I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: this draft is ready. From the introduction, This draft sets out to specify a way for validating resolvers to tell a server in a DNS query which DNSSEC key(s) they would use to validate responses from that zone. This is done in two ways: using an EDNS option for use in the OPT meta-RR [RFC6891] that contains the key tags (described in Section 4), and by periodically sending special "key tag queries" to a server authoritative for the zone (described in Section 5). That pretty well sums it up. The security and privacy considerations sections cover all relevant issues. I see no problems with this document. Minor editorial comment: section 5.3 ends with this bracketed comment: [ Note RFC1035 says NULL RRs are not allowed in master files, but I believe that to be incorrect ] I assume this will be resolved prior to publication? --Scott