Currently the second option (TLS extension) is considered ultimately more flexible and usable.
== Test Plans ==
Current test plans (not yet fully realized) include fuzzing the added attack surface (i.e. throwing data blobs at the validator) and testing with deliberately crafted DNSSEC chains (e.g. ones with expired signatures, missing links, or invalid links).
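The crafted-chain cases listed above can be expressed as a negative test suite. The following is an added sketch, not code from this project: it uses a simplified chain model in which HMAC stands in for RRSIG public-key verification and a SHA-256 key digest stands in for a DS record, and all names, zones and timestamps are constructed for illustration. It does not cover the fuzzing part of the plan.

```python
import copy, hashlib, hmac

NOW = 1_700_000_000  # constructed validation time (assumption)

def digest(data):
    return hashlib.sha256(data).hexdigest()

def sign(link):
    # HMAC is a stand-in for the zone's RRSIG; a real validator verifies public-key signatures.
    msg = "|".join([link["zone"], link["child"], str(link["inc"]), str(link["exp"])])
    return hmac.new(link["key"], msg.encode(), hashlib.sha256).hexdigest()

def build_chain(zones, target):
    """Valid chain: each link commits to the next zone's key digest; the last commits to target."""
    keys = [f"constructed-key-{z}".encode() for z in zones]
    chain = []
    for i, zone in enumerate(zones):
        child = digest(keys[i + 1]) if i + 1 < len(zones) else target
        link = {"zone": zone, "key": keys[i], "child": child,
                "inc": NOW - 3600, "exp": NOW + 3600}
        link["sig"] = sign(link)
        chain.append(link)
    return chain, digest(keys[0])  # second value is the trust anchor

def validate(chain, anchor, target, now=NOW):
    expected = anchor
    for link in chain:
        if digest(link["key"]) != expected:
            return "broken-link"       # key not vouched for by the parent
        if not link["inc"] <= now <= link["exp"]:
            return "expired"           # outside the signature validity window
        if not hmac.compare_digest(sign(link), link["sig"]):
            return "bad-signature"
        expected = link["child"]
    return "ok" if expected == target else "broken-link"

def negative_cases(chain):
    expired = copy.deepcopy(chain)
    expired[1]["exp"] = NOW - 1
    expired[1]["sig"] = sign(expired[1])   # re-signed so only the time check can fail
    invalid = copy.deepcopy(chain)
    invalid[1]["sig"] = "0" * 64           # signature no longer matches the record
    missing = chain[:1] + chain[2:]        # middle zone dropped from the chain
    return {"expired": expired, "missing": missing, "invalid": invalid}

def run_suite():
    target = digest(b"constructed server certificate")
    chain, anchor = build_chain([".", "org.", "example.org."], target)
    results = {"valid": validate(chain, anchor, target)}
    for name, bad in negative_cases(chain).items():
        results[name] = validate(bad, anchor, target)
    return results

if __name__ == "__main__":
    print(run_suite())
```

Each negative case changes exactly one property of an otherwise valid chain, so a passing result shows that the specific check fired rather than some unrelated rejection.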