| |

Generate TLSA Record from the command line for DANE and DNSSEC.

If DNSEC is enabled for your domain, you should also create a TSLA record to implement DANE (DNS-based Authentication of Named Entities) to properly authenticate your domain.

Although online tools exist to generate a TSLA record, you can also do it from the command line on the server where the SSL certificate is stored.

In this tutorial, we assume you are working with Ubuntu and you are logged in as root, so switch to root user if you are not already.

sudo -i

Install the “hash-slinger” package.

apt install hash-slinger

In the following example we will be creating a TLSA record for a web server on port 443, but of course you can also use the command for a mail server on port 25, for example.

tlsa --create --selector 1 -p 443 --certificate /etc/acme/certs/example.com_ecc/fullchain.cer example.com
_443._tcp.example.com. IN TLSA 3 1 1 a5c90a4fdf88297b3e33ff84e1d307a41fddf07bce95c5e09eb9382988b86aaa

Now take the above information to create a TLSA record in the DNS server assigned to the domain.