What is TLSA record?

The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain.

TLSA records can only be trusted if DNSSEC is enabled on your domain.

TLSA record has the following components:

  • Port number: The port number that the TLS server listens on.
  • Protocol: The protocol used (udp, tcp, sctp).
  • Hostname: Hostname of the TLS server. Most cases, the TLSA record is applied for a specific hostname of the domain.

The TLSA Record has the following look in your DNS zone management page:

Host Type Points to: TTL
_port._protocol.host.domain.com TLSA 0 0 0 00000000000000000000000 1 Hour

How to add it?

Go to your DNS zone management page and click on “Add new record”. For "Type" choose "TLSA" and type as follows:

  • Type: TLSA
  • TTL: 1 Hour
  • Host: _port._protocol e.g.: _100._tcp*
  • Usage: (From 0 to 3) It specifies the provided association that will be used to match the certificate presented in the TLS handshake
  • Selector: (From 0 to 1) It specifies which part of the TLS certificate presented by the server will be matched against the association data
  • Matching-Type: (From 0 to 2) It specifies how the certificate association is presented.
  • Points to: Hash value.

*This hostname is used as an example.


Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more