Diagnostic suite · live

TLSA / DANE Lookup

Query TLSA records for any TLS service. TLSA binds a TLS certificate (or its public key) to a DNS name, enabling DANE — pinning that only works over a DNSSEC-signed zone.

About the TLSA / DANE Lookup Tool

The TLSA Lookup tool queries TLSA records — the DNS-based Authentication of Named Entities (DANE) mechanism (RFC 6698). A TLSA record pins a TLS certificate, or its public key, to a specific hostname, port and protocol. When combined with a DNSSEC-signed zone, DANE lets a TLS client refuse any certificate that does not match the pin — a stronger guarantee than the public CA system alone.

Every TLSA record has three fields: usage (0/1/2/3 — PKIX-TA, PKIX-EE, DANE-TA, DANE-EE), selector (0/1 — Cert or SPKI), and matching type (0/1/2 — Full, SHA-256, SHA-512). Together they describe exactly which certificate association to enforce. TLSA is queried at the label `_port._proto.host`, e.g. `_25._tcp.mail.example.com` for SMTP.

DANE is most widely deployed for SMTP: mail servers that publish TLSA records force other mail servers to use TLS with a specific certificate, preventing downgrade attacks. Use TLSA Lookup to audit your own DANE deployment, or to investigate why an inbound MTA is rejecting your certificate. DANE requires DNSSEC — check our DNSSEC Checker first.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Custom port and protocol (tcp/udp/sctp)
  • Human-readable usage, selector and matching-type names
  • Perfect for SMTP DANE deployment audits
  • Runs over DoH — no dig required
Related searches: tlsa record lookup · dane check · smtp dane · dns tls certificate association · rfc 6698 · dane validator

Frequently asked questions

DANE (DNS-based Authentication of Named Entities) uses DNSSEC-signed TLSA records to bind a TLS certificate to a hostname, port and protocol. It replaces or supplements the public CA trust model with a pin published by the domain owner.