This document proposes a new TLS extension called "dnssec_chain" that allows the TLS server to deliver the DNSSEC authentication chain needed for a DANE record to the TLS client. The client then authenticates the chain locally using a preconfigured trust anchor. This avoids the client needing to perform DNS queries itself and works around middleboxes that could interfere with DANE/DNSSEC lookups. The rationale is that the client can authenticate the DANE record without needing a secure connection to a validating DNS resolver. Prototypes of the dnssec_chain extension are being developed.