-described in section 3.5 of RFC 1034. The B<namelen> argument must be
-the number of characters in the name string or zero in which case the
-length is calculated with strlen(name). When B<name> starts with
-a dot (e.g ".example.com"), it will be matched by a certificate
-valid for any sub-domain of B<name>, (see also
-B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below).
+described in section 3.5 of RFC 1034. Per section 6.4.2 of RFC 6125,
+B<name> values representing international domain names must be given
+in A-label form. The B<namelen> argument must be the number of
+characters in the name string or zero in which case the length is
+calculated with strlen(name). When B<name> starts with a dot (e.g
+".example.com"), it will be matched by a certificate valid for any
+sub-domain of B<name>, (see also B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS>
+below). Applications are strongly advised to use
+X509_VERIFY_PARAM_set1_host() in preference to explicitly calling
+L<X509_check_host(3)>, hostname checks are out of scope with the
+DANE-EE(3) certificate usage, and the internal check will be
+suppressed as appropriate when DANE support is added to OpenSSL.