I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document is basically ready. A few minor nits are below. The primary comment is that there are a few instances where abbreviated certificate checks are cited and potentially mask a need to do full certification path validation.

Therefore this document provides guidelines that enable protocols that rely on SRV lookups to locate and use TLSA records.

In section 1

- May be worth adding a note to the third bullet to clarify that multiple target endpoints may be defined for a given service domain, including a mix of endpoints that have and do not have TLSA records.

- Should the "always use" in the third bullet be "MUST use"?

- May be worth clarifying in the fifth bullet that no usable TLSA records for one target endpoint does not mean there are no usable TLSA records for another target endpoint. The security considerations address this point and the point in the first bullet above, but it seems worth reinforcing in the body as well.

- Bullet 5 should reference RFC5280 alongside RFC6125 and/or reference "non-DANE behavior" a la section 3.1 (but using the target server hostname).

In Section 4.2

- Should this reference RFC6698 section 2.1 or section 4? Section 4 seems like a better target to me.

- Replace reference to "expiration checks from RFC5280" with "validation checks from RFC5280" unless you mean for some forms of 5280 checks to be honored here. Current wording could create a misimpression that only expiration checks need be performed.

In section 10.2

- In the last sentence, clients must also validate the certificate back to the designated trust anchor, not just check the reference identifiers.
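As an added illustration (not code from the review or from the draft under review), the per-target-endpoint decision the comments above describe: each SRV target is judged on its own, and the check set depends on the TLSA usage, with full RFC 5280 path validation rather than expiry alone wherever PKIX applies. Constructed SRV/TLSA data stands in for DNS lookups, and the check names are labels only.

```python
# Added illustration, not code from the review or from the DANE SRV draft.
# Constructed SRV target and TLSA data stand in for real DNS lookups.
from dataclasses import dataclass, field

# TLSA certificate usage values (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

@dataclass
class Target:
    """One SRV target endpoint and the (constructed) result of its TLSA lookup."""
    host: str
    port: int
    tlsa_usages: list = field(default_factory=list)  # [] means no usable TLSA RRs
    dnssec_secure: bool = True  # was the TLSA RRset validated with DNSSEC?

def checks_for_usage(usage):
    """Checks the client must perform when matching a TLSA record of this usage
    (per RFC 7671). Where RFC 5280 applies it is full path validation."""
    if usage == DANE_EE:
        # Only the TLSA match: RFC 5280 path validation, expiry and RFC 6125
        # name checks are not required for DANE-EE (RFC 7671 section 5.1).
        return frozenset({"tlsa_match"})
    if usage == DANE_TA:
        # Full RFC 5280 path validation up to the trust anchor named by the
        # TLSA record, plus RFC 6125 name checks against the target hostname.
        return frozenset({"tlsa_match", "rfc5280_path_to_tlsa_ta", "rfc6125_name"})
    # PKIX-TA / PKIX-EE: ordinary PKIX validation to a local trust anchor,
    # with the TLSA record as an additional constraint.
    return frozenset({"tlsa_match", "rfc5280_path_to_local_ta", "rfc6125_name"})

def plan_for_target(t):
    """Decide, for one target endpoint alone, whether DANE applies and which
    check sets (any one alternative must pass) the connection needs."""
    if t.dnssec_secure and t.tlsa_usages:
        return {"mode": "dane",
                "alternatives": {checks_for_usage(u) for u in t.tlsa_usages}}
    # No usable TLSA records for this target: non-DANE behaviour, validating
    # the chain under RFC 5280 and the target server hostname under RFC 6125.
    return {"mode": "non-dane",
            "alternatives": {frozenset({"rfc5280_path_to_local_ta", "rfc6125_name"})}}

def plan_for_service(targets):
    """A service domain may mix targets with and without TLSA records; each is
    decided on its own, so one target lacking TLSA does not disqualify others."""
    return {f"{t.host}:{t.port}": plan_for_target(t) for t in targets}

# Constructed example: three targets for one service domain (hostnames made up)
EXAMPLE_TARGETS = [
    Target("mx1.example.net", 25, [DANE_EE, DANE_TA]),
    Target("mx2.example.net", 25, []),                              # no TLSA RRs
    Target("mx3.example.net", 25, [DANE_EE], dnssec_secure=False),  # unsigned zone
]
```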