RFC 6698 Proposed Standard

The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA

P. Hoffman, J. Schlyter · 2012-08

Abstract

Encrypted communication on the Internet often uses Transport Layer Security (TLS), which depends on third parties to certify the keys used. This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software.

Why This RFC Matters

RFC 6698 introduced DANE, which lets domain operators publish TLS certificate constraints directly in DNSSEC-signed DNS records (TLSA records), creating a second trust anchor independent of the CA ecosystem. This defends against rogue or compromised certificate authorities issuing fraudulent certificates for domains they do not control, a known attack vector that DANE eliminates for DNSSEC-enabled domains. DANE is widely adopted for email, where it complements MTA-STS for SMTP, and the TLSA record type is increasingly used alongside Certificate Transparency to strengthen the web PKI.
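As an added illustration of the publish-and-match mechanism described above (example code written for this page, not from RFC 6698 or any DANE implementation): the operator side derives the TLSA RDATA (usage, selector, matching type, association data) from its certificate, and the client side checks a presented chain against the parsed record. The DER byte strings are constructed placeholders standing in for real certificate and SubjectPublicKeyInfo encodings; DNSSEC validation of the record itself and PKIX chain validation for usages 0 and 1 are outside the snippet.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    """One TLSA RDATA (RFC 6698 section 2.1)."""
    usage: int           # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int        # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching_type: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes          # certificate association data

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSA":
        """Parse zone-file text such as '3 1 1 <hex>' (hex may be space-separated)."""
        usage, selector, mtype, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Association data for one certificate under the given selector and matching type."""
    selected = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def make_record(cert_der: bytes, spki_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Zone-file RDATA a domain operator would publish for this certificate."""
    return f"{usage} {selector} {matching_type} {association_data(cert_der, spki_der, selector, matching_type).hex()}"

def tlsa_matches(record: TLSA, chain: list[tuple[bytes, bytes]]) -> bool:
    """Client-side check: does the presented chain (leaf first, as (cert_der, spki_der)) satisfy the record?
    Usages 1 and 3 constrain the end-entity certificate only; usages 0 and 2 name a trust anchor, so any
    certificate in the presented chain may match. Usages 0 and 1 also require ordinary PKIX validation,
    which this helper does not perform."""
    candidates = chain[:1] if record.usage in (1, 3) else chain
    want = record.data
    return any(association_data(c, s, record.selector, record.matching_type) == want for c, s in candidates)

# Constructed placeholder DER blobs; real code would use the actual DER encodings.
LEAF_CERT, LEAF_SPKI = b"constructed leaf certificate DER", b"constructed leaf SPKI DER"
CA_CERT, CA_SPKI = b"constructed issuer certificate DER", b"constructed issuer SPKI DER"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]

if __name__ == "__main__":
    published = make_record(LEAF_CERT, LEAF_SPKI, 3, 1, 1)   # DANE-EE, SPKI, SHA-256
    print("_443._tcp.example.com. IN TLSA", published)
    print("match:", tlsa_matches(TLSA.from_presentation(published), CHAIN))
```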
