diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index aef951df..3623810e 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -536,6 +536,23 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
 return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls));
 }
+/* CBN:TODO Implement! */
+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
+{
+ if (!conn || !conn->ssl)
+ return 0;
+
+ return 2 /* 2 is unknown */;
+}
+
+/* CBN:TODO Implement! */
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
+{
+ if (!conn || !conn->ssl)
+ return 0;
+ return 0;
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 int r;
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index ffabb201..f58cb013 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -842,6 +842,26 @@ const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
 return SSL_get_version(conn->ssl);
 }
+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn)
+{
+ uint8_t usage = 255; /* 0 and 1 for also PKIX, 2 and 3 for DANE only */
+
+ if (!conn || !conn->ssl)
+ return 0;
+
+ if (SSL_get0_dane_tlsa(conn->ssl, &usage, NULL, NULL, NULL, NULL) < 0)
+ return SSL_get_verify_result(conn->ssl) == X509_V_OK ? 1 : 0;
+
+ return usage <= 1 ? 1 : 2 /* 2 is unknown */;
+}
+
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn)
+{
+ if (!conn || !conn->ssl)
+ return 0;
+ return SSL_get0_dane_authority(conn->ssl, NULL, NULL) >= 0;
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 int r;
diff --git a/src/request-internal.c b/src/request-internal.c
index 8002750e..39e65038 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
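Review bot: Both gnutls stubs guard on `conn->ssl`, but the context line just above them reads `conn->tls`, so unless the gnutls `_getdns_tls_connection` also carries an `ssl` member this hunk will not compile in the gnutls backend; `if (!conn || !conn->tls)` is what the rest of the file uses. As written, a gnutls build reports PKIX authentication as 2 (unknown) and pin authentication as 0 after every handshake, successful or not, which callers of the new `tls_auth_pkix`/`tls_auth_pin` values need to be told until the TODO is implemented. In `_getdns_tls_connection_get_pin_auth` the guard and the fall-through both `return 0;`, so the body collapses to a single `return 0; /* CBN:TODO not implemented for gnutls */` for now.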
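Review bot: The tri-state result (0 = not PKIX validated, 1 = validated, 2 = unknown) is written as bare literals here and again in request-internal.c, types-internal.h and util-internal.c, with the meaning of 2 carried only in trailing comments; a small enum in tls.h (constructed names, e.g. `GETDNS_TLS_AUTH_NONE = 0, GETDNS_TLS_AUTH_OK = 1, GETDNS_TLS_AUTH_UNKNOWN = 2`) would let `return usage <= 1 ? 1 : 2 /* 2 is unknown */;` become `return usage <= 1 ? GETDNS_TLS_AUTH_OK : GETDNS_TLS_AUTH_UNKNOWN;` and keep the four sites in step. The `usage <= 1` test treats TLSA usages 0 and 1 as PKIX-validated and the DANE-only usages as unknown, which agrees with the comment on `usage`; the 255 default only matters if `SSL_get0_dane_tlsa()` returns non-negative without writing `usage`, and if that is the intent a short comment saying so would save the next reader a lookup.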
@@ -218,6 +218,11 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
 net_req->debug_tls_peer_cert.size = 0;
 net_req->debug_tls_peer_cert.data = NULL;
 net_req->debug_tls_version = NULL;
+ net_req->debug_pkix_auth = 0; /* 1 == authenticated with PKIX * 0 == not authenticated with PKIX * 2 == unknown */
+ net_req->debug_pin_auth = 0; /* == 1 if authenticated with pinset */
 net_req->debug_udp = 0;
 /* Scheduling, touch only via _getdns_netreq_change_state!
diff --git a/src/stub.c b/src/stub.c
index 10d11e2e..af801ba0 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1853,6 +1853,8 @@ upstream_write_cb(void *userarg)
 _getdns_tls_x509_free(&upstream->upstreams->mf, cert);
 }
 netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
+ netreq->debug_pkix_auth = _getdns_tls_connection_get_pkix_auth(netreq->upstream->tls_obj);
+ netreq->debug_pin_auth = _getdns_tls_connection_get_pin_auth(netreq->upstream->tls_obj);
 }
 /* Need this because auth status is reset on connection close */
 netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
diff --git a/src/tls.h b/src/tls.h
index 567d5137..5662e362 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -265,6 +265,22 @@ _getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _
 */
 const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);
+/**
+ * Return whether or not the peer cert PKIX validated
+ *
+ * @param conn the connection
+ * @return 1 when the peer cert PKIX validated, 0 if it did not validate, 2 otherwise
+ */
+int _getdns_tls_connection_get_pkix_auth(_getdns_tls_connection* conn);
+
+/**
+ * Return whether or not a pin from the pinset matched
+ *
+ * @param conn the connection
+ * @return 1 when the peer cert matched a pinset, 0 otherwise
+ */
+int _getdns_tls_connection_get_pin_auth(_getdns_tls_connection* conn);
+
 /**
 * Attempt TLS handshake.
 *
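Review bot: `debug_pkix_auth` is initialised to 0, which the comment beside it defines as "not authenticated with PKIX", yet the stub.c hunk only overwrites it on the TLS path, so a request that never ran TLS is later exported by util-internal.c with `tls_auth_pkix` = 0, indistinguishable from a TLS connection whose PKIX validation actually failed. Initialising to the documented unknown value, `net_req->debug_pkix_auth = 2; /* 2 == unknown until the TLS path sets it */`, keeps the two cases apart; `debug_pin_auth = 0` is fine since no TLS means no pin match. Whether util-internal.c already skips these keys for non-TLS requests is not visible in this diff, so confirm that before changing the default. `network_req_init` continues outside the hunk.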
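Review bot: The `@return` for `_getdns_tls_connection_get_pkix_auth` says "2 otherwise" without saying what 2 means, and because 2 is non-zero a caller that tests the result as a boolean would count an undetermined result as validated. Spell it out and warn against truthiness checks, e.g. `@return 1 when the peer cert PKIX validated, 0 if it did not validate, 2 if this could not be determined (DANE-only TLSA usage, or a backend that does not implement the check); do not test the result as a boolean`. The same caveat belongs wherever the `tls_auth_pkix` key written in util-internal.c is documented for API consumers, since that is the value they will see.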
diff --git a/src/types-internal.h b/src/types-internal.h
index 5c7ac74a..a7e20eda 100644
--- a/src/types-internal.h
+++ b/src/types-internal.h
@@ -244,6 +244,9 @@ typedef struct getdns_network_req
 const char *debug_tls_version;
 /* Some booleans */
+ unsigned debug_pkix_auth: 2; /* 1 if TLS connection is PKIX valid 2 if this is unknown */
+ unsigned debug_pin_auth : 1; /* 1 if one of the pinset's matched */
 unsigned debug_udp : 1;
 unsigned keepalive_sent : 1;
 unsigned badcookie_retry: 1;
diff --git a/src/util-internal.c b/src/util-internal.c
index 3b6971d8..f009d1cc 100644
--- a/src/util-internal.c
+++ b/src/util-internal.c
@@ -966,6 +966,18 @@ _getdns_create_call_reporting_dict(
 getdns_dict_destroy(netreq_debug);
 return NULL;
 }
+ if (getdns_dict_set_int(netreq_debug, "tls_auth_pin",
+ netreq->debug_pin_auth)) {
+
+ getdns_dict_destroy(netreq_debug);
+ return NULL;
+ }
+ if (getdns_dict_set_int(netreq_debug, "tls_auth_pkix",
+ netreq->debug_pkix_auth)) {
+
+ getdns_dict_destroy(netreq_debug);
+ return NULL;
+ }
 if (getdns_dict_util_set_string(netreq_debug, "tls_version",
 netreq->debug_tls_version)){
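Review bot: `debug_pkix_auth` is a tri-state field placed under the `/* Some booleans */` comment, and its own comment wraps onto a continuation line without the leading `*` the surrounding declarations use, so it reads as one more boolean. Either move it above that comment or state the encoding on one line, e.g. `unsigned debug_pkix_auth: 2; /* 0 not PKIX valid, 1 PKIX valid, 2 unknown; keep in step with _getdns_tls_connection_get_pkix_auth() */`. The 2-bit width holds the 0–2 the getters return today, but any larger value assigned later would be truncated silently, which is worth the explicit note.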