Reviewer: Petr Špaček
Review result: Ready with Nits

Hi,

I was assigned as the dnsdir reviewer for draft-ietf-uta-rfc6125bis-13. For more information about the DNS Directorate, please see https://wiki.ietf.org/en/group/dnsdir

It seems that a couple of fixes for nits pointed out and agreed to (I believe) in the previous round of review did not make it into the -13 version.

First, one new typo: Search for "can is", it should be just "is". Context: "IPv4 address can is a valid DNS name.".

Three not-yet-fixed nits which I believe we agreed to fix in our previous e-mail exchange follow:

> 6.3. Matching the DNS Domain Name Portion
> 1. There is only one wildcard character.
> 2. The wildcard character appears only as the complete content of the left-most label.
> If the requirements are not met, the presented identifier is invalid and MUST be ignored. A wildcard in a presented identifier can only match exactly one label in a reference identifier. This specification covers only wildcard characters in presented identifiers, not wildcard characters in reference identifiers or in DNS domain names more generally. Therefore the use of wildcard characters as described herein is not to be confused with DNS wildcard matching, where the "*" label always matches at least one whole label and sometimes more; see [DNS-CONCEPTS], Section 4.3.3 and [DNS-WILDCARDS]. For information regarding the security characteristics of wildcard certificates, see Section 7.1.

I recommend adding an explicit statement that the rules given here _also_ intentionally deviate from RFC 4592 section 2.1.3. Reasoning: It explicitly mentions deviation from 4.3.3 but a casual reader might be confused by preceding 2.1.3.

> 6.4. Matching an IP Address Portion
> This document does not specify how an SRV-ID reference identity can include an IP address.

I think SRV-ID clearly says it's just a DNS name, so the presented identifier cannot match an IP address. I think this section should clearly say that IP addresses cannot match SRV-ID.

> 7.4. IP Addresses

Maybe add a reference to section 3. Designing Application Protocols where this is discussed (in the last paragraph)?

All the rest was addressed in -13. Thank you!

Petr Špaček
dnsdir
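The wildcard requirements quoted from section 6.3 in the message above, sketched as an added example that is not part of the review or of the draft. Function names are hypothetical, the sample names are constructed, and identifiers are assumed to be already-normalized ASCII DNS names.

```python
# Added example: presented-identifier wildcard matching per the quoted 6.3 text.
# Assumption: both names are ASCII (A-label) DNS names without a trailing dot.

def wildcard_is_valid(presented: str) -> bool:
    """Apply the two quoted requirements to a presented identifier."""
    count = presented.count("*")
    if count == 0:
        return True                  # no wildcard, nothing to validate
    if count != 1:
        return False                 # requirement 1: only one wildcard character
    # Requirement 2: the wildcard is the complete content of the left-most label.
    return presented.split(".")[0] == "*"


def matches(presented: str, reference: str) -> bool:
    """Return True if the presented identifier matches the reference identifier."""
    if not wildcard_is_valid(presented):
        return False                 # invalid presented identifier is ignored
    p = presented.lower().split(".")
    r = reference.lower().split(".")
    if "" in p or "" in r:
        return False                 # empty labels are not valid here
    if len(p) != len(r):
        # The wildcard stands for exactly one label. This is where the rule
        # differs from DNS wildcard matching, which may cover more labels.
        return False
    if p[0] == "*":
        return p[1:] == r[1:]        # compare everything right of the wildcard
    return p == r                    # plain case-insensitive label comparison


# Constructed sample cases: (presented, reference)
CASES = [
    ("*.example.com", "www.example.com"),    # one label replaced
    ("*.example.com", "a.b.example.com"),    # two labels: no match
    ("*.example.com", "example.com"),        # zero labels: no match
    ("w*.example.com", "www.example.com"),   # partial-label wildcard: invalid
    ("*.*.example.com", "a.b.example.com"),  # two wildcards: invalid
    ("www.*.com", "www.example.com"),        # wildcard not left-most: invalid
]

if __name__ == "__main__":
    for presented, reference in CASES:
        print(f"{presented:18} vs {reference:18} -> {matches(presented, reference)}")
```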