Nit:

1. Section 6.1, s/This connection is made to TCP port 853, the default port for DNS-over-TLS DNS over TLS [RFC7858]./This connection is made to TCP port 853, the default port for DNS-over-TLS [RFC7858].
2. Table 2, RECONFIRM should be C-U TLV type.

Comments:

1. Why are UNSUBSCRIBE and RECONFIRM client unidirectional messages?
2. In the UNSUBSCRIBE message, why do you choose to use SUBSCRIBE MESSAGE ID, not NAME+TYPE+CLASS?
3. In the Security Considerations section:
   1) you should also mention that TLS provides the anti-replay protection service for DNS Push;
   2) maybe you need to consider client authentication to achieve policy control and detect illegal clients;
   3) the TLS WG is specifying the SNI encryption mechanism; will it influence your TLS name authentication?