DNS TLSA Record Explained — DANE Certificate Pinning
Learn how TLSA records enable DANE certificate pinning, binding TLS certificates to domain names via DNS. Covers usage types, DANE for SMTP and HTTPS, DNSSEC requirements, and OpenSSL examples.
What you'll learn
- Understand what TLSA records are and how DANE replaces traditional CA trust
- Learn the four TLSA fields (usage, selector, matching type, certificate data) and their values
- Generate TLSA record data using OpenSSL and verify records with dig
- Deploy DANE for SMTP email security and HTTPS certificate pinning
When your browser connects to a website over HTTPS, it trusts the certificate because a Certificate Authority (CA) vouched for it. But what if a CA is compromised, coerced, or simply makes a mistake? A rogue CA could issue a valid certificate for your domain without your knowledge, enabling man-in-the-middle attacks.
TLSA records solve this problem by publishing certificate information directly in DNS. Combined with DNSSEC, they enable DANE (DNS-Based Authentication of Named Entities) — a protocol that lets domain owners specify exactly which certificates are valid for their services, bypassing the traditional CA trust model entirely.
How DANE Works
Traditional TLS verification relies on a chain of trust rooted in Certificate Authorities. DANE adds a second verification path through DNS:
- A client wants to connect to
example.comon port 443 - It queries DNS for a TLSA record at
_443._tcp.example.com - The TLSA record contains a hash of the expected certificate or public key
- The client compares the server's actual certificate against the TLSA data
- If they match (and the DNSSEC chain validates), the connection is trusted
Because TLSA records are protected by DNSSEC, an attacker cannot forge them without breaking the DNSSEC signature chain. This means the domain owner — not a third-party CA — controls which certificates are trusted.
Tip: DANE does not replace TLS itself. It replaces or supplements the CA-based trust model. The encrypted connection still uses standard TLS.
Anatomy of a TLSA Record
A TLSA record has a specific owner name format and four data fields:
_443._tcp.example.com. 3600 IN TLSA 3 1 1 a]b2c3d4e5f6...The owner name encodes the port and protocol: _port._protocol.hostname. The four numeric fields control how the certificate is matched.
Field 1: Certificate Usage (0-3)
This is the most important field. It determines the trust model:
| Value | Name | What It Means |
|---|---|---|
| 0 | PKIX-TA | The certificate must chain to the specified CA and pass normal CA validation |
| 1 | PKIX-EE | The end-entity certificate must match and pass normal CA validation |
| 2 | DANE-TA | The certificate must chain to the specified trust anchor — CA validation is not required |
| 3 | DANE-EE | The end-entity certificate must match exactly — CA validation is not required |
Usage 3 (DANE-EE) is the most widely deployed because it gives the domain owner complete control. You do not need to involve any CA. Usage 2 (DANE-TA) is useful when you operate your own internal CA.
Usages 0 and 1 supplement traditional CA validation rather than replacing it. They constrain which CA or certificate is acceptable but still require a valid CA chain.
Field 2: Selector (0-1)
Determines what part of the certificate is matched:
| Value | Name | Description |
|---|---|---|
| 0 | Cert | Match against the full DER-encoded certificate |
| 1 | SPKI | Match against the SubjectPublicKeyInfo (public key only) |
Selector 1 (SPKI) is recommended in most cases. If you reuse the same key pair when renewing a certificate, the TLSA record does not need to change. With selector 0, every certificate renewal requires a TLSA update.
Field 3: Matching Type (0-2)
Determines how the comparison is made:
| Value | Name | Description |
|---|---|---|
| 0 | Full | Exact binary match (no hashing) |
| 1 | SHA-256 | SHA-256 hash of the selected data |
| 2 | SHA-512 | SHA-512 hash of the selected data |
Matching type 1 (SHA-256) is the standard choice. It produces a compact, fixed-length hash that is efficient to store and compare.
Field 4: Certificate Association Data
The hex-encoded hash (or full certificate data if matching type is 0) that the client compares against the server's actual certificate.
Tip: The most common TLSA configuration is
3 1 1— DANE-EE, public key selector, SHA-256 hash. This combination is simple, robust, and survives certificate renewals when you reuse your key pair.
Generating TLSA Record Data with OpenSSL
You need to extract the appropriate hash from your certificate or server. The commands differ based on your selector and matching type choices.
