TLSA Record Lookup Tool

Check TLSA records instantly across global resolvers to validate your DANE configuration and TLS certificate pins.

How to troubleshoot DANE and Certificate Pinning with a TLSA Lookup

TLSA records are used to cryptographically bind a TLS/SSL certificate to a domain name using DANE. Enter your domain name above to query its active TLSA records. Note: TLSA records are queried using a specific port and protocol format (e.g., _443._tcp.www.example.com or _25._tcp.mail.example.com). Ensure you query the exact hostname string.

Interpreting your TLSA results

  • DNSSEC Dependency: For a TLSA record to be trusted by clients, your domain must have DNSSEC enabled. If DNSSEC is broken or disabled, the TLSA record will be ignored.
  • Certificate Hash Mismatch: If the hash in your TLSA record does not match the SSL certificate currently installed on your server, strict DANE validators will reject the connection entirely. Always update your TLSA records before rolling over to a new certificate.
  • Usage, Selector, and Matching Type: The result will show three numbers before the hash (e.g., 3 1 1). These dictate how the client should verify the certificate (e.g., checking the exact public key vs the full certificate, using SHA-256 vs SHA-512).
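The check described in the list above, as an added example (not this tool's code): it builds the query name, decodes the three numbers using the field values from RFC 6698, and compares the record data with the served certificate, including a rollover where both pins are published. The function names are hypothetical and the byte strings are constructed stand-ins for DER-encoded data.

```python
import hashlib
import hmac

# Field values as defined in RFC 6698, sections 2.1.1 to 2.1.3.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact match", 1: "SHA-256", 2: "SHA-512"}
DIGEST_LEN = {1: 32, 2: 64}

def tlsa_owner_name(host, port=443, proto="tcp"):
    """Name that is actually queried, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}"

def parse_tlsa(rdata):
    """Parse presentation-format RDATA such as '3 1 1 <hex>'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected: usage selector matching-type data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE or selector not in SELECTOR or mtype not in MATCHING:
        raise ValueError("unknown usage, selector or matching type")
    data = bytes.fromhex("".join(parts[3:]))  # hex may be split by whitespace
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("data length does not fit the matching type")
    return usage, selector, mtype, data

def association_data(selector, mtype, cert_der, spki_der):
    """What the record must contain for the certificate being served."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    return hashlib.new("sha256" if mtype == 1 else "sha512", selected).digest()

def rrset_matches(rrset, cert_der, spki_der):
    """True if any record matches. The usage field decides which certificate
    in the chain is compared; the served end-entity certificate is assumed
    here (usage 1 or 3)."""
    for rdata in rrset:
        _, selector, mtype, data = parse_tlsa(rdata)
        if hmac.compare_digest(data, association_data(selector, mtype, cert_der, spki_der)):
            return True
    return False

# Constructed stand-ins for DER bytes exported from the old and new certificates.
OLD_SPKI, NEW_SPKI = b"constructed-old-spki", b"constructed-new-spki"
OLD_CERT, NEW_CERT = b"cert:" + OLD_SPKI, b"cert:" + NEW_SPKI
PUBLISHED = "3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest()
# Rollover: publish the new pin next to the old one before switching certificates.
ROLLOVER_RRSET = [PUBLISHED, "3 1 1 " + hashlib.sha256(NEW_SPKI).hexdigest()]
```

With only `PUBLISHED` in DNS the new certificate fails the check; with `ROLLOVER_RRSET` both the old and the new certificate pass, so the switch can happen at any point after the records have propagated.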