You're right that DANE kind of implies DNSSEC. Technically it can go without, but it's quite pointless to do because you cannot trust your TLSA record without DNSSEC.
DNSSEC works in an air gapped network when you deploy your own trust anchor in your DNS. I wouldn't touch a domain name that you don't own yourself (like google.com) but instead only use a domain name you purchased.
It surprises me that DANE is even listed on caniuse.com! I expected it to be way to exotic to be on that list. I'm under no illusion that browsers are going to support this anytime soon unfortunately.
Now let's hope I didn't wake up tptacek to lecture us on how DNSSEC is bad and how it will eat your children. ;)
DNSSEC works in an air gapped network when you deploy your own trust anchor in your DNS. I wouldn't touch a domain name that you don't own yourself (like google.com) but instead only use a domain name you purchased.
It surprises me that DANE is even listed on caniuse.com! I expected it to be way to exotic to be on that list. I'm under no illusion that browsers are going to support this anytime soon unfortunately.
Now let's hope I didn't wake up tptacek to lecture us on how DNSSEC is bad and how it will eat your children. ;)