Free DANE TLSA Record Checker

Validate DANE (DNS-based Authentication of Named Entities) TLSA records for your domain. Verify TLS certificate pinning over DNSSEC without relying on traditional certificate authorities.

No signup

Instant check

100% free

What Is DANE?

DANE (DNS-based Authentication of Named Entities) is a protocol that uses DNSSEC-signed TLSA records to authenticate TLS certificates without relying on traditional certificate authorities. It provides an additional layer of trust by binding certificates to DNS records, preventing fraudulent certificates from being accepted by validating clients.

Why It Matters

DANE eliminates dependence on the CA trust model, prevents fraudulent certificate issuance, and provides a cryptographically verifiable alternative for certificate validation using DNSSEC.

Common Mistakes

Publishing TLSA records without DNSSEC, incorrect certificate hash values, not updating TLSA records after certificate renewal, and using usage=3 without pinning a specific CA are common errors.

_443._tcp TLSA

usage=3 selector=1

DNSSEC: SIGNED

VALIDATED

DANE_ENGINE_V2

TRUSTED

How It Works

Input Domain

Type your domain into the DANE checker.

Check DNSSEC

We verify the domain zone is DNSSEC-signed.

Query TLSA

We retrieve TLSA records from _port._tcp.yourdomain.

Validate Records

We check usage, selector, matching type, and certificate data.

TLSA Record Detection

Queries DNS for TLSA records under service-specific names like _443._tcp.yourdomain. Verifies the records exist and are properly formatted.

DNSSEC Validation

Checks that the domain zone is DNSSEC-signed. DANE is only secure when combined with DNSSEC; unsigned zones cannot prevent DNS spoofing of TLSA records.

Usage Type Analysis

Parses the TLSA usage field (0-3). Usage=3 (Domain-issued certificate / DANE-EE) is the most common and pins your exact certificate without CA dependency.

Selector Parsing

Checks the selector field (0=full certificate, 1=public key only). Selector=1 is recommended as it allows certificate renewal without updating the TLSA record.

Matching Type Check

Validates the matching type (0=exact match, 1=SHA-256 hash, 2=SHA-512 hash). SHA-256 (type 1) is recommended for compact, secure pinning.

Certificate Data Display

Shows the raw certificate association data (hash or full certificate). Use this to verify your TLSA record matches your current certificate.

Frequently Asked Questions

What is DANE?

DANE (DNS-based Authentication of Named Entities) is a protocol that uses DNSSEC-signed TLSA records to authenticate TLS certificates. It provides an alternative to traditional certificate authority validation by binding certificates directly to DNS.

How does DANE work?

You publish TLSA records in DNS under _port._tcp.yourdomain (e.g., _443._tcp). These records specify how clients should validate the TLS certificate. DNSSEC ensures the TLSA records cannot be tampered with.

What is the difference between DANE and MTA-STS?

DANE uses DNSSEC-signed TLSA records at the DNS layer to validate certificates. MTA-STS uses an HTTPS-hosted policy file at the application layer. DANE is more deeply integrated into the DNS infrastructure; MTA-STS is easier to deploy without DNSSEC.

Does DANE require DNSSEC?

Yes. Without DNSSEC, an attacker could spoof TLSA records just like they could spoof any DNS record. DNSSEC cryptographic signatures are what make DANE trustworthy.

What TLSA usage type should I use?

Usage=3 (DANE-EE / Domain-issued certificate) is most common for self-signed or private CA certificates without relying on public CAs. Usage=2 trusts a specific CA. Usage=0 builds a PKIX chain with an additional TLSA constraint.

Is this DANE checker free?

Yes, this tool is 100% free with no signup required. For automated DANE monitoring, TLSA record change detection, and DNSSEC validation tracking, upgrade to CyberFurl Pro.

Related Security Tools

DNSSEC Checker

DNS security validation

MTA-STS Checker

SMTP TLS policy

SSL Checker

TLS certificate health

Need Continuous DANE Monitoring?

Automate DANE TLSA record checks, track DNSSEC signing status, and get alerted when TLSA records no longer match your certificates or DNSSEC validation fails.

Start Free Trial View Pricing