Advanced DANE Record Checker

Check and validate TLSA records for DANE (DNS-based Authentication of Named Entities).

Network Security

What is DANE and Why Is It Critical for Security?

DANE (DNS-based Authentication of Named Entities) involves a set of protocols that allow domain administrators to bind X.509 certificates to their domain names using DNSSEC. This creates a cryptographically secure link between your domain and your SSL/TLS certificate, preventing attackers from using fraudulent certificates issued by compromised Certificate Authorities (CAs).

For email administrators, checking DANE records is even more vital. It prevents SMTP downgrade attacks and ensures that emails are delivered over encrypted channels, adhering to modern standards mapped out in RFC 6698.

01How DANE Works

DANE relies on a specific DNS record type called TLSA (RRType 52). This record stores the "fingerprint" or the full content of your certificate (or your CA's certificate). When a client (like a browser or mail server) connects to you, it queries this record via DNSSEC to verify the server's identity before exchanging sensitive data.

02The Risk of Ignoring It

Without DANE, your connection relies entirely on the global Public Key Infrastructure (PKI). If any of the hundreds of trusted CAs are compromised, they could issue a fake certificate for your site. DANE removes this vulnerability by telling the client exactly which certificate to trust.

How to Use the Advanced DANE Record Checker

Validating your TLSA records manually can be complex due to the hexadecimal formatting and specific field requirements. Our tool simplifies this process:

  1. 1
    Enter Domain NameInput the hostname you want to check (e.g., example.com or mail.example.com).
  2. 2
    Select Port & ProtocolDefault for HTTPS is 443/TCP. For SMTP, use 25/TCP. The tool constructs the query as _port._protocol.domain.
  3. 3
    Analyze ResultsReview the raw TLSA data, decoded fields, and verification status.

Understanding TLSA Record Fields

A TLSA record is composed of three numeric usage fields followed by the certificate association data. Understanding these is key to troubleshooting DANE compliance.

Field 1

Usage (0-3)

  • 0 (PKIX-TA): CA PIN. Use a specific CA for this domain.
  • 1 (PKIX-EE): Service Certificate PIN. Specific end-entity cert.
  • 2 (DANE-TA): Trust Anchor. Assert a private CA specific to this domain.
  • 3 (DANE-EE): Domain Issued. Self-signed or private cert, no public CA needed.
Field 2

Selector (0-1)

  • 0 (Full Certificate): Matches the entire certificate blob.
  • 1 (SPKI): Matches only the Subject Public Key Info (recommended for rotation).
Field 3

Matching Type (0-2)

  • 0 (Full Content): Exact binary match (large DNS record).
  • 1 (SHA-256): Hash of the selected data.
  • 2 (SHA-512): Stronger hash of the selected data.

Secure Your Infrastructure Today

Don't leave your user's security to chance. Verify your DANE records relative to your SSL/TLS configuration and ensure end-to-end encryption integrity.

Check SSL Handshake

Frequently Asked Questions

Common questions about DANE, TLSA records, and troubleshooting connection errors.

Q1What is a DANE (TLSA) Record?

DNS-Based Authentication of Named Entities (DANE) relies on the TLSA resource record to securely bind a TLS server certificate to a domain name. Unlike strictly relying on Certificate Authorities (CAs), DANE uses DNSSEC to authenticate the certificate, preventing Man-in-the-Middle (MitM) attacks even if a CA is compromised.

It is defined in RFC 6698 .

Q2What do the '3 1 1' or '3 0 1' parameters mean?

These numbers represent the Usage, Selector, and Matching Type fields of the TLSA record:

  • Usage 3 (DANE-EE): Domain-issued certificate (most common for self-signing or bypassing CA trust).
  • Selector 1 (SPKI): Matches only the public key (allows certificate renewal without changing DNS if key stays same).
  • Matching Type 1 (SHA-256): Checks the SHA-256 hash of the selected data.

So, _443._tcp.example.com. IN TLSA 3 1 1 [hash] tells the client to trust the server's public key if it matches the SHA-256 hash provided.

Q3Why am I getting a 'No TLSA Record Found' error?

This error means our tool queried the DNS for _port._protocol.domain (e.g., _443._tcp.example.com) but received no answer.

Common fixes:

  • Ensure you published the record at the correct subdomain (prefix with _port._protocol).
  • Check if your DNS propagation is complete.
  • Verify that your DNS host supports TLSA records (some basic registrars do not).

Q4Does DANE require DNSSEC?

