diff --git a/Makefile b/Makefile
index 37107daab..f14db6d30 100644
--- a/Makefile
+++ b/Makefile
@@ -143,7 +143,7 @@ docker-dns-srv-test-build:
 	  --rm \
 	  --dns 127.0.0.1 \
 	  gcr.io/etcd-development/etcd-dns-srv-test:$(_GO_VERSION) \
-	  /bin/bash -c "/etc/init.d/bind9 start && cat /dev/null >/etc/hosts && dig +noall +answer SRV _etcd-client._tcp.etcd.local && dig +noall +answer SRV _etcd-server._tcp.etcd.local && dig +noall +answer m1.etcd.local m2.etcd.local m3.etcd.local"
+	  /bin/bash -c "/etc/init.d/bind9 start && cat /dev/null >/etc/hosts && dig +noall +answer SRV _etcd-client-ssl._tcp.etcd.local && dig +noall +answer SRV _etcd-server-ssl._tcp.etcd.local && dig +noall +answer m1.etcd.local m2.etcd.local m3.etcd.local"
 
 docker-dns-srv-test-push:
 	gcloud docker -- push gcr.io/etcd-development/etcd-dns-srv-test:$(_GO_VERSION)
@@ -162,5 +162,4 @@ docker-dns-srv-test-run:
 	  gcr.io/etcd-development/etcd-dns-srv-test:$(_GO_VERSION) \
 	  /bin/bash -c "cd /etcd && /run.sh && rm -rf m*.etcd"
 
-# TODO: run DNS/SRV with TLS
 # TODO: add DNS integration tests
diff --git a/e2e/docker-dns-srv/Procfile b/e2e/docker-dns-srv/Procfile
index 2fef52542..e1b2c411c 100644
--- a/e2e/docker-dns-srv/Procfile
+++ b/e2e/docker-dns-srv/Procfile
@@ -1,5 +1,5 @@
-etcd1: ./etcd --name m1 --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new
+etcd1: ./etcd --name m1 --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth
 
-etcd2: ./etcd --name m2 --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new
+etcd2: ./etcd --name m2 --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth
 
-etcd3: ./etcd --name m3 --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new
+etcd3: ./etcd --name m3 --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth
diff --git a/e2e/docker-dns-srv/etcd.zone b/e2e/docker-dns-srv/etcd.zone
index 5e2fe283d..e501ed399 100644
--- a/e2e/docker-dns-srv/etcd.zone
+++ b/e2e/docker-dns-srv/etcd.zone
@@ -8,9 +8,9 @@ etcd.local.	IN	NS	bindhostname.
 m1.etcd.local.	300	IN	A	127.0.0.1
 m2.etcd.local.	300	IN	A	127.0.0.1
 m3.etcd.local.	300	IN	A	127.0.0.1
-_etcd-client._tcp	300	IN	SRV	0 0 2379 m1.etcd.local.
-_etcd-client._tcp	300	IN	SRV	0 0 22379 m2.etcd.local.
-_etcd-client._tcp	300	IN	SRV	0 0 32379 m3.etcd.local.
-_etcd-server._tcp	300	IN	SRV	0 0 2380 m1.etcd.local.
-_etcd-server._tcp	300	IN	SRV	0 0 22380 m2.etcd.local.
-_etcd-server._tcp	300	IN	SRV	0 0 32380 m3.etcd.local.
\ No newline at end of file
+_etcd-client-ssl._tcp	300	IN	SRV	0 0 2379 m1.etcd.local.
+_etcd-client-ssl._tcp	300	IN	SRV	0 0 22379 m2.etcd.local.
+_etcd-client-ssl._tcp	300	IN	SRV	0 0 32379 m3.etcd.local.
+_etcd-server-ssl._tcp	300	IN	SRV	0 0 2380 m1.etcd.local.
+_etcd-server-ssl._tcp	300	IN	SRV	0 0 22380 m2.etcd.local.
+_etcd-server-ssl._tcp	300	IN	SRV	0 0 32380 m3.etcd.local.
\ No newline at end of file
diff --git a/e2e/docker-dns-srv/run.sh b/e2e/docker-dns-srv/run.sh
index 528cf5f86..7c7415f8d 100755
--- a/e2e/docker-dns-srv/run.sh
+++ b/e2e/docker-dns-srv/run.sh
@@ -9,5 +9,8 @@ goreman -f /Procfile start &
 sleep 7s
 
 ETCDCTL_API=3 ./etcdctl \
+  --cacert=/certs/ca.crt \
+  --cert=/certs/server-wildcard.crt \
+  --key=/certs//server-wildcard.key.insecure \
   --discovery-srv etcd.local \
   put foo bar