Conceptual overview of TLSA records.
DANE introduces a new DNS resource record — TLSA — to be authenticated by DNSSEC to augment
or replace the use of public certificates from the Certificate Authority. TLSA records are
stored as prefixed DNS domain names using the syntax
_<portnumber>._<protocol>.<FQDN>. For
example:
_443._tcp.example.com
TLSA records consist of four fields: a one octet Certificate Usage field, a one octet Selector field, a one octet Matching Type field, and Certificate Association Data.
TLSA Certificate Usage field
Indicates which is the certificate; identifies what the TLSA record is pointing at in
the chain of trust. The Certificate Usage Field contains a value of 3, 2,
1, or 0.
Note: Values 4-254 are unassigned; value 255 is private
use.
Value | Description |
---|---|
0 | PKIX-TA: Certificate Authority Constraint; public CA certificate or public key of such a certificate from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the CA that will provide TLS certificates for the domain. |
1 | PKIX-EE: Service Certificate Constraint; points to a specific TLS certificate but needs validation from another trust anchor. The TLSA record specifies the exact TLS certificate that should be used for the domain. The certificate must be issued by a valid CA. |
2 | DANE-TA: Trust Anchor Assertion; private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain. |
3 | DANE-EE: Domain-issued Certificate; no X.509 tree, trust anchors, or chain of trust needed for validation. The TLS record specifies the exact TLS certificate that should be used for the domain, but the TLS certificate doesn't need to be signed by a valid CA, thereby allowing for the use of self-signed certificates. |
TLSA Selector field
Indicates if the TLSA record matching against the full or partial key. The Selector Field
contains a value of 1 or 0.
Note: Values 2-254 are unassigned; value 255 is private
use.
Value | Description |
---|---|
0 | Full certificate |
1 | Partial key (SubjectPublicKeyInfo) |
TLSA Matching Type field
Indicates the kind of match: SHA256, SHA512, or full. The Matching Type Field contains a
value of 2, 1, or 0.
Note: Values 3-254 are unassigned; value 255 is private
use.
Value | Description |
---|---|
0 | Full: no hash; data is the certificate or the public key |
1 | SHA256: data is the SHA256 hash of the certificate or public key |
2 | SHA512: data is the SHA512 hash of the certificate or public key |
TLSA Record example
Example of a domain-issued end-entity
certificate:
_443._tcp.www.example.com. IN TLSA (
3 1 1 ecc104c4fbb06b249d3c7a
68f19cf28a60a9c6814874
ad7efde451688039fe01 )