Yes, absolutely. DANE relies on the chain of trust established by DNSSEC. Without DNSSEC signing on your zone, clients cannot trust the TLSA record, as it could have been spoofed by a simple DNS poisoning attack. If your domain is not DNSSEC-signed, DANE validation will fail or be ignored by clients.

Q5What is the error 'PKIX-EE: CA Not Trusted'?

This isn't a direct DANE error, but often appears when testing mail servers. However, in the context of DANE:

Validation Failure: TLSA signature mismatch

If you see validation failures, it means the certificate presented by the server does not match the hash in your TLSA record. This happens often when you renew your certificate (e.g., via Let's Encrypt) but forget to update the DNS record.Tip: Use Selector 1 (SPKI) and keep your private key constant during renewal to avoid this.

Q6Can I use DANE with Let's Encrypt?

Yes! In fact, it's a great combination. To make managing it easier:

  • Use Usage 3 (DANE-EE) + Selector 1 (SPKI).
  • Configure your ACME client (like Certbot) to reuse the account private key or the certificate private key (CSR reuse) so the hash doesn't change on every renewal.
  • Alternatively, use automation tools that update your DNS automatically when the certificate renews.

Q7What is the difference between DANE and MTA-STS?

Both secure SMTP email transmission, but they work differently:

  • DANE uses DNSSEC to authenticate the certificate directly. It is harder to set up but more secure against CAs.
  • MTA-STS uses a text file hosted on HTTPS and a TXT record to enforce TLS. It relies on the Web PKI (trusted CAs) and is often easier for large organizations to deploy without DNSSEC.

Many experts recommend implementing both for maximum compatibility and security.

Q8How do I generate the 'Matching Type' hash?

You can use OpenSSL to generate the SHA-256 hash for your TLSA record. For a certificate file server.crt with Usage 3, Selector 1, Matching 1:

openssl x509 -in server.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256

Or simply use our Advanced DANE Record Checker tool after setting it up to verify your live hash!

Still have questions? Check out the Full DANE Protocol Documentation or validate your server's security with our SSL Handshake Simulator.

Related DNS & Network Tools

Explore more powerful tools in this category.

MX Record Checker

Check Mail Exchange (MX) records for any domain name instantly.

SPF Record Checker

Verify Sender Policy Framework (SPF) records to prevent email spoofing.

DKIM Record Lookup

Retrieve and verify DomainKeys Identified Mail (DKIM) records.

DMARC Checker

Analyze DMARC records to ensure email authentication policies.

BIMI Record Checker

Check Brand Indicators for Message Identification (BIMI) records.

MTA-STS Record Checker

Verify MTA Strict Transport Security configurations.

TLS-RPT Record Checker

Check TLS Reporting (TLS-RPT) DNS records.

Email Blacklist Checker

Check if your mail server IP is listed on major DNSBL blacklists.

Online Port Checker

Check if a specific port is open on a target server or IP.

Advance DNS Leak Test

Verify if your VPN is leaking DNS queries and protect your online privacy.

Resolve IP to Hostname

Perform a reverse DNS lookup to find the hostname of an IP.

Website to IP Lookup

Convert domain names to IP addresses with detailed DNS and geolocation information.

Advanced Traceroute Online

Record the whole path through which network request routes to the provided Domain or IP Address.

Advanced - IPsec VPN Phase 1 & 2 Parameter Matcher

Troubleshoot VPN site-to-site configuration mismatches by comparing Local and Remote Phase 1 and Phase 2 parameters.

Advanced DNSSEC Checker

Verify DNSSEC records (DNSKEY, DS, RRSIG) and check the Chain of Trust status instantly.

Advanced VoIP MOS Score Calculator

Calculate Mean Opinion Score (MOS) for VoIP based on Latency, Jitter, and Packet Loss.

Advanced Fresnel Zone Calculator

Calculate 1st Fresnel Zone radius and recommended clearance for wireless links.

Advanced EIRP Calculator

Calculate Effective Isotropic Radiated Power (EIRP) for wireless links.

Advanced Fiber Loss Budget Calculator

Calculate total optical fiber loss budget, including splices and connectors, for reliable network planning.

Advanced Antenna Downtilt and Coverage Calculator

Calculate optimal antenna downtilt angle and coverage radius for precise network planning.

Advanced MTU Calculator

Calculate MTU, MSS, and protocol overheads (IPv4, IPv6, VLAN, PPPoE, etc.) for network optimization.