‹ Back
Deploy360 21 February 2014

NIST Offers New Tool To Verify TLSA Records For DANE / DNSSEC

Dan York
By Dan YorkDirector, Online Content

Are you experimenting with using the DANE protocol to provide an additional layer of security to your TLS/SSL certificates via DNSSEC?  Would you like to easily test that your TLSA record needed for DANE works correctly?

If so, the folks at the US National Institute of Standards and Technology (NIST) now have a new tool for testing TLSA records and DANE support.  All you do is go to:

and in the simplest form just enter in the URL of the site you want to test.  Here is an example of what happened when I entered (click image to see larger version):


The site basically tests that you have your TLSA record correctly configured and that it matches the TLS/SSL certificate you are using with your web server.

Now, if you don’t have a site with a TLSA record but want to see how the tool works, the NIST tool helpfully lets you choose from one of the DANE test sites we list here on Deploy360.  You can also connect to the NIST “DANE Reference site” to explore different usage types.

In an email message to several public mailing lists, tool author Stephen Nightingale at NIST indicated that his latest version of this tool was now offering the choice of testing from clients based either on TLSlite or GnuTLS. He goes on to note:

Mine was one of the ‘DANE-in-the-App’ sites that Viktor Dukhovni reviewed, and he kindly gave an extensive critique. Many of his points have been addressed. A few things still to clear up:

  • I’m not checking for certificate revocation. That is on the list to fix.
  • For 0xx and 1xx uses, it is hard to identify a single canonical CA list. I have overlapping, but different Root Cert sets from Mozilla, Fedora and Linux Mint. So when searching for an authority to build a verification chain I cycle through all of these until succeeding or exhaustion of the possibilities. Some of the DANE 360 listed sets (including some from members of this group) fail to authenticate because the root certs are not in my authorities. A golden, canonical CA list would be nice to find. But I guess that its non-universal availability is one of the problems of the CA system that DANE is aiming squarely at.

The differences between TLSlite and GnuTLS clients highlight the fact that there are unresolved interoperability issues among TLS implementations. It seems reasonable that TLS interoperability testing be instituted as pre-requisite to DANE testing. The development of a TLS Interoperability test suite is therefore on our ‘to-do’ list. I look forward to seeing the newly upgraded OpenSSL client with added DANE. It is quite possible that as an interim step before its appearance I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.

Thanks to Stephen and the team at NIST for making this tool public and we hope that it will help those of you working with DANE to test out your implementations.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Testing DANE For Sending Secure Email at the Go6lab
Deploy36028 May 2015

Testing DANE For Sending Secure Email at the Go6lab

After successful DNSSEC signing of,, and other domains in Go6lab we decided that it was time to...

21 Sites You Can Use To Test DANE Support (DNSSEC + SSL/TLS)
Deploy36010 October 2012

21 Sites You Can Use To Test DANE Support (DNSSEC + SSL/TLS)

Have you been working on an application that uses the new DANE protocol to combine the encryption of SSL/TLS with...

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE
Deploy36030 November 2012

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic...

Join the conversation with Internet Society members around the world