It's already perfectly possible to encode an X.509 certificate inside a DNS record - look at the CERT record type from RFC 4398.
The main reason it's not being done in anger much is because the transport mechanism isn't yet secure. This will change dramatically later this year when the root zone gets DNSSEC signed and as more and more TLDs support DNSSEC.
DNS query size (as mentioned elsewhere) is also a concern, although it's worth noting that the CERT RR also allows you to simply store the URL from which the real X.509 certificate can be downloaded. At this point there's something of a chicken and egg problem, though...
TXT records are free-form text records and can be used for things like describing hosts. They can also be used for application-specific goals, like DNSBL and SPF. Nowadays, they're widely used to accomplish both of these goals.
SRV records are service records; they are a kind of extension of MX records and are a little more complex than TXT records. While MX records are used to define which servers will handle the e-mail for a specific domain, giving different weights to different records, SRV records are used to provide things such as the protocol and the port. An SRV record has the following form:
_Service._Proto.Name TTL Class SRV Priority Weight Port Target
Service: the symbolic name of the desired service.
Proto: the transport protocol of the desired service; this is usually either TCP or UDP.
Name: the domain name for which this record is valid.
TTL: standard DNS time to live field.
Class: standard DNS class field (this is always IN).
Priority: the priority of the target host, lower value means more preferred.
Weight: A relative weight for records with the same priority.
Port: the TCP or UDP port on which the service is to be found.
Target: the canonical hostname of the machine providing the service.
One typical example of SRV record usage is the XMPP protocol. For instance, if you have a foobar.com domain, the A record would be used to define the servers where your web content is, and the SRV records would be used to define where your XMPP server is. Typically, they will be located at different addresses.
More info about SRV records here.
Best Answer
The certificate must match the hostname, i.e. the corresponding A record for the server. You could have individual klas1.example.com & klas2.example.com certificates or a shared wildcard *.example.com certificate, but example.com won't match. The SRV records don't need certificates as they are used only on the DNS level for service discovery.