Section 5.3 says "Implementations MUST support the denial of service
countermeasures defined by DTLS." That's good but it's not clear
whether this means that these countermeasures MUST always be enabled.
Since that is not explicitly stated, it seems that a server could
have those countermeasures enabled by default and a client could
have them disabled by default. That would result in a client and
server that would not interoperate until the administrator tracked
down the problem and changed their configuration. I suggest that
the document be changed to require not only that implementations
support these countermeasures but that they be enabled by default.