@Habbie
Created April 26, 2020 11:05
diff --git a/draft-vandijk-dprive-ds-dot-signal-and-pin/draft-vandijk-dprive-ds-dot-signal-and-pin.md b/draft-vandijk-dprive-ds-dot-signal-and-pin/draft-vandijk-dprive-ds-dot-signal-and-pin.md
index f3e7770..918e5d3 100644
--- a/draft-vandijk-dprive-ds-dot-signal-and-pin/draft-vandijk-dprive-ds-dot-signal-and-pin.md
+++ b/draft-vandijk-dprive-ds-dot-signal-and-pin/draft-vandijk-dprive-ds-dot-signal-and-pin.md
@@ -98,13 +98,21 @@ The pseudo DNSKEY type can be used in CDNSKEY and CDS, as defined in RFC7344, re
# Implementation
The subsection titles in this section attempt to follow the terminology from [@RFC8499] in as far as it has suitable terms.
+'Implementation' is understood to mean both 'code changes' and 'operational changes' here.
## Authoritative server changes
+This specification defines no changes to query processing in authoritative servers.
+
+If DoT-signaling DS records are published for a zone, all name servers for the zone (from both the parent-side and child-side NS RRsets) SHOULD offer DoT service on port 853, and when they do, they SHOULD do so using keys present in the DS RRset.
+If, for some reason (such as a domain being hosted by two operators, one of which does not offer DoT), some of the name servers for the domain cannot offer DoT, those name servers MUST fail swiftly when a connection to tcp/853 is attempted, by providing a TCP RST.
+
## Validating resolver changes
## Stub resolver changes
+This specification defines no changes to stub resolvers.
+
## Zone validator changes
## Domain registry changes
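
Review bot: In the second added paragraph under "Authoritative server changes", the key requirement is only a SHOULD ("they SHOULD do so using keys present in the DS RRset"), so a name server can conform while offering DoT with a key that is not in the DS RRset, which a resolver pinning against that RRset cannot accept. Consider making the key match a MUST whenever DoT is offered, leaving SHOULD only on whether DoT is offered at all. The following sentence requires a TCP RST on tcp/853 from name servers that cannot offer DoT, but "Validating resolver changes" is still empty in this hunk, so nothing states what a resolver does when it receives that RST. Because a TCP RST is unauthenticated, the text should say whether it permits fallback to unencrypted transport, and what the resolver does when a middlebox silently drops the connection attempt instead of resetting it.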