DNS-OARC DANE/TLSA Demonstration

This page and the following links provide a way for you to demonstrate and test the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol. DANE/TLSA provides a way to authenticate TLS (X.509) certificates using DNSSEC.

In order to make use of this demo, you should install the "DNSSEC/TLSA Validator" Firefox plugin. The best version is currently found at https://www.dnssec-validator.cz/. It works with all popular browsers.

You can test your browser's DANE/TLSA support with the following links. Note that the servers behind these links use self-signed X.509 certificates. Your browser should pop up a window explaining that the certificate could not be validated.

There is a valid, signed TLSA record for the certificate of this server.
The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC.
The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
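The four test cases above, expressed as a strict TLSA check. This is an added example, not code from DNS-OARC or from the validator plugin. The certificate and key bytes are constructed placeholders, the usage/selector/matching-type values are assumptions (the page does not say which parameters its records use), and "incorrect TLSA parameters" is modelled as a SHA-256 full-certificate hash published under selector 1, matching type 2.

```python
import hashlib
import hmac

# Matching types (RFC 6698): 0 = exact data, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))

def tlsa_verdict(rdata, cert_der, spki_der, dnssec_secure):
    """Return 'match', 'mismatch', 'unusable' or 'insecure' for one record."""
    if not dnssec_secure:
        return "insecure"  # no validated DNSSEC chain: TLSA data proves nothing
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGESTS:
        return "unusable"  # unknown parameter value: record cannot be applied
    # Selector decides WHAT is hashed: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    selected = cert_der if selector == 0 else spki_der
    expected = DIGESTS[mtype](selected)
    # The digest is compared only under the parameters the record itself declares.
    return "match" if hmac.compare_digest(expected, assoc) else "mismatch"

# Constructed placeholder bytes standing in for a real DER certificate and its SPKI.
CERT = b"constructed-self-signed-certificate-der"
SPKI = b"constructed-subject-public-key-info-der"

def demo():
    good_hash = hashlib.sha256(CERT).hexdigest()
    return {
        "valid":         tlsa_verdict(f"3 0 1 {good_hash}", CERT, SPKI, True),
        "bad_hash":      tlsa_verdict("3 0 1 " + "00" * 32, CERT, SPKI, True),
        # Correct SHA-256(cert) hash, but declared as SHA-512 of the SPKI.
        "bad_params":    tlsa_verdict(f"3 1 2 {good_hash}", CERT, SPKI, True),
        "broken_dnssec": tlsa_verdict(f"3 0 1 {good_hash}", CERT, SPKI, False),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} {verdict}")
```

A validator that compares the published hash against every digest it can compute, without honouring the selector and matching type, would report the third case as valid, which is the behaviour the note above attributes to the current Firefox plugin.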