[ldns-users] TLSA verification using ldns-dane

Paul Wouters paul at nohats.ca
Wed Jun 1 03:00:38 UTC 2016

On Tue, 31 May 2016, A. Schulze wrote:

> i use the command "ldns-dane verify www.example.org 443" to check if
> the TLSA-Record _443._tcp.www.example.org match the certificate at 
> https://www.example.org.
> That works.
> Now I try to check a mailserver that support STARTTLS.

Not sure about ldns-dane, but I think it lacks STARTTLS
support. With the hash-slinger package installed, you can

tlsa --verify mx.nohats.ca --starttls smtp --port 25
SUCCESS (Usage 3 [DANE-EE]): Certificate offered by the server matches the TLSA record (


More information about the ldns-users mailing list