The following sites support the DANE protocol by publishing TLSA records. If you are developing software that supports the DANE protocol, you can visit these sites to test your DANE support. Note that we use the term “TLS certificate” here for what is commonly referred to as a “SSL certificate”.
HTTP – Valid TLSA Record With Valid CA-signed TLS Certificate
- https://www.kumari.net/ - Note: the TLS certificate is for “*.kumari.net”, allowing you to test the use of wildcards.
The following sites use a valid CA-signed TLS certificate, but the CA is CAcert, a free CA that is not commonly configured in web browsers:
The following site has a valid TLSA record and a valid CA-signed TLS certificate, but the domain is not tied into the global DNSSEC chain-of-trust, i.e. there is no DS record for huque.com in the .COM TLD:
HTTP – Valid TLSA Record With Valid Self-signed TLS Certificate
HTTP – Valid TLSA Record With Invalid CA-signed TLS Certificate
- https://rogue.nohats.ca - TLS certificate has expired
HTTP – Invalid (Broken) TLSA Record
- https://bad-hash.dane.verisignlabs.com – TLSA record has incorrect hash value but is correctly signed with DNSSEC
- https://bad-params.dane.verisignlabs.com – TLSA record has a correct hash value but incorrect TLSA parameters. It is correctly signed with DNSSEC.
HTTP – Valid TLSA Record With Invalid DNSSEC Signature
- https://bad-sig.dane.verisignlabs.com – Valid TLSA record but the DNSSEC signature is invalid.
The following sites support using DANE for email by publishing TLSA records associated with MX records:
- nlnetlabs.nl (for ports 25, 465, 587)
- nlnet.nl (for ports 25, 465, 587)
XMPP / Jabber
The following sites support using DANE for TLS connections to their XMPP/Jabber server:
Adding More Sites
If you support DANE with your site and would like to add it to this list, please contact us. Eventually, of course, we would like to hope that DANE is so widely deployed that this list of test sites will no longer be needed.