Skip to main content

A DANE Record and DNSSEC Authentication Chain Extension for TLS

Document Type Replaced Internet-Draft (tls WG)
Expired & archived
Authors Melinda Shore , Richard Barnes , Shumon Huque , Willem Toorop
Last updated 2018-09-22 (Latest revision 2018-03-21)
Replaces draft-shore-tls-dnssec-chain-extension
Replaced by draft-dukhovni-tls-dnssec-chain
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd Joseph A. Salowey
Shepherd write-up Show Last changed 2018-01-22
IESG IESG state Replaced by draft-dukhovni-tls-dnssec-chain
Action Holders
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Benjamin Kaduk
Send notices to Joseph Salowey <>,
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This draft describes a new TLS extension for transport of a DNS record set serialized with the DNSSEC signatures needed to authenticate that record set. The intent of this proposal is to allow TLS clients to perform DANE authentication of a TLS server without needing to perform additional DNS record lookups. It is not intended to be used to validate the TLS server's address records.


Melinda Shore
Richard Barnes
Shumon Huque
Willem Toorop

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)