Adding a TLSA Record

TLSA records allow domain name owners to associate TLS server certificates with their domain names, which provides TLS clients with an additional way to validate these TLS server certificates through the DNS.

Please refer to this document to learn about how TLSA records work and their format.

To add a TLSA record, perform the following operations:

  1. On the Domains page, click the domain where you wish to add a new record and then open the DNS tab.
  2. Select the DNS Records subtab.
  3. Click Add New DNS Record.
  4. Select the TLSA DNS record type and specify the following DNS record properties:
    • In the Service Port field, enter a service port.
    • In the Service Protocol field, enter a service protocol.
    • In the Domain field, enter the host name for which you are creating this record. If you are creating this record for the host name that matches the name of your domain, leave the field empty.
    • In the Certificate Usage field, enter a type of certificate usage.
    • In the Selector field, enter a type of selector.
    • In the Matching Type field, enter a matching type.
    • In the Certificate Association Data field, enter certificate association data.
    • TTL (Time To Live): Set how many seconds will elapse before the record is refreshed in the DNS cache. To set the TTL, choose between Default TTL and Custom. In the latter case, you must specify your own TTL for the record being created.

      Note: The TTL parameter can be edited later.

  5. Click Finish.

Examples of TLSA records:

Example 1

  Service Port: 443
  Service Protocol: tcp
  Domain: example.com.
  Certificate Usage: 3
  Selector: 1
  Matching Type: 1
  Certificate Association Data: a60a6...
  Description: With this record, clients can validate whether the certificate of the server at https://example.com meets the following requirement: the SHA-256 hash of the public key of the certificate must be equal to the SHA-256 hash specified in the record.

Example 2

  Service Port: 443
  Service Protocol: tcp
  Domain: example.com.
  Certificate Usage: 2
  Selector: 0
  Matching Type: 1
  Certificate Association Data: 9e201...
  Description: With this record, clients can validate whether the certificate of the server at https://example.com was issued by a specific CA: one of the SHA-256 hashes of the CA certificates that are in the certificate chain of the server certificate must be equal to the SHA-256 hash specified in the record.
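The two example records above, worked through in code. This is an added illustration, not CloudBlue's code: it builds a constructed, unsigned toy certificate with a fake key, derives the Certificate Association Data the way RFC 6698 defines it for each Selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and Matching Type (0 = exact, 1 = SHA-256, 2 = SHA-512), renders the record in zone-file form (`_443._tcp.example.com. IN TLSA 3 1 1 <hex>`), and applies a record to a server chain. The certificate-building helpers, the `dane_match` function and the CA name "Demo CA" are assumptions made for the example; the hash values it prints belong to the toy certificate, not to any real one.

```python
"""TLSA (RFC 6698) worked example. Added illustration, not CloudBlue's code.
Builds a constructed, unsigned toy certificate, derives the Certificate
Association Data for a given Selector / Matching Type, renders the record,
and checks a server chain against it."""
import hashlib

# ---- minimal DER encode/decode (enough for the TBSCertificate walk) ----
SEQ, INT, BITSTR, OID, NULL, UTF8, UTCTIME, SET, CTX0 = (
    0x30, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x17, 0x31, 0xA0)


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


# ---- constructed toy certificate (hypothetical key and names, no real signature) ----
RSA_ALG = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d010101")) + tlv(NULL, b""))  # rsaEncryption


def demo_spki(key_int: int = 3) -> bytes:
    """SubjectPublicKeyInfo carrying a tiny fake RSAPublicKey {n=key_int, e=3}."""
    fake_key = tlv(SEQ, tlv(INT, bytes([key_int])) + tlv(INT, b"\x03"))
    return tlv(SEQ, RSA_ALG + tlv(BITSTR, b"\x00" + fake_key))


def build_demo_cert(cn: bytes = b"example.com", key_int: int = 3) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    name = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, bytes.fromhex("550403")) + tlv(UTF8, cn))))  # CN=
    validity = tlv(SEQ, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"250101000000Z"))
    tbs = tlv(SEQ, tlv(CTX0, tlv(INT, b"\x02"))       # version v3
                   + tlv(INT, b"\x01")                 # serialNumber
                   + RSA_ALG + name + validity + name  # signature, issuer, validity, subject
                   + demo_spki(key_int))               # subjectPublicKeyInfo
    return tlv(SEQ, tbs + RSA_ALG + tlv(BITSTR, b"\x00\x00\x00\x00\x00"))  # dummy signature


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == CTX0:          # optional explicit version [0]
        pos = nxt
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, nxt = read_tlv(tbs, pos)
    if tag != SEQ:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:nxt]      # full DER SPKI, including tag and length, as RFC 6698 requires


# ---- TLSA semantics ----
def tlsa_assoc_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Selector 0 = full cert, 1 = SPKI; Matching Type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[matching_type](data)


def tlsa_rdata(usage: int, selector: int, matching_type: int, assoc: bytes) -> bytes:
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    return bytes([usage, selector, matching_type]) + assoc


def tlsa_presentation(port, proto, host, usage, selector, matching_type, assoc: bytes) -> str:
    """Zone-file form, e.g. _443._tcp.example.com. IN TLSA 3 1 1 <hex>."""
    return f"_{port}._{proto}.{host} IN TLSA {usage} {selector} {matching_type} {assoc.hex()}"


def dane_match(chain, usage: int, selector: int, matching_type: int, assoc: bytes) -> bool:
    """chain[0] is the server's end-entity certificate, the rest its CA chain.
    Usage 1/3: the end-entity cert must match. Usage 0/2: some CA cert in the
    chain must match. The PKIX path validation that usages 0 and 1 also require
    is outside this example."""
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(tlsa_assoc_data(c, selector, matching_type) == assoc for c in candidates)


if __name__ == "__main__":
    ee = build_demo_cert()                        # constructed server cert
    ca = build_demo_cert(b"Demo CA", key_int=5)   # constructed issuing CA cert
    rec1 = tlsa_assoc_data(ee, 1, 1)              # usage 3, selector 1, type 1 (Example 1)
    rec2 = tlsa_assoc_data(ca, 0, 1)              # usage 2, selector 0, type 1 (Example 2)
    print(tlsa_presentation(443, "tcp", "example.com.", 3, 1, 1, rec1))
    print(tlsa_presentation(443, "tcp", "example.com.", 2, 0, 1, rec2))
    print("3 1 1 matches server chain:", dane_match([ee, ca], 3, 1, 1, rec1))
    print("2 0 1 matches server chain:", dane_match([ee, ca], 2, 0, 1, rec2))
```

The hex string printed for each record is what goes into the Certificate Association Data field; the owner name the panel builds from Service Port, Service Protocol and Domain is the `_443._tcp.example.com.` prefix. Note that a Selector 1 record survives certificate renewal as long as the key pair is kept, while a Selector 0 record must be updated with every new certificate.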