The traditional DNS is not safe enough. This is why the security extension called DNSSEC was created. One of the record types that builds on the DNSSEC chain of trust is the TLSA record. Let’s see what it does and how.
What is a TLSA record?
The TLSA record is the TLS Authentication record. It links a public key (the TLS server certificate) to the domain name at which you publish the record. In other words, the TLSA record is the vessel for the TLS/SSL certificate’s fingerprint in the DNS zone that you manage for your domain.
To be able to trust a TLSA record, you will first need to have DNSSEC activated for the domain.
If DNSSEC secures the domain name, then the TLSA records of that domain can be trusted.
Otherwise, there is no way to validate those records properly.
What’s inside a TLSA record?
- Type: TLSA
- Host: The host of the TLS server, prefixed with the port number and the transport protocol (TCP, UDP or SCTP), e.g. _443._tcp.example.com.
- Usage: This value can be 0, 1, 2, 3, 4, or 255
  0 – CA constraint. The CA certificate, or its public key, must appear in the PKIX certification path. It limits which CA can issue a certificate for the host.
  1 – Service certificate constraint. It limits which end-entity certificate can be used by a service on the host.
  2 – Trust anchor assertion. The DNS admin can indicate a new trust anchor.
  3 – Domain-issued certificate. This is when the DNS admin issues a certificate for the domain without a third-party CA.
  4-254 – Unassigned
  255 – Private use
- Selector: This shows which part of the certificate will be matched against the data.
  0 – Full certificate
  1 – SubjectPublicKeyInfo
  2-254 – Unassigned
  255 – Private use
- Matching-type: How the selected certificate data is presented in the record.
  0 – No hash (the full selected data, matched exactly)
  1 – SHA-256
  2 – SHA-512
  3-254 – Unassigned
  255 – Private use
- Points to: The certificate association data, i.e. the hash of the selected part of the certificate (or the data itself for matching type 0).
- TTL: Time to live for the record.
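As an added example (not code from the original article), the following Python builds the RDATA of a TLSA record from a certificate according to the usage, selector and matching type fields above, and checks a presented certificate against it. The certificate is a constructed, structurally valid DER stand-in with a placeholder signature, so the snippet runs offline; the helper names are my own.

```python
import hashlib
def der(tag, body):
    """Encode one DER TLV (constructed helper; supports lengths below 65536)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def der_items(buf):
    """Yield (tag, value) for the consecutive DER TLVs in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def spki_of(cert_der):
    """Extract SubjectPublicKeyInfo (selector 1) from a DER-encoded X.509 certificate."""
    outer = next(der_items(cert_der))[1]              # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = list(der_items(next(der_items(outer))[1]))
    if fields[0][0] == 0xA0:                          # skip optional explicit [0] version
        fields = fields[1:]
    tag, body = fields[5]                             # serial, sigAlg, issuer, validity, subject, SPKI
    return der(tag, body)

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Build the TLSA RDATA 'usage selector mtype hexdata' for a certificate."""
    data = spki_of(cert_der) if selector == 1 else cert_der      # selector 0 = full certificate
    if mtype in (1, 2):
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    elif mtype != 0:                                              # 0 = exact match, no hash
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(record, presented_cert_der):
    """Data match only: usages 0-2 additionally require a PKIX path check."""
    usage, selector, mtype, _ = record.split()
    return tlsa_rdata(presented_cert_der, int(usage), int(selector), int(mtype)) == record

def fake_cert(pubkey_bytes):
    """Constructed, structurally valid X.509 DER certificate for example.com (placeholder signature)."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    alg = seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b""))  # rsaEncryption, NULL
    spki = seq(alg, der(0x03, b"\x00" + pubkey_bytes))
    name = seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x0C, b"example.com"))))  # CN
    validity = seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name, validity, name, spki)
    return seq(tbs, alg, der(0x03, b"\x00" * 9))
```

With the defaults, `tlsa_rdata(cert)` yields a "3 1 1 ..." record, the DANE-EE form that does not depend on a third-party CA; a key rotation changes the SPKI hash, so the record must be updated before the new certificate is deployed.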
Why do you need a TLSA record?
The TLSA record is part of the DANE security protocol, which improves on plain DNS protection. It serves as a tool that lets users verify a website’s TLS/SSL certificate by just performing a DNS query.
How to check a TLSA record?
You can check the TLSA record using the dig command. The record lives at the name that carries the port and protocol prefix, so query that name:
dig _443._tcp.example.com TLSA
You can also use a web-based tool like https://toolbox.googleapps.com/apps/dig/.
Can I use TLSA records if the domain’s DNSSEC is not activated?
No. If DNSSEC is disabled for a domain, you won’t be able to use TLSA records, because their validation will fail.
Conclusion
With TLSA records, we can define the matching rules between the certificate association data in the record and the certificate presented by the TLS server.
The record’s name also pins the specific port number and the protocol of the TLS service it applies to.