I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft specifies an extension in DNS for providing zone version information for the associated query name.  This data allows callers to better correlate the queried name to a zone version that it belongs, in order to better diagnose synchronicity issues.

The security considerations section does exist and describes that this EDNS extension does not protect against an active attacker and therefore should only be used for diagnostic purposes only.  The section continues, if zone version information is to protected against an active attacker then the user should use TSIG (RFC 8945) or SIG(0) (RFC 2931) to authenticate and provide integrity protection.  In addition, there are no new privacy issues introduced by the new extension given that version information is already provided publicly.  I agree with the aforementioned assertions.

General Comments:

What's an unsigned decimal integer vs. unsigned integer?

Editorials Comments:

s/and and/and/
s/correspond do/correspond to the/