Setting a TLSA record

In this article we will show you how to set a TLSA record within the DNS settings of your domain name.

Please note: The use of TLSA records is for advanced users only. In this article, we indicate what you can do with a TLSA record and how you add it for the domain names within your control panel.

Important: We do not provide support on setting up a TLS server or configuring TLSA records. If you want more information about this, we advise you to research this online. In the RFC you will find more information about the use and setting of TLSA records.

TLSA records are defined in RFC 6698 as part of DANE (DNS-Based Authentication of Named Entities); 'TLSA' is not an acronym. A TLSA record associates a TLS server's X.509 certificate or public key with the domain name that carries the record. This is called a 'TLSA certificate association'. Note that a TLSA record only provides security when the zone it lives in is DNSSEC-signed: a client that cannot validate the record with DNSSEC must ignore it.


Where do I add a TLSA record?

You can add all your DNS records easily and free of charge via your control panel. Go to the 'Domain & Hosting' tab and select the domain in the left column for which you want to set the TLSA record (don't check the box).

Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings' so the TransIP settings are switched off. The DNS records of your domain name will become visible, after which you can change them at will.


How do I set a TLSA record?

A TLSA record is made up of a series of elements. When setting a TLSA record, it is important that you stick to the right order:

  • Port number
  • Transport protocol
  • The domain
  • The 'Usage Field'
  • The 'Selector Field'
  • The 'Matching-Type Field'
  • The certificate association data: the (hash of the) X.509 certificate or public key, depending on the selector and matching type

In the example below, you can see how you build a TLSA record for the root domain in your control panel.

tlsa record


Name

You set up a TLSA record by starting with the name. This is where you enter the port number and transport protocol, each prefixed with an underscore, in the form '_port._protocol', for example '_443._tcp' for HTTPS.

If you enter a TLSA record for the root domain, you only have to add the port number and the transport protocol ('_443._tcp'); the control panel appends the domain name.

tlsa name

If you enter a TLSA record for a subdomain, enter the port number, transport protocol and subdomain, for example '_443._tcp.www' for www.yourdomain.

tlsa subdomain name

In both cases, you do not close the name with a dot. In the image above, you see a correct entry of the name of a TLSA record for both the root domain and a subdomain.


TTL

The 'TTL' of a DNS record determines how long the record can remain in the cache. We recommend keeping the TTL low, for example at 1 or 5 minutes. A low TTL matters for TLSA records in particular: when you replace your certificate or key, clients that still hold an old TLSA record in their cache will refuse the new certificate, so publish the new record before the switch and keep the old one until all caches have expired.


Type

Because we're setting a TLSA record, we choose 'TLSA' under 'Type'.


Value

In the value, enter the 'Usage Field', the 'Selector Field', the 'Matching-Type Field' and the certificate association data (the hash, or the full certificate or public key) successively, separated by spaces.

In the image below, we have entered the following data:

tlsa record example

  • Usage Field: Certificate Authority Constraint (0), also called PKIX-TA
  • Selector Field: Use full certificate (0)
  • Matching-Type Field: SHA-256 hash (1)
  • Hash: d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971

Note that usage 0 (and 1) still requires the client to perform normal PKIX validation of the certificate chain; the TLSA record only adds a constraint on which CA (or which end-entity certificate) is acceptable. Usage 3 (DANE-EE) pins the server certificate or key directly and needs no CA trust, which is why '3 1 1' (end-entity, public key, SHA-256) is the most common choice in practice. With selector 1, the record keeps matching across certificate renewals as long as the key pair is reused.
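The following added example (written for this article, not code from TransIP or from the RFC) shows how the name and the value described above are derived from a certificate. It builds a constructed, structurally valid but unsigned X.509 certificate in DER (labelled as such; not a real certificate), extracts the SubjectPublicKeyInfo for selector 1 with a minimal DER parser, applies the matching type, and assembles the record. It also shows the client-side check: which certificate in the presented chain a record with a given usage is compared against. The function names, the sample key bytes and the serial numbers are assumptions for the example.

```python
"""Build and check TLSA certificate association data (RFC 6698).

Added example: the certificate below is CONSTRUCTED (well-formed DER, not
signed, not a real key) so that the code runs offline.
"""
import hashlib

# --- minimal DER helpers -----------------------------------------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_read(buf: bytes, off: int):
    """Return (tag, content_start, content_end) for the TLV at buf[off]."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def der_children(buf: bytes, start: int, end: int):
    """List (tag, tlv_start, tlv_end) for every element of a constructed value."""
    items, off = [], start
    while off < end:
        tag, _, tlv_end = der_read(buf, off)
        items.append((tag, off, tlv_end))
        off = tlv_end
    return items

# --- constructed certificate (assumption: placeholder key and names) ---------
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
DEMO_KEY = seq(der(0x02, b"\x00" + b"\xc0" * 32), der(0x02, b"\x01\x00\x01"))

def demo_cert(serial: int, key: bytes = DEMO_KEY) -> bytes:
    """X.509 v3 Certificate DER with empty names and a zeroed signature."""
    version = der(0xA0, der(0x02, b"\x02"))            # [0] EXPLICIT INTEGER 2
    sig_alg = seq(der(0x06, SHA256_WITH_RSA), der(0x05, b""))
    name = seq()                                       # empty Name
    validity = seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    spki = seq(seq(der(0x06, RSA_ENCRYPTION), der(0x05, b"")), der(0x03, b"\x00" + key))
    tbs = seq(version, der(0x02, bytes([serial])), sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, der(0x03, b"\x00" + b"\x00" * 16))

# --- TLSA: selector, matching type, owner name, rdata ------------------------
def extract_spki(cert_der: bytes) -> bytes:
    """Selector 1: the DER SubjectPublicKeyInfo inside tbsCertificate."""
    _, s, e = der_read(cert_der, 0)                    # Certificate SEQUENCE
    _, tbs_start, _ = der_children(cert_der, s, e)[0]  # tbsCertificate
    _, ts, te = der_read(cert_der, tbs_start)
    fields = der_children(cert_der, ts, te)
    idx = 6 if fields[0][0] == 0xA0 else 5             # version field is optional
    _, fs, fe = fields[idx]
    return cert_der[fs:fe]

SELECTOR = {0: lambda c: c, 1: extract_spki}           # Cert(0) / SPKI(1)
MATCHING = {0: lambda d: d,                            # Full(0)
            1: lambda d: hashlib.sha256(d).digest(),   # SHA2-256(1)
            2: lambda d: hashlib.sha512(d).digest()}   # SHA2-512(2)

def tlsa_owner(port: int, proto: str, domain: str) -> str:
    """Owner name, e.g. _443._tcp.example.com (no trailing dot, as in the panel)."""
    return f"_{port}._{proto}.{domain}"

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    data = MATCHING[mtype](SELECTOR[selector](cert_der))
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(rdata: str, chain: list) -> bool:
    """Compare a (DNSSEC-validated!) record with the presented chain, EE first.

    Usage 1/3 are checked against the end-entity cert, usage 0/2 against an
    issuer in the chain. PKIX validation (usage 0/1) and checking that the
    chain really leads to the matched TA (usage 2) are outside this helper.
    """
    parts = rdata.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    want = bytes.fromhex("".join(parts[3:]))           # hex may be split by spaces
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown usage {usage}")
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(MATCHING[mtype](SELECTOR[selector](c)) == want for c in candidates)

if __name__ == "__main__":
    cert = demo_cert(1)
    print(tlsa_owner(443, "tcp", "example.com"), "IN TLSA", tlsa_rdata(cert, 3, 1, 1))
    # Same key, new serial: a '3 1 1' record still matches, a '3 0 1' record does not.
    renewed = demo_cert(2)
    print(tlsa_matches(tlsa_rdata(cert, 3, 1, 1), [renewed]),
          tlsa_matches(tlsa_rdata(cert, 3, 0, 1), [renewed]))
```

To use this on a real certificate, read the DER bytes (for PEM input, `ssl.PEM_cert_to_DER_cert` from the standard library converts it) and call `tlsa_rdata(der_bytes, 3, 1, 1)`; the string it returns is exactly what goes into the 'Value' field, and `tlsa_owner` gives the name. Whatever tool you use, re-derive the record from the certificate you actually serve and compare it before relying on it: a record that matches the wrong certificate locks clients out of the site.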

Tips for setting up a TLSA record

As mentioned, we do not offer direct support for configuring a TLSA record. Of course, we can give you some tips that make this a lot clearer and simpler.

This TLSA Record Generator is made by Shumon Huque and is ideally suited for creating a TLSA record.

More information and explanations about the use of a TLSA record can be found in the RFC of TLSA records.


In this article we explained how to configure TLSA records in your control panel. For a general explanation about other DNS records and entering them, see the article ‘DNS and nameservers'.

If you have any questions regarding this article, please contact our support team. You can reach them using the 'Contact us' button below or via the 'Contact' button inside your control panel.

If you wish to discuss this article with other users, feel free to leave a comment below.
