Tools to check DANE/TLSA records.


pydane: tool for checking DANE records

pydane is a simple tool for checking server certificates against their potential DANE/TLSA records in DNS. Numerous tools exist, but most of them do not handle STARTTLS servers well.

The aim of this tool is to quickly validate that a TLSA record was properly created in DNS for the given service.


tlsa_check [options] hostname [port]

By default, tlsa_check checks an https server against the potential TLSA record.


  • Certificate and record match, and the record was obtained from a signed zone
% tlsa_check
Matching TLSA secure record for
  • Certificate and record match, and the record was not obtained from a signed zone
% tlsa_check
Not DNSSEC signed!
Matching TLSA insecure record for
  • No TLSA record was found
% tlsa_check 993
No TLSA record for IMAP(


  • works only for TLSA usage 3, because it does not do any PKIX validation,
  • uses the default resolver, which may not be DNSSEC-enabled; it should use libunbound instead,
  • ports/protocols are hardcoded,
  • SSHFP not supported.
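
What a usage 3 comparison involves, as an added example that is not pydane's own code: it builds the TLSA owner name, extracts the SubjectPublicKeyInfo for selector 1, and keeps a match from an unsigned zone distinct from a DNSSEC-validated one. The function names, verdict strings and the skeletal sample certificate are assumptions constructed for this illustration.

```python
import hashlib

# Constructed sample: a skeletal DER structure shaped like an X.509 certificate
# (not a real certificate); its SubjectPublicKeyInfo is 30073000030300aabb.
SAMPLE_CERT = bytes.fromhex(
    "30203019a003020102020101300030003000300030073000030300aabb3000030100")

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of the TLSA RRset for a service (RFC 6698, section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def _tlv(buf, off):
    """Read one DER TLV at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo (selector 1 input) of a certificate."""
    _, off, _ = _tlv(der, 0)        # enter Certificate SEQUENCE
    _, off, _ = _tlv(der, off)      # enter tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                 # skip optional [0] version
        off = end
    for _ in range(5):              # serial, signature, issuer, validity, subject
        _, _, off = _tlv(der, off)
    return der[off:_tlv(der, off)[2]]

def tlsa_matches(rdata, cert_der):
    """Match one TLSA RDATA string ('usage selector mtype hex') for usage 3 only."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        return False                # usages 0-2 would need PKIX chain validation
    data = cert_der if selector == "0" else spki_from_cert(cert_der)
    if mtype != "0":
        data = (hashlib.sha256 if mtype == "1" else hashlib.sha512)(data).digest()
    return data == bytes.fromhex(hexdata.replace(" ", ""))

def verdict(records, cert_der, dnssec_secure):
    """Map the outcome to one of four states; names are this example's own."""
    if not records:
        return "no-record"
    if not any(tlsa_matches(r, cert_der) for r in records):
        return "mismatch"
    return "match-secure" if dnssec_secure else "match-insecure"
```

The `dnssec_secure` argument stands for the resolver's validation result; a matching record from an unvalidated answer proves only that the record was published, not that it is authentic.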