fl1ger / deleg

Extensible Delegation for DNS

What to put in the SNI when DANE is not in use #5

Open bemasc opened 8 months ago

bemasc commented 8 months ago

When using DoT/DoQ/DoH, but not using DANE (no TLSA records or TLSA SvcParams), what SNI do we use? I.e., what is the Authentication Domain Name (ADN)?

If DELEG follows the usual SVCB behavior, the ADN is the "apex name", and the nameserver must use a TLS certificate that covers this name (whether or not any AliasMode records appeared in the chain). However, this is very awkward for operational delegation scenarios: most businesses would not want to hand their DNS operator a valid certificate to impersonate their apex domain, enabling a trivial MITM attack (and bypassing Certificate Transparency protections!). Even in self-hosted infrastructure, using the high-value apex certificate in the DNS server may be difficult.

When DANE is in use, this problem is avoided because, in DANE modes where the ADN exists, the ADN is determined by the final TargetName, not the original owner name (as specified in SVCB-DANE).

There are many possible behaviors. The ADN could be:

  1. The DELEG TargetName
  2. The DELEG TargetName if DELEG is signed, otherwise the apex name.
  3. The TargetName of the last securely resolved DELEG or SVCB record in the resolution chain, or the apex name if none are signed.
  4. The apex name, coupled with a new X.509 Key Usage meaning "DNS authoritative nameserver".
  5. A name explicitly specified in a SvcParam.
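
Added example, not part of the original issue or the DELEG draft: a small Python model showing how options 1 to 3 above select different ADNs for the same resolution chain. The `Hop` type, the function names and the sample names are hypothetical, and option 3 is read here as "stop at the first unsigned record", which is an assumption about the wording.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    rrtype: str       # "DELEG" or "SVCB"
    target_name: str  # TargetName carried by this record
    secure: bool      # True if the record was DNSSEC-validated

def _deleg(chain):
    # The chain is modelled as starting with the DELEG record.
    if not chain or chain[0].rrtype != "DELEG":
        raise ValueError("chain must start with a DELEG record")
    return chain[0]

def adn_option1(apex, chain):
    """Option 1: the DELEG TargetName, signed or not."""
    return _deleg(chain).target_name

def adn_option2(apex, chain):
    """Option 2: the DELEG TargetName if DELEG is signed, else the apex name."""
    deleg = _deleg(chain)
    return deleg.target_name if deleg.secure else apex

def adn_option3(apex, chain):
    """Option 3: TargetName of the last securely resolved DELEG/SVCB record,
    or the apex name if none qualifies. Assumption: records that follow an
    unsigned hop do not count as securely resolved."""
    _deleg(chain)
    adn = apex
    for hop in chain:
        if not hop.secure:
            break
        adn = hop.target_name
    return adn

def compare(apex, chain):
    """Return the ADN (and therefore the SNI) chosen under each option."""
    return {"option1": adn_option1(apex, chain),
            "option2": adn_option2(apex, chain),
            "option3": adn_option3(apex, chain)}

# Constructed sample data: a signed DELEG, a signed SVCB alias, an unsigned SVCB.
APEX = "example.com."
SIGNED_CHAIN = [Hop("DELEG", "ns.alias.example.", True),
                Hop("SVCB", "dot.operator.example.", True),
                Hop("SVCB", "edge.other.example.", False)]
# Same chain, but the DELEG record itself is unsigned.
UNSIGNED_CHAIN = [Hop("DELEG", "ns.alias.example.", False)] + SIGNED_CHAIN[1:]

if __name__ == "__main__":
    print(compare(APEX, SIGNED_CHAIN))
    print(compare(APEX, UNSIGNED_CHAIN))
```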

pspacek commented 2 weeks ago

I assume that the DELEG TargetName is what operators would want, as it removes the need to have a zillion certificates for every little domain hosted on their DNS platform.

bemasc commented 2 weeks ago

I agree, and that is what is proposed in #16.