There are really three questions here.
-
Does Cloudflare Support TLSA records? The answer is yes, you can use Cloudflare Authoratitive DNS to serve TLSA records.
-
Does Cloudflare create TLSA records for managed certificates? The answer is no.
-
Is it safe to implement TLSA records for Cloudflare managed certificates? Again, no.
If you are using Custom Certificates you can manage the TLSA records yourself. Technically you could deploy TLSA records yourself for the Cloudflare managed certs, but I would recommend you do not. Cloudflare will renew the certs and your TLSA records will not match.
Ideally Cloudflare would support TLSA for all Cloudflare managed certificates, but I have never seen any indication that they want to do this. I don’t understand why they don’t do this for the MX forwarder records, as MTA DANE is becoming more and more common. DANE for standard 443 traffic is not widely supported (if anything supports it at all), but Cloudflare could start an avalanche by deploying TLSA records on Universal and ACM certificates.