ZenovayTools

TLSA / DANE Checker

Check TLSA (DANE) DNS records for your domain. Validates _443._tcp and _25._tcp DANE records, parses usage/selector/matching-type fields, and verifies DNSSEC is required for DANE to be secure. Get a full DANE readiness assessment.

How to Use TLSA / DANE Checker

  1. Enter a domain name to check DANE/TLSA records.
  2. TLSA records at _443._tcp and _25._tcp are queried via DNS-over-HTTPS.
  3. Each record is parsed for usage, selector, and matching type fields.
  4. DNSSEC status and overall DANE readiness are assessed.

Frequently Asked Questions

What is DANE and how does it work?
DANE (DNS Authentication of Named Entities) is a security mechanism that uses DNSSEC to bind TLS certificates to domain names via TLSA DNS records. Instead of relying solely on certificate authorities (CAs), DANE allows domain owners to specify which certificates are valid for their domain directly in DNS. This prevents attacks where a rogue CA issues fraudulent certificates. DANE requires DNSSEC — without it, TLSA records can be spoofed and provide no security.
What are TLSA records?
TLSA records are DNS resource records (type 52) that specify TLS certificate association data. They are placed at names like _443._tcp.example.com (HTTPS) or _25._tcp.example.com (SMTP). Each record contains three fields: Usage (how to use the record), Selector (which part of the cert to match — full cert or public key), and Matching Type (how to compare — full bytes, SHA-256, or SHA-512).
What is the recommended TLSA configuration?
The best practice for most deployments is DANE-EE (usage 3) with SPKI selector (1) and SHA-256 matching (1) — written as "3 1 1". DANE-EE means the TLS certificate itself is the trust anchor (no PKIX chain needed), SPKI pins just the public key (not the full cert), and SHA-256 is the standard hash. This allows certificate renewal without changing the TLSA record as long as you keep the same key pair.
Why is DNSSEC required for DANE security?
Without DNSSEC, an attacker who can intercept or modify DNS responses can replace your TLSA records with their own. The entire trust model of DANE relies on DNSSEC to authenticate that the TLSA records are genuine and have not been tampered with. A TLSA record without DNSSEC validation is actually less secure than no TLSA at all, because it gives a false sense of security.
How do I generate TLSA records?
You can generate TLSA records from your certificate or public key using the command: openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | xxd -p -c 256. For Let's Encrypt certificates, use the hash of the SubjectPublicKeyInfo (SPKI) to allow automatic renewal. Tools like "tlsa" (from ldns-utils) and online TLSA generators can simplify this process.
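To make the FAQ concrete, here is an added Python example (not the checker's own code, and not from any of the tools named above). It parses TLSA records into the usage, selector and matching-type fields described in "What are TLSA records?", rejects records whose digest length does not fit the declared matching type, derives the "3 1 1" association data from an SPKI the same way the openssl pipeline above does (SHA-256 over the DER-encoded SubjectPublicKeyInfo), checks a record against a key, and grades a DNS-over-HTTPS JSON answer using the resolver's AD flag for the DNSSEC requirement. The SPKI bytes and the DoH answer are constructed placeholders, and the JSON shape assumed is the Google/Cloudflare DoH JSON format.

```python
"""Added example: parse and validate TLSA rdata, derive '3 1 1' data from an
SPKI, verify a key against a record, and assess a DoH answer for DANE readiness.
Not the checker's own code; all sample data is constructed for the example."""
import hashlib
import json

# Field meanings from RFC 6698.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA-256", 2: "SHA-512"}
DIGEST_HEX_LEN = {1: 64, 2: 128}  # hex chars expected for the hashed matching types


def parse_tlsa(rdata: str) -> dict:
    """Parse presentation-format rdata such as '3 1 1 <hex>' into named fields.
    Raises ValueError for unknown field values, non-hex data, or a digest whose
    length does not match the declared matching type (a common copy/paste error)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        raise ValueError("usage/selector/matching type must be integers") from None
    data = "".join(parts[3:]).lower()  # zone files may split the hex into chunks
    if usage not in USAGES:
        raise ValueError(f"unknown usage {usage}")
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    if mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {mtype}")
    try:
        bytes.fromhex(data)
    except ValueError:
        raise ValueError("association data is not hex") from None
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError(f"{MATCHING_TYPES[mtype]} digest needs "
                         f"{DIGEST_HEX_LEN[mtype]} hex chars, got {len(data)}")
    return {"usage": usage, "usage_name": USAGES[usage], "selector": selector,
            "matching_type": mtype, "matching_type_name": MATCHING_TYPES[mtype],
            "data": data}


def is_valid_tlsa(rdata: str) -> bool:
    """True if parse_tlsa accepts the record."""
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False


def tlsa_data_for_spki(spki_der: bytes, matching_type: int = 1) -> str:
    """Association data for selector 1 (SPKI). For matching type 1 this is the
    hex SHA-256 of the DER SPKI, which is what the openssl pipeline prints."""
    if matching_type == 0:
        return spki_der.hex()
    if matching_type == 1:
        return hashlib.sha256(spki_der).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(spki_der).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")


def spki_matches(record: dict, spki_der: bytes) -> bool:
    """Check a parsed SPKI-selector record against the server's actual public key."""
    if record["selector"] != 1:
        raise ValueError("only the SPKI selector (1) is handled here")
    return record["data"] == tlsa_data_for_spki(spki_der, record["matching_type"])


def assess_dane(doh_response: dict) -> dict:
    """Assess one DoH JSON answer. The AD (Authenticated Data) flag set by a
    validating resolver is the signal that DNSSEC validated the answer; without
    it the TLSA data cannot be trusted, whatever it contains."""
    ad = bool(doh_response.get("AD", False))
    answers = [a["data"] for a in doh_response.get("Answer", []) if a.get("type") == 52]
    records, errors = [], []
    for rdata in answers:
        try:
            records.append(parse_tlsa(rdata))
        except ValueError as exc:
            errors.append(f"{rdata!r}: {exc}")
    has_311 = any((r["usage"], r["selector"], r["matching_type"]) == (3, 1, 1) for r in records)
    if not answers:
        verdict = "no TLSA records"
    elif not ad:
        verdict = "TLSA present but not DNSSEC-validated (AD=0): not usable for DANE"
    elif not records:
        verdict = "TLSA present but all records malformed"
    else:
        verdict = "DANE-ready" if has_311 else "DANE-ready (no 3 1 1 record)"
    return {"dnssec_validated": ad, "records": records, "errors": errors,
            "has_3_1_1": has_311, "verdict": verdict}


# Constructed sample data: a placeholder SPKI (not a real key) and the DoH answer
# a validating resolver would return for a correctly published 3 1 1 record.
SAMPLE_SPKI_DER = b"constructed placeholder SPKI DER bytes, not a real key"
SAMPLE_DOH = {
    "Status": 0, "AD": True,
    "Answer": [{"name": "_25._tcp.example.com.", "type": 52, "TTL": 3600,
                "data": f"3 1 1 {tlsa_data_for_spki(SAMPLE_SPKI_DER)}"}],
}

if __name__ == "__main__":
    result = assess_dane(SAMPLE_DOH)
    print(json.dumps(result, indent=2))
    print("key matches record:", spki_matches(result["records"][0], SAMPLE_SPKI_DER))
```

In a real check the SPKI bytes come from the server's certificate (the `openssl x509 ... -pubkey | openssl pkey -pubin -outform DER` part of the pipeline above) and the DoH answer from a validating resolver queried with DNSSEC enabled; a record that parses cleanly but arrives with AD=0 is reported as unusable rather than as a pass.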