diff --git a/README.md b/README.md
index aab2604ff..4455102bb 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@ the following additional features are available: + Bridging between RTP and SRTP user agents + Opportunistic SRTP (RFC 8643) + AES-GCM Authenticated Encryption (AEAD) (RFC 7714) + + `a=tls-id` as per RFC 8842 - Support for RTCP profile with feedback extensions (RTP/AVPF, RFC 4585 and 5124) - Arbitrary bridging between any of the supported RTP profiles (RTP/AVP, RTP/AVPF, RTP/SAVP, RTP/SAVPF)
diff --git a/daemon/call.c b/daemon/call.c
index 3111a8236..75110771e 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -2307,6 +2307,7 @@ static void __dtls_logic(const struct sdp_ng_flags *flags,
 struct call_media *other_media, struct stream_params *sp)
 {
 unsigned int tmp;
+ struct call *call = other_media->call;
 /* active and passive are from our POV */
 tmp = other_media->media_flags;
@@ -2329,10 +2330,19 @@ static void __dtls_logic(const struct sdp_ng_flags *flags,
 MEDIA_CLEAR(other_media, SETUP_ACTIVE);
 }
+ // restart DTLS?
 if (memcmp(&other_media->fingerprint, &sp->fingerprint, sizeof(sp->fingerprint))) {
 __fingerprint_changed(other_media);
 other_media->fingerprint = sp->fingerprint;
 }
+ else if (other_media->tls_id.len && (sp->tls_id.len || str_cmp_str(&other_media->tls_id, &sp->tls_id))) {
+ // previously seen tls-id and new tls-id is different or not present
+ ilogs(crypto, LOG_INFO, "TLS-ID changed, restarting DTLS");
+ __dtls_restart(other_media);
+ }
+
+ call_str_cpy(call, &other_media->tls_id, &sp->tls_id);
+
 MEDIA_CLEAR(other_media, DTLS);
 if (MEDIA_ISSET2(other_media, SETUP_PASSIVE, SETUP_ACTIVE) && other_media->fingerprint.hash_func)
diff --git a/daemon/sdp.c b/daemon/sdp.c
index 12c8da51c..bf2f32b15 100644
--- a/daemon/sdp.c
+++ b/daemon/sdp.c
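Review bot: The new `else if` in __dtls_logic restarts DTLS whenever a tls-id was previously stored and the new offer carries one at all, because `sp->tls_id.len` is already true for an identical value; the str_cmp_str comparison is only reached when the new tls-id is absent, which inverts the intent stated in the comment ("different or not present"). RFC 8842 keeps the existing association when the tls-id is unchanged, so the test should read `else if (other_media->tls_id.len && (!sp->tls_id.len || str_cmp_str(&other_media->tls_id, &sp->tls_id))) {`. As written, every re-INVITE that repeats the same tls-id would tear down and redo the handshake, which is a media-interruption and load concern rather than a confidentiality one. __dtls_logic begins and ends outside these hunks.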
@@ -254,6 +254,7 @@ struct sdp_attribute { /* example: a=rtpmap:8 PCMA/8000 */
 ATTR_T38FAXTRANSCODINGMMR,
 ATTR_T38FAXTRANSCODINGJBIG,
 ATTR_T38FAXRATEMANAGEMENT,
+ ATTR_TLS_ID,
 ATTR_END_OF_CANDIDATES,
 } attr;
@@ -1036,6 +1037,9 @@ static int parse_attribute(struct sdp_attribute *a) {
 case CSH_LOOKUP("fingerprint"):
 ret = parse_attribute_fingerprint(a);
 break;
+ case CSH_LOOKUP("tls-id"):
+ a->attr = ATTR_TLS_ID;
+ break;
 case CSH_LOOKUP("ice-mismatch"):
 a->attr = ATTR_ICE;
 break;
@@ -1645,6 +1649,11 @@ int sdp_streams(const GQueue *sessions, GQueue *streams, struct sdp_ng_flags *fl
 sp->fingerprint.digest_len = sp->fingerprint.hash_func->num_bytes;
 }
+ // a=tls-id
+ attr = attr_get_by_id_m_s(media, ATTR_TLS_ID);
+ if (attr)
+ sp->tls_id = attr->value;
+
 // OSRTP (RFC 8643)
 if (sp->protocol && sp->protocol->rtp && !sp->protocol->srtp && sp->protocol->osrtp_proto)
diff --git a/include/call.h b/include/call.h
index 424438f12..353c312ff 100644
--- a/include/call.h
+++ b/include/call.h
@@ -291,6 +291,7 @@ struct stream_params {
 int ptime;
 str media_id;
 struct t38_options t38_options;
+ str tls_id;
 };
 struct endpoint_map {
@@ -410,6 +411,7 @@ struct call_media {
 GQueue sdes_in, sdes_out;
 struct dtls_fingerprint fingerprint; /* as received */
 const struct dtls_hash_func *fp_hash_func; /* outgoing */
+ str tls_id;
 GQueue streams; /* normally RTP + RTCP */
 GQueue endpoint_maps;
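Review bot: The peer-supplied tls-id value is accepted without any length or content check: the new `case CSH_LOOKUP("tls-id")` in parse_attribute only records the attribute id, and the sdp_streams hunk stores it verbatim with `sp->tls_id = attr->value;`. RFC 8842 defines the value as 20 to 255 token characters, so a value outside that range (including an empty one) is better treated as "no tls-id" than stored and later compared against the previous offer; e.g. `if (attr && attr->value.len >= 20 && attr->value.len <= 255) sp->tls_id = attr->value;`, or the equivalent check where parse_attribute sets `a->attr`. A short comment naming the RFC at the assignment would also help, since the `tls_id` field is otherwise undocumented. parse_attribute and sdp_streams both extend beyond their hunks.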
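Review bot: The `str tls_id;` added to struct call_media carries no comment, unlike its neighbours (`/* as received */`, `/* outgoing */`), so a reader cannot tell whether it holds the peer's value or one rtpengine generates itself; the same applies to the `str tls_id;` added to struct stream_params. From the call.c hunk it appears to be the received value copied into call memory, so `str tls_id; /* a=tls-id as received (RFC 8842) */` would match the surrounding style, with a matching comment on the stream_params field.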