Main Hero

TLSA record

A TLSA record is a DNS record used to associate a service with a specific TLS certificate or public key. It is a core component of DANE and enables domain owners to define which certificates are valid for their services directly within DNS. By doing this, TLSA records reduce reliance on traditional certificate authorities and provide an additional layer of verification for secure connections.

TLSA records are published in DNS under a structured naming format that includes the service port and protocol, such as _25._tcp.mail.example.com. When a client connects to a server, it can query DNS for the corresponding TLSA record and verify that the presented certificate matches the expected value. If the certificate does not match, the connection can be rejected.

This mechanism enhances trust in TLS connections, particularly in email delivery, where it is used to validate SMTP servers and prevent interception or spoofing.

Advanced

TLSA records contain several parameters that define how certificate validation should occur. These include the usage field, selector, and matching type. The usage field determines how the certificate is verified, such as whether it must match a specific certificate or a trusted authority. The selector defines whether the full certificate or just the public key is used, while the matching type specifies the hashing method.

TLSA records rely on DNSSEC to ensure integrity and authenticity. Without DNSSEC, TLSA data cannot be trusted. In SMTP implementations, sending servers that support DANE will query TLSA records before establishing a TLS connection. If valid records are present, strict validation is enforced, and delivery will fail if the certificate does not match.

Managing TLSA records requires coordination with certificate lifecycle management. Any certificate changes must be reflected in DNS to avoid validation failures. This introduces operational complexity but provides stronger security guarantees compared to traditional certificate validation methods.

Relevance

  • Strengthens TLS security through DNS based validation
  • Reduces reliance on certificate authorities
  • Supports secure email delivery using DANE
  • Protects against certificate spoofing and interception

Applications

  • Validating SMTP server certificates for email delivery
  • Securing services such as HTTPS or other TLS enabled protocols
  • Enforcing strict certificate matching policies
  • Supporting high security infrastructure environments

Metrics

  • TLSA validation success rates
  • DNSSEC validation integrity
  • Certificate match versus mismatch frequency
  • Secure connection success rates

Issues

  • Lack of DNSSEC preventing secure use of TLSA
  • Misconfigured records causing connection failures
  • Certificate updates not reflected in DNS
  • Limited adoption across some systems

Example

A domain publishes a TLSA record for its mail server under _25._tcp.mail.example.com. When another mail server attempts to deliver email, it checks the TLSA record and validates the certificate presented by the server. If the certificate matches the record, the connection proceeds securely. If not, the delivery is blocked, preventing potential interception.