I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Has Issues. I found a few editorial things and have one question, but I suspect that these can be resolved easily.

Firstly, the description of split horizon seems to say that it is any time the resolver is authoritative for just some names and recurses for others. I don't think this is right: the split is that the answers given are different from what they are for any other resolver, and that's what creates the need for this draft. This is defined correctly in Section 2; the intro just needs to be reworded slightly.

In Section 5 I think more clarity is needed about which DNS name needs to match, and how the matching is to be done, perhaps citing a UTA doc. I think what's supposed to be said is that the ADN is a subjectAltName matching under RFC 6125.

The one more serious question I have is how rotation works. The DNS changes may not take place together with the authorization claim transmission, and this seems underspecified. Does the split horizon break until the two are in sync again?

Sincerely,
Watson Ladd