I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines a process where an ISP can declare that certain domain names (whose DNSSEC records are deemed misconfigured) are not covered by DNSSEC. The server then provides DNS resolution in response to client queries, where otherwise the server would have failed those queries. Summary This is more of a rant than a review, however it presents a security perspective that seems to be at odds with the operational-first perspective of the document. Details I am hearing that this is a controversial draft, and I can see why. The draft explains very well what motivates the proposed mechanism, and the motivation makes sense, especially if you are an ISP. But I think the draft gives excellent instructions on improving the security of an inherently problematic usage model. As an individual or even as a company, the local ISP is not my friend. State-controlled ISPs in less developed countries have been known to steal traffic and fake certificates in order to attack their own subscribers. Commercial ISPs in more developed countries throttle or block certain types of traffic for various reasons. Moreover, the local ISP is best positioned to identify the owner of individual IP endpoints and perform point attacks on local subscribers. DNS is an obvious attack vector. Even assuming that 99.9% of us will continue to trust ISPs for DNS resolution, IMHO the proposed solution would be better off with more automation and less celebration of "trained technical personnel". For example, the document has a SHOULD level requirement to test the NTA "periodically" in order to eventually remove it. How about an alternative that shifts the responsibility to DevOps or to the actual vendors, and also empowers the .1% who maintain their own resolvers: "NTA implementors MUST attempt to validate the domain in question once every MINUTE for the period of time that the Negative Trust Anchor is in place, until such validation is again successful, and MUST remove the NTA as soon as that happens." Similarly, I would guess the process of establishing an NTA could be automated, e.g. by querying multiple major DNS operators over a period of time (maybe operators that are known to run the same brand of resolver). In general, automating the process is more likely to encourage deployment of DNSSEC by smaller ISPs than adding complex manual "best practices". Thanks, Yaron