What is a TLSA Record?
A TLSA record (TLS Authentication record) is used to associate a TLS certificate or public key with the domain name where the record is found. This is part of a protocol called DANE (DNS-based Authentication of Named Entities).
Structure of a TLSA Record
_443._tcp.www.example.com. 3600 IN TLSA 3 1 1 d2cb3598...
Why Use TLSA?
TLSA records provide an additional layer of security beyond the traditional Certificate Authority (CA) system. By pinning a specific certificate or CA to a service in your DNS, you can protect against CA compromises or fraudulent certificate issuance.
Requirement: DNSSEC
TLSA records are only effective if your domain is secured with DNSSEC. Without DNSSEC, an attacker could spoof the TLSA record itself, defeating its security purpose.
Components of a TLSA Record
- Usage: How to use the record (e.g., 3 for "Domain-issued certificate").
- Selector: What part of the certificate is being matched (e.g., 1 for "Subject Public Key Info").
- Matching Type: How the data is matched (e.g., 1 for "SHA-256 hash").
- Certificate Association Data: The actual hash or certificate data.
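The following Python is an added example, not code from the original article: it builds the rdata of a "3 1 1" record from a server's SubjectPublicKeyInfo, parses the four fields back while rejecting values outside the registries, and checks whether a presented certificate satisfies the record. The field tables are those of RFC 6698; the DER byte strings are constructed placeholders, not a real certificate or key.

```python
import hashlib

# Field value registries from RFC 6698: usage, selector, matching type.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}
DIGEST_LEN = {1: 32, 2: 64}

def owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."

def association_data(selected: bytes, matching_type: int) -> bytes:
    """Apply the matching type to the DER bytes chosen by the selector."""
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def build_rdata(usage: int, selector: int, matching_type: int, selected: bytes) -> str:
    """Presentation form of the rdata, as published in the zone file."""
    digest = association_data(selected, matching_type)
    return f"{usage} {selector} {matching_type} {digest.hex()}"

def parse_rdata(rdata: str) -> tuple:
    """Parse 'usage selector mtype hex'; reject values outside the registries."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA rdata needs exactly four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError(f"unregistered field value in {rdata!r}")
    data = bytes.fromhex(parts[3])
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(f"{MATCHING[mtype]} data must be {DIGEST_LEN[mtype]} bytes")
    return usage, selector, mtype, data

def record_matches(record: tuple, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the certificate the server presented satisfy this record?"""
    _usage, selector, mtype, data = record
    selected = cert_der if selector == 0 else spki_der
    return association_data(selected, mtype) == data

# Constructed placeholder DER blobs for the demo (not a real certificate or key).
SAMPLE_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + bytes(65)
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + bytes(200)
```

`build_rdata(3, 1, 1, SAMPLE_SPKI)` yields the rdata of a DANE-EE record like the one in the structure example above. The code only computes and compares record data; the DNSSEC-validated lookup that makes the record trustworthy is a separate step it does not perform.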
Common Use Case: Secure SMTP
TLSA is most commonly used today to secure email delivery between mail servers (SMTP). It ensures that the encryption used between servers hasn't been downgraded or intercepted by a "Man-in-the-Middle" attack.