
TLSA Record Security

The TLSA record enables DNS-based Authentication of Named Entities (DANE), which allows domain owners to specify which TLS certificates are valid for their services. This provides an alternative or complement to the traditional CA system, reducing reliance on certificate authorities.

What Is a TLSA Record?

TLSA records associate TLS certificates (or public keys) with domain names, allowing clients to verify that the certificate presented by a server is the one the domain owner intended. DANE-TLSA:

DNSSEC Required

TLSA records are only meaningful when the zone is signed with DNSSEC and the response validates. Without DNSSEC, an attacker who can spoof DNS responses could forge TLSA records and bypass the security benefits entirely.

TLSA Record Format

TLSA records are published under an owner name of the form _port._protocol.hostname (for example, _443._tcp.example.com for HTTPS on example.com).

Example TLSA Record

_443._tcp.example.com.    3600    IN    TLSA    3 1 1 a5f8b3c2d1e0...

This record pins the SHA-256 hash of the server's public key (the SubjectPublicKeyInfo) for HTTPS (port 443) on example.com.

TLSA Parameters

TLSA records have four fields after the record type:

| Parameter | Values | Description |
|---|---|---|
| Usage | 0, 1, 2, 3 | How the certificate data is used (see the table below) |
| Selector | 0, 1 | Which part of the certificate is matched: 0 = full certificate, 1 = SubjectPublicKeyInfo (public key) |
| Matching Type | 0, 1, 2 | How it is matched: 0 = exact, 1 = SHA-256, 2 = SHA-512 |
| Certificate Data | Hex string | The certificate, public key or hash to match |

Usage Field Values

| Value | Name | Description |
|---|---|---|
| 0 | PKIX-TA | CA constraint (must chain to the specified CA) |
| 1 | PKIX-EE | Service certificate constraint (must match + valid CA chain) |
| 2 | DANE-TA | Trust anchor assertion (pin a CA, no PKIX validation) |
| 3 | DANE-EE | Domain-issued certificate (pin the exact cert, no CA needed) |

Common TLSA Configurations

DANE-EE with SHA-256 of Public Key (Most Common)

_443._tcp.example.com.    TLSA    3 1 1 2bb9...hash...

Usage 3, Selector 1, Matching Type 1 = pin the SHA-256 hash of the certificate's public key.

DANE-TA (Pin a CA)

_443._tcp.example.com.    TLSA    2 0 1 a5f8...hash...

Pin the CA certificate: any certificate that chains to this CA is accepted, without validation against the client's own trust store.

Multiple TLSA Records (Key Rotation)

_443._tcp.example.com.    TLSA    3 1 1 current_key_hash...
_443._tcp.example.com.    TLSA    3 1 1 next_key_hash...

Publish the record for the next key alongside the current one before switching certificates; a client accepts the presented certificate as long as any one record matches, so the rotation causes no outage.

TLSA for Email (DANE-SMTP)

TLSA is commonly used for email server security. For an MX server at mail.example.com on port 25:

_25._tcp.mail.example.com.    TLSA    3 1 1 hash...

This lets sending mail servers verify that they are connecting to the legitimate mail server rather than to an interposed host.

Generating TLSA Records

You can generate TLSA records from your certificate:

# Full certificate (selector 0), SHA-256 (matching type 1);
# cut keeps only the hex digest, dropping sha256sum's trailing " -"
openssl x509 -in cert.pem -outform DER | sha256sum | cut -d' ' -f1

# Public key only (selector 1), SHA-256 (matching type 1)
openssl x509 -in cert.pem -noout -pubkey | \
  openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
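The openssl pipeline above shows one combination (selector 1, matching type 1). The script below is an added example, not code from the original page or from any DANE library: it implements the general rule for all selector and matching-type values, builds the _port._protocol.hostname owner name, parses presentation-format RDATA, and checks a presented certificate against a DANE-EE record set the way the key-rotation section describes (any one match is enough). It uses only the Python standard library with a minimal DER reader. The certificate it operates on is a constructed stand-in built inline (correct tbsCertificate field order, dummy contents, no real signature), so the script runs offline; substitute the DER bytes of a real certificate to compute production values.

```python
"""Build, encode and check DANE TLSA certificate association data.
Added example, not code from the original page; stdlib only. The certificate
below is a constructed stand-in so the script runs offline."""
import hashlib

def der_encode(tag, value):
    """Encode one DER TLV (tag, length, value)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def spki_from_certificate(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate (TLSA selector 1)."""
    _, cert_body, _ = der_read(cert_der)          # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body)               # tbsCertificate SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki_value = fields[5]
    return der_encode(tag, spki_value)

def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate association data as lowercase hex for a selector/matching type."""
    if selector == 0:
        data = cert_der                           # full certificate
    elif selector == 1:
        data = spki_from_certificate(cert_der)    # public key only
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching_type == 0:
        return data.hex()                         # exact match, no hash
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unsupported matching type {matching_type}")

def tlsa_owner_name(hostname, port, protocol="tcp"):
    """Owner name of the TLSA RRset: _port._protocol.hostname."""
    return f"_{port}._{protocol}.{hostname.rstrip('.')}."

def parse_tlsa_rdata(text):
    """Parse presentation-format RDATA '3 1 1 <hex>' (hex may be space-separated)."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), "".join(hexparts).lower()

def matches_dane_ee(cert_der, records):
    """True if the presented certificate matches any usage-3 (DANE-EE) record.
    One match suffices during key rotation. Usages 0-2 also need PKIX chain checks."""
    return any(
        usage == 3 and tlsa_association_data(cert_der, selector, mtype) == data
        for usage, selector, mtype, data in records
    )

# Constructed SubjectPublicKeyInfo: Ed25519 algorithm OID 1.3.101.112, dummy key bytes.
SAMPLE_SPKI = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, b"\x2b\x65\x70"))
    + der_encode(0x03, b"\x00" + bytes(range(32))))

def build_sample_certificate(spki_der):
    """Constructed stand-in certificate: real tbsCertificate field order, dummy contents."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))            # [0] v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    name = der_encode(0x30, b"")                                     # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z")
                          + der_encode(0x17, b"250101000000Z"))
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    signature = der_encode(0x03, b"\x00" * 33)                       # dummy signature
    return der_encode(0x30, tbs + sig_alg + signature)

SAMPLE_CERT = build_sample_certificate(SAMPLE_SPKI)

if __name__ == "__main__":
    owner = tlsa_owner_name("example.com", 443)
    current = f"3 1 1 {tlsa_association_data(SAMPLE_CERT, 1, 1)}"
    upcoming = "3 1 1 " + "00" * 32          # placeholder for the next key's hash
    print(owner, "TLSA", current)
    records = [parse_tlsa_rdata(current), parse_tlsa_rdata(upcoming)]
    print("presented certificate accepted:", matches_dane_ee(SAMPLE_CERT, records))
```

Selector 1 hashes the DER SubjectPublicKeyInfo rather than the whole certificate, which is why a "3 1 1" record survives a certificate renewal that keeps the same key pair; selector 0 records must be republished on every renewal.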

TLSA Best Practices

TLSA vs CAA

| Aspect | TLSA (DANE) | CAA |
|---|---|---|
| Purpose | Verify the presented certificate | Restrict who can issue certificates |
| Checked by | TLS clients (browsers, mail servers) | Certificate Authorities |
| Requires DNSSEC | Yes | No |
| Adoption | Growing (esp. email) | Mandatory for CAs |

Troubleshooting TLSA

Common issues and solutions:
