The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain.
TLSA records can only be trusted if DNSSEC is enabled on your domain.
A TLSA record has the following components: Certificate Usage, Selector, Matching Type and Certificate Association Data (the three numeric fields followed by the hash in the record below).
A TLSA record looks like this in your DNS zone management page:
| Host | Type | Points to | TTL |
| _port._protocol.host.domain.com | TLSA | 0 0 0 00000000000000000000000 | 1 Hour |
TLSA records are most commonly used with the DANE security protocol. Now that DNSSEC is no longer exotic, DANE (DNS-Based Authentication of Named Entities) builds on it and gives you the option to make your DNS structure more secure. The TLSA resource record allows users to verify the certificate received from a website by querying for its information in DNS.
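As an added illustration (not code from the ClouDNS page), the following Python script builds the TLSA association data for a certificate and checks a presented certificate against a record, following the RFC 6698 field meanings: Selector 0 hashes the full certificate, Selector 1 only its SubjectPublicKeyInfo, and Matching Type 0/1/2 is exact/SHA-256/SHA-512. The certificate used as input is a constructed, unsigned skeleton built inline; a real DER certificate (for example from `ssl.PEM_cert_to_DER_cert`) can be passed to the same functions.

```python
import hashlib
SEQ, INT, BITSTR, NULL, OID, UTCTIME, EXPLICIT0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0

def der(tag, body):
    """Encode one DER TLV with a canonical (shortest-form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_split(buf):
    """Return (tag, value, rest) for the first TLV in buf."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:                            # long-form length: n & 0x7F more bytes follow
        n, i = int.from_bytes(buf[2:2 + (n & 0x7F)], "big"), 2 + (n & 0x7F)
    return tag, buf[i:i + n], buf[i + n:]

def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, cert, _ = der_split(cert_der)
    _, tbs, _ = der_split(cert)             # first child is tbsCertificate
    fields = []
    while tbs:
        tag, val, tbs = der_split(tbs)
        fields.append((tag, val))
    if fields[0][0] == EXPLICIT0:           # drop the optional [0] version
        fields = fields[1:]
    return der(*fields[5])                  # serial, signature, issuer, validity, subject, SPKI

DIGEST = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(), 2: lambda d: hashlib.sha512(d).digest()}
def tlsa_rdata(cert_der, usage, selector, mtype):
    """Build the four TLSA fields for a DER certificate; association data as hex."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return (usage, selector, mtype, DIGEST[mtype](data).hex())

def tlsa_matches(rdata, cert_der):
    """True if the presented certificate satisfies the (DNSSEC-validated) record."""
    usage, selector, mtype, assoc = rdata
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == assoc.lower()

def sample_cert(pubkey_bits):
    """Constructed sample: a structurally valid but unsigned certificate skeleton."""
    alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    name, validity = der(SEQ, b""), der(SEQ, der(UTCTIME, b"240101000000Z") * 2)
    spki = der(SEQ, alg + der(BITSTR, b"\x00" + pubkey_bits))
    tbs = der(SEQ, der(EXPLICIT0, der(INT, b"\x02")) + der(INT, b"\x01")
              + alg + name + validity + name + spki)
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" * 9)), spki

CERT_DER, CERT_SPKI = sample_cert(b"\x01\x02\x03\x04")   # constructed input, not a real key
```

`tlsa_rdata(CERT_DER, 3, 1, 1)` yields the fields you would paste into the "Points to" column; the check in `tlsa_matches` is only meaningful when the record itself was obtained over DNSSEC, as the page notes.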
Go to your DNS zone management page and click on Add new record. For Type, choose TLSA and fill in the fields as follows:
*This hostname is used as an example.
ClouDNS provides full support for TLSA records for all our DNS services, including those listed below. Just write to our technical support if you need any assistance with your TLSA record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: Can I use TLSA records if my domain's DNSSEC is disabled?
Answer: The certificate is bound to the TLSA record through DNSSEC. If your domain's DNSSEC is disabled, the TLSA verification will fail.