TLSA / DANE Lookup
Query TLSA records for any TLS service. TLSA binds a TLS certificate (or its public key) to a DNS name, enabling DANE — pinning that only works over a DNSSEC-signed zone.
About the TLSA / DANE Lookup Tool
The TLSA Lookup tool queries TLSA records — the DNS-based Authentication of Named Entities (DANE) mechanism (RFC 6698). A TLSA record pins a TLS certificate, or its public key, to a specific hostname, port and protocol. When combined with a DNSSEC-signed zone, DANE lets a TLS client refuse any certificate that does not match the pin — a stronger guarantee than the public CA system alone.
Every TLSA record has three fields: usage (0/1/2/3 — PKIX-TA, PKIX-EE, DANE-TA, DANE-EE), selector (0/1 — Cert or SPKI), and matching type (0/1/2 — Full, SHA-256, SHA-512). Together they describe exactly which certificate association to enforce. TLSA is queried at the label `_port._proto.host`, e.g. `_25._tcp.mail.example.com` for SMTP.
DANE is most widely deployed for SMTP: mail servers that publish TLSA records force other mail servers to use TLS with a specific certificate, preventing downgrade attacks. Use TLSA Lookup to audit your own DANE deployment, or to investigate why an inbound MTA is rejecting your certificate. DANE requires DNSSEC — check our DNSSEC Checker first.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- Custom port and protocol (tcp/udp/sctp)
- Human-readable usage, selector and matching-type names
- Perfect for SMTP DANE deployment audits
- Runs over DoH — no dig required