Conceptual overview of TLSA records.
A TLSA record consists of four fields: a one-octet Certificate Usage field, a one-octet Selector field, a one-octet Matching Type field, and the Certificate Association Data.
TLSA Certificate Usage field
|0|PKIX-TA: Certificate Authority Constraint; a public CA certificate, or the public key of such a certificate, from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the CA that will provide the TLS certificates for the domain.
|1|PKIX-EE: Service Certificate Constraint; points to a specific TLS certificate, which still needs validation through another trust anchor. The TLSA record specifies the exact TLS certificate that should be used for the domain; the certificate must be issued by a valid CA.
|2|DANE-TA: Trust Anchor Assertion; private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain.
|3|DANE-EE: Domain-issued Certificate; no X.509 tree, trust anchor, or chain of trust is needed for validation. The TLSA record specifies the exact TLS certificate that should be used for the domain, but that certificate does not need to be signed by a valid CA, which allows self-signed certificates to be used.
TLSA Selector field
|0|Full certificate: the entire certificate is matched
|1|Partial key (SubjectPublicKeyInfo): only the certificate's public key is matched
TLSA Matching Type field
|0|Full: no hash; the data is the certificate or the public key itself
|1|SHA256: the data is the SHA-256 hash of the certificate or public key
|2|SHA512: the data is the SHA-512 hash of the certificate or public key
TLSA Record example
_443._tcp.www.example.com. IN TLSA (
3 1 1 ecc104c4fbb06b249d3c7a
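As an added example that is not part of the original page, the following Python (standard library only) encodes, parses and verifies TLSA records using the field values described above, including the "3 1 1" form of the record example; SAMPLE_SPKI and SAMPLE_CERT are constructed placeholder bytes, not a real key or certificate.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple

# Field values defined in RFC 6698.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "Full", 1: "SHA256", 2: "SHA512"}
DIGEST_LEN = {1: 32, 2: 64}  # data length implied by each hashed matching type

class TLSA(NamedTuple):
    usage: int
    selector: int
    matching_type: int
    data: bytes  # Certificate Association Data
    def to_wire(self) -> bytes:
        """RDATA wire format: three one-octet fields, then the association data."""
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.data
    def to_presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

def parse_tlsa_wire(rdata: bytes) -> TLSA:
    """Parse RDATA, rejecting unknown field values and digests of the wrong length."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    if usage not in USAGES or selector not in SELECTORS or matching_type not in MATCHING:
        raise ValueError("unknown TLSA field value")
    data = rdata[3:]
    if matching_type in DIGEST_LEN and len(data) != DIGEST_LEN[matching_type]:
        raise ValueError(f"{MATCHING[matching_type]} data must be {DIGEST_LEN[matching_type]} bytes")
    return TLSA(usage, selector, matching_type, data)

def association_data(selected: bytes, matching_type: int) -> bytes:
    """Apply the matching type to the selected bytes (full certificate DER or SPKI DER)."""
    if matching_type == 0:
        return selected
    return hashlib.new(MATCHING[matching_type].lower(), selected).digest()

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented certificate against selector and matching type (usage/chain checks are separate)."""
    selected = cert_der if record.selector == 0 else spki_der
    return hmac.compare_digest(association_data(selected, record.matching_type), record.data)

# Constructed sample: DER SubjectPublicKeyInfo of an Ed25519 key whose 32 raw bytes are all 0x42
# (a placeholder, not a real key), and an opaque placeholder for the full certificate DER.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + b"\x42" * 32
SAMPLE_CERT = b"constructed-certificate-der-placeholder"
```

A real deployment would take the SPKI or certificate DER from the server's actual certificate; the functions above are the same for either input.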