dane_query_entries - Linux


The dane_query_entries command queries a DNSSEC-enabled domain name system (DNS) to retrieve Domain Name System Security Extensions (DNSSEC) Authenticated Name Entries (ANEs) and Certificate Authorities (CAs). It’s used to verify the authenticity and integrity of DNS records by comparing them against the trusted DNSSEC root zone.


dane_query_entries [-v] [-d] [-n] [-t TYPE] [-e EXPR] [NAME]


  • -v: Prints verbose output with additional information.
  • -d: Prints delegating name servers (NS) records.
  • -n: Prints raw TLSA and CAA records instead of ANEs.
  • -t TYPE: Specifies the type of record to query (e.g., _443._tcp.example.com).
  • -e EXPR: Specifies a filtering expression (e.g., port=443).


Query for all ANEs in example.com

dane_query_entries example.com

Query for _443._tcp.example.com ANE

dane_query_entries -t _443._tcp example.com

Query for CAA records with *.example.com

dane_query_entries -n '*_tcp.example.com'

Common Issues

  • No ANEs found: Check if the queried domain is DNSSEC-enabled and has valid ANEs configured.
  • Inconsistent results: Make sure to use a DNSSEC-validating resolver.
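
Both issues above can be checked from a saved answer of dig (listed under Related Commands). The script below is an added example, not part of the original page or of any project's code: it accepts a TLSA answer only when the resolver set the AD (Authenticated Data) flag, then sanity-checks each record's fields. The function names are hypothetical and the sample answer is constructed in dig's output layout.

```shell
# Constructed sample in the layout of `dig +dnssec TLSA _443._tcp.example.com`
# (not captured from a real resolver; the 64 hex digits are a placeholder).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_443._tcp.example.com. 3600 IN TLSA 3 1 1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
# The same answer as a non-validating resolver would return it: no AD flag.
SAMPLE_UNVALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')

# tlsa_owner HOST PORT [PROTO]: build the TLSA owner name (hypothetical helper).
tlsa_owner() {
    printf '_%s._%s.%s\n' "$2" "${3:-tcp}" "${1%.}"
}

# is_validated: reads dig output on stdin and succeeds only if the flag list
# in the header contains "ad".
is_validated() {
    awk '/^;; flags:/ {
        line = $0
        sub(/^;; flags:/, "", line)     # drop the prefix
        sub(/;.*$/, "", line)           # drop the counters after the flag list
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# check_tlsa DIG_OUTPUT: refuse unvalidated answers, then check each TLSA
# record: usage 0-3, selector 0-1, matching type 0-2, digest length.
check_tlsa() {
    if ! printf '%s\n' "$1" | is_validated; then
        echo "UNVALIDATED"
        return 1
    fi
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "TLSA" {
        data = ""
        for (i = 8; i <= NF; i++) data = data $i    # hex may be split by spaces
        want = ($7 == 1) ? 64 : (($7 == 2) ? 128 : 0)   # SHA-256 / SHA-512
        ok = ($5 ~ /^[0-3]$/ && $6 ~ /^[01]$/ && $7 ~ /^[0-2]$/ &&
              data ~ /^[0-9A-Fa-f]+$/ && (want == 0 || length(data) == want))
        status = ok ? "OK" : "MALFORMED"
        print status, $5, $6, $7, tolower(data)
    }'
}

check_tlsa "$SAMPLE_VALIDATED"
```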


dane_query_entries integrates with other tools:

  • dnssec-trigger: Monitor DNSSEC changes.
  • dnssec-update: Update DNSSEC records.

Related Commands

  • dig: Query DNS records.
  • dnssec-keygen: Generate DNSSEC keys.
  • DNSSEC Validator: Validate DNSSEC records.