Usage 3, Selector 1, Matching Type 1 (Recommended)
Hash the public key with SHA-256:
# From a certificate file
openssl x509 -in cert.pem -noout -pubkey | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | \
xxd -p -c 256Output example:
8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286dFrom a Live Server
# Extract TLSA data from a running server
echo | openssl s_client -connect example.com:443 2>/dev/null | \
openssl x509 -noout -pubkey | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | \
xxd -p -c 256Usage 3, Selector 0, Matching Type 1
Hash the full certificate with SHA-256:
openssl x509 -in cert.pem -outform DER | \
openssl dgst -sha256 -binary | \
xxd -p -c 256Usage 3, Selector 1, Matching Type 2
Hash the public key with SHA-512:
openssl x509 -in cert.pem -noout -pubkey | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha512 -binary | \
xxd -p -c 256Using ldns-dane
If you have ldns installed, you can generate the full TLSA record in one command:
ldns-dane create example.com 443 3 1 1DANE for SMTP (RFC 7672)
DANE for SMTP is where TLSA records have gained the most real-world traction. Traditional SMTP encryption is opportunistic — a mail server advertises STARTTLS support, but a man-in-the-middle can strip the STARTTLS offer and force plaintext delivery. DANE for SMTP solves this.
How It Works
- A sending mail server looks up the MX record for the recipient domain
- Before connecting, it queries the TLSA record for the MX hostname on port 25
- If a TLSA record exists and is DNSSEC-validated, the sender requires TLS with the specified certificate
- STARTTLS stripping attacks become impossible — the sender knows TLS is mandatory
SMTP TLSA Record Example
For a mail server at mail.example.com:
; MX record pointing to the mail server
example.com. 3600 IN MX 10 mail.example.com.
; TLSA record for SMTP on port 25
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
; Also cover submission ports if applicable
_587._tcp.mail.example.com. 3600 IN TLSA 3 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
_465._tcp.mail.example.com. 3600 IN TLSA 3 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286dTip: DANE for SMTP is already supported by major mail providers including Gmail (receiving side), Comcast, and many European ISPs. Publishing TLSA records for your mail server protects inbound email from interception.
Why DANE Is Gaining Traction for Email
Email is uniquely vulnerable because SMTP connections between servers are typically opportunistic TLS — encryption is attempted but not enforced. DANE changes this by making TLS mandatory when TLSA records are present. Combined with SPF, DKIM, and DMARC for sender authentication, DANE provides encryption enforcement that the email ecosystem has lacked for decades.
Several factors drive adoption:
- MTA-STS is an alternative to DANE but requires HTTPS infrastructure and has a trust-on-first-use weakness
- Dutch and German government mandates require DANE for government email systems
- Let's Encrypt makes certificates free, removing the cost barrier to deploying TLS on mail servers
- Postfix, Exim, and other major MTAs have built-in DANE support
DANE for HTTPS
While DANE was originally designed for all TLS services, browser adoption for HTTPS has been slow. Browsers have not implemented native DANE validation because it requires DNSSEC, which adds latency to page loads. However, DANE for HTTPS is valuable in contexts where:
- You operate internal services and control the client software
- You use a browser extension that performs DANE validation
- You want defense-in-depth alongside CAA records
HTTPS TLSA Record Example
_443._tcp.www.example.com. 3600 IN TLSA 3 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286dTip: Even if browsers do not validate TLSA records natively, publishing them signals that you take certificate security seriously and provides a verification path for automated monitoring tools.
The DNSSEC Requirement
TLSA records without DNSSEC provide zero security benefit. Here is why:
Without DNSSEC, an attacker performing a DNS spoofing attack can forge both the TLSA record and the server certificate. The client would see a matching pair and trust the connection. DNSSEC prevents this by cryptographically signing DNS responses, ensuring that TLSA data has not been tampered with.
Before deploying TLSA records:
- Sign your zone with DNSSEC — this is a prerequisite, not optional
- Verify the DNSSEC chain — use
dig +dnssecto confirm signatures are valid - Monitor DNSSEC validity — expired signatures will break DANE validation and cause connection failures
# Verify DNSSEC is working for your domain
dig +dnssec example.com SOA
# Check TLSA record has valid DNSSEC signatures
dig +dnssec TLSA _443._tcp.example.comIf the ad (Authenticated Data) flag appears in the response, the DNSSEC chain is valid.
