Per citare la RFC :
Abstract
Encrypted communication on the Internet often uses Transport Layer
Security (TLS), which depends on third parties to certify the keys
used. This document improves on that situation by enabling the
administrators of domain names to specify the keys used in that
domain's TLS servers. This requires matching improvements in TLS
client software, but no change in TLS server software.
Section 1.1
...DNS-Based Authentication of Named Entities (DANE) offers the option
to use the DNSSEC infrastructure to store and sign keys and
certificates that are used by TLS. DANE is envisioned as a
preferable basis for binding public keys to DNS names, because the
entities that vouch for the binding of public key data to DNS names
are the same entities responsible for managing the DNS names in
question. While the resulting system still has residual security
vulnerabilities, it restricts the scope of assertions that can be
made by any entity, consistent with the naming scope imposed by the
DNS hierarchy. As a result, DANE embodies the security "principle of
least privilege" that is lacking in the current public CA model...
DANE e TLSA offrono un modo per fidarsi di un certificato per un dominio senza averlo firmato da una CA, questo è diverso da HPKP perché HPKP richiede ancora una CA per firmare il certificato, limita solo i certificati firmati.