dane_raw_tlsa - Linux


dane_raw_tlsa is a Unix utility that aids in managing Transport Layer Security Authentication Name (TLSA) records stored in the Domain Name System (DNS). It verifies that a domain’s TLSA record matches the TLS certificate used by the corresponding website.


dane_raw_tlsa [-a a] [-h] [-s hostname] [-p port] [-d domain] [-p protocol] [-q queries]


  • -a a Raw TLSA record (see RFC 6698)
  • -h Display help and usage information
  • -s hostname Hostname to connect to
  • -p port Port to connect to (default: 443)
  • -d domain The domain name to verify (default: hostname)
  • -p protocol The protocol to use (default: tls)
  • -q queries The queries to run (default: all)


  • Verify the TLSA record for the website example.com:
dane_raw_tlsa -d example.com
  • Verify the TLSA record for a specific hostname and port:
dane_raw_tlsa -s mail.example.com -p 25
  • Verify all TLSA records for a domain:
dane_raw_tlsa -d example.com -q all

Common Issues

  • Error connecting to server: Ensure that the specified hostname is correct and the port is open.
  • No TLSA records found: The domain may not have any TLSA records configured.
  • TLSA records do not match certificate: The TLS certificate used by the website may not match the TLSA records in the DNS.


dane_raw_tlsa can be used alongside other tools for TLS and DNS management, such as:

  • openssl: To retrieve and inspect TLS certificates
  • dig: To query DNS records
  • bash: For scripting and automation

Related Commands

  • dig: DNS record lookup utility
  • openssl: TLS certificate management utility