Certificate Rollover with DANE
Certificate renewal is the most operationally sensitive aspect of DANE. If you update your certificate but forget to update the TLSA record, clients that validate DANE will refuse to connect.
Safe Rollover Process
- Generate the new certificate (or obtain it from your CA)
- Compute the TLSA hash for the new certificate
- Add the new TLSA record alongside the existing one
- Wait for DNS propagation — at least one full TTL period
- Deploy the new certificate on your server
- Remove the old TLSA record after another TTL period
; During rollover — both records exist simultaneously
_443._tcp.example.com. 3600 IN TLSA 3 1 1 oldcerthash...
_443._tcp.example.com. 3600 IN TLSA 3 1 1 newcerthash...Tip: Using selector 1 (SPKI) with key reuse eliminates the need for TLSA updates during routine certificate renewals. The public key stays the same even when the certificate changes. This is especially useful with Let's Encrypt certificates that renew every 90 days.
Querying TLSA Records with dig
# Query TLSA record for HTTPS
dig TLSA _443._tcp.example.com
# Query TLSA record for SMTP
dig TLSA _25._tcp.mail.example.com
# Short output
dig TLSA _443._tcp.example.com +short
# Returns: 3 1 1 8D02536C887482BC34FF54E41D2BA659...
# With DNSSEC validation
dig +dnssec TLSA _443._tcp.example.com
# Against a specific nameserver
dig TLSA _443._tcp.example.com @ns1.dnscale.eu
# Verify with ldns-dane
ldns-dane verify example.com 443Common Mistakes
-
Deploying TLSA without DNSSEC: The record exists but provides no security. An attacker can spoof both the certificate and the TLSA record. Always enable DNSSEC first.
-
Updating the certificate without updating TLSA: Clients that validate DANE see a mismatch and refuse to connect. Always add the new TLSA record before deploying a new certificate.
-
Using selector 0 with frequent renewals: If you hash the full certificate (selector 0), every renewal requires a TLSA update. Use selector 1 (SPKI) with key reuse to avoid this.
-
Wrong port or protocol in the owner name: A TLSA record at
_443._tcp.example.comdoes not protect_443._tcp.www.example.com. Each hostname and port combination needs its own TLSA record. -
Forgetting submission ports: If your mail server accepts connections on ports 25, 465, and 587, you need TLSA records for each port.
-
Ignoring TTL during rollover: If your TLSA TTL is 86400 seconds (24 hours), you must wait at least 24 hours after publishing the new TLSA record before deploying the new certificate. Cached old TLSA data will cause validation failures.
-
Not monitoring DNSSEC expiry: DNSSEC signatures have expiration dates. If your zone signatures expire, all DANE validation fails and services become unreachable for validating clients.
TLSA vs CAA: Complementary Security
CAA records and TLSA records serve different but complementary purposes:
| Feature | CAA | TLSA |
|---|---|---|
| Purpose | Controls which CAs can issue certificates | Specifies which certificates clients should trust |
| Enforcement | By CAs during issuance | By clients during connection |
| Requires DNSSEC | No | Yes |
| Protects against | Unauthorized certificate issuance | Man-in-the-middle attacks |
Use both for defense-in-depth: CAA prevents unauthorized issuance, and TLSA ensures clients only trust the correct certificate even if a rogue certificate is issued.
Related Record Types
- CAA Record — Controls which CAs can issue certificates for your domain
- MX Record — Mail server designation, used with DANE for SMTP
- SSHFP Record — Similar concept for SSH host key verification
- SPF, DKIM, DMARC — Email authentication that complements DANE encryption
- SSL/TLS Certificates — Understanding the certificates TLSA records pin
- DNSSEC — Required for TLSA records to provide security
- DNS Record Types — Overview of all DNS record types
- What is DNS — Fundamentals of the Domain Name System
Conclusion
TLSA records and DANE represent a fundamental shift in how TLS trust can work — moving authority from centralized Certificate Authorities to domain owners via DNS. While browser adoption remains limited, DANE for SMTP is already protecting email in transit across a growing portion of the internet. The combination of DNSSEC-signed zones and TLSA records provides cryptographic proof of which certificates are valid, eliminating entire classes of man-in-the-middle attacks. If you operate a mail server, deploying DANE with a 3 1 1 TLSA record on port 25 is one of the most impactful security improvements you can make today.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free