TLSA is a new kid in the DNS protocol. Ok, not exactly new, but change comes slowly even on the Internet. TLSA is a DNS record type that allows a domain owner to specify which certificate is valid for a particular service.
If you read that hastily, read it again, because it’s pretty different from how we currently do things. I’m referring to the old model that wants you to buy a signed certificate for your website, mail server, et cetera.
The commercial incentive behind that model is no argument that makes up for the lack of technical alternatives. Simply put: anyone can generate a certificate. It’s just that companies like Apple, Mozilla and Google collect a set of these, and thereby decide, both for you and for the owner of the domain you visit, which third parties are allowed to vouch for a verified and encrypted connection.
TLSA, which is part of the DANE specification, is a free (as in beer and libre) alternative. It moves that authority away from centralised sources and gives it to you, the owner of the domain. You add the cryptographic hash of an SSL certificate, together with a few other options, to the DNS, and the client (a browser, mail server, etc.) needs nothing more to verify the authenticity of its connection.
Although this is not supported by browsers yet, my instincts tell me that will probably change, one day soon. If you already knew about this and just want to find out about how to generate a hash, you’re almost there.
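Before the hash itself, a worked example of what actually goes into the record. The following is an added example, not code from this post: it builds the certificate association data for each TLSA selector and matching type from a DER certificate, prints the zone-file line, and performs the client-side comparison of a presented leaf certificate against a record. It uses only the Python standard library and a small DER walker that does just enough to locate the SubjectPublicKeyInfo; the certificate it runs on is constructed inline with a dummy signature, purely to exercise the structure. The "few other options" are the three leading fields: certificate usage (3 = DANE-EE means the record names the server's own certificate and no CA is consulted), selector (0 = whole certificate, 1 = public key only) and matching type (0 = full data, 1 = SHA-256, 2 = SHA-512). One caveat a practitioner needs: a client may only trust a TLSA record that was retrieved with DNSSEC validation; without DNSSEC the record is as spoofable as any other DNS answer.

```python
import hashlib
import hmac

# TLSA RDATA field values as registered in RFC 6698.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def _read_tlv(buf, pos):
    """Decode tag and length of the DER element at buf[pos].
    Returns (tag, header_length, body_length)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                     # short-form length
        return tag, 2, first
    n = first & 0x7F                     # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, hdr, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    pos = hdr
    tag, hdr, _ = _read_tlv(cert_der, pos)           # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    pos += hdr
    tag, hdr, body = _read_tlv(cert_der, pos)        # optional EXPLICIT [0] version
    if tag == 0xA0:
        pos += hdr + body
    for _ in range(5):                               # serialNumber .. subject
        _, hdr, body = _read_tlv(cert_der, pos)
        pos += hdr + body
    tag, hdr, body = _read_tlv(cert_der, pos)        # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:pos + hdr + body]            # whole element, header included


def tlsa_data(cert_der, selector, mtype):
    """Certificate association data (lowercase hex) for a selector/matching type pair."""
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return subject.hex()
    if mtype == 1:
        return hashlib.sha256(subject).hexdigest()
    if mtype == 2:
        return hashlib.sha512(subject).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Zone-file line; 3 1 1 (DANE-EE, SPKI, SHA-256) is the common choice."""
    if usage not in USAGES:
        raise ValueError(f"unknown usage {usage}")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"


def end_entity_matches(cert_der, usage, selector, mtype, data_hex):
    """Client-side check of a presented leaf certificate against one TLSA record.
    Only usages 1 and 3 name the leaf itself; 0 and 2 name a CA in the chain and
    need the whole chain, so they are rejected here. Usage 1 additionally still
    requires ordinary PKIX chain validation, which this helper does not do."""
    if usage not in (1, 3):
        raise ValueError("only end-entity usages can be checked against the leaf alone")
    return hmac.compare_digest(tlsa_data(cert_der, selector, mtype), data_hex.lower())


# --- constructed sample certificate: valid DER structure, dummy signature ---
def _der(tag, body):
    """Encode one DER element with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_RSA_ENC = bytes.fromhex("06092a864886f70d010101")     # OID rsaEncryption
_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID sha256WithRSAEncryption
_NULL = b"\x05\x00"
_NAME = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403")   # CN (2.5.4.3)
                                   + _der(0x0C, b"dane.example"))))    # hypothetical name
# SPKI with a made-up 270-byte key body, long enough to need long-form lengths.
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_ENC + _NULL) + _der(0x03, b"\x00" + b"\x42" * 270))
_TBS = (_der(0xA0, _der(0x02, b"\x02"))                   # version v3
        + _der(0x02, b"\x01")                             # serialNumber
        + _der(0x30, _SHA256_RSA + _NULL)                 # signature algorithm
        + _NAME                                           # issuer
        + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
        + _NAME                                           # subject
        + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _der(0x30, _TBS) + _der(0x30, _SHA256_RSA + _NULL)
                   + _der(0x03, b"\x00" * 257))           # dummy signature bits

if __name__ == "__main__":
    print(tlsa_record("_443._tcp.dane.example.", SAMPLE_CERT))
```

For a real certificate on disk, the same 3 1 1 value is what the usual OpenSSL pipeline produces: `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Selector 1 is generally preferred over 0 because the record then survives a certificate renewal as long as the key pair is kept.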