On Fri, Feb 27, 2015 at 01:39:47PM -0500, Sam Hartman wrote:

> If you're willing to trust DNS and if you're using DNSSec, I don't see
> why you can't just trust the target of the redirection.

That's what one generally does. Indeed TLSA records don't change that
part of the picture when trust in DNSSEC anchors makes sense.

> What are you getting out of forcing DANE?

I don't want to hijack this thread, so perhaps we can leave that
question for some future more appropriate context.

--
Viktor.