{"draft":"draft-dukhovni-tls-dnssec-chain-08","doc_id":"RFC9102","title":"TLS DNSSEC Chain Extension","authors":["V. Dukhovni","S. Huque","W. Toorop","P. Wouters","M. Shore"],"format":["HTML","TEXT","PDF","XML"],"page_count":"43","pub_status":"EXPERIMENTAL","status":"EXPERIMENTAL","source":"INDEPENDENT","abstract":"This document describes an experimental TLS extension for the in-band\r\ntransport of the complete set of records that can be validated by\r\nDNSSEC and that are needed to perform DNS-Based Authentication of\r\nNamed Entities (DANE) of a TLS server. This extension obviates the\r\nneed to perform separate, out-of-band DNS lookups.  When the\r\nrequisite DNS records do not exist, the extension conveys a\r\ndenial-of-existence proof that can be validated.\r\n\r\nThis experimental extension is developed outside the IETF and is\r\npublished here to guide implementation of the extension and to ensure\r\ninteroperability among implementations.","pub_date":"August 2021","keywords":[],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9102","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc9102"}