A Transport Layer Security Authentication (TLSA) record is a DNS record that supports TLS, the protocol that secures communication across the internet with channel encryption. The TLSA record associates a TLS server certificate or public key with the domain name where the record is found, forming a "TLSA Certificate Association."
A TLSA record consists of the following fields:

- Host - The hostname for the record, entered either as a simple, one-part name or as a Fully Qualified Domain Name (FQDN), with or without a trailing dot. Examples:
  - hostname
  - hostname.example.biz
  - hostname.example.biz.
  - example.biz
  - example.biz.
- Port - Enter an integer value between 0 and 65535.
- Service - Select one of the following options from the dropdown menu:
  - tcp – Transmission Control Protocol
  - udp – User Datagram Protocol
  - sctp – Stream Control Transmission Protocol
- Selector - The Selector field specifies which part of the TLS certificate presented by the server will be matched against the association data. Select one of the options from the dropdown menu:
  - Full Certificate - The certificate binary structure.
  - SubjectPublicKeyInfo – The Distinguished Encoding Rules (DER) encoded binary structure of the public key.
- Matching - The Matching Type specifies how the certificate association is presented. Select one of the following options from the dropdown menu:
  - 0 - An exact match of the selected content.
  - 1 - SHA-256 hash match of the selected content.
  - 2 - SHA-512 hash match of the selected content.

  If the TLSA record's matching type is a hash, having the record use the same hash algorithm that was used in the signature of the certificate (if possible) will assist clients that support only a small number of hash algorithms.
- Usage - Select one of the following options from the dropdown menu:
  - 0 (CA Constraint) - The certificate or public key MUST be found in one of the Public Key Infrastructure using X.509 (PKIX) certification paths for the end entity certificate given by the server in Transport Layer Security (TLS). This usage limits which CAs can be used to issue certificates for a given service.
  - 1 (Service Certificate Constraint) - Used to specify an end entity certificate (or the public key) that MUST be matched with the end entity certificate given by the server in TLS. This usage limits which end entity certificate can be used by a given service on a host.
  - 2 (Trust Anchor Assertion) - Used to specify a certificate (or the public key) that MUST be used as the "trust anchor" when validating the end entity certificate given by the server in TLS. This usage allows a domain administrator to specify a trust anchor, for example when the domain issues its own certificates under its own CA that is not expected to be in the end user's collection of trust anchors.
  - 3 (Domain-Issued Certificate) - Used to specify a certificate (or the public key) that MUST match the end entity certificate given by the server in TLS. This usage allows a domain name administrator to issue certificates for a domain without involving a third-party CA. This certificate does NOT need to pass PKIX validation.
- Data - Enter the certificate association data as a hexadecimal string: the Full Certificate or SubjectPublicKeyInfo chosen by the Selector, either exact or hashed according to the Matching type.
- TTL
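As an added example (not part of this page or of the hosting provider's software), the following Python derives the Data field from a DER certificate for each Selector and Matching combination and assembles the full record under the `_<port>._<service>.<host>.` owner name. The certificate is a constructed, unsigned X.509 skeleton built inline, and all helper names are my own.

```python
import hashlib
# Minimal DER helpers (definite-length encoding only); enough for the X.509 outer layout.
def _der_len(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:     # used only to build the constructed sample certificate
    return bytes([tag]) + _der_len(len(body)) + body

def elements(data: bytes) -> list:
    """Split concatenated DER elements into (tag, value, raw_tlv) tuples."""
    i, out = 0, []
    while i < len(data):
        tag, ln, j = data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, j = int.from_bytes(data[j:j + n], "big"), j + n
        out.append((tag, data[j:j + ln], data[i:j + ln]))
        i = j + ln
    return out

def selector_data(cert_der: bytes, selector: int) -> bytes:
    """Selector 0 = Full Certificate; 1 = DER SubjectPublicKeyInfo taken from tbsCertificate."""
    if selector == 0:
        return cert_der
    fields = elements(elements(elements(cert_der)[0][1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                     # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]          # serial, sigAlg, issuer, validity, subject, SPKI (raw TLV)

def association_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Hex Data field: matching type 0 = exact content, 1 = SHA-256, 2 = SHA-512."""
    sel = selector_data(cert_der, selector)
    return {0: sel, 1: hashlib.sha256(sel).digest(), 2: hashlib.sha512(sel).digest()}[matching].hex()

def tlsa_record(host, port, service, usage, selector, matching, cert_der, ttl=3600) -> str:
    """Owner name is _<port>._<service>.<host>.; a trailing dot on host is accepted, as in the form."""
    if not (0 <= port <= 65535 and service in ("tcp", "udp", "sctp") and 0 <= usage <= 3):
        raise ValueError("port 0-65535, service tcp/udp/sctp, usage 0-3")
    data = association_data(cert_der, selector, matching)
    return f"_{port}._{service}.{host.rstrip('.')}. {ttl} IN TLSA {usage} {selector} {matching} {data}"

# Constructed, unsigned certificate skeleton with the real X.509 field order (not a real certificate).
_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))                 # sha256WithRSAEncryption
_name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"hostname.example.biz"))))
_validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + bytes(range(32))))
_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + _alg + _name + _validity + _name + SPKI)
SAMPLE_CERT = tlv(0x30, _tbs + _alg + tlv(0x03, b"\x00" + bytes(64)))
```

Calling `tlsa_record("hostname.example.biz.", 443, "tcp", 3, 1, 1, SAMPLE_CERT)` yields a usage 3 / selector 1 / matching 1 record, the common combination for a self-managed service certificate; with a real server certificate, replace `SAMPLE_CERT` with its DER bytes.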