DANE TLS Test Sites

https://good.dane.huque.com/

TLSA record name: _443._tcp.good.dane.huque.com.
There is a valid signed TLSA record (DANE-EE) matching the server certificate at this site.

https://badhash.dane.huque.com/

TLSA record name: _443._tcp.badhash.dane.huque.com.
The signed TLSA record (DANE-EE) contains a hash value that doesn't match the server certificate.

https://badparam.dane.huque.com/

TLSA record name: _443._tcp.badparam.dane.huque.com.
The signed TLSA record contains invalid (unusable) TLSA parameters.

https://badsig.busted.huque.com/

TLSA record name: _443._tcp.badsig.busted.huque.com.
The TLSA record has an incorrect DNSSEC signature.

https://expiredsig.busted.huque.com/

TLSA record name: _443._tcp.expiredsig.busted.huque.com.
The TLSA record has an expired DNSSEC signature.

https://good-pkixta.dane.huque.com/

TLSA record name: _443._tcp.good-pkixta.dane.huque.com.
The TLSA record (PKIX-TA) has a hash value that correctly matches the PKIX root CA issuer in the server certificate chain.

https://bad-pkixta.dane.huque.com/

TLSA record name: _443._tcp.bad-pkixta.dane.huque.com.
The TLSA record (PKIX-TA) has a hash value that doesn't match any certificate issuer in the PKIX chain corresponding to the server certificate.

Other DANE Tools

• Generate a DNS TLSA Record
• Check a DANE TLS Service
• Check a DANE TLS SMTP Service
• Generate a DNS OPENPGPKEY record

References

• RFC 6698: DANE and TLSA record specification, August 2012
• RFC 7671: DANE Protocol: Updates and Operational Guidance
• RFC 7672: SMTP Security via opportunistic DANE TLS
• DNSSEC and Certificates; October 19 2012
• TLSA Record Generator; October 23 2013
• How DANE Strengthens Security for TLS, S/MIME, and Other Applications; November 2015
• Whither DANE? -- APNIC Blog; July 05 2019
• Shumon Huque's website