This document appears to pose no transport concerns beyond those raised by the protocols on which it is substantially based, DoT [RFC7858] and DSO [RFC8490]. There are of course connectivity risks associated with using client-established server-push over TCP, but the design of DSO appears to adequately account for these. nit in 6.1: "default port for DNS-over-TLS DNS over TLS [RFC7858]"