Articles in this section

Why was AWStats deprecated, what tool replaces it, and what happens to existing servers and domains that still use AWStats?
AWStats traffic significantly differs from Plesk traffic stats in a domain
How to enable the local DNS zone for a Plesk domain?
DNS bind service fails on a Plesk server after recent bind package update: loading from master file /var/named/chroot/var/0.13.203.in-addr.arpa.next failed: too many records
How to track which file is being most downloaded on a website on a Plesk server?
Why is it not possible to add a DS record to a root domain in Plesk?
Unable to start BIND DNS server service on a server with Plesk for Debian/Ubuntu: option 'dnssec-enable' no longer exists
How to disable the automatic "notify-to-soa yes" in named.conf for domains in a Plesk server?
Installing extension Slave DNS Manager on Plesk for Windows fails: BIND DNS Server is not installed. To install Slave DNS Manager in Plesk for Windows, copy the "rndc.exe" file to the "C:\Program Files (x86)\Plesk\dns\bin\rndc.exe" folder
Plesk warning: "Domain is not resolvable" on domains that resolve to Cloudflare
See more

How to create TLSA DNS record in Plesk and adjust DANE?

Anton Kuznetsov

Updated February 16, 2026 09:06

kb: how-to

Question

How to create TLSA DNS record in Plesk and adjust DANE?

Answer

Via Plesk CLI utility

Open panel.ini via preferred editor
Add the following directive:

CONFIG_TEXT: [ext-sslit]
allowIssueDaneCertificatesInCLI = true
Connect to a Plesk server via SSH.
Execute the following command:

# plesk ext sslit --certificate -issue -domain example.com -registrationEmail jdoe@example.com-secure-domain -secure-mail -dane
Execute the following command to finish the installation:

# plesk ext sslit --certificate -issue -domain example.com -continue

Via CLI manually

Create example.com domain in Plesk.
Issue a Let's Encrypt certificate for this domain.
Log into the server via SSH.
Install hash-slinger package with the command:

# yum install hash-slinger
Find name of the certificate file for example.com domain using a command below:

# plesk db "select cert_file from certificates where name like '%example.com%'"
+-----------+
| cert_file |
+-----------+
| scfygh0Pw |
+-----------+
Switch to the /usr/local/psa/var/certificates/ directory:

# cd /usr/local/psa/var/certificates/
Using the name of the certificate file from the step №5 and the next command, generate TLSA record for mail.example.com on port 25:

# tlsa --create --selector 1 -p25 --certificate scfygh0Pw mail.example.com

The output was the following:

CONFIG_TEXT: _25._tcp.mail.example.com. IN TLSA 3 1 1 f8bda51d176a1d315eeec8a53c52febedf43319bf7c7ebbccafa9e14d9616541
Go to Plesk > Domains > example.com > Hosting & DNS > DNS.
Press the Add Record and using the values from the step №7, created a TLSA record for mail.example.com:
After install Plesk DNSSEC extension by pressing Get It Free button in Plesk > Extensions > Extensions Catalog > Categories > DNS.
Enable DNSSEC for example.com domain by pressing the Sign the DNS Zone button in Domains > example.com > Hosting & DNS > DNSSEC.

Note: Algorithm was chosen as RSASHA256

To verify the results, open https://www.mailhardener.com/tools/dane-validator, specified mail.example.com an press the Inspect button

As the result it shows the configured TLSA DNS record and reported that DANE is properly configured for mail.example.com:

Comments

0 comments

Please sign in to leave a comment.