I've been asked to review this document for DNS-related issues as part of the DNS Directorate review process. Some aspects of this review are beyond my expertise; I've added the DANE working group mailing list to the Cc: list here in case this is useful.

In 3.3, Encoding of extensions: "If subjectAltName contains exactly one dNSName, the array and the int are omitted and extensionValue is the dNSName encoded as a CBOR text string."

I think the bouncyCaps here are wrong—should be dnsName or DNSName. But more importantly, "encoded as a CBOR text string" is too vague to be interoperable. Possibly this is intended to refer to RFC1035 section 5.1, the bit on encoding on page 35. If so, you should say so explicitly.

Section 9.18 adds a new TLSA selector type, but doesn't talk about the implications of this addition. I think this has the potential to create a lot of confusion, and should probably be discussed with subject matter experts before moving forward with this document. Possibly this discussion has already occurred, but if so, I think the text in the document is a bit lacking. What is intended here? Do we anticipate that all DANE implementations will adopt this new format? What does it mean for there to be a CBOR-encoded certificate, but no X.509 encoded certificate? Etc. I think this needs to be fleshed out before the document moves forward.
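The interoperability point above is easier to see in bytes. The following is an added example, written for this page and not taken from the review or from the draft under review. It assumes that "CBOR text string" means CBOR major type 3 as defined in RFC 8949 section 3.1, that the certificate's dNSName starts life in RFC 1035 section 3.1 wire form (length-prefixed labels), and that the text placed inside the CBOR string follows the RFC 1035 section 5.1 presentation form with `\.` and `\DDD` escapes. The function names and the sample names are constructed for the example; the escaping convention used for the space character is an assumption, not something the draft specifies.

```python
"""Added example (not from the review or the reviewed draft).

Assumptions: CBOR text string = major type 3 (RFC 8949 section 3.1);
DNS wire form = RFC 1035 section 3.1; presentation form = RFC 1035
section 5.1.  All names below are constructed sample inputs.
"""


def cbor_text_string(s: str) -> bytes:
    """Encode s as a definite-length CBOR text string (major type 3)."""
    payload = s.encode("utf-8")
    n = len(payload)
    if n < 24:                      # length fits in the additional-info bits
        return bytes([0x60 | n]) + payload
    if n < 0x100:                   # 1-byte length follows
        return bytes([0x78, n]) + payload
    if n < 0x10000:                 # 2-byte length follows
        return bytes([0x79]) + n.to_bytes(2, "big") + payload
    return bytes([0x7A]) + n.to_bytes(4, "big") + payload


def decode_cbor_text_string(buf: bytes) -> str:
    """Inverse of cbor_text_string; rejects anything that is not one text string."""
    ib = buf[0]
    if ib >> 5 != 3:
        raise ValueError("not a CBOR text string (major type 3)")
    ai = ib & 0x1F
    if ai < 24:
        n, off = ai, 1
    elif ai == 24:
        n, off = buf[1], 2
    elif ai == 25:
        n, off = int.from_bytes(buf[1:3], "big"), 3
    elif ai == 26:
        n, off = int.from_bytes(buf[1:5], "big"), 5
    else:
        raise ValueError("indefinite or 8-byte lengths not handled in this example")
    if len(buf) != off + n:
        raise ValueError("length mismatch")
    return buf[off:off + n].decode("utf-8")


def wire_to_presentation(wire: bytes) -> str:
    """RFC 1035 3.1 labels -> 5.1 text.  '.' and '\\' inside a label are
    escaped as \\. and \\\\; bytes outside 0x21..0x7E (assumption: space
    included) become \\DDD.  Compression pointers are not accepted."""
    labels, i = [], 0
    while True:
        ln = wire[i]
        i += 1
        if ln == 0:
            break
        if ln > 63:
            raise ValueError("label too long or compression pointer")
        raw, i = wire[i:i + ln], i + ln
        out = []
        for b in raw:
            c = chr(b)
            if c in ".\\":
                out.append("\\" + c)
            elif 0x21 <= b <= 0x7E:
                out.append(c)
            else:
                out.append("\\%03d" % b)
        labels.append("".join(out))
    if i != len(wire):
        raise ValueError("trailing bytes after root label")
    return ".".join(labels) + "."


def encode_dnsname_extension(wire: bytes) -> bytes:
    """One reading of the draft text: presentation form wrapped in a CBOR text string."""
    return cbor_text_string(wire_to_presentation(wire))


def decode_dnsname_extension(ext: bytes) -> str:
    return decode_cbor_text_string(ext)


if __name__ == "__main__":
    # A label containing a literal '.' shows why the escaping rule must be named:
    # a naive join would produce the indistinguishable "exam.le.com".
    for wire in (b"\x07example\x03com\x00", b"\x07exam.le\x03com\x00"):
        ext = encode_dnsname_extension(wire)
        print(wire_to_presentation(wire), ext.hex(), decode_dnsname_extension(ext))
```

Running it prints the presentation form, the CBOR bytes and the round-tripped name for each sample; the second sample is the case where two readers of "encoded as a CBOR text string" could legitimately produce different octets.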