The TLSA (TLS Authentication) record associates a TLS server certificate or public key with the domain name at which the record is found. With a TLSA record, you store the fingerprint of a TLS/SSL certificate in the DNS zone of your domain.
TLSA records can only be trusted if DNSSEC is enabled on your domain, so that the DNS response itself is verified.
Record structure
Type: TLSA
TTL: time to live, defines for how long the internet provider's servers may cache this DNS setting. It is set in seconds.
Host: _port._protocol.domain, for example _100._tcp.domena.tld
Usage: (from 0 to 3) (0 – PKIX-TA, 1 – PKIX-EE, 2 – DANE-TA, 3 – DANE-EE). Specifies which kind of association is provided, i.e. how the record is matched against the certificate presented in the TLS handshake.
Selector: (from 0 to 1). Specifies which part of the TLS certificate presented by the server is matched against the association data.
Matching-Type: (from 0 to 2). Specifies how the certificate association data is presented.
Points-to: the value, i.e. the certificate association data (for example the certificate fingerprint).
Example of the record:
_100._tcp.www.domena.tld. IN TLSA 3 1 1 1fff7351cdb3957d2d3edd0f7d48bb6246f25361006c1f83379b85c6f3071adc
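To show how the three numeric fields and the hex value relate to the certificate, here is an added Python example (not part of this page or of the Webadmin): it extracts the SubjectPublicKeyInfo from a DER certificate, computes the association data for a chosen selector and matching type, emits a record in the same format as the one above, and checks a record against a presented certificate. The minimal DER walker and the `der()` encoder are my own, and `SAMPLE_CERT` is a constructed dummy skeleton, not a real certificate.

```python
import hashlib
import re
def _tlv(blob, pos):
    """One DER TLV at pos -> (tag, value, raw TLV bytes, next pos). Single-byte tags only."""
    start, tag, length, pos = pos, blob[pos], blob[pos + 1], pos + 2
    if length & 0x80:                              # long form: the next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(blob[pos:pos + n], "big"), pos + n
    return tag, blob[pos:pos + length], blob[start:pos + length], pos + length

def spki_der(cert_der):
    """Selector 1 input: the DER SubjectPublicKeyInfo inside Certificate -> tbsCertificate."""
    tbs_body, fields, pos = _tlv(_tlv(cert_der, 0)[1], 0)[1], [], 0
    while pos < len(tbs_body):
        tag, _, raw, pos = _tlv(tbs_body, pos)
        fields.append((tag, raw))
    if fields[0][0] == 0xA0:                       # the optional explicit [0] version comes first
        fields = fields[1:]
    return fields[5][1]      # serial, signature alg, issuer, validity, subject, SPKI

def association_data(cert_der, selector, mtype):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    blob = cert_der if selector == 0 else spki_der(cert_der)
    return blob if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(blob).digest()

def make_tlsa(owner, cert_der, usage=3, selector=1, mtype=1):    # defaults: DANE-EE, SPKI, SHA-256
    return f"{owner} IN TLSA {usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f]+)$")
def parse_tlsa(text):            # parse presentation format; reject out-of-range fields or a wrong-length hash
    m = _RR.match(text.strip())
    if not m:
        raise ValueError("not a TLSA record")
    usage, selector, mtype, data = int(m[2]), int(m[3]), int(m[4]), m[5]
    if usage > 3 or selector > 1 or mtype > 2 or (mtype and len(data) != 64 * mtype):
        raise ValueError("field out of range, or hash length does not fit the matching type")
    return {"owner": m[1], "usage": usage, "selector": selector, "mtype": mtype, "data": bytes.fromhex(data)}

def matches(record, cert_der):   # True when the presented certificate satisfies the record
    return association_data(cert_der, record["selector"], record["mtype"]) == record["data"]

def der(tag, body):              # minimal DER encoder, used only to build the constructed sample below
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])) + body

# Constructed sample: not a real certificate, just dummy fields in the X.509 layout spki_der() walks.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, bytes(9)))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SAMPLE_SPKI)
                  + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real certificate, pass its DER bytes (the base64-decoded body of the PEM file) to make_tlsa with the owner name built as _port._protocol.host.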
The setting is available in the Webadmin interface. The process is as follows:
1. Log in to the Webadmin.
2. Select your domain.
3. Select DNS in the left menu, then select DNS settings.
4. Select TLSA.
5. To create a new record, simply select the button Create new record.