DNS-based Authentication of Named Entities

[1] DANE is specified in RFC 6698 (a Proposed Standard) as a way for a TLS client to authenticate a TLS server by binding the server's certificate to its domain name through DNSSEC-signed TLSA records, instead of relying solely on a certificate authority (CA). RFC 6698 covers server certificates; with usages 2 and 3 the CA can be left out entirely, while usages 0 and 1 still require a valid CA chain.

Trusting a large number of CAs is a problem because every CA in the trust store can issue a certificate for any domain name, so a single breached or misbehaving CA is enough to impersonate any site.

At least one TLSA RR in the RRset for the service (the owner name is _port._proto.host, e.g. _443._tcp.www.example.com) must match the certificate, or a CA certificate in the chain, offered by the service at that address. The RRset must also be obtained with DNSSEC validation; an unsigned or bogus answer gives no assurance at all.

HTTPS still requires that the name in the X.509 certificate presented by the service (the subjectAltName dNSName, with the Common Name as the legacy fallback) match the requested host, regardless of the TLSA record asserting the certificate's validity.

The RR itself has four fields: the Certificate Usage (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE), which says what level of validation the domain owner provides and whether a CA chain is still required; the Selector (0 for the full certificate, 1 for only the SubjectPublicKeyInfo); the Matching Type (0 exact match, 1 SHA-256, 2 SHA-512); and the Certificate Association Data, the bytes or digest to compare against.

The TLSA record for www.ietf.org specifies usage 3, selector 1, matching type 1 ("3 1 1"): check the SHA-256 hash of the SubjectPublicKeyInfo of the certificate provided, ignoring any CA.
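The following Python is an added worked example, not code from the page or from RFC 6698 itself. It illustrates the four-field record layout and the "3 1 1" (DANE-EE, SPKI, SHA-256) case above: it parses a TLSA record in presentation form, derives the certificate association data for each selector and matching type from a DER certificate, and checks whether the record matches. The minimal DER encoder/decoder, the unsigned toy certificate, the constructed TOY_RECORD built from it, and all function names are assumptions for illustration; the record is not the real www.ietf.org record. For a real server, `ssl.PEM_cert_to_DER_cert()` on a saved PEM certificate produces the DER input these functions expect.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The four TLSA fields (RFC 6698 section 2.1); mnemonics from RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # Certificate Association Data

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation form "usage selector matching hex..." (RFC 6698 section 2.2)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and association data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unknown TLSA field value")
    data = bytes.fromhex("".join(fields[3:]))  # zone files may break the hex over whitespace
    if (matching == 1 and len(data) != 32) or (matching == 2 and len(data) != 64):
        raise ValueError("association data length does not fit the matching type")
    return TLSA(usage, selector, matching, data)

def needs_pkix(usage: int) -> bool:
    # Usages 0 and 1 constrain an otherwise PKIX-valid chain; 2 and 3 replace the CA store.
    return usage in (0, 1)

# --- minimal DER helpers (assumption: just enough to reach subjectPublicKeyInfo) ---
def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        start = pos + 2 + nb
    return tag, buf[start:start + length], start + length

def der_children(content: bytes) -> list:
    out, pos = [], 0  # (tag, whole TLV bytes) for each element of a constructed type
    while pos < len(content):
        tag, _, nxt = der_decode(content, pos)
        out.append((tag, content[pos:nxt]))
        pos = nxt
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (selector 1 input) from an X.509 certificate."""
    _, cert_body, _ = der_decode(cert_der)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs_body, _ = der_decode(cert_body)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version is optional
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """What the TLSA data field must contain for this cert (RFC 6698 sections 2.1.2-2.1.3)."""
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching == 0:
        return selected
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(selected).digest()

def tlsa_matches(record: TLSA, chain: list) -> bool:
    """True if the record matches the presented chain (chain[0] is the end-entity cert).
    EE usages (1, 3) bind the leaf only; TA usages (0, 2) may match any cert in the chain.
    For usages 0 and 1 the caller must additionally run PKIX validation (needs_pkix)."""
    candidates = chain[:1] if record.usage in (1, 3) else chain
    return any(hmac.compare_digest(record.data, association_data(c, record.selector, record.matching))
               for c in candidates)

# --- constructed test input: an unsigned toy certificate, NOT a real one ---
def _build_toy_cert(spki: bytes) -> bytes:
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))  # v3
    serial = der_encode(0x02, b"\x01")
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
    tbs = der_encode(0x30, version + serial + alg + empty_name + validity + empty_name + spki)
    sig = der_encode(0x03, b"\x00" * 9)  # placeholder signature, never verified here
    return der_encode(0x30, tbs + alg + sig)

TOY_SPKI = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2a8648ce3d0201")))
                      + der_encode(0x03, b"\x00\x04" + bytes(range(64))))  # id-ecPublicKey, fake point
TOY_CERT = _build_toy_cert(TOY_SPKI)
TOY_RECORD = "3 1 1 " + hashlib.sha256(TOY_SPKI).hexdigest()  # same shape as a DANE-EE SPKI SHA-256 record
```

`parse_tlsa(TOY_RECORD)` followed by `tlsa_matches(rec, [TOY_CERT])` returns True, and `needs_pkix(3)` is False, which is exactly the "ignore any CA" property of a "3 1 1" record; a selector-0 record carrying the same digest does not match, because the hash is then taken over the whole certificate rather than the SPKI. Note that `tlsa_matches` only decides whether the association data matches; DNSSEC validation of the RRset and, for usages 0 and 1, PKIX chain validation are separate steps.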