Adding TLSA Records
Posted: Wed Jun 04, 2025 2:12 am
TLSA records can be complex for non-technical users. They require a good understanding of DNS and TLS concepts.
While adding TLSA records might seem like a "costly" process due to its complexity, the actual financial cost is usually negligible, with the main expense being the time and effort required to manage them correctly.
Before applying TLSA records, DNSSEC needs to be enabled and functional on the domain. TLSA records can only be trusted if DNSSEC is enabled, as they rely on DNSSEC signatures for validation.
First you may want to find out what you are dealing with: is it named (BIND) or pdns (PowerDNS)? To locate named, for example, inside your Linux installation, you can use the whereis command or command -v in your terminal to confirm where the named binary is installed. whereis searches a set of predefined directories for the program, while command -v prints the full path of the executable. Either of these in a terminal session will show you the exact path to the named executable:
Code:
whereis named
Code:
command -v named
Next, use the terminal to find your zone files.
In a standard Linux installation of BIND, the DNS zone files are typically located in the /var/named directory. Specifically, the zone file for a domain like "example.com" might be stored in a file named master-example.com within this directory.
1. As an example, this time using pdns, you can manually open the zone file you are interested in, for example in nano, then write your TLSA records, save the file and restart the service.
Code:
cd /var/named
ls
nano example.com.db
2. Or use a command:
Code:
pdnsutil dnsupdate example.com --type TLSA --name _25._tcp.example.com --ttl 3600 --content "3 0 1 somehash"
3. Or through a GUI, or even with the help of an online generator like Huque ...
You are most welcome to check out our forum score at Huque to see how this should be set up correctly.
We use danpol.co.uk as email provider with TLSA enabled.
Must remember when choosing between pdns and named:
PowerDNS supports DNSSEC in DNS clustering, while BIND does not.
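Added example (not from the original post): a small Python helper that builds the "usage selector matching-type hash" content of a TLSA record from certificate bytes and checks a record string before it goes into pdnsutil or a zone file, so a placeholder like "somehash" is caught before publishing. The certificate bytes used in the comments and tests are a constructed stand-in, not a real certificate.

```python
import hashlib
import re

# Code points from RFC 6698 (the three leading numbers of a TLSA record).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
# matching type -> (hash function, expected hex length); type 0 means raw DER bytes in hex
MATCHING = {0: (None, None), 1: ("sha256", 64), 2: ("sha512", 128)}


def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name for the record, e.g. _25._tcp.mail.example.com for SMTP on port 25."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def tlsa_rdata(der, usage=3, selector=0, mtype=1):
    """Build the record content from DER bytes: the whole certificate for selector 0,
    or just the SubjectPublicKeyInfo for selector 1 (the caller supplies the right bytes).
    Default 3 0 1 = DANE-EE, full certificate, SHA-256, as in the pdnsutil command above."""
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unknown usage/selector/matching type")
    algo = MATCHING[mtype][0]
    assoc = der.hex() if algo is None else hashlib.new(algo, der).hexdigest()
    return f"{usage} {selector} {mtype} {assoc}"


def check_tlsa(content):
    """Return a list of problems with a TLSA content string; an empty list means well-formed."""
    problems = []
    parts = content.split()
    if len(parts) != 4:
        return ["expected 4 fields: usage selector matching-type association-data"]
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        return ["usage, selector and matching type must be integers"]
    if usage not in USAGES:
        problems.append(f"usage {usage} is not 0-3")
    if selector not in SELECTORS:
        problems.append(f"selector {selector} is not 0 or 1")
    if mtype not in MATCHING:
        problems.append(f"matching type {mtype} is not 0-2")
        return problems
    data = parts[3]
    if not re.fullmatch(r"[0-9a-fA-F]+", data) or len(data) % 2:
        problems.append("association data must be even-length hex ('somehash' is a placeholder)")
    expected = MATCHING[mtype][1]
    if expected and len(data) != expected:
        problems.append(f"matching type {mtype} needs {expected} hex chars, got {len(data)}")
    return problems
```

In practice the DER bytes come from the live certificate (for example the output of openssl x509 -outform DER), and the record must be re-published whenever the certificate or key it hashes is rotated.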