>The "technical omission" here is "using 6186 together with mail servers
>supporting a high number of domains is going to be painful, and this
>document doesn't say how to solve it".

Wait a minute. If you don't use the SRV-IDs, which you don't need if you use DNSSEC on the SRV records, 6186 scales just fine. No SNI, nothing but SRV records that have the domain name that should match the DNS-ID the server presents. What am I missing?

On the other hand, if you need the SRV-ID records, a server that supports two domains is going to be just as schrod if the domains don't happen to bear a relationship to the DNS-ID that CAs can verify.

R's,
John
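
The distinction argued in the message above, as an added example that is not part of the original message: how the set of certificate identifiers a client can accept changes depending on whether the SRV answer was DNSSEC-validated. The function names, the `imaps` service label and all domain names are constructed assumptions, and matching is exact with no wildcard handling.

```python
# Added illustration; every name and sample value here is constructed.
from typing import NamedTuple

class Identifier(NamedTuple):
    kind: str   # "DNS-ID" or "SRV-ID"
    value: str

def _norm(name: str) -> str:
    """Lower-case and drop the trailing root dot for comparison."""
    return name.rstrip(".").lower()

def reference_identifiers(source_domain, service, srv_target, dnssec_validated):
    """Identifiers the client may accept in the server certificate."""
    # Names derived from the user's own domain are always acceptable.
    refs = {
        Identifier("SRV-ID", f"_{service}.{_norm(source_domain)}"),
        Identifier("DNS-ID", _norm(source_domain)),
    }
    if dnssec_validated:
        # The SRV answer is authenticated, so the target host name it
        # returned can be trusted as a reference identifier as well.
        refs.add(Identifier("DNS-ID", _norm(srv_target)))
    return refs

def certificate_acceptable(presented, refs):
    """True if any presented identifier equals a reference identifier."""
    normalized = {Identifier(i.kind, _norm(i.value)) for i in presented}
    return bool(normalized & refs)

# Constructed scenario: one hosting server, many customer domains.
SRV_TARGET = "mail.hoster.example."
HOSTER_CERT = [Identifier("DNS-ID", "mail.hoster.example")]
CUSTOMERS = ["customer1.example", "customer2.example"]

def evaluate(cert, dnssec_validated):
    """Per customer domain: would the client accept this certificate?"""
    return {
        domain: certificate_acceptable(
            cert,
            reference_identifiers(domain, "imaps", SRV_TARGET, dnssec_validated),
        )
        for domain in CUSTOMERS
    }

if __name__ == "__main__":
    print("DNSSEC-validated SRV:", evaluate(HOSTER_CERT, True))
    print("Unvalidated SRV:     ", evaluate(HOSTER_CERT, False))
```

With an unvalidated SRV answer, the hosting certificate would need an SRV-ID or DNS-ID for every customer domain, which is the scaling problem the quoted text describes.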