diff --git a/configure.ac b/configure.ac
index 4d3717c8..721c83b9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -109,6 +109,10 @@ AC_ARG_ENABLE([fsanitize-ubsan],
   [AS_HELP_STRING([--enable-fsanitize-ubsan], [Turn on Undefined Behavior Sanitizer (for developers)])],
   [gl_cc_sanitize_ubsan=yes], [gl_cc_sanitize_ubsan=no])
 
+AC_ARG_ENABLE([dane],
+  [AS_HELP_STRING([--enable-dane], [Turn on DANE(TLSA DNS RR) validation (only works in conjunction with gnutls)])],
+  [enable_dane=yes], [enable_dane=no])
+
 AC_ARG_ENABLE([fsanitize-asan],
   [AS_HELP_STRING([--enable-fsanitize-asan], [Turn on Address Sanitizer (for developers) (mutually exclusive with Memory/Thread sanitizer or Valgrind tests)])],
   [gl_cc_sanitize_asan=yes], [gl_cc_sanitize_asan=no])
@@ -623,6 +627,16 @@ AS_IF([test x"$with_ssl" = xopenssl], [
     fi
 
     AC_CHECK_FUNCS(gnutls_priority_set_direct)
+
+    if [test x"$enable_dane" = xyes]; then
+      PKG_CHECK_MODULES([GNUTLS_DANE], [gnutls-dane], [
+        AC_MSG_NOTICE([compiling in DANE support via GnuTLS-DANE])
+        LIBS="$GNUTLS_DANE_LIBS $LIBS"
+        CFLAGS="$GNUTLS_DANE_CFLAGS -DHAVE_LIBGNUTLS_DANE $CFLAGS"
+        AC_DEFINE([HAVE_LIBGNUTLS_DANE], [1], [Define to 1 if using gnutls-dane])
+        have_gnutls_dane=yes
+      ])
+    fi
   ]) # endif: --with-ssl != no?
 ]) # endif: --with-ssl == openssl?
 
@@ -1022,4 +1036,5 @@ AC_MSG_NOTICE([Summary of build options:
   GPGME:             $have_gpg
   IRI:               $iri
   Fuzzing build:     $enable_fuzzing, $LIB_FUZZING_ENGINE
+  GnuTLS-DANE:       $have_gnutls_dane
 ])
diff --git a/src/gnutls.c b/src/gnutls.c
index 04b50b10..c8b81a87 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -41,6 +41,9 @@ as that of the covered work.  */
 #include <gnutls/abstract.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#ifdef HAVE_LIBGNUTLS_DANE
+#include <gnutls/dane.h>
+#endif /* HAVE_LIBGNUTLS_DANE */
 #include <sys/ioctl.h>
 
 #include "utils.h"
@@ -920,6 +923,26 @@ ssl_check_certificate (int fd, const char *host)
   if (opt.check_cert == CHECK_CERT_QUIET && pinsuccess)
     return success;
 
+#ifdef HAVE_LIBGNUTLS_DANE
+  if(opt.check_dane == true) {
+    unsigned int dane_verify_flags = 0;
+    int dane_verify_status = dane_verify_session_crt(NULL, ctx->session, _sni_hostname(host), "tcp", 443, 0, 0, &dane_verify_flags);
+
+    if(dane_verify_status < 0) {
+      fprintf(stderr, "DANE-ERROR: %d(%s)\n", dane_verify_status, dane_strerror(dane_verify_status));
+      success = false;
+      goto out;
+    }
+    gnutls_datum_t verify_flags_status;
+    dane_verification_status_print(dane_verify_flags, &verify_flags_status, 0);
+
+    if(dane_verify_flags == 0)
+      fprintf(stdout, "DANE-STATUS: %d (%s)\n", dane_verify_flags, verify_flags_status.data);
+    else
+      fprintf(stderr, "DANE-STATUS: %d (%s)\n", dane_verify_flags, verify_flags_status.data);
+  }
+#endif /* HAVE_LIBGNUTLS_DANE */
+
   err = gnutls_certificate_verify_peers2 (ctx->session, &status);
   if (err < 0)
     {
diff --git a/src/init.c b/src/init.c
index 9b6665a6..0563cc3c 100644
--- a/src/init.c
+++ b/src/init.c
@@ -159,6 +159,9 @@ static const struct {
   { "certificate",      &opt.cert_file,         cmd_file },
   { "certificatetype",  &opt.cert_type,         cmd_cert_type },
   { "checkcertificate", &opt.check_cert,        cmd_check_cert },
+# ifdef HAVE_LIBGNUTLS_DANE
+  { "checkdane",        &opt.check_dane,        cmd_boolean },
+# endif
 #endif
   { "chooseconfig",     &opt.choose_config,     cmd_file },
 #ifdef HAVE_SSL
diff --git a/src/main.c b/src/main.c
index 65b7f3f3..5721e19a 100644
--- a/src/main.c
+++ b/src/main.c
@@ -237,8 +237,14 @@ _Noreturn static void print_version (void);
 
 #ifdef HAVE_SSL
 # define IF_SSL(x) x
+# ifdef HAVE_LIBGNUTLS_DANE
+#  define IF_GNUTLS_DANE(x) x
+# else
+#  define IF_GNUTLS_DANE(x) NULL
+# endif
 #else
 # define IF_SSL(x) NULL
+# define IF_GNUTLS_DANE(x) NULL
 #endif
 
 struct cmdline_option {
@@ -285,6 +291,7 @@ static struct cmdline_option option_data[] =
     { IF_SSL ("certificate"), 0, OPT_VALUE, "certificate", -1 },
     { IF_SSL ("certificate-type"), 0, OPT_VALUE, "certificatetype", -1 },
     { IF_SSL ("check-certificate"), 0, OPT_BOOLEAN, "checkcertificate", -1 },
+    { IF_GNUTLS_DANE ("check-dane"), 0, OPT_BOOLEAN, "checkdane", -1 },
     { "clobber", 0, OPT__CLOBBER, NULL, optional_argument },
 #ifdef HAVE_LIBZ
     { "compression", 0, OPT_VALUE, "compression", -1 },
@@ -849,6 +856,8 @@ HTTPS (SSL/TLS) options:\n"),
        --https-only                only follow secure HTTPS links\n"),
     N_("\
        --no-check-certificate      don't validate the server's certificate\n"),
+    N_("\
+       --check-dane                reads and validates the DNS TLSA records (DANE)\n"),
     N_("\
        --certificate=FILE          client certificate file\n"),
     N_("\
diff --git a/src/options.h b/src/options.h
index 881e2b2e..fd935ef5 100644
--- a/src/options.h
+++ b/src/options.h
@@ -261,6 +261,10 @@ struct options
   bool ftps_clear_data_connection;
 
   char *tls_ciphers_string;
+#ifdef HAVE_LIBGNUTLS_DANE
+  bool check_dane;             /* whether to validate the servers certificate using
+                                  DNS/DANE */
+#endif /* HAVE_LIBGNUTLS_DANE */
 #endif /* HAVE_SSL */
 
   bool cookies;                 /* whether cookies are used. */