The DANE Authentication Chain Extension for TLS

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Authors Viktor Dukhovni, Shumon Huque, Willem Toorop, Paul Wouters, Melinda Shore
Last updated 2021-03-04 (latest revision 2020-06-14)
Stream Independent Submission
Expired & archived
IETF conflict review conflict-review-dukhovni-tls-dnssec-chain
Stream ISE state Response to Review Needed
Revised I-D Needed
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This draft describes a new TLS extension for in-band transport of the complete set of DNSSEC validated records needed to perform DANE authentication of a TLS server without the need to perform separate out-of-band DNS lookups. When the requisite DNS records do not exist, the extension conveys a validated denial of existence proof.


Viktor Dukhovni (
Shumon Huque (
Willem Toorop (
Paul Wouters (
Melinda Shore (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)