page.

    Go to Cloud DNS zones

  2. Click the name of the managed zone that you want to add the record to.

  3. On the Zone details page, click Add standard.

  4. On the Create record set page, in the DNS name field, enter the subdomain of the DNS zone—for example, mail. The trailing dot is automatically added at the end.

    To create a wildcard DNS record, enter an asterisk—for example, *.example.com.

  5. Select the Resource record type—for example, MX.

  6. In the TTL field, enter a numeric value for the resource record's time to live, which is the amount of time that it can be cached. This value must be a positive integer.

  7. From the TTL unit menu, select the unit of time—for example, 30 minutes.

  8. Depending on the resource record type that you have selected, populate the remaining fields.

  9. To enter additional information, click Add item.

  10. Click Create.

gcloud

  1. To start a transaction, use the gcloud dns record-sets transaction start command:

    gcloud dns record-sets transaction start \
       --zone=MANAGED_ZONE
    

    Replace MANAGED_ZONE with the name of the managed zone whose record sets you want to manage—for example, my-zone-name.

  2. To add a record set as part of a transaction, use the gcloud dns record-sets transaction add command:

    gcloud dns record-sets transaction add RR_DATA \
       --name=DNS_NAME \
       --ttl=TTL \
       --type=RECORD_TYPE \
       --zone=MANAGED_ZONE
    

    Replace the following:

    • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...
    • DNS_NAME: the DNS or domain name of the record set to add—for example, test.example.com
    • TTL: the time to live (TTL) for the record set in number of seconds—for example, 300
    • RECORD_TYPE: the record type—for example, A.
    • MANAGED_ZONE: the name of the managed zone whose record sets you want to manage—for example, my-zone-name
  3. To execute the transaction, use the gcloud dns record-sets transaction execute command:

    gcloud dns record-sets transaction execute \
       --zone=MANAGED_ZONE
    
  4. To add a wildcard transaction, use the gcloud dns record-sets transaction add command:

    gcloud dns record-sets transaction add \
       --zone=MANAGED_ZONE \
       --name=WILDCARD_DNS_NAME \
       --type=RECORD_TYPE \
       --ttl=TTL
    

    Replace the following:

    • MANAGED_ZONE: the name of the managed zone whose record sets you want to manage—for example, my-zone-name
    • WILDCARD_DNS_NAME: the DNS or domain name of the record set that you want to add—for example, *.example.com. (note the trailing dot)
    • RECORD_TYPE: the record type—for example, CNAME.
    • TTL: the TTL for the record set in number of seconds—for example, 300

Terraform

resource "google_dns_managed_zone" "parent_zone" {
  name        = "sample-zone"
  dns_name    = "sample-zone.hashicorptest.com."
  description = "Test Description"
}

resource "google_dns_record_set" "default" {
  managed_zone = google_dns_managed_zone.parent_zone.name
  name         = "test-record.sample-zone.hashicorptest.com."
  type         = "A"
  rrdatas      = ["10.0.0.1", "10.1.0.1"]
  ttl          = 86400
}

API

To update a transaction with new resource record sets, use the changes.create method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/changes
{
  "deletions": []
  "additions": [
    {
      "name": DNS_NAME,
      "type": RECORD_TYPE,
      "ttl": TTL,
      "rrdatas": [
        RR_DATA
      ]
    }
  ]
}

Replace the following:

  • PROJECT_ID: your project ID
  • MANAGED_ZONE: your managed zone name or ID
  • DNS_NAME: the DNS or domain name of the record set—for example, test.example.com. (note the trailing dot)
  • RECORD_TYPE: the record type
  • TTL: the time to live (TTL) for the record set in number of seconds—for example, 30
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...

Remove a record

Console

To remove a record or record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS page.

    Go to Cloud DNS

  2. Click the zone name whose record set you want to delete. Records for the zone are listed on the Zone details page.

  3. Next to the record that you want to delete, select the checkbox.

  4. Click Delete record set.

gcloud

To remove a transaction, use the gcloud dns record-sets transaction remove command:

gcloud dns record-sets transaction remove RR_DATA \
    --name=DNS_NAME \
    --ttl=TTL \
    --type=RECORD_TYPE \
    --zone=MANAGED_ZONE
  

Replace the following:

  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...
  • DNS_NAME: the DNS or domain name of the record set to remove—for example, test.example.com
  • TTL: the TTL for the record set in number of seconds—for example, 30
  • RECORD_TYPE: the record type—for example, A.
  • MANAGED_ZONE: the name of the managed zone

To replace an existing record, run the remove command followed by the add command.

API

To update a transaction with deleted resource record sets, use the changes.create method:

POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/changes
{
  "deletions": [
    {
      "name": DNS_NAME,
      "type": RECORD_TYPE,
      "ttl": TTL,
      "rrdatas": [
        RR_DATA
      ]
    }
  ]
  "additions": []
}

Replace the following:

  • PROJECT_ID: your project ID
  • MANAGED_ZONE: your managed zone name or ID
  • DNS_NAME: the DNS or domain name of the record set—for example, test.example.com. (note the trailing dot)
  • RECORD_TYPE: the record type.
  • TTL: the TTL for the record set in number of seconds—for example, 30
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...

Import and export record sets

To copy record sets into and out of a managed zone, you can use import and export. The formats that you can import from and export to are either BIND zone file format or YAML records format.

gcloud

  1. To import a record set, use the dns record-sets import command. The --zone-file-format flag tells import to expect a BIND zone-formatted file. If you omit this flag, import expects a YAML-formatted records file:

    gcloud dns record-sets import -z=examplezonename \
       --zone-file-format path-to-example-zone-file
    

    When you use the gcloud dns record-sets import command, specifying --replace-origin-ns replaces the NS records for the zone with the NS records specified in the zone file. These records must match the name servers assigned by Cloud DNS to host the zone. They must also match the NS records specified in the parent (delegating) zone. By default, Cloud DNS does not overwrite NS records. If you use this flag, you must verify that the NS records are correct. They must come from a prior export of the same zone assigned to the same name server by Cloud DNS.

  2. To export a record set, use the dns record-sets export command. To specify that the record sets are exported into a BIND zone-formatted file, use the --zone-file-format flag. For example:

    example.com. 21600 IN NS ns-gcp-private.googledomains.com.
    example.com. 21600 IN SOA ns-gcp-private.googledomains.com.
    cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
    host1.example.com. 300 IN A 192.0.2.91
    

    If you omit the --zone-file-format flag, export exports the record set into a YAML-formatted records file:

    gcloud dns record-sets export example.zone -z=examplezonename
    

    For example:

    ---
    kind: dns#resourceRecordSet
    name: example.com.
    rrdatas:
    - ns-gcp-private.googledomains.com.
    ttl: 21600
    type: NS
    ---
    kind: dns#resourceRecordSet
    name: example.com.
    rrdatas:
    - ns-gcp-private.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
    ttl: 21600
    type: SOA
    ---
    kind: dns#resourceRecordSet
    name: host1.example.com.
    rrdatas:
    - 192.0.2.91
    ttl: 300
    type: A
    

Display the current record set

To display the current DNS records for your zone, use the gcloud dns record-sets list command:

gcloud

To display the current DNS records for your zone, use the gcloud dns record-sets list command:

gcloud dns record-sets list \
   --zone="myzonename"

The command outputs the JSON response for the resource record set for the first 100 records. You can specify these additional parameters:

  • --limit: maximum number of record sets to list
  • --name: only list record sets with this exact domain name
  • --type: only list records of this type; if present, the --name parameter must also be present

Create a resource record set

Console

To create a resource record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS page.

    Go to Cloud DNS

  2. Click the zone for which you want to create a resource record set.

  3. On the Zone details page, click Add standard.

  4. Enter the DNS name for the record set—for example, test.example.com.

  5. Select the resource record type.

  6. Enter the time to live (TTL) for the resource record set—for example, 30.

  7. Select the TTL unit—for example, minutes.

  8. Enter the details based on the record type that you have selected.

  9. Click Create.

gcloud

To create a resource record set, use the gcloud dns record-sets create command:

gcloud dns record-sets create RRSET_NAME \
    --rrdatas=RR_DATA \
    --ttl=TTL \
    --type=RRSET_TYPE \
    --zone=MANAGED_ZONE

Replace the following:

  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...
  • TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix

API

To create a resource record set, use the resourceRecordSets.create method:

POST https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets
{
    "name": RRSET_NAME,
    "type": RRSET_TYPE,
    "ttl": TTL,
    "rrdatas": RR_DATA
}

Replace the following:

  • PROJECT_ID: the ID of the project
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A
  • TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...

Terraform

resource "google_dns_managed_zone" "parent_zone" {
  name        = "sample-zone"
  dns_name    = "sample-zone.hashicorptest.com."
  description = "Test Description"
}

resource "google_dns_record_set" "default" {
  managed_zone = google_dns_managed_zone.parent_zone.name
  name         = "test-record.sample-zone.hashicorptest.com."
  type         = "A"
  rrdatas      = ["10.0.0.1", "10.1.0.1"]
  ttl          = 86400
}

View details of a resource record set

This procedure assumes that you have created a resource record set within the managed zone that uses the same name and type.

Console

To view the details of an existing resource record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS zones page.

    Go to Cloud DNS zones

  2. Click the zone for which you want to view the resource record set.

  3. The Zone details page lists the details of all the resource record sets in that zone.

gcloud

To view the details of an existing resource record set, use the gcloud dns record-sets describe command:

gcloud dns record-sets describe RRSET_NAME \
  --type=RRSET_TYPE \
  --zone=MANAGED_ZONE

Replace the following:

  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix

API

To get the details of an existing resource record set, use the resourceRecordSets.get method:

GET https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE

Replace the following:

  • PROJECT_ID: the ID of the project
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.

Patch a resource record set

Console

To apply a partial update to an existing resource record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS zones page.

    Go to Cloud DNS zones

  2. Click the zone for which you want to update the resource record set.

  3. On the Zone details page, next to the resource record set that you want to update, click Edit.

  4. After making the necessary updates, click Save.

gcloud

To apply a partial update to an existing resource record set, use the gcloud dns record-sets update command:

gcloud dns record-sets update RRSET_NAME \
    --rrdatas=RR_DATA \
    --ttl=TTL \
    --type=RRSET_TYPE \
    --zone=MANAGED_ZONE

Replace the following:

  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...
  • TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix

API

To apply a partial update to an existing resource record set, use the resourceRecordSets.patch method:

PATCH https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE
{
  "ttl": TTL,
  "rrdatas": RR_DATA,
  "update_mask": {
      "paths": ["rrset.ttl", "rrset.rrdatas"]
  }
}

Replace the following:

  • PROJECT_ID: the ID of the project
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.
  • TTL: the TTL in seconds that the resolver caches this resource record set—for example, 30
  • RR_DATA: an arbitrary value associated with the resource record set—for example, 198.51.100.5; you can also enter multiple values, rrdata1 rrdata2 rrdata3—for example, 198.51.100.5 10.2.3.4...

Delete a resource record set

Console

To delete an existing resource record set, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS zones page.

    Go to Cloud DNS zones

  2. Click the zone for which you want to delete the resource record set.

  3. On the Zone details page, next to the DNS name of the resource record set that you want to delete, select the checkbox.

  4. Click Delete record sets.

gcloud

To delete an existing resource record set, use the gcloud dns record-sets delete command:

gcloud dns record-sets delete RRSET_NAME \
    --type=RRSET_TYPE \
    --zone=MANAGED_ZONE

Replace the following:

  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix

API

To delete an existing resource record set, use the resourceRecordSets.delete method:

DELETE https://www.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/MANAGED_ZONE/rrsets/RRSET_NAME/RRSET_TYPE

Replace the following:

  • PROJECT_ID: the ID of the project
  • MANAGED_ZONE: the managed zone that this resource record set is affiliated with—for example, my-zone-name; the name of this resource record set must have the DNS name of the managed zone as its suffix
  • RRSET_NAME: the DNS name that matches the incoming queries with this zone's DNS name as its suffix—for example, test.example.com
  • RRSET_TYPE: the resource record type of this resource record set—for example, A.

Select resource record types

For record type Enter
A

The host's numeric address, in IPv4 dotted decimal format. The A record type maps an IPv4 address to a domain name and determines where the requests for the domain name are directed—for example, 192.0.2.91.

AAAA

The host's numeric IP address, in IPv6 hexadecimal format. The AAAA (quad A) record type maps an IPv6 address to a domain name and determines where the requests for the domain name are directed—for example, 2001:db8::8bd:1002.

ALIAS(Preview)

The canonical name to resolve for incoming address queries—for example, example.my-cdn.net. When an A/AAAA query reaches an ALIAS record, the ALIAS's canonical name is resolved to determine the returned IP addresses. You can only add an ALIAS record at the apex of a domain.

CAA

The certificate authorities that are authorized to issue certificates for this domain—for example, ca.example.net.

Create a CAA record type to ensure that unauthorized CAs don't issue certificates to your domain.

CNAME

The DNS alias for an A record—for example, ftp.example.com is a DNS alias to www.example.com. In this example, ftp.example.com is a service present in the same server as www.example.com. Links pointing to ftp.example.com receive the A record of www.example.com.

You can also use the CNAME record type to point to an entirely different domain name—for example, altostrat.com is a DNS alias to www.example.com.

Sometimes, a name server responds with the CNAME record and the A record referred to by the CNAME value; this behavior is called CNAME chasing.

DNSKEY

The DNSSEC public key that the resolvers use to verify the authenticity of records using ZSK and KSK keys—for example, 7200 IN DNSKEY 256 3 8 AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI. In this example, 7200 is the TTL, 256 is the decimal representation of DNSKEY flags, 3 is the protocol indicator for DNSSEC, and 8 is the RSA/SHA-256 cryptographic algorithm used for the key.

You can only add this record type in a public and DNSSEC-enabled zone that is in the Transfer state. For more information, see Manage DNSSEC configuration.

DS

The DNSSEC key fingerprint for a secure delegated zone—for example, 7200 IN DS 31523 5 1 c8761ba5defc26ac7b78e076d7c47fa9f86b9fba. In this example, 7200 is the TTL, 31523 is the keytag, 5 is the algorithm, and 1 is the digest type.

You can only add this record type in a public zone. This record type does not activate DNSSEC for a delegated zone unless you enable (and activate) DNSSEC for this zone. DNSSEC is not enabled by default for zones.

HTTPS, SVCB

The service priority (SvcPriority), which is 0 for aliases and 1-65535 for service descriptions, TargetName ("." if same as the owner name), and service parameters (SvcParams), consisting of key=value pairs describing the target endpoint, separated by spaces. For more details, see the draft specification.

IPSECVPNKEY

The IPsec public VPN key. The IPSECVPNKEY record type enables opportunistic encryption through IPsec tunnels—for example, 10 1 2 192.0.2.1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt==.

You can only add this record type in a public zone.

MX

A preference number and DNS name of a mail exchange server that receives emails on behalf of your domain. SMTP servers prefer servers with lower preference numbers. 0 is the lowest preference number that you can enter.

For example: 1 mail.example.com.

Ensure that there is a space between the preference number and the DNS name. The MX record that you enter must end with a period or trailing dot (.).

You can create multiple records with different priorities to configure backup mail servers or use the same priority to distribute the load across multiple mail servers.

For example, to direct your email to your Google Workspace account, enter the following:

  • 1 ASPMX.L.GOOGLE.COM.
  • 5 ALT1.ASPMX.L.GOOGLE.COM.
  • 5 ALT2.ASPMX.L.GOOGLE.COM.

NAPTR

The name authority pointer rules used for mapping Uniform Resource Names (URN) by Dynamic Delegation Discovery System (DDDS) applications—for example, 100 10 "u" "sip+E2U" "!^.*$!sip:information@example.com!i". For more information, see RFC 3403.

The NAPTR record type is used by DDDS applications to convert or replace one value with another to find a URN.

NS

The DNS name of the authoritative name server that provides DNS services for your domain or subdomain. Your NS records must match the name servers for your zone—for example, ns-1.example.com.

PTR

The Fully Qualified Domain Name (FQDN) or the canonical name of the domain that maps to an IP address—for example, server-1.example.com.

The PTR record type is typically used for reverse lookups.

SPF

The SPF record set type is deprecated. Use TXT records starting with v=spf1 instead. SPF type records are not used by modern email software.

SRV

The data that specifies the location, that is, the hostname and port number, of servers for a particular service—for example, 0 1 587 mail.example.com.

For more information, see RFC 2782.

SSHFP

The SSH server algorithm number, fingerprint type number, and key fingerprint—for example, 2 1 123456789abcdef67890123456789abcdef67890.

Use this record type only if you have enabled DNSSEC for this zone.

TLSA

The DNS-based Authentication of Named Entities (DANE) TLSA Certificate Association information.

A TLSA record contains information used to validate X.509 certificates (such as certificates used by HTTPS) without depending on one of a preconfigured set of certificate authorities (CAs) signing them—for example, 1 1 2 92003ba34942dc74152e2f2c408d29ec. In this example, 1 is the protocol indicator for DNSSEC, 1 is the public key, and 2 is the RSA/SHA-256 cryptographic algorithm used for the key.

Use this record type only if you have enabled DNSSEC for this zone.

TXT

Text data, which can contain arbitrary text and can also be used to define machine-readable data, such as security or abuse prevention information.

A TXT record may contain one or more text strings; the maximum length of each string is 255 characters. If your record data is more than 255 bytes, divide your record into 255-byte strings and enclose each string in quotation marks—for example, "String one 255 bytes" "String two 255 bytes".

Mail agents and other software agents concatenate multiple strings.

Enclose each string in quotation marks—for example, "Hello world" "Bye world".

Each TXT record has a 1000-character limit. If you need to increase this limit, contact Google Cloud support.

What's next