I've only added this to configure.ac, so it will require additional changes to work with CMake.
This can be used on Gentoo as-is, or on Debian Jessie/Ubuntu Utopic if gnutls28 is modified to provide gnutls-dane.
core: implement support for DANE
Use gnutls-dane to obtain DANE TLSA records on SSL connections.
Performs a synchronous DNS lookup to get TLSA data between the
normal DNS resolve and the TCP connect.
configure: Add gnutls-dane library
irc: implement support for DANE
Use gnutls-dane to check DANE TLSA records on SSL connections.
Performs a check of the cached TLSA data when verifying the
Is there anything more than the CMake part of this that's missing?
No, it's all functional. You'd need to replicate the same version check logic in CMake, some of the older GnuTLS releases have severe flaws in their behaviour.
There should be a copy of weechat__dane_query_to_raw_tlsa() named dane_query_to_raw_tlsa() in a future release of GnuTLS that you could opt to use instead if you increase the minimum version requirements.
GnuTLS still has this outstanding bug if CA type TLSA records are used: http://savannah.gnu.org/support/?108552
Is it possible to test that with GnuTLS version currently in Debian unstable?
Yes but you'll need to modify the gnutls28 package to create libgnutls-dane0.
Debian aren't going to support gnutls-dane until GnuTLS stops linking against Unbound or Unbound doesn't depend on OpenSSL: http://lists.gnutls.org/pipermail/gnutls-devel/2014-February/006793.html
This could wait until GnuTLS 3.4 which will drop the libunbound dependency in favour of assuming a local validating resolver. Such a change may result in libgnutls-dane being merged into libgnutls.
However, the discussions on how to configure support for this in glibc appear to have stalled: https://sourceware.org/ml/libc-alpha/2014-06/msg00586.html
It looks like the issue has moved to GnuTLS 3.5 now and the issue is at https://gitlab.com/gnutls/gnutls/issues/21.