DANE (DNS-based Authentication of Named Entities) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).
TLSA resource record is an own type of DNS record. It consists of port number and protocol of the service secured by it.
An example record for port 25 over tcp could look like
_25._tcp.example.com IN TLSA 3 0 1 $DATA.
The TLSA parameters
3 0 1 are explaining the data following it. The first number is the Certificate Usage Field, the second is the Selector Field and the third is named Matching Type Field.
|0||PKIX trust anchor||Hash contains a public CA from the x509 tree by which your cert has to be signed|
|1||PKIX end entity||Hash contains your cert which also has to pass x509 validation|
|2||DANE trust anchor||Hash contains a private CA (unknown to the x509 tree) by which your cert has to be signed|
|3||DANE end entity||Hash contains your cert which is not matched against any other validation|
|0||cert||DATA is based on the full cert|
|1||SPKI||DATA is based on public key only|
|0||Full||DATA is the full cert or SPKI|
|1||sha256||DATA is the sha256 hash of the cert or SPKI|
|2||sha512||DATA is the sha512 hash of the cert or SPKI|
The RR can also easily be generated with the tools
ldns-dane from and
dane from AUR.
DANE supporting software
- Exim > 4.85
- Prosody (via AUR)