Just to make public what I have hinted at privately, I think that the steps in section 4.1 may be somewhat underspecified. They give the logic a client, one which supports both DHCP and DNS, should follow in order to find a KDC, with DNS information being preferred. One scenario outlined in section 1 is of a user having entered userid and passphrase and waiting to be authenticated. The steps imply a number of timeouts in succession without specifying what balance to take of how long to wait for a server to respond versus how long to keep the user waiting. I would find it difficult to know what balance to strike without guidance.

A related issue is that section 4.1 prefers DNS to DHCP for Kerberos information, but the Security Considerations stress the weakness of DHCP and recommend authenticating DHCP. What if DHCP is secure and DNS is not? Should DNS still be preferred?

Tom Petch

----- Original Message -----
From: "Jeffrey Hutzelman" <jhutz@xxxxxxx>
To: "Samuel Weiler" <weiler+secdir@xxxxxxxxxx>
Cc: <draft-sakane-dhc-dhcpv6-kdc-option@xxxxxxxxxxxxxx>; <secdir@xxxxxxxx>; <ietf@xxxxxxxx>; <jhutz@xxxxxxx>
Sent: Thursday, May 24, 2012 6:50 PM
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option