In this article, we explain how to set a TLSA record within the DNS settings of your domain name.
Please note: The use of TLSA records is for advanced users. In this article, we indicate what you can do with a TLSA record and how you add it for the domain names within your control panel.
Important: We do not provide content support on setting up a TLS server or configuring TLSA records. If you want more information about this, we advise you to research this online. In the RFC you will find more information about the use and setting of TLSA records.
TLSA records (Transport Layer Security Authentication) are used to link a TLS server (X.509) certificate or 'public key' to a domain name that contains the TLSA record. This creates a so-called 'TLSA certificate association'.
Where do I add a TLSA record?
You can add all your DNS records easily and free of charge via your control panel. Go to the 'Domain & Hosting' tab and click the domain in the left column for which you want to set the TLSA record (click the domain name itself, not its checkbox).
Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings' so the TransIP settings are switched off. This will show an overview of your DNS records.
How do I set a TLSA record?
A TLSA record is made up of a series of parts. When setting a TLSA record, it is important that you stick to the right order.
- Port number
- Transport protocol
- The domain
- The 'Usage Field'
- The 'Selector Field'
- The 'Matching-Type Field'
- The hash based on the X.509 certificate
In the example below, you can see how you build a TLSA record for the root domain in your control panel.
You set up a TLSA record by starting with the name. Here you enter the port number and transport protocol.
If you enter a TLSA record for the root domain, you only have to add the port number and the transport protocol.
If you enter a TLSA record for a subdomain, enter the port number, transport protocol and subdomain.
In both cases, you do not close the name with a dot. In the image above, you see a correct entry of the name of a TLSA record for both the root domain and a subdomain.
The 'TTL' of a DNS record determines how long the record can remain in the cache. We recommend keeping the TTL low, for example at 5 minutes or 1 hour.
Because we want to set a TLSA record, choose 'TLSA' under 'Type'.
In the value, enter the 'Usage Field', the 'Selector Field', the 'Matching-Type Field' and the hash of the X.509 certificate successively.
In the image below, we have entered the following data:
- Usage Field: Certificate Authority Constraint (0)
- Selector Field: Use full certificate (0)
- Matching-Type Field: SHA-256 hash
- Hash: d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971
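As an added example (not part of this article and not TransIP's own tooling), the Python below assembles the name and value fields exactly as described above and checks a certificate against a published value, which is the test a server operator runs after renewing a certificate. It assumes you already have the DER bytes the selector points at (for example from `openssl x509 -outform DER`); the byte string in the code is a constructed stand-in, not a real certificate.

```python
import hashlib

# Field values from RFC 6698; the article's example uses usage 0,
# selector 0 and matching type 1 (SHA-256).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}


def tlsa_name(port, proto="tcp", subdomain=""):
    """Record name as typed in the control panel: no trailing dot, and the
    subdomain is appended only when the record is not for the root domain."""
    name = f"_{port}._{proto}"
    return f"{name}.{subdomain}" if subdomain else name


def certificate_association(data, matching):
    """'data' is the DER bytes chosen by the selector: the whole certificate
    (selector 0) or only its SubjectPublicKeyInfo (selector 1)."""
    if matching == 0:
        return data.hex()
    if matching == 1:
        return hashlib.sha256(data).hexdigest()
    if matching == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_value(data, usage, selector, matching):
    """The value field: usage, selector, matching type, association data."""
    if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("TLSA field out of range")
    return f"{usage} {selector} {matching} {certificate_association(data, matching)}"


def matches(record_value, data):
    """Does the DER data a server presents (already narrowed by the selector)
    match the published TLSA value? Run this after every certificate renewal."""
    _usage, _selector, matching, assoc = record_value.split()
    return assoc.lower() == certificate_association(data, int(matching))


# Constructed stand-in for DER bytes; it is not a parseable certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed, not a real certificate"

if __name__ == "__main__":
    print(tlsa_name(443), "TLSA", tlsa_value(FAKE_CERT_DER, 0, 0, 1))
```

Note that a record with usage 0 or 1 still requires the certificate to chain to a CA the client trusts, so a matching hash alone does not make the connection valid.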
Tips for setting up a TLSA record
As mentioned, we do not offer direct support for configuring a TLSA record. Of course, we can give some tips that make this a lot clearer and simpler.
This TLSA Record Generator is made by Shumon Huque and is ideally suited to create a TLSA record.
More information and explanations about the use of a TLSA record can be found in the RFC of TLSA records.
In this article, we explained how to add a TLSA record for your domain.
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
If you want to discuss this article with other users, please leave a message under 'Comments'.