The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain. This DNS record provides an additional layer of validation and verification for TLS connections, ensuring that users can authenticate the server they are connecting to.
TLSA records can only be trusted if DNSSEC is enabled on your domain.
TLSA record has the following components:
The TLSA Record has the following look in your ClouDNS Control Panel:
| Host | Type | Points to: | TTL |
| _port._protocol.host.domain.com | TLSA | 0 0 0 00000000000000000000000 | 1 Hour |
The usage of TLSA records is most commonly related to the DANE security protocol. Nowadays, when DNSSEC is no longer exotic, the new DANE (DNS-Based Authentication of Named Entities) comes in place. DANE gives you the option to make your DNS structure more secure. The TLSA resource record allows users to verify the certificate received from a website by querying for its information in DNS.
Go to your DNS zone management page and click on Add new record. For Type choose TLSA and type as follows:
*This hostname is used as an example.
In Windows, the TLSA record type cannot be looked up easily because neither Nslookup nor Powershell's Resolve-DnsName has support for it.
Nevertheless, you have the option to install WSL (Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like ClouDNS Free DNS tool to check your TLSA record.
If you are a Linux/macOS user, you can open the Terminal and check your TLSA record via DIG. Here is an example:
$ dig example.com TLSA
Then the information about TLSA records will appear.
ClouDNS provides full support for TLSA records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your TLSA records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: Can I use TLSA records if my domain's DNSSEC is disabled?
Answer: The certificate corresponds to the TLSA by DNSSEC technology. In case, your domain's DNSSEC is disabled, then the TLSA verification will fail.
Question: How often should TLSA records be updated?
Answer: TLSA records should be updated whenever there are changes to the TLS certificate. This includes certificate renewals, replacements, or changes to the hashing algorithms or matching types. You can keep an eye on your TLS certificate with SSL/TLS monitoring check.
Question: Do TLSA records replace traditional certificate validation methods?
Answer: TLSA records do not replace traditional certificate validation methods but provide an additional layer of validation. They complement existing practices and strengthen the overall security of TLS connections.
Question: Can I use multiple TLSA records for a single domain?
Answer: Yes, multiple TLSA records can be used for a single domain. This allows for more flexibility in certificate validation, such as using different hash algorithms or multiple certificates for different purposes.