What is TLSA record?

The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain. This DNS record provides an additional layer of validation and verification for TLS connections, ensuring that users can authenticate the server they are connecting to.

TLSA records can only be trusted if DNSSEC is enabled on your domain.

TLSA record has the following components:

  • Port number: The port number that the TLS server listens on.
  • Protocol: The protocol used (UDP, TCP, SCTP).
  • Hostname: Hostname of the TLS server. In most cases, the TLSA record is applied for a specific hostname of the domain.

The TLSA Record has the following look in your ClouDNS Control Panel:

Host Type Points to: TTL
_port._protocol.host.domain.com TLSA 0 0 0 00000000000000000000000 1 Hour

Why do you need a TLSA record?

The usage of TLSA records is most commonly related to the DANE security protocol. Nowadays, when DNSSEC is no longer exotic, the new DANE (DNS-Based Authentication of Named Entities) comes in place. DANE gives you the option to make your DNS structure more secure. The TLSA resource record allows users to verify the certificate received from a website by querying for its information in DNS.

How to create a DNS TLSA record?

Go to your DNS zone management page and click on Add new record. For Type choose TLSA and type as follows:

  • Type: TLSA
  • TTL: 1 Hour
  • Host: _port._protocol e.g.: _100._tcp*
  • Usage: (From 0 to 3) It specifies the provided association that will be used to match the certificate presented in the TLS handshake
  • Selector: (From 0 to 1) It specifies which part of the TLS certificate presented by the server will be matched against the association data
  • Matching-Type: (From 0 to 2) It specifies how the certificate association is presented.
  • Points to: Hash value.

*This hostname is used as an example.

How to add a TLSA Record - Step by Step video:

How to check my TLSA record?

In Windows, the TLSA record type cannot be looked up easily because neither Nslookup nor Powershell's Resolve-DnsName has support for it. 

Nevertheless, you have the option to install WSL (Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like ClouDNS Free DNS tool to check your TLSA record.

If you are a Linux/macOS user, you can open the Terminal and check your TLSA record via DIG. Here is an example:

$ dig example.com TLSA

Then the information about TLSA records will appear.

How to start managing TLSA records for your domain name?

  1. Open free account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create new Master DNS from the [add new] button - read more here
  5. Add the TLSA records you need as it is described in this article

Support of TLSA records

ClouDNS provides full support for TLSA records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your TLSA records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.


Question: Can I use TLSA records if my domain's DNSSEC is disabled?

Answer: The certificate corresponds to the TLSA by DNSSEC technology. In case, your domain's DNSSEC is disabled, then the TLSA verification will fail.

Question: How often should TLSA records be updated?

Answer: TLSA records should be updated whenever there are changes to the TLS certificate. This includes certificate renewals, replacements, or changes to the hashing algorithms or matching types. You can keep an eye on your TLS certificate with SSL/TLS monitoring check.

Question: Do TLSA records replace traditional certificate validation methods? 

Answer: TLSA records do not replace traditional certificate validation methods but provide an additional layer of validation. They complement existing practices and strengthen the overall security of TLS connections.

Question: Can I use multiple TLSA records for a single domain?

Answer: Yes, multiple TLSA records can be used for a single domain. This allows for more flexibility in certificate validation, such as using different hash algorithms or multiple certificates for different purposes.

Last modified: 2024-02-08
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more