I'm the DNS Directorate reviewer of this I-D. IMO the document needs a little more work/clarification. Sorry Stephen.

Section 3 says "the public key...can also be published in the DNS". It does not explain which RRtype or owner-name is to be used for that purpose. Presumably this key will be found in the ECHConfigList element of some HTTPS or SVCB record. This should be more explicit. An example RRtype corresponding to the ECHConfig PEM File given in Figure 1 would be helpful.

There's an unstated implication that the private key can be found in the ECHConfigList. As written, "the public key...can also be published in the DNS" suggests the private key is already there, which I'm sure is not what the author intended. Deleting "also" here could help avoid any confusion. However, I think it would be much better if the Security Considerations section clearly stated that private keys MUST NOT be published in the DNS.

I think the I-D needs to recommend using DNSSEC and/or encrypted DNS transport to ensure the integrity of the data in the DNS responses. However, I don't know enough about the ECH threat model to make a judgement on whether that is or isn't a valid concern.
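To make concrete what the ECHConfigList published in an HTTPS/SVCB `ech=` parameter actually carries (an HPKE public key and a public_name, never the private key), here is an added decoder; it is not code from the I-D or from the reviewer. It assumes the ECHConfig version 0xfe0d wire layout from draft-ietf-tls-esni, and the sample record value is constructed for illustration, not taken from any real zone.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version used by current ECH drafts (assumption)
# Expected HPKE public key sizes per KEM id: DHKEM(P-256), DHKEM(P-384), DHKEM(X25519), DHKEM(X448)
PK_LEN_BY_KEM = {0x0010: 65, 0x0011: 97, 0x0020: 32, 0x0021: 56}

def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0], off + 2

def parse_ech_config_list(data):
    """Decode an ECHConfigList: u16 total length, then ECHConfig = version, length, contents."""
    total, off = _u16(data, 0)
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length does not match payload")
    configs = []
    while off < len(data):
        version, off = _u16(data, off)
        length, off = _u16(data, off)
        body, off = data[off:off + length], off + length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version == ECH_VERSION:
            configs.append(_parse_contents(body))
        else:
            configs.append({"version": version, "opaque": body})  # unknown version: keep raw
    return configs

def _parse_contents(c):
    """ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    kem_id, p = _u16(c, 1)                        # c[0] is config_id
    pk_len, p = _u16(c, p)
    public_key, p = c[p:p + pk_len], p + pk_len   # the only key material that belongs in DNS
    cs_len, p = _u16(c, p)
    suites = [struct.unpack_from("!HH", c, p + i) for i in range(0, cs_len, 4)]  # (kdf_id, aead_id)
    p += cs_len
    max_name_len, name_len = c[p], c[p + 1]
    public_name, p = c[p + 2:p + 2 + name_len].decode("ascii"), p + 2 + name_len
    ext_len, p = _u16(c, p)
    return {"version": ECH_VERSION, "config_id": c[0], "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name, "extensions": c[p:p + ext_len]}

def public_key_length_ok(cfg):
    """True when the public key has the size the KEM dictates; a wrong size is a cheap
    pre-publication check that the blob pasted into ech= is the HPKE public key."""
    kem = cfg.get("kem_id")
    return kem in PK_LEN_BY_KEM and len(cfg["public_key"]) == PK_LEN_BY_KEM[kem]

def parse_ech_svc_param(b64):
    """The HTTPS/SVCB 'ech' SvcParam value is the base64 encoding of an ECHConfigList."""
    return parse_ech_config_list(base64.b64decode(b64))

# Constructed sample: X25519 KEM, HKDF-SHA256 + AES-128-GCM, public_name example.com
_CONTENTS = (b"\x01" + b"\x00\x20" + b"\x00\x20" + b"\x11" * 32 + b"\x00\x04" + b"\x00\x01\x00\x01"
             + b"\x40" + bytes([len(b"example.com")]) + b"example.com" + b"\x00\x00")
_CONFIG = b"\xfe\x0d" + struct.pack("!H", len(_CONTENTS)) + _CONTENTS
SAMPLE_ECH_PARAM = base64.b64encode(struct.pack("!H", len(_CONFIG)) + _CONFIG).decode()
```

Running `parse_ech_svc_param(SAMPLE_ECH_PARAM)` yields one config for public_name example.com with a 32-byte X25519 public key, which is all a resolver or a zone-publishing check should ever see.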