I've reviewed this document as part of TSV-ART's ongoing effort to review key IETF documents. These comments were written primarily for the transport area directors, but are copied to the document's authors for their information and to allow them to address any issues raised. When done at the time of IETF Last Call, the authors should consider this review together with any other last-call comments they receive. Please always CC tsv-art@ietf.org if you reply to or forward this review.

Summary: Ready with nits

The draft describe authentication mechanisms for DNS servers accessed via TLS and DTLS, and defines profiles for DNS clients and servers implementing DNS-over-TLS and DTLS. There seems little of transport concern here, since the draft refers to RFC 7858 and draft-ietf-dprive-dnsodtls to specify DNS over TLS and DTLS, and doesn't define such mechanisms itself, Similarly, the (D)TLS profile is a security profile, rather than transport-related changes.

I just had a couple of nits:

- The short title at the top of each page is “(D)TLS Authentication”. If there’s space, it'd be clearer if this was “(D)TLS Authentication for DNS”, or similar, to avoid confusion about what is being authenticated. 

- Section 9 mandates implementation of TLS session resumption without server-side state [RFC5077], TLS False Start, and the TLS Cached Information Extension. I can’t comment on the security implications, if any, but these extensions seem appropriate for reducing transport overheads. However, the recommendations in this draft seem inconsistent with those in RFC 7858 (e.g., RFC 7858 says "DNS servers SHOULD enable fast TLS session resumption [RFC5077], and this SHOULD be used when reestablishing connections" but this draft is "MUST implement"). It would help to align these, or mark this draft as updating the RFC. 

Colin