Enforce DANE policy
From all I have learned about DANE with respect to SMTP, the existence of a TLSA record is a signal that connections to this server must be encrypted. For example, Postfix implements this policy when sending mail to servers that come with a TLSA record. It would be great if the dnssec-validator could be extended to do that as well: visiting a website with a (DNSSEC-verified) TLSA record should enforce encryption for this connection. This nicely solves the problem of downgrade attacks to which the usual http-to-https redirects are vulnerable.
Even though www.debian.org comes with a TLSA record, if I visit "http://www.debian.org" in a fresh Firefox profile (so I have not received the Strict-Transport-Security header yet), the page is loaded without encryption. I'd expect Firefox not to even contact the Debian servers on port 80, but to use https immediately.
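The policy requested above, written out as an added Python example (not code from the dnssec-validator add-on or from any browser): a DNSSEC-validated TLSA record under `_443._tcp.<host>` upgrades an `http://` URL to `https://` before any port-80 connection is made, while a TLSA record that did not validate (no AD flag) is treated as absent, because unauthenticated DNS data could itself be spoofed. The `fake_lookup` resolver, the hostnames `dane.example`, `unsigned.example` and `plain.example`, and the certificate and SPKI byte strings are all constructed for the example; the TLSA field layout (usage, selector, matching type, association data) follows RFC 6698.

```python
"""Toy DANE-for-HTTP policy: a DNSSEC-validated TLSA record means "TLS only"."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name a browser would query, e.g. _443._tcp.www.debian.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_rdata(rdata: bytes) -> TlsaRecord:
    """Split wire-format TLSA RDATA into its four fields."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TlsaRecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


# A resolver callback: owner name -> (list of TLSA RDATA, DNSSEC AD flag).
Lookup = Callable[[str], Tuple[List[bytes], bool]]


def decide_policy(host: str, lookup: Lookup) -> str:
    """'require-tls' only when TLSA data exists AND was DNSSEC-validated."""
    records, authenticated = lookup(tlsa_name(host))
    if records and authenticated:
        return "require-tls"
    # Unvalidated TLSA data could have been forged, so it buys no enforcement;
    # the connection then falls back to today's behaviour (plain http allowed).
    return "opportunistic"


def rewrite_url(url: str, lookup: Lookup) -> str:
    """Upgrade http:// to https:// before any cleartext request is sent."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname \
            and decide_policy(parts.hostname, lookup) == "require-tls":
        return parts._replace(scheme="https").geturl()
    return url


def cert_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check the served certificate against one TLSA record (RFC 6698 sec. 2.1)."""
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: treat as unusable
    if record.matching == 0:
        return selected == record.data
    if record.matching == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type


# Constructed sample data (not real certificates or DNS answers).
CERT_DER = b"constructed-der-encoded-certificate"
SPKI_DER = b"constructed-subject-public-key-info"
# TLSA 3 1 1: DANE-EE, SubjectPublicKeyInfo, SHA-256 (the common web/SMTP form).
DANE_EE_SPKI_SHA256 = bytes([3, 1, 1]) + hashlib.sha256(SPKI_DER).digest()

FAKE_ZONE = {
    tlsa_name("dane.example"): ([DANE_EE_SPKI_SHA256], True),       # signed zone
    tlsa_name("unsigned.example"): ([DANE_EE_SPKI_SHA256], False),  # no DNSSEC
}


def fake_lookup(name: str) -> Tuple[List[bytes], bool]:
    """Constructed stand-in for a validating resolver."""
    return FAKE_ZONE.get(name, ([], False))


if __name__ == "__main__":
    for url in ("http://dane.example/", "http://unsigned.example/",
                "http://plain.example/"):
        print(url, "->", rewrite_url(url, fake_lookup))
    rec = parse_tlsa_rdata(DANE_EE_SPKI_SHA256)
    print("certificate matches TLSA:", cert_matches(rec, CERT_DER, SPKI_DER))
```

Only `dane.example` is upgraded; `unsigned.example` has the same record but no AD flag and so stays on http, which is exactly the distinction that makes the scheme resistant to the redirect-based downgrade described above: the decision is made from signed DNS data before the cleartext request exists, not from a reply the attacker could tamper with.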