TLSA record generator
Domain name:
Enter the full domain name (e.g. smtp.example.com)
Transport protocol:
Enter the transport protocol (e.g. tcp, udp, quic)
Port number:
Enter the port number (e.g. 25)
Usage:
The usage field describes the kind of certificate the TLSA record should match. For SMTP, do not use PKIX-TA or PKIX-EE.
0 - Certificate Authority Constraint (PKIX-TA)
1 - Service Certificate Constraint (PKIX-EE)
2 - Trust Anchor Assertion (DANE-TA)
3 - Domain Issued Certificate (DANE-EE)
Selector:
The selector field determines whether the data contained in the TLSA record is based on the certificate's public key or on the entire certificate.
0 - Full certificate (Cert)
1 - Subject Public Key (SPKI)
Matching-Type:
The matching type field specifies how the certificate should be matched to the "Certificate Association Data" field. You normally shouldn't use full cert, as DNS providers limit the amount of text in a record.
0 - Full cert (no hash)
1 - SHA2-256 hash
2 - SHA2-512 hash
Certificate in PEM (X.509) format:
Paste the certificate in PEM (X.509) format
Generate
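What a generator like this computes from the fields above, as an added example (not this tool's own code): it picks the full certificate or its SubjectPublicKeyInfo according to the selector, hashes it according to the matching type, and prints the record in zone-file form. The function names are assumptions, and the sample input is a constructed certificate-shaped DER stand-in, not a valid certificate.

```python
import base64, hashlib

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def read_tlv(buf, off):
    """Return (tag, value_start, end) for the DER element at offset off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo element (header included) of a certificate."""
    _, off, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, off, _ = read_tlv(der, off)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, off)
    if tag == 0xA0:                     # optional explicit [0] version field
        off = end
    for i in range(5):                  # serial, sigalg, issuer, validity, subject
        off = read_tlv(der, off)[2]
    return der[off:read_tlv(der, off)[2]]

def tlsa_record(host, proto, port, usage, selector, mtype, pem):
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("usage 0-3, selector 0-1, matching type 0-2")
    der = pem_to_der(pem)
    data = der if selector == 0 else spki_from_cert(der)
    if mtype:  # 1 = SHA2-256, 2 = SHA2-512, 0 = raw data (no hash)
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {data.hex()}"

# Constructed stand-in with the field layout of a certificate (not a valid one).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only

ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))             # OID 1.3.101.112 (Ed25519)
SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(32)))  # all-zero placeholder key
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG
          + tlv(0x30, b"") * 3 + SPKI)
CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00" + bytes(8)))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("smtp.example.com", "tcp", 25, 3, 1, 1, SAMPLE_PEM))
```

With selector 1 the record data depends only on the key, so a renewed certificate that keeps the same key pair still matches the published record.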