
DANE/TLSA Record Generator

Generate DANE TLSA records for your mail server. SHA-256/SHA-512 hashing with optional PEM parsing — all in your browser.


What is DANE?

DNS-based Authentication of Named Entities (DANE) uses DNSSEC-signed TLSA records to bind a TLS service to a specific certificate or public key. Defined in RFC 6698 and profiled for SMTP in RFC 7672, DANE lets the domain owner state exactly which certificate or key is valid for a service. With the DANE-TA and DANE-EE usages the sending side no longer has to trust any public certificate authority; the trust comes from the DNSSEC chain instead.

For email, the sending MTA looks up the TLSA record at _25._tcp.<mx-hostname> and verifies the receiving server's TLS certificate against it before handing over the message. The mere presence of a DNSSEC-validated TLSA record tells the sender that TLS is mandatory for that host, which defeats downgrade attacks where an attacker strips STARTTLS to force plaintext delivery; the certificate check defeats a man-in-the-middle who presents a certificate the sender would otherwise accept. Because the lookup hangs off the MX hostname, both your domain's zone and the zone that contains the MX hostname must be DNSSEC-signed.

TLSA Record Fields

Field | Values | Description
Usage | 0-3 | How the presented certificate chain is verified. 0 = PKIX-TA (the pinned CA must also be trusted through normal PKIX validation), 1 = PKIX-EE (the end-entity certificate must also pass PKIX validation), 2 = DANE-TA (a trust anchor chosen by the domain owner, no public CA involved), 3 = DANE-EE (the server's own certificate or key, the most common choice for SMTP). RFC 7672 says SMTP should not use usages 0 and 1, because a sending MTA has no agreed list of trusted public CAs.
Selector | 0-1 | What is matched. 0 = the full DER-encoded certificate, 1 = the SubjectPublicKeyInfo only (the public key, which survives renewals that keep the same key pair).
Matching Type | 0-2 | How it is matched. 0 = exact match of the full data (no hash), 1 = SHA-256 of the data (recommended, and mandatory for implementations to support), 2 = SHA-512.
Certificate Association Data | hex string | The selected certificate or public key data, or its hash, as a hexadecimal string.

Common Configurations

DANE-EE + SPKI + SHA-256 (3 1 1) is the configuration RFC 7672 recommends for SMTP. It pins the server's public key (so the record survives certificate renewals that keep the same key pair) using a compact SHA-256 hash, and it is the most widely deployed DANE configuration. Note that with DANE-EE a sending MTA compares only the key (or certificate) digest: RFC 7672 tells it to ignore the certificate's expiry date and to skip the hostname check, so the TLSA record is the whole of the authentication and must be kept accurate.

DANE-TA (2 0 1 or 2 1 1) pins a CA certificate instead of the server certificate. It allows any certificate issued under that CA without a TLSA update on each renewal, and unlike DANE-EE the sender still checks the hostname and expiry of the server certificate. Two caveats: the server must include the pinned CA certificate in the chain it sends in the TLS handshake (RFC 7672 requires this even for a self-signed root), and pinning a public CA's intermediate ties you to that CA's own key rotation schedule, which can break delivery without notice. DANE-TA fits best with a CA whose keys you control.
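
The following stand-alone Python script is an added example and is not code from the DMARCguard tool. It does what the generator above does (parse a PEM certificate, pull out the SubjectPublicKeyInfo, hash it, and print the zone-file line for any usage/selector/matching-type combination from the table), and it also shows the sender's side of the check described in the configurations above: the digest comparison a verifying MTA performs for DANE-EE and DANE-TA records. The certificate it runs on is constructed in the script with a tiny DER encoder (a structurally valid X.509 v3 shape, junk RSA modulus, all-zero signature) so that the example runs offline; mail.example.com and the constructed keys are placeholders, not real data.

```python
import base64
import hashlib
import re

# Minimal DER encode/decode, just enough for the X.509 Certificate structure.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into (tag, full TLV bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_read(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def to_pem(der_cert):
    body = base64.encodebytes(der_cert).decode()  # 76-char lines with a trailing newline
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body

def extract_spki(der_cert):
    """Return the DER SubjectPublicKeyInfo (the selector 1 input) of a DER certificate."""
    _, cert_body, _ = der_read(der_cert)   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs_body, _ = der_read(cert_body)   # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def tlsa_data(der_cert, selector, mtype):
    """Certificate Association Data (lowercase hex) for a selector / matching type pair."""
    data = der_cert if selector == 0 else extract_spki(der_cert)
    if mtype == 0:
        return data.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()

def tlsa_record(mx_host, der_cert, usage=3, selector=1, mtype=1, port=25):
    """Zone-file line for the MX host; the defaults give the recommended 3 1 1."""
    return f"_{port}._tcp.{mx_host}. IN TLSA {usage} {selector} {mtype} {tlsa_data(der_cert, selector, mtype)}"

def tlsa_matches(record, chain):
    """Digest step of RFC 7672 verification: chain[0] is the end-entity certificate, the rest
    are issuer certificates the server sent. Chain validation up to a DANE-TA anchor and the
    DANE-TA hostname check are out of scope here."""
    usage, selector, mtype, data = record.split()[-4:]
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage == 3:        # DANE-EE: only the leaf is compared (no name or expiry check for SMTP)
        candidates = chain[:1]
    elif usage == 2:      # DANE-TA: the anchor must be somewhere in the presented chain
        candidates = chain[1:]
    else:                 # PKIX-TA / PKIX-EE: RFC 7672 says SMTP should not use them
        raise ValueError("usage %d is not used for SMTP DANE" % usage)
    return any(tlsa_data(c, selector, mtype) == data.lower() for c in candidates)

# Constructed test certificate: structurally valid X.509 v3, but the key is junk and the
# signature is zeros, so it is only useful for exercising the parser and the hashing.
OID_RSA_ENC = bytes.fromhex("06092a864886f70d010101")     # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption

def fake_rsa_spki(modulus):
    rsa_key = der_seq(der(0x02, modulus), der(0x02, b"\x01\x00\x01"))  # RSAPublicKey {n, e}
    return der_seq(der_seq(OID_RSA_ENC, der(0x05, b"")), der(0x03, b"\x00" + rsa_key))

def fake_cert(spki, serial=1):
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                                      # version v3
        der(0x02, bytes([serial])),                                         # serialNumber
        der_seq(OID_SHA256_RSA, der(0x05, b"")),                            # signature
        der_seq(),                                                          # issuer (empty)
        der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),  # validity
        der_seq(),                                                          # subject (empty)
        spki)
    return der_seq(tbs, der_seq(OID_SHA256_RSA, der(0x05, b"")), der(0x03, b"\x00" * 33))

if __name__ == "__main__":
    key = fake_rsa_spki(b"\x00" + bytes(range(1, 65)))          # constructed modulus, test data only
    cert = pem_to_der(to_pem(fake_cert(key)))                    # round-trip through PEM as the tool does
    print(tlsa_record("mail.example.com", cert))                 # 3 1 1 (key pin)
    print(tlsa_record("mail.example.com", cert, selector=0))     # 3 0 1 (whole-certificate pin)
    renewed = fake_cert(key, serial=2)                           # renewal that keeps the key pair
    print("3 1 1 survives renewal:", tlsa_matches(tlsa_record("mail.example.com", cert), [renewed]))
    print("3 0 1 survives renewal:", tlsa_matches(tlsa_record("mail.example.com", cert, selector=0), [renewed]))
```

For a real certificate you can cross-check the 3 1 1 value the script prints against the classic OpenSSL pipeline, which prints the same SHA-256 digest of the DER-encoded public key: `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. The 3 0 1 value is `openssl x509 -in cert.pem -outform DER | openssl dgst -sha256`. The renewal check at the end is the practical reason selector 1 is preferred: the 3 0 1 record stops matching as soon as the certificate is reissued, while the 3 1 1 record keeps matching until the key pair itself changes.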

DNSSEC Requirement

DANE requires DNSSEC on your domain and on the zone that holds your MX hostnames. Without DNSSEC an attacker can spoof or strip the TLSA records, and a sending MTA treats an unsigned answer as "no DANE" and falls back to ordinary opportunistic TLS, so the records add no security at all. A signed zone whose signatures fail to validate is worse: senders treat the answer as bogus and refuse to deliver. Verify DNSSEC is active before publishing TLSA records, for example by querying through a validating resolver with `dig +dnssec TLSA _25._tcp.<mx-hostname>` and confirming the AD flag and the RRSIG in the answer. Most DNS providers offer one-click DNSSEC activation.

Certificate Rotation

When rotating TLS certificates, publish the TLSA record for the new certificate before deploying it, and keep the record for the old one alongside it. Wait at least the TLSA record's TTL after publishing so that caching resolvers everywhere have picked up the new record, then switch the server to the new certificate. Sending servers can then validate against either record during the transition. Remove the old TLSA record only after the old certificate is no longer in use anywhere, and leave another TTL before removing it so that in-flight lookups still see a matching record. Using selector 1 (SPKI) avoids this dance entirely when the key pair stays the same across renewals; it becomes necessary again whenever the key is rotated.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
