Your company here ā€” click to reach over 10,000 unique daily visitors

tlsa - Man Page

Create and verify RFC-6698 TLSA DNS records


tlsa [-h] [--verify] [-create] [--version] [-4] [-6] [--insecure] [--resolv.conf /PATH/TO/RESOLV.CONF] [--port PORT] [--starttls {auto,smtp,imap,pop3,ftp}] [--protocol {tcp,udp,sctp}] [--only-rr] [--rootkey /PATH/TO/ROOT.KEY] [--ca-cert /PATH/TO/CERTSTORE] [--debug] [--quiet] [--certificate CERTIFICATE] [--output {rfc,generic,both}] [--usage {0,1,2,3}] [--selector {0,1}] [-mtype {0,1,2}] hostname


tlsa generates RFC-6698 TLSA DNS records. To generate these records for older nameserver implementations that do not yet support the TLSA record, specify --output generic to output the tlsa data in Generic Record (RFC-3597) format. Records are generated by connecting to the website using SSL and grabbing the (EE) certificate and the CA chain. Depending on the type and selector used, this information is used to generate TLSA records. Currently. tlsa has no AXFR support for en-mass TLSA record generation.



Create a TLSA record


Verify a TLSA record

--protocol tcp | udp | sctp

Use a specific transport protocol (default: tcp)

--resolvconf FILE

Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass empty value (--resolvconf="") to disable default.

--port PORT

Use specified port (default: 443)

--starttls no | smtp | imap | pop3 | ftp

Start script type for protocols which need special commands to start a TLS connection. Supported are 'ftp' (port 21), 'smtp' (port 25), 'pop3' (port 110) and 'imap' (port 143). The default selects the type based on the port number. The value 'no' overrides auto detection.


Only print the DNS TLSA record

--certificate file.crt

Use specified certificate file, instead of retrieving the certificate from the server. Can be a single cert or a complete chain.

--ca-cert directory

Use specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)

--rootkey filename

Use specified file to read the DNSSEC root key (in anchor or bind format)

--output rfc | generic | both

Output format of TLSA record. "TLSA" for rfc, "TYPE52" for generic (default: rfc)

--usage 0 | 1 | 2 | 3

Usage type: public CA (0), EE match validated by public CA (1), private CA (2), private EE (3) (default: 3)

--selector 0 | 1

The selector type describes what the type covers - full certificate (0) or public key (1) (default: 0)

--mtype 0 | 1 | 2

Type of the TLSA data. Exact match on content (0), SHA256 (1) or SHA512 (2) (default: 0)

If neither create or verify is specified, create is used.


tlsa requires the following python libraries: unbound, m2crypto, argparse and ipaddr


ipv4/ipv6 handling


typical usage:

tlsa www.fedoraproject.org

tlsa --verify -4 nohats.ca

tlsa --create --insecure fedoraproject.org

See Also

sshfp(1), ssh-keygen(1) and RFC-6698




Pieter Lexis <pieter.lexis@os3.nl>

Referenced By


December 7, 2015 Paul Wouters Internet / DNS