TLSA Record Security
The TLSA record enables DNS-based Authentication of Named Entities (DANE), which allows domain owners to specify which TLS certificates are valid for their services. This provides an alternative or complement to the traditional CA system, reducing reliance on certificate authorities.
What Is a TLSA Record?
TLSA records associate TLS certificates (or public keys) with domain names, allowing clients to verify that the certificate presented by a server is the one the domain owner intended. DANE-TLSA:
- Pins certificates — Specifies exactly which certificates are valid
- Bypasses CAs — Can validate certificates without CA trust
- Requires DNSSEC — Must be used with a DNSSEC-signed zone
- Protects against CA compromise — Attackers can't use fraudulent CA certs
DNSSEC Required
TLSA records are only meaningful when the answer is DNSSEC-validated: RFC 6698 requires clients to ignore TLSA data that is unsigned or fails validation. Without that rule, an attacker who can spoof DNS answers could publish a TLSA record for their own key and have a DANE client accept it. Before relying on a record, confirm that a validating resolver returns the AD flag for the TLSA name.
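How a DANE client should act on the result of the lookup, as an added example that is not part of the original page: the shell functions below classify a `dig +dnssec` response as secure, insecure, bogus or nodata and apply the sending-server policy from RFC 7672 to each state. The sample responses are constructed (the record data, signature and query ids are made up); the code assumes dig's standard output format and a DNSSEC-validating resolver that sets the AD flag only on validated answers.

```shell
#!/bin/sh
# Added example, not from the original page: decide whether a TLSA answer may be used.
# Assumes the standard output format of `dig +dnssec TLSA <name>` and a DNSSEC-validating
# resolver (ideally on localhost) that sets the AD flag only for validated answers.
set -eu

# Classify a dig response read from stdin: secure | insecure | bogus | nodata.
# Returns 0 only for "secure"; any other state means the TLSA data must not be trusted.
tlsa_lookup_state() {
  resp=$(cat)
  status=$(printf '%s\n' "$resp" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
  flags=$(printf '%s\n' "$resp" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
  # count TLSA answer lines, skipping ';' comment/question lines and RRSIG lines
  answers=$(printf '%s\n' "$resp" | grep -v '^;' \
            | grep -c '[[:space:]]IN[[:space:]][[:space:]]*TLSA[[:space:]]' || true)
  case $status in
    SERVFAIL) echo bogus; return 1 ;;   # validator rejected the signed data (or DNSSEC is broken)
    NOERROR) ;;
    *) echo nodata; return 1 ;;         # NXDOMAIN etc.: no TLSA published at this name
  esac
  [ "$answers" -gt 0 ] || { echo nodata; return 1; }
  case " $flags " in
    *" ad "*) echo secure ;;            # validated: the records are authentic
    *) echo insecure; return 1 ;;       # unsigned zone: records exist but prove nothing
  esac
}

# Sending-server behaviour for each state, following RFC 7672.
dane_smtp_policy() {
  case $1 in
    secure) echo "enforce DANE: require TLS and match the MX certificate against the TLSA records" ;;
    insecure|nodata) echo "no usable TLSA: fall back to opportunistic (unauthenticated) TLS" ;;
    bogus) echo "DNSSEC failure: defer delivery (temporary failure), never fall back" ;;
    *) echo "unknown state: $1" >&2; return 1 ;;
  esac
}

# Constructed sample responses (record data, signature and ids are made up) standing in for
#   dig +dnssec TLSA _25._tcp.mail.example.com @127.0.0.1
SECURE_RESP=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.mail.example.com.    IN  TLSA
;; ANSWER SECTION:
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
_25._tcp.mail.example.com. 3600 IN RRSIG TLSA 13 5 3600 20990101000000 20240101000000 12345 example.com. c29tZXNpZw==
EOF
)
# same answer from an unsigned zone: the resolver does not set AD
INSECURE_RESP=$(printf '%s\n' "$SECURE_RESP" | sed 's/^;; flags: qr rd ra ad;/;; flags: qr rd ra;/')
# signatures failed validation: a validating resolver answers SERVFAIL
BOGUS_RESP=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_25._tcp.mail.example.com.    IN  TLSA
EOF
)

for r in "$SECURE_RESP" "$INSECURE_RESP" "$BOGUS_RESP"; do
  state=$(printf '%s\n' "$r" | tlsa_lookup_state || true)
  printf '%-9s -> %s\n' "$state" "$(dane_smtp_policy "$state")"
done
```

The AD flag is only evidence of validation when it comes from a resolver you trust over a trusted path (typically a validator on the host itself); a stub resolver talking to an arbitrary upstream over plain UDP can have the flag set or stripped by anyone on the path.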
TLSA Record Format
TLSA records are published under an owner name of the form _port._protocol.hostname, where hostname is the name the client actually connects to (for mail, the MX host rather than the mail domain).
Example TLSA Record
_443._tcp.example.com. 3600 IN TLSA 3 1 1 a5f8b3c2d1e0...
This pins the SHA-256 hash of the public key for HTTPS (port 443) on example.com.
TLSA Parameters
TLSA records have four fields after the record type:
| Parameter | Values | Description |
|---|---|---|
| Usage | 0, 1, 2, 3 | How to use the certificate data |
| Selector | 0, 1 | What part of the certificate to match |
| Matching Type | 0, 1, 2 | How to match (exact, SHA-256, SHA-512) |
| Certificate Data | Hex string | The certificate or hash to match |
Usage Field Values
| Value | Name | Description |
|---|---|---|
| 0 | PKIX-TA | CA constraint: the chain must pass normal PKIX validation and must contain the specified CA certificate |
| 1 | PKIX-EE | Service certificate constraint: the end-entity certificate must match and the chain must pass normal PKIX validation |
| 2 | DANE-TA | Trust anchor assertion: the chain must lead to the pinned CA, which is used as the trust anchor instead of the client's own CA store |
| 3 | DANE-EE | Domain-issued certificate: the end-entity certificate or key must match; no CA and no chain validation needed |
Common TLSA Configurations
DANE-EE with SHA-256 of Public Key (Most Common)
_443._tcp.example.com. TLSA 3 1 1 2bb9...hash...
Usage 3, Selector 1, Matching Type 1 = pin the SHA-256 hash of the certificate's public key.
DANE-TA (Pin a CA)
_443._tcp.example.com. TLSA 2 0 1 a5f8...hash...
Pin the CA certificate: any certificate whose chain leads to this CA is accepted. The server should include the pinned CA certificate in the chain it sends, since a DANE client cannot assume it already has it.
Multiple TLSA Records (Key Rotation)
_443._tcp.example.com. TLSA 3 1 1 current_key_hash...
_443._tcp.example.com. TLSA 3 1 1 next_key_hash...
A client accepts the connection if any one record matches, so publish the record for the next key, wait at least the record TTL so cached answers include it, switch the server to the new key, and only then remove the old record.
TLSA for Email (DANE-SMTP)
The most widely deployed use of DANE is SMTP transport security (RFC 7672). The record is published under the MX hostname, not the mail domain. For an MX server at mail.example.com on port 25:
_25._tcp.mail.example.com. TLSA 3 1 1 hash...
A DANE-aware sending server that finds a validated TLSA record requires TLS for the session and verifies the MX host's certificate against the record, which defeats STARTTLS stripping and connections to an impostor MX host. Both the MX record in the mail domain and the TLSA record under the MX host's zone must be DNSSEC-signed for this to apply.
Generating TLSA Records
You can generate TLSA records from your certificate:
# For full certificate hash
openssl x509 -in cert.pem -outform DER | sha256sum
# For public key only (selector 1)
openssl x509 -in cert.pem -noout -pubkey | \
openssl pkey -pubin -outform DER | sha256sum
TLSA Best Practices
- Use DANE-EE (3 1 1) — Most flexible; pins your key without CA dependency.
- Pin the public key, not the certificate — Survives certificate renewal.
- Plan for rotation — Add new TLSA records before changing certificates.
- Ensure DNSSEC is working — TLSA is useless without valid DNSSEC.
- Monitor key changes — with 3 1 1, a renewal that keeps the same key needs no DNS change, but a new key needs its record published ahead of the switch; watch for automated renewals that silently generate a fresh key.
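The generation commands above extended into a small script, added here and not taken from the original page: it derives the certificate-association data for any selector and matching type, emits the record in zone-file form, checks a certificate against a record's data, and uses a throwaway key with two self-signed certificates to show why pinning the public key (selector 1) survives renewal while pinning the certificate (selector 0) does not. It assumes openssl and coreutils (sha256sum, sha512sum, od) are installed; example.com, mail.example.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: generate and verify TLSA data with openssl.
# Assumptions: openssl and coreutils (sha256sum, sha512sum, od) are installed;
# example.com and the file names are placeholders.
set -eu

# DER bytes of the part of the certificate the selector refers to:
#   0 = full certificate, 1 = SubjectPublicKeyInfo (the public key)
selected_der() {
  case $2 in
    0) openssl x509 -in "$1" -outform DER ;;
    1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    *) echo "unknown selector: $2" >&2; return 1 ;;
  esac
}

# Certificate-association data (lower-case hex) for cert, selector, matching type:
#   matching 0 = full DER, 1 = SHA-256, 2 = SHA-512
tlsa_data() {
  case $3 in
    0) selected_der "$1" "$2" | od -An -v -tx1 | tr -d ' \n' ;;
    1) selected_der "$1" "$2" | sha256sum | cut -d' ' -f1 ;;
    2) selected_der "$1" "$2" | sha512sum | cut -d' ' -f1 ;;
    *) echo "unknown matching type: $3" >&2; return 1 ;;
  esac
}

# Zone-file form of the record.  Arguments: host port usage selector mtype cert
tlsa_record() {
  printf '_%s._tcp.%s. IN TLSA %s %s %s %s\n' \
    "$2" "$1" "$3" "$4" "$5" "$(tlsa_data "$6" "$4" "$5")"
}

# Does cert satisfy the record's association data?  Arguments: usage selector mtype data cert
# This is only the data comparison: usage 0 and 1 additionally need a PKIX chain
# check, and for usage 2 the data is compared against the issuing CA certificate.
tlsa_matches() {
  want=$(printf '%s' "$4" | tr 'A-F' 'a-f')
  [ "$want" = "$(tlsa_data "$5" "$2" "$3")" ]
}

# One P-256 key and two self-signed certificates for it (a renewal that keeps the key).
# Prints the directory holding key.pem, cert1.pem and cert2.pem.  Constructed test material.
make_test_certs() {
  d=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key.pem" 2>/dev/null
  openssl req -new -x509 -key "$d/key.pem" -subj /CN=example.com -days 30 -out "$d/cert1.pem" 2>/dev/null
  openssl req -new -x509 -key "$d/key.pem" -subj /CN=example.com -days 60 -out "$d/cert2.pem" 2>/dev/null
  echo "$d"
}

demo() {
  d=$(make_test_certs)
  echo "# 3 1 1 (key pin): identical before and after renewal"
  tlsa_record example.com 443 3 1 1 "$d/cert1.pem"
  tlsa_record example.com 443 3 1 1 "$d/cert2.pem"
  echo "# 3 0 1 (certificate pin): changes on renewal"
  tlsa_record example.com 443 3 0 1 "$d/cert1.pem"
  tlsa_record example.com 443 3 0 1 "$d/cert2.pem"
  old=$(tlsa_data "$d/cert1.pem" 0 1)
  if tlsa_matches 3 0 1 "$old" "$d/cert2.pem"; then
    echo "# unexpected: renewed certificate still matches the old 3 0 1 record"
  else
    echo "# renewed certificate no longer matches the old 3 0 1 record: DANE clients would reject it"
  fi
  rm -rf "$d"
}

demo
```

Run the script with no arguments to see the two record sets; to check a live certificate, feed the record's four rdata fields and the PEM file to tlsa_matches and act on its exit status.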
TLSA vs CAA
| Aspect | TLSA (DANE) | CAA |
|---|---|---|
| Purpose | Verify presented certificate | Restrict who can issue certificates |
| Checked by | DANE-aware TLS clients, in practice mainly SMTP servers (mainstream browsers do not check TLSA) | Certificate Authorities at issuance time |
| Requires DNSSEC | Yes | No |
| Adoption | Growing (esp. email) | Mandatory for CAs |
Troubleshooting TLSA
Common issues and solutions:
- TLSA validation failing — Verify the hash matches your current certificate.
- DNSSEC errors — TLSA requires valid DNSSEC; check your chain.
- Certificate changed — Update TLSA record to match new certificate.
- Wrong port/protocol — Ensure the _port._tcp prefix matches your service.
Related Record Types
- CAA Record — Certificate authority authorization
- DNSKEY Record — DNSSEC zone signing
- DS Record — DNSSEC delegation
- SSHFP Record — SSH key fingerprints