DNS-based Authentication of Named Entities
DANE publishes TLS certificate information in DNSSEC-signed TLSA records, letting clients verify certificates without relying solely on certificate authorities. It can pin a domain to specific keys or certificates, limiting damage from a compromised CA. Its main real-world use is securing mail server connections against downgrade and impersonation.