
    What Is a TLSA Record

    Learn how TLSA records enable DANE for certificate authentication, providing an alternative to traditional CA validation. Includes examples for the DNScale dashboard and API.

    A TLSA (Transport Layer Security Authentication) record, defined in RFC 6698, associates a TLS server certificate or public key with a domain name, enabling DANE (DNS-based Authentication of Named Entities). TLSA records provide an alternative or supplement to traditional Certificate Authority validation: the client learns from DNSSEC-signed DNS, rather than from a CA, which certificate or key the server is expected to present.

    How TLSA Records Work

    TLSA records specify what certificate or key a client should expect when connecting via TLS:

    _443._tcp.example.com.    3600    TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    This tells clients: when connecting to example.com on port 443 over TCP, accept the server if the SHA-256 hash (matching type 1) of its certificate's public key (selector 1, the SubjectPublicKeyInfo) equals this value, without requiring a CA-issued chain (usage 3).

    Record Components

    Component          Field                    Description
    Name               _port._protocol.domain   _443._tcp.example.com
    Usage              Certificate usage type   0, 1, 2, or 3
    Selector           What to match            0 (full cert) or 1 (public key)
    Matching Type      Hash algorithm           0 (exact), 1 (SHA-256), 2 (SHA-512)
    Certificate Data   Hash or certificate      Hex-encoded data

    Usage Values

    Value  Name     Description
    0      PKIX-TA  Certificate chain must include the specified CA certificate and pass normal PKIX (CA) validation
    1      PKIX-EE  End-entity certificate (or key) must match and the chain must pass PKIX validation
    2      DANE-TA  Certificate chain must lead to the specified trust anchor; no PKIX CA validation
    3      DANE-EE  End-entity certificate (or key) must match the record directly; no PKIX CA validation

    Selector Values

    Value  Name   Description
    0      Cert   Match the full certificate
    1      SPKI   Match the SubjectPublicKeyInfo (public key only)

    Matching Type Values

    Value  Name     Description
    0      Full     Exact match (full data, not a hash)
    1      SHA-256  SHA-256 hash of the selected data
    2      SHA-512  SHA-512 hash of the selected data
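The three numeric fields and the hex data above have fixed meanings and, for the hashed matching types, a fixed data length, which makes a record easy to sanity-check before it is published. The following is an added example (not DNScale's code) that parses the presentation format, rejects malformed or wrong-length data, builds the `_port._proto.host.` owner name, and encodes the wire format from RFC 6698 section 2.1; the `usable_for_smtp` check reflects RFC 7672's restriction to usages 2 and 3 for mail. Function names are this example's own.

```python
"""Parse, validate and encode TLSA records (RFC 6698).

Added example for this page, not DNScale code; standard library only.
"""
import re
import struct

# Field values from RFC 6698 section 2.1 (the tables on this page).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA-256", 2: "SHA-512"}
# Association data length in bytes for the hashed matching types.
DIGEST_LEN = {1: 32, 2: 64}


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Build the owner name _port._proto.host. for a TLS endpoint."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unsupported transport protocol: {proto}")
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_rdata(rdata: str) -> dict:
    """Parse presentation format such as '3 1 1 e3b0c4...' into checked fields.

    The hex data may be split into whitespace-separated chunks, as dig and
    many zone files print long values; the chunks are joined before decoding.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        raise ValueError("usage, selector and matching type must be integers") from None
    hexdata = "".join(parts[3:]).lower()
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    if mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {mtype}")
    if not re.fullmatch(r"[0-9a-f]+", hexdata) or len(hexdata) % 2:
        raise ValueError("association data must be an even-length hex string")
    data = bytes.fromhex(hexdata)
    # A digest of the wrong length can never match anything: reject it before
    # it is published rather than discovering the typo as a TLS failure.
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(f"{MATCHING_TYPES[mtype]} data must be {DIGEST_LEN[mtype]} "
                         f"bytes, got {len(data)}")
    return {"usage": usage, "selector": selector, "matching_type": mtype, "data": data}


def check_tlsa_rdata(rdata: str) -> str:
    """Return an empty string if rdata is publishable, else the reason it is not."""
    try:
        parse_tlsa_rdata(rdata)
    except ValueError as exc:
        return str(exc)
    return ""


def usable_for_smtp(fields: dict) -> bool:
    """RFC 7672 uses only DANE-TA(2) and DANE-EE(3) for SMTP; records with
    usage 0 or 1 are not used by DANE-aware mail servers."""
    return fields["usage"] in (2, 3)


def tlsa_wire_format(fields: dict) -> bytes:
    """Encode RDATA as carried in DNS (RFC 6698 section 2.1): three one-octet
    fields followed by the raw certificate association data."""
    header = struct.pack("!BBB", fields["usage"], fields["selector"], fields["matching_type"])
    return header + fields["data"]


def describe(fields: dict) -> str:
    """Human-readable summary, e.g. 'DANE-EE / SPKI / SHA-256'."""
    return (f"{USAGES[fields['usage']]} / {SELECTORS[fields['selector']]} / "
            f"{MATCHING_TYPES[fields['matching_type']]}")


if __name__ == "__main__":
    # The record from this page, with the hash split the way dig prints it.
    rr = parse_tlsa_rdata("3 1 1 e3b0c44298fc1c149afbf4c8996fb924 "
                          "27ae41e4649b934ca495991b7852b855")
    print(tlsa_owner_name(443, "tcp", "example.com"), describe(rr))
    print(tlsa_wire_format(rr).hex())
    print(check_tlsa_rdata("3 1 1 abc123") or "ok")
```

Running it with the page's own placeholder `abc123...` values (minus the dots) shows why they cannot be published as-is: a SHA-256 record must carry exactly 32 bytes of hex, and a validator given anything else simply never matches.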

    Common Use Cases

    Web Server (HTTPS)

    Validating a self-signed (or any other) certificate through DNS instead of a CA:

    _443._tcp.example.com.    3600    TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    Usage 3 + Selector 1 + SHA-256 ("3 1 1") is the most common configuration. Note that mainstream web browsers do not check TLSA records, so DANE for HTTPS only protects clients that implement it themselves; the most widely deployed use of DANE is SMTP.

    Mail Server (SMTP)

    Secure email delivery with DANE (RFC 7672). A sending MTA that supports DANE looks up _25._tcp.<MX hostname> for each MX target, so the records must be published under the exact hostname that appears in the MX record, and that hostname's zone must be DNSSEC-signed. RFC 7672 uses only certificate usages 2 and 3 for SMTP; usage 3 with selector 1 is the usual choice:

    _25._tcp.mail.example.com.      3600    TLSA    3 1 1 abc123...

    Ports 465 and 587 are client submission ports rather than MX delivery; records for them only help mail clients that implement DANE themselves:

    _465._tcp.mail.example.com.     3600    TLSA    3 1 1 abc123...
    _587._tcp.mail.example.com.     3600    TLSA    3 1 1 abc123...

    XMPP Server

    _5222._tcp.xmpp.example.com.    3600    TLSA    3 1 1 def456...
    _5269._tcp.xmpp.example.com.    3600    TLSA    3 1 1 def456...

    Multiple Certificates (Rollover)

    During certificate renewal:

    _443._tcp.example.com.    3600    TLSA    3 1 1 oldcerthash...
    _443._tcp.example.com.    3600    TLSA    3 1 1 newcerthash...

    Record Format

    Field              Description              Example
    Name               _port._protocol.domain   _443._tcp.example.com
    Type               Record type              TLSA
    Usage              Certificate usage        3
    Selector           Data to match            1
    Matching Type      Hash type                1
    Certificate Data   Hash (hex)               e3b0c44...
    TTL                Time to live (seconds)   3600

    Generating TLSA Data

    Using OpenSSL

    Get SHA-256 hash of public key (selector=1, matching=1):

    # From certificate file
    openssl x509 -in cert.pem -noout -pubkey | \
      openssl pkey -pubin -outform DER | \
      openssl dgst -sha256 -binary | \
      xxd -p -c 256
     
    # From live server (-servername sends SNI so a multi-site host returns the right certificate)
    echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
      openssl x509 -noout -pubkey | \
      openssl pkey -pubin -outform DER | \
      openssl dgst -sha256 -binary | \
      xxd -p -c 256

    Get SHA-256 hash of full certificate (selector=0, matching=1):

    openssl x509 -in cert.pem -outform DER | \
      openssl dgst -sha256 -binary | \
      xxd -p -c 256

    Using ldns-dane

    ldns-dane create example.com 443 3 1 1

    Adding a TLSA Record

    Using the Dashboard

    1. Navigate to your zone in the DNScale dashboard
    2. Click Add Record
    3. Configure the record:
      • Name: Enter _443._tcp (or appropriate port/protocol)
      • Type: Select TLSA
      • Usage: Select the certificate usage (0-3)
      • Selector: Choose Full cert (0) or Public key (1)
      • Matching Type: Choose SHA-256 (1) or SHA-512 (2)
      • Certificate Data: Enter the hex-encoded hash
      • TTL: Set the cache duration (default: 3600)
    4. Click Create Record

    Using the API

    Create a TLSA record:

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer YOUR_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "_443._tcp",
        "type": "TLSA",
        "content": "3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "ttl": 3600
      }'

    Create TLSA for mail server:

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer YOUR_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "_25._tcp.mail",
        "type": "TLSA",
        "content": "3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "ttl": 3600
      }'

    API Response:

    {
      "status": "success",
      "data": {
        "message": "Record created successfully",
        "record": {
          "id": "encoded-record-id",
          "name": "_443._tcp.example.com.",
          "type": "TLSA",
          "content": "3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
          "ttl": 3600,
          "disabled": false
        }
      }
    }

    DANE Requirements

    For DANE to work, your zone must:

    1. Be DNSSEC-signed - TLSA records without DNSSEC provide no security benefit
    2. Have correct TLSA records - Hash must match the actual certificate/key
    3. Update records during certificate rotation - Add new hash before deploying new certificate

    Certificate Rollover Process

    1. Generate the new certificate (or key)
    2. Add a TLSA record for the new hash alongside the old one
    3. Wait at least the TLSA TTL, so that no resolver cache still holds an RRset containing only the old hash
    4. Deploy the new certificate on the server
    5. Remove the old TLSA record once the old certificate is no longer served

    # Step 2: Add new hash while keeping old
    _443._tcp.example.com.    3600    TLSA    3 1 1 oldhash...
    _443._tcp.example.com.    3600    TLSA    3 1 1 newhash...

    # Step 5: Remove old hash
    _443._tcp.example.com.    3600    TLSA    3 1 1 newhash...

    If the record uses selector 1 (SPKI) and the renewal reuses the existing key pair, the hash does not change and no TLSA update is needed. The process above applies whenever the key changes, and on every renewal when selector 0 is used, since the full certificate changes each time.
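The openssl pipelines in "Generating TLSA Data" and the rollover sequence above both come down to one computation: take the whole DER certificate (selector 0) or just its SubjectPublicKeyInfo (selector 1), hash it as the matching type says, and compare against every record in the RRset. The following is an added example, not DNScale, OpenSSL or ldns code, that implements that computation with a minimal DER walker and then checks a served certificate against a usage-3 RRset at each rollover stage. The two certificates are constructed fixtures built by the example itself (correct X.509 layout, placeholder key bytes, zero signature), so it runs offline; `rollover_demo` and the other function names are this example's own.

```python
"""TLSA association data from a DER certificate, and a DANE-EE check of a served
certificate against a TLSA RRset. Added example for this page (not DNScale,
OpenSSL or ldns code); standard library only; the certificates are CONSTRUCTED
fixtures with a zero signature, realistic in layout only."""
import hashlib


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    """Split a SEQUENCE body into its (tag, raw TLV bytes) members."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, _, pos = _der_read(content, pos)
        out.append((tag, content[start:pos]))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, the bytes selector 1 covers.
    Certificate = SEQ { tbsCertificate, sigAlg, signature }; tbsCertificate =
    SEQ { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ... }."""
    tag, cert, _ = _der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    fields = _children(_der_read(_children(cert)[0][1])[1])
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certificates)
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return spki_raw


def tlsa_association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Selector 0 = whole certificate, 1 = SPKI; matching type 0 = raw data,
    1 = SHA-256, 2 = SHA-512. This is what the openssl pipelines above compute."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    if mtype not in digest:
        raise ValueError(f"unknown matching type {mtype}")
    return digest[mtype](selected)


def dane_ee_matches(rrset, cert_der: bytes) -> bool:
    """True if any usage-3 record in rrset (a list of (usage, selector,
    matching_type, data) tuples, i.e. the whole DNSSEC-validated RRset) matches
    the served certificate. Usages 0-2 need chain building and are skipped."""
    return any(usage == 3 and tlsa_association_data(cert_der, sel, mt) == data
               for usage, sel, mt, data in rrset)


def make_test_cert(point: bytes) -> bytes:
    """CONSTRUCTED fixture: X.509 v3 layout around a P-256 SPKI whose key bytes
    are `point` (not a real curve point), with an all-zero signature."""
    ec_pubkey = bytes.fromhex("06072a8648ce3d0201")        # OID id-ecPublicKey
    p256 = bytes.fromhex("06082a8648ce3d030107")           # OID prime256v1
    ecdsa_sha256 = bytes.fromhex("06082a8648ce3d040302")   # OID ecdsa-with-SHA256
    spki = _der(0x30, _der(0x30, ec_pubkey + p256) + _der(0x03, b"\x00" + point))
    cn = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"example.com"))  # CN=example.com
    name = _der(0x30, _der(0x31, cn))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, ecdsa_sha256) + name + validity + name + spki)
    return _der(0x30, tbs + _der(0x30, ecdsa_sha256) + _der(0x03, b"\x00" * 65))


# Fixtures for the two keys involved in a rollover (constructed, see above).
OLD_CERT = make_test_cert(b"\x04" + bytes(range(1, 65)))
NEW_CERT = make_test_cert(b"\x04" + bytes(range(65, 129)))


def rollover_demo() -> dict:
    """Verification outcome at each rollover stage, using 3 1 1 records."""
    old_rr = (3, 1, 1, tlsa_association_data(OLD_CERT, 1, 1))
    new_rr = (3, 1, 1, tlsa_association_data(NEW_CERT, 1, 1))
    return {
        "new cert, only old record cached": dane_ee_matches([old_rr], NEW_CERT),
        "new cert, both records published": dane_ee_matches([old_rr, new_rr], NEW_CERT),
        "old cert, both records published": dane_ee_matches([old_rr, new_rr], OLD_CERT),
        "new cert, old record removed": dane_ee_matches([new_rr], NEW_CERT),
    }
```

The first entry of `rollover_demo()` is the outage case: a client whose resolver still caches only the old record rejects the new certificate, which is why step 3 waits out the TTL before step 4. Against a real certificate, `tlsa_association_data(cert_der, 1, 1).hex()` gives the same string as the `openssl ... | xxd -p` pipeline above; `extract_spki` assumes a well-formed DER certificate and does no bounds checking beyond what slicing provides.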

    Best Practices

    1. Use DANE-EE (usage 3) - Simplest and most commonly deployed. With usage 3 a validator checks only that the served certificate or key matches the record; per RFC 7671 it need not check the certificate's name or expiry date, so the TLSA record is the entire basis of trust and must be kept accurate

    2. Use selector 1 (SPKI) - Survives certificate renewal if key is reused

    3. Use SHA-256 (matching type 1) - Standard and widely supported

    4. Publish before deployment - Add TLSA records before deploying new certificates

    5. Enable DNSSEC first - TLSA without DNSSEC is insecure

    6. Keep multiple records during rollover - Prevent service interruption

    Testing TLSA Records

    # Query the TLSA record; +dnssec requests the signatures, and the "ad" flag in the
    # answer shows that the resolver validated them (DANE clients ignore unvalidated records)
    dig +dnssec TLSA _443._tcp.example.com
     
    # Verify with ldns (connects to the server and checks its certificate against the published records)
    ldns-dane verify example.com 443
     
    # Online tools
    # - https://dane.sys4.de/
    # - https://internet.nl/

    Related Records

    • CAA - Certificate authority authorization
    • TXT - Domain verification
    • SSHFP - SSH fingerprints (similar concept)

    Conclusion

    TLSA records enable DANE, providing DNS-based certificate validation that can supplement or replace traditional CA verification. When combined with DNSSEC, TLSA records offer strong protection against man-in-the-middle attacks. DNScale's intuitive interface makes configuring TLSA records straightforward, with dedicated fields for usage, selector, and matching type parameters.