DANE Test Sites

The following sites support the DANE protocol by publishing TLSA records. If you are developing software that supports the DANE protocol, you can visit these sites to test your DANE support. Note that we use the term “TLS certificate” here for what is commonly referred to as an “SSL certificate”.

Test sites verified on: November 10, 2014. Thanks to Viktor Dukhovni for his testing.

Sites that provide tests for DANE records

HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate

The following two sites have valid TLSA records with valid CA-signed TLS certificates, but also include non-HTTPS content and so may generate additional errors:

The following sites use a valid CA-signed TLS certificate, but the CA is CAcert, a free CA that is not commonly configured in web browsers:

HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate

HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate

HTTP – Invalid (Broken) TLSA Record With Valid Self-signed TLS Certificate

HTTP – Valid TLSA Record With Invalid DNSSEC Signature


The following sites support using DANE for email by publishing TLSA records associated with MX records:

  • ietf.org
  • openssl.org
  • jhcloos.com
  • nlnetlabs.nl (for ports 25, 465, 587)
  • nlnet.nl (for ports 25, 465, 587)
  • spodhuis.org

XMPP / Jabber

The following sites support using DANE for TLS connections to their XMPP/Jabber server:

Adding More Sites

If you support DANE with your site and would like to add it to this list, please contact us. Eventually, of course, we hope that DANE will be so widely deployed that this list of test sites will no longer be needed.

October 4th, 2012 | Posted in DANE, DNSSEC | 13 Comments

13 Responses to DANE Test Sites

  1. […] different test cases that you can use to test your DANE support.  We’ve added their sites to our list of DANE test sites and we definitely thank Verisign for making them […]

  2. Marco Davids says:

    Try all of these websites on the SIDN Labs DANE Validator (beta):


  3. ewjfoewjfew says:

    The torproject TLSA record goes against the draft for operational guidance http://tools.ietf.org/html/draft-dukhovni-dane-ops-01
    by publishing only SHA-512 thumbprint.

  4. roger says:

    HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate

    These 2 sites have CA Signed SSL
    https://hacklab.to -> rapidSSL
    https://nohats.ca -> PositiveSSL

    • Dan York says:

      Thanks for the note about those two sites. When we originally listed them they were using self-signed certs. I’ll look into the change in their status.


  5. jungle says:

    I think this is also DANE:

    it's at least DNSSEC

  6. Edmondas says:

    http://www.freebsd.org is mentioned several times (2nd and 5th urls).

  7. Peter says:

    German e-mail provider Posteo supports DANE/TLSA since May 12, 2014

  8. michael says:

    mqas.net supports DANE!

  9. Arne says:

    Tutanota supports DANE now for the website (https://tutanota.de), the web application (https://app.tutanota.de) and SMTP emails.

  10. Viktor Dukhovni says:

    Hi Dan, just wanted to suggest a couple of updates to the SMTP part of the Deploy360 DANE page:

    1. In cooperation with sys4.de and dotplex.de I have built an SMTP DANE test site that is both thorough, and conforms fully with the SMTP draft. Please publish:


    as the place to test one’s SMTP DANE implementation.

    2. Please remove dougbarton.us from the list of DANE SMTP sites, his certificate usage is not consistent with the upcoming RFC and he is recalcitrant about changing it.

    3. There are now over 1000 deployed SMTP with DANE domains, and DNSSEC denial of existence issues with TLSA lookups are essentially resolved (down from ~2700 known domains to ~80). DANE for SMTP is becoming ready for prime-time.

    4. The test site will soon publish a list of common mistakes to avoid. We need to encourage people who are ready to operate their domains with care to start adopting, and discourage people who just want to make a fashion statement and then leave their DANE or DNSSEC configuration “bitrot” to an eventual outage as they botch key rollover, neglect zone re-signing, etc.

