What is a TLSA record?

The TLS Authentication record (TLSA) associates a TLS server certificate or public key with the domain name at which the record is found. With a TLSA record, you publish in the DNS of your domain either the full certificate (or its public key) or, far more commonly, a SHA-256 or SHA-512 hash of it, so that a client can check the certificate a server presents against what the domain owner published.

TLSA records can only be trusted if DNSSEC is enabled on your domain: a DANE-aware client uses a TLSA record only when the DNS answer carrying it has been validated with DNSSEC, and ignores it otherwise.

The owner name of a TLSA record is built from the following components:

  • Port number: The port number that the TLS server listens on (for example 443 for HTTPS, 25 for SMTP).
  • Protocol: The transport protocol used (tcp, udp or sctp).
  • Hostname: The hostname of the TLS server, exactly as clients connect to it. In most cases the TLSA record is published for a specific hostname of the domain, so the full owner name has the form _port._protocol.hostname.

The TLSA record looks like this on your DNS zone management page (the three numbers in front of the data are the usage, selector and matching type, explained below):

Host                              Type   Points to                           TTL
_port._protocol.host.domain.com   TLSA   0 0 0 00000000000000000000000       1 Hour

Why do you need a TLSA record?

TLSA records are used by DANE (DNS-Based Authentication of Named Entities, RFC 6698). Now that DNSSEC is no longer exotic, DANE builds on it: the domain owner publishes in DNS which certificate or public key a TLS server is expected to present, and a DANE-aware client verifies the certificate it receives in the TLS handshake by querying for the TLSA record. Because the record is protected by DNSSEC, the client no longer has to rely solely on the list of public certificate authorities; it can detect a certificate issued by an unexpected CA, or pin a self-signed certificate. In practice the most widespread use of DANE is for SMTP (mail servers on port 25), where it also prevents a man-in-the-middle from downgrading the connection to plaintext.

How to create a DNS TLSA record?

Go to your DNS zone management page and click on Add new record. For Type choose TLSA and fill in the fields as follows:

  • Type: TLSA
  • TTL: 1 Hour
  • Host: _port._protocol followed by the hostname, e.g.: _100._tcp* (for a mail server at mail.domain.com this would be _25._tcp.mail, for a web server at www.domain.com it would be _443._tcp.www)
  • Usage: (From 0 to 3) It specifies how the published association is matched against the certificate chain presented in the TLS handshake: 0 = PKIX-TA (a CA certificate that must also pass normal CA validation), 1 = PKIX-EE (the server certificate, which must also pass normal CA validation), 2 = DANE-TA (a trust anchor that the client accepts without the public CA system), 3 = DANE-EE (the server certificate itself, accepted without the public CA system).
  • Selector: (From 0 to 1) It specifies which part of the certificate is matched against the association data: 0 = the full certificate, 1 = only the SubjectPublicKeyInfo (the public key).
  • Matching-Type: (From 0 to 2) It specifies how the certificate association data is presented: 0 = the exact full content, 1 = SHA-256 hash, 2 = SHA-512 hash.
  • Points to: The certificate association data, written in hexadecimal: the hash of the selected part of the certificate (matching types 1 and 2) or the selected part itself (matching type 0).

*This hostname is used as an example.

The most common choice is "3 1 1" (DANE-EE, public key, SHA-256): such a record keeps working across certificate renewals as long as the key pair is reused. If you change the key, publish a TLSA record for the new key before switching the certificate and keep the old record until the old TTL has expired, otherwise DANE-aware clients will refuse to connect during the change.
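As an added worked example, not code from this article or from ClouDNS, the following Python script derives the "Points to" data for every selector and matching type described above from a certificate, prints the resulting zone line, and performs the client-side comparison that DANE relies on (the verification step described under "Why do you need a TLSA record?"). It uses only the standard library. The certificate it operates on is constructed inside the script (an unsigned stand-in for a real mail.example.com certificate, with the right DER structure but a zero signature); the hostname mail.example.com, port 25 and the "3 1 1" parameter choice are illustrative assumptions.

```python
import hashlib

# --- minimal DER reader (enough for X.509, which does not use multi-byte tags) ---

def _read_tlv(buf, pos):
    """Read the DER element at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1 input)."""
    tag, s, _ = _read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    tbs_tag, tbs_s, tbs_e = _read_tlv(cert_der, s)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = list(_children(cert_der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- TLSA record generation (RFC 6698 selector / matching type semantics) ---

def tlsa_rdata(cert_der, selector, matching_type):
    """Certificate association data (hex) for the given selector and matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if matching_type == 0:
        return data.hex()                               # exact content, no hashing
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("matching type must be 0, 1 or 2")

def tlsa_presentation(host, port, proto, usage, selector, matching_type, cert_der):
    """Zone-file line: _port._proto.host. IN TLSA usage selector matching_type data"""
    rdata = tlsa_rdata(cert_der, selector, matching_type)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching_type} {rdata}"

# --- client side: compare a published record with the certificate seen in the handshake ---

def parse_tlsa(text):
    """Parse 'usage selector mtype hex...' (zone files may split the hex with whitespace)."""
    usage, selector, mtype, *data = text.split()
    return int(usage), int(selector), int(mtype), "".join(data)

def tlsa_matches(record, leaf_cert_der):
    """End-entity check for usage 1 (PKIX-EE) and 3 (DANE-EE).
    Usages 0 and 2 name a trust anchor, so they need the whole chain, not only the leaf;
    usages 0 and 1 additionally require ordinary CA (PKIX) validation, which this helper
    does not perform. Only DNSSEC-validated records may be passed in (RFC 6698, section 4.1)."""
    usage, selector, mtype, data = record
    if usage not in (1, 3):
        raise ValueError("trust-anchor usages (0, 2) need the full chain")
    return tlsa_rdata(leaf_cert_der, selector, mtype).lower() == data.lower()

# --- constructed test input: a structurally valid but unsigned X.509 v3 certificate ---

def _der(tag, body):
    """Encode one DER element with a definite (short- or long-form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def _oid(hexoid):
    return _der(0x06, bytes.fromhex(hexoid))

def synthetic_certificate(key_bytes):
    """Return (cert_der, spki_der) for a fake mail.example.com certificate (assumed name).
    The signature is all zeros, so no TLS stack would accept it; it only has the same
    structure as a real certificate so the TLSA computation can be demonstrated offline."""
    rsa_alg = _der(0x30, _oid("2A864886F70D010101") + _der(0x05, b""))  # rsaEncryption
    sig_alg = _der(0x30, _oid("2A864886F70D01010B") + _der(0x05, b""))  # sha256WithRSAEncryption
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + key_bytes))        # SubjectPublicKeyInfo
    name = _der(0x30, _der(0x31, _der(0x30, _oid("550403") + _der(0x0C, b"mail.example.com"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(32)))
    return cert, spki

if __name__ == "__main__":
    cert, _ = synthetic_certificate(bytes(range(64)))   # constructed stand-in key material
    # Publish a DANE-EE / public key / SHA-256 record ("3 1 1") for the SMTP server
    line = tlsa_presentation("mail.example.com", 25, "tcp", 3, 1, 1, cert)
    print(line)
    record = parse_tlsa(line.split("TLSA ")[1])
    print("matches presented certificate:", tlsa_matches(record, cert))
```

For a real certificate, read the DER bytes from the file your server uses (a PEM file is base64 between the BEGIN/END lines) and pass them to tlsa_presentation; the resulting hex is what goes in "Points to". The matching side is deliberately limited to the end-entity usages, because a trust-anchor record (usage 0 or 2) can only be checked against the issuing certificate in the chain, and a client must discard any record that did not arrive with a valid DNSSEC signature before calling it.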

How to start managing TLSA records for your domain name?

  1. Open a free account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create a new Master DNS zone from the [add new] button - read more here
  5. Add the TLSA records you need as it is described in this article

Support of TLSA records

ClouDNS provides full support for TLSA records in all our DNS services. Just write to our technical support if you need any assistance with your TLSA record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.


Question: Can I use TLSA records if my domain's DNSSEC is disabled?

Answer: No. The link between the certificate and the TLSA record is only trustworthy because DNSSEC proves that the record really comes from the domain owner. If DNSSEC is disabled on your domain, a DANE-aware client cannot validate the TLSA record and must ignore it, so the record gives no protection: the connection falls back to whatever the client would do without DANE, and the certificate is not verified against your record.

Last modified: 2021-07-01