TLSA records bind a service (such as HTTPS for a website or SMTP for a mail server) to a specific TLS/SSL certificate. This adds a layer of security, because DANE-aware clients and tools can verify that the certificate a server presents matches the record published in DNS.
IMPORTANT: To ensure TLSA records function properly, DNSSEC must be active and operational on the domain. Please follow these steps to activate DNSSEC on your domain before setting up the TLSA record.
The TLSA record contains the following components:
- Host: the port and the protocol. For example, for a website (HTTPS), the host is: _443._tcp
- TTL: Time To Live (1 hour is the recommended value).
- Certificate Association: derived from the X.509 TLS/SSL certificate; it can be generated with tools such as https://www.huque.com/bin/gen_tlsa
- Usage: a numeric value (0, 1, 2, 3):
  - 0 = Certificate Authority Constraint.
  - 1 = Service Certificate Constraint.
  - 2 = Trust Anchor Assertion.
  - 3 = Domain Issued Certificate.
- Selector: a numeric value (0, 1):
  - 0 = Full Certificate.
  - 1 = Subject Public Key.
- Matching Type: a numeric value (0, 1, 2):
  - 0 = No hash.
  - 1 = SHA-256.
  - 2 = SHA-512.
These values must be provided by your hosting provider. If you are using our web hosting product, we recommend the following values for Usage - Selector - Matching Type: 3 - 0 - 1, that is, a Domain Issued Certificate matched by the SHA-256 hash of the full certificate.
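As an added example that is not part of the original article, the following Python script shows how the Certificate Association for the recommended 3 - 0 - 1 record is derived (the DER-encoded certificate hashed with SHA-256) and how the same computation lets a DANE client check a presented certificate against the published record. The certificate bytes and the owner name _443._tcp.example.com. are constructed stand-ins, and only Selector 0 (full certificate) is implemented.

```python
"""Build and verify the certificate association data of a TLSA record.
Added example, not from the original article. Only selector 0 (full
certificate) is implemented, as the recommended "3 0 1" record uses it;
selector 1 (SubjectPublicKeyInfo) would also need an ASN.1 parser."""
import base64
import hashlib
import re

MATCHING = {0: None, 1: "sha256", 2: "sha512"}  # 0 = no hash, full data


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the raw DER certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def association_data(der: bytes, selector: int, mtype: int) -> str:
    """Hex association data: the DER certificate itself or its digest."""
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) here")
    if mtype not in MATCHING:
        raise ValueError(f"unknown matching type {mtype}")
    algo = MATCHING[mtype]
    return (der if algo is None else hashlib.new(algo, der).digest()).hex()

def tlsa_record(owner: str, der: bytes, usage: int = 3, selector: int = 0,
                mtype: int = 1, ttl: int = 3600) -> str:
    """Zone-file line, e.g. '_443._tcp.example.com. 3600 IN TLSA 3 0 1 <hex>'."""
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown usage {usage}")
    data = association_data(der, selector, mtype)
    return f"{owner} {ttl} IN TLSA {usage} {selector} {mtype} {data}"

def matches(der: bytes, selector: int, mtype: int, published_hex: str) -> bool:
    """Does a presented certificate match the published association data?"""
    return association_data(der, selector, mtype) == published_hex.strip().lower()


# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed stand-in for a DER-encoded X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("_443._tcp.example.com.", pem_to_der(SAMPLE_PEM)))
```

Replace SAMPLE_PEM with the contents of your server's certificate file to obtain the hex value that belongs in the Certificate Association field.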
To set up the TLSA record, follow these steps:
- In your account, go to DOMAINS ACTIVE.
- Hover over the relevant domain and click the Manage Icon on the right side.
- Click EDIT DNS ZONE.
- Click NEW RECORD.
- From the Type dropdown menu, select TLSA (TLS Authentication).
- Enter the Host provided by your hosting provider in the Host field. For example, for a website (HTTPS), this would be: "_443._tcp".
- Select the Usage, Selector, and Matching Type values given by your hosting provider.
- Paste the Certificate Association provided by your hosting provider.
- Set the TTL.
- Click SAVE.
Note: DNS changes may take up to 24 hours to propagate across the Internet.
Important: This option is only available if the domain is using our name servers.
You can test the authentication here: https://www.huque.com/bin/danecheck