> Publication of EUI-48 or EUI-64 addresses in the global DNS may > result in privacy issues in the form of unique trackable identities. This might also result in such MAC addresses being spoofed, thereby allowing some sort of direct attack. So it isn't just a privacy concern. ... > These potential concerns can be mitigated through restricting access > to zones containing EUI48 or EUI64 RRs or storing such information > under a domain name whose construction requires that the querier > already know some other permanent identifier. This "can be" seems too weak. Shouldn't we have a MUST here? Also, I doubt that the second option (a shared secret) is sufficient. Regards Brian Carpenter