Any chance of getting DANE with cloudflare


I really cannot figure it out: is it possible to implement DANE?



Thank you for asking.

Recent topic:

More about this:

I believe my colleague @michael could add a few valuable notes and provide information about this here, as he is more experienced than me with this kind of feature.

There are really three questions here.

  1. Does Cloudflare support TLSA records? The answer is yes, you can use Cloudflare Authoritative DNS to serve TLSA records.

  2. Does Cloudflare create TLSA records for managed certificates? The answer is no.

  3. Is it safe to implement TLSA records for Cloudflare managed certificates? Again, no.

If you are using Custom Certificates you can manage the TLSA records yourself. Technically you could deploy TLSA records yourself for the Cloudflare managed certs, but I would recommend you do not. Cloudflare will renew the certs and your TLSA records will not match.

Ideally Cloudflare would support TLSA for all Cloudflare managed certificates, but I have never seen any indication that they want to do this. I don’t understand why they don’t do this for the MX forwarder records, as MTA DANE is becoming more and more common. DANE for standard 443 traffic is not widely supported (if anything supports it at all), but Cloudflare could start an avalanche by deploying TLSA records on Universal and ACM certificates.
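A worked illustration of the renewal mismatch described above, as an added example that is not part of the original thread: it derives the "3 1 1" (DANE-EE, SPKI, SHA-256) TLSA record for a certificate and then runs the client-side check against a later certificate issued on a fresh key. A throwaway self-signed certificate is constructed inline to stand in for a managed or custom certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one record's RDATA: usage, selector, matching type and hex data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      string
}

// NewCert makes a throwaway self-signed cert on a fresh key (constructed test data).
func NewCert() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// RecordFor derives the 3 1 1 (DANE-EE, SPKI, SHA-256) record, which pins the key.
func RecordFor(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{3, 1, 1, hex.EncodeToString(sum[:])}
}

// Matches is the client-side check against the presented end-entity cert (3 1 1 only).
func (t TLSA) Matches(cert *x509.Certificate) bool {
	return t.Usage == 3 && t.Selector == 1 && t.Matching == 1 &&
		RecordFor(cert).Data == t.Data
}

func main() {
	current := NewCert()
	rec := RecordFor(current)
	fmt.Printf("_443._tcp.example.com. IN TLSA %d %d %d %s\n", rec.Usage, rec.Selector, rec.Matching, rec.Data)
	fmt.Println("current cert matches:", rec.Matches(current)) // true
	renewed := NewCert() // the provider rotated the key at renewal
	fmt.Println("renewed cert matches:", rec.Matches(renewed)) // false
}
```

Because the record pins the key, it only survives a renewal if the same key is reused; a managed renewal on a new key leaves the published record stale until it is replaced.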

