DANE / TLSA

DNS-Based Authentication of Named Entities: uses DNSSEC-signed TLSA records to pin which TLS certificate a service is allowed to present.

DANE (DNS-Based Authentication of Named Entities) lets a domain publish TLSA records in DNS that pin which TLS certificate or public key is valid for a given service and port. Because the TLSA record is itself protected by DNSSEC, a client can verify it without trusting the public CA system. DANE sees the most real-world use with SMTP (Postfix and other MTAs use it to enforce TLS to receiving mail servers), where it complements MTA-STS. DANE requires the domain to have a fully working DNSSEC chain of trust, which is the main barrier to wider adoption.
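
An added example, not part of the original page: how a client can check a presented certificate against a TLSA RRset, following the selector and matching-type fields of RFC 6698 and limited to DANE-EE (usage 3) records. The function names are hypothetical, and the certificate and SPKI bytes are constructed placeholders standing in for real DER.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE: pins the server's own certificate or key
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """DNS owner name where the TLSA RRset for a service and port is published."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format 'usage selector mtype hex' (hex may be split by spaces)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs three integers followed by hex data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

DIGESTS = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the presented certificate."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    digest = DIGESTS.get(rec.mtype)
    if selected is None or digest is None:
        return False  # unknown selector or matching type: record is unusable
    return digest(selected) == rec.data

def dane_ee_ok(rrset, dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> bool:
    """A DANE-EE match counts only if the TLSA RRset itself was DNSSEC-validated."""
    if not dnssec_validated:
        return False  # unsigned TLSA data authenticates nothing
    return any(r.usage == 3 and matches(r, cert_der, spki_der) for r in rrset)

# Constructed sample input: placeholder bytes, not real DER.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
SAMPLE_RRSET = [
    parse_tlsa(f"3 1 1 {hashlib.sha256(SPKI_DER).hexdigest()}"),      # current key
    parse_tlsa(f"3 0 2 {hashlib.sha512(b'old-cert').hexdigest()}"),   # stale pin
]
```

Publishing the pin for a new key before the certificate is switched keeps at least one record in the RRset matching during rotation.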
