
Setting a TLSA record

In this article, we explain how to set a TLSA record within the DNS settings of your domain name.

Please note: The use of TLSA records is for advanced users. In this article, we indicate what you can do with a TLSA record and how you add it for the domain names within your control panel.

Important: We do not provide support for the contents of a TLS server setup or of a TLSA record configuration. If you want more information about this, we advise you to research it online. The RFC for TLSA records contains more information about their use and how they are set.

TLSA records (Transport Layer Security Authentication) are used to link a TLS server's X.509 certificate or public key to the domain name at which the TLSA record is published. This creates a so-called 'TLSA certificate association'.


Where do I add a TLSA record?

You can add all your DNS records easily and free of charge via your control panel. Go to the 'Domain & Hosting' tab and, in the left column, click the name of the domain for which you want to set the TLSA record (click the name itself, do not tick its checkbox).

Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings' so that the TransIP settings are switched off. This will show an overview of your DNS records.

[Image: advanced domain settings]


How do I set a TLSA record?

A TLSA record is made up of a series of parts. When setting a TLSA record, it is important that you stick to the right order.

  • Port number
  • Transport protocol
  • The domain
  • The 'Usage Field'
  • The 'Selector Field'
  • The 'Matching-Type Field'
  • The hash based on the X.509 certificate

In the example below, you can see how you build a TLSA record for the root domain in your control panel.

[Image: TLSA record]


Name

You set up a TLSA record by starting with the name. Here you enter the port number and the transport protocol.

If you enter a TLSA record for the root domain, you only have to add the port number and the transport protocol.

[Image: TLSA name]

If you enter a TLSA record for a subdomain, enter the port number, transport protocol and subdomain.

[Image: TLSA subdomain name]

In both cases, you do not close the name with a dot. In the image above, you see a correct entry of the name of a TLSA record for both the root domain and a subdomain.


TTL

The 'TTL' of a DNS record determines how long the record can remain in the cache. We recommend keeping the TTL low, for example at 5 minutes or 1 hour.


Type

Because we want to set a TLSA record, choose 'TLSA' under 'Type'.


Value

In the value, enter the 'Usage Field', the 'Selector Field', the 'Matching-Type Field' and the hash of the X.509 certificate successively.

In the image below, we have entered the following data:

[Image: TLSA record example]

  • Usage Field: Certificate Authority Constraint (0)
  • Selector Field: Use full certificate (0)
  • Matching-Type Field: SHA-256 hash (1)
  • Hash: d2abde240d7cd3ee6b4b28c54df034b97983a1d16e8a410e4561cb106618e971
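The worked example below is added here and is not TransIP's own code. It builds the two halves of a record as described above (the `_port._proto[.subdomain]` name and the `usage selector matching-type hash` value, with the field ranges from RFC 6698) and, from the defender's side, checks a published value against the certificate a server actually serves. The certificate is a constructed DER stand-in, not a real certificate; the SPKI extraction (selector 1) walks the real X.509 layout.

```python
import hashlib, hmac

def _der(tag: int, body: bytes) -> bytes:          # short-form length only (sample data)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _tlv(buf: bytes, pos: int):                    # decode one TLV -> (tag, body, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (selector 1) of an X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)      # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        end = _tlv(tbs, pos)[2]
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]    # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_owner(port: int, proto: str, domain: str = "") -> str:
    """Record name as typed in the panel: _port._proto[.subdomain], no trailing dot."""
    return f"_{port}._{proto}" + (f".{domain}" if domain else "")

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Record value: 'usage selector matching-type certificate-association-data'."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("field value outside the RFC 6698 range")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching == 0:
        assoc = data.hex()                         # exact match: the full DER as hex
    else:
        assoc = (hashlib.sha256 if matching == 1 else hashlib.sha512)(data).hexdigest()
    return f"{usage} {selector} {matching} {assoc}"

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Check a published TLSA value against the certificate a server actually serves."""
    usage, selector, matching, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching))
    return hmac.compare_digest(expected.split()[3], assoc.lower())

# Constructed stand-in for a certificate: realistic DER layout, meaningless contents.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                   + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x11" * 40))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
                   + _der(0x30, b"") * 3 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

With a real certificate, pass its DER bytes instead of SAMPLE_CERT; the record in the control panel above corresponds to `tlsa_rdata(cert, 0, 0, 1)` under the name `tlsa_owner(443, "tcp")`, and a mismatch from `tlsa_matches` after a certificate renewal means the record must be updated before clients that validate DANE reject the connection.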

Tips for setting up a TLSA record

As mentioned, we do not offer direct support for configuring a TLSA record. We can, of course, give some tips that make this a lot clearer and simpler.

This TLSA Record Generator is made by Shumon Huque and is ideally suited to create a TLSA record.

More information and explanations about the use of a TLSA record can be found in the RFC of TLSA records.



In this article, we explained how to add a TLSA record for your domain.

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.
