DANE Test Sites
The following sites support the DANE protocol by publishing TLSA records. If you are developing software that supports the DANE protocol, you can visit these sites to test your DANE support. Note that we use the term “TLS certificate” here for what is commonly referred to as a “SSL certificate”.
Test sites verified on: November 10, 2014. Thanks to Viktor Dukhovni for his testing.
Sites that provide tests for DANE records
HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
- https://www.kumari.net/ – Note: the TLS certificate is for “*.kumari.net”, allowing you to test the use of wildcards.
- https://www.statdns.net/ – They host some seldom used resource record types in order to offer testing opportunities for existing and future DNS tools.
The following two sites have valid TLSA records with valid CA-signed TLS certificates, but also include non-https content and so may generate additional errors:
The following sites use a valid CA-signed TLS certificate, but the CA is CAcert, a free CA that is not commonly configured in web browsers:
HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate
HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate
- https://rogue.nohats.ca – TLS certificate has expired
HTTP – Invalid (Broken) TLSA Record With Valid Self-signed TLS Certificate
- https://bad-hash.dane.verisignlabs.com – TLSA record has incorrect hash value but is correctly signed with DNSSEC
- https://bad-params.dane.verisignlabs.com – TLSA record has a correct hash value but incorrect TLSA parameters. It is correctly signed with DNSSEC.
HTTP – Valid TLSA Record With Invalid DNSSEC Signature
- https://bad-sig.dane.verisignlabs.com – Valid TLSA record but the DNSSEC signature is invalid.
The following sites support using DANE for email by publishing TLSA records associated with MX records:
- nlnetlabs.nl (for ports 25, 465, 587)
- nlnet.nl (for ports 25, 465, 587)
XMPP / Jabber
The following sites support using DANE for TLS connections to their XMPP/Jabber server:
- List of public XMPP servers supporting DANE records
Adding More Sites
If you support DANE with your site and would like to add it to this list, please contact us. Eventually, of course, we would like to hope that DANE is so widely deployed that this list of test sites will no longer be needed.