SSL_CTX_dane_enable.pod states: SSL_dane_enable() may be called before the SSL handshake is initiated with L<SSL_connect(3)> to enable DANE for that connection. "may" seems to be a bit confusing here: if you want "to enable DANE for that connection" then you "must" call the function, right?