I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Status: not ready.

I am a little puzzled by this I-D. The title is "Authentication and (D)TLS Profile for DNS-over-(D)TLS", and the intro says it specifies profiles "which define the security properties a user should expect when using that profile to connect to the available DNS servers"; however, as far as I can see, no properties other than server authentication are defined.

The document also appears to claim that a connection that is authenticated and encrypted is "private". That seems to stretch the meaning of "private" quite considerably. Other considerations surely exist, such as resistance against traffic analysis, key sizes, and algorithm choice. As a result, claims like "Strict Privacy provides the strongest privacy guarantees" are just plain wrong.

Given these large holes in scope, I have not attempted a more detailed analysis.