From Shumon: We might want to be clearer about whether the serialization chain ends in the TLS server's domain name or in a TLSA record corresponding to the server's TLS certificate. For DANE authentication, the latter would be needed, but it may make sense to have the former (also), so that the client can authenticate the server's DNSSEC name to IP address mapping.