TLSA DNS record problem


I have an issue with setting up TLSA DNS record type.
I own 2 domains ( and both of them are not registered in cloudflare registrar but registrar is set to redirect DNS queries to cloudflare Nameservers.

I do DNS management of records through Cloudflare.
I have setup a MX records for both domains together with SPF, DKIM and DMARC records.
These MX records both link to an A record IPv4 host address under domain
On this host i have basic setup of email server Debian 9 linux (postfix) where i would like to configure secure incomming and outgoing mail transfer using DANE.

  1. I have created a public private RSA 2048 bit key pair using openssl utility
  2. I made certificate signing request file using public key generated in previous step
  3. Then i created selfsigned custom root certificate authority X.509 certificate
  4. With this custom root CA certificate and the CSR file i made a X.509 host certificate
  5. I took the host certificate and fed it to this tool
  6. I have set domain name, port to 25, protocol: tcp, usage field: 3, selector field: 1, matching field: 1, pasted the host certificate and let the tool generate output
  7. In the cloudflare DNS section web interface i have created for domain1 TLSA record and pasted there the SHA-256 digest from tool
  8. I have then waited several hours

The problem: Problem is when i now do a dig from command line for TLSA record type i get no output. Even the DANE SMTP validator shows no TLSA record. And im now lost as to what is the problem?

Im including screenshot of the DNS TLSA record:

Any help/suggestion is greatly appreciated!
Im kind of new to the field of system administration.

Edit: I have been checking the whole cloudflare community and found out that anoter user had basically the same problem: Support for TLSA / DANE proto


1 Like

I am not sure if it is due to the “Flexible SSL” or what. Because, as far as I got and understand, whenever the certificate get renewed, the TLSA/DANE record should be updated too.

Nevertheless, maybe we have to pay the dedicated SSL certificated for $10 (because of www, mail and other sub-domain names), setup to the Full SSL Strict, add Origin Auth Pulls too, and change postfix/dovecot to use the SSL certificate (not just STARTSSL as TLS) for e-mail.

Moreover, I am not sure because I have posted another problem/topic where I cannot change to Full SSL neither few other things (Origin Auth Pulls, HSTS change, etc.) because of the CloudFlare hosting optimized partner which has limited the default (Free plan) options and try that out (using some “CloudFlare Mobile Plan”).

I am still looking for a solution.

Appreciate to follow up this topic too.

Actually i did not setup postfix for TLSA yet. this problem of mine is just about the TLSA record not showing up. But i can confirm that in the mean time problem went away. So i guess it had to do something with local DNS cache not being updated.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.