Reviewer: Di Ma Review result: Ready with Issues This version adds more discussions about DNSSEC to priming exchange, which I think need clearer statements. In this document, the authors say “With such resolvers, an attacker that controls a rogue root server effectively controls the entire domain name space and can view all queries and alter all unsigned data undetected.” However, this is not true when a DNSSEC-aware resolver has been configured with one or more Trust Anchors from some TLDs. In such case, it is not safe to say "an attacker that controls a rogue root server effectively controls the entire domain name space". -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx