A DNS record that maps a domain name to an IPv6 address. It is the IPv6 equivalent of an A record and becomes important when organisations need to support modern clients without breaking compatibility for older IPv4-only systems.
Expanded Definition
An AAAA record is a DNS resource record that maps a hostname to an IPv6 address. In practice, it serves the same naming function as an A record, but for IPv6-enabled networks, clients, and services that need to resolve addresses in the 128-bit address space. For NHI security, AAAA records matter because service endpoints, workload identities, and API front doors often depend on DNS resolution before authentication, routing, or certificate validation can occur.
Definitions are stable at the DNS layer, but operational usage in identity and infrastructure teams varies. Some organisations treat AAAA records as a purely network concern, while others treat them as part of service exposure governance because they reveal where a workload is reachable. That distinction matters when DNS records are tied to secrets, certificates, or automated provisioning flows. The AAAA record type and its handling are defined in RFC 3596 (DNS Extensions to Support IP Version 6).
The most common misapplication is assuming that adding an AAAA record is harmless because the IPv4 path still exists. It is not: dual-stack clients prefer IPv6 by default once an AAAA record is present (RFC 6724 address selection and Happy Eyeballs, RFC 8305), so publishing the record changes which path most traffic actually takes. The damage appears when the dual-stack rollout was never tested against authentication, firewall, and application-path dependencies that were only ever built for the IPv4 address.
Examples and Use Cases
Implementing AAAA records rigorously often introduces dual-stack operational overhead, requiring organisations to weigh broader IPv6 reachability against the risk of exposing incomplete or inconsistently secured services.
- A SaaS API publishes both A and AAAA records so modern clients can prefer IPv6 while older systems continue using IPv4.
- A workload running behind a load balancer uses AAAA records to support IPv6-only internal subnets and reduce NAT complexity.
- A service account depends on DNS-based service discovery; the AAAA record ensures IPv6 clients can reach the same endpoint without separate naming.
- An environment team reviews DNS exposure as part of the NHI lifecycle because records can reveal service locations that should align with certificate and token scope.
- Security engineers compare DNS publishing against guidance in the Ultimate Guide to NHIs and validate routing posture against NIST Cybersecurity Framework 2.0.
Used well, AAAA records support phased IPv6 adoption without forcing identity systems to change naming conventions. Used poorly, they can create hidden reachability paths that bypass the operational assumptions attached to legacy IPv4-only controls.
Why It Matters in NHI Security
AAAA records are not credentials, but they shape how non-human identities are discovered, reached, and monitored. A service account, automation job, or AI agent may authenticate correctly and still be exposed if its network endpoint is published in DNS in ways security teams did not intend. That is especially important in environments where secrets, certificates, and workload identities are distributed across CI/CD systems and service meshes. In the Ultimate Guide to NHIs, NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes endpoint exposure an identity security issue rather than just a networking detail.
AAAA records also intersect with governance because they can change the blast radius of an exposed service. When teams introduce IPv6 without updating logging, allowlists, segmentation, or certificate lifecycles, identity visibility degrades quickly. The NIST Cybersecurity Framework 2.0 is useful here because it frames asset awareness, access control, and monitoring as a connected control set rather than isolated tasks.
Organisations typically encounter the risk only after a service is unexpectedly reachable over IPv6 during an incident, at which point the AAAA record becomes operationally unavoidable to address.
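The gap described above, an IPv6 address published in DNS while only the IPv4 path is covered by allowlists, segmentation and monitoring, can be caught before an incident by auditing the zone against the prefixes those controls actually enforce on. The following is an added example written for this page, not code from NHI Management Group or from any tool the page cites. It parses a constructed zone-file fragment (RFC 5737 and RFC 3849 documentation ranges) and compares every A and AAAA record against constructed IPv4 and IPv6 "controlled" prefixes; the hostnames, addresses and prefixes are assumptions for illustration, to be replaced by a real zone export and the organisation's own allowlists.

```python
"""Audit published A/AAAA records against the prefixes that network controls cover.

Added example, not code from the original page. All records and prefixes below are
constructed sample data; replace them with a zone export and your real allowlists.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone fragment in "name TTL class type rdata" form.
SAMPLE_ZONE = """\
; api is published on both families and both addresses sit inside controlled prefixes
api.example.test.    300 IN A    203.0.113.10
api.example.test.    300 IN AAAA 2001:db8:10::10
; auth is IPv4-allowlisted, but its AAAA record points outside the IPv6 prefix the firewall covers
auth.example.test.   300 IN A    203.0.113.20
auth.example.test.   300 IN AAAA 2001:db8:99::20
; legacy is still IPv4-only
legacy.example.test. 300 IN A    203.0.113.30
; v6only has no A record at all, so IPv4-only monitoring never sees it
v6only.example.test. 300 IN AAAA 2001:db8:10::40
"""

# Constructed sample: the prefixes that firewall, WAF and segmentation rules actually enforce on.
IPV4_CONTROLLED = ["203.0.113.0/24"]
IPV6_CONTROLLED = ["2001:db8:10::/48"]


def parse_zone(text):
    """Return {owner name: {"A": [addrs], "AAAA": [addrs]}} for A/AAAA lines in zone-file form."""
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        fields = line.split()
        if len(fields) < 5:                    # need name TTL class type rdata
            continue
        name, rtype, rdata = fields[0], fields[3].upper(), fields[4]
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            # An A record must carry IPv4 and an AAAA record IPv6; anything else is a zone bug.
            if (rtype == "AAAA") != (addr.version == 6):
                raise ValueError(f"{name}: {rtype} record with wrong address family {rdata}")
            records[name][rtype].append(addr)
    return records


def covered(addr, prefixes):
    """True if addr lies inside any prefix. ipaddress never places an IPv4 address in an IPv6 network."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def audit(records, v4_prefixes, v6_prefixes):
    """Return (name, finding, detail) tuples, sorted by name, describing dual-stack control gaps."""
    findings = []
    for name in sorted(records):
        a_addrs = records[name].get("A", [])
        aaaa_addrs = records[name].get("AAAA", [])
        for addr in a_addrs:
            if not covered(addr, v4_prefixes):
                findings.append((name, "a-outside-controls", str(addr)))
        for addr in aaaa_addrs:
            if not covered(addr, v6_prefixes):
                # The hidden reachability path: IPv6 clients will prefer this address,
                # yet no IPv6 control covers it.
                findings.append((name, "aaaa-outside-controls", str(addr)))
        if aaaa_addrs and not a_addrs:
            # Reachable only over IPv6, so any IPv4-only logging or allowlist is blind to it.
            findings.append((name, "ipv6-only", ", ".join(str(a) for a in aaaa_addrs)))
    return findings


def run_sample():
    """Audit the constructed sample zone against the constructed prefixes."""
    return audit(parse_zone(SAMPLE_ZONE), IPV4_CONTROLLED, IPV6_CONTROLLED)


if __name__ == "__main__":
    for name, finding, detail in run_sample():
        print(f"{finding:22} {name:22} {detail}")
```

On the sample data the audit reports auth.example.test. (AAAA outside the controlled IPv6 prefix) and v6only.example.test. (no IPv4 path at all), while api.example.test. and legacy.example.test. are clean. Run it against a zone transfer or provider export on every DNS change, and treat an "aaaa-outside-controls" finding as a blocker for the same reason an unreviewed firewall rule would be.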
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IR-01 (networks and environments protected from unauthorised logical access) | AAAA exposure affects who can reach a service endpoint over IPv6; the same access restrictions must apply to both address families. |
| NIST CSF 2.0 | DE.CM-01 (networks and network services monitored) | DNS changes alter the monitorable attack surface; network monitoring must cover the IPv6 path as well as IPv4. |
| OWASP Non-Human Identity Top 10 | Top 10 as a whole (no single entry is DNS-specific) | DNS-published endpoints shape NHI exposure and workload reachability. |
Review AAAA-published services for reachability over IPv6, confirm that allowlists, segmentation and logging cover the IPv6 address as well as the IPv4 one, and restrict access to intended identities only.