Why does the DNS-based Authentication of Named Entities (DANE) protocol depend on Domain Name System Security Extensions (DNSSEC)?
1 Answer
The idea of the DNS-based Authentication of Named Entities (DANE) protocol is that domain owners publish the fingerprint of a certificate that their server uses in a DNS resource record. It is a measure to prevent certificate forgery. Users that wish to connect to the server via TLS can look up the fingerprint of the presented certificate in the DNS record for the corresponding domain name to see if it was permitted by the owner.
This means that DANE relies on the assumption that DNS responses can be trusted, which is not the case with regular DNS. So to assert the integrity of the DNS records, DANE uses the signature mechanism provided by DNSSEC. Otherwise a man-in-the-middle could simply modify the fingerprint in the TLSA record and DANE would be useless.
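As an added illustration of the answer above (example code, not part of the original question or answer), the following Python implements the TLSA matching rules from RFC 6698 (selector: full certificate or SubjectPublicKeyInfo; matching type: exact, SHA-256 or SHA-512) and shows why the check is only meaningful when the record arrived with a valid DNSSEC signature. The certificate and SPKI byte strings are constructed stand-ins for real DER encodings, and `dnssec_authenticated` stands in for the resolver's validation result (the AD flag or a local validating stub); in practice the DER blobs come from the TLS handshake via an X.509 library.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values from RFC 6698.
USAGE_DANE_EE = 3          # DANE-EE: the record pins the end-entity certificate itself
SELECTOR_FULL_CERT = 0     # compare against the full DER certificate
SELECTOR_SPKI = 1          # compare against the DER SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Constructed stand-ins for DER-encoded certificate / SPKI bytes (not real X.509 data).
GENUINE_CERT = b"constructed-stand-in: genuine server certificate DER"
GENUINE_SPKI = b"constructed-stand-in: genuine server SubjectPublicKeyInfo DER"
FORGED_CERT = b"constructed-stand-in: attacker-issued certificate DER"
FORGED_SPKI = b"constructed-stand-in: attacker SubjectPublicKeyInfo DER"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa_rdata(text: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 2bb183af5f22...'."""
    usage, selector, mtype, hexdata = text.split(maxsplit=3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def publish_tlsa_sha256_spki(spki_der: bytes) -> str:
    """What a domain owner would put in DNS: '3 1 1 <sha256 of SPKI>'."""
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCH_SHA256} {hashlib.sha256(spki_der).hexdigest()}"


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for the presented certificate."""
    if record.selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif record.selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {record.selector}")
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes, dnssec_authenticated: bool) -> bool:
    """True only if a DNSSEC-validated DANE-EE record matches the presented certificate.

    Unsigned or unvalidated TLSA data is ignored entirely: whoever can alter the DNS
    reply could otherwise publish a record matching a certificate of their own.
    """
    if not dnssec_authenticated:
        return False
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue  # usages 0-2 additionally require PKIX path validation, not shown here
        if hmac.compare_digest(rec.data, association_data(rec, cert_der, spki_der)):
            return True
    return False


def demo() -> dict:
    """Walk through the scenarios described in the answer."""
    owner_record = parse_tlsa_rdata(publish_tlsa_sha256_spki(GENUINE_SPKI))
    # A record that a man-in-the-middle would need to substitute to make a forged cert pass.
    substituted_record = parse_tlsa_rdata(publish_tlsa_sha256_spki(FORGED_SPKI))
    return {
        "genuine_cert_signed_record": dane_ee_accepts([owner_record], GENUINE_CERT, GENUINE_SPKI, True),
        "forged_cert_signed_record": dane_ee_accepts([owner_record], FORGED_CERT, FORGED_SPKI, True),
        # Substituted record is unsigned, so a validating client rejects it.
        "forged_cert_substituted_unsigned": dane_ee_accepts([substituted_record], FORGED_CERT, FORGED_SPKI, False),
        # Without DNSSEC the fingerprint comparison alone would happily match the forged cert.
        "forged_cert_matches_if_dnssec_ignored": hmac.compare_digest(
            substituted_record.data, association_data(substituted_record, FORGED_CERT, FORGED_SPKI)),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The last two entries of `demo()` make the answer's point concrete: the fingerprint comparison itself cannot tell a genuine record from a substituted one, so the client must refuse to act on any TLSA data that did not validate under DNSSEC.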