I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is that this document is ready.

This is my first time contemplating internationalized domain names, so this is probably more of a historical question: "www.á.com" converts to the A-label "www.xn--1ca.com". Is "www.xn--1ca.com" itself a valid domain name, and does that introduce ambiguity that could lead to security issues? I assume that this ambiguity is already sufficiently addressed in one of the referenced specs, but maybe bears repeating in this document's Security Considerations.