A DANE/TLSA records exsists of the following items:
_[port]._[protocol].[domain] TLSA [usage] [selector] [matching type] [certificate hash]
The port which will be used by the end-user. This will be 443 or 25.
The protocol will almost always be tcp, but maybe in the future also udp will be used.
The full name of the website or hostname. Wildcards don't exsists, so every entry has to be added.
This one will describes the kind of certificate the TLSA record should match with.
| usage | description |
|---|---|
| 0 PKIX-TA | PKI trust anchor certificate (the PKI CA certificate in the chain). Do not use with SMTP. |
| 1 PKIX-EE | PKI 'end-entity' certificate (the PKI certificate for the domain). Do not use with SMTP. |
| 2 DANE-TA | trust anchor certificate (the CA certificate in the chain) |
| 3 DANE-EE | 'end-entity' certificate (the certificate for the domain) |
For e-mail (SMTP) applications, this value must be either 2 (DANE-TA) or 3 (DANE-EE). Values usage=0 and usage=1 should not be used for SMTP (see rfc7672 section 3.1.3).
Because Certificate Authorities may use multiple trust anchors, or may rotate their keys, it is most common to use usage=3 (DANE-EE) for DANE with SMTP.
The second value in the TLSA record is the 'selector' field, it determines if the data contained in the TLSA record is based on the certificate public key, or the entire certificate.
| selector | benefit | consequence |
|---|---|---|
| 0 | (full certificate) | Allows for effective revocation of a certificate TLSA must be renewed with each certificate renewal |
| 1 | (subject public key) | TLSA record requires no renewal on certificate renewal (unless key is changed) TLSA record renewal may be forgotten on eventual key rotation |
The third value in the TLSA record is the 'matching' field, it determines how the value in 'certificate association data' should be matched to the 'selector'.
The matching field specifies how the certificate should be matched to the Certificate Association Data field. This applies to the content specified in the Selector field.
| value | certificate part |
|---|---|
| 0 | Exact match |
| 1 | SHA2-256 hash digest |
| 2 | SHA2-512 hash digest |
Here will follow some examples about creating the certificate hash. Keep in mind that if you use sha512, you have to change the values below also. And keep in mind that you use the right certificate. For example, if you use a trust anchor certificate (usage=2), than only use that certificate, not the end-user one. If there are multiple certificates in the file, OpenSSL will only use the first one.
openssl x509 -in certificate.pem -outform DER | sha256sum
openssl x509 -in certificate.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
A webserver listening on https://www.example.com and https://example.com on port 443, with a check on the full end-user certificate and with a hash op SHA-256, will have the next two DANE records:
_443._tcp.example.com TLSA 3 0 1 370c66fd4a0673ce1b62e76b819835dabb20702e4497cb10affe46e8135381e7
_443._tcp.www.example.com TLSA 3 0 1 370c66fd4a0673ce1b62e76b819835dabb20702e4497cb10affe46e8135381e7