A TLSA record is made up of a series of parts. When setting a TLSA record, it is important that you keep the correct order.
- Port number
- Transport protocol
- The domain
- The 'Usage Field'
- The 'Selector Field'
- The 'Matching-Type Field'
- The hash based on the X.509 certificate
Enter it in our DNS editor as follows:
Name: 443._tcp.domainname.ext (includes port number, transport protocol and domain)
Content: 0 0 1 [hash]
TTL: Specified in seconds. Set it to 300 (5 minutes)
The "Content" field contains sequentially (and separated by a space) the 'Usage Field', the 'Selector Field', the 'Matching-Type Field' and the hash of the X.509 certificate.
So above is:
- Usage Field: Certificate Authority Constraint ( 0 )
- Selector Field: Use full certificate ( 0 )
- Matching-Type Field: SHA-256 hash ( 1 )
- hash: [hash]