What are TLSA Records?
TLSA records are used with DANE (DNS-based Authentication of Named Entities) to bind SSL/TLS certificates to a domain’s service. They provide an additional layer of security by allowing you to specify exactly which certificate (or its hash) is valid for a given service, which can protect against certificate mis-issuance.
How This Tool Works:
- The tool constructs the DNS query name in the format _port._protocol.domain (e.g., _443._tcp.example.com).
- It then queries that name for TLSA records using Google's public DNS resolver (8.8.8.8).
- If TLSA records exist, the tool displays the raw records.
Understanding a TLSA Record:
A typical TLSA record might be:
In this record:
- The first field (3) is the Certificate Usage; 3 is DANE-EE, meaning the record matches the end-entity certificate itself.
- The second field (1) is the Selector; 1 means the certificate's subjectPublicKeyInfo is matched (0 would match the full certificate).
- The third field (1) is the Matching Type; 1 means a SHA-256 hash of the selected data is compared (0 would be the full data, 2 a SHA-512 hash).
- The fourth field is the Certificate Association Data: the selected data or its hash, in this case the SHA-256 hash written in hexadecimal.
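The following added example (not part of this tool's own code) puts the two procedures above together: it builds the _port._protocol.domain query name, parses a TLSA record's four fields, derives the Certificate Association Data from a certificate or its subjectPublicKeyInfo for each selector and matching type, and checks a presented certificate against a DANE-EE record. The DER inputs are constructed placeholder bytes, not a real certificate or key, and no DNS query is made.

```python
import hashlib

# Constructed demo inputs (not a real certificate or key): DER bytes that stand
# in for a certificate and for its SubjectPublicKeyInfo (SPKI).
DEMO_CERT_DER = b"constructed-certificate-der-for-demo"
DEMO_SPKI_DER = b"constructed-subjectpublickeyinfo-der-for-demo"

def tlsa_qname(domain, port, proto="tcp"):
    """Build the owner name the tool queries: _port._protocol.domain."""
    return f"_{int(port)}._{proto}.{domain.rstrip('.')}"

def parse_tlsa(rdata):
    """Parse presentation-format RDATA such as '3 1 1 ab12...'.
    Zone files may split the hex across whitespace, so the parts are joined."""
    usage, selector, mtype, *hexparts = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return usage, selector, mtype, "".join(hexparts).lower()

def association_data(cert_der, spki_der, selector, mtype):
    """Certificate Association Data for a selector/matching type pair:
    selector 0 = full certificate, 1 = SPKI;
    matching type 0 = raw data, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def build_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Produce the RDATA to publish for a given certificate."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, selector, mtype)}"

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate satisfies this TLSA record.
    Only usage 3 (DANE-EE) is handled: usages 0-2 also involve a CA or
    trust anchor elsewhere in the chain, which this demo does not model."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is checked here")
    return association_data(cert_der, spki_der, selector, mtype) == expected

if __name__ == "__main__":
    rec = build_tlsa(3, 1, 1, DEMO_CERT_DER, DEMO_SPKI_DER)
    print(tlsa_qname("example.com", 443), "TLSA", rec)
    print("match:", tlsa_matches(rec, DEMO_CERT_DER, DEMO_SPKI_DER))
```

After renewing a certificate, running build_tlsa on the new SPKI and comparing it with the published record is the "keep them in sync" check the best practices below describe.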
Best Practices:
- Ensure that your TLSA record accurately reflects the certificate information for your service. Incorrect records could prevent clients from validating your certificate properly.
- If you manage your own certificate issuance, TLSA records add an extra level of trust by binding the certificate to your domain’s DNS.
- Regularly review your TLSA records in combination with your certificate renewal process to ensure they remain in sync.