
246 points nh2 | 1 comments
ndsipa_pomu ◴[] No.41912342[source]
I prefer to assign an external name to an internal device and grab a free SSL cert from LetsEncrypt, but using DNS challenge instead as internal IP addresses aren't reachable by their servers.
replies(9): >>41912368 #>>41912827 #>>41913126 #>>41913387 #>>41913720 #>>41913826 #>>41916306 #>>41917079 #>>41917804 #
candiddevmike ◴[] No.41913126[source]
Obligatory if DNS validation is good enough, DANE should've been too. Yes, MITM things could potentially ensue on untrusted networks without DNSSEC, but that's perfect being the enemy of good territory IMO.

This would allow folks to have .internal with auto-discovered, decentralized, trusted PKI. It would also enable something like a DNSSEC on/off toggle switch for IoT devices to allow owners to MITM them and provide local functionality for their cloud services.

replies(3): >>41913298 #>>41914996 #>>41916478 #
ndsipa_pomu ◴[] No.41913298[source]
I hadn't heard of DANE, so looked it up and found the wikipedia entry: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

According to that, it's not supported by Chrome, nor Firefox.

replies(2): >>41916498 #>>41917893 #
teddyh ◴[] No.41917893[source]
It’s customarily used for e-mail transport.
replies(1): >>41921257 #
tptacek ◴[] No.41921257[source]
No, it isn't; it can't be, because none of the major email domains are DNSSEC-signed to begin with.

Let me know if I've misunderstood your point, and there is some other widespread niche usage DANE finds in SMTP.

replies(1): >>41926451 #
teddyh ◴[] No.41926451[source]
“Customarily” must not necessarily mean “major email domains”. As I understand it, DANE is commonly used by organizations wanting to secure e-mail between them; DANE enforcement is agreed by both parties, and then used without issue.
replies(1): >>41930841 #
wolf550e ◴[] No.41930841[source]
Didn't they invent MTA-STS so they could not use DANE? They use MTA-STS.
replies(1): >>41954625 #
teddyh ◴[] No.41954625[source]
I know that is what MTA-STS is for, but haven’t heard from people actually using it. I have, however, heard from people using DANE in the way I described.

(For those who don’t know, MTA-STS is basically DANE but for people who hate DNSSEC. And are OK with requiring every mail server to also have a web server running.)

replies(2): >>41956791 #>>42077147 #
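For readers who want to see what the "web server" part of MTA-STS actually serves, here is an added Python example (not code from any commenter in this thread) that parses a constructed RFC 8461 policy file and checks candidate MX hostnames against its `mx` patterns, including the single-label wildcard rule; the domain names and policy text are made up.

```python
import re
# Constructed policy text, as it would be fetched over HTTPS from
# https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
_KEY_RE = re.compile(r"^([a-z_]+)\s*:\s*(.*)$")

def parse_mta_sts_policy(text: str) -> dict:
    """Parse an RFC 8461 policy into {'version','mode','max_age','mx': [...]}.
    Unknown keys are ignored, as the RFC requires; a missing version, bad mode,
    or an enforce/testing policy with no mx entries raises ValueError."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if not m:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy without mx entries")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_matches(policy: dict, mx_host: str) -> bool:
    """True if mx_host is allowed. A leading '*.' matches exactly one label:
    '*.backup.example.com' covers 'mx1.backup.example.com' but not
    'a.b.backup.example.com' or 'backup.example.com' itself."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

In enforce mode a sending MTA refuses to deliver to any MX that fails `mx_matches` or whose certificate does not validate for that hostname, which is the TLS-downgrade protection DANE provides via TLSA records instead.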
teddyh ◴[] No.42077147{4}[source]
(This use of DANE is explicitly described in RFC 7672, section 6.)