On 15 feb 2014, at 16:55, Rob Austein <sra at hactrn.net> wrote:
> This assumes that one considers being independent of the full PKIX
> path validation to be a feature. I'm not convinced.
Ah, if you want to require both classic PKIX and DANE, you should do TLSA {0,1} x y, not TLSA {1,2} x y.
jakob