dane_query_data - Linux


dane_query_data is a command-line utility that allows for the retrieval of Domain Name System (DNS) Security (DNSSEC) Authenticated Data (AD) from a specified domain. Primarily used within the realm of DNSSEC, this tool aids in the validation of DNS records and the verification of the integrity of DNS responses.


dane_query_data [options] <domain>


  • -a, –algorithm : Specify the algorithm to use for the query (default: TLSA). Use "list" to list available algorithms.
  • -q, –qname : Query a specific record type within the domain (e.g., _tcp.example.com).
  • -p, –port : Specify the port for the query (default: 53).
  • -s, –server : Specify a specific DNS server to query (default: system resolver).
  • -t, –type : Specify the record type to query for (default: TLSA).
  • -v, –verbose: Enable verbose output, providing additional details about the query process.
  • -h, –help: Display help information and usage syntax.


  • Query the default TLSA record for the domain "example.com":
dane_query_data example.com
  • Query a specific TLSA record for the service "_tcp" in the domain "example.com":
dane_query_data -q _tcp.example.com example.com
  • Use a specific DNS server for the query:
dane_query_data -s example.com

Common Issues

  • Query fails: Ensure that the domain is properly configured with DNSSEC and that the queried record type exists. Verify the DNS server settings and firewall rules.
  • Unexpected output: Examine the verbose output (-v option) for more information about the query process. Check the algorithm and record type specified.


dane_query_data can be used in conjunction with other tools like openssl and dig for advanced DNSSEC validation tasks. For example, to verify a TLS certificate using a TLSA record:

dane_query_data example.com | openssl x509 -inform DER -noout -text | grep "Public Key Algorithm:"

Related Commands

  • dig, host, nslookup: Other DNS query tools.
  • openssl: Used for handling and validating cryptographic operations.